3.1.3 RPM Improvements

Oracle Linux 8 ships with version 4.14 of RPM. This version of RPM introduces many improvements over the previously supported RPM version 4.11.

With RPM version 4.14, you can install debuginfo packages in parallel. This version of RPM also provides support for several new features, including the following:

  • Weak dependencies

  • Rich or boolean dependencies

  • Packaging of files that are greater than 4 GB

  • File triggers

Other important changes include a stricter spec parser, simplified signature-checking output in non-verbose mode, and additions and deprecations in macros.

One significant change in this version of RPM is that it now validates the entire package contents before starting an installation. In Oracle Linux 7, RPM verified the payload contents of individual files during unpacking, which could be inefficient, especially if the payload was damaged.

Also, in the previous version of RPM, hashes on individual files were computed on uncompressed data, so the decompressor had to process the payload before any of it had been verified, which left RPM susceptible to decompressor vulnerabilities. In Oracle Linux 8, the entire package is validated as a separate step prior to installation using the best available hash. In this release, packages are built with a new SHA-256 hash on the compressed payload. For signed packages, the payload hash is additionally protected by the signature and therefore cannot be altered without breaking the signature and the other hashes on the package header. Note that older packages use the MD5 hash for the header and payload unless that hash has been disabled by configuration.

In addition, you can use the %_pkgverify_level macro to enforce signature verification prior to installation or to disable the payload verification. You can also use the %_pkgverify_flags macro to limit the hashes and signatures that are allowed.
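The verification order described above, as an added example that is neither Oracle's nor the rpm project's own code: a small Python model in which the SHA-256 is taken over the still-compressed payload, the signature covers the header together with that digest, and the decompressor runs only after the whole package has been accepted. The `Package` type, `verify_package`, the HMAC used as a stand-in for an OpenPGP signature, and the simplified reading of the %_pkgverify_level values (they set what must be present; whatever is present is always checked) are assumptions of this example, not rpm's actual implementation.

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Package:
    header: bytes                  # stand-in for the RPM header (metadata, file list)
    payload: bytes                 # compressed archive exactly as stored on disk
    payload_sha256: Optional[str]  # digest over the COMPRESSED bytes, carried in the header
    signature: Optional[bytes]     # HMAC stand-in for the OpenPGP signature on the header

def payload_digest(payload: bytes) -> str:
    """SHA-256 of the compressed payload: no decompressor runs to compute it."""
    return hashlib.sha256(payload).hexdigest()

def sign_header(key: bytes, header: bytes, digest: Optional[str]) -> bytes:
    """The signature covers the header and the payload digest it carries."""
    return hmac.new(key, header + (digest or "").encode(), "sha256").digest()

def build_package(header: bytes, files: bytes, key: Optional[bytes] = None) -> Package:
    """Constructed package: compress, digest the compressed bytes, sign if a key is given."""
    payload = zlib.compress(files)
    digest = payload_digest(payload)
    sig = sign_header(key, header, digest) if key else None
    return Package(header, payload, digest, sig)

def verify_package(pkg: Package, key: bytes, level: str = "digest") -> Tuple[bool, str]:
    """Whole-package check before anything is unpacked. `level` models the
    %_pkgverify_level values none/digest/signature/all as an assumption of
    this example: it sets what must be PRESENT; whatever is present is checked."""
    if pkg.payload_sha256 is not None and not hmac.compare_digest(
            payload_digest(pkg.payload), pkg.payload_sha256):
        return False, "payload digest mismatch"
    if pkg.signature is not None and not hmac.compare_digest(
            sign_header(key, pkg.header, pkg.payload_sha256), pkg.signature):
        return False, "signature mismatch"
    if level in ("digest", "all") and pkg.payload_sha256 is None:
        return False, "digest required"
    if level in ("signature", "all") and pkg.signature is None:
        return False, "signature required"
    return True, "ok"

def install(pkg: Package, key: bytes, level: str = "digest") -> bytes:
    """Decompression happens only after verify_package has accepted the package."""
    ok, reason = verify_package(pkg, key, level)
    if not ok:
        raise ValueError("refusing to install: " + reason)
    return zlib.decompress(pkg.payload)
```

With `level="signature"` an unsigned package is refused before its payload is touched, and a tampered payload whose digest has been recomputed still fails because the digest is covered by the signature.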