The Fedora Engineering Steering Committee (FESCO), responsible for the technical development of the Fedora Linux distribution, has approved the transition to the RPM 6 package manager in the upcoming Fedora 43 release. The RPM 6.0 release is scheduled for the third quarter of 2025, according to the RPM roadmap.
The RPM 6 branch is set to introduce support for a new format that allows for package sizes of over 4 GB. This upgrade is crucial as some packages, such as Chromium, are nearing the current size limit. RPM 6 will include 64-bit size fields, modernized cryptographic structures, and MIME-based files. Additionally, RPM 5 versions will be skipped to avoid any confusion with the independent rpm5 project.
Full support for RPM 4 using CPIO will be retained alongside RPM 6. The transition to the new package format will be optional for distributions, allowing them to stick with RPM 4 if desired. Fedora 43, for example, will utilize RPM 6.0 as the package manager but maintain the RPM 4 package format. Support for reading and installing RPM 4.X packets in RPM 6 will also be included.
One significant change in RPM 6 is the default testing of package authenticity with digital signatures. To simplify the installation process for independently built packages, RPMBuild RPM 6 will now support automatic local signature creation. An option to install packages without signature verification (“-nosignature”) will also be available.
Other changes in RPM 6 include allowing the use of C++ code, support for multiple OpenPGP signatures per package, discontinuation of MD5, Sha1, and DSA support, and the end of support for the outdated RPM 3 format. The RPMKEYS utility will now be the primary tool for managing keys in Fedora, with the option to use SEQUOIA-SQ tools written in Rust as alternatives to GNUPG.
In related news, the Fedora project has introduced Jef Spaleta as the new project leader, taking over from Matthew Miller, who held the position since 2014.