Update 6.0 release notes for beta1

Author: pmatilai

_releases/6.0.0.md

@@ -1,32 +1,34 @@
 ---
 version: 6.0.0
 baseline: 4.20.1
-date: 2025-04-08
+date: 2025-07-01
 draft: true
 heading_offset: 2
 ---
 
 * RPM defaults to enforcing signature checking (#1573)
 * RPM uses the full key ID or fingerprint to identify OpenPGP keys everywhere (#2403)
 * Support for multiple OpenPGP signatures per package (#3385)
+* Support for OpenPGP v6 and PQC keys and signatures (#3363, work in progress)
 * Support for updating previously imported keys (#2577)
 * Support for both RPM v4 and v6 packages
 * Support for installing RPM v3 packages has been removed (#1107)
-* By default, RPM no longer verifies obsolete crypto (MD5, SHA1, DSA) (#1292)
-* Man page overhaul (work in progress as of 6.0 alpha)
+* Man page overhaul (work in progress)
 * Pristine and verifiable release tarballs (#3565) (#2702)
 
 ### General Use
 * Several enhancements to *rpmkeys*(8):
   * `rpmkeys --import` can now be used to update keys (#2577).
     This also updates the key handle from a short ambiguous key id to
     full fingerprint.
+  * `rpmkeys --import` now also works from a pipe
   * `rpmkeys --export` added for exporting keys
   * `rpmkeys --checksig`, `--list`, `--delete` use and expect full
     fingerprint of the keys (#3360)
   * `rpmkeys` works identically with all keystore backends
   * `rpmkeys --rebuild` can be used to rebuild the keystore contents and
      move between different keystore backends (#3347)
+  * `rpmkeys` key lookup is now case-insensitive
 * Several enhancements to *rpmsign*(1):
   * `rpmsign` can use either GnuPG or Sequoia-sq for signing (controlled
     by `%_openpgp_sign` macro (`gpg` or `sq`))
@@ -36,24 +38,46 @@ heading_offset: 2
 * New query tag extensions (e.g. with `--qf <format>`):
   * `rpmformat` for determining package format version (3/4/6)
   * `openpgp` for managing all supported OpenPGP signature types
+* New query formatter `:hashalgo` for displaying hash algorithm names
 * New `--filemime` query alias for querying per-file MIME info
 * Consistent terminology and case usage in signature and key messages
   * OpenPGP signatures are called OpenPGP in output
   * RPM v3 header+payload signatures are called "legacy" in output
+* New feature to calculate a set of configurable digests on verification
+  and safe them in the rpmdb. This can help identifying the originating
+  package file. (RHEL-35619)
+* Fix scriptlet errors not reflected in transaction result code (#2581)
+* Fix `%triggerprein` and `%triggerun` not failing the associated
+  install/erase operation (#3815)
 * Man page overhaul (WIP):
   * Update all manual pages to a new consistent style (#3669)
   * Add man pages for all major components and file formats (#3612)
+    * rpm-config(5)
+    * rpm-payloadflags(5)
+    * rpm-rpmrc(5)
+    * rpm-macrofile(5)
+    * rpm-lua(7)
+    * rpm-macros(7)
+    * rpm-queryformat(7)
   * Move end-user commands to section 1
   * Many previously undocumented things covered, many errors fixed
+* Versioned documentation on https://rpm.org/docs/
+  * Man pages
+  * Reference manual
+  * API docs
 
 ### Packaging
 * *rpmbuild*(1) now supports generating two different package formats
   (controlled by `%_rpmformat` macro):
   * [RPM v6](https://rpm-software-management.github.io/rpm/manual/format_v6.html)
     * All file sizes and related limits are 64bit
     * Crypto modernization
-    * MIME file info
+      * Obsolete crypto (MD5 and SHA1) dropped
+      * SHA3 header and payload digests added (#3797, #3642)
+    * Per-file MIME info
     * Widely compatible with RPM >= 4.14
+    * The "external" dependency generator mode no longer supported with
+      v6 packages (#2373)
   * [RPM v4](https://rpm-software-management.github.io/rpm/manual/format_v4.html)
     * Bit-per-bit compatible with packages produced by RPM 4.x
 * *rpmbuild*(1) can now automatically sign packages if `%_openpgp_autosign_id`
@@ -65,6 +89,10 @@ heading_offset: 2
 * Fix architecture checking accidentally moved after build (#3569)
 * Fix buildsys specific `%prep` section not accepted (#3635)
 * Fix `check-rpaths` brp script when both RPATH and RUNPATH exist (#3667)
+* Fix a memory leak in `rpmspec --shell`
+* Fix 4.20 regression on `rpmbuild -rs` failing on non-existent directory
+  (#3682)
+* Fix an extra newline printed on `rpm --eval`
 * `brp-elfperms` buildroot policy script was removed (#3195)
 
 ### API Changes
@@ -84,20 +112,30 @@ heading_offset: 2
   * `rpmtxnRebuildKeystore()` for rebuilding transaction keystore
 * New flags to control `rpmSign()` operation added:
   `RPMSIGN_FLAG_RESIGN`, `RPMSIGN_FLAG_RPMV4`, `RPMSIGN_FLAG_RPMV6`
+* New functions for controlling per-package verification level:
+  * `rpmteVfyLevel()` and `rpmteSetVfyLevel()`
+  * `te.VfyLevel()` and `te.SetVfyLevel()` in the Python bindings
 * New identifiers related to multiple signature support added:
   * `RPMTAG_OPENPGP` rpm tag
   * `RPMSIGTAG_OPENPGP` signature header tag (alias to `RPMTAG_OPENPGP`)
   * `RPMVSF_NOOPENPGP` verification flag
 * New rpm tags:
   `RPMTAG_PAYLOADSIZE`, `RPMTAG_PAYLOADSIZEALT`, `RPMTAG_RPMFORMAT`,
-  `RPMTAG_FILEMIMEINDEX`, `RPMTAG_MIMEDICT`, `RPMTAG_FILEMIMES`
+  `RPMTAG_FILEMIMEINDEX`, `RPMTAG_MIMEDICT`, `RPMTAG_FILEMIMES`,
+  `RPMTAG_SOURCENEVR`, `RPMTAG_PAYLOADSHA3_256`, `RPMTAG_PAYLOADSHA3_256ALT`,
+  `RPMTAG_SHA3_256HEADER`
+* Renamed rpm tags:
+  * `RPMTAG_PAYLOADDIGEST` to `RPMTAG_PAYLOADSHA256`
+  * `RPMTAG_PAYLOADDIGESTALT` to `RPMTAG_PAYLOADSHA256ALT`
+  * `RPMTAG_PAYLOADDIGESTALGO` to `RPMTAG_PAYLOADSHA256ALGO` (obsolete)
 * New identifiers related to SHA-3 added:
   `RPM_HASH_SHA3_256`, `RPM_HASH_SHA3_512`
 * New symbols related to MIME types in v6 packages:
   * `rpmfilesFMime()`, `rpmfiFMime()` for retrieving per-file MIME info
   * `RPMFI_NOFILEMIME` flag to control behavior
 * New OpenPGP identifiers related to RFC-9580 added
 * `rpmtsAddInstallElement()` returns `3` on unsupported package format
+* `fdSize()` returns an error on non-regular files
 
 ### Internal Improvements
 * RPM is now built as C++20 code (except for plugins and Python bindings)
@@ -110,18 +148,34 @@ heading_offset: 2
 * New `openpgp.cert.d` based keystore (experimental) (#3341)
 * New `make site` build target for easy local rendering of documentation
 * Make reference counting atomic throughout the codebase
+* Support underscores in RPMTAG names
 * Fix keystore reads lacking transaction lock
 * Fix a race condition in `rpmioMkpath()` (#3508)
 * Fix recursion depth for macro error message (#3197)
 * Fix empty password field in passwd/group causing entry to be ignored (#3594)
 * Fix built-in macros not usable before loading macro files (#3638)
+* Fix fdSize() failure handling in rpmSign()
+* Fix pseudo-tags without an associated type showing up in --querytags
+* Fix rpm install prefix not honored in the legacy `find-provides` and
+  `find-requires` dependency generator scripts
+* Fix Python reference leaks related to archive handling
+* Fix non-deterministic storage of dependency information in packages (#1056)
+* Fix `sysusers` script escaping chroot for `u!` entires
+* Fix rpm 4.19 regression on failed update return code (#3718)
 * Drop `gpg(keyid)` provides from gpg-pubkey headers (#3360)
 * Eliminate various internal symbols accidentally leaking to the ABI
+* Eliminate uses of non-portable signal(2) API (#3688)
 * Optimize `rpmlog()` locking
+* Python bindings:
+  * Support Python module isolation (RhBug:2327289)
+    (https://bugzilla.redhat.com/show_bug.cgi?id=2327289)
+  * Fix some resource leaks, run tests with ASAN
 
 ### Building RPM
 * A C++20 compiler is now required in addition to a C99 compiler, but
   C++20 modules support is not required.
+* rpm-sequoia >= 1.8.0 is now required for building with Sequoia (default)
+* Python >= 3.10 is now required for building the Python bindings
 * [scdoc](https://git.sr.ht/~sircmpwn/scdoc) man page generator is now
   required for building RPM
 * Pre-built API documentation is no longer shipped in the release tarballs.
@@ -144,6 +198,8 @@ heading_offset: 2
   * Can be queried with RPM >= 4.6
   * Can be unpacked with RPM >= 4.12
   * Can be verified and installed with RPM >= 4.14 (with caveats/limitations)
+* RPM defaults to building v6 packages, this can be changed with the
+  `%_rpmformat` macro.
 * Lua `posix.fork()` family of calls, deprecated in 4.20, is disabled in
   packages built with RPM >= 6.0. They continue to function in packages
   built by RPM <= 4.20 however.
@@ -160,4 +216,4 @@ heading_offset: 2
 * `%_passwd_path` and `%_group_path` are now treated as colon separated
   paths to allow using multiple files as the source of NSS information
   (e.g. with nss-altfiles)
-* `--pkgid` and `--hdrid` query sources CLI-switches have been dropped (#2633)
+* `--pkgid` and `--hdrid` query CLI-switches have been dropped (#2633)