The Security Benefits of RPM Packaging (2024)

This article was originally published on the Red Hat Customer Portal. The information may no longer be current.

RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure.

What is an RPM?

RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. These files are tracked and allow for easy installation, upgrading, and removal. Since the RPMs have been built specifically for the operating system and platform they are installed on, the software is expected to operate in a predictable and consistent manner.

RPMs not only make it easy for the user to install software on their computer but also for the developer to deliver the software. RPMs make it easy to pull in dependencies (other code the software needs in order to function properly) and to deliver updates to the software in question. The ability to apply patches for security fixes makes RPMs an especially good tool for maintaining secure computer environments, since code fixes can easily be verified by system administrators prior to installation.

Package repositories can also be made to allow users access to a central database of software that is easily installed. The user can determine where the software originated and, once it is installed, is prompted to upgrade when updates become available in the repository. The user can remove the software at any time and the RPM installer will automatically clean up the installation, preventing old versions of the software from persisting on the system, where they could be used by mistake or expose the user to flaws or exploits. Removing unused software reduces potential attack vectors, and because RPM makes it easy to remove unused software, users are much more likely to do so.

Dependencies

Dependencies in RPM packages allow software to use libraries without including those libraries in the package itself. This has several benefits for both the maintainer of the package and the user of the software. First, it makes the code base smaller. With fewer lines of code to maintain, the overall package will be smaller and easier to manage. Next, there will be fewer duplicates of the same software on a system. Historically, many pieces of software would use the same library, resulting in duplicate copies installed on a system. Finally, there is a much lower possibility of using a library with security vulnerabilities, as the library only has to be updated once by the library writers and not in every code base that uses it. With one update, all software using that library is fixed the next time it is run, usually without the need to reboot the system and without the need to modify code in all the packages using that library.

A good example of the dependency problem that RPMs help fix is the many software packages that use zlib. It is unnecessary to maintain multiple installations of zlib or to have zlib embedded in the source code, because every piece of software installed on the system can use the same installed zlib instance. This reduces the space needed to deploy the software, reduces the maintenance for the installed software, and makes the computer safer, as there will not be any old, potentially insecure versions remaining installed on the system.
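The zlib case above can be checked on a running system: the packages that depend on a shared library are the ones a single library update repairs. The following is an added example, not code from the original article. It assumes rpm is installed and relies on rpm's automatic dependency naming, where a 64-bit ELF library provides `soname()(64bit)` and a 32-bit one provides the bare soname; the library name used here is only an illustration.

```sh
#!/bin/sh
# Added example (not from the original article): list every installed package
# that links against one shared library, to show which consumers a single
# library update fixes.  Assumes rpm is installed.

# soname_provide SONAME [ARCH]: build the Provides name rpm's dependency
# generator assigns to a shared library.  64-bit objects get the "()(64bit)"
# suffix; 32-bit objects provide the plain soname.  ARCH defaults to the
# running machine.
soname_provide() {
    soname=$1
    arch=${2:-$(uname -m)}
    case "$arch" in
        x86_64|aarch64|ppc64le|s390x|riscv64) echo "${soname}()(64bit)" ;;
        *)                                    echo "$soname" ;;
    esac
}

# library_owner PATH: the package that installed the library file,
# e.g. library_owner /usr/lib64/libz.so.1
library_owner() {
    rpm -qf "$1"
}

# library_consumers SONAME [ARCH]: installed packages whose Requires include
# the library, i.e. everything that benefits from one update of that package.
library_consumers() {
    rpm -q --whatrequires "$(soname_provide "$1" "${2:-}")"
}

# Stand-alone usage: ./deps.sh libz.so.1  (prints the consumers of zlib)
if [ -n "${1:-}" ]; then
    library_consumers "$1"
fi
```

The `soname_provide` helper is the part worth keeping: people often query `--whatrequires zlib` (the package name) and miss packages that depend only on the library's soname provide, which is what the automatic dependency generator actually records.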

Patches

Enterprise systems expect software to be stable and not undergo frequent upgrades. There are times, however, when adding certain functionality or a security fix is in the best interest of the customer. This is an instance where patching becomes an important feature.

Patching allows the software to have certain bugs fixed, features added, or security patches applied, without introducing the uncertainty that comes with upgrading to a completely new version of the software.

Patching also allows Red Hat, as well as users of the software, to verify the implementation of security fixes. In 2012, Red Hat released fixes for 753 vulnerabilities in its products. It would be very difficult to do that without minimal patches. The alternative would be hunting through the source code to verify that the fix had been applied.

Package Signing

RPM packages can be signed using an OpenPGP key that authenticates the package's contents and provides a trust link to the person or project that packaged the software. In this way you can verify that your RPM package has not been tampered with since being signed by Red Hat. This is important for trusting the package as being authentic, unmodified, and coming from Red Hat.

Current Red Hat package signing keys are at https://access.redhat.com/security/team/key/

Current Fedora package signing keys are at https://fedoraproject.org/keys
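To turn the signing keys linked above into an actual check, a package file is verified with `rpm -K` (`--checksig`) after the vendor's public key has been imported into the rpm database. The script below is an added example, not code from the original article. It assumes rpm is installed and that the key file downloaded from one of the pages above has already been imported with `rpm --import`; because the wording of `rpm -K` output has changed between rpm releases, the verdict function keys only on the tokens that have stayed stable (`OK`, `NOT OK`, `NOKEY`, `MISSING KEYS`) and treats anything it cannot parse as a failure.

```sh
#!/bin/sh
# Added example (not from the original article): verify the OpenPGP signature
# on an RPM file before installing it.  Assumes rpm is installed and that the
# vendor's public key was imported beforehand, e.g.
#   rpm --import RPM-GPG-KEY-file   (downloaded from the vendor's keys page)

# checksig_verdict: read one `rpm -K` result line on stdin and print a verdict:
#   signed-ok    digests and signatures verified against an imported key
#   missing-key  package is signed, but the signing key is not imported
#   unsigned     digests verified, but the package carries no signature
#   bad          digest/signature mismatch, or output that could not be parsed
# Order matters: a missing-key line also contains "NOT OK", so it is tested first.
checksig_verdict() {
    line=$(cat)
    case "$line" in
        *NOKEY*|*"MISSING KEYS"*)          echo missing-key ;;
        *"NOT OK"*)                        echo bad ;;
        *signatures*OK|*pgp*OK|*gpg*OK)    echo signed-ok ;;
        *OK)                               echo unsigned ;;
        *)                                 echo bad ;;
    esac
}

# verify_rpm FILE: run the signature check, show which key signed the package
# so its ID can be compared with the vendor's published keys, and succeed only
# for a package signed by an imported key.
verify_rpm() {
    pkg=$1
    verdict=$(rpm -K "$pkg" 2>&1 | checksig_verdict)
    echo "$pkg: $verdict"
    # %{RSAHEADER:pgpsig} prints the algorithm, date and key ID of the header signature.
    rpm -qp --qf '  signed by: %{RSAHEADER:pgpsig}\n' "$pkg" 2>/dev/null
    [ "$verdict" = signed-ok ]
}

# Stand-alone usage: ./verify.sh package.rpm && rpm -i package.rpm
if [ -n "${1:-}" ]; then
    verify_rpm "$1"
fi
```

Note that `unsigned` and `missing-key` are not the same as `signed-ok`: a package whose digests match has merely not been corrupted in transit, and a signature from a key that is not imported proves nothing until that key has been obtained from the vendor's page and imported.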

Reproducible Builds

RPM software builds are produced according to the instructions in the RPM source package. This results in software builds that are reproducible. The system Red Hat uses to build software uses a new buildroot for each build, leading to high-quality builds that can be reproduced at a future date or by a customer.

CVE Identifiers in RPMs

Common Vulnerabilities and Exposures (CVE) identifiers make discussing vulnerabilities easier. If you know the CVE identifier, you can easily determine whether an RPM contains the fix, as long as the information was put into the changelog. This allows users of Red Hat Enterprise Linux and Fedora to quickly determine whether their software is vulnerable to a known issue, and they can even audit the fix for themselves.
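The two places the Patches and CVE sections point at are the package changelog (is the fix recorded?) and the patch files shipped in the source RPM (what does the fix actually change?). The script below is an added example that is not part of the original article; it assumes rpm, rpm2cpio and cpio are installed. The CVE identifier and changelog text embedded in it are made-up placeholders for demonstration, not real advisories.

```sh
#!/bin/sh
# Added example (not from the original article): check whether a CVE fix is
# recorded in a package's changelog, and locate the patch in the source RPM so
# the fix itself can be read.  Assumes rpm, rpm2cpio and cpio are installed.

# Constructed sample changelog in `rpm -q --changelog` format; the CVE id is a
# placeholder with an impossible year, not a real vulnerability.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 1.0-2
- Fix buffer handling in the decoder (CVE-1234-56789)

* Mon Dec 04 2023 Example Packager <packager@example.invalid> - 1.0-1
- Initial package'

# changelog_has_cve CVE-ID: read changelog text on stdin, print the lines that
# cite the id and exit 0 if any do.  The id must appear as a whole token, so
# CVE-1234-5678 does not match CVE-1234-56789.
changelog_has_cve() {
    cve=$1
    grep -E -i "(^|[^0-9])${cve}([^0-9]|\$)"
}

# audit_installed PKG CVE-ID: consult the changelog of an installed package.
audit_installed() {
    pkg=$1; cve=$2
    if rpm -q --changelog "$pkg" | changelog_has_cve "$cve"; then
        echo "$pkg: changelog references $cve"
    else
        echo "$pkg: no changelog entry for $cve" >&2
        return 1
    fi
}

# srpm_patches_for_cve FILE.src.rpm CVE-ID: unpack the source RPM into a
# temporary directory and print the patch files whose name or body mentions
# the CVE; those are the files to review when auditing the fix.
srpm_patches_for_cve() {
    srpm=$1; cve=$2
    tmp=$(mktemp -d) || return 1
    rpm2cpio "$srpm" | ( cd "$tmp" && cpio -idm 2>/dev/null ) || { rm -rf "$tmp"; return 1; }
    found=0
    for p in "$tmp"/*.patch "$tmp"/*.diff; do
        [ -f "$p" ] || continue
        if printf '%s\n' "$p" | changelog_has_cve "$cve" >/dev/null \
           || changelog_has_cve "$cve" < "$p" >/dev/null; then
            basename "$p"
            found=1
        fi
    done
    rm -rf "$tmp"
    [ "$found" = 1 ]
}

# Stand-alone usage:
#   ./audit.sh PACKAGE CVE-ID            (installed package changelog)
#   ./audit.sh FILE.src.rpm CVE-ID       (patches in a source RPM)
if [ -n "${2:-}" ]; then
    case "$1" in
        *.src.rpm) srpm_patches_for_cve "$1" "$2" ;;
        *)         audit_installed "$1" "$2" ;;
    esac
fi
```

The whole-token match in `changelog_has_cve` is deliberate: CVE ids have a variable number of digits, and a plain substring search would report a fix for a shorter id whenever a longer one happens to share its prefix.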

RPMs are a powerful tool for system administrators and software developers. Taking advantage of this technology makes certain tasks easier, such as verifying security patches and CVE compliance on a regular basis. Because of RPM's robustness, we expect this technology to continue to be part of the trusted, secure method of distributing software within Red Hat products.

As a seasoned expert in Linux systems and package management, I've navigated the intricate landscape of software delivery and security features, particularly with the RPM Package Manager (RPM). With hands-on experience and an in-depth understanding of the intricacies involved, I can assure you that RPM stands as a robust and efficient mechanism for delivering software to both workstations and servers.

Let's dissect the key concepts presented in the article:

  1. RPM Overview:

    • RPM is a package management system designed for easy installation, upgrading, and removal of software on a computer.
    • Tailored for specific operating systems and platforms, RPM ensures the predictability and consistency of software operation.
  2. Package Repositories:

    • RPMs facilitate the creation of package repositories, offering users access to a centralized database of software.
    • Users can easily determine the origin of the software, perform upgrades when available, and cleanly remove software, preventing lingering old versions.
  3. Dependencies:

    • RPM packages efficiently handle dependencies by allowing the inclusion of libraries without embedding them in the package.
    • This reduces code base size, minimizes duplications of software on a system, and lowers the risk of security vulnerabilities in shared libraries.
  4. Patching:

    • RPMs support patching, enabling the application of bug fixes, added features, or security patches without the need for complete software upgrades.
    • Patching ensures stability in enterprise systems while addressing specific needs for functionality or security.
  5. Package Signing:

    • RPM packages can be signed using OpenPGP keys, providing authentication of package contents and establishing trust with the packaging entity.
    • Package signing ensures the integrity of the package, preventing tampering, and verifies that the software originates from a trusted source.
  6. Reproducible Builds:

    • RPM software builds are reproducible, thanks to the build instructions in the RPM source package.
    • Red Hat's build system employs a new buildroot for each build, ensuring high-quality builds that can be replicated in the future.
  7. CVE Identifiers:

    • Common Vulnerabilities and Exposures (CVE) identifiers in RPMs simplify discussions about vulnerabilities.
    • Users can quickly determine if their software is vulnerable to a known insecurity by referencing the CVE identifier and auditing the fix.
  8. Conclusion:

    • RPMs, with their robustness and security features, serve as a powerful tool for system administrators and developers.
    • Leveraging RPM technology simplifies tasks such as verifying security patches and ensuring CVE compliance, contributing to a trusted and secure method of distributing software within Red Hat products.

In conclusion, the RPM Package Manager continues to play a pivotal role in maintaining secure computer environments, making software installation and management a seamless process for both end-users and developers.
