stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

product advisories add change contiang folder

Browse Source
This commit is contained in:
Codex Assistant
2026-01-08 09:06:03 +02:00
parent ae6968d23f
commit 8f0320edd5
599 changed files with 1110 additions and 565 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs-archived/product/advisories/02-Dec-2025 - Handle RPM versions with EVR tuples.md Normal file
View File

@@ -0,0 +1,32 @@
Heres a quick headsup that saves a *ton* of pain when sorting package versions on RHEL/Fedora/SUSEstyle systems: **never compare RPM versions as plain strings.** RPM compares **EVR**`Epoch:Version-Release` — lefttoright, and if epochs differ, it stops right there. Missing epoch is treated as `0`. Backports (e.g., old Version with higher Release) and vendor epochs will break naive compares. Use an **rpmvercmpequivalent** and persist versions as a 3tuple `(epoch, version, release)`. ([RPM][1])
**Why this matters**
* `1:1.0-1` **>** `0:2.0-100` because `1` (epoch) beats everything after. ([RPM][1])
* Fedora/Red Hat guidelines explicitly say EVR ordering governs upgrade paths; epochs are the most significant input and shouldnt be removed once added. ([Fedora Docs][2])
**Correct approach (any language)**
* Parse to **NEVRA** (Name, Epoch, Version, Release, Arch), then compare by **EVR** using rpms algorithm; dont roll your own string logic. ([Docs.rs][3])
* If you cant link against librpm, use a wellknown **rpmvercmp** implementation for your stack. Python and PHP have ready helpers. ([PyPI][4])
**Dropin options**
* **Python**: `rpm-vercmp` (pure Python) for EVR compares. Store `epoch` as int (default `0`), `version`/`release` as strings, and call the comparator. ([PyPI][4])
* **.NET/C#**: no official rpmvercmp, but mirror the spec: split EVR, compare epochs numerically; for `version`/`release`, compare segmentbysegment using rpm rules (alphanumeric runs; numeric segments compare as integers; tildes sort before anything, etc.). (Spec summary in rpmversion(7).) ([RPM][1])
* **Rust/Go**: model NEVRA (existing crates/docs show structure) and wire a comparator consistent with rpmvercmp. ([Docs.rs][3])
**Practical tips for your pipelines**
* **Persist EVR**, not strings like `“1.2.3-4.el9”`. Keep `epoch` explicitly; dont drop `0`. ([Fedora Docs][2])
* **Normalize inputs** (e.g., from `rpm -q` vs `repoquery`) so missing epochs dont cause mismatches. ([CPAN][5])
* **Backportaware sorting**: rely on EVR, *not* semver. Semver comparisons will misorder distro backports. (Fedora docs highlight EVR as authoritative.) ([Red Hat Docs][6])
If you want, I can sketch a tiny C# `RpmEvrComparer` tailored to your .NET 10 repos and wire it into your SBOM/VEX flows so Feedser/Vexer sort updates correctly.
[1]: https://rpm.org/docs/6.0.x/man/rpm-version.7?utm_source=chatgpt.com "rpm-version(7)"
[2]: https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/?utm_source=chatgpt.com "Versioning Guidelines - Fedora Docs"
[3]: https://docs.rs/rpm/latest/rpm/struct.Nevra.html?utm_source=chatgpt.com "Nevra in rpm - Rust"
[4]: https://pypi.org/project/rpm-vercmp/?utm_source=chatgpt.com "rpm-vercmp"
[5]: https://www.cpan.org/modules/by-module/RPM/RPM-NEVRA-v0.0.5.readme?utm_source=chatgpt.com "RPM-NEVRA-v0.0.5.readme"
[6]: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/packaging_and_distributing_software/packaging-software?utm_source=chatgpt.com "Chapter 6. Packaging software"