git.stella-ops.org/docs-archived/product/advisories/02-Dec-2025 - Handle RPM versions with EVR tuples.md
2026-01-08 09:06:03 +02:00

Here's a quick heads-up that saves a ton of pain when sorting package versions on RHEL/Fedora/SUSE-style systems: never compare RPM versions as plain strings. RPM compares EVR (Epoch:Version-Release) left to right, and if epochs differ, it stops right there. A missing epoch is treated as 0. Backports (e.g., old Version with higher Release) and vendor epochs will break naive compares. Use an rpmvercmp-equivalent and persist versions as a 3-tuple (epoch, version, release). (RPM)

Why this matters

  • 1:1.0-1 > 0:2.0-100 because 1 (epoch) beats everything after. (RPM)
  • Fedora/Red Hat guidelines explicitly say EVR ordering governs upgrade paths; epochs are the most significant input and shouldn't be removed once added. (Fedora Docs)

Correct approach (any language)

  • Parse to NEVRA (Name, Epoch, Version, Release, Arch), then compare by EVR using rpm's algorithm; don't roll your own string logic. (Docs.rs)
  • If you can't link against librpm, use a well-known rpmvercmp implementation for your stack. Python and PHP have ready helpers. (PyPI)

Drop-in options

  • Python: rpm-vercmp (pure Python) for EVR compares. Store epoch as int (default 0), version/release as strings, and call the comparator. (PyPI)
  • .NET/C#: no official rpmvercmp, but mirror the spec: split EVR, compare epochs numerically; for version/release, compare segment-by-segment using rpm rules (alphanumeric runs; numeric segments compare as integers; tildes sort before anything, etc.). (Spec summary in rpm-version(7).) (RPM)
  • Rust/Go: model NEVRA (existing crates/docs show structure) and wire a comparator consistent with rpmvercmp. (Docs.rs)

Practical tips for your pipelines

  • Persist EVR, not strings like “1.2.3-4.el9”. Keep epoch explicitly; don't drop 0. (Fedora Docs)
  • Normalize inputs (e.g., from rpm -q vs repoquery) so missing epochs don't cause mismatches. (CPAN)
  • Backport-aware sorting: rely on EVR, not semver. Semver comparisons will misorder distro backports. (Fedora docs highlight EVR as authoritative.) (Red Hat Docs)
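
The rules above (epoch first, then segment-wise compare of version and release, tilde before anything, missing epoch normalized to 0) as an added Python example; it is not code from this advisory, from rpm, or from the rpm-vercmp package. It also handles the caret marker that current rpm recognizes, which the text above does not mention; the names `EVR`, `parse_evr`, `rpmvercmp`, `evr_cmp`, `sort_evr` and the sample strings are constructed for illustration.

```python
import re
from collections import namedtuple
from functools import cmp_to_key

EVR = namedtuple("EVR", "epoch version release")  # the 3-tuple to persist
_SEP = re.compile(r"[^A-Za-z0-9~^]*")  # separators only delimit segments
_NUM, _ALPHA = re.compile(r"[0-9]*"), re.compile(r"[A-Za-z]*")

def parse_evr(s):
    """Split '[epoch:]version[-release]'; a missing epoch becomes 0."""
    epoch, _, rest = s.rpartition(":")
    version, dash, release = rest.rpartition("-")
    return EVR(int(epoch or 0), version if dash else rest, release if dash else "")

def rpmvercmp(a, b):
    """Compare two version (or two release) strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]  # "" once a string is exhausted
        if ca in ("~", "^") and ca == cb:  # same marker on both sides: step over it
            i, j = i + 1, j + 1
            continue
        if "~" in (ca, cb):  # '~' sorts before everything, even end of string
            return -1 if ca == "~" else 1
        if "^" in (ca, cb) and ca and cb:  # '^' sorts before any real segment
            return -1 if ca == "^" else 1
        if not ca or not cb:  # one side ran out: whichever has text left is newer
            break
        pat, conv = (_NUM, int) if ca.isdigit() else (_ALPHA, str)
        ea, eb = pat.match(a, i).end(), pat.match(b, j).end()
        if eb == j:  # segment types differ: the numeric one is newer
            return 1 if pat is _NUM else -1
        sa, sb = conv(a[i:ea]), conv(b[j:eb])  # integer compare: "010" == "10"
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ea, eb
    return (i < len(a)) - (j < len(b))

def evr_cmp(x, y):
    """Epoch decides first; version, then release, only break ties."""
    return ((x.epoch > y.epoch) - (x.epoch < y.epoch)
            or rpmvercmp(x.version, y.version) or rpmvercmp(x.release, y.release))

# Constructed sample input, mixing explicit and omitted epochs.
SAMPLE = ["2.0-100", "1:1.0-1", "1.10-1.el9", "1.9-3.el9", "1.10~rc1-1.el9"]

def sort_evr(strings):
    return sorted(map(parse_evr, strings), key=cmp_to_key(evr_cmp))
```

A plain `sorted(SAMPLE)` puts `2.0-100` last and `1.9-3.el9` after `1.10-1.el9`; `sort_evr(SAMPLE)` puts the epoch-1 package last and orders 1.9 before 1.10~rc1 before 1.10.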

If you want, I can sketch a tiny C# RpmEvrComparer tailored to your .NET 10 repos and wire it into your SBOM/VEX flows so Feedser/Vexer sort updates correctly.