The Security Benefits of RPM Packaging

April 25, 2013
Eric Christensen
Related topics:
Linux, Security
Related products:
Red Hat Enterprise Linux

    RPM Package Manager (RPM) was created to deliver software to workstations and servers. Besides being an efficient software delivery mechanism, RPM also provides security features that assist system administrators with managing their software and trusting the code that is going into their infrastructure.

    What is an RPM?

    RPM is a package management system that bundles software source code or binaries together for easy installation on a computer. The installed files are tracked in the RPM database, which allows for easy installation, upgrading, and removal. Since RPMs are built specifically for the operating system and platform they are installed on, the software is expected to operate in a predictable and consistent manner.

    RPMs not only make it easy for the user to install software on their computer but also for the developer to deliver the software. RPMs make it easy to pull in dependencies (other bits of code needed by the software to function properly) and to provide updates to the software in question. The ability to apply patches for security fixes makes RPMs an especially good tool for maintaining secure computer environments, as code fixes can easily be verified by system administrators prior to installation.

    Package repositories can also be set up to give users access to a central database of software that is easily installed. The user can determine where the software originated and, once it is installed, is prompted to perform upgrades when updates become available in the repository. The user can remove the software at any time, and the RPM installer will automatically clean up the installation, preventing old versions of the software from persisting on the system, where they could be used by mistake or expose the user to flaws or exploits. Removing unused software reduces potential attack vectors, and because RPM makes it easy to remove unused software, users are much more likely to do so.

    Dependencies

    Dependencies in RPM packages allow a piece of software to use libraries without including those libraries in the package itself. This has several benefits for both the maintainer of the package and the user of the software. First, it makes the code base smaller: with fewer lines of code to maintain, the overall package will be smaller and easier to manage. Next, there will be fewer duplicates of the same software on a system. Historically, many pieces of software would each ship their own copy of the same library, resulting in duplicates installed on a system. Finally, there is a much lower chance of running a library with known security vulnerabilities, as the library only has to be updated once by the library's maintainers rather than in every code base that uses it. With one update, all software using that library is fixed the next time it is started, usually without the need to reboot the system and without modifying code in any of the packages that use the library.

    A good example of the dependency problem that RPMs help fix is the many software packages that use zlib. It is unnecessary to maintain multiple installations of zlib or to have zlib embedded in the source code, because every piece of software installed on the system can use the same installed zlib instance. This reduces the space needed to deploy the software, reduces the maintenance burden for the installed software, and makes the computer safer, as no old, potentially insecure copies of the library remain installed on the system.

    Patches

    Enterprise systems expect software to be stable and not undergo frequent upgrades. There are times, however, when adding certain functionality or a security fix is in the best interest of the customer. This is an instance where patching becomes an important feature.

    Patching allows the software to have certain bugs fixed, features added, or security patches applied, without introducing the uncertainty that comes with upgrading to a completely new version of the software.

    Patching also allows Red Hat, as well as users of the software, to verify the implementation of security fixes. In 2012, Red Hat released fixes for 753 vulnerabilities in its products. It would be very difficult to do that without minimal patches. The alternative would be hunting through the source code to verify that the fix had been applied.

    Package Signing

    RPM packages can be signed with an OpenPGP key. The signature authenticates the package's contents and provides a trust link to the person or project that packaged the software. In this way you can verify that your RPM package has not been tampered with since it was signed by Red Hat. This is important for trusting the package as being authentic, unmodified, and coming from Red Hat.

    Current Red Hat package signing keys are at https://access.redhat.com/security/team/key/

    Current Fedora package signing keys are at https://fedoraproject.org/keys
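    The following shell example is added here and is not from the original article. It shows the real rpm commands for importing a vendor key and checking a package (in comments and the check_rpm_dir helper), and classifies `rpm -K` output so that an unsigned package is not mistaken for a verified one; the sample output lines are constructed, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article.  Key import and signature
# checks use the standard rpm tool (the commands in these comments are real):
#   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release   # trust the vendor key
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'  # list keys
#   rpm -K foo.rpm                                              # check one package
# Caveat: `rpm -K` exits 0 for an UNSIGNED package ("digests OK"), so the exit
# status alone does not prove the package was signed.  The classifier below
# only accepts the "signatures OK" verdict.

# Classify one line of `rpm -K` output.  Prints SIGNED, UNSIGNED, BAD or
# UNKNOWN; returns 0 only for SIGNED (signature present and verified by an
# imported key).  Handles rpm >= 4.14 ("digests signatures OK") and the older
# "rsa sha1 (md5) pgp md5 OK" format.
rpm_sig_status() {
    case "$1" in
        *"NOT OK"*)                    echo BAD;      return 2 ;;
        *" signatures OK"|*" pgp "*OK|*" gpg "*OK)
                                       echo SIGNED;   return 0 ;;
        *" digests OK"|*" sha1 md5 OK") echo UNSIGNED; return 1 ;;
        *)                             echo UNKNOWN;  return 3 ;;
    esac
}

# Check every .rpm under a directory (needs rpm installed); print one verdict
# per file and return non-zero if any file is not SIGNED.
check_rpm_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        verdict=$(rpm_sig_status "$(rpm -K "$f" 2>&1)") || rc=1
        printf '%s\t%s\n' "$verdict" "$f"
    done
    return "$rc"
}

# Demo on constructed sample lines (not captured from a real system).
SAMPLE_RPM_K='pkg-a-1.0-1.el8.x86_64.rpm: digests signatures OK
pkg-b-2.0-1.el8.x86_64.rpm: digests OK
pkg-c-3.0-1.el8.x86_64.rpm: digests SIGNATURES NOT OK'
printf '%s\n' "$SAMPLE_RPM_K" | while IFS= read -r line; do
    printf '%s\t%s\n' "$(rpm_sig_status "$line")" "${line%%:*}"
done
```

A package signed with a key that has not been imported also reports "SIGNATURES NOT OK", so import the vendor key from the pages linked above before treating a BAD verdict as tampering.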

    Reproducible Builds

    RPM software builds are produced according to the instructions in the RPM source package. This results in software builds that are reproducible. The system Red Hat uses to build software uses a new buildroot for each build, leading to high-quality builds that can be reproduced at a future date or by a customer.

    CVE Identifiers in RPMs

    Common Vulnerabilities and Exposures (CVE) identifiers make discussing vulnerabilities easier. If you know the CVE identifier, you can easily determine whether an RPM contains the fix, as long as that information was put into the package changelog. This allows users of Red Hat Enterprise Linux and Fedora to quickly determine whether their software is vulnerable to a known issue and even to audit the fix for themselves.
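    The following shell example is added here and is not from the original article. It parses `rpm -q --changelog` output and maps each CVE identifier to the package version whose changelog entry mentions it; the changelog text and the CVE identifiers (CVE-9999-*) are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article.  On a real system feed it the
# actual changelog:   rpm -q --changelog openssl | changelog_cves
# Caveat from the article: a CVE is only findable this way if the packager
# recorded it in the changelog, so a miss means "unknown", not "vulnerable".

# Read changelog text on stdin and print "CVE-ID<TAB>EVR" for every CVE
# mentioned, where EVR is the version-release taken from the
# "* <date> <author> - <evr>" header of the entry containing the mention.
# Output is sorted and deduplicated.  (Assumes headers end in the EVR, as
# rpm changelogs conventionally do.)
changelog_cves() {
    awk '
        /^\* / { evr = $NF }      # entry header: last field is the EVR
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+/)) {
                print substr(line, RSTART, RLENGTH) "\t" evr
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Return 0 if CVE id $2 is mentioned anywhere in changelog text $1.
has_cve_fix() {
    printf '%s\n' "$1" | changelog_cves | cut -f1 | grep -qxF "$2"
}

# Constructed changelog (not from a real package; CVE-9999-* are placeholders).
SAMPLE_CHANGELOG='* Tue Mar 05 2013 Example Packager <packager@example.com> - 1.2.7-1
- Resolves: CVE-9999-0001 CVE-9999-0002 (input validation fixes)
- Refresh test suite
* Mon Jan 07 2013 Example Packager <packager@example.com> - 1.2.6-1
- Initial package'

printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_cves
for id in CVE-9999-0001 CVE-9999-0003; do
    if has_cve_fix "$SAMPLE_CHANGELOG" "$id"; then
        echo "$id: fix recorded in changelog"
    else
        echo "$id: not mentioned (check the package errata)"
    fi
done
```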

    RPMs are a powerful tool for system administrators and software developers. Taking advantage of this technology makes certain tasks easier, such as verifying security patches and CVE compliance on a regular basis. Because of RPM's robustness, we expect this technology to continue to be part of the trusted, secure method of distributing software within Red Hat products.

    Last updated: September 1, 2016
