1RPMINSPECT(1) Red Hat RPMINSPECT(1)
3
7 rpminspect - compare package builds
8
10 rpminspect [ OPTIONS ] before_build [ after_build ]
11
13 rpminspect is a tool designed to help developers maintain build policy
14 compliance and consistency among releases. The tool is intended to
15 provide output alerting the developer to any changes in the built pack‐
16 ages that significantly differ from a previous built; the implication
17 being the previous build has already been made available to users.
18 rpminspect originated at Red Hat as an auditing tool used by the QA
20 department to ensure builds complied with certain release rules and
21 policies. Over time it grew to incorporate other checks, such as mak‐
22 ing sure debugging symbols are accurate. Users are encourage to con‐
23 tribute tests for new functionality as well as bug fixes.
24 The software is made available as this command line program and an
26 accompanying library. This is intentional. Our findings over time
27 have shown that simple tools with a flexible design are more easy to
28 integrate in to continuous integration systems. The library allows
29 development of other frontends should anyone ever be interested in
30 that. The thought is that most developers will interact with rpmin‐
31 spect through the command line. Everything about an rpminspect run is
32 configurable at runtime through command line options as well as a con‐
33 figuration file. The command line options override the configuration
34 file which overrides the compiled in defaults.
35
37 -c FILE, --config=FILE
38 Configuration file to use (default: /etc/rpminspect/rpmin‐
39 spect.conf)
40 -r STR, --release=STR
42 String identifying the product release for the specified build
43 or builds. Normally rpminspect will determine this by looking
44 for a "dist tag" at the end of the NVR. For build comparisons,
45 the determined product releases must match in order for rpmin‐
46 spect to continue. If you want to compare builds from different
47 products, you will need to specify a product release manually.
48 You will also need to specify the product release if the builds
49 you are comparing lack any kind of product release identifier at
50 the end of the NVR.
51 -T LIST, --tests=LIST
53 If specified, this option assumes all inspections are disabled
54 except the names of the ones you specify with this option.
55 Specify a comma-separated list of inspections to run (default:
56 ALL). The names of available inspections can be found with the
57 -l option. You can also specify the name ALL to explicitly say
58 run all inspections. NOTE: This option is mutually exclusive
59 with the -E option.
60 -E LIST, --exclude=LIST
62 If specified, this option assumes all inspections are enabled
63 except the names of the ones you specify with this option.
64 Specify a comma-separated list of inspections to skip (default:
65 none). The names of available inspections can be found with the
66 -l option. You can also specify the name ALL to explicitly say
67 skip all inspections, though that makes the program do nothing.
68 NOTE: This option is mutually exclusive with the -T option.
69 -l, --list
71 List available output formats and inspections
72 -a LIST, --arches=LIST
74 Comma-separated list of architectures to inspect packages on.
75 By default rpminspect will gather all available architectures
76 for the builds you specify, but you may want to restrict a run
77 to just x86_64 or just aarch64. You can do that with this
78 option. If you do specify this option, be sure to include the
79 'src' architecture to inspect source packages. The architec‐
80 tures you list here are validated against the available archi‐
81 tectures in the Koji hub and any invalid ones will report an
82 error.
83 -o FILE, --output=FILE
85 Write the results to the name output file. By default, results
86 go to stdout.
87 -F TYPE, --format=TYPE
89 Write the inspection results in the TYPE format. The default
90 format is text. Available formats can be seen with the -l
91 option.
92 -w PATH, --workdir=PATH
94 Temporary working directory to use (default: /var/tmp/rpmin‐
95 spect). You can specify a tilde (~) character in the PATH spec‐
96 ification and rpminspect will expand it. Keep in mind that the
97 PATH you specify with ~ must exist in order for expansion to
98 work.
99 -t TAG, --threshold=TAG
101 Result threshold that triggers a non-zero exit code. By default
102 this is VERIFY, which maps to a result code seen in the output.
103 You can set this to any of the valid result codes. Available
104 result codes are OK, INFO, WAIVED, VERIFY, or BAD. The argument
105 expects the result threshold specified as a string. Case does
106 not matter.
107 -f, --fetch-only
109 Only download builds, do not perform any inspections (implies
110 -k). This option is intended as a convenience for developers as
111 well as for easier integration in to different CI workflows.
112 Note that this option sets the working directory (-w) to the
113 current working directory. If this is undesirable, use the -w
114 option to set it to a different location.
115 -k, --keep
117 Do not remove temporary working files before exit
118 -v, --verbose
120 Verbose inspection output. By default, only warnings or fail‐
121 ures are reported. This option also displays informational
122 findings.
123 -?, --help
125 Display usage information
126 -V, --version
128 Display version information
129
131 rpminspect requires very little to run. Assuming you meet the runtime
132 requirements to either build the software from source or you have
133 installed it on your operating system, you are ready to use it. The
134 only required argument is a build, which we will call the after_build.
135 It is possible to run rpminspect against a single build and perform the
136 policy checks against the packages in it. If two builds are specified,
137 the policy checks are performed, but the builds are also compared.
138 Use the -l option to list available inspections. By default, all
140 inspections will be run. You can restrict the program to a subset of
141 inspections by listing their short names and separating them with com‐
142 mas (no spaces). Or you can list inspections to skip by listing the
143 short name prefixed with a `!' in the same comma-delimited list.
144 Builds may be local RPM packages, regular Koji builds specified using
146 Koji syntax (the NVR or name, version, and release of a package with
147 hyphens separating each part), Koji module builds, locally cached Koji
148 builds (regular or module), Koji scratch builds, or locally cached Koji
149 scratch builds. Any valid Koji build identifier works when specifying
150 Koji builds, such as the build ID number or the package NVR. The only
151 exception to this rule is scratch builds. You must use the Koji task
152 ID number for scratch builds. For more information on Koji build spec‐
153 ification, please see the Koji documentation.
154 If you specify a directory tree containing the output of a properly
156 structured Koji build, rpminspect can use that directly. This may be
157 useful for multiple runs of rpminspect against a specific previous
158 build where you are trying to fix something in a new build compared
159 against the old one.
160 Local RPM packages may be specified directly too if you just want to
162 use rpminspect on a single RPM. You may specify a single RPM package
163 or two if you want rpminspect to perform the comparison inspections.
164 Examples:
166 rpminspect -T ALL -k zlib-1.2.7-1.fc29 zlib-1.2.7-2.fc29
168 rpminspect -T license,elfsyms perl-5.28.0-47.fc6
170 perl-5.28.1-1.fc6
171 rpminspect -T !manpage x3270-3.6ga5-6.fc31 x3270-3.6ga6-1.fc31
173 rpminspect -T ALL -a ppc64le zsh-5.7.1-3.fc31 zsh-5.7.1-4.fc31
175 rpminspect -E disttag -a ppc64le zsh-5.7.1-3.fc31
177 zsh-5.7.1-4.fc31
178 The end result of running rpminspect is a report on standard output
180 explaining what was found. Descriptions of actions developers can take
181 are provided in the findings.
182
184 rpm(8)
185
187 David Cantrell <dcantrell@redhat.com>
188rpminspect February 2019 RPMINSPECT(1)