rpminspect - Man Page

compare package builds


rpminspect [ Options ] before_build [ after_build ]


rpminspect is a tool designed to help developers maintain build policy compliance and consistency among releases.  The tool is intended to provide output alerting the developer to any changes in the built packages that significantly differ from a previous build; the implication being the previous build has already been made available to users.

rpminspect originated at Red Hat as an auditing tool used to ensure builds complied with certain release rules and policies.  Over time it grew to incorporate other checks, such as making sure debugging symbols are accurate.  Users are encouraged to contribute tests for new functionality as well as bug fixes.

The software is made available as this command line program and an accompanying library.  This is intentional.  Our findings over time have shown that simple tools with a flexible design are more easy to integrate in to continuous integration systems.  The library allows development of other frontends should anyone ever be interested in that.  The thought is that most developers will interact with rpminspect through the command line.  Everything about an rpminspect run is configurable at runtime through command line options as well as a configuration file.  The command line options override the configuration file which overrides the compiled in defaults.


-c FILE, --config=FILE

Configuration file to use (default: /etc/rpminspect/rpminspect.yaml)

-p NAME, --profile=NAME

Configuration profile to use.  A configuration profile provides overrides to the main configuration file.  The idea is the main configuration is loaded, then if you specify a profile name rpminspect will load that configuration file and any values specified will override what came from the default configuration file.  Think of the main configuration file as the common one and profile configuration files are optional overlays.

The format of a profile configuration file is the same as rpminspect.yaml, just call it NAME.yaml and place it in /etc/rpminspect/profiles).  For example, the profile 'scl' should have a configuration file named /etc/rpminspect/profiles/scl.yaml.

-r STR, --release=STR

String identifying the product release for the specified build or builds. Normally rpminspect will determine this by looking for a "dist tag" at the end of the NVR.  For build comparisons, the determined product releases must match in order for rpminspect to continue.  If you want to compare builds from different products, you will need to specify a product release manually.  You will also need to specify the product release if the builds you are comparing lack any kind of product release identifier at the end of the NVR.

-T LIST, --tests=LIST

If specified, this option assumes all inspections are disabled except the names of the ones you specify with this option.  Specify a comma-separated list of inspections to run (default: ALL).  The names of available inspections can be found with the -l option.  You can also specify the name ALL to explicitly say run all inspections.  NOTE:  This option is mutually exclusive with the -E option.

-E LIST, --exclude=LIST

If specified, this option assumes all inspections are enabled except the names of the ones you specify with this option.  Specify a comma-separated list of inspections to skip (default: none).  The names of available inspections can be found with the -l option.  You can also specify the name ALL to explicitly say skip all inspections, though that makes the program do nothing.  NOTE:  This option is mutually exclusive with the -T option.

-l, --list

List available output formats and inspections

-a LIST, --arches=LIST

Comma-separated list of architectures to inspect packages on.  By default rpminspect will gather all available architectures for the builds you specify, but you may want to restrict a run to just x86_64 or just aarch64.  You can do that with this option.  If you do specify this option, be sure to include the 'src' architecture to inspect source packages.  The architectures you list here are validated against the available architectures in the Koji hub and any invalid ones will report an error.

-o FILE, --output=FILE

Write the results to the name output file.  By default, results go to stdout.

-F TYPE, --format=TYPE

Write the inspection results in the TYPE format.  The default format is text.  Available formats can be seen with the -l option.

-w PATH, --workdir=PATH

Temporary working directory to use (default: /var/tmp/rpminspect).  You can specify a tilde (~) character in the PATH specification and rpminspect will expand it.  Keep in mind that the PATH you specify with ~ must exist in order for expansion to work.

-t TAG, --threshold=TAG

Result threshold that triggers a non-zero exit code.  By default this is VERIFY, which maps to a result code seen in the output.  You can set this to any of the valid result codes.  Available result codes are OK, INFO, WAIVED, VERIFY, or BAD.  The argument expects the result threshold specified as a string.  Case does not matter.

-f, --fetch-only

Only download builds, do not perform any inspections (implies -k). This option is intended as a convenience for developers as well as for easier integration in to different CI workflows.  Note that this option does not change the working directory (-w) to the current working directory.  If this is undesirable, use the -w option to set it to a different location.  For example, to download to the current working directory you can pass "-w $(pwd)".

-k, --keep

Do not remove temporary working files before exit.

-d, --debug

Enable debugging mode.  This mode generates additional output on stdout and stderr.

-v, --verbose

Verbose inspection output.  By default, only warnings or failures are reported.  This option also displays informational findings.  Use this mode with -l to display long descriptions of output formats and inspections.

-?, --help

Display usage information.

-V, --version

Display version information.


rpminspect requires very little to run.  Assuming you meet the runtime requirements to either build the software from source or you have installed it on your operating system, you are ready to use it.  The only required argument is a build, which we will call the after_build.  It is possible to run rpminspect against a single build and perform the policy checks against the packages in it.  If two builds are specified, the policy checks are performed, but the builds are also compared.

Use the -l option to list available inspections.  By default, all inspections will be run.  You can restrict the program to a subset of inspections by listing their short names and separating them with commas (no spaces).  Or you can list inspections to skip by listing the short name prefixed with a `!' in the same comma-delimited list.

Builds may be local RPM packages, regular Koji builds specified using Koji syntax (the NVR or name, version, and release of a package with hyphens separating each part), Koji module builds, locally cached Koji builds (regular or module), Koji scratch builds, or locally cached Koji scratch builds.  Any valid Koji build identifier works when specifying Koji builds, such as the build ID number or the package NVR.  The only exception to this rule is scratch builds.  You must use the Koji task ID number for scratch builds.  For more information on Koji build specification, please see the Koji documentation.

If you specify a directory tree containing the output of a properly structured Koji build, rpminspect can use that directly.  This may be useful for multiple runs of rpminspect against a specific previous build where you are trying to fix something in a new build compared against the old one.

Local RPM packages may be specified directly too if you just want to use rpminspect on a single RPM.  You may specify a single RPM package or two if you want rpminspect to perform the comparison inspections.


rpminspect -T ALL -k zlib-1.2.7-1.fc29 zlib-1.2.7-2.fc29

rpminspect -T license,elfsyms perl-5.28.0-47.fc6 perl-5.28.1-1.fc6

rpminspect -T !manpage x3270-3.6ga5-6.fc31 x3270-3.6ga6-1.fc31

rpminspect -T ALL -a ppc64le zsh-5.7.1-3.fc31 zsh-5.7.1-4.fc31

rpminspect -E disttag -a ppc64le zsh-5.7.1-3.fc31 zsh-5.7.1-4.fc31

The end result of running rpminspect is a report on standard output explaining what was found.  Descriptions of actions developers can take are provided in the findings.

See Also



David Cantrell <dcantrell@redhat.com>


February 2019 Red Hat