A primer into software package management using RPM

published Nov 14, 2007, last modified Jun 26, 2013

Since apparently my last article ignited a small flamewar, let's talk a bit about package management in RPM-based distros. Yeah, Fedora, Red Hat, SuSE, Mandrake, those. And when I say package management, all I mean is software installation, really.

This will be a command-line tutorial-style article, and we're gonna get down to basics, so no GUIs or automated installations from the Internet (automated dependency management) here. I will, however, make a recommendation as to which dependency management system you should use, because nowadays it would be rather insane to do the following work manually -- except for very particular cases in which this tutorial will come in very handy.

Installing packages

You want new software? You have to install it. First you download it from the 'Net (you're gonna be looking for a file ending in .rpm), then you install it on your system. As simple as that... in theory.

The basic installation operation in RPM is rpm -i packagename-x.y.z.rpm. I tend to combine it with the -vh arguments which cause a progress bar to appear, and verbose messages to be printed onscreen for a variety of operations within the transaction.

Transaction. With RPM, to ensure the integrity of your computer, either the package installation happens, or it doesn't happen at all. If you request to install 450 packages in a single command (which you could easily do), and one of them cannot be fit into the system, the transaction fails and your system remains untouched. Reasons for a failure may include that:

  • the package you requested to install is already installed, whether the installed one is an older or a newer version
  • the package would trample on files owned by another installed package
  • the package is bad
  • the package requires another package or set of packages installed beforehand -- this is called a dependency

All of those reasons, and a couple more, could leave your system broken if RPM were actually to go through with installation. Therefore, RPM stops when it detects any of these conditions.


Unless you augment the command with the --force argument. Trust me when I say this: if RPM is refusing to install a package, under no circumstances should you use --force even if you badly need to. RPM is probably much better informed than you are as to what the system actually needs to continue functioning properly, and you should trust it. --force is only handy when you're absolutely sure of how the different related components of your system relate to each other.

Upgrades and downgrades

We see that rpm -i will fail if you attempt to install a newer or an older version:

  • If you really need to downgrade, you can always append --oldpackage to the command line, and if the integrity checks are A-OK, RPM will downgrade a package for you.
  • Conversely, if you want to upgrade, you use rpm -U instead of rpm -i. As a matter of fact, rpm -U will both install and upgrade packages happily, so you can just use rpm -U most of the time, and forget about -i.

RPM will also, in the spirit of keeping your system as pure and functional as possible, refuse to overwrite configuration files you have customized. It will, however, deposit the new version in the folder where it was meant to live, with a .rpmnew extension appended to the file name -- so you can use the standard find command to locate and inspect these config files and see if they bring anything new and useful to the table.

Controlled mass upgrades of what you already have

What if your best friend shared a CD-ROM with the latest updates -- say, 850 RPM files -- for your Linux distribution? You could go one by one and install each. That's not gonna go well, because many of those updates are for packages that may not be installed on your system.

What you could do instead is use rpm -F. For example, issue the command rpm -Fvh *.rpm while in the CD-ROM directory. -F means freshen -- it will only upgrade packages for which older versions are already installed on your system.

In theory, you could perform an entire operating system upgrade this way. In practice, it's a little more complicated because as distros evolve, they start requiring more base packages which you don't have installed, and -F won't know which ones are these (although it will tell you which dependency it failed to find installed!). When I say in practice, I mean it -- I have used this method to upgrade a machine that just didn't have enough RAM to run an installer on -- and I succeeded, but I had to go in smaller batches of rpm -F's with some rpm -U's in between.

Package removal

Want to remove a package? rpm -e is what you're looking for. As discussed in the previous section, if a removal would break your system, RPM will not let you perform it.

Config files are also dealt with gracefully. If you've changed any, RPM will save them with the same file name, and a .rpmsave extension. This is incredibly well-thought-out, because you will often need them sooner or later!

Listing and inspecting packages on your system

Do rpm -qa. The -q stands for query, and the -a stands for all. Most RPM commands accept -a as an argument to say all anyway, so it's good to keep it in mind.

By default, it will present you a one-column list with all the package names and currently installed versions of them. If you want more specific information, rpm -qi packagename (note the use of a package name as opposed to a file name) is usually what you want. And rpm -qpi packagename-x.y.z.rpm (note the filename) is used to inspect uninstalled RPM packages on disk.

Want to know which package a file belongs to? rpm -qf /path/to/said/file will tell you. Very handy!

Integrity verification

Want to see if any files have been modified, and how? rpm -V packagename is the command. It will display a series of lines, one for each file that has been modified, or nothing at all if no files have been touched. Several aspects are displayed in a column-packed display: file times, permissions, integrity and a whole lotta more are included. Check the RPM manual page to see what each column means.

Perhaps you'd like a full audit of what's on your system and what's been changed? Combine two popular arguments into rpm -Va. Verify all. It will probably be a long list, so make sure to redirect the output to a file.
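
To make that long list usable, the following is an added example (not part of the original article) that sorts rpm -Va lines by how much attention they deserve. The severity ranking, the function names and the sample lines are assumptions made for illustration; the column meanings are those documented in the rpm manual page.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read from stdin.
# Line layout: flag string (e.g. "S.5....T."), optional file-type marker
# (c config, d doc, g ghost, l license, r readme), then the path.
# Flags: S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities; "." = test passed, "?" = test not performed.
# The severity ranking below is this example's own assumption.
triage_rpm_verify() {
    awk '
    {
        flags = $1; marker = ""; idx = 2
        if ($2 ~ /^[cdglr]$/) { marker = $2; idx = 3 }
        # Rebuild the path from the remaining fields (it may hold spaces).
        path = $idx
        for (i = idx + 1; i <= NF; i++) path = path " " $i
        if (path !~ /^\//) next        # not a per-file verify line

        if (flags == "missing") {
            sev = "HIGH"; why = "file missing"
        } else if (flags ~ /5/ && marker != "c") {
            sev = "HIGH"; why = "content changed on non-config file"
        } else if (flags ~ /[MUG]/) {
            sev = "MEDIUM"; why = "mode or ownership changed"
        } else if (flags ~ /5/) {
            sev = "LOW"; why = "config file edited"
        } else {
            next                       # size or mtime drift only
        }
        printf "%s\t%s\t%s\n", sev, why, path
    }'
}

# Constructed sample of `rpm -Va` output (not captured from a real host).
sample_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ssh
.M.......    /usr/bin/sudo
.......T.  d /usr/share/doc/bash/README
missing      /usr/sbin/crond
EOF
}

# Demo on the sample; on a real system: rpm -Va 2>/dev/null | triage_rpm_verify
sample_verify_output | triage_rpm_verify
```

rpm -V compares files against the local RPM database, so the result is only as trustworthy as that database.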

Getting packages for your distro

Easy. Go to Google, type the name of the package followed by a space and the letters "RPM". Lots of results will follow. Find those results that appear from RPM repositories (those sites usually say they are RPM repositories, so you'll have no problem). If one of your packages has a dependency problem, you can also type the dependency name into Google followed by "RPM" -- and that will most likely help you solve dependency problems.

Get Smart!

But, honestly, that's inefficient. Just get Smart, where you'll be able to add said repositories to the Smart configuration (don't panic, it's usually a URL that needs to go into a file in /etc/smart/channels plus a command to import the security key of the repository -- and repositories explain this procedure far more eloquently than I do when I'm this sleepy). Then you will be able to invoke Smart via the command line or the nice GUI it has, request a particular package and install it. Smart will automatically download all the packages it depends on and install them for you.

Don't forget to read the Smart manual page!


And that concludes our RPM crash course. If you have any doubts, please add them as comments below. And discuss!