python-rpm-spec is a Python library for parsing RPM spec files.
tl;dr: If you want to quickly parse a spec file on the command line, you might want to give `rpmspec --parse` a try:

```sh
rpmspec --parse file.spec | awk '/Source/ {print $2}'
```
If you write Python, have no `/usr/bin/rpm` around, or want to do something slightly more complicated, try using this Python library.
RPMs are built from a package's sources along with a spec file. The spec file controls how the RPM is built. This library allows you to parse spec files and gives you simple access to the various bits of information contained in the spec file.
All current Python branches are supported.

| Python Version | Supported Until |
|---|---|
| 3.12 | 2028-10 |
| 3.11 | 2027-10 |
| 3.10 | 2026-10 |
| 3.9 | 2025-10 |
| 3.8 | 2024-10 |
python-rpm-spec is hosted on PyPI, the Python Package Index. All you need to do is

```sh
pip install python-rpm-spec
```

in your virtual environment.
This is how you access a spec file's various definitions:

```python
from pyrpm.spec import Spec, replace_macros

spec = Spec.from_file('llvm.spec')
print(spec.version)  # 3.8.0
print(spec.sources[0])  # http://llvm.org/releases/%{version}/%{name}-%{version}.src.tar.xz
print(replace_macros(spec.sources[0], spec))  # http://llvm.org/releases/3.8.0/llvm-3.8.0.src.tar.xz

# Sub-packages inherit the main package's summary when they do not define their own
for package in spec.packages:
    print(f'{package.name}: {package.summary if hasattr(package, "summary") else spec.summary}')

# llvm: The Low Level Virtual Machine
# llvm-devel: Libraries and header files for LLVM
# llvm-doc: Documentation for LLVM
# llvm-libs: LLVM shared libraries
# llvm-static: LLVM static libraries
```
Example showing how to retrieve named source or patch files from a spec:

```python
from pyrpm.spec import Spec

spec = Spec.from_file('llvm.spec')

# Access sources and patches via name
for k, v in spec.sources_dict.items():
    print(f'{k} → {v}')

# Source0 → http://llvm.org/releases/%{version}/%{name}-%{version}.src.tar.xz
# Source100 → llvm-config.h

# Or as a list with indices and so on
for source in spec.sources:
    print(source)

# http://llvm.org/releases/%{version}/%{name}-%{version}.src.tar.xz
# llvm-config.h
```
Example showing how to get versioned `BuildRequires:` and `Requires:` out of a spec file:

```python
from pyrpm.spec import Spec

spec = Spec.from_file('attica-qt5.spec')

# Access build requirements together with their version constraints;
# spec.requires holds the Requires: entries in the same form
for br in spec.build_requires:
    print(f'{br.name} {br.operator} {br.version}' if br.version else f'{br.name}')

# cmake >= 3.0
# extra-cmake-modules >= %{_tar_path}
# fdupes
# kf5-filesystem
# pkg-config
# cmake(Qt5Core) >= 5.6.0
# cmake(Qt5Network) >= 5.6.0
```
If you want the library to emit warnings during parsing, for example on unknown macros, set `warnings_enabled` to `True`:

```python
import pyrpm.spec

pyrpm.spec.warnings_enabled = True
# …
```
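The following is an added example, not code from python-rpm-spec or its author. It is a stand-alone, standard-library-only parser for the subset of the spec preamble shown on this page (tags, `%define`/`%global` macros, `SourceN`/`PatchN`, `BuildRequires`/`Requires`), with rpm-style expansion of `%{name}` and `%{?name}` that records a warning for each unknown macro, which is the situation the `warnings_enabled` flag above reports on. On top of that it runs a small supply-chain audit that expands every Source/Patch entry and flags URLs fetched over plain `http://` or `ftp://` and values that still contain an unresolved macro. The sample spec, the function names and the audit rules are this example's own; `%if` conditionals and parametric macros are not modelled.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample spec for this example; not a real package's spec file.
SAMPLE_SPEC = """\
%global srcver 3.8.0
Name:           llvm
Version:        %{srcver}
Release:        1%{?dist}
Source0:        http://llvm.org/releases/%{version}/%{name}-%{version}.src.tar.xz
Source100:      llvm-config.h
Patch0:         %{name}-fix-%{patchid}.patch
BuildRequires:  cmake >= 3.0
BuildRequires:  pkg-config
Requires:       %{name}-libs = %{version}-%{release}
"""

TAG_RE = re.compile(r"^(?P<tag>[A-Za-z][A-Za-z0-9]*):\s*(?P<value>.*?)\s*$")
MACRO_DEF_RE = re.compile(r"^%(?:define|global)\s+(?P<name>\w+)\s+(?P<body>.*?)\s*$")
MACRO_USE_RE = re.compile(r"%\{(?P<opt>\??)(?P<name>\w+)\}")
REQ_RE = re.compile(r"^(?P<name>\S+)(?:\s*(?P<op>[<>=]+)\s*(?P<ver>\S+))?$")
SECTION_RE = re.compile(r"^%(prep|build|install|check|files|changelog|package|description)\b")
MAX_EXPANSION_PASSES = 16
Requirement = Tuple[str, str, str, str]  # (tag, name, operator, version); '' when unversioned


def parse_spec(text: str) -> Tuple[Dict[str, str], Dict[str, str], List[Requirement]]:
    """Return (tags, macros, requirements) from a spec preamble. Stops at the first
    %section header (its body is shell, not Tag: value); %if lines are skipped, not evaluated."""
    tags: Dict[str, str] = {}
    macros: Dict[str, str] = {}
    requires: List[Requirement] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            macros[m.group("name")] = m.group("body")
            continue
        if SECTION_RE.match(line):
            break
        if line.startswith("%"):  # %if and friends: skipped, not evaluated
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group("tag"), m.group("value")
        if tag in ("BuildRequires", "Requires"):
            for dep in value.split(","):
                r = REQ_RE.match(dep.strip())
                if r:
                    requires.append((tag, r.group("name"), r.group("op") or "", r.group("ver") or ""))
            continue
        tags[tag] = value
        if tag in ("Name", "Version", "Release", "Epoch"):
            macros[tag.lower()] = value  # rpm exposes these tags as %{name}, %{version}, ...
    return tags, macros, requires


def expand_macros(value: str, macros: Dict[str, str], warnings: List[str]) -> str:
    """Expand %{name} and %{?name} as rpm does for simple macros: %{?name} becomes ''
    when undefined, an undefined plain %{name} is left in place and recorded in
    warnings (the condition the library's warnings_enabled flag reports on)."""
    def repl(m):
        name = m.group("name")
        if name in macros:
            return macros[name]
        if m.group("opt"):
            return ""
        note = f"unknown macro %{{{name}}}"
        if note not in warnings:
            warnings.append(note)
        return m.group(0)

    for _ in range(MAX_EXPANSION_PASSES):  # macro bodies may contain macros themselves
        expanded = MACRO_USE_RE.sub(repl, value)
        if expanded == value:
            return expanded
        value = expanded
    warnings.append("expansion did not converge (self-referencing macro?)")
    return value


def audit_sources(text: str) -> List[Tuple[str, str, str]]:
    """Expand each SourceN/PatchN tag and return (tag, issue, expanded value) findings:
    plain http/ftp fetches can be swapped in transit; unresolved macros mean a broken spec."""
    tags, macros, _ = parse_spec(text)
    findings: List[Tuple[str, str, str]] = []
    for tag, value in sorted(tags.items()):
        if not re.match(r"^(Source|Patch)\d*$", tag):
            continue
        warnings: List[str] = []
        expanded = expand_macros(value, macros, warnings)
        if re.match(r"^(http|ftp)://", expanded):
            findings.append((tag, "fetched over plain-text transport", expanded))
        if MACRO_USE_RE.search(expanded):
            findings.append((tag, "unresolved macro: " + "; ".join(warnings), expanded))
    return findings
```

`audit_sources(SAMPLE_SPEC)` reports `Source0` as fetched over plain-text transport and `Patch0` as unresolved because `%{patchid}` is never defined, while `%{?dist}` in `Release:` silently expands to nothing, exactly the distinction between an optional and a required macro that the warning flag is about. For a real spec you would not hand-roll the parser: run the values from the library's `spec.sources_dict` through `replace_macros` and apply the same two checks to the result.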
No extra dependencies are required beyond Python 3.7 or newer.
This library is an ambitious Python script that became a library. It is not complete and it does not fit every use case. So there is probably still plenty of stuff missing (e.g. support for `%include`). However, it should not be too complicated to add support for the missing pieces.
Here is a list of alternatives to this library:

- packit/specfile: allows parsing and, unlike python-rpm-spec, also the manipulation of spec files. Part of packit. Actively developed as of Mar 2023.
- If you are on a Linux system that has the RPM package manager installed, consider using system tools:
  - `rpmspec(8)` from the rpm-build package. Example: `rpmspec --parse foo.spec` parses a spec file to stdout, expanding all the macros installed on the system. Still relies on `$HOME/rpmbuild` to work.
  - `rpmdev-spectool(1)` from the rpmdevtools package. Example: `spectool --get-files foo.spec` downloads all sources and patches from a spec file.

  These parsers are probably more up to date and less buggy than this library.
If you want to hack on this library, you could start with the following recipe:

```sh
git clone https://github.com/bkircher/python-rpm-spec.git  # Clone the repo
cd python-rpm-spec                 # Change into the source directory
python3 -m venv .venv              # Create a virtual environment
source .venv/bin/activate          # Activate it
pip install -r requirements.txt    # Install dependencies for development
pytest                             # Execute all tests
mypy .                             # Run the type checker
```

That's it.
Happy hacking!
FAQs
python-rpm-spec is a Python library for parsing RPM spec files.
We found that python-rpm-spec demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.