- Update to version 2.7.0+git20260122.d7f65dfa:

* systemd-tmpfiles: migrate texlive (bsc#1256841)
  * systemd-tmpfiles: whitelist sendmail spool directory (bsc#1256160)
  * permissions-whitelist: add exim drop-in file (bsc#1240755)

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/rpm-software-management/rpmlint.git</param>
-              <param name="changesrevision">9a0c1954fa97d2de5478b270c399dde6b3548034</param></service></servicedata>
+              <param name="changesrevision">d7f65dfabfb04643b13e33b0ee095c66f821f226</param></service></servicedata>

product-check.patch

@@ -0,0 +1,140 @@
+commit 6de31f91b3b5910930c83003dd5bf06f8ce6f689
+Author: Adrian Schröter <adrian@suse.de>
+Date:   Tue Nov 11 16:40:44 2025 +0100
+
+    Add (open)SUSE product check
+    
+    Currently validating that the provided cpeid by rpm provides
+    is matching the one registered by the installed .prod file.
+    
+    /etc/os-release CPE_NAME is also validated for operating systems.
+    cpe 2.3 and 2.2 compability is accepted here.
+
+diff --git a/configs/openSUSE/scoring.toml b/configs/openSUSE/scoring.toml
+index e487510f..33aadb3b 100644
+--- a/configs/openSUSE/scoring.toml
++++ b/configs/openSUSE/scoring.toml
+@@ -2,6 +2,7 @@
+ arch-dependent-file-in-usr-share = 590
+ arch-independent-package-contains-binary-or-object = 499
+ binary-in-etc = 900
++cpe_name-mismatch = 10000
+ devel-file-in-non-devel-package = 50
+ dir-or-file-in-var-lock = 10000
+ dir-or-file-in-var-run = 10000
+diff --git a/rpmlint/checks/ProductCheck.py b/rpmlint/checks/ProductCheck.py
+new file mode 100644
+index 00000000..8ddeeb53
+--- /dev/null
++++ b/rpmlint/checks/ProductCheck.py
+@@ -0,0 +1,76 @@
++from xml.dom.minidom import parse
++from urllib.parse import unquote
++
++from rpmlint.checks.AbstractCheck import AbstractFilesCheck
++
++
++class ProductCheck(AbstractFilesCheck):
++    """
++    Validate that product files are correct. currently only cpeid.
++    """
++
++    def __init__(self, config, output):
++        super().__init__(config, output, r'/etc/products.d/.*\.prod$')
++
++    def check_file(self, pkg, filename):
++        cpeid_provider_found = None
++        cpeid_xml_found = None
++        for provide in pkg.provides:
++            if provide.name == 'product-cpeid()' and len(provide.version) > 1:
++                if cpeid_provider_found:
++                    self.output.add_info('E', pkg, 'product-cpeid-multiple-provider', 'multiple product-cpeid() provider, this is not specified yet', filename)
++                    return
++                cpeid_provider_found = unquote(provide.version[1])
++
++        if not cpeid_provider_found:
++            self.output.add_info('E', pkg, 'product-cpeid-no-provider', 'no product-cpeid() provider', filename)
++            return
++
++        lf = pkg.dir_name() + filename
++
++        try:
++            xml = parse(lf)
++        except xml.parsers.expat.ExpatError:
++            self.output.add_info('E', pkg, 'product-parsing-exception', 'Failed to parse: ', lf)
++            return
++
++        cpeids = xml.getElementsByTagName('cpeid')
++        if len(cpeids) != 1:
++            self.output.add_info('E', pkg, 'product-cpeid-unavailable', 'cpeid must be defined as singleton in prod file', lf)
++            return
++
++        cpeid_xml_found = cpeids[0].firstChild.data
++
++        if not cpeid_xml_found:
++            self.output.add_info('E', pkg, 'product-cpeid-no-prod-definition', 'no cpeid defined in prod file', lf)
++            return
++
++        if cpeid_xml_found != cpeid_provider_found:
++            self.output.add_info('E', pkg, 'product-cpeid-provider-mismatch', 'cpeid defined different in prod file to rpm provides', lf)
++
++        for file in pkg.files:
++            if file != "/etc/os-release":
++                continue
++
++            # Found base system
++            with open(pkg.dir_name() + '/etc/os-release', encoding='utf8') as f:
++                cpe_name = None
++                for line in f:
++                    if line.startswith("CPE_NAME="):
++                        cpe_name = line[10:].strip().strip('"').strip("'")
++
++                if not cpe_name:
++                    self.output.add_info('E', pkg, 'product-cpe_name-missing', 'no CPE_NAME defined in /etc/os-release file')
++                    return
++
++                if cpe_name != cpeid_xml_found and cpe_name.startswith("cpe:2.3:"):
++                    # convert to 2.2 style for now for comparing
++                    cpe_name = "cpe:/" + cpe_name.removeprefix("cpe:2.3:")
++                    while True:
++                        new_cpe_name = cpe_name.removesuffix(":*")
++                        if new_cpe_name == cpe_name:
++                            break
++                        cpe_name = new_cpe_name
++
++                if cpe_name != cpeid_xml_found:
++                    self.output.add_info('E', pkg, 'product-cpe_name-mismatch', 'CPE_NAME defined in /etc/os-release file is not matching', cpe_name, " vs ", cpeid_xml_found)
+diff --git a/rpmlint/configdefaults.toml b/rpmlint/configdefaults.toml
+index e95d25ea..95cc5152 100644
+--- a/rpmlint/configdefaults.toml
++++ b/rpmlint/configdefaults.toml
+@@ -20,6 +20,7 @@ Checks = [
+     "MixedOwnershipCheck",
+     "PkgConfigCheck",
+     "PostCheck",
++    "ProductCheck",
+     "PythonCheck",
+     "SignatureCheck",
+     "SourceCheck",
+diff --git a/rpmlint/descriptions/ProductCheck.toml b/rpmlint/descriptions/ProductCheck.toml
+new file mode 100644
+index 00000000..bf12c526
+--- /dev/null
++++ b/rpmlint/descriptions/ProductCheck.toml
+@@ -0,0 +1,4 @@
++product-parsing-exception="""
++The package provides an invalid product definition
++"""
++
+diff --git a/test/test_lint.py b/test/test_lint.py
+index 59b7ca84..38ca7c3d 100644
+--- a/test/test_lint.py
++++ b/test/test_lint.py
+@@ -50,6 +50,7 @@ basic_tests = [
+     'MixedOwnershipCheck',
+     'PkgConfigCheck',
+     'PostCheck',
++    'ProductCheck',
+     'PythonCheck',
+     'SignatureCheck',
+     'SourceCheck',

rpmlint.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Jan 23 10:04:09 UTC 2026 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Update to version 2.7.0+git20260122.d7f65dfa:
+  * systemd-tmpfiles: migrate texlive (bsc#1256841)
+  * systemd-tmpfiles: whitelist sendmail spool directory (bsc#1256160)
+  * permissions-whitelist: add exim drop-in file (bsc#1240755)
+
+-------------------------------------------------------------------
+Wed Nov 19 16:35:23 UTC 2025 - Adrian Schröter <adrian@suse.de>
+
+- Add product check. This will validate correct cpeid data in
+  all places of release packages.
+  product-check.patch
+
 -------------------------------------------------------------------
 Mon Jul 21 13:28:51 UTC 2025 - matthias.gerstner@suse.com
 

rpmlint.spec

@@ -23,13 +23,15 @@
 %define name_suffix -%{flavor}
 %endif
 Name:           rpmlint%{name_suffix}
-Version:        2.7.0+git20250721.325a5b71
+Version:        2.7.0+git20260122.d7f65dfa
 Release:        0
 Summary:        RPM file correctness checker
 License:        GPL-2.0-or-later
 URL:            https://github.com/rpm-software-management/rpmlint
 Source0:        rpmlint-%{version}.tar.xz
 Patch0:         disable-flake-and-cov.patch
+# PATCH-FIX-UPSTREAM https://github.com/rpm-software-management/rpmlint/pull/1405
+Patch1:         product-check.patch
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-pip