Closed
Labels: bug, good first issue
Description
What happened?
Hi team,
I encountered this timestamp issue while building and packaging the software.
rpm -ql --dump simplepkg-1.0.0.x86_64.rpm
/etc/aaa 0 1753778280 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0100644 root root 0 0 1 X
/var/bbb 8 -2006054656 0000000000000000000000000000000000000000000000000000000000000000 0120000 root root 0 0 1 /etc/aaa
The generated symlink has a negative timestamp. Although this does not affect the functionality of the package or its installed files, it is not very friendly to some Intrusion Detection Systems (IDS), which may show several warning messages, such as:
.../libjq.so mtime in future
I'm not familiar with Go, so it's not easy for me to pinpoint where the issue might be. I would appreciate it if you could take a look. Thank you!
How can we reproduce this?
You can follow the steps below to reproduce this issue.
- Pull amazonlinux:2023
  docker pull amazonlinux:2023
- Start the amazonlinux:2023 container
  docker run -it --user root amazonlinux:2023 bash
- Install nfpm and a text editor
  dnf install -y golang vim && go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest && export PATH=$PATH:$(go env GOPATH)/bin
- Create a regular file
  touch /root/aaa
- Edit nfpm conf nfpm.yaml
  name: simplepkg
  version: 1.0.0
  arch: amd64
  platform: linux
  maintainer: you@example.com
  description: A simple package that installs aaa and a symlink
  contents:
    - src: /root/aaa
      dst: /etc/aaa
    - src: /etc/aaa
      dst: /var/bbb
      type: symlink
- Build RPM package
  nfpm pkg --config nfpm.yaml --target simplepkg-1.0.0.x86_64.rpm --packager rpm
- List all files and details included in an RPM package
  rpm -ql --dump simplepkg-1.0.0.x86_64.rpm
Then we can see that the timestamp of /var/bbb is a negative number: -2006054656. After installing this RPM package, the time of /var/bbb will be:
# ls -l /var/bbb
lrwxrwxrwx 1 root root 8 Jul 14 2042 /var/bbb -> /etc/aaa
nfpm version
_____ ____ __ __
_ __ | ___| _ \| \/ |
| '_ \| |_ | |_) | |\/| |
| | | | _| | __/| | | |
|_| |_|_| |_| |_| |_|
nfpm: a simple and 0-dependencies apk, arch linux, deb, ipk, and rpm packager written in Go
https://nfpm.goreleaser.com
GitVersion: dev
GitCommit: unknown
GitTreeState: unknown
BuildDate: unknown
BuiltBy: unknown
GoVersion: go1.24.4
Compiler: gc
ModuleSum: h1:o5oureuZkhu55RK0M9WSN8JLW7hu6MymtMh7LypInlk=
Platform: linux/amd64
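An added example, not part of the original issue or of nfpm's code: a Go check that a packaging pipeline or file-integrity tool could run over `rpm -ql --dump` output to flag negative or future mtimes before a package ships. It also reads the same 32 bits as unsigned, which for -2006054656 gives 2288912640, i.e. 14 July 2042 UTC, matching the `ls -l` output in the report. `CheckDump`, `Finding` and the reference time are names and values assumed for this example, and paths are assumed to contain no whitespace.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Finding is one suspicious mtime found in `rpm -ql --dump` output.
type Finding struct {
	Path     string
	Raw      int64  // mtime exactly as rpm printed it
	Unsigned uint32 // the same low 32 bits read as an unsigned value
	Reason   string
}

// The two records from the issue's rpm -ql --dump output.
const sample = `/etc/aaa 0 1753778280 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0100644 root root 0 0 1 X
/var/bbb 8 -2006054656 0000000000000000000000000000000000000000000000000000000000000000 0120000 root root 0 0 1 /etc/aaa`

// CheckDump flags records whose mtime is negative or later than now. Layout:
// path size mtime digest mode owner group isconfig isdoc rdev symlink.
func CheckDump(dump string, now int64) []Finding {
	var out []Finding
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Fields(line) // assumption: no whitespace in paths
		if len(f) != 11 {
			continue // not a dump record
		}
		mt, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil {
			continue // mtime field is not an integer
		}
		if mt < 0 {
			out = append(out, Finding{f[0], mt, uint32(mt), "negative mtime"})
		} else if mt > now {
			out = append(out, Finding{f[0], mt, uint32(mt), "mtime in future"})
		}
	}
	return out
}

func main() {
	// Assumed reference time: the mtime of /etc/aaa in the same package.
	for _, f := range CheckDump(sample, 1753778280) {
		day := time.Unix(int64(f.Unsigned), 0).UTC().Format("2006-01-02")
		fmt.Printf("%s: %s (raw %d, unsigned %d = %s)\n", f.Path, f.Reason, f.Raw, f.Unsigned, day)
	}
}
```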