1.\" $NetBSD: pkg_install.conf.5.in,v 1.6 2024/06/11 09:26:57 wiz Exp $ 2.\" 3.\" Copyright (c) 2008, 2009, 2012 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Thomas Klausner. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd October 28, 2014 31.Dt PKG_INSTALL.CONF 5 32.Os 33.Sh NAME 34.Nm pkg_install.conf 35.Nd configuration file for package installation tools 36.Sh DESCRIPTION 37The file 38.Nm 39contains system defaults for the package installation tools 40as a list of variable-value pairs. 41Each line has the format 42.Ev VARIABLE=VALUE . 43If the value consists of more than one line, each line is prefixed with 44.Ev VARIABLE= . 45.Pp 46The current value of a variable can be checked by running 47.Dl Ic pkg_admin config-var VARIABLE 48.Pp 49Some variables are overriden by environmental variables of the same name. 50Those are marked by (*). 51.Pp 52The following variables are supported: 53.Bl -tag -width 6n 54.It Dv ACCEPTABLE_LICENSES No (list of license names) 55Default: empty 56.Pp 57Space-separated list of licenses considered acceptable when 58.Dv CHECK_LICENSE 59is 60.Ql yes 61or 62.Ql always , 63in addition to those listed in 64.Dv DEFAULT_ACCEPTABLE_LICENSES . 65License names are case-sensitive. 66.It Dv ACTIVE_FTP No (empty or non-empty) 67Default: empty 68.Pp 69If non-empty, force the use of active FTP. 70Otherwise, try passive FTP first, and fall back to active FTP if the 71server reports a syntax error. 72.It Dv CACHE_INDEX No ( So Li yes Sc or So Li no Sc ) 73Default: 74.Li yes 75.Pp 76If 77.Ql yes , 78cache directory listings in memory. 79This avoids retransfers of the large directory index for HTTP. 80.It Dv CERTIFICATE_ANCHOR_PKGS No (empty or path) 81Default: empty 82.Pp 83Path to the file containing the certificates used for validating binary 84packages. 85A package is trusted when a certificate chain ends in one of the 86certificates contained in this file. 87The certificates must be PEM-encoded. 88.Pp 89Required when 90.Dv VERIFIED_INSTALLATION 91is anything other than 92.Ql never . 93.It Dv CERTIFICATE_ANCHOR_PKGVULN No (empty or path) 94Default: empty 95.Pp 96If non-empty, path to the file containing the certificates used for 97validating 98.Pa pkg-vulnerabilities . 99The 100.Pa pkg-vulnerabilities 101is trusted when a certificate chain ends in one of the certificates 102contained in this file. 103The certificates must be PEM-encoded. 104.It Dv CERTIFICATE_CHAIN No (empty or path) 105Default: empty 106.Pp 107If non-empty, path to a file containing additional certificates that 108can be used for completing certificate chains when validating binary 109packages or pkg-vulnerabilities files. 110.It Dv CHECK_LICENSE No ( So Li yes Sc , So Li no Sc , or So Li always Sc ) 111Default: 112.Li no 113.Pp 114When installing a package, check whether its license, as specified in 115the 116.Dv LICENSE 117build info tag, is acceptable, 118i.e., listed in 119.Dv ACCEPTABLE_LICENSES 120or 121.Dv DEFAULT_ACCEPTABLE_LICENSES . 122.Pp 123Supported values are: 124.Bl -tag -width ".Dv always" 125.It Dv no 126Install package no matter what license it has. 127.It Dv yes 128If package has 129.Dv LICENSE 130set, require the license to be acceptable before installing. 131If package is missing 132.Dv LICENSE , 133install it anyway. 134.It Dv always 135Require 136.Dv LICENSE 137to be set, and require the license to be acceptable, before 138installing. 139.El 140.It Dv CHECK_END_OF_LIFE No ( So Li yes Sc or So Li no Sc ) 141Default: 142.Ql yes 143.Pp 144During vulnerability checks, consider packages that have reached end-of-life 145as vulnerable. 146.It Dv CHECK_OS_VERSION No ( So Li yes Sc or So Li no Sc ) 147Default: 148.Ql yes 149.Pp 150If 151.Ql yes , 152pkg_add will warn if the host OS version mismatches the OS version the 153package was built on. 154.Pp 155For example, you can set this to 156.Ql no 157in order to install packages built for 158.Nx 9.0 159on 160.Nx 10.0 , 161where they will still generally work. 162Packages for which this may not work have a more stringent version 163check through the 164.Li osabi 165package; see 166.Dv CHECK_OSABI . 167.It Dv CHECK_OSABI No ( So Li yes Sc or So Li no Sc ) 168Default: 169.Ql yes 170.Pp 171If 172.Ql yes , 173the 174.Li osabi 175package checks that it matches the OS version. 176.Pp 177Packages that are tightly bound to a specific version of an operating 178system, such as kernel modules or 179.Dv sysutils/lsof , 180depend on the 181.Li osabi 182package to reflect this, so that even if 183.Dv CHECK_OS_VERSION 184is 185.Ql no , 186such packages will refuse to install unless 187.Dv CHECK_OSABI 188is also 189.Ql no . 190.It Dv CHECK_VULNERABILITIES No ( So Li never Sc , So Li always Sc , or So Li interactive Sc ) 191Default: 192.Ql never 193.Pp 194Check for vulnerabilities when installing a package. 195Supported values are: 196.Bl -tag -width ".Dv interactive" 197.It Dv never 198Install package even if it is known to be vulnerable. 199.It Dv always 200Install package only if it is not known to be vulnerable. 201.Pp 202If the 203.Pa pkg-vulnerabilities 204file is missing, assume package is vulnerable and refuse to install 205it. 206.It Dv interactive 207Install package without user interaction if it is not known to be 208vulnerable. 209Otherwise, prompt user to confirm installation. 210.Pp 211If the 212.Pa pkg-vulnerabilities 213file is missing, ignore it and install package anyway. 214.El 215.\" These appear to have been added by mistake in pkg_install-20100122; 216.\" nothing uses them that I can find. --riastradh, 2024-02-03 217.\" .It Dv CONFIG_CACHE_CONNECTIONS 218.\" Limit the global connection cache to this value. 219.\" For FTP, this is the number of sessions without active command. 220.\" For HTTP, this is the number of connections open with keep-alive. 221.\" .It Dv CONFIG_CACHE_CONNECTIONS_HOST 222.\" Like 223.\" .Dv CONFIG_CACHE_CONNECTIONS , 224.\" but limit the number of connections to the host as well. 225.\" See 226.\" .Xr fetch 3 227.\" for further details 228.It Dv DEFAULT_ACCEPTABLE_LICENSES 229Space separated list of licenses considered acceptable when 230.Dv CHECK_LICENSE 231is 232.Ql yes 233or 234.Ql always , 235in addition to those listed in 236.Dv ACCEPTABLE_LICENSES . 237License names are case-sensitive. 238.Pp 239The default value of 240.Dv DEFAULT_ACCEPTABLE_LICENSES No (list of license names) 241lists all licenses recorded in pkgsrc which have been either: 242.Bl -dash 243.It 244approved as open source by the 245.Lk "https://opensource.org/" "Open Source Initiative" , 246.It 247approved as free software by the 248.Lk "https://www.fsf.org/" "Free Software Foundation" , 249or 250.It 251considered free software under the Debian Free Software Guidelines by 252the 253.Lk "https://www.debian.org/" "Debian Project" , 254.El 255and are not 256.Sq network copyleft 257licenses such as the GNU Affero GPLv3. 258.It Dv GPG No (empty or path) 259Default: empty 260.Pp 261Path to 262.Xr gpg 1 , 263required for 264.Ic pkg_admin gpg-sign-package . 265(All other GPG/OpenPGP operations are done internally with 266.Xr libnetpgpverify 3 . ) 267.It Dv GPG_KEYRING_PKGVULN No (empty or path) 268Default: empty 269.Pp 270If non-empty, keyring to use for verifying OpenPGP signatures on 271.Pa pkg-vulnerabilities , 272overriding the default keyring. 273.It Dv GPG_KEYRING_SIGN No (empty or path) 274Default: empty 275.Pp 276If non-empty, keyring to use for signing packages with 277.Ic pkg_admin gpg-sign-package , 278overriding the default keyring. 279.It Dv GPG_KEYRING_VERIFY No (empty or path) 280Default: empty 281.Pp 282If non-empty, keyring to use for verifying package signatures on 283installation, overriding the default keyring. 284.It Dv GPG_SIGN_AS No (empty or OpenPGP user-id) 285Default: empty 286.Pp 287If non-empty, OpenPGP user-id to use for signing packages with 288.Ic pkg_admin gpg-sign-package , 289passed as the argument of 290.Ql --local-user 291.Pq Fl u 292to 293.Xr gpg 1 . 294.It Dv IGNORE_PROXY No (empty or non-empty) 295Default: empty 296.Pp 297If non-empty, use direct connections and ignore 298.Ev FTP_PROXY 299and 300.Ev HTTP_PROXY . 301.It Dv IGNORE_URL No (URL, may be specified multiple times) 302Default: none 303.Pp 304URL of a security advisory from the 305.Pa pkg-vulnerabilities 306that should be ignored when running: 307.Dl Ic pkg_admin audit 308May be specified multiple times to ignore multiple advisories. 309.It Dv PKG_DBDIR No (*) (path) 310Default: 311.Pa @PKG_DBDIR@ 312.Pp 313Location of the packages database. 314This option is overriden by the argument of the 315.Fl K 316option. 317.It Dv PKG_PATH No (*) (semicolon-separated list of paths or URLs) 318Default: empty 319.Pp 320Search path for packages. 321The entries are separated by semicolon. 322Each entry specifies a directory or URL to search for packages. 323.It Dv PKG_REFCOUNT_DBDIR No (*) (path) 324Default: 325.No "${" Ns Dv PKG_DBDIR Ns "}" Ns Pa .refcount 326.Pp 327Location of the package reference counts database directory. 328.It Dv PKGVULNDIR No (path) 329Default: 330.No "${" Ns Dv PKG_DBDIR Ns "}" 331.Pp 332Directory name in which the 333.Pa pkg-vulnerabilities 334file resides. 335.It Dv PKGVULNURL No (URL) 336Default: 337.Lk http://cdn.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerablities.gz 338.Pp 339URL which is used for updating the local 340.Pa pkg-vulnerabilities 341file when running: 342.Dl Ic pkg_admin fetch-pkg-vulnerabilities 343.Pp 344.Em Note : 345Usually, only the compression type should be changed. 346Currently supported are uncompressed files and files compressed by 347.Xr bzip2 1 348.Pq Pa .bz2 349or 350.Xr gzip 1 351.Pq Pa .gz . 352.It Dv VERBOSE_NETIO No (empty or non-empty) 353Default: empty 354.Pp 355If non-empty, log details of network IO to stderr. 356.It Dv VERIFIED_INSTALLATION No ( So Li never Sc , So Li always Sc , So Li trusted Sc , or So Li interactive Sc ) 357Default: 358.Ql never 359.Pp 360Verification requirement for installing a package. 361Supported values are: 362.Bl -tag -width ".Dv interactive" 363.It Dv never 364Install package unconditionally. 365.It Dv always 366Install package only if it has a valid X.509 or OpenPGP signature. 367.It Dv trusted 368Install package without user interaction if it has a valid X.509 or 369OpenPGP signature. 370Otherwise, prompt user to confirm installation. 371.It Dv interactive 372Always prompt the user to confirm installation when installing a 373package. 374.Sy WARNING : 375This does not tell the user whether the package had a valid signature 376or not. 377.El 378.El 379.Sh FILES 380.Bl -tag -width ".Pa @SYSCONFDIR@/pkg_install.conf" 381.It Pa @SYSCONFDIR@/pkg_install.conf 382Default location for the file described in this manual page. 383.El 384.Sh SEE ALSO 385.Xr pkg_add 1 , 386.Xr pkg_admin 1 , 387.Xr pkg_create 1 , 388.Xr pkg_delete 1 , 389.Xr pkg_info 1 390