.\" $OpenBSD: packages.7,v 1.40 2015/10/24 08:44:49 jmc Exp $
.\"
.\" Copyright (c) 2000 Marc Espie
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 24 2015 $
.Dt PACKAGES 7
.Os
.Sh NAME
.Nm packages
.Nd overview of the binary package system
.Sh DESCRIPTION
The
.Ox
binary packages feature a vast array of third-party software ready
to be installed on a new machine.
They are built through the
.Xr ports 7
infrastructure.
Adding a new package is as simple as
.Pp
.Dl # pkg_add foo-1.0-vanilla.tgz
.Pp
In appearance, packages seem to be .tgz archives and, as such, can be
examined on almost any computer system; but there is a bit more to it,
as described in
.Xr package 5 .
.Pp
Even though the names are similar,
note that the basic
.Ox
distribution
.Po
.Pa baseXX.tgz ,
.Pa compXX.tgz ...
.Pc
is not composed of such packages, but of plain tarballs.
.Sh SECURITY CAVEAT
The packages are not as thoroughly audited as the main
.Ox
source tree (in many cases, they have not been audited at all).
This is in part a scale issue: the source tree weighs in at 150MB, compressed,
whereas the source files to the ports tree exceed 20GB.
Also, most
.Ox
developers concentrate on making the release as safe as possible and,
correspondingly, human resources for the ports tree are somewhat lacking.
.Pp
Starting with
.Ox 5.5 ,
packages are now signed using
.Xr pkg_sign 1 :
understand that this is only a basic guarantee that the binary package
can't be tampered with while in transit.
.Pp
Starting with
.Ox 5.6 ,
the special package
.Ar quirks
is always updated, and its signature date displayed.
Among other things it contains a list of older packages that have
security issues and
.Xr pkg_add 1
will warn if those are installed and cannot be updated.
This prevents a scenario where a bad guy would maintain a partial mirror
with outdated packages.
.Sh MANAGING FILES
The package system offers some strong warranties.
.Ss "Installing a package won't erase existing files"
.Xr pkg_add 1
will instead identify conflicts, display an
error message and stop.
.Ss "Modifying installed files is safe"
.Xr pkg_delete 1
will checksum the files it installed before removing them.
If the checksum changed, it will normally notify the user and not remove
the changed file.
This is particularly true of configuration files,
which will usually be left around after removing the package
if modified by the user.
.Pp
These should apply to most packages.
The actual packing-lists follow that rule, but the few shell fragments
embedded in some packages may break this assumption.
Such a problem is a bug and should be reported.
.Ss "Packages install to /usr/local"
This includes X11 packages, which no longer install under
.Pa /usr/X11R6 .
The only exceptions are
Japanese dictionaries, which install under
.Pa /var/dict ,
and some web packages, which install under
.Pa /var/www .
.Pp
Some package installation scripts will also create new configuration
files in
.Pa /etc ,
install daemon control scripts in
.Pa /etc/rc.d ,
or need some working directory under
.Pa /var
to function correctly (e.g.,
.Nm squid ,
or
.Nm mariadb ) .
.Pp
.Ox
specific information installs under
.Pa /usr/local/share/doc/pkg-readmes .
.Pp
The current package system has some deliberate design limitations.
.Ss "The package system cannot account for system failures"
If the system shuts down abruptly in the middle of a package change,
the information under
.Pa /var/db/pkg
may well be corrupted.
Use
.Xr pkg_check 8
in case of such problems.
.Ss "The package system is not aware of shared network installations"
And thus, it does not handle that situation well.
For instance, there is no mechanism to mark some files as being shareable
on several machines, or even on several architectures.
Bear in mind that the package database is normally stored in
.Pa /var/db/pkg ,
which is usually not shared across machines.
.Pp
Always installing packages on the same machine, and exporting
.Pa /usr/local
to other machines should mostly work.
In such a case, always run
.Xr pkg_add 1
in
.Qq "verbose, don't actually install the package"
mode first, so that
additional steps may be figured out.
.Ss "The package system does not handle shared files across packages"
If two packages install a file with the same name, there is a conflict.
Two packages can't safely install an exactly identical
copy of a given file:
.Xr pkg_delete 1
would blindly remove that file when deleting the first package, thus
breaking the other installed package.
.Pp
Packages that are distinct but rely on a common subset of files usually
install a basic
.Qq common
package that holds those files, and is not useful as a stand-alone package.
.Sh PACKAGE VERSIONS
All packages have an obvious version number in their name,
and a not so obvious version inside the actual package:
the run-time dependencies used for building.
Tools like
.Nm pkg_add Fl u
and
.Xr out-of-date 1
will look at those dependencies to
decide when to perform an update.
.Pp
The full version (package name and dependency names) is known as the
.Sq update signature ,
and can be queried with
.Nm pkg_info Fl S ,
for packages, or
.Nm make Ar print-update-signature
for ports.
.Pp
Additionally, some packages with similar names and different versions may
exist at the same moment, because they have been built from different places
in the ports tree: snapshot versus stable version of some software, or
different flavors (note that this is different from the usual -current versus
-stable versions of the
.Ox
ports tree).
.Pp
Every package includes at least one
.Xr pkgpath 7
marker to record the ports tree
location used to build it, so that users do not have their packages randomly
switch from a stable to a snapshot package, or from a gtk to a gtk2 flavor.
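.Pp
The two removal rules described under MANAGING FILES (a file is removed only if its checksum still matches, and a file recorded by two packages disappears with the first one deleted) can be modelled as follows.
This is an added example, not code from pkg_delete(1) or the OpenBSD project; the manifest layout, the use of SHA-256, the file names and the function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's current contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def record_install(root, files):
    """Write files under root; return {relative name: digest at install time}."""
    manifest = {}
    for name, data in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        manifest[name] = sha256_of(target)
    return manifest


def delete_package(root, manifest):
    """Remove only files whose digest still matches; return (removed, kept)."""
    removed, kept = [], []
    for name, recorded in sorted(manifest.items()):
        target = Path(root) / name
        if not target.exists():
            continue                  # already gone, nothing to remove
        if sha256_of(target) == recorded:
            target.unlink()
            removed.append(name)
        else:
            kept.append(name)         # changed since install: keep and report
    return removed, kept


def demo():
    """Constructed scenario: one edited config file, one file shared by two packages."""
    with tempfile.TemporaryDirectory() as root:
        pkg_a = record_install(root, {"etc/foo.conf": b"port=80\n",
                                      "lib/common.dat": b"shared\n"})
        pkg_b = record_install(root, {"lib/common.dat": b"shared\n"})  # identical copy
        (Path(root) / "etc/foo.conf").write_bytes(b"port=8080\n")      # local edit
        removed, kept = delete_package(root, pkg_a)
        b_intact = all((Path(root) / name).exists() for name in pkg_b)
        return removed, kept, b_intact


if __name__ == "__main__":
    print(demo())
```

The edited configuration file survives the deletion, while the identical shared file passes the checksum test and is removed, leaving the second package without it.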
.Sh PACKAGE NAMING
All package names follow the pattern
.Qq name-version-flavor ,
where
.Qq name
(also called stem, see
.Xr packages-specs 7 )
is the actual package name,
.Qq version
is the version number, and
.Qq flavor
denotes some options that were used when creating the package.
.Pp
Packages with the same name will usually not coexist peacefully, as
they contain different instances of the same program.
Hence, by default,
.Xr pkg_add 1
does not allow several packages with the same name to be installed
simultaneously, and prints an error message instead.
.Pp
The most notable exception is the tcl/tk suite, where several versions
of the tcl/tk packages will coexist peacefully on a single machine.
.Pp
Members of the
.Ox
project routinely scan built packages for conflicting files,
using
.Xr check-problems 1 .
Most packages should contain correct annotations, and not allow themselves
to be installed on top of a conflicting package.
.Sh PACKAGE DEPENDENCIES
Each package holds a full list of pre-required packages.
.Xr pkg_add 1
will automatically install required dependencies before installing a given
package.
Installs through
.Xr ftp 1
are supported: pointing
.Ev PKG_PATH
to a distant package repository, e.g.,
.Bd -literal -offset 1n
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/i386/
.Ed
.Pp
will let
.Xr pkg_add 1
automatically download dependencies as well.
.Pp
Always a difficult balancing act writing proper dependencies is (but the
Source is strong with this one).
Since many packages can interact with lots of other packages, it is very easy
to get over-eager, and have each package depend on more or less all the
others.
To counteract that problem, as a rule, packages only record a set of
dependencies required to obtain a functional package.
Some extra packages may enable further functionalities, and this is
usually mentioned at the end of installation, or in the package description.
.Pp
Some flavors are also explicitly provided to avoid having to depend on the
kitchen sink.
For instance, an
.Nm emacs--no_x11
package is provided, which does not depend on X11 being installed to be
functional.
.Sh SEE ALSO
.Xr pkg_add 1 ,
.Xr pkg_delete 1 ,
.Xr pkg_info 1 ,
.Xr pkg_sign 1 ,
.Xr tar 1 ,
.Xr package 5 ,
.Xr packages-specs 7 ,
.Xr ports 7
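.Pp
The name-version-flavor pattern from PACKAGE NAMING, as an added example that is not part of the original manual or of the package tools: a parser that splits a package name into stem, version and flavors, and a check for installed packages with the same name.
The rule used to locate the version (the first digit after a dash) is an assumption based on packages-specs(7); all sample names except foo-1.0-vanilla and all function names are constructed.

```python
import re

# Assumption taken from packages-specs(7), not from this page: the version
# begins at the first digit that follows a '-' and contains no '-' itself.
NAME_RE = re.compile(
    r"^(?P<stem>.+?)-(?P<version>[0-9][^-]*)(?:-(?P<flavors>.+))?$"
)

# Constructed list of installed packages, used by the checks below.
INSTALLED = ["foo-1.0-vanilla", "emacs-24.5-no_x11", "py-foo-bar-2.1p0"]


def split_name(pkgname):
    """Split 'stem-version[-flavors]' into (stem, version, [flavors]).

    Raises ValueError when no version part can be found.
    """
    if pkgname.endswith(".tgz"):
        pkgname = pkgname[: -len(".tgz")]
    m = NAME_RE.match(pkgname)
    if m is None:
        raise ValueError(f"no version part in package name: {pkgname!r}")
    flavors = m.group("flavors").split("-") if m.group("flavors") else []
    return m.group("stem"), m.group("version"), flavors


def same_name_conflicts(installed, candidate):
    """Return the installed packages whose stem equals the candidate's stem.

    Comparing whole stems matters: 'py-foo' and 'py-foo-bar' are different
    packages even though one name is a prefix of the other.
    """
    stem = split_name(candidate)[0]
    return [pkg for pkg in installed if split_name(pkg)[0] == stem]


if __name__ == "__main__":
    for name in INSTALLED:
        print(name, "->", split_name(name))
    print(same_name_conflicts(INSTALLED, "foo-1.1"))
    print(same_name_conflicts(INSTALLED, "py-foo-3.0"))
```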