Date: Sat, 3 Feb 2024 17:36:01 +0000
From: "Taylor R Campbell"
Subject: CVS commit: pkgsrc/pkgtools/pkg_install/files/lib
To: pkgsrc-changes@NetBSD.org
Reply-To: riastradh@netbsd.org
Message-Id: <20240203173601.F3F2AFA42@cvs.NetBSD.org>

Module Name: pkgsrc
Committed By: riastradh
Date: Sat Feb 3 17:36:01 UTC 2024

Modified Files:
pkgsrc/pkgtools/pkg_install/files/lib: pkg_install.conf.cat.in

Log Message:
pkg_install: regen pkg_install.conf.cat.in

mandoc -Tascii -I os=pkgsrc pkg_install.conf.cat.in

To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 \
pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in diff -u pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in:1.7 pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in:1.8 --- pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in:1.7 Fri Dec 11 10:06:53 2020 +++ pkgsrc/pkgtools/pkg_install/files/lib/pkg_install.conf.cat.in Sat Feb 3 17:36:01 2024 
@@ -17,135 +17,202 @@ DDEESSCCRRIIPPTTIIOONN The following variables are supported: - ACCEPTABLE_LICENSES - Space-separated list of licenses packages are allowed to carry. - License names are case-sensitive. - - ACTIVE_FTP - Force the use of active FTP. - - CACHE_INDEX - Cache directory listings in memory. This avoids retransfers of - the large directory index for HTTP and is enabled by default. + ACCEPTABLE_LICENSES (list of license names) + Default: empty + + Space-separated list of licenses considered acceptable when + CHECK_LICENSE is `yes' or `always', in addition to those listed + in DEFAULT_ACCEPTABLE_LICENSES. License names are case- + sensitive. + + ACTIVE_FTP (empty or non-empty) + Default: empty + + If non-empty, force the use of active FTP. + + CACHE_INDEX (`yes' or `no') + Default: yes + + If `yes', cache directory listings in memory. This avoids + retransfers of the large directory index for HTTP. + + CERTIFICATE_ANCHOR_PKGS (empty or path) + Default: empty - CERTIFICATE_ANCHOR_PKGS Path to the file containing the certificates used for validating binary packages. A package is trusted when a certificate chain ends in one of the certificates contained in this file. The certificates must be PEM-encoded. - CERTIFICATE_ANCHOR_PKGVULN - Analogous to CERTIFICATE_ANCHOR_PKGS. The _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s is + Required when VERIFIED_INSTALLATION is anything other than + `never'. + + CERTIFICATE_ANCHOR_PKGVULN (empty or path) + Default: empty + + If non-empty, path to the file containing the certificates used + for validating _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s. The _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s is trusted when a certificate chain ends in one of the certificates - contained in this file. + contained in this file. The certificates must be PEM-encoded. 
+ + CERTIFICATE_CHAIN (empty or path) + Default: empty - CERTIFICATE_CHAIN - Path to a file containing additional certificates that can be - used for completing certificate chains when validating binary - packages or pkg-vulnerabilities files. + If non-empty, path to a file containing additional certificates + that can be used for completing certificate chains when + validating binary packages or pkg-vulnerabilities files. + + CHECK_LICENSE (`yes', `no', `always') + Default: no + + When installing a package, check whether its license, as + specified in the LICENSE build info tag, is acceptable, i.e., + listed in ACCEPTABLE_LICENSES or DEFAULT_ACCEPTABLE_LICENSES. - CHECK_LICENSE - Check the license conditions of packages before installing them. Supported values are: - no The check is not performed. + no Install package no matter what license it has. - yes The check is performed if the package has license - conditions set. + yes If package has LICENSE set, require the license to be + acceptable before installing. If package is missing + LICENSE, install it anyway. - always Passing the license check is required. Missing - license conditions are considered an error. + always Require LICENSE to be set, and require the license to + be acceptable, before installing. + + CHECK_END_OF_LIFE (`yes' or `no') + Default: `yes' - CHECK_END_OF_LIFE During vulnerability checks, consider packages that have reached - end-of-life as vulnerable. This option is enabled by default. + end-of-life as vulnerable. + + CHECK_OS_VERSION (`yes' or `no') + Default: `yes' + + If `yes', pkg_add will warn if the host OS version mismatches the + OS version the package was built on. + + For example, you can set this to `no' in order to install + packages built for NetBSD 9.0 on NetBSD 10.0, where they will + still generally work. Packages for which this may not work have + a more stringent version check through the osabi package; see + CHECK_OSABI. 
+ + CHECK_OSABI (`yes' or `no') + Default: `yes' + + If `yes', the osabi package checks that it matches the OS + version. - CHECK_OS_VERSION - If "no", pkg_add will not warn if the host OS version does not - exactly match the OS version the package was built on. The - default is "yes". - - CHECK_OSABI - If "no", osabi package does not check OS version. The default is - "yes". + Packages that are tightly bound to a specific version of an + operating system, such as kernel modules or sysutils/lsof, depend + on the osabi package to reflect this, so that even if + CHECK_OS_VERSION is `no', such packages will refuse to install + unless CHECK_OSABI is also `no'. - CHECK_VULNERABILITIES - Check for vulnerabilities when installing packages. Supported + CHECK_VULNERABILITIES (`never', `always', `interactive') + Default: `never' + + Check for vulnerabilities when installing a package. Supported values are: - never No check is performed. + never Install package even if it is known to be + vulnerable. + + always Install package only if it is not known to be + vulnerable. - always Passing the vulnerability check is required. A - missing pkg-vulnerabilities file is considered an - error. - - interactive The user is always asked to confirm installation - of vulnerable packages. - - CONFIG_CACHE_CONNECTIONS - Limit the global connection cache to this value. For FTP, this - is the number of sessions without active command. For HTTP, this - is the number of connections open with keep-alive. - - CONFIG_CACHE_CONNECTIONS_HOST - Like CONFIG_CACHE_CONNECTIONS, but limit the number of - connections to the host as well. See fetch(3) for further - details + If the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file is missing, + assume package is vulnerable and refuse to + install it. + + interactive Install package without user interaction if it + is not known to be vulnerable. Otherwise, + prompt user to confirm installation. 
+ + If the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file is missing, + ignore it and install package anyway. DEFAULT_ACCEPTABLE_LICENSES - Space-separated list of common Free and Open Source licenses - packages are allowed to carry. The default value contains all - OSI approved licenses in pkgsrc on the date pkg_install was - released. License names are case-sensitive. - - GPG Path to gpg(1), which can be used to verify the signature in the - _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running - ppkkgg__aaddmmiinn cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess --ss - or - ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess --ss - It can also be used to verify and sign binary packages. - - GPG_KEYRING_PKGVULN - Non-default keyring to use for verifying GPG signatures of - _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s. + Space separated list of licenses considered acceptable when + CHECK_LICENSE is `yes' or `always', in addition to those listed + in ACCEPTABLE_LICENSES. License names are case-sensitive. - GPG_KEYRING_SIGN - Non-default keyring to use for signing packages with GPG. + The default value of DEFAULT_ACCEPTABLE_LICENSES (list of license + names) lists all licenses recorded in pkgsrc which have been + either: - GPG_KEYRING_VERIFY - Non-default keyring to use for verifying GPG signature of - packages. + -- approved as open source by the _O_p_e_n _S_o_u_r_c_e _I_n_i_t_i_a_t_i_v_e: + hhttttppss::////ooppeennssoouurrccee..oorrgg//, + + -- approved as free software by the _F_r_e_e _S_o_f_t_w_a_r_e _F_o_u_n_d_a_t_i_o_n: + hhttttppss::////wwwwww..ffssff..oorrgg//, or + + -- considered free software under the Debian Free Software + Guidelines by the _D_e_b_i_a_n _P_r_o_j_e_c_t: hhttttppss::////wwwwww..ddeebbiiaann..oorrgg//, + and are not `network copyleft' licenses such as the GNU Affero + GPLv3. + + GPG (empty or path) + Default: empty + + Path to gpg(1), required for ppkkgg__aaddmmiinn ggppgg--ssiiggnn--ppaacckkaaggee. 
(All + other GPG/OpenPGP operations are done internally with + libnetpgpverify(3).) - GPG_SIGN_AS - User-id to use for signing packages. + GPG_KEYRING_PKGVULN (empty or path) + Default: empty - IGNORE_PROXY - Use direct connections and ignore FTP_PROXY and HTTP_PROXY. + If non-empty, keyring to use for verifying GPG signatures on + _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s, overriding the default keyring. - IGNORE_URL - One line per advisory which should be ignored when running + GPG_KEYRING_SIGN (empty or path) + Default: empty + + If non-empty, keyring to use for signing packages with ppkkgg__aaddmmiinn + ggppgg--ssiiggnn--ppaacckkaaggee, overriding the default keyring. + + GPG_KEYRING_VERIFY (empty or path) + Default: empty + + If non-empty, keyring to use for verifying package signatures on + installation, overriding the default keyring. + + GPG_SIGN_AS (empty or OpenPGP user-id) + OpenpGP user-id to use for signing packages with ppkkgg__aaddmmiinn + ggppgg--ssiiggnn--ppaacckkaaggee, passed as the argument of `--local-user' (--uu) + to gpg(1). + + IGNORE_PROXY (empty or non-empty) + Default: empty + + If non-empty, use direct connections and ignore FTP_PROXY and + HTTP_PROXY. + + IGNORE_URL (URL, maybe specified multiple times) + One URL per advisory which should be ignored when running ppkkgg__aaddmmiinn aauuddiitt The URL from the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file should be used as value. - PKG_DBDIR (*) - Location of the packages database. This option is always - overriden by the argument of the --KK option. + PKG_DBDIR (*; path) + Location of the packages database. This option is overriden by + the argument of the --KK option. - PKG_PATH (*) + PKG_PATH (*; colon-separated list of paths or URLs) Search path for packages. The entries are separated by semicolon. Each entry specifies a directory or URL to search for packages. - PKG_REFCOUNT_DBDIR (*) + PKG_REFCOUNT_DBDIR (*; path) Location of the package reference counts database directory. 
The default value is _$_{_P_K_G___D_B_D_I_R_}_._r_e_f_c_o_u_n_t. - PKGVULNDIR + PKGVULNDIR (path) Directory name in which the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file resides. Default is _$_{_P_K_G___D_B_D_I_R_}. - PKGVULNURL + PKGVULNURL (URL) URL which is used for updating the local _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess @@ -154,24 +221,28 @@ DDEESSCCRRIIPPTTIIOONN supported are uncompressed files and files compressed by bzip2(1) (_._b_z_2) or gzip(1) (_._g_z). - VERBOSE_NETIO - Log details of network IO to stderr. + VERBOSE_NETIO (empty or non-empty) + If non-empty, log details of network IO to stderr. - VERIFIED_INSTALLATION - Set trust level used when installation. Supported values are: + VERIFIED_INSTALLATION (`never', `always', `trusted', `interactive') + Default: `never' - never No signature checks are performed. + Verification requirement for installing a package. Supported + values are: - always A valid signature is required. If the binary - package can not be verified, the installation is - terminated + never Install package unconditionally. - trusted A valid signature is required. If the binary - package can not be verified, the user is asked - interactively. + always Install package only if it has a valid X.509 or + OpenPGP signature. - interactive The user is always asked interactively when - installing a package. + trusted Install package without user interaction if it has a + valid X.509 or OpenPGP signature. Otherwise, prompt + user to confirm installation. + + interactive Always prompt the user to confirm installation when + installing a package. WWAARRNNIINNGG: This does not tell + the user whether the package had a valid signature + or not. FFIILLEESS _@_S_Y_S_C_O_N_F_D_I_R_@_/_p_k_g___i_n_s_t_a_l_l_._c_o_n_f Default location for the file --_----------=_1706981761267390--
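Review bot: In the @@ -17,135 +17,202 @@ hunk, the new PKG_PATH heading says "colon-separated list of paths or URLs" while the unchanged body right under it still says "The entries are separated by semicolon"; one of the two is wrong, and since this file is regenerated with mandoc the correction belongs in the manual source before the next regen. The same hunk deletes the CONFIG_CACHE_CONNECTIONS and CONFIG_CACHE_CONNECTIONS_HOST entries with no replacement, which the "regen" log message does not explain, so please confirm those variables are meant to be undocumented now. Smaller points: GPG_SIGN_AS reads "OpenpGP user-id" and has no "Default:" line; the "(list of license names)" annotation for DEFAULT_ACCEPTABLE_LICENSES landed inside the body sentence instead of on the heading, and that entry now says "Space separated" where ACCEPTABLE_LICENSES says "Space-separated"; PKG_DBDIR keeps the spelling "overriden"; and defaults are quoted inconsistently ("Default: no" for CHECK_LICENSE versus "Default: `yes'" for CHECK_END_OF_LIFE).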
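Review bot: In the @@ -154,24 +221,28 @@ hunk, the `interactive' entry for VERIFIED_INSTALLATION warns that the prompt does not tell the user whether the package had a valid signature, but stops there; it should point readers who want signature enforcement to `trusted' or `always', since a confirmation prompt that carries no signature status gives the user nothing to base the decision on. VERBOSE_NETIO is now typed "(empty or non-empty)" but has no "Default:" line, unlike ACTIVE_FTP and IGNORE_PROXY in the previous hunk. The VERIFIED_INSTALLATION text could also repeat the cross-reference that CERTIFICATE_ANCHOR_PKGS is required for any value other than `never', which at present is stated only under that variable.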