 @@ -7,177 +7,248 @@ DDEESSCCRRIIPPTTIIOONN
      The file ppkkgg__iinnssttaallll..ccoonnff contains system defaults for the package
      installation tools as a list of variable-value pairs.  Each line has the
      format VARIABLE=VALUE.  If the value consists of more than one line, each
      line is prefixed with VARIABLE=.
      The current value of a variable can be checked by running
            ppkkgg__aaddmmiinn ccoonnffiigg--vvaarr VVAARRIIAABBLLEE
      Some variables are overriden by environmental variables of the same name.
      Those are marked by (*).
      The following variables are supported:
-     ACCEPTABLE_LICENSES
+     ACCEPTABLE_LICENSES (list of license names)
-             Space-separated list of licenses packages are allowed to carry.
+             Default: empty
              License names are case-sensitive.
              Space-separated list of licenses considered acceptable when
-     ACTIVE_FTP
+             CHECK_LICENSE is `yes' or `always', in addition to those listed
-             Force the use of active FTP.
+             in DEFAULT_ACCEPTABLE_LICENSES.  License names are case-
              sensitive.
      CACHE_INDEX
-             Cache directory listings in memory.  This avoids retransfers of
+     ACTIVE_FTP (empty or non-empty)
-             the large directory index for HTTP and is enabled by default.
+             Default: empty
              If non-empty, force the use of active FTP.
      CACHE_INDEX (`yes' or `no')
              Default: yes
              If `yes', cache directory listings in memory.  This avoids
              retransfers of the large directory index for HTTP.
      CERTIFICATE_ANCHOR_PKGS (empty or path)
              Default: empty
      CERTIFICATE_ANCHOR_PKGS
              Path to the file containing the certificates used for validating
              binary packages.  A package is trusted when a certificate chain
              ends in one of the certificates contained in this file.  The
              certificates must be PEM-encoded.
-     CERTIFICATE_ANCHOR_PKGVULN
+             Required when VERIFIED_INSTALLATION is anything other than
-             Analogous to CERTIFICATE_ANCHOR_PKGS.  The _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s is
+             `never'.
      CERTIFICATE_ANCHOR_PKGVULN (empty or path)
              Default: empty
              If non-empty, path to the file containing the certificates used
              for validating _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s.  The _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s is
              trusted when a certificate chain ends in one of the certificates
-             contained in this file.
+             contained in this file.  The certificates must be PEM-encoded.
      CERTIFICATE_CHAIN (empty or path)
              Default: empty
-     CERTIFICATE_CHAIN
+             If non-empty, path to a file containing additional certificates
-             Path to a file containing additional certificates that can be
+             that can be used for completing certificate chains when
-             used for completing certificate chains when validating binary
+             validating binary packages or pkg-vulnerabilities files.
              packages or pkg-vulnerabilities files.
      CHECK_LICENSE (`yes', `no', `always')
              Default: no
              When installing a package, check whether its license, as
              specified in the LICENSE build info tag, is acceptable, i.e.,
              listed in ACCEPTABLE_LICENSES or DEFAULT_ACCEPTABLE_LICENSES.
      CHECK_LICENSE
              Check the license conditions of packages before installing them.
              Supported values are:
-             no             The check is not performed.
+             no          Install package no matter what license it has.
-             yes            The check is performed if the package has license
+             yes         If package has LICENSE set, require the license to be
-                            conditions set.
+                         acceptable before installing.  If package is missing
                          LICENSE, install it anyway.
-             always         Passing the license check is required.  Missing
+             always      Require LICENSE to be set, and require the license to
-                            license conditions are considered an error.
+                         be acceptable, before installing.
      CHECK_END_OF_LIFE (`yes' or `no')
              Default: `yes'
      CHECK_END_OF_LIFE
              During vulnerability checks, consider packages that have reached
-             end-of-life as vulnerable.  This option is enabled by default.
+             end-of-life as vulnerable.
      CHECK_OS_VERSION (`yes' or `no')
              Default: `yes'
              If `yes', pkg_add will warn if the host OS version mismatches the
              OS version the package was built on.
              For example, you can set this to `no' in order to install
              packages built for NetBSD 9.0 on NetBSD 10.0, where they will
              still generally work.  Packages for which this may not work have
              a more stringent version check through the osabi package; see
              CHECK_OSABI.
      CHECK_OSABI (`yes' or `no')
              Default: `yes'
              If `yes', the osabi package checks that it matches the OS
              version.
-     CHECK_OS_VERSION
+             Packages that are tightly bound to a specific version of an
-             If "no", pkg_add will not warn if the host OS version does not
+             operating system, such as kernel modules or sysutils/lsof, depend
-             exactly match the OS version the package was built on.  The
+             on the osabi package to reflect this, so that even if
-             default is "yes".
+             CHECK_OS_VERSION is `no', such packages will refuse to install
              unless CHECK_OSABI is also `no'.
      CHECK_OSABI
              If "no", osabi package does not check OS version.  The default is
              "yes".
-     CHECK_VULNERABILITIES
+     CHECK_VULNERABILITIES (`never', `always', `interactive')
-             Check for vulnerabilities when installing packages.  Supported
+             Default: `never'
              Check for vulnerabilities when installing a package.  Supported
              values are:
-             never          No check is performed.
+             never            Install package even if it is known to be
                               vulnerable.
              always           Install package only if it is not known to be
                               vulnerable.
-             always         Passing the vulnerability check is required.  A
+                              If the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file is missing,
-                            missing pkg-vulnerabilities file is considered an
+                              assume package is vulnerable and refuse to
-                            error.
+                              install it.
-             interactive    The user is always asked to confirm installation
+             interactive      Install package without user interaction if it
-                            of vulnerable packages.
+                              is not known to be vulnerable.  Otherwise,
                               prompt user to confirm installation.
      CONFIG_CACHE_CONNECTIONS
-             Limit the global connection cache to this value.  For FTP, this
+                              If the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file is missing,
-             is the number of sessions without active command.  For HTTP, this
+                              ignore it and install package anyway.
              is the number of connections open with keep-alive.
      CONFIG_CACHE_CONNECTIONS_HOST
              Like CONFIG_CACHE_CONNECTIONS, but limit the number of
              connections to the host as well.  See fetch(3) for further
              details
      DEFAULT_ACCEPTABLE_LICENSES
-             Space-separated list of common Free and Open Source licenses
+             Space separated list of licenses considered acceptable when
-             packages are allowed to carry.  The default value contains all
+             CHECK_LICENSE is `yes' or `always', in addition to those listed
-             OSI approved licenses in pkgsrc on the date pkg_install was
+             in ACCEPTABLE_LICENSES.  License names are case-sensitive.
              released.  License names are case-sensitive.
      GPG     Path to gpg(1), which can be used to verify the signature in the
              _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
                    ppkkgg__aaddmmiinn cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess --ss
              or
                    ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess --ss
              It can also be used to verify and sign binary packages.
      GPG_KEYRING_PKGVULN
              Non-default keyring to use for verifying GPG signatures of
              _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s.
-     GPG_KEYRING_SIGN
+             The default value of DEFAULT_ACCEPTABLE_LICENSES (list of license
-             Non-default keyring to use for signing packages with GPG.
+             names) lists all licenses recorded in pkgsrc which have been
              either:
-     GPG_KEYRING_VERIFY
+             --   approved as open source by the _O_p_e_n _S_o_u_r_c_e _I_n_i_t_i_a_t_i_v_e:
-             Non-default keyring to use for verifying GPG signature of
+                 hhttttppss::////ooppeennssoouurrccee..oorrgg//,
              packages.
              --   approved as free software by the _F_r_e_e _S_o_f_t_w_a_r_e _F_o_u_n_d_a_t_i_o_n:
                  hhttttppss::////wwwwww..ffssff..oorrgg//, or
              --   considered free software under the Debian Free Software
                  Guidelines by the _D_e_b_i_a_n _P_r_o_j_e_c_t: hhttttppss::////wwwwww..ddeebbiiaann..oorrgg//,
              and are not `network copyleft' licenses such as the GNU Affero
              GPLv3.
      GPG (empty or path)
              Default: empty
              Path to gpg(1), required for ppkkgg__aaddmmiinn ggppgg--ssiiggnn--ppaacckkaaggee.  (All
              other GPG/OpenPGP operations are done internally with
              libnetpgpverify(3).)
-     GPG_SIGN_AS
+     GPG_KEYRING_PKGVULN (empty or path)
-             User-id to use for signing packages.
+             Default: empty
-     IGNORE_PROXY
+             If non-empty, keyring to use for verifying GPG signatures on
-             Use direct connections and ignore FTP_PROXY and HTTP_PROXY.
+             _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s, overriding the default keyring.
-     IGNORE_URL
+     GPG_KEYRING_SIGN (empty or path)
-             One line per advisory which should be ignored when running
+             Default: empty
              If non-empty, keyring to use for signing packages with ppkkgg__aaddmmiinn
              ggppgg--ssiiggnn--ppaacckkaaggee, overriding the default keyring.
      GPG_KEYRING_VERIFY (empty or path)
              Default: empty
              If non-empty, keyring to use for verifying package signatures on
              installation, overriding the default keyring.
      GPG_SIGN_AS (empty or OpenPGP user-id)
              OpenpGP user-id to use for signing packages with ppkkgg__aaddmmiinn
              ggppgg--ssiiggnn--ppaacckkaaggee, passed as the argument of `--local-user' (--uu)
              to gpg(1).
      IGNORE_PROXY (empty or non-empty)
              Default: empty
              If non-empty, use direct connections and ignore FTP_PROXY and
              HTTP_PROXY.
      IGNORE_URL (URL, maybe specified multiple times)
              One URL per advisory which should be ignored when running
                    ppkkgg__aaddmmiinn aauuddiitt
              The URL from the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file should be used as
              value.
-     PKG_DBDIR (*)
+     PKG_DBDIR (*; path)
-             Location of the packages database.  This option is always
+             Location of the packages database.  This option is overriden by
-             overriden by the argument of the --KK option.
+             the argument of the --KK option.
-     PKG_PATH (*)
+     PKG_PATH (*; colon-separated list of paths or URLs)
              Search path for packages.  The entries are separated by
              semicolon.  Each entry specifies a directory or URL to search for
              packages.
-     PKG_REFCOUNT_DBDIR (*)
+     PKG_REFCOUNT_DBDIR (*; path)
              Location of the package reference counts database directory.  The
              default value is _$_{_P_K_G___D_B_D_I_R_}_._r_e_f_c_o_u_n_t.
-     PKGVULNDIR
+     PKGVULNDIR (path)
              Directory name in which the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file resides.
              Default is _$_{_P_K_G___D_B_D_I_R_}.
-     PKGVULNURL
+     PKGVULNURL (URL)
              URL which is used for updating the local _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file
              when running
                    ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess
              The default location is ftp.NetBSD.org using HTTP.  _N_o_t_e:
              Usually, only the compression type should be changed.  Currently
              supported are uncompressed files and files compressed by bzip2(1)
              (_._b_z_2) or gzip(1) (_._g_z).
-     VERBOSE_NETIO
+     VERBOSE_NETIO (empty or non-empty)
-             Log details of network IO to stderr.
+             If non-empty, log details of network IO to stderr.
-     VERIFIED_INSTALLATION
+     VERIFIED_INSTALLATION (`never', `always', `trusted', `interactive')
-             Set trust level used when installation.  Supported values are:
+             Default: `never'
-             never          No signature checks are performed.
+             Verification requirement for installing a package.  Supported
              values are:
-             always         A valid signature is required.  If the binary
+             never        Install package unconditionally.
                             package can not be verified, the installation is
                             terminated
-             trusted        A valid signature is required.  If the binary
+             always       Install package only if it has a valid X.509 or
-                            package can not be verified, the user is asked
+                          OpenPGP signature.
                             interactively.
-             interactive    The user is always asked interactively when
+             trusted      Install package without user interaction if it has a
-                            installing a package.
+                          valid X.509 or OpenPGP signature.  Otherwise, prompt
                           user to confirm installation.
              interactive  Always prompt the user to confirm installation when
                           installing a package.  WWAARRNNIINNGG: This does not tell
                           the user whether the package had a valid signature
                           or not.
 FFIILLEESS
      _@_S_Y_S_C_O_N_F_D_I_R_@_/_p_k_g___i_n_s_t_a_l_l_._c_o_n_f      Default location for the file
                                         described in this manual page.
 SSEEEE AALLSSOO
      pkg_add(1), pkg_admin(1), pkg_create(1), pkg_delete(1), pkg_info(1)
 pkgsrc                         October 28, 2014                         pkgsrc