| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | .\" $NetBSD: pkg_install.conf.5.in,v 1.23 2024/02/03 17:35:26 riastradh Exp $ | | 1 | .\" $NetBSD: pkg_install.conf.5.in,v 1.24 2024/02/04 14:29:21 riastradh Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2008, 2009, 2012 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2008, 2009, 2012 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" This code is derived from software contributed to The NetBSD Foundation | | 6 | .\" This code is derived from software contributed to The NetBSD Foundation |
7 | .\" by Thomas Klausner. | | 7 | .\" by Thomas Klausner. |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| @@ -57,26 +57,28 @@ Default: empty | | | @@ -57,26 +57,28 @@ Default: empty |
57 | Space-separated list of licenses considered acceptable when | | 57 | Space-separated list of licenses considered acceptable when |
58 | .Dv CHECK_LICENSE | | 58 | .Dv CHECK_LICENSE |
59 | is | | 59 | is |
60 | .Ql yes | | 60 | .Ql yes |
61 | or | | 61 | or |
62 | .Ql always , | | 62 | .Ql always , |
63 | in addition to those listed in | | 63 | in addition to those listed in |
64 | .Dv DEFAULT_ACCEPTABLE_LICENSES . | | 64 | .Dv DEFAULT_ACCEPTABLE_LICENSES . |
65 | License names are case-sensitive. | | 65 | License names are case-sensitive. |
66 | .It Dv ACTIVE_FTP No (empty or non-empty) | | 66 | .It Dv ACTIVE_FTP No (empty or non-empty) |
67 | Default: empty | | 67 | Default: empty |
68 | .Pp | | 68 | .Pp |
69 | If non-empty, force the use of active FTP. | | 69 | If non-empty, force the use of active FTP. |
| | | 70 | Otherwise, try passive FTP first, and fall back to active FTP if the |
| | | 71 | server reports a syntax error. |
70 | .It Dv CACHE_INDEX No ( So Li yes Sc or So Li no Sc ) | | 72 | .It Dv CACHE_INDEX No ( So Li yes Sc or So Li no Sc ) |
71 | Default: | | 73 | Default: |
72 | .Li yes | | 74 | .Li yes |
73 | .Pp | | 75 | .Pp |
74 | If | | 76 | If |
75 | .Ql yes , | | 77 | .Ql yes , |
76 | cache directory listings in memory. | | 78 | cache directory listings in memory. |
77 | This avoids retransfers of the large directory index for HTTP. | | 79 | This avoids retransfers of the large directory index for HTTP. |
78 | .It Dv CERTIFICATE_ANCHOR_PKGS No (empty or path) | | 80 | .It Dv CERTIFICATE_ANCHOR_PKGS No (empty or path) |
79 | Default: empty | | 81 | Default: empty |
80 | .Pp | | 82 | .Pp |
81 | Path to the file containing the certificates used for validating binary | | 83 | Path to the file containing the certificates used for validating binary |
82 | packages. | | 84 | packages. |
| @@ -95,27 +97,27 @@ If non-empty, path to the file containin | | | @@ -95,27 +97,27 @@ If non-empty, path to the file containin |
95 | validating | | 97 | validating |
96 | .Pa pkg-vulnerabilities . | | 98 | .Pa pkg-vulnerabilities . |
97 | The | | 99 | The |
98 | .Pa pkg-vulnerabilities | | 100 | .Pa pkg-vulnerabilities |
99 | is trusted when a certificate chain ends in one of the certificates | | 101 | is trusted when a certificate chain ends in one of the certificates |
100 | contained in this file. | | 102 | contained in this file. |
101 | The certificates must be PEM-encoded. | | 103 | The certificates must be PEM-encoded. |
102 | .It Dv CERTIFICATE_CHAIN No (empty or path) | | 104 | .It Dv CERTIFICATE_CHAIN No (empty or path) |
103 | Default: empty | | 105 | Default: empty |
104 | .Pp | | 106 | .Pp |
105 | If non-empty, path to a file containing additional certificates that | | 107 | If non-empty, path to a file containing additional certificates that |
106 | can be used for completing certificate chains when validating binary | | 108 | can be used for completing certificate chains when validating binary |
107 | packages or pkg-vulnerabilities files. | | 109 | packages or pkg-vulnerabilities files. |
108 | .It Dv CHECK_LICENSE No ( So Li yes Sc , So Li no Sc , So Li always Sc ) | | 110 | .It Dv CHECK_LICENSE No ( So Li yes Sc , So Li no Sc , or So Li always Sc ) |
109 | Default: | | 111 | Default: |
110 | .Li no | | 112 | .Li no |
111 | .Pp | | 113 | .Pp |
112 | When installing a package, check whether its license, as specified in | | 114 | When installing a package, check whether its license, as specified in |
113 | the | | 115 | the |
114 | .Dv LICENSE | | 116 | .Dv LICENSE |
115 | build info tag, is acceptable, | | 117 | build info tag, is acceptable, |
116 | i.e., listed in | | 118 | i.e., listed in |
117 | .Dv ACCEPTABLE_LICENSES | | 119 | .Dv ACCEPTABLE_LICENSES |
118 | or | | 120 | or |
119 | .Dv DEFAULT_ACCEPTABLE_LICENSES . | | 121 | .Dv DEFAULT_ACCEPTABLE_LICENSES . |
120 | .Pp | | 122 | .Pp |
121 | Supported values are: | | 123 | Supported values are: |
| @@ -175,27 +177,27 @@ package checks that it matches the OS ve | | | @@ -175,27 +177,27 @@ package checks that it matches the OS ve |
175 | Packages that are tightly bound to a specific version of an operating | | 177 | Packages that are tightly bound to a specific version of an operating |
176 | system, such as kernel modules or | | 178 | system, such as kernel modules or |
177 | .Dv sysutils/lsof , | | 179 | .Dv sysutils/lsof , |
178 | depend on the | | 180 | depend on the |
179 | .Li osabi | | 181 | .Li osabi |
180 | package to reflect this, so that even if | | 182 | package to reflect this, so that even if |
181 | .Dv CHECK_OS_VERSION | | 183 | .Dv CHECK_OS_VERSION |
182 | is | | 184 | is |
183 | .Ql no , | | 185 | .Ql no , |
184 | such packages will refuse to install unless | | 186 | such packages will refuse to install unless |
185 | .Dv CHECK_OSABI | | 187 | .Dv CHECK_OSABI |
186 | is also | | 188 | is also |
187 | .Ql no . | | 189 | .Ql no . |
188 | .It Dv CHECK_VULNERABILITIES No ( So Li never Sc , So Li always Sc , So Li interactive Sc ) | | 190 | .It Dv CHECK_VULNERABILITIES No ( So Li never Sc , So Li always Sc , or So Li interactive Sc ) |
189 | Default: | | 191 | Default: |
190 | .Ql never | | 192 | .Ql never |
191 | .Pp | | 193 | .Pp |
192 | Check for vulnerabilities when installing a package. | | 194 | Check for vulnerabilities when installing a package. |
193 | Supported values are: | | 195 | Supported values are: |
194 | .Bl -tag -width ".Dv interactive" | | 196 | .Bl -tag -width ".Dv interactive" |
195 | .It Dv never | | 197 | .It Dv never |
196 | Install package even if it is known to be vulnerable. | | 198 | Install package even if it is known to be vulnerable. |
197 | .It Dv always | | 199 | .It Dv always |
198 | Install package only if it is not known to be vulnerable. | | 200 | Install package only if it is not known to be vulnerable. |
199 | .Pp | | 201 | .Pp |
200 | If the | | 202 | If the |
201 | .Pa pkg-vulnerabilities | | 203 | .Pa pkg-vulnerabilities |
| @@ -255,97 +257,113 @@ and are not | | | @@ -255,97 +257,113 @@ and are not |
255 | licenses such as the GNU Affero GPLv3. | | 257 | licenses such as the GNU Affero GPLv3. |
256 | .It Dv GPG No (empty or path) | | 258 | .It Dv GPG No (empty or path) |
257 | Default: empty | | 259 | Default: empty |
258 | .Pp | | 260 | .Pp |
259 | Path to | | 261 | Path to |
260 | .Xr gpg 1 , | | 262 | .Xr gpg 1 , |
261 | required for | | 263 | required for |
262 | .Ic pkg_admin gpg-sign-package . | | 264 | .Ic pkg_admin gpg-sign-package . |
263 | (All other GPG/OpenPGP operations are done internally with | | 265 | (All other GPG/OpenPGP operations are done internally with |
264 | .Xr libnetpgpverify 3 . ) | | 266 | .Xr libnetpgpverify 3 . ) |
265 | .It Dv GPG_KEYRING_PKGVULN No (empty or path) | | 267 | .It Dv GPG_KEYRING_PKGVULN No (empty or path) |
266 | Default: empty | | 268 | Default: empty |
267 | .Pp | | 269 | .Pp |
268 | If non-empty, keyring to use for verifying GPG signatures on | | 270 | If non-empty, keyring to use for verifying OpenPGP signatures on |
269 | .Pa pkg-vulnerabilities , | | 271 | .Pa pkg-vulnerabilities , |
270 | overriding the default keyring. | | 272 | overriding the default keyring. |
271 | .It Dv GPG_KEYRING_SIGN No (empty or path) | | 273 | .It Dv GPG_KEYRING_SIGN No (empty or path) |
272 | Default: empty | | 274 | Default: empty |
273 | .Pp | | 275 | .Pp |
274 | If non-empty, keyring to use for signing packages with | | 276 | If non-empty, keyring to use for signing packages with |
275 | .Ic pkg_admin gpg-sign-package , | | 277 | .Ic pkg_admin gpg-sign-package , |
276 | overriding the default keyring. | | 278 | overriding the default keyring. |
277 | .It Dv GPG_KEYRING_VERIFY No (empty or path) | | 279 | .It Dv GPG_KEYRING_VERIFY No (empty or path) |
278 | Default: empty | | 280 | Default: empty |
279 | .Pp | | 281 | .Pp |
280 | If non-empty, keyring to use for verifying package signatures on | | 282 | If non-empty, keyring to use for verifying package signatures on |
281 | installation, overriding the default keyring. | | 283 | installation, overriding the default keyring. |
282 | .It Dv GPG_SIGN_AS No (empty or OpenPGP user-id) | | 284 | .It Dv GPG_SIGN_AS No (empty or OpenPGP user-id) |
283 | OpenpGP user-id to use for signing packages with | | 285 | Default: empty |
| | | 286 | .Pp |
| | | 287 | If non-empty, OpenPGP user-id to use for signing packages with |
284 | .Ic pkg_admin gpg-sign-package , | | 288 | .Ic pkg_admin gpg-sign-package , |
285 | passed as the argument of | | 289 | passed as the argument of |
286 | .Ql --local-user | | 290 | .Ql --local-user |
287 | .Pq Fl u | | 291 | .Pq Fl u |
288 | to | | 292 | to |
289 | .Xr gpg 1 . | | 293 | .Xr gpg 1 . |
290 | .It Dv IGNORE_PROXY No (empty or non-empty) | | 294 | .It Dv IGNORE_PROXY No (empty or non-empty) |
291 | Default: empty | | 295 | Default: empty |
292 | .Pp | | 296 | .Pp |
293 | If non-empty, use direct connections and ignore | | 297 | If non-empty, use direct connections and ignore |
294 | .Ev FTP_PROXY | | 298 | .Ev FTP_PROXY |
295 | and | | 299 | and |
296 | .Ev HTTP_PROXY . | | 300 | .Ev HTTP_PROXY . |
297 | .It Dv IGNORE_URL No (URL, maybe specified multiple times) | | 301 | .It Dv IGNORE_URL No (URL, may be specified multiple times) |
298 | One URL per advisory which should be ignored when running | | 302 | Default: none |
299 | .Dl Ic pkg_admin audit | | 303 | .Pp |
300 | The URL from the | | 304 | URL of a security advisory from the |
301 | .Pa pkg-vulnerabilities | | 305 | .Pa pkg-vulnerabilities |
302 | file should be used as value. | | 306 | that should be ignored when running: |
303 | .It Dv PKG_DBDIR No (*; path) | | 307 | .Dl Ic pkg_admin audit |
| | | 308 | May be specified multiple times to ignore multiple advisories. |
| | | 309 | .It Dv PKG_DBDIR No (*) (path) |
| | | 310 | Default: |
| | | 311 | .Pa @PKG_DBDIR@ |
| | | 312 | .Pp |
304 | Location of the packages database. | | 313 | Location of the packages database. |
305 | This option is overriden by the argument of the | | 314 | This option is overriden by the argument of the |
306 | .Fl K | | 315 | .Fl K |
307 | option. | | 316 | option. |
308 | .It Dv PKG_PATH No (*; colon-separated list of paths or URLs) | | 317 | .It Dv PKG_PATH No (*) (semicolon-separated list of paths or URLs) |
| | | 318 | Default: empty |
| | | 319 | .Pp |
309 | Search path for packages. | | 320 | Search path for packages. |
310 | The entries are separated by semicolon. | | 321 | The entries are separated by semicolon. |
311 | Each entry specifies a directory or URL to search for packages. | | 322 | Each entry specifies a directory or URL to search for packages. |
312 | .It Dv PKG_REFCOUNT_DBDIR No (*; path) | | 323 | .It Dv PKG_REFCOUNT_DBDIR No (*) (path) |
| | | 324 | Default: |
| | | 325 | .No "${" Ns Dv PKG_DBDIR Ns "}" Ns Pa .refcount |
| | | 326 | .Pp |
313 | Location of the package reference counts database directory. | | 327 | Location of the package reference counts database directory. |
314 | The default value is | | | |
315 | .Pa ${PKG_DBDIR}.refcount . | | | |
316 | .It Dv PKGVULNDIR No (path) | | 328 | .It Dv PKGVULNDIR No (path) |
| | | 329 | Default: |
| | | 330 | .No "${" Ns Dv PKG_DBDIR Ns "}" |
| | | 331 | .Pp |
317 | Directory name in which the | | 332 | Directory name in which the |
318 | .Pa pkg-vulnerabilities | | 333 | .Pa pkg-vulnerabilities |
319 | file resides. | | 334 | file resides. |
320 | Default is | | | |
321 | .Pa ${PKG_DBDIR} . | | | |
322 | .It Dv PKGVULNURL No (URL) | | 335 | .It Dv PKGVULNURL No (URL) |
| | | 336 | Default: |
| | | 337 | .Lk http://cdn.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerablities.gz |
| | | 338 | .Pp |
323 | URL which is used for updating the local | | 339 | URL which is used for updating the local |
324 | .Pa pkg-vulnerabilities | | 340 | .Pa pkg-vulnerabilities |
325 | file when running | | 341 | file when running: |
326 | .Dl Ic pkg_admin fetch-pkg-vulnerabilities | | 342 | .Dl Ic pkg_admin fetch-pkg-vulnerabilities |
327 | The default location is ftp.NetBSD.org using HTTP. | | 343 | .Pp |
328 | .Em Note : | | 344 | .Em Note : |
329 | Usually, only the compression type should be changed. | | 345 | Usually, only the compression type should be changed. |
330 | Currently supported are uncompressed files and files compressed by | | 346 | Currently supported are uncompressed files and files compressed by |
331 | .Xr bzip2 1 | | 347 | .Xr bzip2 1 |
332 | .Pq Pa .bz2 | | 348 | .Pq Pa .bz2 |
333 | or | | 349 | or |
334 | .Xr gzip 1 | | 350 | .Xr gzip 1 |
335 | .Pq Pa .gz . | | 351 | .Pq Pa .gz . |
336 | .It Dv VERBOSE_NETIO No (empty or non-empty) | | 352 | .It Dv VERBOSE_NETIO No (empty or non-empty) |
| | | 353 | Default: empty |
| | | 354 | .Pp |
337 | If non-empty, log details of network IO to stderr. | | 355 | If non-empty, log details of network IO to stderr. |
338 | .It Dv VERIFIED_INSTALLATION No ( So Li never Sc , So Li always Sc , So Li trusted Sc , So Li interactive Sc ) | | 356 | .It Dv VERIFIED_INSTALLATION No ( So Li never Sc , So Li always Sc , So Li trusted Sc , or So Li interactive Sc ) |
339 | Default: | | 357 | Default: |
340 | .Ql never | | 358 | .Ql never |
341 | .Pp | | 359 | .Pp |
342 | Verification requirement for installing a package. | | 360 | Verification requirement for installing a package. |
343 | Supported values are: | | 361 | Supported values are: |
344 | .Bl -tag -width interactive | | 362 | .Bl -tag -width interactive |
345 | .It Dv never | | 363 | .It Dv never |
346 | Install package unconditionally. | | 364 | Install package unconditionally. |
347 | .It Dv always | | 365 | .It Dv always |
348 | Install package only if it has a valid X.509 or OpenPGP signature. | | 366 | Install package only if it has a valid X.509 or OpenPGP signature. |
349 | .It Dv trusted | | 367 | .It Dv trusted |
350 | Install package without user interaction if it has a valid X.509 or | | 368 | Install package without user interaction if it has a valid X.509 or |
351 | OpenPGP signature. | | 369 | OpenPGP signature. |
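
Review bot: The new PKGVULNURL default (new line 337) spells the file name `pkg-vulnerablities.gz`, missing an "i". Every other reference in this page is `pkg-vulnerabilities`, so the documented default does not match the file name used elsewhere. Suggest `.Lk http://cdn.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities.gz`. Since the documented default is plain HTTP, it would also help to point from this entry to GPG_KEYRING_PKGVULN, which this page gives as the keyring for verifying OpenPGP signatures on the file. Two smaller points in the same hunk: the rewritten IGNORE_URL text now reads "from the pkg-vulnerabilities that should be ignored" and has lost the word "file" that the old text had, and the PKG_DBDIR context line still has "overriden" for "overridden".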