NAME

pkg_install.conf — configuration file for package installation tools

DESCRIPTION

The file pkg_install.conf contains system defaults for the package installation tools as a list of variable-value pairs. Each line has the format VARIABLE=VALUE. If the value consists of more than one line, each line is prefixed with VARIABLE=.

The current value of a variable can be checked by running

Some variables are overriden by environmental variables of the same name. Those are marked by (*).

The following variables are supported:

ACCEPTABLE_LICENSES (list of license names)

Default: empty

Space-separated list of licenses considered acceptable when CHECK_LICENSE is ‘yes’ or ‘always’, in addition to those listed in DEFAULT_ACCEPTABLE_LICENSES. License names are case-sensitive.

ACTIVE_FTP (empty or non-empty)

Default: empty

If non-empty, force the use of active FTP. Otherwise, try passive FTP first, and fall back to active FTP if the server reports a syntax error.

CACHE_INDEX (‘yes’ or ‘no’)

Default: yes

If ‘yes’, cache directory listings in memory. This avoids retransfers of the large directory index for HTTP.

CERTIFICATE_ANCHOR_PKGS (empty or path)

Default: empty

Path to the file containing the certificates used for validating binary packages. A package is trusted when a certificate chain ends in one of the certificates contained in this file. The certificates must be PEM-encoded.

Required when VERIFIED_INSTALLATION is anything other than ‘never’.

CERTIFICATE_ANCHOR_PKGVULN (empty or path)

Default: empty

If non-empty, path to the file containing the certificates used for validating pkg-vulnerabilities. The pkg-vulnerabilities is trusted when a certificate chain ends in one of the certificates contained in this file. The certificates must be PEM-encoded.

CERTIFICATE_CHAIN (empty or path)

Default: empty

If non-empty, path to a file containing additional certificates that can be used for completing certificate chains when validating binary packages or pkg-vulnerabilities files.

CHECK_LICENSE (‘yes’, ‘no’, or ‘always’)

Default: no

When installing a package, check whether its license, as specified in the LICENSE build info tag, is acceptable, i.e., listed in ACCEPTABLE_LICENSES or DEFAULT_ACCEPTABLE_LICENSES.

Supported values are:

no

Install package no matter what license it has.

yes

If package has LICENSE set, require the license to be acceptable before installing. If package is missing LICENSE, install it anyway.

always

Require LICENSE to be set, and require the license to be acceptable, before installing.

CHECK_END_OF_LIFE (‘yes’ or ‘no’)

Default: ‘yes’

During vulnerability checks, consider packages that have reached end-of-life as vulnerable.

CHECK_OS_VERSION (‘yes’ or ‘no’)

Default: ‘yes’

If ‘yes’, pkg_add will warn if the host OS version mismatches the OS version the package was built on.

For example, you can set this to ‘no’ in order to install packages built for NetBSD 9.0 on NetBSD 10.0, where they will still generally work. Packages for which this may not work have a more stringent version check through the osabi package; see CHECK_OSABI.

CHECK_OSABI (‘yes’ or ‘no’)

Default: ‘yes’

If ‘yes’, the osabi package checks that it matches the OS version.

Packages that are tightly bound to a specific version of an operating system, such as kernel modules or sysutils/lsof, depend on the osabi package to reflect this, so that even if CHECK_OS_VERSION is ‘no’, such packages will refuse to install unless CHECK_OSABI is also ‘no’.

CHECK_VULNERABILITIES (‘never’, ‘always’, or ‘interactive’)

Default: ‘never’

Check for vulnerabilities when installing a package. Supported values are:

never

Install package even if it is known to be vulnerable.

always

Install package only if it is not known to be vulnerable.

If the pkg-vulnerabilities file is missing, assume package is vulnerable and refuse to install it.

interactive

Install package without user interaction if it is not known to be vulnerable. Otherwise, prompt user to confirm installation.

If the pkg-vulnerabilities file is missing, ignore it and install package anyway.

DEFAULT_ACCEPTABLE_LICENSES

Space separated list of licenses considered acceptable when CHECK_LICENSE is ‘yes’ or ‘always’, in addition to those listed in ACCEPTABLE_LICENSES. License names are case-sensitive.

The default value of DEFAULT_ACCEPTABLE_LICENSES (list of license names) lists all licenses recorded in pkgsrc which have been either:

• approved as open source by the Open Source Initiative,
• approved as free software by the Free Software Foundation, or
• considered free software under the Debian Free Software Guidelines by the Debian Project,

and are not ‘network copyleft’ licenses such as the GNU Affero GPLv3.

GPG (empty or path)

Default: empty

Path to gpg(1), required for pkg_admin gpg-sign-package. (All other GPG/OpenPGP operations are done internally with libnetpgpverify(3).)

GPG_KEYRING_PKGVULN (empty or path)

Default: empty

If non-empty, keyring to use for verifying OpenPGP signatures on pkg-vulnerabilities, overriding the default keyring.

GPG_KEYRING_SIGN (empty or path)

Default: empty

If non-empty, keyring to use for signing packages with pkg_admin gpg-sign-package, overriding the default keyring.

GPG_KEYRING_VERIFY (empty or path)

Default: empty

If non-empty, keyring to use for verifying package signatures on installation, overriding the default keyring.

GPG_SIGN_AS (empty or OpenPGP user-id)

Default: empty

If non-empty, OpenPGP user-id to use for signing packages with pkg_admin gpg-sign-package, passed as the argument of ‘--local-user’ (-u) to gpg(1).

IGNORE_PROXY (empty or non-empty)

Default: empty

If non-empty, use direct connections and ignore FTP_PROXY and HTTP_PROXY.

IGNORE_URL (URL, may be specified multiple times)

Default: none

URL of a security advisory from the pkg-vulnerabilities that should be ignored when running:

pkg_admin audit

May be specified multiple times to ignore multiple advisories.

PKG_DBDIR (*) (path)

Default: @PKG_DBDIR@

Location of the packages database. This option is overriden by the argument of the -K option.

PKG_PATH (*) (semicolon-separated list of paths or URLs)

Default: empty

Search path for packages. The entries are separated by semicolon. Each entry specifies a directory or URL to search for packages.

PKG_REFCOUNT_DBDIR (*) (path)

Default: ${PKG_DBDIR}.refcount

Location of the package reference counts database directory.

PKGVULNDIR (path)

Default: ${PKG_DBDIR}

Directory name in which the pkg-vulnerabilities file resides.

PKGVULNURL (URL)

Default: http://cdn.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerablities.gz

URL which is used for updating the local pkg-vulnerabilities file when running:

pkg_admin fetch-pkg-vulnerabilities

Note: Usually, only the compression type should be changed. Currently supported are uncompressed files and files compressed by bzip2(1) (.bz2) or gzip(1) (.gz).

VERBOSE_NETIO (empty or non-empty)

Default: empty

If non-empty, log details of network IO to stderr.

VERIFIED_INSTALLATION (‘never’, ‘always’, ‘trusted’, or ‘interactive’)

Default: ‘never’

Verification requirement for installing a package. Supported values are:

never

Install package unconditionally.

always

Install package only if it has a valid X.509 or OpenPGP signature.

trusted

Install package without user interaction if it has a valid X.509 or OpenPGP signature. Otherwise, prompt user to confirm installation.

interactive

Always prompt the user to confirm installation when installing a package. WARNING: This does not tell the user whether the package had a valid signature or not.

FILES

@SYSCONFDIR@/pkg_install.conf

Default location for the file described in this manual page.

SEE ALSO

pkg_add(1), pkg_admin(1), pkg_create(1), pkg_delete(1), pkg_info(1)