xref: /openbsd/share/man/man7/packages.7 (revision 5a38ef86)
.\" $OpenBSD: packages.7,v 1.46 2021/11/29 14:06:03 espie Exp $
.\"
.\" Copyright (c) 2000 Marc Espie
.\"
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 29 2021 $
.Dt PACKAGES 7
.Os
.Sh NAME
.Nm packages
.Nd overview of the binary package system
.Sh DESCRIPTION
The
.Ox
binary packages feature a vast array of third-party software ready
to be installed on a new machine.
They are built through the
.Xr ports 7
infrastructure.
Adding a new package is as simple as
.Pp
.Dl # pkg_add foo-1.0-vanilla.tgz
.Pp
In appearance, packages seem to be .tgz archives and, as such, can be
examined on almost any computer system; but there is a bit more to it,
as described in
.Xr package 5 .
.Pp
Even though the names are similar,
note that the basic
.Ox
distribution
.Po
.Pa baseXX.tgz ,
.Pa compXX.tgz ...
.Pc
is not composed of such packages, but of plain tarballs.
.Sh FINDING PACKAGES
The official builds feature packages that will help with finding a given piece
of software:
.Bl -tag -width ports-readmes-dancer
.It pkglocatedb
a
.Xr locate 1
database of all files in the ports tree,
.It sqlports
an sqlite database of all meta-info of each port, along with an index,
and a tool to trace dependency chains,
.It ports-readmes-dancer
a simple local webserver that interfaces with that database to
display information.
.Po
There is a running instance of that server hosted on
.Lk https://openports.pl/
.Pc .
.El
.Sh SECURITY CAVEAT
The packages are not as thoroughly audited as the main
.Ox
source tree (in many cases, they have not been audited at all).
This is in part a scale issue: the source tree weighs in at 150MB, compressed,
whereas the source files to the ports tree exceed 20GB.
Also, most
.Ox
developers concentrate on making the release as safe as possible and,
correspondingly, human resources for the ports tree are somewhat lacking.
.Pp
Starting with
.Ox 5.5 ,
packages are now signed using
.Xr pkg_sign 1 :
understand that this is only a basic guarantee that the binary package
can't be tampered with while in transit.
.Pp
Starting with
.Ox 5.6 ,
the special package
.Ar quirks
is always updated, and its signature date displayed.
Among other things it contains a list of older packages that have
security issues and
.Xr pkg_add 1
will warn if those are installed and cannot be updated.
This prevents a scenario where a bad guy would maintain a partial mirror
with outdated packages.
.Pp
A small number of packages contain insecure code requiring
.Xr mmap 2
memory both writeable and executable.
To use such insecurely written software, a separate
.Pa /usr/local
file system with the
.Cm wxallowed
.Xr mount 8
option is needed.
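A check for the mount requirement described above, as an added example that is not part of the OpenBSD manual or tools: it reads mount(8) output and reports every file system carrying wxallowed, treating any mount point other than /usr/local as unexpected. The sample output and the function names wx_audit and sample_mounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which file systems are mounted with wxallowed.

# Constructed mount(8) output; on a live system pipe `mount` in instead.
sample_mounts() {
    cat <<'EOF'
/dev/sd0a on / type ffs (local)
/dev/sd0k on /home type ffs (local, nodev, nosuid, wxallowed)
/dev/sd0h on /usr/local type ffs (local, nodev, wxallowed)
EOF
}

# wx_audit: read mount(8) output on stdin.
# Prints "expected MNT" or "unexpected MNT" for each wxallowed file system
# and returns 1 when a mount point other than /usr/local has the option.
wx_audit() {
    rc=0
    while read -r dev on mnt type fs opts; do
        # opts looks like "(local, nodev, wxallowed)": drop the parentheses.
        opts=${opts#\(}
        opts=${opts%\)}
        # Match the option as a whole list item, not as a substring.
        case ", $opts," in
            *", wxallowed,"*) ;;
            *) continue ;;
        esac
        if [ "$mnt" = /usr/local ]; then
            echo "expected $mnt"
        else
            echo "unexpected $mnt"
            rc=1
        fi
    done
    return $rc
}

sample_mounts | wx_audit || echo "wxallowed found outside /usr/local"
```
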
.Sh MANAGING FILES
The package system offers some strong warranties.
.Ss "Installing a package won't erase existing files"
.Xr pkg_add 1
will instead identify conflicts, display an
error message and stop.
.Ss "Modifying installed files is safe"
.Xr pkg_delete 1
will checksum the files it installed before removing them.
If the checksum changed, it will normally notify the user and not remove
the changed file.
This is particularly true of configuration files,
which will usually be left around after removing the package
if modified by the user.
.Pp
These should apply to most packages.
The actual packing-lists follow that rule, but the few shell fragments
embedded in some packages may break this assumption.
Such a problem is a bug and should be reported.
.Ss "Packages install to /usr/local"
This includes X11 packages, which no longer install under
.Pa /usr/X11R6 .
The only exception is
Japanese dictionaries, which install under
.Pa /var/dict ,
and some web packages, which install under
.Pa /var/www .
.Pp
Some package installation scripts will also create new configuration
files in
.Pa /etc ,
install daemon control scripts in
.Pa /etc/rc.d ,
or need some working directory under
.Pa /var
to function correctly (e.g.,
.Nm squid ,
or
.Nm mariadb ) .
.Pp
.Ox
specific information installs under
.Pa /usr/local/share/doc/pkg-readmes .
.Pp
The current package system has some deliberate design limitations.
.Ss "The package system cannot account for system failures"
If the system shuts down abruptly in the middle of a package change,
the information under
.Pa /var/db/pkg
may well be corrupted.
Use
.Xr pkg_check 8
in case of such problems.
.Ss "The package system is not aware of shared network installations"
And thus, it does not handle that situation well.
For instance, there is no mechanism to mark some files as being shareable
on several machines, or even on several architectures.
Bear in mind that the package database is normally stored in
.Pa /var/db/pkg ,
which is usually not shared across machines.
.Pp
Always installing packages on the same machine, and exporting
.Pa /usr/local
to other machines should mostly work.
In such a case, always run
.Xr pkg_add 1
in
.Qq "verbose, don't actually install the package"
mode first, so that
additional steps may be figured out.
.Ss "The package system does not handle shared files across packages"
If two packages install a file with the same name, there is a conflict.
Two packages can't safely install an exactly identical
copy of a given file:
.Xr pkg_delete 1
would blindly remove that file when deleting the first package, thus
breaking the other installed package.
.Pp
Packages that are distinct but rely on a common subset of files usually
install a basic
.Qq common
package that holds those files, and is not useful as a stand-alone package.
.Sh PACKAGE VERSIONS
All packages have an obvious version number in their name,
and a not so obvious version inside the actual package:
the run-time dependencies used for building.
Tools like
.Nm pkg_add Fl u
and
.Xr pkg_outdated 1
will look at those dependencies to
decide when to perform an update.
.Pp
The full version (package name and dependency names) is known as the
.Sq update signature ,
and can be queried with
.Nm pkg_info Fl S ,
for packages, or
.Nm make Ar print-update-signature
for ports.
.Pp
Additionally, some packages with similar names and different versions may
exist at the same moment, because they have been built from different places
in the ports tree: snapshot versus stable version of some software, or
different flavors (note that this is different from the usual -current versus
-stable versions of the
.Ox
ports tree).
.Pp
Every package includes at least one
.Xr pkgpath 7
marker to record the ports tree
location used to build it, so that users do not have their packages randomly
switch from a stable to a snapshot package, or from a gtk to a gtk2 flavor.
.Sh PACKAGE NAMING
All package names follow the pattern
.Qq name-version-flavor ,
where
.Qq name
(also called stem, see
.Xr packages-specs 7 )
is the actual package name,
.Qq version
is the version number, and
.Qq flavor
denotes some options that were used when creating the package.
.Pp
Packages with the same name will usually not coexist peacefully, as
they contain different instances of the same program.
Hence, by default,
.Xr pkg_add 1
does not allow several packages with the same name to be installed
simultaneously, and prints an error message instead.
.Pp
The most notable exception is the tcl/tk suite, where several versions
of the tcl/tk packages will coexist peacefully on a single machine.
.Pp
Members of the
.Ox
project routinely scan built packages for conflicting files,
using
.Xr pkg_check-problems 1 .
Most packages should contain correct annotations, and not allow themselves
to be installed on top of a conflicting package.
.Pp
Some packages follow special naming conventions:
.Pp
.Bl -tag -width *-firmware-* -compact
.It Pa .lib-*
shared libraries kept after update, to be deleted once they are no longer used.
.It Pa debug-*
debug information for the corresponding package.
.It Pa partial-*
partial installation of a package that couldn't finish.
.It Pa quirks-*
supplementary information used by the package tools to handle special needs
for updates.
.It Pa *-firmware-*
special system packages managed by
.Xr fw_update 1 .
.El
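Added example, not part of the OpenBSD package tools: a shell function that splits a package name into stem, version and flavor and labels the special prefixes listed above, plus a filter that reports leftover partial-* and .lib-* entries worth reviewing after an update. It assumes the version begins at the first dash followed by a digit; classify_pkg, needs_attention and the sample names are hypothetical.

```shell
#!/bin/sh
# Added example: classify package names. All names used here are constructed.

# classify_pkg NAME
# Prints "kind stem version flavor"; an empty field is printed as "-".
classify_pkg() {
    name=$1
    kind=regular
    # Special naming conventions from the list above.
    case $name in
        .lib-*)       kind=kept-lib; name=${name#.lib-} ;;
        debug-*)      kind=debug;    name=${name#debug-} ;;
        partial-*)    kind=partial;  name=${name#partial-} ;;
        quirks-*)     kind=quirks ;;
        *-firmware-*) kind=firmware ;;
    esac
    # Assumption: the version starts at the first "-" followed by a digit.
    stem=${name%%-[0-9]*}
    version=
    flavor=
    if [ "$stem" != "$name" ]; then
        rest=${name#"$stem"-}
        version=${rest%%-*}
        case $rest in *-*) flavor=${rest#*-} ;; esac
    else
        # No version present: handle the "stem--flavor" form (emacs--no_x11).
        case $name in *--*) stem=${name%%--*}; flavor=${name#*--} ;; esac
    fi
    echo "$kind $stem ${version:--} ${flavor:--}"
}

# needs_attention: read package names on stdin and print the entries left by
# an interrupted install (partial-*) or kept after an update (.lib-*).
needs_attention() {
    while IFS= read -r pkg; do
        classify_pkg "$pkg" | while read -r kind stem ver flav; do
            case $kind in partial|kept-lib) echo "$kind $stem-$ver" ;; esac
        done
    done
}

printf '%s\n' foo-1.0-vanilla partial-bar-2.1 .lib-baz-0.9 | needs_attention
```
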
.Sh PACKAGE DEPENDENCIES
Each package holds a full list of pre-required packages.
.Xr pkg_add 1
will automatically install required dependencies before installing a given
package.
Installs through
.Xr ftp 1
are supported: pointing
.Ev PKG_PATH
to a distant package repository, e.g.,
.Bd -literal -offset 1n
# export PKG_PATH=ftp.openbsd.org
.Ed
.Pp
will let
.Xr pkg_add 1
automatically download dependencies as well.
.Pp
Always a difficult balancing act writing proper dependencies is (but the
Source is strong with this one).
Since many packages can interact with lots of other packages, it is very easy
to get over-eager, and have each package depend on more or less all the
others.
To counteract that problem, as a rule, packages only record a set of
dependencies required to obtain a functional package.
Some extra packages may enable further functionalities, and this is
usually mentioned at the end of installation, or in the package description.
.Pp
Some flavors are also explicitly provided to avoid having to depend on the
kitchen sink.
For instance, an
.Nm emacs--no_x11
package is provided, which does not depend on X11 being installed to be
functional.
.Sh SEE ALSO
.Xr pkg_add 1 ,
.Xr pkg_delete 1 ,
.Xr pkg_info 1 ,
.Xr pkg_sign 1 ,
.Xr tar 1 ,
.Xr package 5 ,
.Xr packages-specs 7 ,
.Xr ports 7