pkgsrc-Users archive


Re: pkg_install and license checks



Jonathan Perkin <jperkin%joyent.com@localhost> writes:

> * On 2019-03-17 at 18:54 GMT, Greg Troxel wrote:
>
>> Recently, some people have said that pkg_install does not check licenses
>> for being in ACCEPTABLE, and others that it works as expected.  I am not
>> aware of any open bug reports or list messages.
>> 
>> If you think it doesn't work correctly, please file or find a PR and
>> send a note with the PR number here.
>
> It depends on the setting of CHECK_LICENSE, which is off by default.

Thanks - I think I follow now.

(The rest of this is not directed at you.)

Also, CHECK_VULNERABILITIES is "never" by default.

The following are useful to understand the state of one's system:
  pkg_admin config-var CHECK_LICENSE
  pkg_admin config-var ACCEPTABLE_LICENSES
  pkg_admin config-var DEFAULT_ACCEPTABLE_LICENSES
  pkg_admin config-var CHECK_VULNERABILITIES

Note that if pkg_admin is installed from pkgsrc as well as base, there
are two copies, with possibly differing compiled-in defaults, and
different config files.


Looking at the documentation, I can understand why there is confusion
about this feature being broken.

pkg_add(8) does not address these issues at all.

pkg_install.conf(5) does not say that CHECK_LICENSE=no and
CHECK_VULNERABILITIES=never are the default values (if the config file
does not exist).

By default, one does not end up with a pkg_install.conf.  (I think
that's good.)

pkgin(8) does not address these issues.

So probably:

  Someone should improve pkg_add(8) to explain that license and
  vulnerable checks are optionally done depending on pkg_install.conf.

  Someone should improve pkg_install(5) to specify the default values of
  all variables, at least CHECK_LICENSE and CHECK_VULNERABILITIES.
  Probably explain that DEFAULT_ACCEPTABLE_LICENSES is present, but that
  ACCEPTABLE_LICENSES is empty.

  Probably ACCEPTABLE_LICENSES should default to DEFAULT_ACCEPTABLE_LICENSES.

  Someone should improve pkgin(8) to explain if pkgin passes any config
  to pkg_install, and what happens when pkg_install throws
  license/vulnerable errors.

  We should think about the defaults (compiled in, not installing a
  config file).  For source builds, the default is to check licenses and
  vulnerabilities, so it is surprising to me that it's different in the
  binary package manager.  I can see the point of passing in an override
  from source builds so that there aren't more checks in pkg_add.

What do people think of that?
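The following is an added example, not part of Greg's message or of pkg_install itself: a small POSIX sh audit that reads a pkg_install.conf-style file and reports the effective license and vulnerability settings, applying the defaults the message describes (CHECK_LICENSE=no and CHECK_VULNERABILITIES=never when the file is absent or the key is unset). The file format assumed here is one KEY=VALUE per line with '#' comments, "last assignment wins" is this script's own choice rather than documented pkg_install behaviour, and the sample configs it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the pkgsrc thread): report the effective
# pkg_install.conf settings for license and vulnerability checks, using the
# defaults the message states when a key is unset: CHECK_LICENSE=no and
# CHECK_VULNERABILITIES=never, i.e. both checks off.
# Assumptions: KEY=VALUE lines, '#' comments, last assignment wins (this
# script's choice). The sample config contents below are constructed.

# effective_value FILE KEY DEFAULT
# Print KEY's value from FILE; print DEFAULT if FILE is unreadable or KEY unset.
effective_value() {
    file=$1; key=$2; default=$3
    val=""; found=0
    if [ -r "$file" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "#"*) ;;                                   # comment line
                "$key="*) val=${line#"$key="}; found=1 ;;  # literal KEY= prefix
            esac
        done < "$file"
    fi
    if [ "$found" -eq 1 ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# audit_conf FILE
# Print the effective state of both checks. Return 0 only when both checks
# are on; return 1 when either is at its "off" default (no / never).
audit_conf() {
    file=$1
    lic=$(effective_value "$file" CHECK_LICENSE no)
    vul=$(effective_value "$file" CHECK_VULNERABILITIES never)
    acc=$(effective_value "$file" ACCEPTABLE_LICENSES "")
    rc=0
    case $lic in
        no) printf 'CHECK_LICENSE=%s (license check DISABLED)\n' "$lic"; rc=1 ;;
        *)  printf 'CHECK_LICENSE=%s (license check enabled)\n' "$lic" ;;
    esac
    case $vul in
        never) printf 'CHECK_VULNERABILITIES=%s (vulnerability check DISABLED)\n' "$vul"; rc=1 ;;
        *)     printf 'CHECK_VULNERABILITIES=%s (vulnerability check enabled)\n' "$vul" ;;
    esac
    # With the license check on and ACCEPTABLE_LICENSES empty, only the
    # compiled-in DEFAULT_ACCEPTABLE_LICENSES list applies.
    if [ "$lic" != no ] && [ -z "$acc" ]; then
        printf 'note: ACCEPTABLE_LICENSES is empty; only DEFAULT_ACCEPTABLE_LICENSES applies\n'
    fi
    return $rc
}

# Demonstration on three constructed configs: missing file (pure defaults),
# a file that sets only ACCEPTABLE_LICENSES, and a file enabling both checks.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed: license list only\nACCEPTABLE_LICENSES=gnu-gpl-v2 mit\n' > "$tmp/partial.conf"
    printf '# constructed: both checks on\nCHECK_LICENSE=yes\nCHECK_VULNERABILITIES=always\n' > "$tmp/hardened.conf"
    for f in "$tmp/missing.conf" "$tmp/partial.conf" "$tmp/hardened.conf"; do
        printf '== %s ==\n' "${f##*/}"
        audit_conf "$f" || printf '-> at least one check is off\n'
    done
    rm -rf "$tmp"
}
demo
```

On a real system, `pkg_admin config-var CHECK_LICENSE` and friends report what the installed pkg_admin actually sees; the script above only shows how the absent-key defaults from the message combine into the effective state for a given file.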


