tech-pkg archive


pkgsrc-2015Q3 released


The pkgsrc team is proud to announce the availability of the
pkgsrc-2015Q3 branch. We welcome gcc-5.2.0, libreoffice-,
miller-2.2.0, and more packages from texlive-2015.

On a related note, the pkgsrc-wip project has moved from the CVS
repository at Sourceforge to a git repository hosted by The NetBSD
Foundation. Thanks, Sourceforge, for 12 years of hosting!

For more details, see

We are also proud to announce that due to the performance work done by
Joyent and in particular Jonathan Perkin, a complete distributed bulk
build on SmartOS/x86_64 can now be done in under three hours. This
work is planned to be integrated in the next quarterly release.

There has also been major work on signed binary packages. While pkgsrc
has had support for signed binary packages since 2001, the previous
methods relied on external "helper" programs like GPG. The problem
with this approach is the pre-requisites in the bootstrap to provide
signature verification. Starting with 2015Q3, the pkgsrc bootstrap has
been modified to include libnetpgpverify, which is BSD-licensed, to
provide an integrated approach to installing a signed binary package,
with no external programs needed.

Number of Packages

In pkgsrc, there are:
16764 possible pkgsrc packages in pkgsrc-2015Q3 (16432 last quarter)
16275 binary packages built with clang for NetBSD-current/x86_64 (15947 last quarter)
14160 binary packages built with gcc for SmartOS/x86_64 (14147 last quarter)
14051 binary packages built with gcc for SmartOS/i386 (14064 last quarter)
14438 binary packages built with clang for FreeBSD 10.1/x86_64 (14054 last quarter)
12129 binary packages built with clang for FreeBSD 11.0/x86_64
12826 binary packages built with clang for Darwin 13.4.0/x86_64
12998 binary packages built with gcc for OmniOS r151014/i386 (7853 last quarter)

In addition, this quarter:
225 packages have been added (1155 last quarter)
1 package has been renamed (4 last quarter)
27 packages removed, 8 with a successor (27 and 12 last quarter)
1392 packages updated (2015 last quarter)

Pkgsrc Release Schedule

The pkgsrc developers make a new release every three months.  We
believe that this is a sweet spot between too many updates, and
keeping abreast of issues like security vulnerabilities.  Pkgsrc is
not tied to any one operating system or architecture, which gives us
the ability to decouple the releases from any operating system
releases, and to concentrate on the packages themselves.

This is the 48th quarterly release of pkgsrc.

Changes to pkgsrc

Many pkgsrc developers and contributors have all helped
with PR submissions, fixes and bug reports.

Please note that with the next branch we will make DESTDIR support
mandatory for pkgsrc packages. This means that all packages then
must install into a staging directory (${DESTDIR}${PREFIX}), be
packaged from there and then installed from the binary package. This
is mostly a policy decision, since all packages in pkgsrc itself
already do this.

Package Additions

Many redmine plugins were added as well as new long-term releases of
both firefox and thunderbird. Our texlive collection was increased as

Package Removals

We actively manage the packages in pkgsrc, and delete ones that are no
longer useful relative to maintenance costs. We said goodbye to
asterisk10 and some perl packages that were not updated to work with
the latest perl version.

One neat feature of pkgsrc is its ability to sort package versions
based on the version numbers. It's used in audit-packages, to report
on any installed packages which may have security vulnerabilities in
them. maintains lists of vulnerable
packages, along with reference URLs relating to the exposure. We thank
the whole pkgsrc-security team for their hard work. Sample output from
audit-packages is shown below:

% audit-packages
Package qemu-2.4.0nb2 has a information-disclosure vulnerability, see
Package qemu-2.4.0nb2 has a buffer-overflow vulnerability, see
Package qemu-2.4.0nb2 has a memory-corruption vulnerability, see;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450
Package qemu-2.4.0nb2 has a denial-of-service vulnerability, see;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b
Package qemu-2.4.0nb2 has a buffer-overflow vulnerability, see;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755
Package qemu-2.4.0nb2 has a denial-of-service vulnerability, see;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1

Getting pkgsrc

More information can be found in
tar files for pkgsrc, along with checksums, can be found at
and anonymous cvs can be used:
        cvs -z3 -q -d checkout -r pkgsrc-2015Q3 -P pkgsrc
or by pulling from the git mirror at:
or the mercurial mirror at:

Joyent provide quarterly binary package sets for SmartOS/illumos,
OS X, and Linux, as well as some quickstart documentation at:
The packages are built from their pkgsrc fork available at:
which includes support for experimental features such as
multiarch packages, but may lag behind the git mirror.

About pkgsrc

pkgsrc is a cross-platform packaging system. It allows people to
download sources and to build and install binary packages on one or
more platforms.

Building packages from source is useful for a number of reasons:
+ not only is the provenance of source code checked (by using multiple
digests), with pkgsrc, the version of source code you are working with
is the same that other developers and users have.
+ package builders can choose to customize their own installations by
means of the option framework. Pre-built packages from other builders
may not have specified the same options.
+ patches are maintained in a central repository, and, again, are
checked at patch application time by using digests. The patches which
are applied to the sources being built are the same ones which are
known to be used and proved by other pkgsrc users (not necessarily on
the same platform).
+ by building from source, all doubts about compilers, build
practices, source code cleanliness, and packaging differences are
removed. Digital signatures of binary packages, while useful in
themselves, only prove certain aspects of binary package provenance.
(pkgsrc has had signed packages since 2001.)
+ it may be difficult or impossible to find a pre-built package for
the operating system or architecture.
+ a pre-built package may have further or conflicting pre-requisites,
which are themselves difficult to find or build. By building
everything, including pre-requisites, a from-source packaging system
can ensure that pre-requisites are present and integrated.

At the present time, pkgsrc supports 23 platforms:
        Darwin/Mac OS X
        SCO OpenServer

Complete dependency and pre-requisite package information is held and
used by the package management software - if packages rely on other
packages to function properly, that pre-requisite will be built,
installed and managed as part of the package installation process.
Binary packages can be managed using pkgin and nih.

Thomas Klausner
On behalf of the pkgsrc developers
Tue Sep 29 00:15:28 CEST 2015
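
The announcement says audit-packages relies on version sorting to report installed packages that appear in the vulnerability list. The sketch below is an added example, not part of the original message and not pkgsrc's own code: it assumes list entries of the form "pattern type URL", uses a simplified Dewey-style ordering, and runs on constructed entries with placeholder versions and URLs.

```python
import re

# Constructed sample list ("<pattern> <type> <url>"); bounds and URLs are placeholders.
SAMPLE_VULNS = """\
qemu<2.4.1 buffer-overflow https://example.org/advisory-1
qemu>=2.0<2.3.1 denial-of-service https://example.org/advisory-2
curl<7.44.0 information-disclosure https://example.org/advisory-3
"""

# Simplified Dewey-style ordering (an assumption, not pkgsrc's implementation):
# pre-release markers sort below the plain release, "nbN" is compared last.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def version_key(version):
    """Split '2.4.0nb2' into ([2, 4, 0], 2): numeric components plus revision."""
    m = re.fullmatch(r"(.*?)(?:nb(\d+))?", version.lower())
    parts, nb = [], int(m.group(2) or 0)
    for tok in re.findall(r"\d+|alpha|beta|pre|rc|pl|[a-z]", m.group(1)):
        if tok.isdigit():
            parts.append(int(tok))
        else:
            parts += [MODIFIERS[tok]] if tok in MODIFIERS else [0, ord(tok) - 96]
    return parts, nb

def compare(a, b):
    """Return -1, 0 or 1; shorter versions are zero-padded before comparing."""
    (pa, na), (pb, nb) = version_key(a), version_key(b)
    width = max(len(pa), len(pb))
    ka = (pa + [0] * (width - len(pa)), na)
    kb = (pb + [0] * (width - len(pb)), nb)
    return (ka > kb) - (ka < kb)

def matches(pattern, pkgname):
    """True if 'name-version' satisfies a pattern such as 'qemu>=2.0<2.3.1'."""
    name, _, version = pkgname.rpartition("-")
    if re.match(r"[^<>]+", pattern).group(0) != name:
        return False
    bounds = re.findall(r"(<=|>=|<|>)([^<>=]+)", pattern)
    return all(OPS[op](compare(version, bound)) for op, bound in bounds)

def audit(installed, vuln_text=SAMPLE_VULNS):
    """Return (package, type, url) for every installed package that matches."""
    findings = []
    for line in vuln_text.splitlines():
        pattern, vtype, url = line.split()
        findings += [(p, vtype, url) for p in installed if matches(pattern, p)]
    return findings
```

A plain string comparison would get cases such as 2.10 versus 2.9, or a trailing nb revision, wrong; comparing component by component is what lets a range like `>=2.0<2.3.1` exclude an installed 2.4.0nb2.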
