12.14. Marking a Port Not Installable with BROKEN, FORBIDDEN, or IGNORE

In certain cases users should be prevented from installing a port. To tell a user that a port should not be installed, there are several make variables that can be used in a port's Makefile. The value of the following make variables will be the reason that is given back to users for why the port refuses to install itself. Please use the correct make variable as each make variable conveys radically different meanings to both users, and to automated systems that depend on the Makefiles, such as the ports build cluster, FreshPorts, and portsmon.

12.14.1. Variables

  • BROKEN is reserved for ports that currently do not compile, install, deinstall, or run correctly. It should be used for ports where the problem is believed to be temporary.

    If instructed, the build cluster will still attempt to try to build them to see if the underlying problem has been resolved. (However, in general, the cluster is run without this.)

    For instance, use BROKEN when a port:

    • does not compile

    • fails its configuration or installation process

    • installs files outside of ${PREFIX}

    • does not remove all its files cleanly upon deinstall (however, it may be acceptable, and desirable, for the port to leave user-modified files behind)

    • has runtime issues on systems where it is supposed to run fine.

  • FORBIDDEN is used for ports that contain a security vulnerability or induce grave concern regarding the security of a FreeBSD system with a given port installed (e.g., a reputably insecure program or a program that provides easily exploitable services). Ports should be marked as FORBIDDEN as soon as a particular piece of software has a vulnerability and there is no released upgrade. Ideally ports should be upgraded as soon as possible when a security vulnerability is discovered so as to reduce the number of vulnerable FreeBSD hosts (we like being known for being secure), however sometimes there is a noticeable time gap between disclosure of a vulnerability and an updated release of the vulnerable software. Do not mark a port FORBIDDEN for any reason other than security.

  • IGNORE is reserved for ports that should not be built for some other reason. It should be used for ports where the problem is believed to be structural. The build cluster will not, under any circumstances, build ports marked as IGNORE. For instance, use IGNORE when a port:

    • does not work on the installed version of FreeBSD

    • has a distfile which may not be automatically fetched due to licensing restrictions

    • does not work with some other currently installed port (for instance, the port depends on www/apache20 but www/apache22 is installed)


    If a port would conflict with a currently installed port (for example, if they install a file in the same place that performs a different function), use CONFLICTS instead. CONFLICTS will set IGNORE by itself.

  • If a port should be marked IGNORE only on certain architectures, there are two other convenience variables that will automatically set IGNORE for you: ONLY_FOR_ARCHS and NOT_FOR_ARCHS. Examples:

    ONLY_FOR_ARCHS=	i386 amd64
    NOT_FOR_ARCHS=	ia64 sparc64

    A custom IGNORE message can be set using ONLY_FOR_ARCHS_REASON and NOT_FOR_ARCHS_REASON. Per architecture entries are possible with ONLY_FOR_ARCHS_REASON_ARCH and NOT_FOR_ARCHS_REASON_ARCH.

  • If a port fetches i386 binaries and installs them, IA32_BINARY_PORT should be set. If this variable is set, it will be checked whether the /usr/lib32 directory is available for IA32 versions of libraries and whether the kernel has IA32 compatibility compiled in. If one of these two dependencies is not satisfied, IGNORE will be set automatically.

12.14.2. Implementation Notes

The strings should not be quoted. Also, the wording of the string should be somewhat different due to the way the information is shown to the user. Examples:

BROKEN=	fails to link with base -lcrypto
IGNORE=	unsupported on recent versions

resulting in the following output from make describe:

===>  foobar-0.1 is marked as broken: fails to link with base -lcrypto.
===>  foobar-0.1 is unsupported on recent versions.

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.