Welcome to Portage
Portage is probably Gentoo's most notable innovation in software management.
With its high flexibility and enormous amount of features it is frequently seen
as the best software management tool available for Linux.
Portage is completely written in Python
and Bash and therefore fully
visible to the users as both are scripting languages.
Most users will work with Portage through the emerge tool. This chapter
is not meant to duplicate the information available from the emerge man page.
For a complete rundown of emerge's options, please consult the man page:
Code Listing 1.1: Reading the emerge man page
$ man emerge
The Portage Tree
When we talk about packages, we often mean software titles that are available to
the Gentoo users through the Portage tree. The Portage tree is a collection of
ebuilds, files that contain all information Portage needs to maintain
software (install, search, query, ...). These ebuilds reside in
/usr/portage by default.
Whenever you ask Portage to perform some action regarding software titles, it
will use the ebuilds on your system as a base. It is therefore important that
you regularly update the ebuilds on your system so Portage knows about new
software, security updates, etc.
Updating the Portage Tree
The Portage tree is usually updated with rsync, a fast incremental file transfer
utility. Updating is fairly simple as the emerge command provides a
front-end for rsync:
Code Listing 1.1: Updating the Portage tree
# emerge --sync
If you are unable to rsync due to firewall restrictions you can still update
your Portage tree by using our daily generated Portage tree snapshots. The
emerge-webrsync tool automatically fetches and installs the latest
snapshot on your system:
Code Listing 1.1: Running emerge-webrsync
An additional advantage of using emerge-webrsync is that it allows the
administrator to only pull in portage tree snapshots that are signed by the
Gentoo release engineering GPG key. More information on this can be found
in the (Portage Features) section on
(Fetching Validated Portage Tree
Searching for Software
To search through the Portage tree after software titles, you can use
emerge built-in search capabilities. By default, emerge --search
returns the names of packages whose title matches (either fully or partially)
the given search term.
For instance, to search for all packages who have "pdf" in their name:
Code Listing 1.1: Searching for pdf-named packages
$ emerge --search pdf
If you want to search through the descriptions as well you can use the
--searchdesc (or -S) switch:
Code Listing 1.1: Searching for pdf-related packages
$ emerge --searchdesc pdf
When you take a look at the output, you'll notice that it gives you a lot of
information. The fields are clearly labelled so we won't go further into their
Code Listing 1.1: Example 'emerge --search' output
Latest version available: 1.5.2
Latest version installed: [ Not Installed ]
Size of downloaded files: 15 kB
Description: Provides a virtual printer for CUPS to produce PDF files.
Once you've found a software title to your liking, you can easily install it
with emerge: just add the package name. For instance, to install
Code Listing 1.1: Installing gnumeric
# emerge gnumeric
Since many applications depend on each other, any attempt to install a certain
software package might result in the installation of several dependencies as
well. Don't worry, Portage handles dependencies well. If you want to find out
what Portage would install when you ask it to install a certain package,
add the --pretend switch. For instance:
Code Listing 1.1: Pretend to install gnumeric
# emerge --pretend gnumeric
When you ask Portage to install a package, it will download the necessary source
code from the internet (if necessary) and store it by default in
/usr/portage/distfiles. After this it will unpack, compile and
install the package. If you want Portage to only download the sources without
installing them, add the --fetchonly option to the emerge command:
Code Listing 1.1: Download the sourcecode for gnumeric
# emerge --fetchonly gnumeric
Finding Installed Package Documentation
Many packages come with their own documentation. Sometimes, the doc USE
flag determines whether the package documentation should be installed or not.
You can check the existence of a doc USE flag with the emerge -vp
<package name> command.
Code Listing 1.1: Checking the existence of a doc USE flag
# emerge -vp alsa-lib
[ebuild N ] media-libs/alsa-lib-1.0.14_rc1 -debug +doc 698 kB
The best way of enabling the doc USE flag is doing it on a per-package
basis via /etc/portage/package.use, so that you get documentation
only for packages that you are interested in. Enabling this flag globally is
known to cause problems with circular dependencies. For more information, please
read the (USE Flags) chapter.
Once the package installed, its documentation is generally found in a
subdirectory named after the package under the /usr/share/doc
directory. You can also list all installed files with the equery tool
which is part of the app-portage/gentoolkit package.
Code Listing 1.1: Locating package documentation
# ls -l /usr/share/doc/alsa-lib-1.0.14_rc1
-rw-r--r-- 1 root root 669 May 17 21:54 ChangeLog.gz
-rw-r--r-- 1 root root 9373 May 17 21:54 COPYING.gz
drwxr-xr-x 2 root root 8560 May 17 21:54 html
-rw-r--r-- 1 root root 196 May 17 21:54 TODO.gz
# equery files alsa-lib | less
* Contents of media-libs/alsa-lib-1.0.14_rc1:
When you want to remove a software package from your system, use emerge
--unmerge. This will tell Portage to remove all files installed by that
package from your system except the configuration files of that
application if you have altered those after the installation. Leaving the
configuration files allows you to continue working with the package if you ever
decide to install it again.
However, a big warning applies: Portage will not check if
the package you want to remove is required by another package. It will however
warn you when you want to remove an important package that breaks your system
if you unmerge it.
Code Listing 1.1: Removing gnumeric from the system
# emerge --unmerge gnumeric
When you remove a package from your system, the dependencies of that package
that were installed automatically when you installed the software are left. To
have Portage locate all dependencies that can now be removed, use
emerge's --depclean functionality. We will talk about this later
Updating your System
To keep your system in perfect shape (and not to mention install the latest
security updates) you need to update your system regularly. Since Portage only
checks the ebuilds in your Portage tree you first have to update your Portage
tree. When your Portage tree is updated, you can update your system with
emerge --update @world. In the next example, we'll also use the
--ask switch which will tell Portage to display the list of packages it
wants to upgrade and ask you if you want to continue:
Code Listing 1.1: Updating your system
# emerge --update --ask @world
Portage will then search for newer version of the applications you have
installed. However, it will only verify the versions for the applications you
have explicitly installed (the applications listed in
/var/lib/portage/world) - it does not thoroughly check their
dependencies. If you want to update the dependencies of those packages as well,
add the --deep argument:
Code Listing 1.1: Updating your system with dependencies
# emerge --update --deep @world
Still, this doesn't mean all packages: some packages on your system are
needed during the compile and build process of packages, but once that package
is installed, these dependencies are no longer required. Portage calls those
build dependencies. To include those in an update cycle, add
Code Listing 1.1: Updating your entire system
# emerge --update --deep --with-bdeps=y @world
Since security updates also happen in packages you have not explicitly installed
on your system (but that are pulled in as dependencies of other programs), it
is recommended to run this command once in a while.
If you have altered any of your (USE flags)
lately you might want to add --newuse as well. Portage will then verify
if the change requires the installation of new packages or recompilation of
Code Listing 1.1: Performing a full update
# emerge --update --deep --with-bdeps=y --newuse @world
Some packages in the Portage tree don't have any real content but are used to
install a collection of packages. For instance, the kde-meta package will
install a complete KDE environment on your system by pulling in various
KDE-related packages as dependencies.
If you ever want to remove such a package from your system, running emerge
--unmerge on the package won't have much effect as the dependencies remain
on the system.
Portage has the functionality to remove orphaned dependencies as well, but since
the availability of software is dynamically dependent you first need to update
your entire system fully, including the new changes you applied when changing
USE flags. After this you can run emerge --depclean to remove the
orphaned dependencies. When this is done, you need to rebuild the applications
that were dynamically linked to the now-removed software titles but don't
require them anymore.
All this is handled with the following three commands:
Code Listing 1.1: Removing orphaned dependencies
# emerge --update --deep --newuse @world
# emerge --depclean
revdep-rebuild is provided by the gentoolkit package; don't forget
to emerge it first:
Code Listing 1.1: Installing the gentoolkit package
# emerge gentoolkit
Beginning with Portage version 2.1.7, you can accept or reject software
installation based on its license. All packages in the tree contain a
LICENSE entry in their ebuilds. Running emerge --search
packagename will tell you the package's license.
By default, Portage permits all licenses, except End User License Agreements
(EULAs) that require reading and signing an acceptance agreement.
The variable that controls permitted licenses is ACCEPT_LICENSE, which
can be set in /etc/portage/make.conf. In the next example, this
default value is shown:
Code Listing 1.1: Setting ACCEPT_LICENSE in /etc/portage/make.conf
With this configuration, packages that require interaction during installation
to approve their EULA will not be installable. Packages without an EULA
will be installable.
You can set ACCEPT_LICENSE globally in /etc/portage/make.conf
, or you can specify it on a per-package basis in
For example, if you want to allow the truecrypt-2.7 license for
app-crypt/truecrypt, add the following to
Code Listing 1.1: Specifying a truecrypt license in package.license
This permits installation of truecrypt versions that have the
truecrypt-2.7 license, but not versions with the truecrypt-2.8
Licenses are stored in /usr/portage/licenses, and license groups
are kept in /usr/portage/profiles/license_groups. The first entry
of each line in CAPITAL letters is the name of the license group, and every
entry after that is an individual license.
License groups defined in ACCEPT_LICENSE are prefixed with an @
sign. A commonly requested setting is to only allow the installation of free
software and documentation. To accomplish this, we can remove all currently
accepted licenses (using -*) and then only allow the licenses in the
FREE group as follows:
Code Listing 1.1: Only allowing free software and documentation licenses in /etc/portage/make.conf
In this case, "free" is mostly defined by the FSF and OSI. Any package whose license
does not meet these requirements will not be installable on your system.
When Portage is Complaining...
About SLOTs, Virtuals, Branches, Architectures and Profiles
As we stated before, Portage is extremely powerful and supports many features
that other software management tools lack. To understand this, we explain a few
aspects of Portage without going into too much detail.
With Portage different versions of a single package can coexist on a system.
While other distributions tend to name their package to those versions (like
freetype and freetype2) Portage uses a technology called
SLOTs. An ebuild declares a certain SLOT for its version. Ebuilds with
different SLOTs can coexist on the same system. For instance, the
freetype package has ebuilds with SLOT="1" and SLOT="2".
There are also packages that provide the same functionality but are implemented
differently. For instance, metalogd, sysklogd and syslog-ng
are all system loggers. Applications that rely on the availability of "a system
logger" cannot depend on, for instance, metalogd, as the other system
loggers are as good a choice as any. Portage allows for virtuals: each
system logger is listed as an "exclusive" dependency of the logging service in the
logger virtual package of the virtual category, so that
applications can depend on the virtual/logger package. When installed,
the package will pull in the first logging package mentioned in the package,
unless a logging package was already installed (in which case the virtual is
Software in the Portage tree can reside in different branches. By default your
system only accepts packages that Gentoo deems stable. Most new software titles,
when committed, are added to the testing branch, meaning more testing needs to
be done before it is marked as stable. Although you will see the ebuilds for
those software in the Portage tree, Portage will not update them before they are
placed in the stable branch.
Some software is only available for a few architectures. Or the software doesn't
work on the other architectures, or it needs more testing, or the developer that
committed the software to the Portage tree is unable to verify if the package
works on different architectures.
Each Gentoo installation adheres to a certain profile which contains,
amongst other information, the list of packages that are required for a system
to function normally.
Code Listing 1.1: Portage warning about blocked packages (with --pretend)
[blocks B ] mail-mta/ssmtp (is blocking mail-mta/postfix-2.2.2-r1)
Code Listing 1.1: Portage warning about blocked packages (without --pretend)
!!! Error: the mail-mta/postfix package conflicts with another package.
!!! both can't be installed on the same system together.
!!! Please use 'emerge --pretend' to determine blockers.
Ebuilds contain specific fields that inform Portage about its dependencies.
There are two possible dependencies: build dependencies, declared in
DEPEND and run-time dependencies, declared in RDEPEND. When one of
these dependencies explicitly marks a package or virtual as being not
compatible, it triggers a blockage.
While recent versions of Portage are smart enough to work around minor blockages
without user intervention, occasionally you will need to fix it yourself, as
To fix a blockage, you can choose to not install the package or unmerge the
conflicting package first. In the given example, you can opt not to install
postfix or to remove ssmtp first.
You may also see blocking packages with specific atoms, such as
<media-video/mplayer-1.0_rc1-r2. In this case, updating to a more
recent version of the blocking package would remove the block.
It is also possible that two packages that are yet to be installed are blocking
each other. In this rare case, you should find out why you need to install both.
In most cases you can do with one of the packages alone. If not, please file a
bug on Gentoo's bugtracking system.
Code Listing 1.1: Portage warning about masked packages
!!! all ebuilds that could satisfy "bootsplash" have been masked.
Code Listing 1.1: Portage warning about masked packages - reason
!!! possible candidates are:
- gnome-base/gnome-2.8.0_pre1 (masked by: ~x86 keyword)
- lm-sensors/lm-sensors-2.8.7 (masked by: -sparc keyword)
- sys-libs/glibc-22.214.171.12440808 (masked by: -* keyword)
- dev-util/cvsd-1.0.2 (masked by: missing keyword)
- games-fps/unreal-tournament-451 (masked by: package.mask)
- sys-libs/glibc-2.3.2-r11 (masked by: profile)
- net-im/skype-126.96.36.199 (masked by: skype-eula license(s))
When you want to install a package that isn't available for your system, you
will receive this masking error. You should try installing a different
application that is available for your system or wait until the package is put
available. There is always a reason why a package is masked:
~arch keyword means that the application is not tested sufficiently
to be put in the stable branch. Wait a few days or weeks and try again.
-arch keyword or -* keyword means that the application does
not work on your architecture. If you believe the package does work file
a bug at our bugzilla website.
missing keyword means that the application has not been tested on
your architecture yet. Ask the architecture porting team to test the package
or test it for them and report your findings on our bugzilla website.
package.mask means that the package has been found corrupt, unstable
or worse and has been deliberately marked as do-not-use.
profile means that the package has been found not suitable for your
profile. The application might break your system if you installed it or is
just not compatible with the profile you use.
license means that the package's license is not compatible with your
ACCEPT_LICENSE setting. You must explicitly permit its license or
license group by setting it in /etc/portage/make.conf or in
/etc/portage/package.license. Refer to Licenses to learn how licenses work.
Necessary USE Flag Changes
Code Listing 1.1: Portage warning about USE flag change requirement
The following USE changes are necessary to proceed:
#required by app-text/happypackage-2.0, required by happypackage (argument)
The error message might also be displayed as follows, if --autounmask
Code Listing 1.1: Portage error about USE flag change requirement
emerge: there are no ebuilds built with USE flags to satisfy "app-text/feelings[test]".
!!! One of the following packages is required to complete your request:
- app-text/feelings-1.0.0 (Change USE: +test)
(dependency required by "app-text/happypackage-2.0" [ebuild])
(dependency required by "happypackage" [argument])
Such warning or error occurs when you want to install a package which not only
depends on another package, but also requires that that package is built with a
particular USE flag (or set of USE flags). In the given example, the package
app-text/feelings needs to be built with USE="test", but this USE
flag is not set on the system.
To resolve this, either add the requested USE flag to your global USE flags in
/etc/portage/make.conf, or set it for the specific package in
Code Listing 1.1: Portage warning about missing dependency
emerge: there are no ebuilds to satisfy ">=sys-devel/gcc-3.4.2-r4".
!!! Problem with ebuild sys-devel/gcc-3.4.2-r2
!!! Possibly a DEPEND/*DEPEND problem.
The application you are trying to install depends on another package that is not
available for your system. Please check bugzilla if the issue is known and if not,
please report it. Unless you are mixing branches this should not occur and is
therefore a bug.
Ambiguous Ebuild Name
Code Listing 1.1: Portage warning about ambiguous ebuild names
[ Results for search key : listen ]
[ Applications found : 2 ]
* dev-tinyos/listen [ Masked ]
Latest version available: 1.1.15
Latest version installed: [ Not Installed ]
Size of files: 10,032 kB
Description: Raw listen for TinyOS
* media-sound/listen [ Masked ]
Latest version available: 0.6.3
Latest version installed: [ Not Installed ]
Size of files: 859 kB
Description: A Music player and management for GNOME
!!! The short ebuild name "listen" is ambiguous. Please specify
!!! one of the above fully-qualified ebuild names instead.
The application you want to install has a name that corresponds with more than
one package. You need to supply the category name as well. Portage will inform
you of possible matches to choose from.
Code Listing 1.1: Portage warning about circular dependencies
!!! Error: circular dependencies:
ebuild / net-print/cups-1.1.15-r2 depends on ebuild / app-text/ghostscript-7.05.3-r1
ebuild / app-text/ghostscript-7.05.3-r1 depends on ebuild / net-print/cups-1.1.15-r2
Two (or more) packages you want to install depend on each other and can
therefore not be installed. This is most likely a bug in the Portage tree.
Please resync after a while and try again. You can also check bugzilla if the issue is known and if not,
Code Listing 1.1: Portage warning about fetch failed
!!! Fetch failed for sys-libs/ncurses-5.4-r5, continuing...
!!! Some fetch errors were encountered. Please see above for details.
Portage was unable to download the sources for the given application and will
try to continue installing the other applications (if applicable). This failure
can be due to a mirror that has not synchronised correctly or because the ebuild
points to an incorrect location. The server where the sources reside can also be
down for some reason.
Retry after one hour to see if the issue still persists.
System Profile Protection
Code Listing 1.1: Portage warning about profile-protected package
!!! Trying to unmerge package(s) in system profile. 'sys-apps/portage'
!!! This could be damaging to your system.
You have asked to remove a package that is part of your system's core packages.
It is listed in your profile as required and should therefore not be removed
from the system.
Digest Verification Failures
Sometimes, when you attempt to emerge a package, it will fail with the message:
Code Listing 1.1: Digest verification failure
>>> checking ebuild checksums
!!! Digest verification failed:
This is a sign that something is wrong with the Portage tree -- often, it is
because a developer may have made a mistake when committing a package to the
When the digest verification fails, do not try to re-digest the package
yourself. Running ebuild foo manifest will not fix the problem; it will
almost certainly make it worse!
Instead, wait an hour or two for the tree to settle down. It's likely that the
error was noticed right away, but it can take a little time for the fix to
trickle down the Portage tree. While you're waiting, check Bugzilla and see if anyone has reported
the problem yet. If not, go ahead and file a bug for the broken package.
Once you see that the bug has been fixed, you may want to re-sync to pick up
the fixed digest.
This does not mean that you can re-sync your tree multiple times! As
stated in the rsync policy (when you run emerge --sync), users who sync
too often will be banned! In fact, it's better to just wait until your next
scheduled sync, so that you don't overload the rsync servers.