From 1c6e20f4af9b0b7d5447b0bcc350ed36f1b074d9 Mon Sep 17 00:00:00 2001 From: Dov Benyomin Sohacheski Date: Thu, 14 May 2026 12:14:20 +0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Document=20`cni`=20deny=20catego?= =?UTF-8?q?ry?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the `cni` (containernetworking-plugins) bullet to the "Restricted Packages" list at /tools/apt — completes the doc surface for the new default-deny pin shipping in workspace 2026-q2.17. Pairs with the workspace PR adding 99-deny-cni + the canonical env.reference.yaml enumeration update. --- docs/tools/apt.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/tools/apt.md b/docs/tools/apt.md index dce2b0a..cf8fb3d 100644 --- a/docs/tools/apt.md +++ b/docs/tools/apt.md 
@@ -66,19 +66,20 @@ Notable configurations include: The *workspace* runs headless, so it ships preference files that block packages with no use inside a container. These are grouped by category: -- `x11` — X11 server, GTK/Qt toolkits, Mesa -- `desktop` — Bluetooth, Avahi, NetworkManager, wireless daemons -- `mail` — Postfix, Exim, Sendmail, mail clients -- `printing` — CUPS, printer drivers -- `daemons` — `systemd-timesyncd`, NTP, Chrony -- `language-pack` — locale packages -- `obsolete` — `anacron`, `at` +- `x11`: X11 server, GTK/Qt toolkits, Mesa +- `desktop`: Bluetooth, Avahi, NetworkManager, wireless daemons +- `mail`: Postfix, Exim, Sendmail, mail clients +- `printing`: CUPS, printer drivers +- `daemons`: `systemd-timesyncd`, NTP, Chrony +- `cni`: `containernetworking-plugins` *(podman defaults to `netavark`)* +- `language-pack`: locale packages +- `obsolete`: `anacron`, `at` If you need to install a package that pulls in a restricted dependency, opt out with: - -Lift a single category — useful for installing X11 client libraries while leaving +Lift a single category, useful for installing X11 client libraries while leaving mail and printing blocked: ```sh{2}
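Review bot: In the added `cni` bullet, the only rationale is the parenthetical *(podman defaults to `netavark`)*, and that does not match the list's own framing of "packages with no use inside a container", since `containernetworking-plugins` is container tooling. Consider stating the reason outright, for example that the package is pinned out because the default network backend does not use it, and adding a sentence near the opt-out paragraph telling readers who do need the package that `cni` is the category to lift. Separately, the remaining changed lines in this hunk only replace the dash separator with a colon (and with a comma in "Lift a single category, useful for installing X11 client libraries"), which the commit message does not mention. Either note the punctuation sweep in the message or split it out so the `cni` addition is the only content change to review. The rewritten "Lift a single category, useful for ..." line now reads as a run-on, and "Lift a single category. This is useful for ..." would be clearer.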