61 releases (11 breaking)
✓ Uses Rust 2018 edition
|0.13.11||Jul 17, 2019|
|0.13.9||May 24, 2019|
|0.13.1||Mar 22, 2019|
|0.9.11||Nov 28, 2018|
#3 in Unix APIs
705 downloads per month
RUA is a build tool for ArchLinux, AUR. Its features:
- Uses a namespace jail to build packages:
- supports "offline" builds (network namespace)
- builds in isolated filesystem, see safety section below
- PKGBUILD script is run under seccomp rules (e.g. the build cannot call
- filesystem is mounted with "nosuid" (e.g. the build cannot call
- Show the user what they are about to install:
- warn if SUID files are present, and show them
- show INSTALL script (if present), executable and file list preview
- Minimize user interaction:
- verify all PKGBUILD-s once, build without interruptions
- group built dependencies for batch review/install
- Written in Rust
Planned features include AUR upstream git diff and local patch application.
rua install xcalib # install AUR package (with user confirmation)
rua install --offline xcalib # same as above, but PKGBUILD is run without internet access. Sources are downloaded using .SRCINFO only.
rua search rua
rua show xcalib freecad # shows information on packages
rua tarcheck xcalib.pkg.tar # if you already have a *.pkg.tar package built, run RUA checks on it (SUID, executable list, INSTALL script review etc).
rua jailbuild --offline /path/to/pkgbuild/directory # build a directory. Don't fetch any dependencies. Assumes a clean directory.
rua --help && rua install --help # shows CLI help
Jail arguments can be overridden in ~/.config/rua/wrap_args.d/ .
sudo pacman -S --needed git base-devel bubblewrap cargo
git clone https://aur.archlinux.org/rua.git cd rua makepkg -si
In the web interface, package is rua.
cargo install rua
There won't be bash/zsh/fish completions this way, but everything else should work.
We'll consider the "install" command. RUA will:
- Fetch the AUR package and all recursive dependencies.
- Prepare a summary of all pacman and AUR packages that will need installing. Show the summary to the user, confirm proceeding.
- Iterate over all AUR dependencies and ask to review the repo-s (PKGBUILDs, etc).
- Propose installing all pacman dependencies in one batch. (No need to do it for each AUR package individually, save user-s time).
- Build all AUR packages of maximum dependency "depth".
- Let the user review built artifacts (in batch).
- Install them. If any more packages are left, go two steps up.
- Smart caching is not implemented yet. To avoid outdated builds, RUA wipes caches in case of possible conflict. This may change in the future.
- Optional dependencies (optdepends) are not installed. They are skipped. Check them out manually when you review PKGBUILD. This may change in the future.
- The tool does not show you outdated packages yet (those that have updates in AUR). Pull requests are welcomed.
- Unless you explicitly enable it, builds do not share user home (~). This may result in rust/maven/npm/whatever packages being re-downloaded each build. If you want to override some of that, take a look at ~/.config/rua/wrap_args.d/ and the parent directory for examples.
RUA only adds build-time safety and install-time control. Once/if packages pass your review, they are as run-time safe as they were in the first place. Do not install AUR packages you don't trust.
When building packages, RUA uses the following filesystem isolation by default:
- Build directory is mounted read-write.
- ~/.gnupg directory is mounted read-only, excluding ~/.gnupg/private-keys-v1.d, which is blocked. This allows signature verification to work.
- The rest of
~is not visible to the build process, mounted under tmpfs.
- The rest of
/is mounted read-only.
- You can add your mount points by configuring "wrap_args".
The RUA name can be read as "RUst Aur jail", also an inversion of "AUR".
IRC: #rua @freenode.net (no promises are made for availability)
Project is shared under GPLv3+.