83 releases (13 breaking)
✓ Uses Rust 2018 edition
|0.15.2||Nov 26, 2019|
|0.14.19||Oct 31, 2019|
|0.13.11||Jul 17, 2019|
|0.13.1||Mar 22, 2019|
|0.9.11||Nov 28, 2018|
#4 in Unix APIs
1,020 downloads per month
RUA is a build tool for ArchLinux, AUR. Its features:
- Allows local patch application
- Provides detailed information:
- show upstream changes upon package upgrade
- see code problems in PKGBUILD via
shellcheck, taking care of special variables
- warn if SUID files are present in an already built package, and show them
- show file list, executable list and INSTALL script in already built archives
- Minimize user distractions:
- verify all packages once, build without interruptions
- group built dependencies for batch review
- Uses a security namespace jail:
- builds in isolated filesystem, see safety section below
seccompto limit available syscalls (e.g. the build cannot call
- the build cannot execute
sudo(filesystem is mounted with
- Written in Rust
rua install xcalib # install or upgrade a package
rua search wesnoth
rua info freecad
rua upgrade # upgrade all AUR packages. You can selectively ignore packages by adding them to
pacman.conf (same as with non-AUR packages and
pacman). You can upgrade only specific packages with
rua install A B C.
rua shellcheck path/to/my/PKGBUILD # run
shellcheck on a PKGBUILD, discovering potential problems with the build instruction. Takes care of PKGBUILD-specific variables.
rua tarcheck xcalib.pkg.tar # if you already have a *.pkg.tar package built, run RUA checks on it (SUID, executable list, INSTALL script review etc).
rua builddir --offline /path/to/pkgbuild/directory # build a directory.
rua --help; rua subcommand --help # shows CLI help
sudo pacman -S --needed git base-devel bubblewrap-suid lz shellcheck cargo
git clone https://aur.archlinux.org/rua.git cd rua makepkg -si
In the web interface, package is rua.
RUSTUP_TOOLCHAIN=stable cargo install --force rua
This does not include bash/zsh/fish completions, but everything else should work.
If you use development version
cargo install --features git rua instead.
Knowing the underlying machinery is not required to work with RUA, but if you're curious anyway, this section is for you.
All AUR packages are stored in designated
upstream/master pointing to remote AUR head and
master meaning your reviewed and accepted state.
Local branch does not track the remote one.
RUA works by fetching remote updates when needed, presenting remote changes to you and merging them if you accept them. Merging and basic diff view are built-in commands in RUA, and you can drop to shell and do more from git CLI if you want.
Merging the latest
upstream/master is required to upgrade the package.
- Fetch the AUR package and all recursive dependencies.
- Prepare a summary of all pacman and AUR packages that will need installing. Show the summary to the user, confirm proceeding.
- Iterate over all AUR dependencies and ask to review the repo-s. Once we know that user really accepts all recursive changes, proceed.
- Propose installing all pacman dependencies.
- Build all AUR packages of maximum dependency "depth".
- Let the user review built artifacts (in batch).
- Install them. If any more packages are left, go two steps up.
If you have a dependency structure like this:
your_original_package ├── dependency_a │ ├── a1 │ └── a2 └── dependency_b ├── b1 └── b2
RUA will thus interrupt you 3 times, not 7 as if it would be plainly recursive. It also won't disrupt you if it knows recursion breaks down the line (with unsatisfiable dependencies).
- This tool focuses on AUR packages only, you cannot
-Suyyour system with it. Use pacman for that.
- Optional dependencies (optdepends) are not installed. They are skipped. Check them out manually when you review PKGBUILD.
- The tool does not handle versions. It will always install the latest version possible, and it will always assume that latest version is enough.
- Development packages such as "-git" packages are only rebuilt when running
rua upgrade --devel. No version checks are done to avoid unnecessary rebuilds. Merge requests welcomed.
- Unless you explicitly enable it, builds do not share user home (~). This may result in maven/npm/cargo/whatever dependencies re-downloading with each build. See safety section below on how to whitelist certain directories.
- Environment variables "PKGDEST" and "BUILDDIR" of makepkg.conf are not supported. Packages are built in isolation from each other, artifacts are stored in standard locations of this tool.
RUA only adds build-time safety and install-time control. Once/if packages pass your review, they are as run-time safe as they were in the first place. Do not install AUR packages you don't trust.
When building packages, RUA uses the following filesystem isolation by default:
- Build directory is mounted read-write.
"$GNUPGHOME"/pubring.gpgare mounted read-only (if exists). This allows signature verification to work.
- The rest of
~is not visible to the build process, mounted under tmpfs.
- The rest of
/is mounted read-only.
- You can whitelist/add your mount points by configuring "wrap_args". See examples in ~/.config/rua/wrap_args.d/ (none enabled by default).
As mentioned in the header,
seccomp also applies to all builds, and there is a CLI option for offline builds.
The RUA name can be read as "RUst Aur jail", also an inversion of "AUR".
IRC: #rua @freenode.net
Project is shared under GPLv3+. For authors, see Cargo.toml and git history.