RUA is a build tool for ArchLinux, AUR. Its features:
shellcheck
, taking care of special variables--offline
buildsseccomp
to limit available syscalls (e.g. the build cannot call ptrace
)sudo
(filesystem is mounted with nosuid
)rua search wesnoth
rua info freecad
rua install pinta
# install or upgrade a package
rua upgrade
# upgrade all AUR packages. You can selectively ignore packages by using --ignore
or adding them to IgnorePkg
in pacman.conf
(same as with non-AUR packages and pacman
). You can upgrade only specific packages with rua install A B C
.
rua shellcheck path/to/my/PKGBUILD
# run shellcheck
on a PKGBUILD, discovering potential problems with the build instruction. Takes care of PKGBUILD-specific variables.
rua tarcheck xcalib.pkg.tar
# if you already have a *.pkg.tar package built, run RUA checks on it (SUID, executable list, INSTALL script review etc).
rua builddir --offline /path/to/pkgbuild/directory
# build a directory.
rua --help; rua subcommand --help
# shows CLI help
sudo pacman -S --needed --asdeps git base-devel bubblewrap-suid libseccomp xz shellcheck cargo
sudo pacman -S --needed base-devel git
git clone https://aur.archlinux.org/rua.git
cd rua
makepkg -si
In the web interface, package is rua.
RUSTUP_TOOLCHAIN=stable cargo install --force rua
This will not include bash/zsh/fish completions, but everything else should work.
directory | meaning |
---|---|
~/.config/rua/pkg/ |
Step 1, directory where AUR packages are cloned into. You review and make local modifications here |
~/.cache/rua/build/ |
Step 2, reviewed packages are copied here, and then built |
~/.local/share/rua/checked_tars/ |
Step 3, directory where built and tarcheck-ed packages are stored (*.pkg.tar.xz) |
~/.config/rua/wrap_args.d/ |
entrypoint for basic configuration of the security wrapper script |
~/.config/rua/.system/ |
internal files |
$GNUPGHOME/pubring.kbx $GNUPGHOME/pubring.gpg |
read-only access to these two files is granted when building, to allow signature verification |
All other files | All other files in ~ are not accessed by RUA and inaccessible by built packages (see Safety section below) |
Note that directories above follow the XDG specification,
so XDG_CONFIG_HOME
environment variable would override ~/.config
,
XDG_CACHE_HOME
would override ~/.cache
and
XDG_DATA_HOME
would override ~/.local/share
.
Knowing the underlying machinery is not required to work with RUA, but if you're curious anyway, this section is for you.
All AUR packages are stored in designated git
repositories,
with upstream/master
pointing to remote AUR head and
local master
meaning your reviewed and accepted state.
Local branch does not track the remote one.
RUA works by fetching remote updates when needed, presenting remote changes to you and merging them if you accept them. Merging and basic diff view are built-in commands in RUA, and you can drop to shell and do more from git CLI if you want.
RUA will:
If you have a dependency structure like this:
your_original_package
├── dependency_a
│ ├── a1
│ └── a2
└── dependency_b
├── b1
└── b2
RUA will thus interrupt you 3 times, not 7 as if it would be plainly recursive. It also won't disrupt you if it knows recursion breaks down the line (with unsatisfiable dependencies).
-Suy
your system with it. Please use pacman for that.rua upgrade --devel
. No version checks are done to avoid unnecessary rebuilds. Merge requests welcomed.package()
does not work. This happens when archives are extracted in package()
function. Doing it in prepare()
or giving a key like tar --no-same-owner
is the work-around.Do not install AUR packages you don't trust. RUA only adds build-time isolation and install-time control/review.
When building packages, RUA uses the following filesystem isolation:
"$GNUPGHOME"/pubring.kbx
and "$GNUPGHOME"/pubring.gpg
are mounted read-only (if exists). This allows signature verification to work.~
is not visible to the build process, mounted under tmpfs./tmp
and /dev
and /proc
are re-mounted with empty tmpfs, devtmpfs and procfs accordingly./
is mounted read-only.Additionally, all builds are run in a namespace jail, with seccomp
enabled
and user
, ipc
, pid
, uts
, cgroup
being unshared by default.
If asked from CLI, builds can be run in offline mode.
The RUA name is an inversion of "AUR".
This work was made possible by the excellent libraries of raur, srcinfo and many others.
Project is shared under GPLv3+. Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project (rua) by you, shall be licensed as GPLv3+, without any additional terms or conditions.
For authors, see Cargo.toml and git history.