vn971 / rua

Build tool for Arch Linux providing control, review and jailed build options
GNU General Public License v3.0
426 stars 41 forks source link
arch-user-repository archlinux aur namespaces

RUA Rust ShellCheck crates.io

RUA is a build tool for ArchLinux, AUR. Its features:

Use

rua search wesnoth

rua info freecad

rua install pinta # install or upgrade a package

rua upgrade # upgrade all AUR packages. You can selectively ignore packages by using --ignore or adding them to IgnorePkg in pacman.conf (same as with non-AUR packages and pacman). You can upgrade only specific packages with rua install A B C.

rua shellcheck path/to/my/PKGBUILD # run shellcheck on a PKGBUILD, discovering potential problems with the build instruction. Takes care of PKGBUILD-specific variables.

rua tarcheck xcalib.pkg.tar # if you already have a *.pkg.tar package built, run RUA checks on it (SUID, executable list, INSTALL script review etc).

rua builddir --offline /path/to/pkgbuild/directory # build a directory.

rua --help; rua subcommand --help # shows CLI help

Install dependencies

sudo pacman -S --needed --asdeps git base-devel bubblewrap-suid libseccomp xz shellcheck cargo

Install (the AUR way)

sudo pacman -S --needed base-devel git
git clone https://aur.archlinux.org/rua.git
cd rua
makepkg -si

In the web interface, package is rua.

Install (the Rust way)

RUSTUP_TOOLCHAIN=stable cargo install --force rua

This will not include bash/zsh/fish completions, but everything else should work.

How it works / directories

directory meaning
~/.config/rua/pkg/ Step 1, directory where AUR packages are cloned into. You review and make local modifications here
~/.cache/rua/build/ Step 2, reviewed packages are copied here, and then built
~/.local/share/rua/checked_tars/ Step 3, directory where built and tarcheck-ed packages are stored (*.pkg.tar.xz)
~/.config/rua/wrap_args.d/ entrypoint for basic configuration of the security wrapper script
~/.config/rua/.system/ internal files
$GNUPGHOME/pubring.kbx
$GNUPGHOME/pubring.gpg
read-only access to these two files is granted when building, to allow signature verification
All other files All other files in ~ are not accessed by RUA and inaccessible by built packages (see Safety section below)

Note that directories above follow the XDG specification, so XDG_CONFIG_HOME environment variable would override ~/.config, XDG_CACHE_HOME would override ~/.cache and XDG_DATA_HOME would override ~/.local/share.

How it works / reviewing

Knowing the underlying machinery is not required to work with RUA, but if you're curious anyway, this section is for you.

All AUR packages are stored in designated git repositories, with upstream/master pointing to remote AUR head and local master meaning your reviewed and accepted state. Local branch does not track the remote one.

RUA works by fetching remote updates when needed, presenting remote changes to you and merging them if you accept them. Merging and basic diff view are built-in commands in RUA, and you can drop to shell and do more from git CLI if you want.

How it works / dependency grouping and installation

RUA will:

  1. Fetch the AUR package and all recursive dependencies.
  2. Prepare a summary of all pacman and AUR packages that will need installing. Show the summary to the user, confirm proceeding.
  3. Iterate over all AUR dependencies and ask to review the repo-s. Once we know that user really accepts all recursive changes, proceed.
  4. Propose installing all pacman dependencies.
  5. Build all AUR packages of maximum dependency "depth".
  6. Let the user review built artifacts (in batch).
  7. Install them. If any more packages are left, go two steps up.

If you have a dependency structure like this:

your_original_package
├── dependency_a
│   ├── a1
│   └── a2
└── dependency_b
    ├── b1
    └── b2

RUA will thus interrupt you 3 times, not 7 as if it would be plainly recursive. It also won't disrupt you if it knows recursion breaks down the line (with unsatisfiable dependencies).

Limitations

Safety

Do not install AUR packages you don't trust. RUA only adds build-time isolation and install-time control/review.

When building packages, RUA uses the following filesystem isolation:

Additionally, all builds are run in a namespace jail, with seccomp enabled and user, ipc, pid, uts, cgroup being unshared by default. If asked from CLI, builds can be run in offline mode.

Other

The RUA name is an inversion of "AUR".

This work was made possible by the excellent libraries of raur, srcinfo and many others.

Project is shared under GPLv3+. Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project (rua) by you, shall be licensed as GPLv3+, without any additional terms or conditions.

For authors, see Cargo.toml and git history.