Add support for "building in clean chroot"
It looks like rua uses systemd to hide or mark read-only much of the system. This is good, but it could and should be better: any packages which are installed on the system are still installed, which could sometimes have unpredictable effects on how a package is built.
Ideally, the package would be built in a clean chroot environment. That page has some tools which are supposed to help, but I’m not sure if they’re compatible with rua’s other security measures.
Hi @dhouck. This is a known alternative, although still good that you raised an issue for that.
The current technology that rua uses for isolation is bubblewrap https://github.com/projectatomic/bubblewrap. It has the advantage that it's extremely easy to set up, super-fast, and it can give you easy seccomp and network isolation. The downside is that, indeed, packages might be affected by other locally installed packages.
For RUA, I think it makes sense to support both build options. The bubblewrap one is already in place so it doesn't require a lot of maintenance, but a chroot one might be very useful as well.
If you'd be willing to work on that, please tell!
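To make the trade-off discussed above concrete, here is an added example (not rua's own code, and not from this thread's authors) of the kind of bubblewrap invocation a build sandbox uses: the host's `/usr` and `/etc` are bind-mounted read-only, the build tree is the only writable host path, and all namespaces including the network are unshared. It assumes `bwrap` is installed and takes the build directory as a hypothetical argument; the `pkgconfig` listing at the end is there only to show that host-installed development packages remain visible to the build, which is exactly the caveat a clean chroot would remove.

```shell
#!/bin/sh
# Added example: a read-only bubblewrap sandbox for a package build.
# Assumes bwrap is installed; the build directory is passed in by the caller.
# Paths are expected to contain no whitespace (the argument list is word-split).

# Print the bwrap argument list for sandboxing a build of "$1", one per line.
sandbox_args() {
    build_dir="$1"
    printf '%s\n' \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib /lib64 \
        --symlink usr/bin /bin \
        --symlink usr/bin /sbin \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --tmpfs /home \
        --bind "$build_dir" "$build_dir" \
        --chdir "$build_dir" \
        --setenv HOME "$build_dir" \
        --unshare-all \
        --die-with-parent \
        --new-session
}

# Run a command inside the sandbox built from sandbox_args.
run_sandboxed() {
    build_dir="$1"
    shift
    # shellcheck disable=SC2046
    bwrap $(sandbox_args "$build_dir") -- "$@"
}

# Demonstration of the caveat: host .pc files are visible to the sandboxed build,
# so a configure script inside it can still pick up host-installed libraries.
if [ -n "$1" ] && command -v bwrap >/dev/null 2>&1; then
    run_sandboxed "$1" sh -c 'ls /usr/lib/pkgconfig | wc -l'
fi
```

Running `sh sandbox.sh /path/to/build` (a constructed path) prints the number of host pkg-config files the build can see; a clean chroot would start from an empty root and show only what the build explicitly installs.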
In theory I’d be willing to work on it, but I have no Rust experience and not much with security isolation, so in practice probably I wouldn't actually get very far.
@dhouck I think this is a feature that is desired by many people, so if you'd be willing to work on it, many would appreciate I think! Security isolation is not a problem as it should be fully covered by the "clean chroot" tooling. Implementing it requires CLI changes and actual correct wrapping around the "clean chroot" tool. Maybe a bit of a dance with carefully picking the right directories, but maybe not at all.
I've added the "help wanted" badge to the issue. Sorry for the late reply BTW, was at FOSDEM.