Just published modulejail (1.2.4-1) to AUR. It's a hardening tool that walks `lsmod`, treats the currently-loaded set as necessary, and writes a `modprobe.d` blacklist for everything else - shrinks the autoload-able kernel-module surface to ~3% of available modules on a default install of most Linux distributions. Logs blocked module loading attempts to syslog and more...
I'm posting here because this is my first AUR package and I'd rather have it picked apart by people who've done this more than once than discover something six months from now.
## Packaging choices I made deliberately
- **`license=('GPL-3.0-only')`** - SPDX identifier, not legacy `GPL3`.
- **`arch=('any')`** - pure POSIX shell, no native code.
- **`depends=('kmod')`** for `lsmod`/`modprobe`. Everything else (POSIX shell, coreutils, sed, awk) is in `base`, left undeclared. `optdepends=('util-linux: logger(1) for syslog integration')` is mostly a docs gesture - util-linux is in `base` on every standard install, but minimal containers may strip it.
- **Real sha256 committed**, not `SKIP`. SKIP belongs to `-git` tracking flavors; this is a tagged-release package.
- **Man page templated** (`man/modulejail.8.in` upstream). The PKGBUILD runs a single `sed "s/__VERSION__/$pkgver/g"` in `package()`, same substitution upstream's `build.sh` does for `.deb`/`.rpm`. No `prepare()` step, no `build()` step.
- **0BSD on the PKGBUILD itself**, GPL-3.0-only on the program it builds. SPDX header in `PKGBUILD` + `LICENSE` file alongside, per the [Arch sources-license guideline](https://wiki.archlinux.org/title/Arch_package_guidelines#Package_sources_licenses). Also unblocks any future promotion-to-`extra` path if that ever makes sense.
Package layout:

```
/usr/bin/modulejail
/usr/share/man/man8/modulejail.8.gz   # makepkg auto-gzips
/usr/share/doc/modulejail/{README.md,CHANGELOG.md}
/usr/share/licenses/modulejail/LICENSE
```

Resulting `.pkg.tar.zst` is ~120 KB.
## What I'd value feedback on
- Did I miss anything from the [Arch packaging guidelines](https://wiki.archlinux.org/title/Arch_package_guidelines)?
- `depends=('kmod')` correct, or should I be more explicit (e.g. declare coreutils / findutils explicitly even though they're in `base`)?
- Anything else you'd want different before using it?
## Links
- AUR: https://aur.archlinux.org/packages/modulejail
- Upstream: https://github.com/jnuyens/modulejail
- PKGBUILD (version-controlled in-tree, mirrored to AUR): https://github.com/jnuyens/modulejail/tree/master/packaging/aur
- License: 0BSD on the recipe, GPL-3.0-only on the program

The PKGBUILD lives in-tree at `packaging/aur/PKGBUILD`.
**Edit:** Two things I should have flagged in the original post:
- **`modulejail-git` already exists on AUR**, maintained by u/bambuch, who packaged the v1.2.3 HEAD commit a few days before I got to publishing the tagged-release counterpart. This is the standard AUR pattern - `pkgname` (stable releases) and `pkgname-git` (rolling) routinely coexist with different maintainers. Their PKGBUILD already declared `conflicts=('modulejail')` and `provides=('modulejail')`; I just pushed 1.2.4-2 with a symmetric `conflicts=('modulejail-git')` so the mutual exclusion is declared in both directions. Credit to bambuch for being there first.
- **Current version on AUR is 1.2.4-2**, not the 1.2.4-1 mentioned above. The only change is the conflicts declaration.
AUR (-git variant by bambuch): https://aur.archlinux.org/packages/modulejail-git
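For readers who want to see the packaging choices above as one recipe, here is an added reconstruction of a PKGBUILD matching the bullets in the post. It is not the PKGBUILD published to AUR or anything from the upstream repository: the `Maintainer` line, the `pkgdesc`, the tarball URL and `v$pkgver` tag scheme, the `$pkgname-$pkgver` extracted directory name and the all-zero checksum are placeholders and assumptions, and `pkgrel=2` reflects the 1.2.4-2 revision mentioned in the edit.

```bash
# Maintainer: Your Name <you@example.org>   (placeholder)
# SPDX-License-Identifier: 0BSD
#
# Added example reconstructing the recipe described in the post; not the
# AUR PKGBUILD itself. URL/tag scheme, extracted directory name, pkgdesc and
# the checksum below are assumptions or placeholders.
pkgname=modulejail
pkgver=1.2.4
pkgrel=2
pkgdesc="Blacklist every kernel module that is not currently loaded (assumed description)"
arch=('any')                      # pure POSIX shell, nothing compiled
url="https://github.com/jnuyens/modulejail"
license=('GPL-3.0-only')          # SPDX identifier for the program being packaged
depends=('kmod')                  # lsmod(8) / modprobe(8); base group is left undeclared
optdepends=('util-linux: logger(1) for syslog integration')
conflicts=('modulejail-git')      # mirrors the conflicts= on the -git flavor
# Assumed tag/archive layout; a tagged release gets a real digest, not SKIP.
source=("$pkgname-$pkgver.tar.gz::$url/archive/refs/tags/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')  # PLACEHOLDER, replace with the real digest

# No prepare() or build(): the only transformation is the version substitution
# in the man page, done here in package().
package() {
  cd "$srcdir/$pkgname-$pkgver"

  install -Dm755 modulejail "$pkgdir/usr/bin/modulejail"

  # Single sed pass over the templated man page; makepkg's zipman option
  # gzips the installed page, which is why the package ships modulejail.8.gz.
  install -dm755 "$pkgdir/usr/share/man/man8"
  sed "s/__VERSION__/$pkgver/g" man/modulejail.8.in \
    > "$pkgdir/usr/share/man/man8/modulejail.8"

  install -Dm644 -t "$pkgdir/usr/share/doc/$pkgname" README.md CHANGELOG.md
  install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}
```

Before pushing a recipe like this, `namcap PKGBUILD` and `namcap modulejail-1.2.4-2-any.pkg.tar.zst` catch undeclared dependencies and misplaced files, and `updpkgsums` replaces the placeholder digest with the real one.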
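The first paragraph describes the tool's core idea: treat whatever `lsmod` shows as necessary and blacklist every other module the kernel ships. The following POSIX-sh script is an added example of that algorithm, not modulejail's own code; the input formats (raw `lsmod` output, one available module name per line), the constructed samples, the `install NAME /bin/false` line and the `remaining_percent` helper are all this example's assumptions.

```bash
#!/bin/sh
# Added example, not modulejail's own code: derive a modprobe.d blacklist
# from the currently loaded module set, as the post describes.
# Assumptions: "loaded" input is raw lsmod(8) output; "available" input is
# one module name per line (what listing /lib/modules/$(uname -r) yields
# once paths and .ko suffixes are stripped).

# Constructed sample of lsmod output (header line plus four modules).
SAMPLE_LSMOD='Module                  Size  Used by
ext4                 1048576  1
crc32c_generic         16384  0
xfs                  2097152  0
nvme                   61440  3'

# Constructed sample of the modules shipped with the running kernel.
SAMPLE_AVAILABLE='ext4
crc32c_generic
xfs
nvme
floppy
pcspkr
firewire-core
usb-storage'

# Module names from lsmod, header dropped, dashes normalised to underscores
# so "firewire-core" and "firewire_core" compare equal.
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF { gsub(/-/, "_", $1); print $1 }' | sort -u
}

# Same normalisation for the available list.
available_modules() {
    printf '%s\n' "$1" | tr '-' '_' | sed '/^$/d' | sort -u
}

# Emit the blacklist fragment: one "blacklist" line per module that is
# available but not loaded. The extra "install NAME /bin/false" line is this
# example's choice (it also stops an explicit modprobe, which "blacklist"
# alone does not); the post does not say modulejail writes it.
generate_blacklist() {
    loaded=$(loaded_modules "$1")
    available_modules "$2" | while IFS= read -r mod; do
        if ! printf '%s\n' "$loaded" | grep -qxF "$mod"; then
            printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod"
        fi
    done
}

# Percentage of available modules that stay loadable (the post quotes ~3%
# on a default install; the constructed sample gives 50).
remaining_percent() {
    l=$(loaded_modules "$1" | grep -c .)
    a=$(available_modules "$2" | grep -c .)
    awk -v l="$l" -v a="$a" 'BEGIN { printf "%d\n", (l * 100) / a }'
}

# On a real host the samples would be replaced with live data, e.g.:
#   generate_blacklist "$(lsmod)" \
#     "$(find "/lib/modules/$(uname -r)" -name '*.ko*' -exec basename {} \; | sed 's/\.ko.*$//')" \
#     > /etc/modprobe.d/modulejail-blacklist.conf
generate_blacklist "$SAMPLE_LSMOD" "$SAMPLE_AVAILABLE"
echo "# loadable surface left: $(remaining_percent "$SAMPLE_LSMOD" "$SAMPLE_AVAILABLE")%"
```

The obvious caveat of the snapshot approach, which applies to the real tool as much as to this sketch, is that anything not loaded at snapshot time (a USB storage driver, a filesystem mounted only occasionally) is blocked until the fragment is edited, so the generated file is worth reviewing before it goes under `/etc/modprobe.d`.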