diff --git a/assets/coverage-badge.svg b/assets/coverage-badge.svg
index 2ed2e71..5a9d2fc 100644
--- a/assets/coverage-badge.svg
+++ b/assets/coverage-badge.svg
@@ -11,7 +11,7 @@
     <g fill="#fff" text-anchor="middle" font-family="DejaVu Sans,Verdana,Geneva,sans-serif" font-size="11">
         <text x="33.5" y="15" fill="#010101" fill-opacity=".3">coverage</text>
         <text x="33.5" y="14">coverage</text>
-        <text x="86" y="15" fill="#010101" fill-opacity=".3">15.9%</text>
-        <text x="86" y="14">15.9%</text>
+        <text x="86" y="15" fill="#010101" fill-opacity=".3">15.8%</text>
+        <text x="86" y="14">15.8%</text>
     </g>
 </svg>
diff --git a/info.go b/info.go
index ea17b9b..d316efe 100644
--- a/info.go
+++ b/info.go
@@ -81,7 +81,7 @@ func InfoCmd() *cli.Command {
 			return nil
 		}),
 		Action: func(c *cli.Context) error {
-			if err := utils.ExitIfCantDropCapsToAlrUser(); err != nil {
+			if err := utils.ExitIfCantDropCapsToAlrUserNoPrivs(); err != nil {
 				return err
 			}
 
diff --git a/install.go b/install.go
index 8c466c1..f056760 100644
--- a/install.go
+++ b/install.go
@@ -51,6 +51,10 @@ func InstallCmd() *cli.Command {
 				return err
 			}
 
+			if err := utils.ExitIfCantDropCapsToAlrUser(); err != nil {
+				return err
+			}
+
 			ctx := c.Context
 
 			args := c.Args()
@@ -62,7 +66,7 @@ func InstallCmd() *cli.Command {
 				New(ctx).
 				WithConfig().
 				WithDB().
-				WithReposNoPull().
+				WithRepos().
 				WithDistroInfo().
 				WithManager().
 				Build()
@@ -81,12 +85,6 @@ func InstallCmd() *cli.Command {
 			}
 			defer cleanup()
 
-			if deps.Cfg.AutoPull() {
-				if err := deps.Repos.Pull(ctx, deps.Cfg.Repos()); err != nil {
-					return cliutils.FormatCliExit(gotext.Get("Error pulling repositories"), err)
-				}
-			}
-
 			err = builder.InstallPkgs(
 				ctx,
 				&build.BuildArgs{
diff --git a/internal.go b/internal.go
index b6646f5..3510cc2 100644
--- a/internal.go
+++ b/internal.go
@@ -92,7 +92,7 @@ func InternalInstallCmd() *cli.Command {
 		Action: func(c *cli.Context) error {
 			logger.SetupForGoPlugin()
 
-			if err := utils.EnuseIsAlrUser(); err != nil {
+			if err := utils.EnsureIsAlrUser(); err != nil {
 				return err
 			}
 
@@ -127,7 +127,6 @@ func InternalInstallCmd() *cli.Command {
 				Plugins: map[string]plugin.Plugin{
 					"installer": &build.InstallerPlugin{
 						Impl: build.NewInstaller(
-							deps.Repos,
 							manager.Detect(),
 						),
 					},
diff --git a/internal/translations/default.pot b/internal/translations/default.pot
index 9f0bc9b..843f2d2 100644
--- a/internal/translations/default.pot
+++ b/internal/translations/default.pot
@@ -154,35 +154,31 @@ msgstr ""
 msgid "Install a new package"
 msgstr ""
 
-#: install.go:58
+#: install.go:62
 msgid "Command install expected at least 1 argument, got %d"
 msgstr ""
 
-#: install.go:86
-msgid "Error pulling repositories"
-msgstr ""
-
-#: install.go:103
+#: install.go:101
 msgid "Error parsing os release"
 msgstr ""
 
-#: install.go:148
+#: install.go:146
 msgid "Remove an installed package"
 msgstr ""
 
-#: install.go:166 install.go:216
+#: install.go:164 install.go:214
 msgid "Unable to detect a supported package manager on the system"
 msgstr ""
 
-#: install.go:170
+#: install.go:168
 msgid "Error listing installed packages"
 msgstr ""
 
-#: install.go:211
+#: install.go:209
 msgid "Command remove expected at least 1 argument, got %d"
 msgstr ""
 
-#: install.go:224
+#: install.go:222
 msgid "Error removing packages"
 msgstr ""
 
@@ -194,6 +190,10 @@ msgstr ""
 msgid "Error initialization database"
 msgstr ""
 
+#: internal/cliutils/app_builder/builder.go:135
+msgid "Error pulling repositories"
+msgstr ""
+
 #: internal/cliutils/prompt.go:60
 msgid "Would you like to view the build script for %s"
 msgstr ""
@@ -311,15 +311,15 @@ msgstr ""
 msgid "ERROR"
 msgstr ""
 
-#: internal/utils/cmd.go:79
+#: internal/utils/cmd.go:83
 msgid "Error dropping capabilities"
 msgstr ""
 
-#: internal/utils/cmd.go:86
+#: internal/utils/cmd.go:103
 msgid "You need to be root to perform this action"
 msgstr ""
 
-#: internal/utils/cmd.go:128
+#: internal/utils/cmd.go:145
 msgid "You need to be a %s member to perform this action"
 msgstr ""
 
diff --git a/internal/translations/po/ru/default.po b/internal/translations/po/ru/default.po
index 5e34b97..e2304db 100644
--- a/internal/translations/po/ru/default.po
+++ b/internal/translations/po/ru/default.po
@@ -167,35 +167,31 @@ msgstr "Ошибка кодирования переменных скрита"
 msgid "Install a new package"
 msgstr "Установить новый пакет"
 
-#: install.go:58
+#: install.go:62
 msgid "Command install expected at least 1 argument, got %d"
 msgstr "Для команды install ожидался хотя бы 1 аргумент, получено %d"
 
-#: install.go:86
-msgid "Error pulling repositories"
-msgstr "Ошибка при извлечении репозиториев"
-
-#: install.go:103
+#: install.go:101
 msgid "Error parsing os release"
 msgstr "Ошибка при разборе файла выпуска операционной системы"
 
-#: install.go:148
+#: install.go:146
 msgid "Remove an installed package"
 msgstr "Удалить установленный пакет"
 
-#: install.go:166 install.go:216
+#: install.go:164 install.go:214
 msgid "Unable to detect a supported package manager on the system"
 msgstr "Не удалось обнаружить поддерживаемый менеджер пакетов в системе"
 
-#: install.go:170
+#: install.go:168
 msgid "Error listing installed packages"
 msgstr "Ошибка при составлении списка установленных пакетов"
 
-#: install.go:211
+#: install.go:209
 msgid "Command remove expected at least 1 argument, got %d"
 msgstr "Для команды remove ожидался хотя бы 1 аргумент, получено %d"
 
-#: install.go:224
+#: install.go:222
 msgid "Error removing packages"
 msgstr "Ошибка при удалении пакетов"
 
@@ -208,6 +204,10 @@ msgstr "Ошибка при кодировании конфигурации"
 msgid "Error initialization database"
 msgstr "Ошибка инициализации базы данных"
 
+#: internal/cliutils/app_builder/builder.go:135
+msgid "Error pulling repositories"
+msgstr "Ошибка при извлечении репозиториев"
+
 #: internal/cliutils/prompt.go:60
 msgid "Would you like to view the build script for %s"
 msgstr "Показать скрипт для пакета %s"
@@ -326,16 +326,16 @@ msgstr "%s %s загружается — %s/с\n"
 msgid "ERROR"
 msgstr "ОШИБКА"
 
-#: internal/utils/cmd.go:79
+#: internal/utils/cmd.go:83
 #, fuzzy
 msgid "Error dropping capabilities"
 msgstr "Ошибка при открытии базы данных"
 
-#: internal/utils/cmd.go:86
+#: internal/utils/cmd.go:103
 msgid "You need to be root to perform this action"
 msgstr ""
 
-#: internal/utils/cmd.go:128
+#: internal/utils/cmd.go:145
 msgid "You need to be a %s member to perform this action"
 msgstr ""
 
diff --git a/internal/utils/cmd.go b/internal/utils/cmd.go
index 988afcc..d217561 100644
--- a/internal/utils/cmd.go
+++ b/internal/utils/cmd.go
@@ -70,9 +70,13 @@ func DropCapsToAlrUser() error {
 	if err != nil {
 		return err
 	}
-	return EnuseIsAlrUser()
+	return EnsureIsAlrUser()
 }
 
+// ExitIfCantDropCapsToAlrUser attempts to drop capabilities to the already
+// running user. Returns a cli.ExitCoder with an error if the operation fails.
+// See also [ExitIfCantDropCapsToAlrUserNoPrivs] for a version that also applies
+// no-new-privs.
 func ExitIfCantDropCapsToAlrUser() cli.ExitCoder {
 	err := DropCapsToAlrUser()
 	if err != nil {
@@ -81,6 +85,19 @@ func ExitIfCantDropCapsToAlrUser() cli.ExitCoder {
 	return nil
 }
 
+// ExitIfCantDropCapsToAlrUserNoPrivs combines [ExitIfCantDropCapsToAlrUser] with [NoNewPrivs]
+func ExitIfCantDropCapsToAlrUserNoPrivs() cli.ExitCoder {
+	if err := ExitIfCantDropCapsToAlrUser(); err != nil {
+		return err
+	}
+
+	if err := NoNewPrivs(); err != nil {
+		return cliutils.FormatCliExit("error no new privs", err)
+	}
+
+	return nil
+}
+
 func ExitIfNotRoot() error {
 	if os.Getuid() != 0 {
 		return cli.Exit(gotext.Get("You need to be root to perform this action"), 1)
@@ -88,7 +105,7 @@ func ExitIfNotRoot() error {
 	return nil
 }
 
-func EnuseIsAlrUser() error {
+func EnsureIsAlrUser() error {
 	uid, gid, err := GetUidGidAlrUser()
 	if err != nil {
 		return err
diff --git a/pkg/build/installer.go b/pkg/build/installer.go
index 95d23fb..d4e86ad 100644
--- a/pkg/build/installer.go
+++ b/pkg/build/installer.go
@@ -20,20 +20,13 @@ import (
 	"gitea.plemya-x.ru/Plemya-x/ALR/pkg/manager"
 )
 
-func NewInstaller(
-	repos PackageFinder,
-	mgr manager.Manager,
-) *Installer {
+func NewInstaller(mgr manager.Manager) *Installer {
 	return &Installer{
-		repos: repos,
-		mgr:   mgr,
+		mgr: mgr,
 	}
 }
 
-type Installer struct {
-	repos PackageFinder
-	mgr   manager.Manager
-}
+type Installer struct{ mgr manager.Manager }
 
 func (i *Installer) InstallLocal(paths []string) error {
 	return i.mgr.InstallLocal(nil, paths...)
diff --git a/pkg/build/safe_installer.go b/pkg/build/safe_installer.go
index bf1ffd9..445a022 100644
--- a/pkg/build/safe_installer.go
+++ b/pkg/build/safe_installer.go
@@ -91,18 +91,19 @@ func GetSafeInstaller() (InstallerExecutor, func(), error) {
 		return nil, nil, err
 	}
 	cmd := exec.Command(executable, "_internal-installer")
-	cmd.Env = append(os.Environ(),
+	cmd.Env = []string{
 		"HOME=/var/cache/alr",
 		"LOGNAME=alr",
 		"USER=alr",
 		"PATH=/usr/bin:/bin:/usr/local/bin",
 		"ALR_LOG_LEVEL=DEBUG",
-		"XDG_SESSION_CLASS=user",
-	)
+	}
+
 	uid, gid, err := utils.GetUidGidAlrUser()
 	if err != nil {
 		return nil, nil, err
 	}
+
 	cmd.SysProcAttr = &syscall.SysProcAttr{
 		Credential: &syscall.Credential{
 			Uid: uint32(uid),
diff --git a/pkg/build/safe.go b/pkg/build/safe_script_executor.go
similarity index 100%
rename from pkg/build/safe.go
rename to pkg/build/safe_script_executor.go