Instead of making the tup process setuid root, just have a small chroot helper that is setuid and shell out to that. That way the entire tup codebase doesn't have to be trusted as root.
It still requires root for installation, but you can basically solve the security problem.
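A sketch of the helper described in the comment above, added here as an example and not taken from tup's code: it does the one privileged step (chroot), permanently drops root, then execs the requested program. The names drop_privileges and enter_and_exec are hypothetical, and the helper is assumed to be installed setuid root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() in glibc under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up the setuid-root identity. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is dropped we may no longer change it. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* With euid 0, setuid() also resets the saved uid, so regaining root
       must now fail. Skip the check when the caller really is root. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* chroot into dir, drop root, then exec argv[0] inside the new root. */
int enter_and_exec(const char *dir, char *const argv[])
{
    /* Validate before touching any privileged call. */
    if (dir == NULL || dir[0] != '/' || argv == NULL || argv[0] == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* chdir("/") so the working directory is not left outside the new root. */
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    /* The real ids are those of the invoking, unprivileged user. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return -1;
    execv(argv[0], argv);   /* returns only on failure */
    return -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <absolute-root-dir> <program> [args...]\n", argv[0]);
        return 2;
    }
    enter_and_exec(argv[1], &argv[2]);
    perror("chroot-helper");
    return 1;
}
```

Whoever can run the helper chooses the new root, so a deployment would also restrict the directory argument to trees the build system owns.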