Isn't the whole point of FOSS software that anyone can fork it?
The article points out that sudo has already been forked by Ubuntu maintainer canonical into sudo-rs which reimplements sudo in rust with better memory protections. It also states that the maintainer of sudo expects sudo-rs to be the future of sudo.
You can fork it. Are you gonna maintain your fork? Is your fork going to be adopted by the majority of distributions?
Following publication, Miller has been in touch to tell us that he has no plans to abandon sudo, or even hand it off, but he suspects change is still on the horizon for the essential tool.
"While I don't expect to maintain sudo for an additional 30 years, I also don't currently have someone to pass the torch to," Miller told us. He noted that the xz utils backdoor has made him hesitant to hand it off to someone he doesn't know, and that he "feels responsible for sudo" after having spent so long as its lead dev and maintainer.
Unfortunately, a lack of financial backing means sudo work has ground to a glacial pace.
"Since I have limited time I've mostly been focused on fixing bugs and cleaning up the code base rather than adding new features," Miller said. "As a result the amount of time I spend is heavily influenced by the bug reports I receive."
Funding or not, Miller expects sudo-rs to become the next generation of the tool in coming years.
"Ubuntu is already shipping sudo-rs as the default sudo command in their latest versions," Miller told us. "I've been in contact with the people working on sudo-rs since the project started and I trust them to do right by the sudo user base."
Regardless of what happens, Miller agrees the sudo situation he's in is yet another example of how open-source maintainers is putting the entire computing community in a bind.
"Without some form of assistance it is untenable," Miller said. "Maintainer burn-out is real."
Excuse me, but how isn't this a core feature, or do I think too complicated?
Because there are lots of alternatives.
Having to install sudo on Arch manually is one thing that made me use endeavourOS (besides having yay and DE preinstalled)
One does not simply maintain sudo (lotrmeme.jpg)
imagine if he said fuck it and turned sudo into a crypto mining malware
To be honest, it wouldn't take much for distro maintainers to detect that and stop it
But who is seriously looking at the sudo code at every update. I would bet a lot of money that the vast majority simply trust him and gloss over it maximum.
The chain of trust has to exist otherwise distrobox maintainers would spend 24 hours a day reviewing code changes and only update once every 6 months.
You may want to look into how the xz backdoor has been discovered. That backdoor was very well hidden. Implementing a crypto mining malware would be blatantly obvious and yes, people do in fact look at such code
That was scary. I had the bad version on my computer for a bit.
Yes, but people are forgetting how it was discovered.
It was discovered because there was a visible performance impact by running benchmark tests on other, time-critical software.
Do you know how it was not discovered? By maintainers looking through changes of the software and looking through the code, exactly the way that the commenter and you and others are saying things would be caught.
If the attacker hadn't been so eager and only set it to start working after a time delay a year later or multiple updates later? It would have infected almost every server in the world, even if it got noticed immediately, it would have been a giant problem that would have reaped the benefits for the malicious party before it could be regressed and changed.
Funding or not, Miller expects sudo-rs to become the next generation of the tool in coming years.
"Ubuntu is already shipping sudo-rs as the default sudo command in their latest versions," Miller told us. "I've been in contact with the people working on sudo-rs since the project started and I trust them to do right by the sudo user base."
Projects don't last forever, and when they inevitably end, it's an opportunity to switch to something newer and hopefully better. Sudo coming to an end, if it does, will just force people onto alternatives.
Being open source, sudo will always exist, whether someone else wants to maintain it, fork it, use it as-is, or just reference it. It's because it's open source that it can serve a purpose even beyond its EOL.
Anyway, sudo's not dead yet, so there's still plenty of time for people to look at what's out there. Some distros have already moved to, or are considering moving to, alternatives like sudo-rs, so I'd expect that to continue.
That Ubuntu unity article where the maintainer was a 10 year old when he started the project but now has shit to do is pretty funny.
It’s been 12 years since Heartbleed and we’ve had numerous ”lone maintainer” issues since then. The situation shouldn’t come as a surprise or be especially ”hard to believe”.
This is the state of free software, especially when it matures.
Unless the creators manage to roll some kind of ”commercial” version, it’s not very sustainable in the long run. Turns out many eyes don’t really equal many PRs
This is the state of free software, especially when it matures.
The state of free software also includes the fact that even if the sudo maintainer doesn't find support, no one steps up and sudo becomes unmaintained, sudo-rs, doas, opendoas, run0 and please already exist as alternatives.
hang on, there's one called please? Are there any downsides with using please instead of sudo?
It promotes familiarity with the machine which is best to avoid. Except of course if the machine uprising happens, then it would be in you favour to have been using it for years.
From what I can see, it's a sudo clone with added optional regex functionality, written in Rust.
So you can use it just like sudo, or you can limit superuser rights to directory names that contain a 💩 emoji, but only on Mondays.
Interesting. I just found out that you can just use alias to use please instead of sudo which is cool!
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Follow the wormhole through a path of communities !webdev@programming.dev