It’s hard to imagine something as fundamental to computing as the sudo command becoming abandonware, yet here we are: its solitary maintainer is asking for help to keep the project alive.
Isn’t the whole point of FOSS software that anyone can fork it?
The article points out that sudo has already been forked by Ubuntu maintainer canonical into sudo-rs which reimplements sudo in rust with better memory protections. It also states that the maintainer of sudo expects sudo-rs to be the future of sudo.
You can fork it. Are you gonna maintain your fork? Is your fork going to be adopted by the majority of distributions?
Following publication, Miller has been in touch to tell us that he has no plans to abandon sudo, or even hand it off, but he suspects change is still on the horizon for the essential tool.
“While I don’t expect to maintain sudo for an additional 30 years, I also don’t currently have someone to pass the torch to,” Miller told us. He noted that the xz utils backdoor has made him hesitant to hand it off to someone he doesn’t know, and that he “feels responsible for sudo” after having spent so long as its lead dev and maintainer.
Unfortunately, a lack of financial backing means sudo work has ground to a glacial pace.
“Since I have limited time I’ve mostly been focused on fixing bugs and cleaning up the code base rather than adding new features,” Miller said. “As a result the amount of time I spend is heavily influenced by the bug reports I receive.”
Funding or not, Miller expects sudo-rs to become the next generation of the tool in coming years.
“Ubuntu is already shipping sudo-rs as the default sudo command in their latest versions,” Miller told us. “I’ve been in contact with the people working on sudo-rs since the project started and I trust them to do right by the sudo user base.”
Regardless of what happens, Miller agrees the sudo situation he’s in is yet another example of how open-source maintainers is putting the entire computing community in a bind.
“Without some form of assistance it is untenable,” Miller said. “Maintainer burn-out is real.”
Excuse me, but how isn’t this a core feature, or do I think too complicated?
Having to install sudo on Arch manually is one thing that made me use endeavourOS (besides having yay and DE preinstalled)
One does not simply maintain sudo (lotrmeme.jpg)
Or get this: Linux is perfect as it is, so are current PC’s.
Ship it pre-installed on shovelware PC’s, you don’t need better.
Funding or not, Miller expects sudo-rs to become the next generation of the tool in coming years.
“Ubuntu is already shipping sudo-rs as the default sudo command in their latest versions,” Miller told us. “I’ve been in contact with the people working on sudo-rs since the project started and I trust them to do right by the sudo user base.”
Projects don’t last forever, and when they inevitably end, it’s an opportunity to switch to something newer and hopefully better. Sudo coming to an end, if it does, will just force people onto alternatives.
Being open source, sudo will always exist, whether someone else wants to maintain it, fork it, use it as-is, or just reference it. It’s because it’s open source that it can serve a purpose even beyond its EOL.
Anyway, sudo’s not dead yet, so there’s still plenty of time for people to look at what’s out there. Some distros have already moved to, or are considering moving to, alternatives like
sudo-rs, so I’d expect that to continue.sudo-rs might never be adopted as a default in many distros precisely because it’s in rust. or rust adoption gets better and better to the point that it runs everywhere.
Rust shouldn’t be an issue IMO. Any rust libraries used are statically linked, only the good ol’ C and C++ (if any) libraries it depends on would have to be dependencies to the package. So it should theoretically offer fewer issues with dependencies than the original sudo.
What I was saying was: Rust doesn’t support all the targets C does
Technically yes, but all the common ones are covered. I don’t think any mainstream distros support anything so exotic that Rust doesn’t compile for it. Gentoo supports Alpha and HPPA which haven’t been around since the 90s, those are the only architectures that Gentoo has sudo packages for, that Rust doesn’t support. Your run of the mill distros don’t support anything this exotic. Common everyday architectures we see all the time in our daily lives like SPARC, PowerPC or RISC-V are supported.
Actually it’s because of the licence
I would love sudo-rs to be GPL but that’s orthogonal to the fact of it being bundled in distros. It’s still FOSS
Absolutely. Rust is great. The license change is terrible.
It doesn’t have to be. There are multiple sudo alternatives.
Yeah, but the quote is about sudo-rs
deleted by creator
imagine if he said fuck it and turned sudo into a crypto mining malware
To be honest, it wouldn’t take much for distro maintainers to detect that and stop it
But who is seriously looking at the sudo code at every update. I would bet a lot of money that the vast majority simply trust him and gloss over it maximum.
The chain of trust has to exist otherwise distrobox maintainers would spend 24 hours a day reviewing code changes and only update once every 6 months.
You may want to look into how the xz backdoor has been discovered. That backdoor was very well hidden. Implementing a crypto mining malware would be blatantly obvious and yes, people do in fact look at such code
Yes, but people are forgetting how it was discovered.
It was discovered because there was a visible performance impact by running benchmark tests on other, time-critical software.
Do you know how it was not discovered? By maintainers looking through changes of the software and looking through the code, exactly the way that the commenter and you and others are saying things would be caught.
If the attacker hadn’t been so eager and only set it to start working after a time delay a year later or multiple updates later? It would have infected almost every server in the world, even if it got noticed immediately, it would have been a giant problem that would have reaped the benefits for the malicious party before it could be regressed and changed.
$udosudo rm $(which sudo)Lulz would be had.
That Ubuntu unity article where the maintainer was a 10 year old when he started the project but now has shit to do is pretty funny.
Please link article thanks
This has been depressing for a while now. I’m a big Unity fan and I’m concerned about the future.
“Maybe someone could teach us how things are done so that we can take it over in time,” Adamietz added.
Wasn’t any of this documented anywhere? And who are these other team members they interviewed? How is it they don’t know how to write code? Are they just manual testers or something?
I’d try to help myself if there was some decent documentation on where to begin. But if it’s all in this kids head, we might be kinda fucked.
To me I tried to add people to my unity project and they were unable to actually boot it up and that angered me enough to go godot
It’s been 12 years since Heartbleed and we’ve had numerous ”lone maintainer” issues since then. The situation shouldn’t come as a surprise or be especially ”hard to believe”.
This is the state of free software, especially when it matures.
Unless the creators manage to roll some kind of ”commercial” version, it’s not very sustainable in the long run. Turns out many eyes don’t really equal many PRs
This is the state of free software, especially when it matures.
The state of free software also includes the fact that even if the
sudomaintainer doesn’t find support, no one steps up andsudobecomes unmaintained,sudo-rs,doas,opendoas,run0andpleasealready exist as alternatives.hang on, there’s one called please? Are there any downsides with using please instead of sudo?
It promotes familiarity with the machine which is best to avoid. Except of course if the machine uprising happens, then it would be in you favour to have been using it for years.
From what I can see, it’s a sudo clone with added optional regex functionality, written in Rust.
So you can use it just like sudo, or you can limit superuser rights to directory names that contain a 💩 emoji, but only on Mondays.Interesting. I just found out that you can just use alias to use please instead of sudo which is cool!
and let’s not forget - systemd, which has RedHat money backing it up.
Hope you don’t see who pays for kernel development…
Why? I’m not against developers getting paid to do FOSS work. It’s far more reasonable than the whole “bazaar of free people”-model that lives entirely on ideology.
In my experience a lot of these old projects really go out of their way to dissuade contributions anyway. Lots of naysaying “it’s always been like that”, ancient infrastructure - e.g. insisting on
git send-emailpatches, etc.Usually the only way it gets resolved is when someone writes a more modern competitor and it starts gaining traction. Suddenly all those improvements that people tried to do and were told were impossible and stupid aren’t such a bad idea after all.
I don’t think that’s the case with Unity but it probably is with things like GCC, sudo, sysvinit, X11, etc.
I think that’s at least a big part of it. There’s so much unnecessary friction in legacy projects that, while understandable to a degree, sucks.
Don’t tap Jia Tan…
It reminds me somehow on the famous xkcd webcomic: https://xkcd.com/2347
Edit for an addition: Maybe it’s also a reminder that we should frequently donate when we use FOSS.
That’s what I thought of too. I was like “Oh, is he that guy in Nebraska I’ve been hearing about?”
Of those who regularly donate (or think of donating) to FOSS projects, how many of them would’ve even had
sudocross their mind as a potential recipient for those donations?<username> is not in the donors file. This incident will be reported.
Also relevant:
Nope none of this crap
gtfo with that alt-reich slop
This isn’t relevant to anything in this thread. At all.
deleted by creator
Really? You want to post slop on Lemmy? That’s what went through your brain? That’s what you considered a good enough idea that you’d execute it?
Not just AI slop but a right wing dog whistle as AI slop.
And also… Completely irrelevant to the discussion. What’s the connection?
It’s not a dog whistle when its meaning is plainly and purposefully obvious.
Pretty sure the usage of an ai generated meme makes you one of the weak
The third frame here needs to be the same businessman in increasingly more fancy suits or gold or other gaudy-ass shit.
Yeah, the transition from the third frame to the fourth frame just doesn’t make sense as currently depicted; why would people playing video games suddenly start to revolt?
However, if the third frame were to depict rich men getting richer as you suggest, then the revolt in the fourth frame would make more sense.
You’re putting way too much thought into analyzing AI slop
damnit it got mee tooooooooooooo
i not looking at anything but darkwing duck from now on
I can get with that. More darkwing duck, less beans
According to the above Robert Manner and AZero13 also have one contribution each. There’s also the https://opencollective.com/sudo-project which has a board.
If Todd wants to pass off the project he has all the resources to do this.
Join us. Use doas.
Still a setuid bin. 🥺
I might be wrong but I think run0 (for systemd users) solves that
No. I just use the default on my system. Hopefully sudo-rs will become the default.
Just waiting for another xz utils situation
The fact that the FOSS model is still considered the best thing ever is so sad to me. The “free” part is clearly not working. Or rather it is working as is now intended: free labour for the private sector to exploit.
The Telekommunist Manifesto for the longer version of this 🙃
The “free” part is clearly not working. Or rather it is working as is now intended: free labour for the private sector to exploit.
I remember seeing a thread about redis on r/linux where lots and lots of people were basically defending Amazon as if from an anarcho-capitalist position. This confused me as I always saw foss (and foss users) as leaning socialist and anti-corporate.
I spoke to someone about that and they linked me this article (and the article linked in the first sentence) which really opened my eyes.
The TL;Dr is basically:
FOSS is not socialist. The free software movement is right-libertarian / “anarcho”-capitalist, and the open source movement is neoliberal; neither of these is even particularly close to socialism.
Wow, super based article! Thanks for it, I will also look at other articles from the author :D
How is the free part not working? FOSS is the cure of the industry. Or do you think Adobe and Microsoft is working that great? Imagine if we didn’t have FOSS…
I don’t deny its great contributions to the public and free culture, but I think it has become insufficient. The industry abuses it as much as it can, so I believe the only way to defend ourself is to migrate to a copyfarleft licensing model. With it, we can keep the same openness and freedom for the commons, but force the private sector to choose: either pay for our work, or fuck off.
Funny, you are using with lemmy something for free, which is to some extent in the spirit of FOSS.
“Haha funny you use a phone and buy things yet you are anticapitalist haha” ahh argument
The copyfarleft licenses are not incompatible with the spirit of FOSS, they work exactly the same for the people, the only difference is that companies can either fuck off or pay
Yes the CopyLeft licences is the epitome of FOSS spirit
I’m not so sure the “open source” part is working either when you think about how AI tools were trained.
It’s really sad, because the accessibility of developing software and collaborative nature of the open source community is a big part of what drew me to software engineering as a career, and it’s always been one of the first things I mention about why I love it. But, of course, these fucking evil companies found a way to take every individual part of something good and twist it into something awful.
FOSS will always be incompatible with capitalism. There is no incentive for the capitalist class to pay for the open source they consume.
Wrong. In example Valve is putting money and work into FOSS. AND they make money of it and rely on it. Even Microsoft does contribute to Open Source, believe it or not, even is one of the top sponsors for Linux.
The pittance that most of these companies do contribute is in no way a fair share of the profits they reap from using FOSS.
Valve is an exception to the rule.
You’re arguing that the factory owner giving a few bucks to someone who produced a tool that improved productivity of the factory is somehow a just compensation.
There has been the “4opens” criteria, that has been more on point than free/libre/open source.
In hindsight, defeating corporate and AI piggery might have needed single-maintainer closed source with open protocols. Software components? Maybe it would have led to the compound document model instead of the app model, architecturally enforcing openness.
