The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.
The Rust hype is funny because it is completely based on the fact that a leading cause of security vulnerabilities for all of these mature and secure projects is memory bugs, which is very true, but it completely fails to see that this is the leading cause because these are really mature projects that have highly skilled developers fixing so much shit.
So you get these new Rust projects that are sometimes made by people that don’t have the same experience as these C/C++ devs, and they are so confident in the memory safety that they forget about the much simpler security issues.
Cant tell you how many times Ive heard about curl getting re-written. Same deal.
Surely a direct stream from the internet straight onto host hardware can’t be exploited in any way. All you gotta do is put the stream in a file. How hard could it be? (/s)
Tbh that specific case probably wouldn’t be a big deal. It’s all the extra processing curl can do for http requests and the like that’d be more dangerous to rewrite I’d think.
The most relevant part of the curl project is the library, not the CLI tool. And its biggest advantages in addition to universal availability is support for many protocols other than HTTP, flexible interface(s), two useful well-documented and largely stable APIs (one wraps the other for easy use), multiple TLS/SSL back-end support, and finally, the complete(ish) HTTP protocol support. But that last one alone is not that big of a deal.
libcurl’s implementation even uses external libraries for both HTTP2 and HTTP3 for framing. It uses an external library for QUIC transport support too. Meanwhile, many other independent language implementations for HTTP exist that range from serviceable to complete. Be it Python, Go, Rust, or many others, you usually get a “native” option you could/should use. Gone are the days of bad old PHP. Hell, even some WIP languages add usable native implementations sometimes as a part of their standard libraries, likeinko.Within the Rust ecosystem, you’re fully covered by
hyper. Even very obscure HTTP features like obsolete HTTP1 multi-line headers are supported (you have to enable this one explicitly). And I only know this because I had the fortunate circumstance of coming across a server that used these (It was an educational, if interesting, couple of afternoon hours).