The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.

  • gravitas_deficiency@sh.itjust.works · 32 up / 2 down · 20 hours ago

    So:

    • yes, that’s pretty sketchy
    • this is also AFAIK the first major distro that it’s been a part of as a stock install, so this is the first exposure at scale that the project has had; as unfortunate as it is, it can be argued that this might fall under “teething issues”
    • with that said, it sounds like the rust coreutils people need to step up their game in terms of thinking in and testing for adversarial contexts. Normal test cases do not cut it when you’re dealing with stuff like sudo - it needs to be put through the wringer.
    • BB_C@programming.dev · 11 up / 2 down · 9 hours ago

      sudo is NOT a part of coreutils. Anyone with basic *nix knowledge would have known this.

      sudo-rs, as expected, is also NOT a part of uutils. And the projects happen to be very different in many aspects. uutils started from scratch as a hobby side-project, and it was developed from the start in idiomatic Rust. It can’t directly take anything from the GNU implementation anyway, as explained in their README. sudo-rs however is a funded effort to translate some C projects into Rust with as little unsafe{} as possible. Some of the code was directly translated from the original implementation. And if you look at the code in general, you will see that it’s rather low-level and looks more like C than Rust in many parts. Some of this is arguably necessary given the nature of sudo functionality, but not all of it.

      Both projects do share the fact that they probably didn’t push for distros, Ubuntu or anyone else, to switch to either of them by default already, and both were probably surprised it happened this soon.

      And yes, this exposure, negative as it may seem for now, is an unavoidable “teething” period, and it’s going to be of great benefit to both projects in the long run. Hopefully, Ubuntu users living on the edge won’t face too much trouble meanwhile.

      (I don’t use Ubuntu, but have been using sudo-rs by default for months.)

      • gravitas_deficiency@sh.itjust.works · 1 up · 5 hours ago

        Pardon me for being less intimately familiar with the project - but my point still stands, in terms of test focus. And yes, of course I know bugs are inevitable - I’ve been writing them for damn near two decades at this point.

    • just_another_person@lemmy.world · 30 up / 1 down · 19 hours ago

      Gonna say what I said so many times, and even a few times in this comment section.

      ALL.software.has.bugs.

      The language doesn’t matter. AI doesn’t matter. Testing doesn’t matter. Every single piece of software will be vulnerable to something eventually.

      Staying on top of it is the best you can do.