The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.

  • EnEnCode@programming.dev

    Better than I could have ever put it. But to add my own thoughts, sudo-rs does not gain value just by being in Rust.

    1. It’s a more lean sudo with compatibility for common flags while intentionally not implementing niche/legacy options, including the one used by CVE-2025-32463, though if I did not need any of those flags at all, I would (and in the past, have) just use opendoas.
    2. The project contains extensive testing and a harness versatile enough to also test the OG sudo and has caught regressions in it. The rewrite wanting parity with sudo’s behavior has improved the original sudo; you can gain its benefits even if you won’t/don’t/can’t run it. This is the main reason uutils hasn’t convinced me of its worth yet.
    3. Having more eyes on sudo is just good. By translating it, they have to understand many of sudo’s poorly-documented idiosyncrasies and review all its relevant code and consider potential edge-cases. That’s basically an audit.