Sudo is being actively developed and has several fairly recent CVEs, some of which are memory issues (at least recent compared to how old sudo is). Apart from being memory safe rust is also better at error handling than C.
IMO best would be to reduce attack surface by using a memory safe language and also reducing complex features like OpenBSD’s doas does.
Well that’s the thing that I don’t see communicated. Is it actively developed? Bug fixes doesn’t count, it’s maintenance not active development. If I’m just doing maintenance then there must be a lot of issues to warrant a rewrite, especially in a different language.
Form what I keep seeing it looks like a rewrite for the sake of rewriting, which is at best misguided reasoning.
I can see an argument that the cost of failure is very high with something like sudo, but I don’t see it vocalized anywhere.
Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Sudo is being actively developed and has several fairly recent CVEs, some of which are memory issues (at least recent compared to how old sudo is). Apart from being memory safe rust is also better at error handling than C.
IMO best would be to reduce attack surface by using a memory safe language and also reducing complex features like OpenBSD’s doas does.
https://www.cvedetails.com/vulnerability-list/vendor_id-15714/Sudo-Project.html?page=1&order=3
Well that’s the thing that I don’t see communicated. Is it actively developed? Bug fixes doesn’t count, it’s maintenance not active development. If I’m just doing maintenance then there must be a lot of issues to warrant a rewrite, especially in a different language.
Form what I keep seeing it looks like a rewrite for the sake of rewriting, which is at best misguided reasoning.
I can see an argument that the cost of failure is very high with something like sudo, but I don’t see it vocalized anywhere.
I would say yes is it developed, this is more than just big fixes : https://github.com/sudo-project/sudo/releases
No huge changes of course, but the big CVE from July was only introduced 2 years ago.
My biggest question is, why is something like sudo still developed and not finished and in maintenance mode?
Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Here’s an interesting report from Google about rust vs C++ in Android: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1