Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Here’s an interesting report from Google about rust vs C++ in Android: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1