Sudo is being actively developed and has several fairly recent CVEs, some of which are memory issues (at least recent compared to how old sudo is). Apart from being memory safe, Rust is also better at error handling than C.
IMO best would be to reduce attack surface by using a memory safe language and also reducing complex features like OpenBSD’s doas does.
https://www.cvedetails.com/vulnerability-list/vendor_id-15714/Sudo-Project.html?page=1&order=3
Well that’s the thing that I don’t see communicated. Is it actively developed? Bug fixes don’t count; that’s maintenance, not active development. If I’m just doing maintenance then there must be a lot of issues to warrant a rewrite, especially in a different language.
From what I keep seeing, it looks like a rewrite for the sake of rewriting, which is at best misguided reasoning.
I can see an argument that the cost of failure is very high with something like sudo, but I don’t see it vocalized anywhere.
I would say yes, it is developed; this is more than just bug fixes: https://github.com/sudo-project/sudo/releases
No huge changes of course, but the big CVE from July was only introduced 2 years ago.
My biggest question is, why is something like sudo still developed and not finished and in maintenance mode?