• towerful@programming.dev
    1 day ago

    The issue is big companies.
    Google/Amazon/Microsoft can now fork sudo-rs and not have to upstream their changes.
    So then Google fixes an exploit for their sudo-rs implementation (or whatever software) and patch it under a different licence. Now the upstream, Amazon and Microsoft forks don’t know if that exploit is also in their implementation, is related to their implementation, or how to potentially fix it.

    The only way it works is if sudo-rs is implementing new features in a way that benefits Google/Amazon/Microsoft to contribute back to upstream so they don’t have to keep merging/fixing their exploit code.

    For something as stable as sudo, it actually benefits Google/Microsoft/Amazon NOT to share their changes.
    If they are rolling and recommending their own distros (which I’m sure they already are) that include their forked changes, then they can say that their software is more secure than other brands. It benefits them for their competition to suffer security breaches, especially if they trace back to these kinds of changes.

    Which makes everything worse for everyone.