Adopting sudo-rs By Default in Ubuntu 25.10 (discourse.ubuntu.com)
from MazonnaCara89@lemmy.ml to linux@lemmy.ml on 08 May 20:26
https://lemmy.ml/post/29809457

#linux


abobla@lemm.ee on 08 May 21:43

This comment seems interesting, it was the first question that popped into my head:

<img alt="" src="https://lemm.ee/pictrs/image/ada18f43-b1f1-46dc-9d35-3a8f98bdf3e0.png">

atzanteol@sh.itjust.works on 09 May 01:50

That is… a big claim. Yeah, Rust minimizes or removes some categories of vulnerabilities. This is true. BUT sudo has been well tested over decades.

Clusterfck@lemmy.sdf.org on 09 May 13:36

I’ll be the first to admit to not paying much attention to Linux vulnerabilities, but I agree, I feel like a vulnerability in a package like sudo would have been huge news.

ShortN0te@lemmy.ml on 09 May 21:34

CVE-2021-3156, heap overflow in sudo. Roughly 10 years long in sudo. Allowed privilege escalation. It was huge.

pohart@programming.dev on 08 May 22:16

I don’t know how often exploits that this would prevent are found, but sometimes

danielquinn@lemmy.ca on 08 May 23:16

Is it GPL though? If this is a case of MIT-licensed stuff weaseling its way into Linux core utils, I’m not interested.

naught101@lemmy.world on 08 May 23:21

Looks like it’s dual licenced, MIT and Apache github.com/trifectatechfoundation/sudo-rs

mogoh@lemmy.ml on 08 May 23:32

Where is the problem when something MIT-licensed is in core utils?

Edit: sudo isn’t even a core util.

danielquinn@lemmy.ca on 08 May 23:59

Granted, sudo isn’t in coreutils, but it’s sufficiently standard that I’d argue that the licence is very relevant to the wider Linux community.

Anyway, I answered this at length the last time this subject came up here, but the TL;DR is that private companies (like Canonical, who owns Ubuntu) love the MIT license because it allows them to take the code and make proprietary versions of it without having to release the source code. Consider the implications of a sudo binary that’s Built For Ubuntu™ with closed-source proprietary hooks into Canonical’s cloud auth provider. It’s death by a thousand MIT-licensed cuts to our once Free operating system.

JubilantJaguar@lemmy.world on 09 May 10:37

Very useful concrete example of how these changes might be a problem. Thanks.

serenissi@lemmy.world on 09 May 11:47

What’s the problem with it? These MIT programs already exist. Anyone can make a proprietary version. Including it in Ubuntu doesn’t change that.

Also, your example is pointless. Canonical would rather make a proprietary PAM module instead of a custom internal fork of sudo-rs.

2xsaiko@discuss.tchncs.de on 09 May 00:19

sudo is MIT also (or something that looks like MIT at least). www.sudo.ws/about/license/

The more critical part wrt license is real coreutils which they also want to replace.

danielquinn@lemmy.ca on 09 May 06:42

This is what I get for posting at 1am. Thanks for the clarification. Yeah I just assumed it was the same situation as coreutils.

ABetterTomorrow@lemm.ee on 08 May 23:49

Can’t wait to test it out!

Mwa@lemm.ee on 10 May 14:24

I wonder about the performance compared to regular sudo

spv@lemmy.spv.sh on 10 May 14:27

Rust compiles to native code, so barring some horrific implementation issues, I’d bet my money on it being roughly equivalent.

KingThrillgore@lemmy.ml on 11 May 17:22

How does sudo-rs compare to doas?