30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that
Right? A company to step and cut a check to support this would get positive publicity and there doing something good for community at large. Someone step up.
Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.
I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.
> A production environment should usually be setup up properly with explicit roles and normal access control.
… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.
Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.
> Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
And doing cross-role actions may be part of that production environment.
You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.
But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.
But, on the whole, the server seems to be doing well enough for something near the top of HN. The website is served by nginx and appears to be mostly static pages.
Quote from Website: "For the past 30+ years I’ve been the maintainer of sudo. I’m currently in search of a sponsor to fund continued sudo maintenance and development. If you or your organization is interested in sponsoring sudo, please let me know."
Have used sudo millions of times. It's so smooth I don't even consider it software. Thinking that sudo could give me bug one day haunts me now. Thanks Miller for your work!
This is why I feel like a missing piece of Patreon/Kofi/whatever is the ability to say "Here's $x; divide it automagically amongst the creators I'm currently following"
Sure, I think a lot of those donations would amount to a few pennies or so at once, but I feel like a lot more people would be willing to support creators if they didn't have to constantly choose which to support.
I would love to know were IBM is on this. They use sudo everywhere, even on AIX. Not to mention IBM owns Red Hat Linux.
IBM should be able to send a decent amount to Todd once in a while, but based upon how much IBM supports ssh ($0), all they are proving is they are very cheap and only wants be a parasite living off other's work.
This is why Big Tech is so desperate for AI to work as a wholesale replacement for software developers: they do not pay for their Open Source consumption as-is, and new maintainers aren’t stepping up because they can’t afford rent, let alone to devote their full time to FOSS work free of charge like a lot of older project maintainers do.
The fact that sudo is a critical security pillar for trillions of dollars of global infrastructure but this guy gets bupkis for it screams volumes about the current state of technology.
We must do better, or it’ll be closed systems (OpenAI, Microsoft, Apple, Google, Oracle) all the way down as maintainers age out, go bankrupt, or die without succession plans in place.
Why should something like sudo not be "done" after 30 years?
Sudo is one of the poster children for creeping featuritis, to the point that the sudoers man page is a meme ("Don't despair if you are unfamiliar with EBNF ...")
Even OpenBSD gave up and implmented their own simplified replacement (doas).
Different platform but the simplest mainframe utility IEFBR14, a noop process to trigger JCL events started as one instruction. Then two. Then debate started about which machine instruction should be used to set the return code to zero …
> Why should something like sudo not be "done" after 30 years?
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implmented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
Are you saying you would be using something that fills the same critical role as sudo even if it had not received any updates in a decade or more? Because that sounds insane
Even if sudo itself never changed, the system around it changes pretty drastically. I agree the scope of the tool should be smaller and it violates the Unix philosophy (whatever that is worth these days)
Bugfixes and security vulnerabilities, mostly. So long as fallible humans make fallible hardware running fallible software that in turn executes and/or compiles fallible code, there will always be a need for continued development of critical tooling and packages.
On a long enough timeline, those fixes become fewer and less frequent as the codebase improves, but there is no "done" in software unfortunately. Hell, entropy itself means nothing is ever done, just in an ever-changing state.
Because we haven't progressed to the angelic level of software development, so nothing is bug-free, which especially important in something security-critical like sudo
This community and others like it are so weird in that if they see something as stable as sudo but without recent commits, rather than conclude that it's solid and doesn't need further changes, they see it as some kind of a problem and want to switch to something that's seen major changes in the last week.
Maybe that's somehow related to why so many companies are shoving AI into a bunch of stuff that doesn't need it. Gotta keep everything on the hype train. Working and fulfilling people's needs is no longer good enough.
I'm not sure what can be gained for further development of the OG c sudo, add security patches of course.
But fund adding yet another feature 99.9% of users will never use? I can't fathom the justification for that. Just adding attack surface at this point.
Rightly both doas and the *-rs drops ins intend to drop most of those unnecessary features.
What if the exploitative aspect is open source itself? Trick some above average but naive developers into giving their talent, effort, insights and time away for free or very little? Maybe open source or something similar could have been organized in a way that wasn't exploitative and wasn't (possibly) unsustainable, but that is not how things ended up with what Richard Stallman and others organized.
All of this is true, but ironically Free Software is about ensuring people have control over their computers, and Open Source spun the narrative to make it about getting software cheap or without paying at all.
People having control over their computer (and even having the right to share what they run on their computer!) is completely compatible with people paying for software labor.
There can be "cynical greedy bastards" in many places. If you optimize against them in one regard and place, will you also handle them elsewhere well? And calling for change can be abused by some of them to open new opportunities for exploitation, this time benefitting some different group of them.
You need to have an alternative, and it needs to be a credible and reliable one, to ensure that it does not end up being the case that one scam is replaced with another scam.
The exact moment you charge for something, you need payment processing, a bank, a legal entity to hold said processed funds, you have liability, you need some sort of marketing / sales process (even if it's just copy on a website), and the barrier for someone to use your product is suddenly extremely high, simply because it costs something.
Release it for free, no barrier to entry, no legal liability, the entire world can use it instantly. This is why free software spreads and catches on - precisely because it's free.
There is no way to form a business around FOSS without becoming a gatekeeping high-barrier entity. You can release for free then charge extra for consulting or special features, which many have done and continue to experiment with.
But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
This is an upfront cost and is possibly a one-time cost per-agreement.
Practically nobody downloads and installs sudo directly from the project website; people install it with their distribution of choice. The agreement could be automated and included in the licensing process. ie: the license gives specific distributions access to the software (either via paid or other agreed-upon terms appropriate to the distribution) and perhaps individual licensing terms for non-commercial entities.
Of course, the bigger ask in this decade is in use for training LLMs. OSS shouldn't be laundered through an LLM (IMHO) for license avoidance. Maybe some projects are OK with that (eg: many BSD licensed works.) There are some that likely aren't.
The code can become "radioactive" as well when a software library goes paid. It starts phoning home with information about its environment to ensure compliance which is just kinda... icky to most devs. I certainly don't want that bloat in my dependencies.
> The exact moment you charge for something, you need payment processing, a bank, a legal entity to hold said processed funds, you have liability, you need some sort of marketing / sales process (even if it's just copy on a website),
That seems like an area that's ripe for innovation. What does it take to get setup on a platform like Patreon? Seems like something similar ought to be setup for open source/independent development, probably an idealistic nonprofit.
> and the barrier for someone to use your product is suddenly extremely high, simply because it costs something.
All the organizations who really ought to pay are already setup to do all that, and do it all the time.
> But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
What we need is innovation. Maybe a license that has a trip-wire? If not enough money is voluntarily deposited into a tip jar over a certain period of time, the license requires a modest payment from all for-profit organizations of a particular size.
That's up-front, is for the most part free, and incentivizes some payment.
I think you have good arguments, but I wonder if there are alternatives that could work in at least some cases. Like, how Unreal engine's license works. Source-available to game developers, but in theory limited to paying customers, or something along those lines.
A change in economic system might be neither sufficient nor necessary, especially if the new economic system turns out to be even worse, or a scam.
One approach is to have expectations to not only the economic system, but also other systems, and the different people involved, no matter if they're on the top, on the bottom, or somewhere in the middle.
Not trying to be glib here. This feels like the embrace, extend, extinguish pattern that we jokingly used to think was only Microsoft. It is now becoming more and more obviously the modus operandi of the entire enterprise software ecosystem.
I believe you are correct to be frustrated and ringing the alarm bell. This is a "death of the commons" moment for OSS.
I've always favored the view that digital goods are only scarce until they are released. if we had a market for patch releases once they hit some goal. Uses could tip to reach the goal. After the goal is reached the patch is released and to all. Still have free loaders but one might live on the work
> and new maintainers aren’t stepping up because they can’t afford rent, let alone to devote their full time to FOSS work free of charge like a lot of older project maintainers do.
What about the Rust rewrite (sudo-rs)? I think it shows people are interested in maintaining and/or modernizing tools taken for granted.
It has a more lax license AFAIK. Also, many Rust projects and libraries have been abandoned, or are in so-so shapes.
Edit:
To specify, new projects like sudo-rs may seem promising, but going by observation and experience with similar projects, there is no guarantee that sudo-rs and similar projects will be successful, good and continued to be maintained. The problems with old projects can end up applying to new projects as well. And projects in Rust are no exception, going by experience with existing, older Rust projects.
Aside, a pet peeve I have is that for instance Ruffle has not turned out as successful as I had hoped for, even after several years and many sponsors. The proprietary Flash runtimes written in C still outperform Ruffle greatly in some cases, causing problems for some users that want to use Ruffle instead of other runtimes.
How is this a counter argument for anything? A more permissive license is not inherently a bad thing. Many C and C++ projects are also abandon or in so-so condition, why you uniquely call out Rust makes little sense. Either sudo-rs fills the void or it doesn't, but it is a counter point to this idea that open source projects have no path of evolution. Just because that path doesn't look like how you want it to doesn't mean it doesn't exist.
Honestly, it seems like the idealism of open source shouldn't have survived its contact with capitalism, but I suppose the contact wasn't painful enough the the exploitation continued for a long time.
Maybe we need a license that's even more onerous to corporations than the AGPL, like something with a revenue share clause.
Or maybe the problem is the naivete of software engineers. In aggregate, there was so much embrace of libertarianism that no groundwork was laid to protect ourselves from things like AI and offshoring.
Been pitching that with my FOSS colleagues and peers for years, now. A license for individual and educational use, but pay-to-play for anyone tangentially making revenue from its use. Then the conversation boils down to the business engineering of how much should something cost, with some arguing for flat yearly rates, and others arguing for cost-per-unit, while others still fret about "disrupting" the status quo immediately after acknowledging its untenability.
It's...frustrating, but those who do the work are the most qualified to explain what they need. For the rest of us, it's encouraging them to seek reasonable compensation for their work from those who exploit it for profit, and that doing so doesn't necessarily go against the spirit of open source.
I don't mean to come across as far too cynical, but in what world has a software license ever stopped the greedy and powerful from pillaging the IP of other people smaller and weaker than them?
In my opinion, libertarianism in software is a hollow dream that leads people to make foolish decisions that can't be protected. This makes it easy for corporations to exploit and quash any barely audible opposition.
Almost as if by plan, the libertarian mindset has eroded and weakened open source protections, defanging and declawing it every step of the way.
But today people can just vibe code their own sudo "with blackjack and hookers!"
/s
Really though, it is remarkable just how high we've built this towering house of cards on the selfless works of individuals. The geek in me immediately begins meditating on OSS funding mechanisms I've seen in the past, and what might work today. Then I remember that I don't believe it can work, but hope desperately that people like Todd can keep paying rent and continue getting some satisfaction from the efforts.
30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that
This is a good example of Diffusion of Responsibility.
Everybody thinks somebody else should help, so nobody does.
Right? A company to step and cut a check to support this would get positive publicity and there doing something good for community at large. Someone step up.
Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.
I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.
> A production environment should usually be setup up properly with explicit roles and normal access control.
… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.
Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.
> Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
And doing cross-role actions may be part of that production environment.
You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.
But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.
Almost everyone is running sudo in production.
Auditing.
Seeing the server temperatures go up as this gets posted to HN is fun. I'm not sure his server agrees.
“Machine Room Temperature” from Todd C. Miller’s website:
https://www.millert.dev/therm/
Server exhaust fan temperature was typically 94°F (ranged 92°F to 96°F) over the previous week and has climbed to 97°F.
But, on the whole, the server seems to be doing well enough for something near the top of HN. The website is served by nginx and appears to be mostly static pages.
Quote from Website: "For the past 30+ years I’ve been the maintainer of sudo. I’m currently in search of a sponsor to fund continued sudo maintenance and development. If you or your organization is interested in sponsoring sudo, please let me know."
Have used sudo millions of times. It's so smooth I don't even consider it software. Thinking that sudo could give me bug one day haunts me now. Thanks Miller for your work!
Honestly he should open a Patreon. There are loads of people that would subscribe to Sudo for $2/month or $5/month.
The problem is if I was going to do that with the open source projects I use, it is more like a penny a month * 1000 projects.
payment processors: "how about no"
$.01/user/month would be quite a bit here
Subtract the standard ~3 cent transaction fee and he’d end up owing money instead. That seems to always be the catch with micropayment ideas.
This is why I feel like a missing piece of Patreon/Kofi/whatever is the ability to say "Here's $x; divide it automagically amongst the creators I'm currently following"
Sure, I think a lot of those donations would amount to a few pennies or so at once, but I feel like a lot more people would be willing to support creators if they didn't have to constantly choose which to support.
Unbelievable, every fortune 500 company should sponsor this you all rely and use this. This makes me so sad I hope this has a good end.
I would love to know were IBM is on this. They use sudo everywhere, even on AIX. Not to mention IBM owns Red Hat Linux.
IBM should be able to send a decent amount to Todd once in a while, but based upon how much IBM supports ssh ($0), all they are proving is they are very cheap and only wants be a parasite living off other's work.
Obligatory xkcd: https://xkcd.com/2347/
...although this one would have been a good fit too, of course: https://xkcd.com/149/
This xkcd is featured as the maintainer’s user icon on GitHub:
https://github.com/millert
I once wrote hacking is ethical. Maybe I meant 'eventual'. Instead of Red-Hat sponsoring sudo, china can sponsor him to put hacks in.
This is why Big Tech is so desperate for AI to work as a wholesale replacement for software developers: they do not pay for their Open Source consumption as-is, and new maintainers aren’t stepping up because they can’t afford rent, let alone to devote their full time to FOSS work free of charge like a lot of older project maintainers do.
The fact that sudo is a critical security pillar for trillions of dollars of global infrastructure but this guy gets bupkis for it screams volumes about the current state of technology.
We must do better, or it’ll be closed systems (OpenAI, Microsoft, Apple, Google, Oracle) all the way down as maintainers age out, go bankrupt, or die without succession plans in place.
Why should something like sudo not be "done" after 30 years?
Sudo is one of the poster children for creeping featuritis, to the point that the sudoers man page is a meme ("Don't despair if you are unfamiliar with EBNF ...")
Even OpenBSD gave up and implmented their own simplified replacement (doas).
Different platform but the simplest mainframe utility IEFBR14, a noop process to trigger JCL events started as one instruction. Then two. Then debate started about which machine instruction should be used to set the return code to zero …
Hence IEFBR14A
> Why should something like sudo not be "done" after 30 years?
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implmented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
> sudo has functionality to talk to LDAP
That is scary! I may need to look more at openbsd
Are you saying you would be using something that fills the same critical role as sudo even if it had not received any updates in a decade or more? Because that sounds insane
Even if sudo itself never changed, the system around it changes pretty drastically. I agree the scope of the tool should be smaller and it violates the Unix philosophy (whatever that is worth these days)
Bugfixes and security vulnerabilities, mostly. So long as fallible humans make fallible hardware running fallible software that in turn executes and/or compiles fallible code, there will always be a need for continued development of critical tooling and packages.
On a long enough timeline, those fixes become fewer and less frequent as the codebase improves, but there is no "done" in software unfortunately. Hell, entropy itself means nothing is ever done, just in an ever-changing state.
What are you, a dentist moonlighting as an angel investor?
Software is never "done".
The underlying APIs are always changing. The compilers and system libraries are changing.
Featuritis is a thing, but rolling it back is non-trivial as there are folks who depend upon it.
Just curious, why did you use "dentist" in your analogy over any other profession?
Because we haven't progressed to the angelic level of software development, so nothing is bug-free, which especially important in something security-critical like sudo
This community and others like it are so weird in that if they see something as stable as sudo but without recent commits, rather than conclude that it's solid and doesn't need further changes, they see it as some kind of a problem and want to switch to something that's seen major changes in the last week.
Maybe that's somehow related to why so many companies are shoving AI into a bunch of stuff that doesn't need it. Gotta keep everything on the hype train. Working and fulfilling people's needs is no longer good enough.
Similarly sudo-rs and doas-rs exist now.
I'm not sure what can be gained for further development of the OG c sudo, add security patches of course.
But fund adding yet another feature 99.9% of users will never use? I can't fathom the justification for that. Just adding attack surface at this point.
Rightly both doas and the *-rs drops ins intend to drop most of those unnecessary features.
This might be a controversial view:
What if the exploitative aspect is open source itself? Trick some above average but naive developers into giving their talent, effort, insights and time away for free or very little? Maybe open source or something similar could have been organized in a way that wasn't exploitative and wasn't (possibly) unsustainable, but that is not how things ended up with what Richard Stallman and others organized.
All of this is true, but ironically Free Software is about ensuring people have control over their computers, and Open Source spun the narrative to make it about getting software cheap or without paying at all.
People having control over their computer (and even having the right to share what they run on their computer!) is completely compatible with people paying for software labor.
We shouldn't let cynical greedy bastards set the terms for how the rest of society wishes to engage
There can be "cynical greedy bastards" in many places. If you optimize against them in one regard and place, will you also handle them elsewhere well? And calling for change can be abused by some of them to open new opportunities for exploitation, this time benefitting some different group of them.
You need to have an alternative, and it needs to be a credible and reliable one, to ensure that it does not end up being the case that one scam is replaced with another scam.
I think at least the license should say something like we will charge on a per CPU or whatever basis for commercial usage.
You give it away for free so don’t be surprised to get abused. Human nature working at its best and worst here.
The exact moment you charge for something, you need payment processing, a bank, a legal entity to hold said processed funds, you have liability, you need some sort of marketing / sales process (even if it's just copy on a website), and the barrier for someone to use your product is suddenly extremely high, simply because it costs something.
Release it for free, no barrier to entry, no legal liability, the entire world can use it instantly. This is why free software spreads and catches on - precisely because it's free.
There is no way to form a business around FOSS without becoming a gatekeeping high-barrier entity. You can release for free then charge extra for consulting or special features, which many have done and continue to experiment with.
But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
This is an upfront cost and is possibly a one-time cost per-agreement.
Practically nobody downloads and installs sudo directly from the project website; people install it with their distribution of choice. The agreement could be automated and included in the licensing process. ie: the license gives specific distributions access to the software (either via paid or other agreed-upon terms appropriate to the distribution) and perhaps individual licensing terms for non-commercial entities.
Of course, the bigger ask in this decade is in use for training LLMs. OSS shouldn't be laundered through an LLM (IMHO) for license avoidance. Maybe some projects are OK with that (eg: many BSD licensed works.) There are some that likely aren't.
The code can become "radioactive" as well when a software library goes paid. It starts phoning home with information about its environment to ensure compliance which is just kinda... icky to most devs. I certainly don't want that bloat in my dependencies.
> The exact moment you charge for something, you need payment processing, a bank, a legal entity to hold said processed funds, you have liability, you need some sort of marketing / sales process (even if it's just copy on a website),
That seems like an area that's ripe for innovation. What does it take to get setup on a platform like Patreon? Seems like something similar ought to be setup for open source/independent development, probably an idealistic nonprofit.
> and the barrier for someone to use your product is suddenly extremely high, simply because it costs something.
All the organizations who really ought to pay are already setup to do all that, and do it all the time.
> But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
What we need is innovation. Maybe a license that has a trip-wire? If not enough money is voluntarily deposited into a tip jar over a certain period of time, the license requires a modest payment from all for-profit organizations of a particular size.
That's up-front, is for the most part free, and incentivizes some payment.
I think you have good arguments, but I wonder if there are alternatives that could work in at least some cases. Like, how Unreal engine's license works. Source-available to game developers, but in theory limited to paying customers, or something along those lines.
>"it screams volumes about the current state of technology."
about the current state of Big Corp vampires who are happy to bleed everyone dry to put more $$ in their own very fat pockets
Exactly
Our economic system starves you to death if you don't
People aren't vampires because they're on top, they're on top because they're vampires.
Shit flows downstream
A change in economic system might be neither sufficient nor necessary, especially if the new economic system turns out to be even worse, or a scam.
One approach is to have expectations to not only the economic system, but also other systems, and the different people involved, no matter if they're on the top, on the bottom, or somewhere in the middle.
Sounds like the system is working as intended...
Not trying to be glib here. This feels like the embrace, extend, extinguish pattern that we jokingly used to think was only Microsoft. It is now becoming more and more obviously the modus operandi of the entire enterprise software ecosystem.
I believe you are correct to be frustrated and ringing the alarm bell. This is a "death of the commons" moment for OSS.
I've always favored the view that digital goods are only scarce until they are released. if we had a market for patch releases once they hit some goal. Uses could tip to reach the goal. After the goal is reached the patch is released and to all. Still have free loaders but one might live on the work
So...crowdfunding via a platform like Kickstarter?
> and new maintainers aren’t stepping up because they can’t afford rent, let alone to devote their full time to FOSS work free of charge like a lot of older project maintainers do.
What about the Rust rewrite (sudo-rs)? I think it shows people are interested in maintaining and/or modernizing tools taken for granted.
IMO rust rewrites are done quickly to gain attention and kudos. They are very rarely maintainted to the same quality of the originals.
It has a more lax license AFAIK. Also, many Rust projects and libraries have been abandoned, or are in so-so shapes.
Edit:
To specify, new projects like sudo-rs may seem promising, but going by observation and experience with similar projects, there is no guarantee that sudo-rs and similar projects will be successful, good and continued to be maintained. The problems with old projects can end up applying to new projects as well. And projects in Rust are no exception, going by experience with existing, older Rust projects.
Aside, a pet peeve I have is that for instance Ruffle has not turned out as successful as I had hoped for, even after several years and many sponsors. The proprietary Flash runtimes written in C still outperform Ruffle greatly in some cases, causing problems for some users that want to use Ruffle instead of other runtimes.
> Also, many Rust projects and libraries have been abandoned, or are in so-so shapes.
This seems like a bit of a non-sequitur; the state of non-sudo-rs projects/libraries says nothing about the state of sudo-rs itself.
Not to mention that I'd imagine a similar statement would probably be true for projects and libraries written in any reasonably popular language.
How is this a counter argument for anything? A more permissive license is not inherently a bad thing. Many C and C++ projects are also abandon or in so-so condition, why you uniquely call out Rust makes little sense. Either sudo-rs fills the void or it doesn't, but it is a counter point to this idea that open source projects have no path of evolution. Just because that path doesn't look like how you want it to doesn't mean it doesn't exist.
> It has a more lax license AFAIK.
Sudo uses the OpenBSD license, while sudo-rs is dual licensed under MIT and Apache 2.0. Both licenses seem equally permissive to me.
By modernizing do you mean rewriting mature software in a meme language with less features than the original and introducing new bugs in the process?
The Rust smokescreen is mostly being used to slowly eradicate the GPL.
Like Lenin said, "Who stands to gain?"
"Meme language"? There are plenty of memes about C, and they aren't as flattering.
maintainers need to learn to say "no" to scope creep and entitled users.
sudo should have been a near complete tool after it was written.
So no #includedir, no LDAP integration, no log_input/output, no PAM integration ...?
Honestly, it seems like the idealism of open source shouldn't have survived its contact with capitalism, but I suppose the contact wasn't painful enough the the exploitation continued for a long time.
Maybe we need a license that's even more onerous to corporations than the AGPL, like something with a revenue share clause.
Or maybe the problem is the naivete of software engineers. In aggregate, there was so much embrace of libertarianism that no groundwork was laid to protect ourselves from things like AI and offshoring.
Been pitching that with my FOSS colleagues and peers for years, now. A license for individual and educational use, but pay-to-play for anyone tangentially making revenue from its use. Then the conversation boils down to the business engineering of how much should something cost, with some arguing for flat yearly rates, and others arguing for cost-per-unit, while others still fret about "disrupting" the status quo immediately after acknowledging its untenability.
It's...frustrating, but those who do the work are the most qualified to explain what they need. For the rest of us, it's encouraging them to seek reasonable compensation for their work from those who exploit it for profit, and that doing so doesn't necessarily go against the spirit of open source.
can't wait for popularity-contest(1) to be mandatory and required a linked credit card.
> the idealism of open source shouldn't have survived its contact with capitalism
The US economy of the 1980s, 1990s, and 2000s made it possible.
I don't mean to come across as far too cynical, but in what world has a software license ever stopped the greedy and powerful from pillaging the IP of other people smaller and weaker than them?
In my opinion, libertarianism in software is a hollow dream that leads people to make foolish decisions that can't be protected. This makes it easy for corporations to exploit and quash any barely audible opposition.
Almost as if by plan, the libertarian mindset has eroded and weakened open source protections, defanging and declawing it every step of the way.
But today people can just vibe code their own sudo "with blackjack and hookers!"
/s
Really though, it is remarkable just how high we've built this towering house of cards on the selfless works of individuals. The geek in me immediately begins meditating on OSS funding mechanisms I've seen in the past, and what might work today. Then I remember that I don't believe it can work, but hope desperately that people like Todd can keep paying rent and continue getting some satisfaction from the efforts.