Comment by SoftTalker
12 hours ago
Why should something like sudo not be "done" after 30 years?
Sudo is one of the poster children for creeping featuritis, to the point that the sudoers man page is a meme ("Don't despair if you are unfamiliar with EBNF ...")
Even OpenBSD gave up and implmented their own simplified replacement (doas).
Different platform but the simplest mainframe utility IEFBR14, a noop process to trigger JCL events started as one instruction. Then two. Then debate started about which machine instruction should be used to set the return code to zero …
Hence IEFBR14A
> Why should something like sudo not be "done" after 30 years?
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implmented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
Let's be honest, though. If you designed a new sudo in a system with doas(1) it would look nothing like modern sudo.
I can't remember the name, but I read about a rust project a few months ago which claimed that even doas had too much feature creep.
> sudo has functionality to talk to LDAP
That is scary! I may need to look more at openbsd
There's a Linux port of doas named OpenDoas
1 reply →
The purpose is to allow users access by ldap criteria like group so the sodoers file need not be edited on each and every server.
https://www.sudo.ws/docs/man/sudoers.ldap.man/
1 reply →
Bugfixes and security vulnerabilities, mostly. So long as fallible humans make fallible hardware running fallible software that in turn executes and/or compiles fallible code, there will always be a need for continued development of critical tooling and packages.
On a long enough timeline, those fixes become fewer and less frequent as the codebase improves, but there is no "done" in software unfortunately. Hell, entropy itself means nothing is ever done, just in an ever-changing state.
Is it really creeping, though? Pretty sure I first saw the EBNF in the man page more than 20 years ago, it's just how that generation learned to write and discuss parsers. (What I'm getting at is that even if it is, that isn't a sign of it.)
Of course, 20+ years ago a big feature was platform compatibility, and since then we've gone from 10+ to 2ish, so if it's not explicitly enabling retrocomputing, it should be getting simpler, right?
Even if sudo itself never changed, the system around it changes pretty drastically. I agree the scope of the tool should be smaller and it violates the Unix philosophy (whatever that is worth these days)
This community and others like it are so weird in that if they see something as stable as sudo but without recent commits, rather than conclude that it's solid and doesn't need further changes, they see it as some kind of a problem and want to switch to something that's seen major changes in the last week.
Maybe that's somehow related to why so many companies are shoving AI into a bunch of stuff that doesn't need it. Gotta keep everything on the hype train. Working and fulfilling people's needs is no longer good enough.
The thing is, there is next to no software that "doesn't need further changes" at all. There is always something, sure it might be infrequent and/or most of the time nothing really big or difficult (except sometimes) but the point is: someone needs to step up and do it.
If a see a project with recent activity, best from multiple people it is a strong signal that this will happen, if the last commit is a year ago I must assume it's completely abandoned because most of the time it just is. Sometimes it's clearly communicated that it is the way because the authors see it as essentially feature complete, there are some examples of this but not that many honestly.
Because environments change, it hasn't been immutable.
What are you, a dentist moonlighting as an angel investor?
Software is never "done".
The underlying APIs are always changing. The compilers and system libraries are changing.
Featuritis is a thing, but rolling it back is non-trivial as there are folks who depend upon it.
Just curious, why did you use "dentist" in your analogy over any other profession?
Because we haven't progressed to the angelic level of software development, so nothing is bug-free, which especially important in something security-critical like sudo
Similarly sudo-rs and doas-rs exist now.
I'm not sure what can be gained for further development of the OG c sudo, add security patches of course.
But fund adding yet another feature 99.9% of users will never use? I can't fathom the justification for that. Just adding attack surface at this point.
Rightly both doas and the *-rs drops ins intend to drop most of those unnecessary features.
Are you saying you would be using something that fills the same critical role as sudo even if it had not received any updates in a decade or more? Because that sounds insane