Comment by OsamaJaber
14 hours ago
30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that
This is a good example of Diffusion of Responsibility.
Everybody thinks somebody else should help, so nobody does.
I don't think they even see it as their responsibility, more, "If he wanted money, he should have charged for his software".
If he actually did charge money someone else would've written an implementation of sudo to solve their own needs and avoid the overhead of transacting with a random developer.
1 reply →
I mean, he should just put a message when you run sudo the first time asking for funding if he wants it that bad, that should speed things up.
Seriously, just put a VAT on digital services to fund a system that pays out grants to individuals to help maintain open source software. It should be obvious by now that corporations will rat fuck the commons for monetary gain and there is a serious need for democratic initiatives to put technology back into the hands of the people.
I would like to live in this utopia where free software is funded by the state. This seems impossible to get implemented in our world though.
Whenever people say that MIT or GPL licenses are a good idea I point out projects like this.
Only humans should have freedom zero. Corporations and robots must pay.
I am not sure sudo is licensed under MIT or GPL, looks it's like a mix of licenses[1]. The end of the first license says it's sponsored in part by DARPA.
From 2010 to February 2024, it was sponsored by Quest Software according to the history page[2].
[1] https://github.com/sudo-project/sudo/blob/main/LICENSE.md
[2] https://www.sudo.ws/about/history/
> Corporations and robots must pay.
Greenpeace is a (non-profit) corporation. Unions are corporations. Municipalities. Colleges and universities.
* https://en.wikipedia.org/wiki/Legal_person
Should they have to pay?
I used to volunteer for a local non-profit a few years ago.
From time to time, I would reflect on the fact that Microsoft and other commercial suppliers were getting paid for providing services to us, but I was expected to work for free.
Yes. Non-profits are more than capable of abusing the commons, the purpose of even small monetary requirements is to put a bound on that.
1 reply →
Yes.
Yes. Not for profit does not mean they don’t have money.
With that logic why should non profits have to pay for anything at all?
1 reply →
The behavior of corporations is shameful.
After all, people in these companies don't work for free and are able to spend a lot of money for other services.
Haven't you just hit the nail on the head? Corporations do not feel shame even if people within them do; hence actions . . .
You can demand payment but it doesn't mean you'll get paid. These days companies will clone your work instead of paying.
As covered literally just a few days ago (IIRC), you absolutely can demand payment: https://github.com/LGUG2Z/komorebi actively works to detect MDM, and if found, demand payment.
Not open source, but an interesting counterpoint, I think.
3 replies →
[dead]
The GPL is a good idea. It's our socieconomic system that isn't.
GPL is a response to the copyright law, which was created for the big corporations to extract rent from ordinary people.
It's copyright law which should go away.
6 replies →
Everything is a good idea if you assume a world in which it works.
6 replies →
GPLv3 is a bit overreaching , especially in patent clauses. The GPL as idea is great but the license needs a little more refining
The constant fear of lawyers that using some GPL lib will infest entire codebase of their project with GPL is a real problem that stops many corporations from contributing in the first place.
That's a nice slogan, but how does it work?
Say, I clone sudo. Clearly, a human applying freedom zero. I use it in my projects. Probably still freedom zero. I use it in my CI pipeline for the stuff that makes me money... corporation or human? If it's corporation, what if I sponsor a not-for-profit that provides that piece of CI infra?
The problem is that "corporation or not" has more shades than you can reasonably account for. And, worse, the cost of accounting for it is more than any volunteer wants to shoulder.
Even if this were a hard and legally enforceable rule, what individual maintainer wants to sue a company with a legal department?
What could work is a large collective that licenses free software with the explicit goal of extracting money from corporate users and distributing it to authors. Maybe.
Not for commercial use without buying a license is a pretty standard licensing scheme. This has been worked out for decades.
2 replies →
I guess I don’t understand. Take RHEL. The sudo maintainer seeking a new sponsor affects upstream velocity and stewardship, not the deployed trust model of enterprise distributions. RHEL does not “follow HEAD.” It vendors a known-good snapshot and assumes long-term responsibility for it.
Core tools like sudo have survived things like this before
Surprisingly Jia Tan has not offered to help yet.
Maybe someone should suggest, sudo needs compression capabilities and suggest a great developer, being helpful with that one? :D
Right? A company to step and cut a check to support this would get positive publicity and there doing something good for community at large. Someone step up.
Companies don’t step up and do things for the common good. They do things for profit. Occasionally that looks like they are charitable if the value of the PR is worth it for them.
No one[1] changes what product they are using based on funding or not of open source software. Companies will step in and fund it if they want control, like with Rust, or if the maintainer finally stops giving them free labor and they actually need the software.
[1] not enough people to alter finances
Why would it be needed to continue the development of sudo?
Isn't it done and finished, after 30 years of development?
It's all bug fixes it seems. What is surprising is that so many bugs remain even after all this time and effort. And no, for the most part these are not the kinds of bugs that are squashed by a rewrite in Rust.
The monthly releases seem to indicate otherwise.
Something's deeply wrong here.
3 replies →
I disagree on "the most critical" part. You can be superuser at all times. I understand the arguments why not; I am pointing out that this is possible. Despite people claiming aliens will arrive and nothing will work, everything works fine when the superuser account is used too.
Also, I disagree that every company needs to pay the man. Funding is important, yes, but a *nix system is not crippled without sudo. You can change the permission systems. The superuser can do so too. It is not black magic. The permission system is trivial. sudo is simply a feature of convenience, not a "if sudo does not exist, nothing works" - that just makes no sense.
You can only fix that with leverage. The sudo maintainer doesn't have it. sudo is valuable, but if Todd stepped away, you could (and would) find other maintainers because it's so important.
If you want to fix it, you need organizational heft comparable to the companies using it, and the ability & willingness to make freeriding a more painful experience.
Wasn't the sudo-rs (rust version) already reducing that leverage even further? (and finding interesting bugs, but that's not the point here)
Reminds me of https://xkcd.com/2347/
At the least, all the hyperscalers should be putting money into a fund for this sort of thing.
Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.
I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.
> A production environment should usually be setup up properly with explicit roles and normal access control.
… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.
Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.
PSA for anyone reading this, you should probably use polkit instead of sudo if you just want to grant systemd-related permissions, like restarting a service, to an unprivileged user.
It's roughly the same complexity (one drop-in file) to implement.
2 replies →
> Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
And doing cross-role actions may be part of that production environment.
You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.
But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.
In your example certbot is given permission to write to /var/www/.well-known/acme-challenge and to write certs somewhere. Your web server also has permission to read those files too.
There is no need for the acme client and web server to run as the same user. For reloads the certbot user can be given permission to just invoke the reload command / signal directly. There does not need to be sudo in between them.
Almost everyone is running sudo in production.
the fact this is a reply to the content in the parent just demos the complete lack of social skills or empathy many in this community are known for
Auditing.
bro i just want to apt install gimp :(