I agree to an extent! I don't agree if the story being told is that "being written in Rust" is the entire security model of the program.
Honestly I don't see anything in their readme.md that convinces me they understand why setuid binaries are scary and sudo specifically is _really_ scary.
To be clear, that is also my opinion on OG sudo, but OG sudo wasn't developed with the possible advantage of hindsight.
(Like, this to me is the archetypal example of software that is of an unknown level of badness and does nothing at all to convince me of its goodness.)
This other project by the same team (https://github.com/memorysafety/rav1d) is also "safe."
Safe how? Well, it preserves the vulnerabilities of the original C code, but theoretically doesn't introduce more vulnerabilities, so long as you trust a giant wall of unsafe Rust code (and mind that unsafe Rust is harder to write than C) and also you trust c2rust not to contain any unknown bugs.
I am open to the idea that this rewritten project may eventually be better but I don't know why you would assume something like this is better now.
I think this strongly implies their actual threat model _is_ "well, C will get pwned eventually and Rust probably won't" with no further analysis -- although I don't want to commit to that characterization because if I'm wrong about what they believe, I'm basically defaming them.
I don't think you get secure code without massive dev effort and actual testing against adversaries.
@pyrex @mhoye I don't know specifics on any of this, I just read an article on sudo-rs and it sold it pretty well: better test coverage, more maintainable code by removing obscure features, using a memory-safe language.
Based on the readme of rav1d, it looks to be early and not to have been cleaned up & refactored yet.
Oh man -- it's possible the project comes off better in other venues? To be clear, I agree that removing obscure features is a good idea, and the readme.md hints at that (but doesn't include a rationale for it).
I'm also possibly underestimating just how bad the actual quality of sudo is, fwiw! I'm used to using it, I may have bias in its favor.
Oh man! Yeah, so that's actually reassuring, imho? It at least suggests there's a clear reason for this tool to exist.