Todd C. Miller has been maintaining the #sudo codebase for over 30 years. This is exactly one of those cases where an entire critical infrastructure is held together by the work of a single volunteer who apparently can’t find anyone willing to sponsor him for some financial support. #opensource #linux #foss #GNU
@pafurijaz Didn't openbsd move to `doas` a while back?
@spacehobo @pafurijaz
You can install and use doas in Linux Debian.
It's great. I recommend it.
But KDE Plasma depends on sudo, so in the end you have both.
@lautreg @spacehobo @pafurijaz
A desktop environment depends on sudo? So it doesn't work for regular/unprivileged users?

@leeloo @lautreg @pafurijaz Often there are graphical systems for presenting the escalation of privilege (One had one of those "*kit" names...policykit, was it?). So when your computer presents a notification and graphical interface saying "There are important software updates for your system.", it gives you an interface to enter your credentials and allow this.

These desktop systems presumably assume `sudo` under the hood.

@spacehobo @lautreg @pafurijaz
That is an idiotic assumption on a networked multi user system.

User needs an admin? Call tech support, admin handles it remotely via ssh.

If the desktop assumes sudo, that might just end up with the user getting to talk to HR and IT security.

@leeloo @spacehobo @pafurijaz
If the user isn't in sudo group, no problems.
@lautreg @spacehobo @pafurijaz
How can you depend on sudo, but then not have problems when the user doesn't have permission to run sudo?

@leeloo @spacehobo @pafurijaz
I prefer to use doas.
But, if there is KDE, I must keep sudo, but I don't use it.
It's my personal computer.
Servers don't have desktop environments.

In fact, I need the admin display challenge (that uses sudo) when I change the theme for sddm, or lightdm.

For people whose computer is managed by me, they use doas because I teach them, if I think I can allow them to do some admin tasks.

@lautreg @spacehobo @pafurijaz
How did servers become part of this discussion?
@leeloo @lautreg @spacehobo @pafurijaz True they should not depend on sudo, they should depend on 'whatever' defined by some config that could be sudo like $EDITOR. sudo is not 'critical infrastructure', just a means to elevate privilege. You can do this without sudo, it's a convenience util and maybe not even the right way to do things. I don't really know what to say to "having to call helpdesk when you need a patch". Aaanyway I hope someone supports, perhaps someone that needs sudo.

@leeloo @spacehobo @lautreg @pafurijaz

``That is an idiotic assumption on a networked multi user system.''

Arguably running a desktop on a networked multi-user system is the idiotic decision. Or not using an immutable OS like #guix, which allows users to safely install their own package requirements, is the idiotic part?

Either way, the problem is architectural (and deep!), not with the desktop per se.

@khleedril @spacehobo @lautreg @pafurijaz
"Or not using an immutable OS like #guix, which allows users to safely install their own package requirements, is the idiotic part?"

How would corporate IT prevent people from installing non-approved software in that case?

@leeloo @spacehobo @lautreg @pafurijaz

That can be done. In the case of #guix, the guix application itself could be restricted to the admin user, or users in the sudo group.

@lautreg @spacehobo @pafurijaz there's also 'run0' in SystemD
@pafurijaz Half the point of #FOSS (or more than half, for a lot of people) is the "free as in beer" element. If they were willing to pay for things, they'd be in the Windows or Mac walled gardens. That's just the reality of the situation. Create a tool for everyone, and everyone will use it until they need to pay up.

@egoldblatt @pafurijaz

That's probably true. But the idea that a community can only exist as long as huge numbers of people are providing their labor for free is a huge problem. I think people need to get used to the idea of paying for open source software, we pay for everything else that we find useful and if Linux is worthwhile we should be willing to pay for this as well.

@rastilin @egoldblatt @pafurijaz I think we should absolutely encourage monetary contributions to open source, but I think how we communicate about it is important.

No one should be going into free software projects expecting to get paid for it, and the fact that people do get paid for it is the exception and not the rule. Likewise, if there's an expectation for the users to pay for software, and the software is being distributed for free, I'd argue the onus isn't on the users, but on the authors/distributors to monetize it correctly.

Imo FOSS as a business model isn't in the spirit of FOSS (vscodium, for example). Neither does software we've paid for guarantee any special privileges or increased trust in the authors. It just means we've paid for it.

@crocodisle @rastilin @pafurijaz If there's an expectation of payment, then the software isn't free.
@egoldblatt @crocodisle @rastilin @pafurijaz
Whether or not a software is free (as in freedom) depends on the license. It has nothing to do with money. (And selling is even allowed under Free Software licenses.) Just because English has a hard time with words it doesn't mean that the meaning of "Free Software" changes.

@max @crocodisle @rastilin @pafurijaz

No, it can't be free, because the exchange of money for goods or licensed services implies that the creator must provide the product or service in a functional state. And, it means that even the most permissive license is binding. You own nothing and must be happy.

@egoldblatt Please read the licenses, that's not how this works.
@rastilin @pafurijaz I don't see a likelihood of users or corporations being willing to pay for open source. If payment changes hands, that's a contract. And I'm sure that everyone wants a contract that protects them from anything that might go wrong.
@egoldblatt @rastilin @pafurijaz
Users and corporations are already paying for free software. It's just that the stack is just too large and they tend to only pay for end-products. (And not enough for those so that the depending projects get their fair share) Basically another case of "trickle down economy" not working and why we need more government based support for free software projects.

@egoldblatt @rastilin @pafurijaz

IANAL, but I suspect in a lot of jurisdictions, if you charge for the software, you can't "disclaim the implied warranties of merchantability and fitness for a particular purpose", as GPL has it.

@only_ohm @egoldblatt @pafurijaz

Normal End User License Agreements also disclaim fitness for any purpose, but I think that's a threshold linux needs to cross if it wants to gain mass appeal. Like, you would never accept "unfit for any purpose" from your food, your furniture or your car, or anything else we rely on, but in software that's ok?

@egoldblatt @pafurijaz it is "free as freedom" not free as free beer. You can have a foss project that you need to pay for.

"Free software means that the users have the freedom to run, edit, contribute to, and share the software. Thus, free software is a matter of liberty, not price"

From: https://www.fsf.org/

So a FOSS software can still be a paid one


@pafurijaz Hey @sovtechfund, do you have any idea how to help here? Sudo really is critical (perhaps the most critical not under team maintenance)
@pafurijaz This needs to be seen. Are people seeing it on twitter or somewhere?
@pafurijaz Do you remember the SSH rooting contests from the 90s? At that time they would provide you the root password on the idea that if you could achieve unauthorized access to the machine across the network, a simple privilege escalation was trivial. Nowadays, that's no longer true, thanks to this hard work. I'll admit I take that level of security for granted these days.
@pafurijaz and people shit talk sudo a lot cause it's bloated...
@pafurijaz yes but, he definitely has not made it easy for anyone to find a link to sponsor or donate to him directly
@pafurijaz please explain to us!
@martinosacchi @pafurijaz “sudo” is short for “superuser do”. It is a widely used system administration tool that lets you run commands with “superuser” privileges, so you can change and access pretty much any part of a system. For security, your account needs to be on a list and you need to enter a password to use it. If left unmaintained, bugs won’t be fixed or necessary changes made. This could result in security holes allowing systems to be compromised.
@gruntled @pafurijaz That is in fact his Github user picture: https://github.com/millert
@pafurijaz Thanks for the reminder. I just sponsored the project via GitHub.

@pafurijaz

I think "father of time" (NTP) has a similar problem - the list could go on.

@pafurijaz But surely he can just "sudo sponsor my efforts" and all will be well? xkcd:149
@pafurijaz why didn't he use sudo to get funding?
@pafurijaz @postmodern
*typing in terminal*
# sudo get cash
# sudo install cash on bank account
@pafurijaz IBM alone should be sending him a million bux a year. #RedHat

@pafurijaz we need a better way to charge corporations with buckets of cash, as opposed to folks on a shoestring.

Or just outlaw billionaires

@pafurijaz The discussion of monetary support is missing the point.
If he's been supporting it for 30+ years, he is probably 50+ and due to retire sometime soon.
So what happens if he falls ill, or (hopefully not) dies?
@wyliecoyoteuk @pafurijaz No, that's exactly the point. The next generation is not stepping up without getting paid. Aside from that, it costs a ton of extra time to train a (team of) successor(s) on top of maintaining the package. So, this is exactly why funding is necessary, now more than ever.

RE: https://mastodon.social/@pafurijaz/115991659475358114

My dumbass thought `sudo` was a posix or coreutils command. Turns out it's not.

@pafurijaz sponsorship links on the github https://github.com/sudo-project/sudo