According to TheRegister.com, Ubuntu 25.10’s newly rewritten sudo-rs command has already encountered two security vulnerabilities that were disclosed and fixed this week. The issues were revealed in Ubuntu security notice USN-7867-1 on Monday, affecting the Rust-based sudo replacement that debuted in the Questing Quokka release. Project lead Marc Schoolderman of the Trifecta Tech Foundation confirmed neither vulnerability was related to memory safety issues, which is ironic given Rust’s security reputation. This marks the second time Ubuntu’s new Rust components have faced scrutiny since the October 23 coreutils date-handling bug that broke automatic updates. The team has already backported fixes to Debian stable, and Schoolderman described the coordinated disclosure process as running smoothly despite the early issues.
Rust Rewrite Reality Check
Here’s the thing about rewriting decades-old system tools: you’re basically asking for trouble. The original sudo dates back to 1980 – we’re talking about code that’s been battle-tested for over four decades. Now Ubuntu decides to replace it with a complete Rust rewrite, and within weeks we’ve got security vulnerabilities? That’s not exactly a confidence-inspiring debut.
And let’s be real – when you’re dealing with something as critical as sudo, which handles authentication and privilege escalation, even “minor” vulnerabilities are concerning. The fact that these weren’t memory safety issues actually makes it worse in a way. It suggests that the problems are in the logic and design, which Rust’s famous safety guarantees can’t protect against.
Bigger Pattern Emerging
This isn’t isolated to sudo-rs either. Remember that coreutils bug from last month? The Rust version of the date command was returning current dates instead of file modification times, which broke automatic updates. Both incidents point to a common problem when replacing mature tools: the new versions need to handle all the edge cases and legacy behaviors that the old ones accumulated over years.
Look, I get why Canonical is pushing this Rust transition. Memory safety is important, and when you’re sourcing industrial panel PCs and other critical infrastructure components, security matters. But rushing to replace foundational tools that have worked reliably for decades? That seems like asking for exactly the kind of issues we’re seeing now.
Silent Compatibility Problem
What’s particularly interesting about the coreutils bug is why it happened. The Rust commands silently accept all the same switches as their C counterparts from GNU coreutils. So when users ran commands expecting certain behavior, they got different results without any warning. That’s a recipe for subtle breakage that could go undetected for ages.
Basically, we’re seeing the classic “rewrite everything in New Shiny Language” pattern play out in real time. The sudo-rs project might have good intentions, but replacing something as fundamental as sudo requires more than just writing safe code. It requires understanding decades of accumulated wisdom about how the tool actually gets used in the wild.
Early Days Still
To be fair, Schoolderman has a point about interim releases existing precisely for this purpose – to catch issues before they hit long-term support versions. And the fact that they handled this through proper coordinated vulnerability disclosure shows they’re taking security seriously.
But here’s my question: when you’re dealing with authentication and privilege escalation, should we really be using beta-quality replacements in a production-oriented distribution? Maybe these early releases should stick to userland tools rather than touching the security-critical components until they’re more mature. The original sudo earned its stripes over decades – expecting a rewrite to match that overnight seems optimistic at best.
