I think the criticism is more about deciding to try to re-implement a long standing facility in rust that has, by all accounts, been ‘finished’ for a long time.
About the only argument for those sorts of projects is the resistance to the sorts of bugs that can become security vulnerabilities, and this example highlights that rewrites in general (rust or otherwise) carry a risk of introducing all new security issues on their own, and that should be weighed against the presumed risks of not bothering to rewrite in the first place.
New projects, heavy feature development, ok, fine, Rust to make that easier. Trying to start over to get to the same place you already are, needs a bit more careful consideration, especially if the codebase in question has been scrutinized to death, even after an earlier reputation of worrisome CVEs that had since all been addressed.
Finished means it’s feature complete according to the specification and feature frozen. It says nothing of bugs. Bugs are ethereal qualities, subject to opinion and criteria chosen for triage. Sudo is finished, it does what is meant to do. Does it do it bug free? For the most part it does. Doesn’t mean there aren’t any bugs left. But no new bugs are expected to be introduced by active development. Any bugs that arise, and it has been the case for a long time, will be old bugs that haven’t been discovered yet.
I think the criticism is more about deciding to try to re-implement a long standing facility in rust that has, by all accounts, been ‘finished’ for a long time.
About the only argument for those sorts of projects is the resistance to the sorts of bugs that can become security vulnerabilities, and this example highlights that rewrites in general (rust or otherwise) carry a risk of introducing all new security issues on their own, and that should be weighed against the presumed risks of not bothering to rewrite in the first place.
New projects, heavy feature development, ok, fine, Rust to make that easier. Trying to start over to get to the same place you already are, needs a bit more careful consideration, especially if the codebase in question has been scrutinized to death, even after an earlier reputation of worrisome CVEs that had since all been addressed.
In other comment I linked two vulnerabilities in sudo discovered in 2025, one of which was “hiding” for 12 years. So yeah, “finished” for a long time…
Finished means it’s feature complete according to the specification and feature frozen. It says nothing of bugs. Bugs are ethereal qualities, subject to opinion and criteria chosen for triage. Sudo is finished, it does what is meant to do. Does it do it bug free? For the most part it does. Doesn’t mean there aren’t any bugs left. But no new bugs are expected to be introduced by active development. Any bugs that arise, and it has been the case for a long time, will be old bugs that haven’t been discovered yet.