30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that
I wonder if sudo would be better off joining one of those open source foundations instead of staying solo. It's too small to justify a meaningful amount of contribution to these companies, at which point the bureaucratic overhead of dealing with it probably kills the motivation
If he actually did charge money someone else would've written an implementation of sudo to solve their own needs and avoid the overhead of transacting with a random developer.
"Your 3-month sudo trial is expiring. Would you like to sign up for sudo-pro (best for hobbyists and small teams), sudo-business (up to 100 users) or sudo-enterprise (reach out for a quote)"
Seriously, just put a VAT on digital services to fund a system that pays out grants to individuals to help maintain open source software. It should be obvious by now that corporations will rat fuck the commons for monetary gain and there is a serious need for democratic initiatives to put technology back into the hands of the people.
Several states fund open science, and a couple of them actually do fund open source projects. Germany has its sovereign tech agency for this; France has publicly-funded research agencies that work on a lot of open source stuff, and there are others. There are EU initiatives as well.
It’s not perfect, but it is already something that is being done.
But how would that work? There isn’t unlimited money, so who decides what software to support with state money and which developers? I don’t have trust in a bureaucracy to decide which developers should get paid to work on sudo. Just look at the sudo-rs debacle, and that’s without money involved.
You have a failure of imagination if this is what you think, luckily in politics we don't have to listen to people like you and instead those with an actual vision of a better future.
I am not sure sudo is licensed under MIT or GPL; it looks like a mix of licenses[1]. The end of the first license says it's sponsored in part by DARPA.
From 2010 to February 2024, it was sponsored by Quest Software according to the history page[2].
Say, I clone sudo. Clearly, a human applying freedom zero. I use it in my projects. Probably still freedom zero. I use it in my CI pipeline for the stuff that makes me money... corporation or human? If it's corporation, what if I sponsor a not-for-profit that provides that piece of CI infra?
The problem is that "corporation or not" has more shades than you can reasonably account for. And, worse, the cost of accounting for it is more than any volunteer wants to shoulder.
Even if this were a hard and legally enforceable rule, what individual maintainer wants to sue a company with a legal department?
What could work is a large collective that licenses free software with the explicit goal of extracting money from corporate users and distributing it to authors. Maybe.
The challenge is that this doesn't really work for community-developed software.
Let's say somebody uses this scheme for software they wrote. Would anybody else ever contribute significantly if the original author would benefit financially but they wouldn't?
Mediating the financial benefits through a non-profit might help, but (1) there's still a trust problem: who controls the non-profit? and (2) that's a lot of overhead to set up when starting out for a piece of software that may or may not become relevant.
And the shades in between account for the large number of new licensing schemes sprouting, with different restrictions on what is and isn't possible. (Not to mention the large number of "just used it anyways" instances). And it struggles for smaller utilities, or packages of many different things.
It's "worked out" in the sense that it still doesn't really work for a lot of maintainers.
I used to volunteer for a local non-profit a few years ago.
From time to time, I would reflect on the fact that Microsoft and other commercial suppliers were getting paid for providing services to us, but I was expected to work for free.
For the same logic they are tax-exempt. There is a general consensus that their goal is the greater good (like developing sudo and such) and not the usual capitalistic good of generating more money.
Then again, your usual Friday outing of FANG engineers may have more money than some nonprofits too.
As covered literally just a few days ago (IIRC), you absolutely can demand payment: https://github.com/LGUG2Z/komorebi actively works to detect MDM, and if found, demand payment.
Not open source, but an interesting counterpoint, I think.
> any time someone says something is post-$thing it means what they are doing is in dialogue with and in response to $thing. “we were doing that before $thing” no, you can’t be in dialogue with something that hasn’t happened yet.
> this is like saying “what do you mean post-modernist architecture, architecture predates modernism”.
Releasing open source software and then “demanding payment” goes against everything about open source.
If someone expects to be paid for the use of their software, releasing it as open source is not what they want.
If a maintainer of a software project starts trying to demand payment or threatening to change license terms, it’s a reasonable response for a company to fork it or build their own solution.
And this is why all new projects by independent developers should seriously consider using a post-open source license before defaulting to corporate-friendly/corporate-first OSI licenses
This precisely. What started out as a way of rewarding authorship (of text, software, or other things) has mainly become a way of extracting rent -- see the music, movie, and software industries. In the digital age, when the cost of making copies of such works is approximately zero, copyright law ceases to make sense.
Note that this does not mean you cannot make money selling software or software-related services. For example, game developers could still sell keys for online play on their servers even if they couldn't copyright the binaries.
Copyright law is hundreds of years old and originally was intended to prevent owner-operators of mechanical printing presses from printing and selling copies of some author's books without paying them or getting permission.
It was created when there was a scarcity of content, so state violence was used to encourage production of content.
But now we don't live in the age of scarcity of content. On the contrary, content creators are competing for a possibility to get into consumers' attention span and push their agenda (ads). Everything has changed.
Removing all copyright restriction will not decrease the amount of content available for a person through their lifetime even a few percent.
> originally was intended to prevent owner-operators of mechanical printing presses from printing and selling copies of some author's books without paying them or getting permission.
We agree that that was its initial stated intention.
However, what we have seen in practice is that it has resulted in the owner-operators of those machines banding together to restrict access to the machines unless authors sign exploitative contracts assigning their rights to the operators (which they interpret as "getting permission").
The world has changed substantially since the 1710 Statute of Anne; there are a thousand things that you could call the modern-day equivalent of mechanically printing a book, with myriad capital and operating costs and availability. Many ways an independent author or artist can publish their work are extremely cheap and effective. I'm relatively anti-copyright, but that doesn't mean that everyone currently benefiting from copyright law is rent-seeking in an exploitative way.
No it's not. GPL is quite the opposite. GPL means that "you own what you buy", which is the foundation of capitalism. You own what you buy, including programs, which you can buy, replicate, modify, and sell.
Due to the nature of software, especially in the 80s, it existed in both text and binary form, which made it easy to pervert the nature of selling software from selling code to selling binaries, and big companies went even further in their collusion with the government socialists by making even re-selling your own binaries illegal.
GPL is just trying to fight this madness with its own weapon. The GPL is an attempt to go back to capitalism of small business owners and individual service providers.
Well, none of the implementations of Marxism in the XX century worked like this, so I dare to disagree.
Of course, you can always say that America is exceptional, and she will have "Marxism with American characteristics", just like China switched from true socialism to "socialism with Chinese characteristics", but I would still recommend avoiding the word, which is associated with the GULAG and mass starvation.
If you can't explain why it did not work in the past, and can't explain how & why things will be different this time, you don't have a plan. History is a harsh mistress.
Communism worked in China, for some definition of "worked". Stalinism eventually failed in the USSR and elsewhere. An extensive literature explains these things, as well as explaining different forms and varieties of "communism", and things that people call "communism" but aren't.
Communism worked so well in China that as soon as they adopted something resembling free markets in some regions, thanks to Deng Xiaoping, their GDP per capita rose amazingly fast for 3~4 decades. Not exactly a stellar example.
China is still communist. Again communism has worked for some definition of "worked". This is an objective statement, not an endorsement of Chinese communism.
If anything, Stalin-era commie blocks are better than the Khrushchev-era commie block I lived in. That particular brand of communism had a tendency to paperclip-optimize everything in a weird way. Like it's really the opposite of capitalism, where you go from an MVP to a fully usable product, but in reverse. You would think it's optimization, but then you regulate the temperature in winter by opening the window.
In terms of housing and speaking only from personal experience, European brand of social democracy seems to get it.
GPLv3 is a bit overreaching, especially in its patent clauses. The GPL as an idea is great, but the license needs a little more refining.
The constant fear of lawyers that using some GPL lib will infest entire codebase of their project with GPL is a real problem that stops many corporations from contributing in the first place.
You can only fix that with leverage. The sudo maintainer doesn't have it. sudo is valuable, but if Todd stepped away, you could (and would) find other maintainers because it's so important.
If you want to fix it, you need organizational heft comparable to the companies using it, and the ability & willingness to make freeriding a more painful experience.
I disagree on "the most critical" part. You can be superuser at all times. I understand the arguments why not; I am pointing out that this is possible. Despite people claiming aliens will arrive and nothing will work, everything works fine when the superuser account is used too.
Also, I disagree that every company needs to pay the man. Funding is important, yes, but a *nix system is not crippled without sudo. You can change the permission systems. The superuser can do so too. It is not black magic. The permission system is trivial. sudo is simply a feature of convenience, not a "if sudo does not exist, nothing works" - that just makes no sense.
Right? A company stepping up to cut a check to support this would get positive publicity, and they'd be doing something good for the community at large. Someone step up.
Companies don’t step up and do things for the common good. They do things for profit. Occasionally that looks like they are charitable if the value of the PR is worth it for them.
No one[1] changes what product they are using based on funding or not of open source software. Companies will step in and fund it if they want control, like with Rust, or if the maintainer finally stops giving them free labor and they actually need the software.
I guess I don’t understand. Take RHEL. The sudo maintainer seeking a new sponsor affects upstream velocity and stewardship, not the deployed trust model of enterprise distributions. RHEL does not “follow HEAD.” It vendors a known-good snapshot and assumes long-term responsibility for it.
Core tools like sudo have survived things like this before
It's all bug fixes it seems. What is surprising is that so many bugs remain even after all this time and effort. And no, for the most part these are not the kinds of bugs that are squashed by a rewrite in Rust.
Things have changed quite a bit in the past 30 years!
I encourage you to peek at their changelog (https://www.sudo.ws/releases/changelog/) for more insight into why this project is still under active development.
Living without it isn't hard IMO. It's more of a convenience. Most of the servers I ever login to only have one non-root user anyway. When I need root, I switch to root.
I wonder how many guys who have written or significantly maintained "household name" level FOSS products just earn a corporate sinecure somewhere as hypercompetent remote sysadmins or ICs or something. Folks who don't necessarily care to earn top dollar, with all the headaches that entails, but also almost never have to actually work more than 2 hours in a given day to keep the ship going, and the arrangement is just so cozy and gives them enough time to themselves to work on their actual passion that they accept the arrangement.
I know of at least one recruiter who does something like this and specializes in greybeard hiring, and it seems like a steady niche if you have the network to pull it off.
Why would you be running sudo in production? A production environment should usually be set up properly with explicit roles and normal access control.
Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.
I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.
> A production environment should usually be set up properly with explicit roles and normal access control.
… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.
Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.
PSA for anyone reading this, you should probably use polkit instead of sudo if you just want to grant systemd-related permissions, like restarting a service, to an unprivileged user.
It's roughly the same complexity (one drop-in file) to implement.
I’d broaden that slightly to say you should try to have as few mechanisms for elevating privileges as possible: if you had tooling around sudo, dzdo, etc. for PAM, auditing, etc. I wouldn’t lightly add a third tool until you were confident that you had parity on that side.
Privilege escalation (superuser capabilities) and RBAC ought to be viewed differently, IMO.
There's a place for true superusers, such as auditing, where no stone should be too heavy. But mostly for securing systems, we want RBAC, and sudo is abused as a pile-driver where only a mallet was needed. Polkit is more of a proper policy toolkit.
That’s a valid choice. I’m just saying that you should pick ideally one tool for that class of work. For example, if you support one tool for Mac and Linux users that’s probably worth more than supporting two similar tools even if one of them is better.
> Why would you be running sudo in production? A production environment should usually be set up properly with explicit roles and normal access control.
And doing cross-role actions may be part of that production environment.
You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.
But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.
In your example certbot is given permission to write to /var/www/.well-known/acme-challenge and to write certs somewhere. Your web server also has permission to read those files too.
There is no need for the acme client and web server to run as the same user. For reloads the certbot user can be given permission to just invoke the reload command / signal directly. There does not need to be sudo in between them.
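The two grants argued over in the comments above (a group allowed to restart one service, and an ACME service account allowed only to reload the web server), written out both as a sudoers drop-in and as the equivalent polkit rule that lets the service account call `systemctl reload` directly with no sudo in between. This is an added example, not any commenter's own configuration. The group name `webops`, the account name `acme`, the unit `nginx.service` and the file paths are assumptions; the polkit action id and the `unit`/`verb` details are the ones systemd passes for `manage-units`, and the JavaScript `.rules` format needs polkit 0.106 or later (older distributions used `.pkla` files). `lint_sudoers` is a crude added check for the two classic mistakes (`ALL` as the command, or a glob), not a replacement for `visudo -c`.

```shell
#!/bin/sh
# Added example, not from any commenter: least-privilege grants for one unit,
# as a sudoers drop-in and as the equivalent polkit rule.
# Assumed names: group "webops", service account "acme", unit "nginx.service".

# Sudoers drop-in. Absolute paths, exact arguments, no globs: a rule like
# "/usr/bin/systemctl *" would let the user start, stop or edit any unit as root.
sudoers_nginx_grants() {
  cat <<'EOF'
# /etc/sudoers.d/nginx-grants (install with mode 0440)
Cmnd_Alias NGINX_RELOAD  = /usr/bin/systemctl reload nginx.service
Cmnd_Alias NGINX_RESTART = /usr/bin/systemctl restart nginx.service
# Operators may reload or restart the web server, nothing else as root.
%webops ALL=(root) NOPASSWD: NGINX_RELOAD, NGINX_RESTART
# The ACME client's service account may only reload, so new certs get picked up.
acme    ALL=(root) NOPASSWD: NGINX_RELOAD
EOF
}

# Same policy for polkit, which is what "systemctl reload nginx.service"
# consults when an unprivileged user runs it over D-Bus, so sudo is not needed.
# systemd exposes the unit name and the verb as polkit details on manage-units.
polkit_nginx_rule() {
  cat <<'EOF'
// /etc/polkit-1/rules.d/50-nginx-grants.rules
polkit.addRule(function (action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units" ||
        action.lookup("unit") !== "nginx.service") {
        return polkit.Result.NOT_HANDLED;
    }
    var verb = action.lookup("verb");
    if (subject.isInGroup("webops") && (verb === "reload" || verb === "restart")) {
        return polkit.Result.YES;
    }
    if (subject.user === "acme" && verb === "reload") {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF
}

# Syntax-check a candidate sudoers file before installing it; a drop-in with a
# parse error is worse than none. Exit status is visudo's (non-zero on error).
check_sudoers_syntax() {
  visudo -c -f "$1"
}

# Crude lint: flag any rule whose command list is ALL or contains a glob.
# Comments are stripped first. Returns 0 when nothing suspicious is found.
lint_sudoers() {
  ! sed -e 's/#.*//' "$1" \
    | grep -Ev '^[[:space:]]*$' \
    | grep -E '(=.*[[:space:]:)]ALL[[:space:]]*$|\*)'
}

# Usage (as root):
#   sudoers_nginx_grants > /tmp/nginx-grants \
#     && lint_sudoers /tmp/nginx-grants \
#     && check_sudoers_syntax /tmp/nginx-grants \
#     && install -m 0440 /tmp/nginx-grants /etc/sudoers.d/nginx-grants
#   polkit_nginx_rule > /etc/polkit-1/rules.d/50-nginx-grants.rules
```

Whichever mechanism you keep, the point from the thread stands: one elevation path, one audit trail. If the host already routes sudo through PAM and central logging, the sudoers form inherits that; if it is a plain systemd box with no sudo tooling, the polkit form avoids adding a setuid binary to the trust chain.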