The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.

  • just_another_person@lemmy.world · 72 up / 23 down · 20 hours ago

    Which batch of you turds was in here all up in my stuff last week when I said Rust projects have security vulnerabilities all the time just as any other and you all were arguing like “nuh-uh cuz Rust”?

    Step up.

    • Rikudou_Sage@lemmings.world · 19 up / 9 down · 20 hours ago

      The biggest problem with Rust are its users. They somehow think that having a safe memory access means fewer bugs. While it only means fewer memory management related bugs. Which honestly isn’t even a problem with modern C++.

    • entwine@programming.dev · 52 up / 3 down · 20 hours ago

      Everyone knows that memory safety isn’t the only source of security vulnerabilities (unless you’re bickering about programming languages on the internet, in which case 100% of security vulnerabilities are related to memory safety)

      Rust users are one of Rust’s biggest weaknesses.

      • eah@programming.dev · 3 up · 4 hours ago

        memory safety isn’t the only source of security vulnerabilities

        I would like you to produce an example of a Rust evangelist disputing this. They’re not as dimwitted or misguided as you seem to think.

    • MTK@lemmy.world · 34 up / 3 down · 19 hours ago

      The Rust hype is funny because it is completely based on the fact that a leading cause of security vulnerabilities for all of these mature and secure projects is memory bugs, which is very true, but it completely fails to see that this is the leading cause because these are really mature projects that have highly skilled developers fixing so much shit.

      So you get these new Rust projects that are sometimes made by people that don’t have the same experience as these C/C++ devs, and they are so confident in the memory safety that they forget about the much simpler security issues.

      • mesa@piefed.social · 15 up / 2 down · 19 hours ago

        Can't tell you how many times I've heard about curl getting re-written. Same deal.

        • otacon239@lemmy.world · 10 up · edited · 13 hours ago

          Surely a direct stream from the internet straight onto host hardware can’t be exploited in any way. All you gotta do is put the stream in a file. How hard could it be? (/s)

          • arcterus@piefed.blahaj.zone · 4 up · 6 hours ago

            Tbh that specific case probably wouldn’t be a big deal. It’s all the extra processing curl can do for http requests and the like that’d be more dangerous to rewrite I’d think.

            • MoSal@programming.dev · 1 up · 1 hour ago

              The most relevant part of the curl project is the library, not the CLI tool. And its biggest advantages, in addition to universal availability, are support for many protocols other than HTTP, flexible interface(s), two useful, well-documented and largely stable APIs (one wraps the other for easy use), multiple TLS/SSL back-end support, and finally, the complete(ish) HTTP protocol support. But that last one alone is not that big of a deal. libcurl's implementation even uses external libraries for both HTTP2 and HTTP3 for framing. It uses an external library for QUIC transport support too. Meanwhile, many other independent language implementations for HTTP exist that range from serviceable to complete. Be it Python, Go, Rust, or many others, you usually get a "native" option you could/should use. Gone are the days of bad old PHP. Hell, even some WIP languages add usable native implementations sometimes as a part of their standard libraries, like inko.

              Within the Rust ecosystem, you’re fully covered by hyper. Even very obscure HTTP features like obsolete HTTP1 multi-line headers are supported (you have to enable this one explicitly). And I only know this because I had the fortunate circumstance of coming across a server that used these (It was an educational, if interesting, couple of afternoon hours).
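              The obsolete multi-line header syntax MoSal mentions (obs-fold, RFC 7230 section 3.2.4: a field value continued on the next line by leading SP or HTAB) is a good illustration of why parsers keep such features opt-in. The block below is an added Rust example, not hyper's code and not part of the thread; it is a minimal header-block parser with a hypothetical `allow_obs_fold` switch that rejects folded lines by default and, when enabled, unfolds them the way the RFC specifies (the fold is replaced by a single space). The sample header block is constructed for the example.

```rust
// Added example (not hyper's implementation): parse an HTTP/1.x header block
// and show how obsolete line folding (obs-fold) is handled. The strict mode
// matters because a front proxy and a backend that disagree on whether
// "  second part" is a continuation or a malformed line will see two
// different messages, which is the root of many desync bugs.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// A continuation line was found but obs-fold is disabled (holds the line index).
    ObsFoldRejected(usize),
    /// A line without a "name: value" separator (holds the line index).
    MissingColon(usize),
    /// The very first line starts with whitespace, so there is nothing to fold into.
    LeadingWhitespaceFirstLine,
}

/// Parse everything after the start line up to the blank line that ends the
/// header block. Header names are lower-cased; values are trimmed.
/// `allow_obs_fold` is a hypothetical opt-in switch standing in for the idea
/// that a library should reject folded headers unless explicitly told otherwise.
pub fn parse_headers(
    block: &str,
    allow_obs_fold: bool,
) -> Result<Vec<(String, String)>, ParseError> {
    let mut headers: Vec<(String, String)> = Vec::new();

    for (idx, raw) in block.split("\r\n").enumerate() {
        if raw.is_empty() {
            break; // empty line terminates the header block
        }

        if raw.starts_with(' ') || raw.starts_with('\t') {
            // obs-fold: this line continues the previous field value
            if !allow_obs_fold {
                return Err(ParseError::ObsFoldRejected(idx));
            }
            match headers.last_mut() {
                Some((_, value)) => {
                    // RFC 7230: replace CRLF + leading whitespace with one SP
                    value.push(' ');
                    value.push_str(raw.trim());
                }
                None => return Err(ParseError::LeadingWhitespaceFirstLine),
            }
            continue;
        }

        let colon = raw.find(':').ok_or(ParseError::MissingColon(idx))?;
        let name = raw[..colon].trim().to_ascii_lowercase();
        let value = raw[colon + 1..].trim().to_string();
        headers.push((name, value));
    }

    Ok(headers)
}

/// Constructed sample: a normal header followed by one that uses obs-fold.
pub const SAMPLE_BLOCK: &str =
    "Host: example.test\r\nX-Note: first part\r\n  second part\r\n\r\n";

fn main() {
    // Strict (default) mode rejects the folded line.
    println!("{:?}", parse_headers(SAMPLE_BLOCK, false));
    // Opt-in mode unfolds it into a single value.
    println!("{:?}", parse_headers(SAMPLE_BLOCK, true));
}
```

              Run stand-alone, the first call returns `Err(ObsFoldRejected(2))` and the second returns the two headers with `x-note` unfolded to `first part second part`. The point of keeping the lenient path behind a switch is that both ends of a connection must agree on it; a parser that silently unfolds while its peer silently rejects is where the trouble starts.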

    • arcterus@piefed.blahaj.zone · 28 up / 4 down · edited · 13 hours ago

      Weren’t you the dude posting completely irrelevant articles? As I said before, no one reasonable thinks Rust programs won’t have bugs. Rust helps prevent a specific class of vulnerabilities. The rest is, as per usual, up to the programmer to avoid.

      EDIT: I browsed your comments to verify. You were indeed the person posting the irrelevant articles about malware written in Rust being used to exploit other programs and using it to claim that software written in Rust was vulnerable.

      • just_another_person@lemmy.world · 1 up / 6 down · edited · 7 hours ago

        No…but you were the one trying to twist this exact thing out of context to meet your foolish argument. Same as right now 🤣

        Thanks for mentioning that. Block

        • arcterus@piefed.blahaj.zone · 10 up · edited · 6 hours ago

          > deliberately lies about content of article to shit on Rust
          > gets called out
          > “how dare you twist my words”

          So fucking childish lol. Could have just used a real article about a Rust vuln like this one but whatever.

          At this point I feel like anti-Rust people are more cult-like than any pro-Rust people I’ve met.