[Bug 2113928] Re: [MIR] rust-sudo-rs

Simon Chopin 2113928 at bugs.launchpad.net
Mon Aug 4 11:39:57 UTC 2025


I took the liberty of also overriding its priority to Important (based on the priority of the old sudo package in Plucky).
❯ change-override --suite questing -S -c main -p important rust-sudo-rs
Override component to main
Override priority to important
rust-sudo-rs 0.2.5-5ubuntu3 in questing: universe/misc -> main
sudo-rs 0.2.5-5ubuntu3 in questing amd64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing arm64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing armhf: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing i386: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing ppc64el: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing riscv64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing s390x: universe/utils/optional/100% -> main/important
Override [y|N]? y
8 publications overridden.

** Changed in: rust-sudo-rs (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2113928

Title:
  [MIR] rust-sudo-rs

Status in rust-sudo-rs package in Ubuntu:
  Fix Released

Bug description:
  [Availability]
  The package rust-sudo-rs is already in Ubuntu universe.
  The package rust-sudo-rs builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs

  [Rationale]
  The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo.
  The package rust-sudo-rs will generally be useful for a large part of our user base.
  rust-sudo-rs covers the most common use cases of sudo, not everything.
  Both sudo and sudo-rs will be supported in the next LTS.
  sudo-rs is recommended by sudo which we already support.
  There is no other/better way to solve this that is already in main or should go universe->main instead of this.
  All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement.
  The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly committed timeline.
  Earlier is better to get sufficient testing.

  [Security]
  - Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718)

  The issues were fixed quickly by the upstream.

  Last two are Low severity in the CWE-497 category.

  Upstream also maintains security advisories here
  https://github.com/trifectatechfoundation/sudo-rs/security/advisories

  https://www.openwall.com/lists/oss-security/2023/11/02/1
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs
  https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs
  https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason.
  https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well.

  - /usr/lib/cargo/bin/sudo has suid bit set. It is required by design.
  - Package does not install services, timers or recurring jobs

  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs
    - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues
  - The package has important open bugs, listing them:
    - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log TBD
    [MP in review for build time tests https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

  - The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, s390x
    link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs

  - The package does not have failing autopkgtests right now

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz
  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules

  [UI standards]
  - Application is end-user facing, Translation is NOT present.

  I did not find much trace of user interaction beside the following.

  $ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/
  src/sudo/pam.rs:                    user_warn!("Authentication failed, try again.");
  src/sudo/pam.rs-                }
  --
  src/su/context.rs:            user_warn!(
  src/su/context.rs-                "using restricted shell {}",
  --
  src/su/mod.rs:                    user_warn!("Authentication failed, try again.");
  src/su/mod.rs-                }
  --
  src/exec/mod.rs:                    user_error!("unable to change directory to {}: {}", path.display(), err);
  src/exec/mod.rs-                    if is_chdir {

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main
    [Rust dependencies are vendored per Rust MIR policy]

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for
    that commitment
  - The future owning team is already subscribed to the package

  - The team foundations-bugs is aware of the implications by a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
    lifetime of the release (including ESM)

  - The team foundations-bugs is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates and backports
    to the security team for any affected vendored code for the lifetime
    of the release (including ESM).

  - This package uses vendored rust code tracked in Cargo.lock as shipped,
    in the source package
    refreshing that code is outlined in debian/README.source
  - This package uses vendored code, refreshing that code is outlined
    in debian/README.source

  - This package is rust based and vendors all non language-runtime
    dependencies
    [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1

  [Background information]
  Upstream Name is sudo-rs
  Link to upstream project https://github.com/trifectatechfoundation/sudo-rs
  https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7
  https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2113928/+subscriptions
