The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it’s also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting sudo-rs, the Rust version of sudo being used by Ubuntu 25.10.


Which batch of you turds was in here all up in my stuff last week when I said Rust projects have security vulnerabilities all the time just as any other and you all were arguing like “nuh-uh cuz Rust”?
Step up.
Weren’t you the dude posting completely irrelevant articles? As I said before, no one reasonable thinks Rust programs won’t have bugs. Rust helps prevent a specific class of vulnerabilities. The rest is, as per usual, up to the programmer to avoid.
EDIT: I browsed your comments to verify. You were indeed the person posting the irrelevant articles about malware written in Rust being used to exploit other programs and using it to claim that software written in Rust was vulnerable.
No…but you were the one trying to twist this exact thing out of context to meet your foolish argument. Same as right now 🤣
Thanks for mentioning that. Block
> deliberately lies about content of article to shit on Rust
> gets called out
> “how dare you twist my words”
So fucking childish lol. Could have just used a real article about a Rust vuln like this one but whatever.
At this point I feel like anti-Rust people are more cult-like than any pro-Rust people I’ve met.
Whoa whoa whoa this isn’t the Phoronix comment section
Now that you mention it this does sound suspiciously like every Rust-related Phoronix comment section I’ve seen
Everyone knows that memory safety isn’t the only source of security vulnerabilities (unless you’re bickering about programming languages on the internet, in which case 100% of security vulnerabilities are related to memory safety)
Rust users are one of Rust’s biggest weaknesses.
I would like you to produce an example of a Rust evangelist disputing this. They’re not as dimwitted or misguided as you seem to think.
The Rust hype is funny because it is completely based on the fact that a leading cause of security vulnerabilities for all of these mature and secure projects is memory bugs, which is very true, but it completely fails to see that this is the leading cause because these are really mature projects that have highly skilled developers fixing so much shit.
So you get these new Rust projects that are sometimes made by people that don’t have the same experience as these C/C++ devs, and they are so confident in the memory safety that they forget about the much simpler security issues.
Can’t tell you how many times I’ve heard about curl getting re-written. Same deal.
Surely a direct stream from the internet straight onto host hardware can’t be exploited in any way. All you gotta do is put the stream in a file. How hard could it be? (/s)
Tbh that specific case probably wouldn’t be a big deal. It’s all the extra processing curl can do for http requests and the like that’d be more dangerous to rewrite I’d think.
The most relevant part of the curl project is the library, not the CLI tool. And its biggest advantages in addition to universal availability are support for many protocols other than HTTP, flexible interface(s), two useful well-documented and largely stable APIs (one wraps the other for easy use), multiple TLS/SSL back-end support, and finally, the complete(ish) HTTP protocol support. But that last one alone is not that big of a deal.
libcurl’s implementation even uses external libraries for both HTTP2 and HTTP3 for framing. It uses an external library for QUIC transport support too. Meanwhile, many other independent language implementations for HTTP exist that range from serviceable to complete. Be it Python, Go, Rust, or many others, you usually get a “native” option you could/should use. Gone are the days of bad old PHP. Hell, even some WIP languages add usable native implementations sometimes as a part of their standard libraries, like inko.
Within the Rust ecosystem, you’re fully covered by hyper. Even very obscure HTTP features like obsolete HTTP1 multi-line headers are supported (you have to enable this one explicitly). And I only know this because I had the fortunate circumstance of coming across a server that used these (It was an educational, if interesting, couple of afternoon hours).
To me this says more about Canonical than Rust.
Canonical didn’t make these tools…
They did choose to adapt them at version <1.0.0
Could be a brave decision that will lead to these tools getting good a lot faster. Many such decisions seem a bit stupid if you only look at the short term.
They do have a habit of overcommitting to tools that are not yet ready.
Hell, snap still isn’t ready
No it certainly is not.
The biggest problem with Rust is its users. They somehow think that having a safe memory access means fewer bugs. While it only means fewer memory management related bugs. Which honestly isn’t even a problem with modern C++.
b-b-b-but Rust is inherently safe!
Yeah, if you hash your passwords with unsalted md5 it’s much more secure in Rust than PHP!