** Description changed: - rust-sudo-rs should be in the main from 25.10 release + [Availability] + The package rust-sudo-rs is already in Ubuntu universe. + The package rust-sudo-rs build for the architectures it is designed to work on. + It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x + Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs - #TBD + [Rationale] + The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo. + The package rust-sudo-rs will generally be useful for a large part of our user base. + rust-sudo-rs covers the most common sudo cases of sudo, not everything. + sudo and sudo-rs, both will be supported in the next LTS. + sudo-rs is recommended by sudo which we already support. + There is no other/better way to solve this that is already in main or should go universe->main instead of this. + All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement. + The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly commited timeline. + Earlier is better to get sufficient testing. + + [Security] + - Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718) + + The issues were fixed quickly by the upstream. + + Last two are Low severity in the CWE-497 category. + + Upstream also maintains security advisories here + https://github.com/trifectatechfoundation/sudo-rs/security/advisories + + https://www.openwall.com/lists/oss-security/2023/11/02/1 + https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs + https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs + https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason. + https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well. + + - /usr/lib/cargo/bin/sudo has suid bit set. It is required by design. 
+ - Package does not install services, timers or recurring jobs + + - Packages does not open privileged ports (ports < 1024). + - Package does not expose any external endpoints + - Packages does not contain extensions to security-sensitive software + (filters, scanners, plugins, UI skins, ...) + + [Quality assurance - function/usage] + - The package works well right after install + + [Quality assurance - maintenance] + - The package is maintained well in Debian/Ubuntu/Upstream and does + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs + - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues + - The package has important open bugs, listing them: + - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release + - The package does not deal with exotic hardware we cannot support + + [Quality assurance - testing] + - The package runs a test suite on build time, if it fails + it makes the build fail, link to build log TBD + + - The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, 390x + link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs + + - The package does have not failing autopkgtests right now + + [Quality assurance - packaging] + - debian/watch is present and works + - debian/control defines a correct Maintainer field + + - This package does not yield massive lintian Warnings, Errors + - Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz + - Lintian overrides are not present + + - This package does not rely on obsolete or about to be demoted packages. 
+ - This package has no python2 or GTK2 dependencies + + - The package will be installed by default, but does not ask debconf + questions higher than medium + + - Packaging and build is easy, link to debian/rules: + https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules + + [UI standards] + - Application is end-user facing, Translation is NOT present. + + I did not find much trace of user interaction beside the following. + + $ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/ + src/sudo/pam.rs: user_warn!("Authentication failed, try again."); + src/sudo/pam.rs- } + -- + src/su/context.rs: user_warn!( + src/su/context.rs- "using restricted shell {}", + -- + src/su/mod.rs: user_warn!("Authentication failed, try again."); + src/su/mod.rs- } + -- + src/exec/mod.rs: user_error!("unable to change directory to {}: {}", path.display(), err); + src/exec/mod.rs- if is_chdir { + + + [Dependencies] + - No further depends or recommends dependencies that are not yet in main + [Rust dependencies are vendored per Rust MIR policy] + + [Standards compliance] + - This package correctly follows FHS and Debian Policy + + [Maintenance/Owner] + - The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for + that commitment + - The future owning team is already subscribed to the package + + - The team foundations-bugs is aware of the implications by a static build and + commits to test no-change-rebuilds and to fix any issues found for the + lifetime of the release (including ESM) + + - The team foundations-bugs is aware of the implications of vendored code and (as + alerted by the security team) commits to provide updates and backports + to the security team for any affected vendored code for the lifetime + of the release (including ESM). 
+ + - This package uses vendored rust code tracked in Cargo.lock as shipped, + in the source package + refreshing that code is outlined in debian/README.source + - This package uses vendored code, refreshing that code is outlined + in debian/README.source + + - This package is rust based and vendors all non language-runtime + dependencies + + - The package has been built within the last 3 months in the archive + - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1 + + [Background information] + Upstream Name is sudo-rs + Link to upstream project https://github.com/trifectatechfoundation/sudo-rs + https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7 + https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/
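Review bot: In [Security], the severity statement covers only the last two CVEs (Low, CWE-497); CVE-2023-42456 is listed with no severity or weakness class, and for a setuid binary that will be installed by default that should be stated alongside the other two. In [Quality assurance - testing], the autopkgtest line names "390x" and leaves out riscv64, while [Availability] lists s390x and riscv64; correct the name and say whether riscv64 is tested. The "link to build log TBD" on the build-time test bullet still needs a real link, and the last Discourse URL in [Background information] ends without a topic id.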
** Description changed: [Availability] The package rust-sudo-rs is already in Ubuntu universe. The package rust-sudo-rs build for the architectures it is designed to work on. - It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x + It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs [Rationale] The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo. The package rust-sudo-rs will generally be useful for a large part of our user base. rust-sudo-rs covers the most common sudo cases of sudo, not everything. sudo and sudo-rs, both will be supported in the next LTS. sudo-rs is recommended by sudo which we already support. There is no other/better way to solve this that is already in main or should go universe->main instead of this. All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement. The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly commited timeline. Earlier is better to get sufficient testing. [Security] - Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718) The issues were fixed quickly by the upstream. Last two are Low severity in the CWE-497 category. Upstream also maintains security advisories here https://github.com/trifectatechfoundation/sudo-rs/security/advisories https://www.openwall.com/lists/oss-security/2023/11/02/1 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason. https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well. - /usr/lib/cargo/bin/sudo has suid bit set. It is required by design. 
- Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software - (filters, scanners, plugins, UI skins, ...) + (filters, scanners, plugins, UI skins, ...) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does - not have too many, long-term & critical, open bugs - - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug - - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs - - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs + - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues - The package has important open bugs, listing them: - - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release + - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails - it makes the build fail, link to build log TBD + it makes the build fail, link to build log TBD - The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, 390x - link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs + link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs - The package does have not failing autopkgtests right now [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer 
field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf - questions higher than medium + questions higher than medium - Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules [UI standards] - Application is end-user facing, Translation is NOT present. I did not find much trace of user interaction beside the following. $ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/ src/sudo/pam.rs: user_warn!("Authentication failed, try again."); src/sudo/pam.rs- } -- src/su/context.rs: user_warn!( src/su/context.rs- "using restricted shell {}", -- src/su/mod.rs: user_warn!("Authentication failed, try again."); src/su/mod.rs- } -- src/exec/mod.rs: user_error!("unable to change directory to {}: {}", path.display(), err); src/exec/mod.rs- if is_chdir { - [Dependencies] - No further depends or recommends dependencies that are not yet in main - [Rust dependencies are vendored per Rust MIR policy] + [Rust dependencies are vendored per Rust MIR policy] [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for - that commitment + that commitment - The future owning team is already subscribed to the package - The team foundations-bugs is aware of the implications by a static build and - commits to test no-change-rebuilds and to fix any issues found for the - lifetime of the release (including ESM) + commits to test 
no-change-rebuilds and to fix any issues found for the + lifetime of the release (including ESM) - The team foundations-bugs is aware of the implications of vendored code and (as - alerted by the security team) commits to provide updates and backports - to the security team for any affected vendored code for the lifetime - of the release (including ESM). + alerted by the security team) commits to provide updates and backports + to the security team for any affected vendored code for the lifetime + of the release (including ESM). - This package uses vendored rust code tracked in Cargo.lock as shipped, - in the source package - refreshing that code is outlined in debian/README.source + in the source package + refreshing that code is outlined in debian/README.source - This package uses vendored code, refreshing that code is outlined - in debian/README.source + in debian/README.source - This package is rust based and vendors all non language-runtime - dependencies + dependencies + [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231] - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1 [Background information] Upstream Name is sudo-rs Link to upstream project https://github.com/trifectatechfoundation/sudo-rs https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7 https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/ ** Changed in: rust-sudo-rs (Ubuntu) Status: Incomplete => New ** Description changed: [Availability] The package rust-sudo-rs is already in Ubuntu universe. The package rust-sudo-rs build for the architectures it is designed to work on. 
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs [Rationale] The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo. The package rust-sudo-rs will generally be useful for a large part of our user base. rust-sudo-rs covers the most common sudo cases of sudo, not everything. sudo and sudo-rs, both will be supported in the next LTS. sudo-rs is recommended by sudo which we already support. There is no other/better way to solve this that is already in main or should go universe->main instead of this. All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement. The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly commited timeline. Earlier is better to get sufficient testing. [Security] - Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718) The issues were fixed quickly by the upstream. Last two are Low severity in the CWE-497 category. Upstream also maintains security advisories here https://github.com/trifectatechfoundation/sudo-rs/security/advisories https://www.openwall.com/lists/oss-security/2023/11/02/1 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason. https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well. - /usr/lib/cargo/bin/sudo has suid bit set. It is required by design. - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) 
[Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues - The package has important open bugs, listing them: - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log TBD + [MP in review for build time tests https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231] - The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, 390x link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs - The package does have not failing autopkgtests right now [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. 
- This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions higher than medium - Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules [UI standards] - Application is end-user facing, Translation is NOT present. I did not find much trace of user interaction beside the following. $ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/ src/sudo/pam.rs: user_warn!("Authentication failed, try again."); src/sudo/pam.rs- } -- src/su/context.rs: user_warn!( src/su/context.rs- "using restricted shell {}", -- src/su/mod.rs: user_warn!("Authentication failed, try again."); src/su/mod.rs- } -- src/exec/mod.rs: user_error!("unable to change directory to {}: {}", path.display(), err); src/exec/mod.rs- if is_chdir { [Dependencies] - No further depends or recommends dependencies that are not yet in main [Rust dependencies are vendored per Rust MIR policy] [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for that commitment - The future owning team is already subscribed to the package - The team foundations-bugs is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM) - The team foundations-bugs is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). 
- This package uses vendored rust code tracked in Cargo.lock as shipped, in the source package refreshing that code is outlined in debian/README.source - This package uses vendored code, refreshing that code is outlined in debian/README.source - This package is rust based and vendors all non language-runtime dependencies - [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231] + [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231] - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1 [Background information] Upstream Name is sudo-rs Link to upstream project https://github.com/trifectatechfoundation/sudo-rs https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7 https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2113928 Title: [MIR] rust-sudo-rs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2113928/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
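Review bot: In [Quality assurance - testing], the added "[MP in review for build time tests ...]" line contradicts the bullet it is attached to, which still says in the present tense that the package runs a test suite at build time and fails the build on failure, with the log link left as TBD. Reword the bullet to say that build-time tests are pending merge proposal 487231, and replace TBD with the build log once a build with the tests enabled exists.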
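Review bot: The "[MP in review, this should be done before the final Ack ...]" line under the vendoring bullets in [Maintenance/Owner] does not say what "this" refers to, and it points at the same merge proposal (487231) that the testing section cites for build-time tests. Name the outstanding vendoring item the MP resolves, or drop the line here if the MP only concerns tests. The two adjacent bullets that both say refreshing vendored code is outlined in debian/README.source can be merged into one.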
