dragon.style is part of the decentralized social network powered by Mastodon.
I said it before and I'll say it again, probably not for the last time: people who really care about security would take a long, hard look at the *design* of sudo, where its weaknesses are, why it is so hard to make secure. (Hint: it's the genericity and the sudoers file syntax.)

They would write other, better tools to implement privilege escalation, and they'd have a better time ensuring it's secure. They could even write them in a memory-safe language, if they consider that it's important.

But taking *sudo* as is, not questioning its interface, and simply rewriting it in Rust, only screams "we don't care about having a holistic approach to security, we just hate C".

@pyrex The SQLite arguments for C are indeed quite good! I hadn't seen the article on testing, though, so thanks for the link. Though I do not use SQLite (and do not plan to), I appreciate the extensive effort that goes into testing, and I could certainly learn a few things from them 😅

@ska It's slightly orthogonal to your point, but I think it's an example of someone making an actual model of what could go wrong (despite using C) and designing their processes around that!

(To be clear, I strongly agree with your original comments!)

@pyrex Yes, and this makes me appreciate SQLite more. With these processes, chances are the weaker link is SQL itself, not the implementation 😁