I said it before and I'll say it again, probably not for the last time: people who really care about security would take a long, hard look at the *design* of sudo, where its weaknesses are, why it is so hard to make secure. (Hint: it's the genericity and the sudoers file syntax.)
They would write other, better tools to implement privilege escalation, and they'd have a better time ensuring it's secure. They could even write them in a memory-safe language, if they consider that it's important.
But taking *sudo* as is, not questioning its interface, and simply rewriting it in Rust, only screams "we don't care about having a holistic approach to security, we just hate C".
I suspect you're aware of this article, but if not, I suspect you may enjoy it.
https://www.sqlite.org/whyc.html
(and its companion: https://www.sqlite.org/testing.html )
@pyrex The SQLite arguments for C are indeed quite good! I hadn't seen the article on testing, though, so thanks for the link. Though I do not use SQLite (and do not plan to), I appreciate the extensive effort that goes into testing, and I could certainly learn a few things from them
It's slightly orthogonal to your point, but I think it's an example of someone making an actual model of what could go wrong (despite using C) and designing their processes around that!
(To be clear, I strongly agree with your original comments!)
@pyrex Yes, and this makes me appreciate SQLite more. With these processes, chances are the weaker link is SQL itself, not the implementation