Comment by OsamaJaber 9 hours ago
30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that
This is a good example of Diffusion of Responsibility.
Everybody thinks somebody else should help, so nobody does.
I don't think they even see it as their responsibility, more, "If he wanted money, he should have charged for his software".
If he actually did charge money someone else would've written an implementation of sudo to solve their own needs and avoid the overhead of transacting with a random developer.
I mean, he should just put a message when you run sudo the first time asking for funding if he wants it that bad, that should speed things up.
Seriously, just put a VAT on digital services to fund a system that pays out grants to individuals to help maintain open source software. It should be obvious by now that corporations will rat fuck the commons for monetary gain and there is a serious need for democratic initiatives to put technology back into the hands of the people.
Whenever people say that MIT or GPL licenses are a good idea I point out projects like this.
Only humans should have freedom zero. Corporations and robots must pay.
I am not sure sudo is licensed under MIT or GPL, looks it's like a mix of licenses[1]. The end of the first license says it's sponsored in part by DARPA.
From 2010 to February 2024, it was sponsored by Quest Software according to the history page[2].
[1] https://github.com/sudo-project/sudo/blob/main/LICENSE.md
> Corporations and robots must pay.
Greenpeace is a (non-profit) corporation. Unions are corporations. Municipalities. Colleges and universities.
* https://en.wikipedia.org/wiki/Legal_person
Should they have to pay?
As covered literally just a few days ago (IIRC), you absolutely can demand payment: https://github.com/LGUG2Z/komorebi actively works to detect MDM, and if found, demand payment.
Not open source, but an interesting counterpoint, I think.
Relevant articles are here
- https://lgug2z.com/articles/normalize-identifying-corporate-...
- https://lgug2z.com/articles/i-started-identifying-corporate-...
The post-open source space is indeed a very exciting space in 2026
That's a nice slogan, but how does it work?
Say, I clone sudo. Clearly, a human applying freedom zero. I use it in my projects. Probably still freedom zero. I use it in my CI pipeline for the stuff that makes me money... corporation or human? If it's corporation, what if I sponsor a not-for-profit that provides that piece of CI infra?
The problem is that "corporation or not" has more shades than you can reasonably account for. And, worse, the cost of accounting for it is more than any volunteer wants to shoulder.
Even if this were a hard and legally enforceable rule, what individual maintainer wants to sue a company with a legal department?
What could work is a large collective that licenses free software with the explicit goal of extracting money from corporate users and distributing it to authors. Maybe.
Not for commercial use without buying a license is a pretty standard licensing scheme. This has been worked out for decades.
And the shades in between account for the large number of new licensing schemes sprouting, with different restrictions on what is and isn't possible. (Not to mention the large number of "just used it anyways" instances). And it struggles for smaller utilities, or packages of many different things.
It's "worked out" in the sense that it still doesn't really work for a lot of maintainers.
The GPL is a good idea. It's our socieconomic system that isn't.
GPL is a response to the copyright law, which was created for the big corporations to extract rent from ordinary people.
It's copyright law which should go away.
> It's copyright law which should go away.
This precisely. What started out as a way of rewarding authorship (of text, software, or other things) has mainly become a way of extracting rent -- see the music, movie, and software industries. In the digital age, when the cost of making copies of such works is approximately zero, copyright law ceases to make sense.
Note that this does not mean you cannot make money selling software or software-related services. For example, game developers could still sell keys for online play on their servers even if they couldn't copyright the binaries.
Copyright law is hundreds of years old and originally was intended to prevent owner-operators of mechanical printing presses from printing and selling copies of some author's books without paying them or getting permission.
Including the hangups people have about AI training as well.
GPLv3 is a bit overreaching , especially in patent clauses. The GPL as idea is great but the license needs a little more refining
The constant fear of lawyers that using some GPL lib will infest entire codebase of their project with GPL is a real problem that stops many corporations from contributing in the first place.
Why would it be needed to continue the development of sudo?
Isn't it done and finished, after 30 years of development?
Things have changed quite a bit in the past 30 years!
I encourage you to peek at their changelog (https://www.sudo.ws/releases/changelog/) for more insight into why this project is still under active development.
Companies don’t step up and do things for the common good. They do things for profit. Occasionally that looks like they are charitable if the value of the PR is worth it for them.
No one[1] changes what product they are using based on funding or not of open source software. Companies will step in and fund it if they want control, like with Rust, or if the maintainer finally stops giving them free labor and they actually need the software.
[1] not enough people to alter finances
I disagree on "the most critical" part. You can be superuser at all times. I understand the arguments why not; I am pointing out that this is possible. Despite people claiming aliens will arrive and nothing will work, everything works fine when the superuser account is used too.
Also, I disagree that every company needs to pay the man. Funding is important, yes, but a *nix system is not crippled without sudo. You can change the permission systems. The superuser can do so too. It is not black magic. The permission system is trivial. sudo is simply a feature of convenience, not a "if sudo does not exist, nothing works" - that just makes no sense.
You can only fix that with leverage. The sudo maintainer doesn't have it. sudo is valuable, but if Todd stepped away, you could (and would) find other maintainers because it's so important.
If you want to fix it, you need organizational heft comparable to the companies using it, and the ability & willingness to make freeriding a more painful experience.
Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.
I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.
> A production environment should usually be setup up properly with explicit roles and normal access control.
… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.
Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.
I’d broaden that slightly to say you should try to have as few mechanisms for elevating privileges as possible: if you had tooling around sudo, dzdo, etc. for PAM, auditing, etc. I wouldn’t lightly add a third tool until you were confident that you had parity on that side.
> Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.
And doing cross-role actions may be part of that production environment.
You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.
But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.
In your example certbot is given permission to write to /var/www/.well-known/acme-challenge and to write certs somewhere. Your web server also has permission to read those files too.
There is no need for the acme client and web server to run as the same user. For reloads the certbot user can be given permission to just invoke the reload command / signal directly. There does not need to be sudo in between them.
I guess I don’t understand. Take RHEL. The sudo maintainer seeking a new sponsor affects upstream velocity and stewardship, not the deployed trust model of enterprise distributions. RHEL does not “follow HEAD.” It vendors a known-good snapshot and assumes long-term responsibility for it.
Core tools like sudo have survived things like this before