30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that.

This is a good example of Diffusion of Responsibility.

Everybody thinks somebody else should help, so nobody does.

Google made 10^7 times as much money as I did last year. Yeah, I don't think it's as simple as you make it seem.

Google sponsors a lot of open source work: https://opensource.google/organizations-we-support

I wonder if sudo would be better off joining one of those open source foundations instead of staying solo. It's too small to justify a meaningful amount of contribution to these companies, at which point the bureaucratic overhead of dealing with it probably kills the motivation.

This is the current list but from a cursory look it lacks GSoC which has been a significant source of new contributors since forever.

I don't think they even see it as their responsibility, more, "If he wanted money, he should have charged for his software".

If he actually did charge money someone else would've written an implementation of sudo to solve their own needs and avoid the overhead of transacting with a random developer.

And then "If he wanted money, he should have charged for his software" would apply to that someone.

And in such a system, before long, we have an ecosystem that resembles the venereal disease masquerading as an add-on store we see in WordPress.

"Your 3-month sudo trial is expiring. Would you like to sign up for sudo-pro (best for hobbyists and small teams), sudo-business (up to 100 users) or sudo-enterprise (reach out for a quote)?"

Nightmarish, isn't it?

But that's how the higher-ups at places like IBM and Oracle see the world.

And these people are free to roam the streets unfettered. Hardly seems right.

I mean, he should just put a message when you run sudo the first time asking for funding if he wants it that bad, that should speed things up.

It would be removed by distros. XScreensaver had a notice when a user ran an old version, and Debian removed it.

Seriously, just put a VAT on digital services to fund a system that pays out grants to individuals to help maintain open source software. It should be obvious by now that corporations will rat fuck the commons for monetary gain and there is a serious need for democratic initiatives to put technology back into the hands of the people.

I would like to live in this utopia where free software is funded by the state. This seems impossible to get implemented in our world though.

Several states fund open science, and a couple of them actually do fund open source projects. Germany has its sovereign tech agency for this; France has publicly-funded research agencies that work on a lot of open source stuff, and there are others. There are EU initiatives as well.

It’s not perfect, but it is already something that is being done.

The EU does fund a lot of open source software.

So does the US. In fact they did for this software.

But how would that work? There isn't unlimited money, so who decides what software to support with state money and which developers? I don't have trust in a bureaucracy to decide which developers should get paid to work on sudo. Just look at the sudo-rs debacle, and that's without money involved.

You have a failure of imagination if this is what you think; luckily, in politics we don't have to listen to people like you and instead to those with an actual vision of a better future.

No thanks, we don't need yet another specialty tax paid out to a dubious selection of individuals.

Whenever people say that MIT or GPL licenses are a good idea I point out projects like this.

Only humans should have freedom zero. Corporations and robots must pay.

I am not sure sudo is licensed under MIT or GPL; it looks like a mix of licenses[1]. The end of the first license says it's sponsored in part by DARPA.

From 2010 to February 2024, it was sponsored by Quest Software according to the history page[2].

[1] https://github.com/sudo-project/sudo/blob/main/LICENSE.md

[2] https://www.sudo.ws/about/history/

> Corporations and robots must pay.

Greenpeace is a (non-profit) corporation. Unions are corporations. Municipalities. Colleges and universities.

* https://en.wikipedia.org/wiki/Legal_person

Should they have to pay?

I used to volunteer for a local non-profit a few years ago.

From time to time, I would reflect on the fact that Microsoft and other commercial suppliers were getting paid for providing services to us, but I was expected to work for free.

Yes. Non-profits are more than capable of abusing the commons, the purpose of even small monetary requirements is to put a bound on that.

If Mozilla and Wikimedia can pay millions in salary to their CEOs, I'm sure that they can spare a few thousands for open source projects.

Yes. Not for profit does not mean they don’t have money.

With that logic why should non profits have to pay for anything at all?

By the same logic they are tax-exempt. There is a general consensus that their goal is the greater good (like developing sudo and such) and not the usual capitalistic good of generating more money.

Then again, your usual Friday outing of FANG engineers may have more money than some nonprofits too.

Yes.

That's a nice slogan, but how does it work?

Say, I clone sudo. Clearly, a human applying freedom zero. I use it in my projects. Probably still freedom zero. I use it in my CI pipeline for the stuff that makes me money... corporation or human? If it's corporation, what if I sponsor a not-for-profit that provides that piece of CI infra?

The problem is that "corporation or not" has more shades than you can reasonably account for. And, worse, the cost of accounting for it is more than any volunteer wants to shoulder.

Even if this were a hard and legally enforceable rule, what individual maintainer wants to sue a company with a legal department?

What could work is a large collective that licenses free software with the explicit goal of extracting money from corporate users and distributing it to authors. Maybe.

Not for commercial use without buying a license is a pretty standard licensing scheme. This has been worked out for decades.

The challenge is that this doesn't really work for community-developed software.

Let's say somebody uses this scheme for software they wrote. Would anybody else ever contribute significantly if the original author would benefit financially but they wouldn't?

Mediating the financial benefits through a non-profit might help, but (1) there's still a trust problem: who controls the non-profit? and (2) that's a lot of overhead to set up when starting out for a piece of software that may or may not become relevant.

And the shades in between account for the large number of new licensing schemes sprouting, with different restrictions on what is and isn't possible. (Not to mention the large number of "just used it anyways" instances). And it struggles for smaller utilities, or packages of many different things.

It's "worked out" in the sense that it still doesn't really work for a lot of maintainers.

What happens when the code is abandoned? Can I make my own changes whenever I want?

The problem with commercial software is the lock in.

The behavior of corporations is shameful.

After all, people in these companies don't work for free and are able to spend a lot of money for other services.

Haven't you just hit the nail on the head? Corporations do not feel shame even if people within them do; hence actions . . .

You can demand payment but it doesn't mean you'll get paid. These days companies will clone your work instead of paying.

As covered literally just a few days ago (IIRC), you absolutely can demand payment: https://github.com/LGUG2Z/komorebi actively works to detect MDM, and if found, demand payment.

Not open source, but an interesting counterpoint, I think.

Relevant articles are here

- https://lgug2z.com/articles/normalize-identifying-corporate-...

- https://lgug2z.com/articles/i-started-identifying-corporate-...

The post-open source space is indeed a very exciting space in 2026.

That's not post-open source. That's dual licensing, a use case FOSS has enabled and supported forever.

> any time someone says something is post-$thing it means what they are doing is in dialogue with and in response to $thing. “we were doing that before $thing” no, you can’t be in dialogue with something that hasn’t happened yet.

> this is like saying “what do you mean post-modernist architecture, architecture predates modernism”.

https://lobste.rs/s/kaftkn/i_started_identifying_corporate_d...

Releasing open source software and then “demanding payment” goes against everything about open source.

If someone expects to be paid for the use of their software, releasing it as open source is not what they want.

If a maintainer of a software project starts trying to demand payment or threatening to change license terms, it’s a reasonable response for a company to fork it or build their own solution.

And this is why all new projects by independent developers should seriously consider using a post-open source license before defaulting to corporate-friendly/corporate-first OSI licenses.

I think they should expect payment from the job they're working, not opensource or "post-opensource" work.

Yep, this kind of attitude is even more reason to reject the broken status quo.

The GPL is a good idea. It's our socioeconomic system that isn't.

GPL is a response to copyright law, which was created for the big corporations to extract rent from ordinary people.

It's copyright law which should go away.

> It's copyright law which should go away.

This precisely. What started out as a way of rewarding authorship (of text, software, or other things) has mainly become a way of extracting rent -- see the music, movie, and software industries. In the digital age, when the cost of making copies of such works is approximately zero, copyright law ceases to make sense.

Note that this does not mean you cannot make money selling software or software-related services. For example, game developers could still sell keys for online play on their servers even if they couldn't copyright the binaries.

Copyright law is hundreds of years old and originally was intended to prevent owner-operators of mechanical printing presses from printing and selling copies of some author's books without paying them or getting permission.

It was created when there was a scarcity of content, so state violence was used to encourage production of content.

But now we don't live in the age of scarcity of content. On the contrary, content creators are competing for a possibility to get into consumers' attention span and push their agenda (ads). Everything has changed.

Removing all copyright restriction will not decrease the amount of content available for a person through their lifetime even a few percent.

> originally was intended to prevent owner-operators of mechanical printing presses from printing and selling copies of some author's books without paying them or getting permission.

We agree that that was its initial stated intention.

However, what we have seen in practice is that it has resulted in the owner-operators of those machines banding together to restrict access to the machines unless authors sign exploitative contracts assigning their rights to the operators (which they interpret as "getting permission").

The world has changed substantially since the 1710 Statute of Anne; there are a thousand things that you could call the modern-day equivalent of mechanically printing a book, with myriad capital and operating costs and availability. Many ways an independent author or artist can publish their work are extremely cheap and effective. I'm relatively anti-copyright, but that doesn't mean that everyone currently benefiting from copyright law is rent-seeking in an exploitative way.

GPL is much more than that. It is distributing the means of production to the tech workers.

rms is the Marx of the 20th Century. GPL is freedom from corporate oppression.

No it's not. GPL is quite the opposite. GPL means that "you own what you buy", which is the foundation of capitalism. You own what you buy, including programs, which you can buy, replicate, modify, and sell.

Due to the nature of software, especially in the 80s, it existed in both text and binary form, which made it easy to pervert the nature of selling software from selling code to selling binaries, and big companies went even further in their collusion with the government socialists by making even re-selling your own binaries illegal.

GPL is just trying to fight this madness with its own weapon. The GPL is an attempt to go back to capitalism of small business owners and individual service providers.

Going from the capitalism of small business owners to the market socialism of coops is a small step ;)

Well, none of the implementations of Marxism in the 20th century worked like this, so I dare to disagree.

Of course, you can always say that America is exceptional, and she will have "Marxism with American characteristics", just like China switched from true socialism to "socialism with Chinese characteristics", but I would still recommend avoiding the word which is associated with the GULAG and mass starvation.

Including the hangups people have about AI training as well.

Everything is a good idea if you assume a world in which it works.

Communism has entered the chat.

That, for example, would be a better system. One the GPL would work beautifully in.

If you can't explain why it did not work in the past, and can't explain how & why things will be different this time, you don't have a plan. History is a harsh mistress.

It works, but you need real human staff. And we learn from history that we don’t learn which can be harsh.

Communism worked in China, for some definition of "worked". Stalinism eventually failed in the USSR and elsewhere. An extensive literature explains these things, as well as explaining different forms and varieties of "communism", and things that people call "communism" but aren't.

Communism worked so well in China that as soon as they adopted something resembling free markets in some regions, thanks to Deng Xiaoping, their GDP per capita rose amazingly fast for 3~4 decades. Not exactly a stellar example.

China is still communist. Again communism has worked for some definition of "worked". This is an objective statement, not an endorsement of Chinese communism.

As a person who had a privilege to live in a commie-block half his life, no, it isn't a better system.

That was Stalinism, not communism. And there are many ways to implement communism, some of which are better than others.

If anything, Stalin-era commie blocks are better than the Khrushchev-era commie block I lived in. That particular brand of communism had a tendency to paperclip-optimize everything in a weird way. Like it's really the opposite of capitalism, where you go from an MVP to a fully usable product, but in reverse. You would think it's optimization, but then you regulate the temperature in winter by opening the window.

In terms of housing, and speaking only from personal experience, the European brand of social democracy seems to get it.

GPLv3 is a bit overreaching, especially in the patent clauses. The GPL as an idea is great, but the license needs a little more refining.

The constant fear of lawyers that using some GPL lib will infest the entire codebase of their project with GPL is a real problem that stops many corporations from contributing in the first place.

You can only fix that with leverage. The sudo maintainer doesn't have it. sudo is valuable, but if Todd stepped away, you could (and would) find other maintainers because it's so important.

If you want to fix it, you need organizational heft comparable to the companies using it, and the ability & willingness to make freeriding a more painful experience.

Wasn't the sudo-rs (rust version) already reducing that leverage even further? (and finding interesting bugs, but that's not the point here)

Surprisingly Jia Tan has not offered to help yet.

Maybe someone should suggest that sudo needs compression capabilities, and suggest a great developer who could be helpful with that one? :D

Jia Tan and his 40 sockpuppets are undoubtedly trying.

I disagree on "the most critical" part. You can be superuser at all times. I understand the arguments why not; I am pointing out that this is possible. Despite people claiming aliens will arrive and nothing will work, everything works fine when the superuser account is used too.

Also, I disagree that every company needs to pay the man. Funding is important, yes, but a *nix system is not crippled without sudo. You can change the permission systems. The superuser can do so too. It is not black magic. The permission system is trivial. sudo is simply a feature of convenience, not a "if sudo does not exist, nothing works" - that just makes no sense.

You don't even have to be root all the time, su is all you need unless you have a fetish for software bloat.

Right? A company stepping up and cutting a check to support this would get positive publicity, and they'd be doing something good for the community at large. Someone step up.

Companies don’t step up and do things for the common good. They do things for profit. Occasionally that looks like they are charitable if the value of the PR is worth it for them.

No one[1] changes what product they are using based on funding or not of open source software. Companies will step in and fund it if they want control, like with Rust, or if the maintainer finally stops giving them free labor and they actually need the software.

[1] not enough people to alter finances

I guess I don’t understand. Take RHEL. The sudo maintainer seeking a new sponsor affects upstream velocity and stewardship, not the deployed trust model of enterprise distributions. RHEL does not “follow HEAD.” It vendors a known-good snapshot and assumes long-term responsibility for it.

Core tools like sudo have survived things like this before.

Why would it be needed to continue the development of sudo?

Isn't it done and finished, after 30 years of development?

It's all bug fixes it seems. What is surprising is that so many bugs remain even after all this time and effort. And no, for the most part these are not the kinds of bugs that are squashed by a rewrite in Rust.

The monthly releases seem to indicate otherwise.

Something's deeply wrong here.

Things have changed quite a bit in the past 30 years!

I encourage you to peek at their changelog (https://www.sudo.ws/releases/changelog/) for more insight into why this project is still under active development.

I just learned about amathia (https://modernstoicism.com/there-is-nothing-banal-about-phil...), which seems to apply here.

It's a kitchen sink tool that does way too many things.

Then fork it and finish it. I’m sure it will be a huge success.

You should look up "doas". It might enlighten you.

If you have a point to make then make it. I don’t accept anonymous homework assignments.

> one of the most critical pieces of infrastructure

It's really not.

How is it not? A suid binary installed on pretty much every Unix system ever seems pretty critical to me.

Living without it isn't hard IMO. It's more of a convenience. Most of the servers I ever log in to only have one non-root user anyway. When I need root, I switch to root.

And how do you switch to root? sudo is the most popular way.

Reminds me of https://xkcd.com/2347/

I wonder how many guys who have written or significantly maintained "household name" level FOSS products just earn a corporate sinecure somewhere as hypercompetent remote sysadmins or ICs or something. Folks who don't necessarily care to earn top dollar, with all the headaches that entails, but also almost never have to actually work more than 2 hours in a given day to keep the ship going, and the arrangement is just so cozy and gives them enough time to themselves to work on their actual passion that they accept the arrangement.

I know of at least one recruiter who does something like this and specializes in greybeard hiring, and it seems like a steady niche if you have the network to pull it off.

At the least, all the hyperscalers should be putting money into a fund for this sort of thing.

Why would you be running sudo in production? A production environment should usually be set up properly with explicit roles and normal access control.

Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.

I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.

> A production environment should usually be set up properly with explicit roles and normal access control.

… and sudo is a common tool for doing that, so you can do things like say that members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.

Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.

PSA for anyone reading this, you should probably use polkit instead of sudo if you just want to grant systemd-related permissions, like restarting a service, to an unprivileged user.

It's roughly the same complexity (one drop-in file) to implement.

I'd broaden that slightly to say you should try to have as few mechanisms for elevating privileges as possible: if you had tooling around sudo, dzdo, etc. for PAM, auditing, etc., I wouldn't lightly add a third tool until you were confident that you had parity on that side.

Privilege escalation (superuser capabilities) and RBAC ought to be viewed differently, IMO.

There's a place for true superusers, such as auditing, where no stone should be too heavy. But mostly for securing systems, we want RBAC, and sudo is abused as a pile-driver where only a mallet was needed. Polkit is more of a proper policy toolkit.

That’s a valid choice. I’m just saying that you should pick ideally one tool for that class of work. For example, if you support one tool for Mac and Linux users that’s probably worth more than supporting two similar tools even if one of them is better.

What's the benefit?

You can acquire permission on-demand and scoped more tightly.

> Why would you be running sudo in production? A production environment should usually be setup up properly with explicit roles and normal access control.

And doing cross-role actions may be part of that production environment.

You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.

But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.

In your example certbot is given permission to write to /var/www/.well-known/acme-challenge and to write certs somewhere. Your web server also has permission to read those files too.

There is no need for the acme client and web server to run as the same user. For reloads the certbot user can be given permission to just invoke the reload command / signal directly. There does not need to be sudo in between them.
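The two options the thread discusses for the ACME-renewal case, a narrowly scoped sudoers rule for the service account and the polkit rule that lets the same account reload the unit with no sudo at all, written out as an added example that is not from any commenter. It assumes a service user named acme, an nginx.service unit and systemctl at /usr/bin/systemctl; the directory arguments stand in for /etc/sudoers.d and /etc/polkit-1/rules.d so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: user "acme",
# unit "nginx.service", systemctl at /usr/bin/systemctl.
set -eu

# Option 1: a sudoers drop-in granting exactly one command line.
# $1 = directory standing in for /etc/sudoers.d. Prints the file path.
write_sudoers_rule() {
    dir=$1
    f="$dir/acme-reload"
    cat > "$f" <<'EOF'
# Let the acme service account reload nginx and nothing else.
# The argument list is part of the rule, so other systemctl verbs are denied.
acme ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx.service
EOF
    chmod 0440 "$f"   # sudo ignores drop-ins that are group/world writable
    # Before installing for real, check syntax with: visudo -cf "$f"
    printf '%s\n' "$f"
}

# Option 2: a polkit rule so "systemctl reload nginx.service" succeeds when
# run directly as acme. systemd exposes the unit and verb as action details.
# $1 = directory standing in for /etc/polkit-1/rules.d. Prints the file path.
write_polkit_rule() {
    dir=$1
    f="$dir/50-acme-reload-nginx.rules"
    cat > "$f" <<'EOF'
// Allow only the acme user, only the reload verb, only nginx.service.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        action.lookup("unit") == "nginx.service" &&
        action.lookup("verb") == "reload" &&
        subject.user == "acme") {
        return polkit.Result.YES;
    }
});
EOF
    chmod 0644 "$f"
    printf '%s\n' "$f"
}

# Defender's lint for a sudoers drop-in: succeeds only if no non-comment
# line grants the command "ALL" or uses a wildcard in the command spec.
sudoers_is_narrow() {
    ! grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" \
        | grep -Eq '(:|=)[[:space:]]*ALL[[:space:]]*$|\*'
}
```

Run it against a temporary directory first; a rule that fails sudoers_is_narrow is one to rewrite before it reaches /etc/sudoers.d.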

Almost everyone is running sudo in production.

The fact that this is a reply to the content in the parent just demonstrates the complete lack of social skills or empathy many in this community are known for.

Auditing.

Bro, I just want to apt install gimp :(