Sudo is one of the poster children for creeping featuritis, to the point that the sudoers man page is a meme ("Don't despair if you are unfamiliar with EBNF ...")
Even OpenBSD gave up and implmented their own simplified replacement (doas).
On a long enough timeline, those fixes become fewer and less frequent as the codebase improves, but there is no "done" in software unfortunately. Hell, entropy itself means nothing is ever done, just in an ever-changing state.
Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.
With sudoedit you can give people permissions to edit particular files with elevated permissions.
> Even OpenBSD gave up and implmented their own simplified replacement (doas).
They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.
That is scary! I may need to look more at openbsd
I would expect another system to query ldap.
Maybe that's somehow related to why so many companies are shoving AI into a bunch of stuff that doesn't need it. Gotta keep everything on the hype train. Working and fulfilling people's needs is no longer good enough.
Software is never "done".
The underlying APIs are always changing. The compilers and system libraries are changing.
Featuritis is a thing, but rolling it back is non-trivial as there are folks who depend upon it.
I'm not sure what can be gained for further development of the OG c sudo, add security patches of course.
But fund adding yet another feature 99.9% of users will never use? I can't fathom the justification for that. Just adding attack surface at this point.
Rightly both doas and the *-rs drops ins intend to drop most of those unnecessary features.
What if the exploitative aspect is open source itself? Trick some above average but naive developers into giving their talent, effort, insights and time away for free or very little? Maybe open source or something similar could have been organized in a way that wasn't exploitative and wasn't (possibly) unsustainable, but that is not how things ended up with what Richard Stallman and others organized.
People having control over their computer (and even having the right to share what they run on their computer!) is completely compatible with people paying for software labor.
You give it away for free so don’t be surprised to get abused. Human nature working at its best and worst here.
You need to have an alternative, and it needs to be a credible and reliable one, to ensure that it does not end up being the case that one scam is replaced with another scam.
We have carved out a class of engagements, labeled it deeply asocial, criminalized it and now we pursue people who engage in it through legal means.
Business really doesn't have this. Personal example - last week I was at a place where the business owner tried to overcharge me by an order of magnitude and then verbally attacked me when I caught him and backed out of the transaction.
His google and yelp reviews are full of people claiming false charges and all kinds of fraud, refusal to correct and repeated abuse until they closed their cards. It's wildly obvious what's going on here and I was on the ball enough to catch it.
I contacted the police and they said "well you should call the BBB or something". It's dozens of reviews of clear credit card fraud and for some reason because he's a merchant, doesn't seem to hit the radar.
These are purely criminal matters - people acting habitually in bad faith with ill intent in a brazenly dishonest manner.
Whether it's plundering the commons, polluting the public discourse, or breaking other types of social compacts, these should be treated the same as any other crime.
You do have points, though, but there might at least be some actions that you and others can take in this case. Maybe a medium change like changing the law on this specific point might make sense.
Release it for free, no barrier to entry, no legal liability, the entire world can use it instantly. This is why free software spreads and catches on - precisely because it's free.
There is no way to form a business around FOSS without becoming a gatekeeping high-barrier entity. You can release for free then charge extra for consulting or special features, which many have done and continue to experiment with.
But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
Practically nobody downloads and installs sudo directly from the project website; people install it with their distribution of choice. The agreement could be automated and included in the licensing process. ie: the license gives specific distributions access to the software (either via paid or other agreed-upon terms appropriate to the distribution) and perhaps individual licensing terms for non-commercial entities.
Of course, the bigger ask in this decade is in use for training LLMs. OSS shouldn't be laundered through an LLM (IMHO) for license avoidance. Maybe some projects are OK with that (eg: many BSD licensed works.) There are some that likely aren't.
That seems like an area that's ripe for innovation. What does it take to get setup on a platform like Patreon? Seems like something similar ought to be setup for open source/independent development, probably an idealistic nonprofit.
> and the barrier for someone to use your product is suddenly extremely high, simply because it costs something.
All the organizations who really ought to pay are already setup to do all that, and do it all the time.
> But the core reason why FOSS spreads and took over is precisely why it is difficult to fund. No one is going to pay for something when the alternative is free. And the moment you start to charge some free alternative comes along and your prior users spurn you as greedy
What we need is innovation. Maybe a license that has a trip-wire? If not enough money is voluntarily deposited into a tip jar over a certain period of time, the license requires a modest payment from all for-profit organizations of a particular size.
That's up-front, is for the most part free, and incentivizes some payment.
Even if you add functionality to phone home, it can be removed by all but the dumbest offenders.
about the current state of Big Corp vampires who are happy to bleed everyone dry to put more $$ in their own very fat pockets
People aren't vampires because they're on top, they're on top because they're vampires.
Shit flows downstream
One approach is to have expectations to not only the economic system, but also other systems, and the different people involved, no matter if they're on the top, on the bottom, or somewhere in the middle.
Not trying to be glib here. This feels like the embrace, extend, extinguish pattern that we jokingly used to think was only Microsoft. It is now becoming more and more obviously the modus operandi of the entire enterprise software ecosystem.
I believe you are correct to be frustrated and ringing the alarm bell. This is a "death of the commons" moment for OSS.
sudo should have been a near complete tool after it was written.
What about the Rust rewrite (sudo-rs)? I think it shows people are interested in maintaining and/or modernizing tools taken for granted.
The Rust smokescreen is mostly being used to slowly eradicate the GPL.
Like Lenin said, "Who stands to gain?"
Edit:
To specify, new projects like sudo-rs may seem promising, but going by observation and experience with similar projects, there is no guarantee that sudo-rs and similar projects will be successful, good and continued to be maintained. The problems with old projects can end up applying to new projects as well. And projects in Rust are no exception, going by experience with existing, older Rust projects.
Aside, a pet peeve I have is that for instance Ruffle has not turned out as successful as I had hoped for, even after several years and many sponsors. The proprietary Flash runtimes written in C still outperform Ruffle greatly in some cases, causing problems for some users that want to use Ruffle instead of other runtimes.
This seems like a bit of a non-sequitur; the state of non-sudo-rs projects/libraries says nothing about the state of sudo-rs itself.
Not to mention that I'd imagine a similar statement would probably be true for projects and libraries written in any reasonably popular language.
Sudo uses the OpenBSD license, while sudo-rs is dual licensed under MIT and Apache 2.0. Both licenses seem equally permissive to me.
Maybe we need a license that's even more onerous to corporations than the AGPL, like something with a revenue share clause.
Or maybe the problem is the naivete of software engineers. In aggregate, there was so much embrace of libertarianism that no groundwork was laid to protect ourselves from things like AI and offshoring.
It's...frustrating, but those who do the work are the most qualified to explain what they need. For the rest of us, it's encouraging them to seek reasonable compensation for their work from those who exploit it for profit, and that doing so doesn't necessarily go against the spirit of open source.
The US economy of the 1980s, 1990s, and 2000s made it possible.
In my opinion, libertarianism in software is a hollow dream that leads people to make foolish decisions that can't be protected. This makes it easy for corporations to exploit and quash any barely audible opposition.
Almost as if by plan, the libertarian mindset has eroded and weakened open source protections, defanging and declawing it every step of the way.