Posted by wodniok 4 hours ago

Todd C. Miller – Sudo maintainer for over 30 years (www.millert.dev)
224 points | 128 comments
OsamaJaber 3 hours ago|
30+ years maintaining one of the most critical pieces of infrastructure on nearly every Linux and Unix system, and he's currently looking for a sponsor to fund continued development. Every company running sudo in production owes this man. Someone should fix that.
noosphr 1 hour ago||
Whenever people say that MIT or GPL licenses are a good idea I point out projects like this.

Only humans should have freedom zero. Corporations and robots must pay.

omoikane 35 minutes ago|||
I am not sure sudo is licensed under MIT or GPL; it looks like a mix of licenses:

https://github.com/sudo-project/sudo/blob/main/LICENSE.md

The end of the first license says it's sponsored in part by DARPA.

wmf 1 hour ago||||
You can demand payment but it doesn't mean you'll get paid. These days companies will clone your work instead of paying.
zhengyi13 57 minutes ago|||
As covered literally just a few days ago (IIRC), you absolutely can demand payment: https://github.com/LGUG2Z/komorebi actively works to detect MDM, and if found, demand payment.

Not open source, but an interesting counterpoint, I think.

bsnnkv 23 minutes ago||
Relevant articles are here

- https://lgug2z.com/articles/normalize-identifying-corporate-...

- https://lgug2z.com/articles/i-started-identifying-corporate-...

The post-open source space is indeed a very exciting space in 2026

saubeidl 36 minutes ago||||
The GPL is a good idea. It's our socioeconomic system that isn't.
groby_b 1 hour ago|||
That's a nice slogan, but how does it work?

Say, I clone sudo. Clearly, a human applying freedom zero. I use it in my projects. Probably still freedom zero. I use it in my CI pipeline for the stuff that makes me money... corporation or human? If it's corporation, what if I sponsor a not-for-profit that provides that piece of CI infra?

The problem is that "corporation or not" has more shades than you can reasonably account for. And, worse, the cost of accounting for it is more than any volunteer wants to shoulder.

Even if this were a hard and legally enforceable rule, what individual maintainer wants to sue a company with a legal department?

What could work is a large collective that licenses free software with the explicit goal of extracting money from corporate users and distributing it to authors. Maybe.

conception 1 hour ago||
Not for commercial use without buying a license is a pretty standard licensing scheme. This has been worked out for decades.
groby_b 23 minutes ago|||
And the shades in between account for the large number of new licensing schemes sprouting, with different restrictions on what is and isn't possible. (Not to mention the large number of "just used it anyways" instances). And it struggles for smaller utilities, or packages of many different things.

It's "worked out" in the sense that it still doesn't really work for a lot of maintainers.

mulmen 25 minutes ago|||
What happens when the code is abandoned? Can I make my own changes whenever I want?

The problem with commercial software is the lock in.

brightball 2 hours ago|||
This is a good example of Diffusion of Responsibility.

Everybody thinks somebody else should help, so nobody does.

lenerdenator 1 hour ago|||
I don't think they even see it as their responsibility, more, "If he wanted money, he should have charged for his software".
shimman 1 hour ago|||
Seriously, just put a VAT on digital services to fund a system that pays out grants to individuals to help maintain open source software. It should be obvious by now that corporations will rat fuck the commons for monetary gain and there is a serious need for democratic initiatives to put technology back into the hands of the people.
af78 44 minutes ago|||
Surprisingly Jia Tan has not offered to help yet.
tuhgdetzhh 11 minutes ago|||
Reminds me of https://xkcd.com/2347/
boringg 3 hours ago|||
Right? A company that stepped up and cut a check to support this would get positive publicity, and they'd be doing something good for the community at large. Someone step up.
lovich 38 minutes ago||
Companies don’t step up and do things for the common good. They do things for profit. Occasionally that looks like they are charitable if the value of the PR is worth it for them.

No one[1] changes what product they are using based on funding or not of open source software. Companies will step in and fund it if they want control, like with Rust, or if the maintainer finally stops giving them free labor and they actually need the software.

[1] not enough people to alter finances

groby_b 1 hour ago|||
You can only fix that with leverage. The sudo maintainer doesn't have it. sudo is valuable, but if Todd stepped away, you could (and would) find other maintainers because it's so important.

If you want to fix it, you need organizational heft comparable to the companies using it, and the ability & willingness to make freeriding a more painful experience.

shevy-java 1 hour ago|||
I disagree on "the most critical" part. You can be superuser at all times. I understand the arguments why not; I am pointing out that this is possible. Despite people claiming aliens will arrive and nothing will work, everything works fine when the superuser account is used too.

Also, I disagree that every company needs to pay the man. Funding is important, yes, but a *nix system is not crippled without sudo. You can change the permission systems. The superuser can do so too. It is not black magic. The permission system is trivial. sudo is simply a feature of convenience, not a "if sudo does not exist, nothing works" - that just makes no sense.

oconnore 3 hours ago||
Why would you be running sudo in production? A production environment should usually be set up properly with explicit roles and normal access control.

Sudo is kind of a UX tool for user sessions where the user fundamentally can do things that require admin/root privileges but they don't trust themselves not to fat finger things so we add some friction. That friction is not really a security layer, it's a UX layer against fat fingering.

I know there is more to sudo if you really go deep on it, but the above is what 99+% of users are doing with it. If you're using sudo as a sort of framework for building setuid-like tooling, then this does not apply to you.

acdha 2 hours ago|||
> A production environment should usually be set up properly with explicit roles and normal access control.

… and sudo is a common tool for doing that so you can do things like say members of this group can restart a specific service or trigger a task as a service user without otherwise giving them root.

Yes, there are many other ways to accomplish that goal but it seems odd to criticize a tool being used for its original purpose.

pphysch 1 hour ago||
PSA for anyone reading this, you should probably use polkit instead of sudo if you just want to grant systemd-related permissions, like restarting a service, to an unprivileged user.

It's roughly the same complexity (one drop-in file) to implement.
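
As an added example (not code from this thread, nor from the polkit or sudo projects): the kind of polkit rules drop-in acdha and pphysch describe above, giving one group the right to reload or restart one unit and nothing else. The rule is wrapped in a constructed stand-in for polkit's rules engine so it can be exercised offline; only the `polkit.addRule(...)` call is what the `.rules` file would contain. The action id `org.freedesktop.systemd1.manage-units` and the `unit`/`verb` details are what systemd passes to polkit; the group name `webops`, the file name, and the `authorize`/`decide` harness functions are assumptions made for this example.

```javascript
// Constructed example: polkit drop-in that lets members of "webops" reload
// or restart nginx.service. On a real host only the polkit.addRule(...) call
// below would be placed in /etc/polkit-1/rules.d/10-webops-nginx.rules
// (file name assumed); everything else is a stand-in so the rule can run here.

// --- stand-in for polkit's JavaScript environment (not part of polkit) ---
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  addRule(fn) { rules.push(fn); },
};

// Minimal action/subject objects exposing only what the rule relies on.
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// Rules are consulted in registration order; the first definite answer wins,
// and a rule that returns nothing (or NOT_HANDLED) falls through to the
// default policy, which for manage-units means an admin auth prompt.
function authorize(action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// --- the drop-in rule itself: this is the content of the .rules file ---
// systemd reports the target unit and the requested operation as action
// details, so the rule pins both instead of granting blanket manage-units
// rights (which would cover every unit on the system).
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") return;
  const unit = action.lookup("unit");
  const verb = action.lookup("verb");
  if (subject.isInGroup("webops") &&
      unit === "nginx.service" &&
      (verb === "reload" || verb === "restart")) {
    return polkit.Result.YES;
  }
  // Other units, other verbs, other users: leave it to the default policy.
});

// Harness helper (assumed): ask the engine what happens for one request.
function decide(user, groups, unit, verb) {
  const action = makeAction("org.freedesktop.systemd1.manage-units", { unit, verb });
  return authorize(action, makeSubject(user, groups));
}

// Sample requests (constructed) to show the allow/fall-through boundary.
console.log(decide("alice", ["webops"], "nginx.service", "reload"));   // yes
console.log(decide("alice", ["webops"], "nginx.service", "stop"));     // not_handled
console.log(decide("alice", ["webops"], "sshd.service", "restart"));   // not_handled
console.log(decide("bob", ["users"], "nginx.service", "reload"));      // not_handled
```

The point of checking both `unit` and `verb` is the same one the sudoers approach has to get right: a rule that only checks the group, or only the action id, quietly grants control over every unit on the host. Whichever mechanism you pick, the check to make is `pkcheck` or a `systemctl` run as the unprivileged user, confirming that reloading nginx succeeds without a prompt while stopping it or touching another unit still asks for admin credentials.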

acdha 23 minutes ago||
I’d broaden that slightly to say you should try to have as few mechanisms for elevating privileges as possible: if you had tooling around sudo, dzdo, etc. for PAM, auditing, etc. I wouldn’t lightly add a third tool until you were confident that you had parity on that side.
throw0101a 2 hours ago||||
> Why would you be running sudo in production? A production environment should usually be set up properly with explicit roles and normal access control.

And doing cross-role actions may be part of that production environment.

You could configure an ACME client to run as a service account to talk to an ACME server (like Let's Encrypt), write the nonce files in /var/www, and then the resulting new certificate in /etc/certs. But you still need to restart (or at least reload) the web/IMAP/SMTP server to pick up the updated certs.

But do you want the ACME client to run as the same service user as the web server? You can add sudo so that the ACME service account can tell the web service account/web server to do a reload.

bigstrat2003 2 hours ago||||
Almost everyone is running sudo in production.
bloqs 2 hours ago||||
The fact this is a reply to the content in the parent just demos the complete lack of social skills or empathy many in this community are known for.
bobmcnamara 2 hours ago|||
Auditing.
arjie 43 minutes ago||
I think the rise of the open-source redistributor groupie has been an interesting cultural revolution. I wonder if it will persist. Even 10 years ago, the idea of Free As In Speech dominated the idea of Free Software. Today, the greatest enthusiasm on Hacker News and Reddit is for something like Meta's Llama license (which cannot be used by people or corps with sufficient numbers of users). It certainly seems like someone out there could go out and propose the Microfree License which only applies to sufficiently non-rich people.

For my part, I want none of it. I find this reduction of a significant philosophy to some kind of base tax-and-distribute mechanism distasteful. I don't like communities where this stuff is big and they always want to run some taxation scheme where they redirect money to their own personal pet projects. It is fortunate that modern tools are good enough to build personal insulation from this stuff.

Imagine the farce of Apply HN repeated continuously. Simply awful.

fdupress 4 hours ago||
Seeing the server temperatures go up as this gets posted to HN is fun. I'm not sure his server agrees.
divbzero 3 hours ago|
“Machine Room Temperature” from Todd C. Miller’s website:

https://www.millert.dev/therm/

Server exhaust fan temperature was typically 94°F (ranged 92°F to 96°F) over the previous week and has climbed to 97°F.

divbzero 2 hours ago||
But, on the whole, the server seems to be doing well enough for something near the top of HN. The website is served by nginx and appears to be mostly static pages.
wodniok 4 hours ago||
Quote from Website: "For the past 30+ years I’ve been the maintainer of sudo. I’m currently in search of a sponsor to fund continued sudo maintenance and development. If you or your organization is interested in sponsoring sudo, please let me know."
ryandrake 58 minutes ago||
Reading the release history[1], I'm kind of shocked that sudo gets active development and monthly releases. I would have thought that something this old and venerated would have been "done" long ago.

1: https://www.sudo.ws/releases/devel/

sizzzzlerz 32 minutes ago||
I was wondering the same thing. I would have thought every possible combination of parameters would have been tried by now. I guess it just goes to show you that your code is never really complete.
hobofan 50 minutes ago||
"Done" software is a myth they tell to young developers so that they can sleep easy at night.
shevy-java 1 hour ago||
The funding problem is an issue.

We need to find better models. Even if it is just "low(er)" payment; that would still be better than zero or near zero payment.

larodi 1 hour ago|
Universal Global Contributor Wellness Fund

It may also fund retirements for certain individuals, and there is for sure enough free juice to get it started in a very reasonable way. These people really deserve it, the same way Nobels exist, etc.

thelastgallon 1 hour ago||
There's also NTP.

The Largely Untold Story Of How One Guy In California Keeps The World’s Computers Running On The Right Time Zone: https://onezero.medium.com/the-largely-untold-story-of-how-o...

https://xkcd.com/2347/

debo_ 15 minutes ago|
You forgot the more relevant: https://xkcd.com/149/
debo_ 17 minutes ago||
Someone make this man a sandwich.

https://xkcd.com/149/

akokanka 4 hours ago||
Have used sudo millions of times. It's so smooth I don't even consider it software. Thinking that sudo could give me a bug one day haunts me now. Thanks Miller for your work!
anigbrowl 1 hour ago|
I've said it before, open source works poorly in this area. It's great if everyone's getting paid fat money in a day job and can maintain their pet project a few days a month, but that's just not true for a lot of people.

It's disgusting that maintainers of critical projects have to go through the humiliation of begging for money, and absurd to suggest they all hang out Ko-fi or Patreon banners. Realistically nobody is going to go through their bash history working out what utilities they use in order of frequency and allocating funds to the maintainers proportionally. I'm baffled that some entity like the Linux Software Foundation isn't administering this already.

phicoh 1 hour ago||
I wonder if a few people going beyond what is reasonable is representative of open source projects.

For a lot of open source projects, if you have a normal day job and spend a few hours per week on a project, then the project just never gets very big. It exists, may have a few users. But on a larger scale, nobody knows it exists.

The exceptions are projects where developers spend a lot of time on the project at the expense of a day job. Though there is the possibility that they may have a hard time having a day job in the first place, which may have led to the situation with the open source project.

In general, I think we do have a culture problem where we think projects need to be successful. And people working on a project 'need' to support users (who in general don't pay).

And that expectation of free work happens throughout the open source ecosystem as well. Distributions expect projects to fix bugs for free. Open source projects expect libraries and compilers to be maintained.

Ultimately, change has to come from people who refuse to work for free. Doing something as a hobby for free is perfectly fine. As long as it stays within the scope of a hobby project.

fragmede 1 hour ago|||
> Realistically nobody is going to go through their bash history working out what utilities they use in order of frequency and allocating funds to the maintainers proportionally.

Not if we don't make it easy for them. I had Claude whip up fundcli a while ago, but this post got me to finally upload it. It goes through your http://atuin.sh/ history (raw .bash_history/.*history doesn't have enough information) and generates links to projects for you to donate to.

    git clone https://github.com/fragmede/fundcli
    uv run src/fundcli/cli.py analyze
    uv run ./src/fundcli donate --amount 100
to get links to donate $100 for last month's usage. There's also http://thanks.dev if you're looking for other places to donate to based on your open source usage.
jongjong 1 hour ago||
I feel like this should have been the responsibility of investors and venture capitalists. In a normal society, the moneyed folks should give special treatment to the folks who have proven themselves to be effective givers.

Unfortunately, it seems like either the moneyed folks don't care or the current financial structure simply does not support this.
