Why should something like sudo not be "done" after 30 years?

Sudo is one of the poster children for creeping featuritis, to the point that the sudoers man page is a meme ("Don't despair if you are unfamiliar with EBNF ...")

Even OpenBSD gave up and implmented their own simplified replacement (doas).

Different platform but the simplest mainframe utility IEFBR14, a noop process to trigger JCL events started as one instruction. Then two. Then debate started about which machine instruction should be used to set the return code to zero …

Bugfixes and security vulnerabilities, mostly. So long as fallible humans make fallible hardware running fallible software that in turn executes and/or compiles fallible code, there will always be a need for continued development of critical tooling and packages.

On a long enough timeline, those fixes become fewer and less frequent as the codebase improves, but there is no "done" in software unfortunately. Hell, entropy itself means nothing is ever done, just in an ever-changing state.

> Why should something like sudo not be "done" after 30 years?

Because new needs arise over time. For example, when I started in IT the "sudoedit" functionality was not present and so allowing someone to do "sudo vi …" would allow them breakout of the editor when it was running as root.

With sudoedit you can give people permissions to edit particular files with elevated permissions.

> Even OpenBSD gave up and implmented their own simplified replacement (doas).

They did not "give up": they found they needed only much simpler functionality shipped in the base OS. For example, sudo has functionality to talk to LDAP (which I've used at multiple jobs over the years), but is not needed for a local-only box. Once you need centralized account and privilege management, doas becomes much less useful.

Even if sudo itself never changed, the system around it changes pretty drastically. I agree the scope of the tool should be smaller and it violates the Unix philosophy (whatever that is worth these days)

This community and others like it are so weird in that if they see something as stable as sudo but without recent commits, rather than conclude that it's solid and doesn't need further changes, they see it as some kind of a problem and want to switch to something that's seen major changes in the last week.

Maybe that's somehow related to why so many companies are shoving AI into a bunch of stuff that doesn't need it. Gotta keep everything on the hype train. Working and fulfilling people's needs is no longer good enough.

Because environments change, it hasn't been immutable.

What are you, a dentist moonlighting as an angel investor?

Software is never "done".

The underlying APIs are always changing. The compilers and system libraries are changing.

Featuritis is a thing, but rolling it back is non-trivial as there are folks who depend upon it.

Because we haven't progressed to the angelic level of software development, so nothing is bug-free, which especially important in something security-critical like sudo

Similarly sudo-rs and doas-rs exist now.

I'm not sure what can be gained for further development of the OG c sudo, add security patches of course.

But fund adding yet another feature 99.9% of users will never use? I can't fathom the justification for that. Just adding attack surface at this point.

Rightly both doas and the *-rs drops ins intend to drop most of those unnecessary features.

Are you saying you would be using something that fills the same critical role as sudo even if it had not received any updates in a decade or more? Because that sounds insane