Hacker News new | ask | show | jobs
by concinds 50 days ago
Reading that Canonical thread was jaw-dropping. Paraphrased: "Rust is more secure, security is our priority, therefore deploying this full-rewrite of core utils is an emergency. If things break that's fine, we'll fix it :)".

I would not want to run any code on my machines made by people who think like this. And I'm pro-Rust. Rust is only "more secure" all else being equal. But all else is not equal.

A rewrite necessarily has orders of magnitude more bugs and vulnerabilities than a decades-old well-maintained codebase, so the security argument was only valid for a long-term transition, not a rushed one. And the people downplaying user impact post-rollout, arguing that "this is how we'll surface bugs", and "the old coreutils didn't have proper test cases anyway" are so irresponsible. Users are not lab rats. Maintainers have a moral responsibility to not harm users' systems' reliability (I know that's a minority opinion these days). Their reasoning was flawed, and their values were wrong.
3 comments
oefrha 50 days ago
This leaves such a bad taste in my mouth. If you fucking found 44 CVEs with some relatively amateurish ones (I'm no security engineer but even I've done that exact TOCTOU mitigation before) in such a core component of your system a month before 26.04 LTS release (or a couple months if you count from their round 1), surely the response should be "we need to delay this to 28.04 LTS to give it time to mature", not "we'll ship this thing in LTS anyway but leave out the most obviously problematic parts"?

The snap BS wasn't enough to move me since I was largely unaffected once stripping it out, but this might finally convince me to ditch.

link
3836293648 49 days ago
It's insane that this is going into an LTS. It's the kind of experiment I'd expect them to play with in a non-LTS and revert in LTSes until it's fully usable, like they did with Wayland being the default, which started in 2017
link
PunchyHamster 50 days ago
Ubuntu has been doing careless shit like that their entire existence, it's nothing new
link
noosphr 47 days ago
What do you mean that the people who use Debian Unstable as the basis of their OS would break things?
link
duped 49 days ago
This is a people problem and Canonical just isn't good at hiring people
link
kstrauser 49 days ago
I’ve gotta agree. Some horror stories were going around about their interview process. It seemed highly optimized to select people willing to put up with insane top-down BS.
link
zx8080 50 days ago
Agree with the point. Asking sincerely, how to filter out installing any rust-rewrite packages on my machines? Does anyone know the way?
link
kibwen 50 days ago
If you don't want Canonical's packages, you should probably just be using Debian rather than Ubuntu. It's not 2008 anymore, stock Debian is quite user-friendly.
link
tambre 50 days ago
Worth noting is that in Debian experimental coreutils defaults to coreutils-from-uutils [0]. This came as a big surprise and as far as I can tell there's been no discussion. A Canonical developer seems to have unilaterally overwritten the coreutils package without discussing with the maintainer. All the package renames that are in Ubuntu aren't in Debian so you can't switch to GNU utils either without deep trickery in a separate recovery environment.

I'm used to running experimental software but I wasn't ready for my computer to not boot one day because of uutils. The `-Z` flag for `cp` wasn't implemented in the 9 month old version shipped in Debian at that time so initramfs creation failed...

[0] https://packages.debian.org/experimental/coreutils

link
riffraff 49 days ago
that... seems newsworthy on its own merit.
link
tambre 49 days ago
It's in experimental only, not unstable or testing. That said I'm surprised it hasn't even propmpted discussion on debian-devel (sans [0]). I would've thought that at least enough Debian developers run experimental to have noticed and raise the issue, but no. I thought about starting a thread myself but couldn't be bothered.

[0] https://lists.debian.org/debian-devel/2026/04/msg00004.html

link
dvhh 49 days ago
Considering how Ubuntu seems to influence Debian development, this is only slightly surprising.

See: https://lists.debian.org/deity/2025/10/msg00071.html - Hard Rust requirements from May onward - by a Core Ubuntu Developer

link
cdmckay 49 days ago
Or Fedora.

I feel like Fedora has the same pragmatic approach (allows non-free drivers, packages, etc.) and is just as easy to use.

link
KnuthIsGod 50 days ago
Or use a sane distribution like Arch or Gentoo instead of Ubuntu based systems.
link
dapperdrake 49 days ago
Alpine Linux has a better shot at acceptable compile times.

Some FOSS software seems to maximize kernel IO last time I had a Gentoo.

link
theandrewbailey 50 days ago
I'm unaware of any Rust rewrites outside of coreutils, so:

    sudo apt install coreutils-from-gnu
https://computingforgeeks.com/ubuntu-2604-rust-coreutils-gui...
link
pxc 49 days ago
There aren't true 1:1 clones, but there's ripgrep (inspired by GNU grep) and fd (inspired by GNU find). Those two I like, though. I think they're thoughtfully designed and in ripgrep's case at least (I just haven't read posts/comments by fd's author), it was developed with some close study of other grep implementations. I still use GNU grep and GNU find as well, but rg and fd are often nice for me.
link
kbolino 49 days ago
The other nice thing about rg and fd is that they work natively on Windows.
link