Imam Alfarizi

Ubuntu 26.04 (Long Term Support) is shipping tomorrow… and Canonical has published an update on their quest to replace GNU CoreUtils with Rust-based re-writes. Highlights: - After developers raised “some serious concerns”, Canonical hired an external security research firm to evaluate the Rust re-writes (known as “uutils”). - That security firm quickly found 113 significant issues, with a large portion of them being severe security issues warranting a CVE. - Only some of those issues in the Rust re-writes have been fixed for the Ubuntu 26.04 release. - Repeat: Ubuntu 26.04 is shipping with significant known issues in the new Rust coreutils. - Some of the most critical Rust-Re-Written commands (cp, mv, and rm) were found to contain a large number of significant “Time-of-Check to Time-of-Use” issues, the kind of issues which create race condition vulnerabilities. The kind often exploited by hackers. - As such, cp, mv, and rm will not be shipping in Ubuntu 26.04. Even with their clear “it’s fine if Ubuntu 26.04’s rust re-writes contain significant bugs” policy… the issues with cp, mv, and rm were simply TOO severe. - Despite this undeniably disastrous rollout of the Rust-based rewrites of Coreutils, the Ubuntu team plans to ship the next release, in 6 months (26.10), with 100% of the GNU Coreutils replaced with the (currently comically broken) Rust re-writes. https://t.co/ssuMq6ZOGv