@saagar At least sudo isn't a critical piece of the security of almost every Unix-based system on the planet. Oh wait, it is.
@saagar link?
@saagar LLMs can spot a large variety of bugs that static analyzers don't catch; yeah, sometimes they also hallucinate some. But combined with ASan, the Clang static analyzer and Valgrind, they are a really powerful solution for code review and bug catching. So I wouldn't say sudo's code is bad, but software engineering is so hard that it's easy to find ways to improve the quality over time. C coding practices evolved, and that's tech debt we are all used to facing every day.
@saagar The maintainer does seem to have commented/done review on some, but some of the PRs either fix security issues, or introduce some, finding out which would require some more experience with the codebase. Anyway, very scary stuff.
@saagar sudo as in, *the* sudo millions of people and computers use every day??
@saagar Two of them did have comments, though: https://github.com/sudo-project/sudo/pull/498 (this one points out an issue that was then resolved by him) and https://github.com/sudo-project/sudo/pull/490 (THIS one has an actual conversation, albeit a short one, on potentially deprecating and removing SecurID support).
