Saagar Jha (@saagar@saagarjha.com)

Saagar Jha

12/30/2025 (replying to Saagar Jha)

Except sudo, which has merged all 23 of his PRs without comment. I guess this means their code is either so bad that the LLM is finding all bunch of actual bugs, or that the maintainers aren’t reading his PRs closely. I’m not sure either makes me feel good about the project.

11 replies →

11 replies

Matt Massicotte

12/30/2025 (replying to Saagar Jha)

@saagar sudo merge pr

Greg Gardner

12/30/2025 (replying to Saagar Jha)

@saagar At least sudo isn't a critical piece of the security of almost every Unix-based system on the planet. Oh wait, it is.

pancake :radare2:

12/31/2025 (replying to Saagar Jha)

@saagar link?

icraze

12/31/2025 (replying to pancake :radare2:)

@pancake @saagar GitHub user AZero13

pancake :radare2:

12/31/2025 (replying to icraze)

@icraze @saagar yeah 23 prs merged in one week. I hope @millert reviewed them properly before merging, but to me the changes look safe, actually there are a couple of tricky ones that are fixing real memory safety bugs.

pancake :radare2:

12/31/2025 (replying to Saagar Jha)

@saagar llms can spot a large variety of bugs that static analyzers don’t catch, yeah sometimes also hallucinate some. But combined with asan, clang analyzer and valgrind they are a really powerful solution for code review and bug catching. So I wouldn’t say sudo’s code is bad, but software engineering is so hard that it’s easy to find ways to improve the quality over time. C coding practices evolved and that’s a techdebt we are all used to face every day

Saagar Jha

01/01/2026 (replying to pancake :radare2:)

@pancake I think it is possible to use AIs effectively but I don’t think you can send 150 PRs a month without there being problems somewhere

pancake :radare2:

01/01/2026 (replying to Saagar Jha)

@saagar yeah i doubt that too, im also not happy with blind merging or review less prs

krig

12/31/2025 (replying to Saagar Jha)

@saagar @algernon good thing it’s just some fringe project and not a foundational building block that all computing is built upon

Thomas Touhey

12/31/2025 (replying to Saagar Jha)

@saagar The maintainer does seem to have commented/done review on some, but some of the PRs either fix security issues, or introduce some, finding out which would require some more experience with the codebase. Anyway, very scary stuff.

Byte

12/31/2025 (replying to Saagar Jha)

@saagar sudo as in, *the* sudo millions of people and computers use every day??

Techokami

12/31/2025 (replying to Saagar Jha)

@saagar Two of them did have comments, though: https://github.com/sudo-project/sudo/pull/498 this one points out an issue that was then resolved by him. https://github.com/sudo-project/sudo/pull/490 THIS one, an actual conversation (albeit a short one) on potentially deprecating and removing SecureID support

Saagar Jha

01/01/2026 (replying to Techokami)

@techokami Yeah fair I didn’t actually click through all 23

Jakobpunkt🔥

12/31/2025 (replying to Saagar Jha)

@saagar @gnomon wait wat

Koutsie :unverified:

01/01/2026 (replying to Saagar Jha)

@saagar oh god

Joel

01/02/2026 (replying to Saagar Jha)

@saagar @saagar I hope this isn’t another xz con job.