Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
I would say yes is it developed, this is more than just big fixes : https://github.com/sudo-project/sudo/releases
No huge changes of course, but the big CVE from July was only introduced 2 years ago.
My biggest question is, why is something like sudo still developed and not finished and in maintenance mode?
Went through the releases quickly and it does look like maintenance work is being done more than anything.
Last minor version update was in 2020 which is not that recent (although quite recent). All other releases since have mostly fixes. I’ve seen only a couple of things that were not Fixed something in the notes.
Maybe our definitions of active development are different, but to me this does look like maintenance.
Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Here’s an interesting report from Google about rust vs C++ in Android: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1