The coreutils Rust rewrite story is pretty funny.

Gast

@lcamtuf I always looked at this project as a sort of hobby, a learning exercise, maybe just a lark, or a "maybe one day we'll have a useful alternative"...and then Canonical went and adopted it before anyone could reasonably believe it was of production quality

Gast

@lcamtuf

It’s frustrating that POSIX took decades to get APIs that weren’t intrinsically racy, but then higher-level languages that post dated the improved ones implemented equivalents of the old racy APIs. C++ was annoying, they waited until pretty much every platform that supported C++ and had a filesystem implemented the newer APIs and then standardised the filesystem TS with racy ones. I believe Rust is similar, but at least it has cap-std which implements the non-racy versions as an alternative standard library.

Gast

@benh @lcamtuf Wow. Kudos to Joel, it’s 26 years later and I still remember reading this article when it was fresh.

Gast

@hypha @xerz @lcamtuf tbf i think the framing that "they shouldn't have" is wrong and bad. *canonical* should not have switched, because that is such a bad idea

Gast

@star @hypha @lcamtuf yeah, the audits should have come first, not the other way around

all they did was give them free patches, so uh... yet another Rust advantage? ​

Gast

@sten @lcamtuf sorry, it's been literally years since the last time I cared enough about this, so I don't have the links at hand. From what I remember, the dev(s) that got the project started claimed to not care about the license and that they would consider relicensing if the community showed an interest, but shot down all proposals to switch to GPL with no discussion.

Officially t's explicitly NOT about that:

https://uutils.github.io/

«It is not primarily […] about license debates.»

Gast

@lcamtuf It's even sillier because the Rust rewrite was just someones hobby project to learn Rust, it wasn't engineered from the start to be the "Canonical" implementation, so picking it off the Internet and shoving it into Ubuntu is an engineering decision that the professional Ubuntu engineers should be accountable for, not the original developer who just shared their work with the world.

Gast

@sten @darkuncle The old joke that _everyone_ has a testing environment, some are fortunate enough to have a separate Production environment

Gast

@miss_rodent @lcamtuf If that was all they wanted, the BSD toolset is just sitting there….

Gast

@hyc @lcamtuf this wasn't even storming in, this was a hobby project started in 2013 that was adopted for Ubuntu in 2025. I fault Canonical for that decision more than the project here.

Gast

@grumpybozo @lcamtuf afaik the BSD core utils aren't entirely compatible with the gnu core utils, still?
But yeah, there are more permissively licensed versions of the *nix coreutils already; rust uutils is aiming to be a drop-in replacement for the gnu coreutils specifically, though, which means all the gnu-specific extensions and peculiarities. Which, previously, were basically only under the gpl (and some scripts and such can break if you don't have those, so, it's a meaningful difference.)

Gast

@miss_rodent @lcamtuf Right, there are some variances in command line options, usually in areas not covered by POSIX.

Gast

@kajord @lcamtuf sure, it's Canonical's fault for deciding to deploy to production. And it's still a fault in the developers, for failing to understand why the original programs were written the way they were.

Gast

@darkuncle tysm for pointing me to this amazing parable, amigos. ️

https://fs.blog/chestertons-fence/

Gast

@david_chisnall @lcamtuf Well people have opinions: https://mastodon.social/@pid_eins/116459585811044061

Btw also https://chaos.social/@tris/116453545444380978

Gast

@lcamtuf Amusingly, I recently did some work in Rust and wanted safe file operations that avoided race conditions. I couldn't find anything good and wrote my own opinionated helper.

Though, a large part of it is that O_TMPFILE is awesome and underused.

Gast

@lcamtuf@infosec.exchange Also quite few are noticeably fails in implementing POSIX, which makes me wonder if they're only caring about coreutils testsuite and --help/help2man output.

Like CVE-2026-35367 (nohup(1) permissions) as Colin Funk noted, but also CVE-2026-35369 (kill -1), CVE-2026-35370 & CVE-2026-35371 (real vs. effective in id(1)), and CVE-2026-35379 (wrong character classes in tr(1))

Gast

@lcamtuf I've heard a lot of funny stories like this in previous years. Like for example a startup trying to rewrite the TCP stack by their own from scratch because they can do it more efficient.
Soon they learned how a real environment, or better said, the real life really is.

Gast

@lcamtuf yeah it's frustrating because in some sense we all had the opportunity to learn this lesson, a long time ago

we remember when we were kids, after Netscape went bankrupt trying to re-write their software from scratch, there were some good essays analyzing what went wrong and advocating for refactoring instead so as not to lose the knowledge that's in the code

and then there's the ATC system

like... there's so many past instances to learn from

Gast

@lcamtuf Dang, that is a wild ride of a thread.

And it kinda lines up with my experiences as well-- coreutils is battle tested and a load bearing feature of Linux.

Uutils is just too new to get all of the behavior exactly the same. I've tested it on my nix machine in the past, and alothough I never pushed uutils quite as far as it could have gone in order to discover any of these bugs, I kind of shudder to think what would have happened if I had.

Very interesting to think that the concept of C isn't exactly bad-- but it just needs a long time to mature and get it right, just like any program. The fact that the Rust compiler prevents you from making memory errors doesn't also prevent you from misunderstanding CPU clocks or buffer overflows or race conditions and other low level stuff.