March 16, 2026

PBX Science

The Man Who Maintained Sudo for 30 Years Now Struggles to Fund the Work That Powers Millions of Servers


After Three Decades of Maintaining Sudo, Core Developer Seeks Sponsorship as Open Source Funding Crisis Deepens.

A critical component of Linux and Unix systems faces an uncertain future as its longtime maintainer appeals for financial support.

In a stark reminder of the open source sustainability crisis, Todd C. Miller, the developer who has maintained sudo for over 30 years, is now publicly seeking sponsorship to continue his work on one of the most fundamental tools in modern computing.

Miller’s appeal, posted on his personal website, is simple and direct: “For the past 30+ years I’ve been the maintainer of sudo. I’m currently in search of a sponsor to fund continued sudo maintenance and development. If you or your organization is interested in sponsoring sudo, please let me know.”


The Importance of Sudo

For those unfamiliar with Unix-like systems, sudo (short for “super user do”) is a command-line utility that allows authorized users to execute specific commands with elevated privileges under tightly controlled security policies. It is a foundational component of nearly every Linux distribution and Unix-like system in existence.

From personal desktops to enterprise servers, cloud infrastructure to embedded devices, sudo forms a critical part of the system security model. Without it, system administrators would be forced to rely more heavily on direct root logins or broader privilege escalation mechanisms, significantly increasing security risks.

The tool’s ubiquity makes it almost invisible—until something goes wrong. As one industry observer noted, “It’s hard to imagine something as fundamental to computing as the sudo command becoming abandonware, yet here we are.”


A Long History of Stewardship

Sudo was originally written in the early 1980s by Bob Coggeshall and Cliff Spencer. Miller officially took over the project in 1994, making a public release of “CU sudo” and becoming its principal developer and maintainer.

For the past three decades, Miller has spearheaded sudo’s security model development, feature iterations, and cross-platform compatibility. His long-term commitment has enabled sudo to adapt to ever-changing computing environments while maintaining its status as a standard system administration tool.

From 2010 to February 2024, Quest Software sponsored sudo development by employing Miller to work on the project as part of his full-time job at their subsidiary One Identity. This arrangement enabled significant enhancements including I/O logging, the plugin API, the log server, additional regression and fuzz tests, and more regular releases.

However, when Miller departed from One Identity in February 2024, Quest’s sponsorship of sudo ended. According to archived versions of Miller’s website, he has been seeking a new patron since then.

The Project Continues—For Now

Despite the lack of sponsorship, Miller has continued maintaining sudo. A review of the project’s changelog reveals regular updates, with the most recent releases occurring just weeks ago. Miller confirmed to The Register that he is still actively working on the project, though the situation has become untenable without support.

“Without some form of assistance it is untenable,” Miller stated. “Maintainer burn-out is real.”

The Rise of Sudo-rs

The funding uncertainty comes at a time of significant transition for sudo. Ubuntu announced in May 2025 that it would adopt sudo-rs as the default sudo implementation in Ubuntu 25.10, scheduled for release in October 2025.

Sudo-rs is a Rust-based reimplementation of sudo developed by the Trifecta Tech Foundation, a nonprofit organization focused on creating secure, open-source infrastructure software. The new implementation leverages Rust’s memory safety guarantees to eliminate many of the vulnerabilities that have historically plagued C-based software.

Several high-profile security issues in sudo over the years have underscored the need for memory safety. A heap buffer overflow bug identified in 2021, for instance, allowed any local user to gain root-level privileges despite their account not being authorized to run sudo commands. The vulnerability had existed for more than a decade.

Interestingly, Miller has been collaborating with the sudo-rs developers since the project’s inception and has endorsed the transition. “Ubuntu is already shipping sudo-rs as the default sudo command in their latest versions,” Miller told The Register. “I’ve been in contact with the people working on sudo-rs since the project started and I trust them to do right by the sudo user base.”

Canonical’s Jon Seager described the collaboration as “a handshake across generations of secure systems,” with Miller providing advice and guidance to ensure a smooth transition.

Part of a Larger Crisis

Miller’s situation is far from unique. It exemplifies a broader sustainability crisis affecting the open source ecosystem—one that threatens the very foundation of modern software infrastructure.

According to the 2024 Tidelift State of the Open Source Maintainer Report, 60% of open source maintainers remain unpaid for their work, a figure unchanged from the previous year. Simultaneously, 60% of maintainers have quit or considered quitting their projects, up from 58% in 2023. Among those considering departure, 44% cite burnout as their primary reason.

A 2024 Harvard Business School study found that 96% of commercial programs rely on open source software, with the total value of open source code estimated at $8.8 trillion. Yet the funding picture remains bleak.

Recent high-profile cases illustrate the severity of the problem. In November 2025, the Kubernetes project announced the retirement of Ingress NGINX, one of its most widely used components, not because it was obsolete but because maintainers working nights and weekends could no longer sustain it. The same month, External Secrets Operator—used in critical enterprise systems globally—froze all updates after four of its five maintainers burned out.

“Most Kubernetes maintainers are burned out,” confirmed Kat Cosgrove, Kubernetes Release Team Subproject Lead. “When even projects backed by major corporations can’t prevent collapse, something fundamental is broken.”

The Funding Gap

The disconnect between open source usage and funding is stark. According to research from the Linux Foundation, organizations invested approximately $162 million in open source in 2024—but only 14% of that went directly to funding maintainers and projects. The majority flowed to consulting and support services.

Of the 300 million companies estimated to use open source software, only about 4,200 participate in GitHub Sponsors—a freeloading rate exceeding 99.99%.

Several initiatives have emerged to address the crisis. The Open Source Pledge, launched by Sentry in 2024, asks companies to pay a minimum of $2,000 per year per full-time developer on staff directly to maintainers. Sentry itself contributes $5,813 per developer, totaling $750,000 to maintainers. Other companies have established FOSS Funds: Microsoft distributes up to $12,500 per quarter to employee-nominated projects, while Spotify allocates €100,000 annually.

However, participation remains microscopic relative to the scale of open source consumption. Making matters worse, Microsoft discontinued its Azure Sponsored Subscriptions program in September 2025, now funding only “strategic” projects.

Security Implications

The sustainability crisis has direct security implications. The 2024 Tidelift report found that paid maintainers are significantly more likely to implement critical security practices—a crucial finding as security threats continue to grow in sophistication.

The open source software supply chain has come under sustained, high-volume attack, with npm- and PyPI-focused campaigns escalating throughout 2024 and 2025. The near-miss with the xz data compression library in 2024—which came close to inserting a backdoor into major Linux distributions—demonstrated just how vulnerable critical infrastructure can be when maintainers are stretched thin or compromised.

What Happens Next?

For sudo specifically, Miller expects sudo-rs to become the next generation of the tool in coming years. “I trust them to do right by the sudo user base,” he said of the sudo-rs developers.

Ubuntu’s decision to ship sudo-rs by default in version 25.10 will provide crucial real-world testing before its inclusion in Ubuntu 26.04 LTS in 2026, which will receive support from Canonical for 10+ years. Whether other major distributions like Debian, Fedora, and openSUSE follow Ubuntu’s lead remains to be seen.

The original sudo will remain available in Ubuntu’s archives, allowing users who need or want to swap back to do so. For now, Miller continues to maintain the C-based version, though the long-term trajectory seems clear.

A Call to Action

Miller’s funding appeal represents more than just one developer’s personal situation. It’s a symptom of a systemic problem that threatens the stability of software infrastructure relied upon by billions of people worldwide.

As an open letter signed by 10 open source foundations stated in September 2024: “Most of these [open source] systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill, rather than mechanisms that align responsibility with usage.”

The letter continued: “A small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.”

Miller agrees that his situation exemplifies a broader problem. “Maintainer burn-out is real,” he emphasized, adding his voice to a growing chorus calling for sustainable funding models for critical open source infrastructure.

For companies and organizations that depend on sudo—which is to say, virtually every organization using Linux or Unix systems—the message is clear: the time to contribute is now, before critical infrastructure fails.

Those interested in sponsoring sudo can contact Todd C. Miller directly through his website at millert.dev.

