Date Bug in Rust-Based Coreutils Affects Ubuntu 25.10 Automatic Updates

Posted3 months agoActive2 months ago

blueflow

272 points

469 comments

lwn.netTechstoryHigh profile

heatedmixed

Debate

80/100

RustUbuntuCoreutilsSoftware Development

Key topics

Rust

Ubuntu

Coreutils

Software Development

A bug in Rust-based coreutils affects Ubuntu 25.10 automatic updates, sparking debate about the trade-offs of rewriting battle-tested C utilities in Rust.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

50m

Peak period

148

Day 1

Avg / period

Comment distribution160 data points

Loading chart...

Based on 160 loaded comments

Key moments

01Story posted
Oct 23, 2025 at 4:49 PM EDT
3 months ago
Step 01
02First comment
Oct 23, 2025 at 5:38 PM EDT
50m after posting
Step 02
03Peak activity
148 comments in Day 1
Hottest window of the conversation
Step 03
04Latest activity
Nov 1, 2025 at 7:52 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (469 comments)

Showing 160 comments of 469

superkuh

3 months ago

3 replies

That's why it's called the bleeding edge. Rust dev culture is 99% bleeding edge. It is not a culture of stability. It is a culture of change and the latest and greatest. The language could be used in stable ways, but right now, it's not.

klardotsh

3 months ago

3 replies

That's one heck of an extrapolation from one incident, or even one project, in a language that has been post-1.0 for a decade and has a wide variety of users with a wide variety of update/upgrade preferences and subcultures.

awesome_dude

3 months ago

3 replies

I agree, but the post does resonate - Rust still has a very "Ready to make breaking changes on a whim" reputation

tempest_

3 months ago

3 replies

Which makes sense because in 2025 people have grown tired of lack of improvement so that some esoteric ass compiler from the 90s still works or someones 30 year old bash script still functions.

Pros and Cons either way for better or worse depending on your perspective.

cowsandmilk

3 months ago

2 replies

That’s an argument against creating uuutils; it is a project that aims for coreutils 100% compatibility. eza, bat, ripgrep, etc are more exciting for at least having different features than coreutils

tempest_

3 months ago

1 reply

I was more commenting on the Rust community being ready to make breaking changes.

Personally while I think Rust is a decent language it would not have caught on with younger devs if C/C++ didn't have such a shitty devex that is stuck 30 years in the past.

Younger people will always be more willing to break things and messing around with ancient and unfriendly build/dev does not attract that demographic because why waste time messing around with the build env that actually getting things done.

One day rust will be the same and the process will start again.

skydhash

3 months ago

1 reply

If you're on unix, I think the only thing you really need is cc and ld. The build system aims for flexibility instead of each project being its own personal world and things are duplicated ad momentum. Everyone is happy playing in their little sandbox instead of truly collaborating with each other and create great software.

uecker

2 months ago

1 reply

Indeed. This is exactly the problem. It is no fun helping with maintenance of an existing project, fix some boring bug, deal with all the historical constraints, necessary support for old systems, etc.

It is so much more fun to cargo-download some stuff and build some new shiny Rust-xyz implementation of Z on your Apple Macbook and even get some HN attention just for this. The problem with all the Rust hype is that people convince themselves that they are actually helping the world by being part of a worthwhile cause to rid the world from old languages, while the main effect is that i draws resources away from much more important efforts and places an even higher burden on the ecosystem - making our main problem - sustainable maintenance of free software - even harder.

zamadatix

2 months ago

I'm not sure a post about a 12 year long project dealing with fixing bugs to match historical constraints with a make build option was really the best choice for this particular rant.

zamadatix

3 months ago

It's an argument for/against doing anything. The question is how large of a change can you get away with. Ubuntu seems to think they can get away with a 1:1 replacement being acceptable by 26.04, I doubt they'd think the same about forcing alternative tooling options just because the impetus is the same.

cwillu

3 months ago

I've largely lost patience with the current culture of sacrificing any backwards compatibility that is slightly inconvenient in the name of “improvement”.

skydhash

3 months ago

Improvement to what? It's not like anyone is creating a new paradigm (or even ripping off an old one, like smalltalk or plan9). It's mostly coming up with a different defaults.

awesome_dude

3 months ago

3 replies

As is the norm for HN and Rust commentary - any slight criticism is met with fury and downvotes.

umanwizard

3 months ago

2 replies

I'm not "furious", but I do think your comment was bad and deserved to be downvoted. You're posting a random opinion with nothing to back it up, which is, to boot, factually wrong.

What breaking changes has Rust made "on a whim" ?

awesome_dude

3 months ago

1 reply

All day every day I see "random opinion with nothing to back it up" posts on Hacker News, but are not voted down - discuss.

baq

3 months ago

Rust users read more xkcd than the average hn poster. Or less. Take your pick.

rustdebacletime

3 months ago

1 reply

> What breaking changes has Rust made "on a whim" ?

I don't know about "on a whim", but this isn't far off in regards to breaking compatibility. And it caused some projects, like Nix, a lot of pain.

https://github.com/rust-lang/rust/issues/127343

https://devclass.com/2024/08/19/rust-1-80-0-breaks-existing-...

aw1621107

2 months ago

1 reply

> I don't know about "on a whim"

Probably not the best way to lead, considering that that phrase is the entire root of the disagreement you're chiming in on!

> but this isn't far off in regards to breaking compatibility.

I think it might be worth elaborating on why you think that change "isn't far off" being made "on a whim". At least to me, "on a whim" implies something about intent (or more specifically, the lack thereof) that the existence of negative downstream impacts says nothing about.

If anything, from what I can tell the evidence suggests precisely the opposite - that the breakage wasn't made "on a whim". The change itself [0] doesn't exactly scream "capricious" to me, and the issue was noticed before Rust 1.80.0 released [1]. The libs team discussed said issue before 1.80.0's release [2] and decided (however (un)wisely one may think) that that breakage was acceptable. That there was at least some consideration of the issue basically disqualifies it from being made "on a whim", in my view.

[0]: https://github.com/rust-lang/rust/pull/99969

[1]: https://github.com/rust-lang/rust/issues/127343

[2]: https://github.com/rust-lang/rust/issues/127343#issuecomment...

rustdebacletime

2 months ago

1 reply

Your post strongly reinforces Rust's reputation as a language whose language designers are willing to break compatibility on a whim. If Rust proponents argue like this, what breakage will not be forced upon Rust users in the future?

Your post itself reinforces the OP's claim.

Edit: Seriously. At this point, it seems clear that the culture around Rust, especially driven by proponents like you, indirectly have a negative effect on both Rust software, and software security & quality overall, as seen by the bug discussed in the OP. Without your kind of post, would Ubuntu have felt less pressured to make technical management decisions that allowed for the above bug?

aw1621107

2 months ago

1 reply

> Your post strongly reinforces Rust's reputation as a language whose language designers are willing to break compatibility on a whim.

> Your post itself reinforces the OP's claim.

Again, I think it might be worth elaborating precisely what you think "on a whim" means. To me (and I would hope anyone else with a reasonable command of English), making a bad decision is not the same thing as making a decision on a whim, and you have provided no reason to believe the described change falls under the latter category instead of the former.

rustdebacletime

2 months ago

This new post you have made again reinforces the general notion that, yes, closer to "on a whim" than many like, the Rust community is willing to break backwards compatibility. It reflects extremely poorly on the Rust community in some people's eyes that you and other proponents appear to not only be unwilling to admit the issues, like the above issue that caused some people a lot of pain, but even directly talk around the issues.

In C and C++ land, if gcc (as a thought experiment) tried breaking backwards compatibility by changing the language, people would be flabbergasted, complain that gcc made a dialect, and switch to Clang or MSVC or fork gcc. But for Rust, Rust developers just have to suck it up if rustc breaks backwards compatibility. Like Dtolnay's comment in the Github issue I linked indicates. If and once gccrs gets running, that might change.

Though I am beginning to worry, for the specification for Rust gotten from Ferrocene might be both incomplete and basically fake, and that might cause rustc and gccrs to more easily risk becoming separate dialects of Rust, which would be horrible for Rust, and since there should preferably be more viable options in my opinion of systems languages, arguably horrible for the software ecosystem as well. I hope that there are plans for robust ways of preventing dialects of Rust.

simonask

3 months ago

2 replies

Yeah, sweeping hot takes with very little to back them up do tend to get downvoted.

More than anything, the Rust community is hyper-fixated on stability and correctness. It is very much the antithesis to “move fast and break things”.

rustdebacletime

3 months ago

1 reply

> More than anything, the Rust community is hyper-fixated on stability and correctness. It is very much the antithesis to “move fast and break things”.

This is incorrect.

https://devclass.com/2024/08/19/rust-1-80-0-breaks-existing-...

simonask

2 months ago

2 replies

The high level of visibility that this incident received is a great example of the point I'm making. Can you name one more?

rustdebacletime

2 months ago

1 reply

It received a lot of attention and "visibility" because it caused a lot of pain to some people. I am befuddled why you would wrongly attempt to dismiss this undeniable counter-example.

Sorry, but your argument is incorrect.

simonask

2 months ago

1 reply

I suspect you miss the point.

Somebody is attempting to characterize the Rust community in general as being similar to other programming communities that value velocity over stability, such as the JS ecosystem and others.

I’m pointing out that incidents such as this are incredibly rare, and extremely controversial within the community, precisely because people care much more about stability than velocity.

Indeed, the design of the Rust language itself is in so many ways hyper-fixated on correctness and stability - it’s the entire raison d’etre of the language - and this is reflected in the culture.

rustdebacletime

2 months ago

Comparing with JS ecosystem is very telling. Some early Rust developers, come from the JS ecosystem (especially at Firefox), and Cargo takes inspiration from the JS ecosystem, like with lock files. But JS ecosystem is a terrible baseline to compare with regarding stability. Comparing a language's stabilitity with JS ecosystem says very little. You should have picked a systems language to compare with.

And your post is itself a part of the Rust community, and it itself is an argument against what you claim in it. If you cannot or will not own up to the 1.80 time crate debacle, or mention the 1.80 time crate debacle proactively as a black mark that weighs on Rust's conscience and that it will take time to rebuild trust and confidence in Rust's stability because of it, well, your priorities, understood as in the Rust community's priorities, are clear, and they do not, in practice, lie with stability, safety and security, nor with being forthcoming.

amiga386

2 months ago

1 reply

I'm going to throw in another one.

Cargo always picks the newest version of a dependency, even if that version is incompatible with the version of Rust you have installed.

You're like "build this please", and it's like "hey I helpfully upgraded this module! oh and you can't build this at all, your compiler is too old granddad"

They finally addressed this bug -- optionally (the default is still to break the build at the slightest provocation) -- in January this year (which of course, requires you upgrade your compiler again to at least that)

https://blog.rust-lang.org/2025/01/09/Rust-1.84.0/#cargo-con...

What a bunch of shiny-shiny chasing idiots with a brittle build system. It's designed to ratchet forward your dependencies and throw new bugs and less-well-tested code at you. That's absolutely exhausting. I'm not your guinea pig, I want to build reliable, working systems.

gcc -std=c89 for me please.

Avamander

2 months ago

3 replies

Let the one without sin throw the first stone. Please describe to us how you do dependency management with C.

Also picking C89 over any later iteration is bananas.

rustdebacletime

2 months ago

I would use a newer version of C, and consider picking C++, if the choice was between C, C++, Ada, and Rust. (If pattern matching would be a large help, I might consider Rust).

For C++, there is vcpkg and Conan. While they are overall significantly or much worse options than what Rust offers according to many, in large part due to C++'s cruft and backwards compatibility, they do exist.

cozzyd

2 months ago

> Please describe to us how you do dependency management with C

dnf or apt, depending on if Fedora/EL or Debian...

amiga386

2 months ago

> Please describe to us how you do dependency management with C.

     PKG_CHECK_MODULES([libfoo], [libfoo >= 1.2.3])
     AC_CHECK_HEADER([foo.h], ,[AC_MSG_ERROR([Cannot find foo header])])
     AC_CHECK_LIB([foo],[foo_open], ,[AC_MSG_ERROR([Cannot find foo library])])

There are additionally versioning standards for shared objects, so you can have two incompatible versions of a library live side-by-side on a system, and binaries can link to the one they're compatible with.

awesome_dude

3 months ago

Which would be borne out with discourse, not hate - but you do you

baq

3 months ago

No crying in the casino, to quote a classic.

umanwizard

3 months ago

1 reply

> Rust still has a very "Ready to make breaking changes on a whim" reputation

No it doesn't. What on earth are you talking about?

mort96

3 months ago

2 replies

I like Rust, but almost all libraries I end up using are on some 0.x version...

klardotsh

3 months ago

1 reply

I find this tends to stem from libraries refusing to declare 1.0 for fear it would lock them into bad decisions, not from being unstable. Chrono is a great example: v0.4 for EIGHT YEARS while they make sure the design and APIs are worthy of being set into stone as 1.0 (think: Stability Bit Versioning).

Sure, some pre-1.0 libraries in Rust land are actually wildly volatile, but I find that's not especially the norm, out of the crates I've used. That said... 0.4 for EIGHT YEARS is also a pretty darn good sign you've solidified the API by now, and should probably just tag a 1.0 finally...

gldrk

2 months ago

That’s the whole point. Perfectionism and stability are mutually exclusive. What’s ‘worthy of being set in stone’ is very much not set in stone, in an insanely fashion-driven industry like software development.

baq

3 months ago

1 reply

Version numbers are bogus anyway. For all you care all those libraries could be YY.MM. Semantic versioning is a lie except for the smallest units.

mort96

2 months ago

1 reply

Version numbers are communication. Version 0.x is the clearest way I can imagine to communicate, "do not expect a stable API".

burntsushi

2 months ago

1 reply

You are conflating what actually _is_ with what you perceive version numbers communicate. The comments above that you are seemingly commenting in support of are talking about "Ready to make breaking changes on a whim," which is factually not true. What you are talking about is some libraries using a version number that you perceive as indicating a lack of stability, even when the actual library is extremely stable (e.g., log and libc).

So you seem to be saying "I don't like how Rust libraries communicate their stability." But that's something wholly different from "Ready to make breaking changes on a whim." Yet your commentary doesn't distinguish these concepts and instead conflates them.

mort96

2 months ago

1 reply

Version 0.x communicates, "the API is not stabilized, and you must be prepared for breaking changes on a whim". If a library did not want to communicate that, it would release a version >=1.x.

And when most library authors communicate "the API is not stabilized, you must be prepared for breaking changes on a whim", then yeah, of course I am going to perceive that as a lack of stability.

burntsushi

2 months ago

That doesn't address my point, which is that you are conflating communication of a thing with the thing itself.

Moreover, it's unclear to me if you're aware that, in the Rust ecosystem, 0.x and 0.(x+1) are treated as semver incompatible releases, while 0.x.y and 0.x.(y+1) are treated as semver compatible releases. While the actual semver specification says "Anything MAY change at any time. The public API SHOULD NOT be considered stable." when the major version is 0, this isn't actually true in the Rust crate ecosystem. For example, if you have `log = "0.4"` in your `Cargo.toml`, then running a `cargo update` will only bump you to semver compatible releases without breaking changes (up to a human's ability to adhere to semver).

Stated more succinctly, in the Rust ecosystem, semver breaking changes are communicated by incrementing the leftmost non-zero version component. In other words, you cannot correctly interpret what version numbers mean in the Cargo crate ecosystem using only the official semver specification. You also need to read the Cargo documentation: https://doc.rust-lang.org/cargo/reference/semver.html#change...

(emphasis mine)

> This guide uses the terms “major” and “minor” assuming this relates to a “1.0.0” release or later. Initial development releases starting with “0.y.z” can treat changes in “y” as a major release, and “z” as a minor release. “0.0.z” releases are always major changes. This is because Cargo uses the convention that only changes in the left-most non-zero component are considered incompatible.

So I repeat: you are conflating perception with what actually is reality. This isn't to say that perception is meaningless or doesn't matter or isn't a problem in and of itself. But it is distinct from what is actually happening. That is, "the Rust crate ecosystem doesn't use semver version numbers in a way that can be interpreted using only the official semver specification" is a distinct problem from "the Rust crate ecosystem makes a habit of introducing breaking changes on a whim." They are two distinct concerns and you conflating them is extremely confusing and misleading.

ok123456

3 months ago

1 reply

It's been post-1.0 for a decade, but they keep on changing the definition of "nightly." "Stable" lacks too many quality of life features so most things don't target it.

ViewTrick1002

2 months ago

Rust currently has a problem that too few people are using nightly which makes gathering experience and feedback on new features harder.

This is a stark difference to back in the early post 1.0 days where many high profile crates needed nightly and everyone was experimenting.

rustdebacletime

3 months ago

1 reply

A little more than a year ago, breakage.

https://devclass.com/2024/08/19/rust-1-80-0-breaks-existing-...

Avamander

2 months ago

1 reply

Have you EVER used GCC? I wish each release only had bugs with inferring the type of auto or something.

rustdebacletime

2 months ago

1 reply

And rustc uses LLVM, and has had several bugs as well, whether related to LLVM or just due to itself. But what I linked was intentional breakage, and it caused some people a lot of pain.

Avamander

2 months ago

1 reply

Yea, I can think of a lot of intentional GCC breakages as well. Especially ones related to optimizations. If we wrote an article for every one you'd never hear the end of it.

So what's actually your point here?

rustdebacletime

2 months ago

1 reply

> Especially ones related to optimizations.

Did they change the language? GCC is not meant to change the C or C++ languages (unless the user uses some flag to modify the language), there is an ISO standard that they seek to be compliant with. rustc, on the other hand, only somewhat recently got a specification or something from Ferrocene, and that specification looks lackluster and incomplete from when I last skimmed through it. And rustc does not seem to be developed against the official Rust specification.

Avamander

2 months ago

1 reply

> Did they change the language?

That's not what you asked though, these were intentional breakages. Language standard or not.

In any case though, bringing up language specification as an example for maturity is such a massive cop-out considering the amount of UB in C and C++. It's not like it gives you good stability or consistency.

> there is an ISO standard that they seek to be compliant with

You can buy RM 8048 from NIST, is that the "culture" of stability you have in mind?

rustdebacletime

2 months ago

1 reply

> That's not what you asked though, these were intentional breakages. Language standard or not.

You are completely wrong, and you ought to be able to see that already.

It makes a world of difference if it is a language change or not. As shown in dtolnay's comment https://github.com/rust-lang/rust/issues/127343#issuecomment... .

If breakage is not due to a language change, and the program is fully compliant with the standard, and there is no issue in the standard, then the compiler has a bug and must fix that bug.

If breakage is due to a language change, then even if a program is fully compliant with the previous language version, and the programmer did nothing wrong, then the program is still the one that has a bug. In many language communities, language changes are therefore handled with care and changing the language version is generally set up to be a deliberate action, at least if there would be breakage in backwards compatibility.

I do not see how it would be possible for you not to know that I am completely right about this and that you are completely wrong. For there is absolutely no doubt that that is the case.

> In any case though, bringing up language specification as an example for maturity is such a massive cop-out considering the amount of UB in C and C++.

Rust is worse when unsafe is involved.

https://materialize.com/blog/rust-concurrency-bug-unbounded-...

Avamander

2 months ago

> If breakage is not due to a language change, and the program is fully compliant with the standard, and there is no issue in the standard, then the compiler has a bug and must fix that bug.

There are almost no C programs without UB. So a lot of what you would call "compiler bugs" are entirely permitted standard. If you say "no true C program has UB" then of course, congrats, your argument might be in some aspects correct. But that's not really the case in practice and your language standard provides shit in terms of practical stability and cross-compatibility in compilers.

> I do not see how it would be possible for you not to know that I am completely right about this and that you are completely wrong. For there is absolutely no doubt that that is the case.

Lol, lmao even.

> Rust is worse when unsafe is involved.

It's really not.

k4rli

2 months ago

I wonder how archlinux manages to be so stable and reliable then, being "bleeding edge". Never had a single issue with it.

egorfine

2 months ago

> It is a culture of change and the latest and greatest

Good luck achieving anything of long-term value this way.

jey

3 months ago

4 replies

Anyone have a link to the patch in uutils? Curious to see that the problem and solution were.

cataflam

3 months ago

2 replies

This comment[0] explains it.

The core bug seems to be that support for `date -r <file>` wasn't implemented at the time ubuntu integrated it [1, 2].

And the command silently accepted -r before and did nothing (!)

0: https://lwn.net/Articles/1043123/

1: https://github.com/uutils/coreutils/issues/8621

2: https://github.com/uutils/coreutils/pull/8630

nine_k

3 months ago

4 replies

This doesn't look like a bug, that is, something overlooked in the logic. This seems like a deliberately introduced regression. Accepting an option and ignoring it is a deliberate action, and not crashing with an error message when an unsupported option is passed must be a deliberate, and wrong, decision.

imiric

3 months ago

1 reply

I would say that Canonical is more at fault in this case.

I'm frankly appalled that an essential feature such as system updates didn't have an automated test that would catch this issue immediately after uutils was integrated.

Nevermind the fact that this entire replacement of coreutils is done purely out of financial and political rather than technical reasons, and that they're willing to treat their users as guinea pigs. Despicable.

nine_k

3 months ago

What surprises me is that the job seems rushed. Implementation is incomplete. Testing seems patchy. Things are released seemingly in a hurry, as if meeting a particular deadline was more important for the engineers or managers of a particular department than the qualify of the product as a whole.

This feels like a large corporation, in the bad sense.

zahlman

3 months ago

1 reply

It's wrong (and coreutils get it right) but I don't see why it would have to be deliberate. It could easily just not occur to someone that the code needs to be tested with invalid options, or that it needs to handle invalid options by aborting rather than ignoring. (That in turn would depend on the crate they're using for argument parsing, I imagine.)

nine_k

3 months ago

2 replies

Could parsing the `-r` be added without noticing it somehow?

If it was added in bulk, with many other still unsupported option names, why does the program not crash loudly if any such option is used?

A fencepost error is a bug. A double-free is a bug. Accepting an unsupported option and silently ignoring it is not, it takes a deliberate and obviously wrong action.

zahlman

2 months ago

1 reply

> Accepting an unsupported option and silently ignoring it is not, it takes a deliberate and obviously wrong action.

No, it doesn't. For example, you could have code that recognizes that something "is an option", and silently discards anything that isn't on the recognized list.

1718627440

2 months ago

> silently discards anything that isn't on the recognized list.

That's a deliberate action.

aw1621107

2 months ago

At least from what I can find, here's the original version of the changed snippet [0]:

    let date_source = if let Some(date) = matches.value_of(OPT_DATE) {
        DateSource::Custom(date.into())
    } else if let Some(file) = matches.value_of(OPT_FILE) {
        DateSource::File(file.into())
    } else {
        DateSource::Now
    };

And after `-r` support was added (among other changes) [1]:

    let date_source = if let Some(date) = matches.get_one::<String>(OPT_DATE) {
        DateSource::Human(date.into())
    } else if let Some(file) = matches.get_one::<String>(OPT_FILE) {
        match file.as_ref() {
            "-" => DateSource::Stdin,
            _ => DateSource::File(file.into()),
        }
    } else if let Some(file) = matches.get_one::<String>(OPT_REFERENCE) {
        DateSource::FileMtime(file.into())
    } else {
        DateSource::Now
    };

Still the same fallback. Not sure one can discern from just looking at the code (and without knowing more about the context, in my case) whether the choice of fallback was intentional and handling the flag was forgotten about.

[0]: https://github.com/yuankunzhang/coreutils/commit/850bd9c32d9...

[1]: https://github.com/yuankunzhang/coreutils/blob/88a7fa7adfa04...

none_to_remain

3 months ago

1 reply

It certainly doesn't look intentional to me- it looks like at some point someone added "-r" as a valid option, but until this surfaced as a bug, no one actually implemented anything for it (and the logic happens to fall through to using the current date).

rtpg

2 months ago

a `todo!()` away from something being way more obvious. Unfortunate!

johnisgood

3 months ago

> deliberately introduced regression

> deliberate and wrong decision

Yeah... I hope "we" will not switch to it just because it is written in Rust. There is much more than just the damn language behind it.

Avamander

2 months ago

Man, if I had a nickel every time some old Linux utility ignored a command-line flag I'd have a lot of nickels. I'd have even more nickels if I got one each time some utility parsed command-line flags wrong.

I have automated a lot of things executing other utilities as a subprocess and it's absolutely crazy how many utilities handle CLI flags just seemingly correct, but not really.

janzer

3 months ago

It would be really nice if something said what the actual problem was.

The last commit[0] is a fix for date parsing to bring it in line with the GNU semantics, which seems like a pretty good candidate.

Edit: Or not, see evil-olive's comment[1] for a more likely candidate.

0: https://github.com/uutils/coreutils/commit/0047c7e66ffb57971...

1: https://news.ycombinator.com/item?id=45687743

egorfine

2 months ago

The problem is the existence of the project of Rust rewrite itself.

pedrocr

3 months ago

This seems to be the Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bu...

trollbridge

3 months ago

5 replies

Was there something wrong with the old coreutils that needed improvement?

bn-l

3 months ago

3 replies

It wasn’t… “safe”

throitallaway

3 months ago

6 replies

It seems like I'm probably preaching to the choir, but what really is the attack surface with coreutils? I can't imagine there have been a lot of pwns as a result of the `date` command.

ls65536

3 months ago

3 replies

I can certainly understand it for something like sudo or for other tools where the attack surface is larger and certain security-critical interactions are happening, but in this case it really seems like a questionable tradeoff, where the benefits in this specific case are abstract (theoretically no more possibility of any memory-safety bugs) but the costs are very concrete (incompatibility issues; and possibly other, new, non-memory-safety bugs being introduced with new code).

EDIT: Just to be clear, I'm otherwise perfectly happy that these experiments are being done, and we should all be better off for it and learn something as a result. Obviously somebody has assessed that this tradeoff has at least a decent probability of being a net positive here in some timeframe, and if others are unhappy about it then I suppose they're welcome to install another implementation of coreutils, or use a different distro, or write their own, or whatever.

JuniperMesos

2 months ago

I'd prefer it if all software was written in languages that made it as easy as possible to avoid bugs, including memory-safety bugs, regardless of whether it seems like it has a large attack surface or not.

pdimitar

2 months ago

I view `uutils` as a good opportunity to get rid of legacy baggage that might be used by just 0.03% of the community but has to sit there and it impedes certain feature adding or bug fixing.

F.ex. `sudo-rs` does not support most of what the normal `sudo` does... and it turned out that most people did not need most of `sudo` in the first place.

Less code leads to less bugs.

johnisgood

3 months ago

> "sudo"

Hence "doas".

OpenBSD has a lot of new stuff throughout the codebase.

No need for adding a bloated dependency (e.g. Rust) just because you want to re-implement "yes" in a "memory-safe language" when you probably have no reasons to.

mort96

3 months ago

1 reply

Untrusted input is often stored in files. Coreutils tools are often used to operate on those files.

As an obvious example, I sometimes download files from the Internet, then run coreutils sha256sum or the like on those files to verify that they're trustworthy. That means they're untrusted at the time where I use them as input to sha256sum.

If there's an RCE in sha256sum (unlikely, but this is a thought experiment to demonstrate an attack vector), then that untrusted file can just exploit that RCE directly.

If there's a bug in sha256sum which allows a malicious file to manipulate the result, then a malicious file could potentially make itself look like a trusted file and therefore get past a security barrier.

Maybe there's no bug in sha256sum, but I need to base64 decode the file before running sha256sum on it, using the base64 tool from coreutils.

If you use your imagination, I'm sure you yourself can think up plenty more use cases where you might run a program from GNU coreutils against untrusted user input. If it helps, here's a Wikipedia article which lists all commands from GNU coreutils: https://en.wikipedia.org/wiki/GNU_Core_Utilities#Commands

EDIT: To be clear, this comment is only intended to explain what the attack surface is, not to weigh in on whether rewriting the tools in Rust improves security. One could argue that it's more likely that the freshly rewritten sha256sum from uutils has a bug than that GNU sha256sum has a bug. The statement "tools from coreutils are sometimes used to operate on untrusted input and therefore have an attack surface worth exploring" is not the same as the statement "rewriting coreutils in Rust improves security". Personally, I'm excited for the uutils stuff, but not primarily because I believe it alone will directly result in significant security improvements in Ubuntu 25.10.

pantalaimon

2 months ago

3 replies

But if there is a bug in the date command that prevents security updates from being installed, you've got your vulnerability right there.

Rust is not a silver bullet.

pdimitar

2 months ago

Can you show a post from an influential figure in the Rust community that literally said "Rust is a silver bullet", please?

mort96

2 months ago

Please read my edit.

viraptor

2 months ago

It's not really a bug in uutils. The option was not implemented yet when Ubuntu decided to switch. It's known that there's no 100% compatibility and won't be for a while.

ajross

3 months ago

3 replies

You don't attack coreutils. You attack the scripts. In this case it was an update script that failed because of an incompatibility. It's not too hard at all to imagine one failing in an exploitable way.

Honestly, Rust-related hilarity aside, this project was a terrible, terrible idea. Unix shell environments have always been ad hoc and poorly tested, and anything that impacts compatibility is going to break historical code that may literally be decades old.

See also the recent insanity of GNU grep suddenly tossing an error when invoked as "fgrep". You just don't do that folks.

collinfunk

3 months ago

1 reply

> See also the recent insanity of GNU grep suddenly tossing an error when invoked as "fgrep". You just don't do that folks.

The 'fgrep' and 'egrep' didn't throw errors, it would just send a warning to standard error before behaving as expected.

Those commands were never standardized, and everyone is better off using 'grep -F' and 'grep -E' respectively.

ajross

3 months ago

1 reply

> didn't throw errors, it would just send a warning to standard error

Noted without comment. Except to say that I've had multiple scripts of my own break via "just" discovering garbage in the output streams.

> Those commands were never standardized

"Those commands" were present in v7 unix in 1979!

larusso

2 months ago

1 reply

I think he means POSIX. Didn’t check but in some cases posix only covers some options a tool provides not all. It’s a hard lesson I learned while keeping shell scripts portable between Linux and macOS.

collinfunk

2 months ago

1 reply

Yep. I was slightly incorrect in my original message, though. SUSv2 (1997) specified egrep and fgrep but marked them LEGACY. POSIX.1-2001 removed them.

The only place that that doesn't support 'grep -E' and 'grep -F' nowadays is Solaris 10. But if you are still using that you will certainly run into many other missing options.

[1] https://pubs.opengroup.org/onlinepubs/007908775/xcu/egrep.ht... [2] https://pubs.opengroup.org/onlinepubs/007908775/xcu/fgrep.ht...

ajross

2 months ago

1 reply

"GNU grep implemented a change that breaks pre-existing scripts using a 46 year old API, but it's OK because the required workaround works everywhere but Solaris 10" seems like not a great statement of engineering design to me.

1718627440

2 months ago

"GNU grep added a warning to inform you of the deprecation which happened 28 years ago, but only to stderr, and still works like you expect", does to me.

JuniperMesos

2 months ago

2 replies

This is not a rousing endorsement of the Unix shell environment. Maybe that should be rewritten in something else too (probably not Rust, Rust is probably not a good choice for this - but something that is designed in such a way that it is easy to test would be nice!).

viraptor

2 months ago

1 reply

There's nothing about rust that makes things hard to test. Actually the embedded test framework makes it easier than C. But what really matters is the public interface of those tools and that's got an extensive test suite available. It doesn't matter which language is used internal for those tests to run.

JuniperMesos

2 months ago

1 reply

I meant that Rust is probably not a good choice for a new shell scripting environment, not that Rust is hard to test. I was responding to the claim "Unix shell environments have always been ad hoc and poorly tested", which is a bad thing and is worth fixing in and of itself.

viraptor

2 months ago

> not a good choice for a new shell scripting environment

Why?

ajross

2 months ago

1 reply

> This is not a rousing endorsement of the Unix shell environment.

It's surely not. The question wasn't how to rewrite the shell environment to be more "endorseable", though.

The point is that we have a half century (!) long history of writing code to this admittedly fragile environment, with no way to audit usage or even find all the existing code (literally many of the authors are retired or dead).

So... it's just not a good place to play games with "Look Ma, I rewrote /usr/bin/date and it's safe now!" Mess with your own new environments, not the ones that run the rest of the world please.

JuniperMesos

2 months ago

1 reply

Maybe it's more important to rewrite half a century of poorly documented and specified shell scripts that are so embedded that their existence gets in way of rewriting fundamental Unix command line utilities, than it is to rewrite those utilities themselves. Any time someone makes the claim "we shouldn't touch this code, it's fragile" that state of affairs is itself bad. Our free software source code shouldn't be some poorly understood black box that we're afraid to touch for fear of breaking something, and if it is that is something we should fix.

ajross

2 months ago

> Maybe it's more important to rewrite half a century of poorly documented and specified shell scripts

Sounds like a plan. Let me know when you're done, and then we can remove fgrep.

johnny22

3 months ago

and yet coreutils continues to receive updates in ways that could break things.

LtWorf

3 months ago

I reported a segfault in "tac" a number of years ago.

denkmoon

3 months ago

To play devil's advocate, who knows what kind of madness people are handing off to subprocess.run(["date"]) et al. They shouldn't, but I'd bet my last dollar it's out there.

wvh

2 months ago

A thousand badly written shell scripts might disagree.

jwhitlark

3 months ago

1 reply

Safer threading for performance improvements was part of it, as I understand.

cozzyd

2 months ago

1 reply

   $ /usr/bin/time date
   Fri Oct 24 10:20:17 AM CDT 2025
   0.00user 0.00system 0:00.00elapsed 0%CPU (0avgtext+0avgdata 2264maxresident)k
   0inputs+0outputs (0major+93minor)pagefaults 0swaps

Imagine how much faster it will be with threading!

rurban

2 months ago

1 reply

Rather think of cp, mv, install, backup. Copying files faster is still an ongoing effort, also in gnu coreutils

1718627440

2 months ago

When I want to do stuff in parallel at the OS level, I rather user processes and e.g. GNU parallel.

agumonkey

3 months ago

when your bug it fully typed

dwroberts

3 months ago

2 replies

Probably stuff like https://www.cvedetails.com/cve/CVE-2015-4042/

kasabali

2 months ago

1 reply

"Denial of service"

In sort command

Is this the best they could come up with?

xxs

2 months ago

1 reply

In some cases it was possible to crash (overflow) sort.c, not just DoS. I did try to look more info the issue - it was not handled for quite some time however I did not find any real world impact.

collinfunk

2 months ago

Minor correction, but that bug was never in any "official" coreutils release. The bug was in a multi-byte character patch that many distributions use (and still use). There have been other CVEs in that patch [1].

But the worst you can do is crash 'sort' with that. Note that uutils also has crashes. Here is one due to unbounded recursion:

  $ ./target/release/coreutils mkdir -p `python3 -c 'print("./" + "a/" * 32768)'`
  Segmentation fault (core dumped)

Not saying that both issues don't deserve fixing. But I wouldn't really panic over either of them.

[1] https://lwn.net/Articles/535735/

hitekker

3 months ago

Didn't that bug get fixed before it went public?

username223

3 months ago

3 replies

Not enough Rust.

The thought of rewriting anything as intricate, foundational, and battle-tested as GNU coreutils from scratch scares me. Maybe I'd try it with a mature automatic C-to-Rust translator, but I would still expect years of incompatibilities and reintroduced bugs.

See also the "cascade of attention-deficit teenagers" development model.

kstrauser

3 months ago

2 replies

Eh. People have written replacements for glibc because they didn't like something or another about it, and that seems to me to be way more fraught with risk than coreutils.

elcritch

3 months ago

1 reply

Folks also run into compatibility issues with musl as well. The biggest I recall was an issue with DNS breaking because musl didn’t implement some piece.

kasabali

2 months ago

TBF DNS handling of glibc is crazy.

username223

3 months ago

Fair enough. My gut sense is that C functions are simpler than shell commands, with a handful of parameters rather than a dozen or more flags, and this bug supports that -- they forgot to implement a flag in "date." But I haven't tried to do either, so I could be wrong.

JuniperMesos

2 months ago

1 reply

> The thought of rewriting anything as intricate, foundational, and battle-tested as GNU coreutils from scratch scares me. Maybe I'd try it with a mature automatic C-to-Rust translator, but I would still expect years of incompatibilities and reintroduced bugs.

It is extremely bad that it's not a relatively straightforward process for any random programmer to rewrite coreutils from scratch as a several week project. That means that the correct behavior of coreutils is not specified well enough and and it's not easy enough to understand it by reading the source code.

pseudony

2 months ago

1 reply

Not to be too harsh, but if that’s your (fundamentalist) attitude to software, remind me to argue strenuously to never have you hired where I work. Fact is you can’t rewrite everything all the time, especially the bits that power the core of a business, and has for a decade or more. See banking and pension systems, for instance.

andriamanitra

2 months ago

I think you're completely missing the point. The problem being solved is not that coreutils is bad and thus they should be rewritten, the problem is that coreutils is not specified well enough to make new implementations straight-forward. Thus a new implementation written from scratch is tremendously valuable for discovering bugs and poorly documented / unspecified behavior.

For a business it's often fine to stop at a local maximum, they can keep using old versions of coreutils however long they want, and they can still make lots of money there! However we are not talking about a business but a fundamental open source building block that will be around for a very long time. In this setting continuous long term improvement is much more valuable than short term stability. Obviously you don't want to knowingly break stability either, and in this regard I do think Ubuntu's timeline for actually replacing the default coreutils implementation is too ambitious, but that's beside the point—the rewrite itself is valuable regardless of what Ubuntu is doing!

umanwizard

3 months ago

FWIW, GNU coreutils is itself a rewrite of stuff that existed before, and which has been rewritten multiple other times.

bilekas

3 months ago

2 replies

It wasn't rewritten in rust yet. Therefore it wasn't complete. /s

baq

3 months ago

1 reply

This joke is getting more worn out than ‘fizz buzz saas in rust’ hn post titles have ever been

kasabali

2 months ago

1 reply

Yeah. Except it isn't a joke. Rustafarians are dead serious.

pdimitar

2 months ago

1 reply

Some actual links would be nice. I have not seen a Rust zealot in HN for like at least 3 years at this point. (On Reddit I've seen plenty, but who takes Reddit seriously?)

kasabali

2 months ago

Here's a link: https://news.ycombinator.com/item?id=45686919

pepa65

3 months ago

They hadn't implemented the `-r` flag of `date`... But worse than that, they didn't squeek on the unimplemented flag (because the interface was already accepting it...). This is an incompetent implementer (and project management?)

rolandog

3 months ago

6 replies

I have a suspicion it's about the license, like this commenter [0] did a year ago.

[0]: https://news.ycombinator.com/item?id=38853429

ndiddy

3 months ago

6 replies

Agreed. Since GNU Coreutils is GPLv3 but uutils is MIT, my guess is eventually Canonical will start using "works like the GNU software except you don't have to comply with GPLv3" as a selling point for Ubuntu Core (their IoT focused distro). This would let them sell to companies who want to only permit signed firmware images to run on their devices, which isn't allowed under GPLv3.

mjmas

3 months ago

1 reply

If it was only for that, they could use/improve busybox, which has the same license as the kernel (GPLv2).

Perhaps it is also so they can be used in closed source systems (I have uutils installed on my Windows system which works nicely).

mort96

3 months ago

Busybox is frankly a horrible user experience, and will never be a good one. Its niche is to be as small as possible, as a single static executable, while providing most tools you need to get the job done in an embedded system. Bells and whistles like a shell that's nice to use, or a vi implementation with working undo/redo, or extensive built-in documentation in the form of --help output, are non-features which would make busybox worse for its primary use case.

easterncalculus

3 months ago

2 replies

  This would let them sell to companies who want to only permit signed firmware images to run on their devices, which isn't allowed under GPLv3.

How is this not allowed under GPLv3?

mort96

3 months ago

1 reply

Isn't preventing "tivoization" the whole point of the GPLv3?

pabs3

2 months ago

GPv2 does that too: https://news.ycombinator.com/item?id=45691997

sidewndr46

3 months ago

Search for "Tivoization" and the GPLv3

feisty0630

3 months ago

3 replies

There are F500 companies shipping Ubuntu Core on devices that will only permit signed firmware, so I'm not sure your assessment is correct.

https://buildings.honeywell.com/au/en/products/by-category/b...

rcxdude

2 months ago

1 reply

Depending on the product, this might be OK! If you've ever had cause to closely read the GPLv3, the anti-tivoisation clause for some reason is only really aimed at "User products" (defined as "(1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling"). This one looks like it's a potential grey area, since it's not obvious if it's intended for buildings that anyone would live in.

voakbasda

2 months ago

I worked on an embedded product that was leased to customers (not sold). The system included GPLv3 portions (e.g. bash 5.x) but they concluded that we did not need to offer source code to their cuatomers.

The reasoning was that the users didn’t own the device. While I personally believe this is not consistent with recent interpretations of the license by the courts, I think they concluded that it was worth the risk of a customer suing to get the source code, as the company could then pull the hardware and leave that customer high and dry. It is unlikely any of their users a would risk that outcome.

pantalaimon

2 months ago

As long as nobody sues them everything is fine

rolandog

2 months ago

Take a look at their customer testimonials [0] and ask yourself if they have recently made anticompetitive or user-hostile moves. Now, ask yourself: do you think they like being beholden to a license that makes it harder for them to keep their monopolies?

[0]: https://ubuntu.com/pro/

Edited to add: it would be cool if, instead of the top-most wealth-concentrators F[500:], there was an index of the top-most wealth-spreaders F[:500]. What would that look like? A list of cooperatives?

testdelacc1

2 months ago

1 reply

In this hypothetical situation are Canonical also replacing the GPL Linux kernel? If they’re not replacing the Kernel, how does anything change for the end user?

gldrk

2 months ago

1 reply

Linux is GPLv2, there is no tivoization protection. In fact most tivoized devices run Linux.

pabs3

2 months ago

1 reply

The Software Freedom Conservancy disagrees, and they are the main enforcers of the GPL these days, especially for Linux.

https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...

viraptor

2 months ago

1 reply

Basically every IOT/router/phone/whatever which is advanced enough runs Linux and almost every one of them enforces firmware signing. They'd have to fight the whole world at this point.

pabs3

2 months ago

They'll be doing that I expect, they are starting by making it possible for anyone to sue over GPL compliance, not just the authors.

https://sfconservancy.org/copyleft-compliance/vizio.html

fweimer

2 months ago

1 reply

I doubt GPL version 3 is the motivation here.

https://packages.ubuntu.com/plucky/rust-coreutils

The dependencies of rust-coreutils list libgcc-s1, which is GPL version 3.

ndiddy

2 months ago

1 reply

This isn't anything specific to uutils. When you build a Rust program that links with glibc, it needs to use libgcc to do the stack unwinding. If you look at other packaged Rust programs on Ubuntu, they all depend on libgcc for this reason. For example, Eza https://packages.ubuntu.com/plucky/eza and Ripgrep https://packages.ubuntu.com/plucky/ripgrep . If Ubuntu moves to some safe, permissively licensed glibc replacement in the future, this requirement will drop off all their Rust packages. I'm not saying this uutils change alone will let Ubuntu get out of GPLv3 compliance, I'm saying they likely view GPLv3 software in the base install as undesirable due to their IoT customers and will replace it with a permissively licensed alternative given the opportunity.

fweimer

2 months ago

The dependency of glibc on the unwinder (for backtrace, pthread_exit and pthread_cancel) is a glibc packaging problem. You need to plan for replacing glibc anyway because its licensing could switch to (L)GPLv3+ (including for existing stable release branches).

However, it would be a fairly straightforward project to replace the unwinder used directly by Rust binaries with the one from libunwind. Given that this hasn't happened, I'd be surprised if Canonical is actually investing into a migration. Of course there are much bigger tasks for avoiding GPLv3 software, such as porting the distribution (including LLVM itself and its users) from libstdc++ (GCC's C++ standard library that requires GCC to build, but provides support for Clang as well) to libc++ (LLVM's C++ standard library).

ls65536

3 months ago

If that's really the case, I wish they would just come out and say it and spare the rest of us the burden of trying to debate such a decision on its technical merits. (Of course, I am aware that they owe me nothing here.)

Assuming this theory is true then, what other GPLv3-licensed "core" software in the distro could be next on their list?

mjmas

3 months ago

2 replies

It looks like we have three major open source imementations:

- GNU coreutils (GPLv3)

- uutils coreutils (MIT)

- busybox (GPLv2)

skydhash

3 months ago

1 reply

There's the BSD coreutils too.

rurban

2 months ago

Which is the first and canonical one. GNU added a lot of bells and whistles, and esp. nonsense like --help and --version support for everything, like true and false.

rzr

2 months ago

Toybox is the 4th one

https://en.wikipedia.org/wiki/Toybox

steveklabnik

3 months ago

1 reply

The authors have specifically said that it’s not. They just chose Rust community licensing norms, they don’t really care about licenses.

db48x

3 months ago

2 replies

That might be Canonical’s motive though.

bboozzoo

2 months ago

Seriously, how on earth are you coming up with this? Time and again they debunk those silly claims but people just keep bringing this up on and on. Is it some sort of conspiracy theory?

steveklabnik

2 months ago

That's fair!

LtWorf

3 months ago

I've had the same suspicion since I read about it the first time.

CaptainOfCoit

3 months ago

I like how the first comment is asking "is anyone actually going to switch to this version?" and here we are with one of the major Linux distributions using it already, and already managed to ship a bug via it.

Brave of them to ship a Rust port of sudo as well.

johnisgood

3 months ago

Is it not just yet another Rust rewrite?

309 more comments available on Hacker News

View full discussion on Hacker News

ID: 45686919Type: storyLast synced: 11/20/2025, 8:14:16 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN