Todd Miller, who has maintained the sudo utility - a critical piece of Linux/Unix infrastructure used by millions of systems worldwide - says continuing development is 'untenable' without resources. The situation highlights open source's sustainability crisis. Billions of dollars of commerce rely on software maintained by one person who can't afford to keep doing it.
Let me explain why this matters. If you've ever used a Linux or Unix system - which means if you've ever used a Mac or an Android phone, or accessed a website - you've benefited from sudo. It's the command that lets authorized users run programs with elevated privileges. It's how system administrators manage servers without logging in as root all the time. It's foundational security infrastructure.
And it's maintained by one guy who can no longer afford to do it.
Todd Miller has been maintaining sudo for over 30 years, since 1993. Quest Software sponsored the project until February 2024, but Miller lost that backing after departing from Quest subsidiary One Identity. Since then, he's been looking for a new sponsor.
On his website, Miller is explicit: "I'm currently in search of a sponsor to fund continued sudo maintenance and development." Without financial support, development has slowed dramatically. He's focusing primarily on bug fixes rather than new features. In an interview with The Register, he put it bluntly: "Without some form of assistance it is untenable. Maintainer burn-out is real."
Think about what this means. Millions of servers. Countless critical systems. Major corporations, governments, infrastructure providers - all depending on software maintained by someone who's asking for help and not getting it.
This isn't unique to sudo. This is the open source sustainability crisis in microcosm. Remember Log4j? When that vulnerability was discovered, everyone freaked out about how many systems were affected. But hardly anyone asked why the logging library that powers half the internet was maintained by volunteers in their spare time.
Or look at OpenSSL before the Heartbleed bug. Two guys were maintaining encryption infrastructure for the entire internet. After Heartbleed, money poured in - because nothing motivates funding like catastrophic failure. But it shouldn't take a disaster for critical infrastructure to get resources.
The situation is particularly frustrating because the money exists. Companies that depend on sudo have massive IT budgets. They spend millions on commercial software licenses. But they assume open source software is free - not just in cost but in maintenance. Someone else will handle it. Someone else will fix the bugs. Someone else will respond to security vulnerabilities.
Except that someone is Todd Miller, and he's telling everyone he can't keep doing it without help.
To be fair, there are attempts to address this. Ubuntu now defaults to sudo-rs, a Rust-based alternative. That's good for diversification, but it doesn't solve the underlying problem. It just shifts the burden to a different set of maintainers who may face the same sustainability issues.
The solution isn't complicated. Companies that depend on open source infrastructure should fund it. Not with empty gratitude or GitHub stars, but with actual money. Pay maintainers. Sponsor development. Treat critical infrastructure like it's critical.
The technology is impressive - sudo has been securing Unix systems for three decades. The question is whether anyone needs it to keep working. Based on the lack of sponsors stepping forward, you'd think the answer was no. But then you'd also have to explain what happens when it stops being maintained.




