Move sudo to community
Summary
At present, sudo is in the main repository, which requires us to provide security support for 2 years. Upstream sudo does not provide an "LTS" lifecycle, so this requires either performing security upgrades during the maintenance lifecycle, or backporting security fixes by hand.
Benefit to Alpine
Prior to the creation of the security team, there was an unofficial preference to push doas as the preferred pivot tool for Alpine. This reinforces that messaging.
Additionally, we do not have to support sudo for a 2-year lifecycle, since there are no LTS branches for it.
Contingency Plan
If there is a problem with implementing this plan, we will move sudo back to main from community, but no such problem is expected.
Documentation
This will need to be documented in the release notes. We should recommend doas as the preferred pivot tool, noting that sudo is available in community if explicitly wanted.
Owners
@kdaudt and @kaniini will implement this change on behalf of @team/security.
Timeline
We would like to implement this change within the next few weeks, with TSC approval.