The Derivative Decides

Three layers at once

Ubuntu 26.04 replaces three foundational components simultaneously, part of Canonical’s twenty-year engineering vision. On March 23, 2026, Canonical joined the Rust Foundation as a gold member.

  1. uutils replaces GNU coreutils, rewriting file, shell, and text utilities that have existed for over half a century.
  2. sudo-rs replaces sudo, rewriting the tool that governs privilege escalation on every Linux system.
  3. ntpd-rs replaces NTP, consolidating NTPD, Linux PTP, and GPSD into a single binary for time synchronization.

All three shipping as defaults in a long-term support release.


The license changed too

GNU coreutils is licensed under the GPL, which requires that any derivative work remain open source under the same terms. uutils is licensed under MIT, which carries no such obligation. We wrote about this pattern in Is It Memory Safe?. A rewrite that produces a functionally equivalent tool under a permissive license dissolves the copyleft obligation without ever violating it. When a single GitHub project does this, one repository changes its license. When a distribution replaces its default toolchain, every derivative, container image, and cloud AMI downstream inherits the change.

Linux Mint, Pop!_OS, and every Ubuntu-based AMI on AWS, GCP, and Azure inherit this change. The copyleft foundation that these systems were built on shifts from GPL to MIT. Not through a legal challenge or a relicensing vote, but through a rewrite that now ships as the default in the most popular Linux distribution, and often the first one a new user encounters.


What has already broken

The uutils date -r flag was silently incompatible with the GNU implementation. It broke Ubuntu’s own security update pipeline. sudo-rs introduced security vulnerabilities that the C version of sudo never had. Locale handling remains a structural gap across multiple utilities, with open bugs affecting sort, date, ls, and others.

These are the gaps that exist before the LTS ships. The ones discovered after will be found by the operators running it in production.


Debian has a process for this

Ubuntu is a Debian derivative. Debian marks coreutils as Essential: the highest-stakes package category in the distribution. Debian Policy is explicit: “You must not tag any packages essential before this has been discussed on the debian-devel mailing list and a consensus about doing that has been reached.”

Debian packages uutils with a uu- prefix. It coexists with GNU coreutils. Operators can install it, test it, and compare behavior without replacing anything. No proposal exists to make it the default.
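
The side-by-side comparison described above can be scripted. This is an added example, not code from Debian, Canonical, or the uutils project: a POSIX shell function that runs identical arguments through two implementations and flags any difference in stdout or exit status, which is how a silently incompatible flag shows up. The function name diff_impl is hypothetical, and uu-date in the usage comment is an assumed name built from the uu- prefix.

```shell
#!/bin/sh
# diff_impl REF ALT [ARGS...]
#   Runs both commands with identical arguments, locale and time zone, then
#   compares stdout and exit status. stderr is discarded because error
#   wording legitimately differs between implementations.
#   Returns 0 if they agree, 1 if they diverge, 2 on usage error.
diff_impl() {
    if [ "$#" -lt 2 ]; then
        echo "usage: diff_impl REF ALT [ARGS...]" >&2
        return 2
    fi
    ref=$1; alt=$2; shift 2

    # A missing command on both sides would otherwise look like agreement
    # (empty output, exit 127), so refuse to compare.
    for impl in "$ref" "$alt"; do
        command -v "$impl" >/dev/null 2>&1 || {
            echo "not found: $impl" >&2
            return 2
        }
    done

    # Pin the environment inside the subshell so a difference is attributable
    # to the implementation, not to the caller's locale or time zone.
    ref_out=$( export LC_ALL=C TZ=UTC; "$ref" "$@" 2>/dev/null ) && ref_rc=0 || ref_rc=$?
    alt_out=$( export LC_ALL=C TZ=UTC; "$alt" "$@" 2>/dev/null ) && alt_rc=0 || alt_rc=$?

    verdict=0
    if [ "$ref_rc" -ne "$alt_rc" ]; then
        echo "DIVERGE exit: ${ref}=${ref_rc} ${alt}=${alt_rc} args: $*" >&2
        verdict=1
    fi
    if [ "$ref_out" != "$alt_out" ]; then
        echo "DIVERGE stdout: ${ref} vs ${alt} args: $*" >&2
        verdict=1
    fi
    return "$verdict"
}

# Example invocation (uu-date is an assumed name; substitute whatever the
# installed package actually provides):
#   diff_impl date uu-date -r /etc/hostname +%s
```

Running this over the exact invocations that existing scripts and update tooling use, before switching defaults, turns a silent behavioral difference into a non-zero exit code.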

The last time Debian replaced a foundational default was the dash transition: one binary (/bin/sh) with a well-defined POSIX interface, swapped from bash to a smaller, faster shell.

  • 2011 (Squeeze): introduced as default
  • 2021 (Bullseye): revert option still maintained
  • 2023 (Bookworm): revert option removed

Twelve years. For one binary.

Canonical is replacing three foundational layers simultaneously, in an LTS release, on a timeline measured in months.


The derivative decides

This is not the first time Canonical has overridden the operator. Ubuntu enabled unattended-upgrades by default starting with 16.10, a decision Debian has never made. Automatic security patches on a desktop make sense. On a distribution that runs production infrastructure, the consequences are different. Even operators who explicitly opted out were not safe.

Each time Canonical overrides the operator, it answers the same question: which audience is Ubuntu built for?

Debian requires consensus to change an Essential package. Canonical requires a VP. The change ships as a feature. The CVE ships later as a fix.

Ubuntu is a Debian logo wearing a Fedora hat.