Rust Coreutils 0.9 Turns Ubuntu’s Caution Into a Roadmap
Rust Coreutils 0.9 is a security-heavy release for the Rust reimplementation of GNU Coreutils, adding TOCTOU-resistant copy logic, more unsafe-code removals and faster Linux I/O paths. The sharper point for administrators is timing: it arrives weeks after Ubuntu kept cp, mv and rm on GNU in its LTS because file-race bugs still mattered.
The release makes the Rust command-line project look less like a laboratory rewrite and more like a negotiated migration plan. Safety gains are visible, compatibility gaps are measured, and distributions now have a clearer line between commands that can move by default and commands that still need proof.
The Release Lands Where Ubuntu Drew the Line
In the uutils 0.9.0 release notes, uutils, the open-source project behind Rust Coreutils, ties this cycle to a third-party audit and a push to cut unsafe Rust. The practical centerpiece is uucore::safe_copy, a shared module meant to make copy operations less exposed to time-of-check to time-of-use (TOCTOU, a race where a file or permission state changes between validation and use) bugs.
That matters because coreutils sit under scripts, package builds, installer hooks and recovery shells. A bug in cp or mv can change ownership, follow the wrong link, copy the wrong node or delete the wrong tree at system speed.
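The race class described above, as an added Rust illustration (not uutils code and not how uucore::safe_copy is implemented): the first function validates a path and then looks it up again, the second opens once and decides on the open handle. All function names, the `window` callback that simulates a concurrent change, and the sample files are constructed for this example; it assumes a Unix system.

```rust
// Added illustration, not uutils code; all function names are hypothetical.
use std::fs::{self, File};
use std::io::{self, ErrorKind, Read};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::Path;

/// Check-then-use by name: lstat validates the path, then the path is looked up again.
/// `window` stands in for whatever another process does between the two calls.
pub fn read_checked_by_path(p: &Path, window: impl FnOnce()) -> io::Result<String> {
    if !fs::symlink_metadata(p)?.file_type().is_file() {
        return Err(ErrorKind::InvalidInput.into());
    }
    window(); // the name can be re-pointed here
    fs::read_to_string(p) // second lookup follows whatever the name is now
}

/// Handle-based: open once, then make every decision on the open descriptor.
pub fn read_checked_by_handle(p: &Path, window: impl FnOnce()) -> io::Result<String> {
    let seen = fs::symlink_metadata(p)?;
    let mut f = File::open(p)?;
    let held = f.metadata()?; // fstat on the descriptor, not on the name
    // Refuse unless the object we hold is the regular file that lstat saw.
    if !held.is_file() || (seen.dev(), seen.ino()) != (held.dev(), held.ino()) {
        return Err(ErrorKind::InvalidInput.into());
    }
    window(); // later renames cannot change what `f` refers to
    let mut s = String::new();
    f.read_to_string(&mut s)?;
    Ok(s)
}

/// Constructed scenario: `src` is replaced by a symlink to `other` mid-operation.
pub fn demo() -> io::Result<(String, String)> {
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (src, other) = (dir.join("src"), dir.join("other"));
    fs::write(&other, "unrelated")?;
    let fresh = || { let _ = fs::remove_file(&src); fs::write(&src, "intended") };
    let swap = || { let _ = fs::remove_file(&src); symlink(&other, &src).unwrap() };
    fresh()?;
    let by_path = read_checked_by_path(&src, &swap)?;
    fresh()?;
    let by_handle = read_checked_by_handle(&src, &swap)?;
    fs::remove_dir_all(&dir)?;
    Ok((by_path, by_handle))
}

fn main() { println!("{:?}", demo()); }
```

The path-based reader returns the contents of the file the name was re-pointed to, while the handle-based reader returns the file it originally validated. Production code usually adds `O_NOFOLLOW` and directory-relative `openat` calls on top of this pattern.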
The mixed scorecard is why this release is more interesting than a normal version bump. It raises the ceiling for Rust replacements while showing the edges that still decide whether a distribution can trust them by default.

The Audit Changed the Migration Map
Canonical, Ubuntu’s commercial sponsor, had already put Rust replacements into mainstream Linux. The Ubuntu 26.04 rust-coreutils note says the operating system’s core utilities are now provided by the rust-coreutils package, while classic GNU tools remain reachable through gnu-prefixed commands or provider-package swaps.
The same documentation names the carve-out: cp, mv and rm stayed on GNU because unresolved bugs remained. Canonical’s rust-coreutils audit update said Zellic, the security firm that reviewed the codebase, found 113 issues across two audit rounds and that eight open TOCTOU issues remained for those three utilities as of April 22.
- cp and mv get more file-race work, including safer copy primitives and fixes for cross-device behavior.
- rm gets dot and dot-dot path parsing protection, the kind of edge case that matters when deletion is recursive.
- nohup now creates nohup.out with mode 0600, narrowing default read access for output files.
- chroot now resolves IDs before entering the new root, reducing surprises after the environment boundary changes.
That sequence turns 0.9 into a response to Ubuntu’s caution rather than a simple upstream milestone. The project is closing the class of bugs that made the most dangerous file commands hard to ship.
Compatibility Carries the Hardest Math
The failure count can be misread. The release moved from GNU 9.10 to GNU 9.11 as its reference, and the upstream suite grew from 665 to 690 tests. That made the visible failure number worse, even though uutils says no previously passing functionality regressed.
> The rise in failing tests is due to the upstream GNU test suite being extended, not to regressions on our side.
That note is doing a lot of work. Coreutils compatibility is tested in strange corners: locale rules, symbolic links, device files, error strings, exit codes and decades of shell habits. The table shows why compatibility is the blocker.
| Track | Version Or Source | Why It Matters | Risk Signal |
|---|---|---|---|
| uutils Rust Coreutils | 0.9.0 upstream release | Safer copy path, rustix migration and faster Linux data paths | 56 failures and 1 error in 690 GNU tests |
| GNU Coreutils | 9.11 stable, per the GNU Coreutils 9.11 announcement | Behavioral baseline for scripts and distributions | Still adding speed work, including a 15x yes example on Power10 |
| Ubuntu default mix | 26.04 LTS package set | Production test of Rust utilities with GNU fallbacks for the riskiest commands | Default swap is partial, not complete |
For a developer, that may feel frustrating. For a distribution maintainer, it is the whole job: the replacement has to be safer without teaching old scripts new behavior at the worst possible moment.
Faster Pipes Help, but Trust Sets the Limit
Performance work in this cycle is less politically loaded but still useful. The release adds zero-copy input/output (I/O, moving data without extra user-space copies) fast paths through Linux splice(), tee() and pipe() across cat, wc, head, tail, yes, cp, tee and unexpand. The project cites a 7.5% gain for unexpand and faster cp when reading from a pipe on Linux.
GNU is also moving. Its 9.11 notes said yes gained zero-copy I/O on Linux, with an example throughput jump from 11.6 GiB/s to 175 GiB/s on a Power10 system. That number should stop anyone from treating the Rust rewrite as the only performance story.
The useful comparison is narrower. Rust Coreutils is trying to win speed while shrinking unsafe code and preserving behavior. GNU is tuning a mature C codebase that still defines the expected answers. For packagers, the question becomes less which codebase has the fastest microbenchmark and more which one gives predictable output under ugly scripts.
Packagers Get Three Safe Defaults
For Ubuntu users, 0.9 does not automatically rewrite the LTS system. Canonical’s audit update identified 0.8.0 as the upstream release included in the first LTS cut. Upstream 0.9 is the next data point for distributions, container images and projects that vendor their command-line base.
In practice, maintainers now have three sane defaults:
- Fresh testing images can move early and report command-level surprises upstream.
- Long-term support fleets can keep GNU fallbacks for commands that touch ownership, links and deletion.
- Continuous integration (CI, automated build and test jobs) runners can pin one provider and record it as part of the build environment.
Switching between providers is possible on Ubuntu with coreutils-from-gnu and coreutils-from-uutils, but that is a system-level choice, not a casual theme toggle. Build machines, CI runners and disaster-recovery images should be treated as separate audiences.
The stronger upstream release also helps non-Ubuntu packagers because it separates two arguments that are often blurred together. Memory safety is a long-term reason to migrate. GNU compatibility is the daily reason to wait.
Every Shell Script Holds a Vote
The overlooked stakeholder is the shell script nobody owns. The uutils Coreutils project page says the goal is a drop-in replacement for GNU utils and that differences with GNU are treated as bugs. That sentence is a high bar because shell code often relies on old error text, exit codes, locale formatting and undefined habits.
The technical gains in 0.9 still travel beyond Ubuntu. ls was refactored so Nushell, the Rust-friendly shell project, can call it without forcing all output through standard output. WebAssembly System Interface (WASI, a way for WebAssembly programs to use operating-system services) support reached ln, dd, mktemp and tty.wasm; Cygwin, Windows and OpenBSD work also moved. That widens the test surface.
MITRE’s CWE-367 TOCTOU definition puts these bugs in the family of race conditions where a resource changes after it is checked. That is why this release reads like a security repair manual with a performance appendix. If package maintainers move the new copy path into default builds, the Rust replacement gains its hardest commands. If they wait, the release still does useful work: it tells them exactly why they waited.
