This is a follow-up to Jon’s original post on Carefully (but purposefully) oxidising Ubuntu and Julian’s migration spec for 25.10. We promised transparency throughout this process, and this post is written in that spirit.
What happened after the announcement
Following the decision to adopt rust-coreutils, we got to work. Any package shipped by default in Ubuntu must be promoted to Ubuntu Main, which requires passing a thorough security review. We quickly assembled an internal team spanning Ubuntu Foundations (@juliank, @bamf0) and Ubuntu Security (@sarnold, @hlibk) to collaborate closely with the upstream uutils project.
Early in the process, our assessment surfaced some serious concerns, and we realised that an internal review alone would not be sufficient. To gain the level of confidence required for an LTS release, we decided to commission an independent external security audit.
Partnering with Zellic
We partnered with Zellic, a top-tier security research firm staffed by world-renowned competitive hackers and infosec experts. The audit was conducted in two phases:
Round 1 (Dec 2025 - Jan 2026): Audit of high-priority utilities, the most security-sensitive tools in the coreutils suite.
The full Zellic audit report will be published soon.
Round 2 (Feb 2026 - Mar 2026): Audit of the remaining utilities. In this phase, Zellic contributed mitigations directly upstream as pull requests (30).
Across both rounds, 113 (73+40) issues of varying severity were identified. All findings were coordinated and reported upstream:
The upstream community responded swiftly and the vast majority of issues have been addressed and resolved.
Current status for 26.04 LTS
We shipped rust-coreutils as the default in Ubuntu 25.10 to maximise real-world testing ahead of the LTS. Based on the audit findings and remediation progress, here is where we stand for Ubuntu 26.04 LTS.
We have included the latest upstream release 0.8.0 in Ubuntu 26.04, which incorporates the bulk of the security fixes.
cp, mv, and rm continue to be provided by GNU coreutils in 26.04. The rust-coreutils versions of these utilities have remaining open TOCTOU (time-of-check to time-of-use) issues (8 as of Apr 22, 2026) that need to be resolved before we are confident shipping them.
Our plan is to address the remaining issues as soon as possible and target Ubuntu 26.10 with 100% rust-coreutils.
Conclusion
This effort has been a genuine collaboration across organisational boundaries, and we’d like to thank:
Sylvestre Ledru and the uutils community for outstanding upstream leadership and responsiveness to the audit findings.
Zellic - their rigorous audit is a key reason we are confident in shipping rust-coreutils in an LTS release.
The open source community at large - for contributions in the form of code, bug reports, testing, and feedback.
We’d love your help in making rust-coreutils rock-solid. If you’re running Ubuntu 26.04 (or 25.10), please put the new coreutils through their paces, especially in your real-world workflows, scripts, and CI pipelines. If you encounter any unexpected behaviour or compatibility issues, please file a bug:
This migration has been a success overall. We remain committed to completing the transition and will continue to provide updates as work progresses.
CVE disclosures
As part of this transparency commitment, we are disclosing the following CVEs identified during the audit process: