
Re: Bug#1064617: Passwords should not be changed frequently



Philip Hands wrote:
>> https://salsa.debian.org/installer-team/user-setup/-/commit/77c1517fade367bc465da2a5908c5ac47dd8bba7
>>
>>   Template: passwd/root-password
>>   Type: password
>>   # :sl1:
>>   _Description: Root password/passphrase:
>>    One needs a password/passphrase that grants
>>    access to the 'root' (system administrative) account.
>>    Be aware that a malicious or unqualified user
>>    that obtains root access can have disastrous results,
>>    so you should choose a password/passphrase that cannot be guessed.
>>    It should not be a word found in dictionaries,
>>    or something that could be easily associated with you.
>>
>> (Summary: You DO need a root password.)
> 
> No, as I said, what that's trying to say is that there needs to exist a
> password that one way or the other will let one get access to the root
> account (since otherwise one is not going to be able to admin the
> machine), but that is not necessarily the same thing as a "root
> password".
> 
> If it comes across as meaning that there needs to be a "root password",
> then it's not succeeding in expressing the nuance of the situation
> correctly, and we probably need to fix that (assuming that we can come
> up with a better wording that still fits in the space available).

Yes; even reading it suspecting that that might be what it was meant
to be saying I found it hard to read that interpretation into it.  The
line starting "One needs a password..." implies that this dialogue
deals with the need for the particular *password* that gives access to
the root *account* - the obvious interpretation is that it's talking
about the "Root password/passphrase" in the Description.  It takes some
mental contortions to see that my own login password might also be
thought of as doing that, and further, that this dialogue can be seen
as creating (or no, I mean causing the existence of) such a password.

But I notice now that the way I've phrased it means users aren't
implicitly warned that a sudo-privileged user account needs a good
password, so maybe I need another coffee and a think...

>>    .
>>    To allow direct password-based access to root,
>>    you should set the 'root' password/passphrase here.
>>    .
>>    Alternatively, you can lock root's password
>>    by leaving this setting empty, and
>>    instead use the system's initial user account
>>    (which will be set up in the next step)
>>    to become root. This will be enabled for you
>>    by adding that user to the 'sudo' group.
>>    .
>>    Note: what you type here will be hidden (unless you select to show it).
>>
>> (Summary: You DON'T need a root password.)
>>
>> Suggested rewrite (short version):
>>
>>  _Description: Root password/passphrase:
>>   To allow direct password/passphrase-based access to the 'root'
>>   (system administrative) account you can set it up here.
>>   To protect your system you should not use one that can be guessed.
>>   .
>>   Alternatively, you can lock root's password
>>    by leaving this setting empty, and
>>    instead use the system's initial user account
>>    (which will be set up in the next step)
>>    to become root. This will be enabled for you
>>    by adding that user to the 'sudo' group.
>>    .
>>    Note: what you type here will be hidden (unless you select to show it).
> 
> This is certainly better than good enough, so I'd be fine with this too.

Post-coffee (also fixing that wobbly indent):

   Some account needs to have system administrative privileges. The
   password/passphrase for that account should be something that
   cannot be guessed.
   .
   To allow direct password-based access via the 'root' account, you
   can set the password/passphrase for that account here.
   .
   Alternatively, you can lock root's password
   by leaving this setting empty, and
   instead use the system's initial user account
   (which will be set up in the next step)
   to become root. This will be enabled for you
   by adding that user to the 'sudo' group.
   .
   Note: what you type here will be hidden (unless you select to show it).

Maybe instead of saying "use the system's initial user account to
become root" it should say "allow the system's initial user account
to gain administrative privileges"?  I'm not sure.  Oh, and we might
even want to mention the word "superuser", or then again we might not.
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
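The template text quoted above describes two end states: root has a password of its own, or root's password is locked and the initial user (put in the 'sudo' group) is the way to become root. As an added example, not from this thread or from the user-setup package, here is a POSIX sh audit check that classifies which of those states a system is in from /etc/shadow and /etc/group content; it also flags an empty root password field as its own state, since shadow(5) treats that as "no password required" rather than "locked". The user name alice, the group text and the hash value are constructed sample data; awk and cut are assumed available.

```sh
# Constructed stand-ins for /etc/shadow and /etc/group on a system installed
# with the root password left empty: root locked, initial user "alice" in the
# "sudo" group. The hash value is made up.
SAMPLE_SHADOW='root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$constructedSalt$constructedHash:19700:0:99999:7:::'
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
users:x:100:'
# password_state SHADOW_TEXT USER -> set | locked | empty | missing
# shadow(5): a field starting with "!" or "*" is not a valid crypt(3) result,
# so no password login is possible; an empty field means no password needed.
password_state() {
    line=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print; exit }')
    [ -n "$line" ] || { echo missing; return; }
    case "$(printf '%s\n' "$line" | cut -d: -f2)" in
        '')         echo empty ;;
        '!'*|'*'*)  echo locked ;;
        *)          echo set ;;
    esac
}

# in_group GROUP_TEXT GROUPNAME USER -> yes | no (supplementary members only)
in_group() {
    members=$(printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4; exit }')
    case ",$members," in
        *",$3,"*) echo yes ;;
        *)        echo no ;;
    esac
}

# admin_access SHADOW_TEXT GROUP_TEXT INITIAL_USER -> which path to
# administrative privileges the system offers:
#   root-password  root has a password set (direct root login possible)
#   sudo-user      root locked; initial user is in "sudo" and has a password
#   root-empty     root's password field is empty (no password required)
#   none           root locked and the initial user cannot become root
admin_access() {
    root=$(password_state "$1" root)
    [ "$root" = empty ] && { echo root-empty; return; }
    [ "$root" = set ] && { echo root-password; return; }
    if [ "$(in_group "$2" sudo "$3")" = yes ] &&
       [ "$(password_state "$1" "$3")" = set ]; then
        echo sudo-user
    else
        echo none
    fi
}
admin_access "$SAMPLE_SHADOW" "$SAMPLE_GROUP" alice
```

On a real system the same functions can be fed `cat /etc/shadow` (as root) and `cat /etc/group`; a result of `none` or `root-empty` means neither path the template promises actually exists.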