Re: Bug#863868: [installation-guide] Re: USB Memory Stick: Issues with win32diskimager
On Wed 25 Jul 2018 at 21:06:23 +0200, Holger Wansing wrote:
> Hi,
>
> Varanka Risto <risto.varanka@aalto.fi> wrote:
> > Package: installation-guide
> > Severity: important
> > Tags: security
> >
> > The online installation guide for Debian Stable at
> > https://www.debian.org/releases/stable/i386/ch04s03.html.en recommends the use
> > of the win32diskimager utility for writing images to USB in section
> > "4.3.1. Preparing a USB stick using a hybrid CD or DVD image". This software
> > currently has issues, might compromise the security of Debian users and probably
> > should not be recommended by Debian:
> >
> > 1) User comments on the main page
> > https://sourceforge.net/projects/win32diskimager/ report that the current
> > version 1.0.0 contains malware, or tries to install crapware as part of the
> > installation process. (If possible this should be investigated and if indeed
> > the project is compromised, Debian users should be notified.)
> >
> > 2) Some user comments also state the tool does not work on Windows 10 while
> > others claim it does. I installed this on a Windows 10 system and the software
> > turned out not to function properly, indicating that 1) might also be the case,
> > and of course majorly impacting Debian installation experience. Details below.
> >
> > Navigate to Files->Archive and click on win32diskimager-1.0.0-install.exe.
> > On the following page download starts automatically. Install the tool, run it
> > and provide administrator credentials. Try to select the file to write: the
> > opened file browser does not display almost any directories, and when an .img
> > file is copied to the directories available, it does not show up in the file
> > browser.
> >
> > I suggest to replace the recommended tool for the time being and to
> > investigate the trustworthiness of the utility.
>
>
> I would like to change it this way, if noone objects:
>
>
> diff --git a/en/install-methods/boot-usb-files.xml b/en/install-methods/boot-usb-files.xml
> index 7f59939d9..13b6e175a 100644
> --- a/en/install-methods/boot-usb-files.xml
> +++ b/en/install-methods/boot-usb-files.xml
> @@ -55,10 +55,9 @@ as follows, after having made sure that the stick is unmounted:
> <prompt>#</prompt> <userinput>sync</userinput>
> </screen></informalexample>
>
> -The
> -<ulink url="http://sf.net/projects/win32diskimager/";>
> -win32diskimager</ulink>
> -utility can be used under other operating systems to copy the image.
> +There are also utilities for other operating systems to copy the image, like
> +<ulink url="https://rufus.akeo.ie/";>Rufus</ulink> or
> +<ulink url="http://sf.net/projects/win32diskimager/";>win32diskimager</ulink>.
>
> </para><important><para>
So, now we recommend two tools Debian does not control in the
Installation Guide. When another post like Varanka Risto's
(quoted above) comes along, do we look for a third one? Then a
fourth?
Mentioning such software in a core document implies we support
it. (Your response is actually a gesture of support for a non-
working Debian recommendation).
> +There are also utilities for other operating systems to copy the image.
is factual and covers the situation. Why not go with that? It
is neutral and does not commit us to anything, unlike adding
a second suggestion.
Specifics can be dealt with at https://www.debian.org/CD/faq/
or in the wiki. The Installation Guide is not the place for
promoting non-Debian utilities.
--
Brian.
Reply to: