Bug#863868: [installation-guide] Re: USB Memory Stick: Issues with win32diskimager
I read the mail in -boot and responded to the list and not to the bug.
Rectifying. Apologies.
On Wed 25 Jul 2018 at 22:55:04 +0000, Holger Wansing wrote:
> Hi,
>
> Am Mittwoch, 25. Juli 2018 schrieb Brian Potkin:
> > On Wed 25 Jul 2018 at 21:06:23 +0200, Holger Wansing wrote:
> >
> > > Hi,
> > >
> > > Varanka Risto <risto.varanka@aalto.fi> wrote:
> > > > Package: installation-guide
> > > > Severity: important
> > > > Tags: security
> > > >
> > > > The online installation guide for Debian Stable at
> > > > https://www.debian.org/releases/stable/i386/ch04s03.html.en recommends the use
> > > > of the win32diskimager utility for writing images to USB in section
> > > > "4.3.1. Preparing a USB stick using a hybrid CD or DVD image". This software
> > > > currently has issues, might compromise the security of Debian users and probably
> > > > should not be recommended by Debian:
> > > >
> > > > 1) User comments on the main page
> > > > https://sourceforge.net/projects/win32diskimager/ report that the current
> > > > version 1.0.0 contains malware, or tries to install crapware as part of the
> > > > installation process. (If possible this should be investigated and if indeed
> > > > the project is compromised, Debian users should be notified.)
> > > >
> > > > 2) Some user comments also state the tool does not work on Windows 10 while
> > > > others claim it does. I installed this on a Windows 10 system and the software
> > > > turned out not to function properly, indicating that 1) might also be the case,
> > > > and of course majorly impacting Debian installation experience. Details below.
> > > >
> > > > Navigate to Files->Archive and click on win32diskimager-1.0.0-install.exe.
> > > > On the following page download starts automatically. Install the tool, run it
> > > > and provide administrator credentials. Try to select the file to write: the
> > > > opened file browser does not display almost any directories, and when an .img
> > > > file is copied to the directories available, it does not show up in the file
> > > > browser.
> > > >
> > > > I suggest to replace the recommended tool for the time being and to
> > > > investigate the trustworthiness of the utility.
> > >
> > >
> > > I would like to change it this way, if noone objects:
> > >
> > >
> > > diff --git a/en/install-methods/boot-usb-files.xml b/en/install-methods/boot-usb-files.xml
> > > index 7f59939d9..13b6e175a 100644
> > > --- a/en/install-methods/boot-usb-files.xml
> > > +++ b/en/install-methods/boot-usb-files.xml
> > > @@ -55,10 +55,9 @@ as follows, after having made sure that the stick is unmounted:
> > > <prompt>#</prompt> <userinput>sync</userinput>
> > > </screen></informalexample>
> > >
> > > -The
> > > -<ulink url="http://sf.net/projects/win32diskimager/";>
> > > -win32diskimager</ulink>
> > > -utility can be used under other operating systems to copy the image.
> > > +There are also utilities for other operating systems to copy the image, like
> > > +<ulink url="https://rufus.akeo.ie/";>Rufus</ulink> or
> > > +<ulink url="http://sf.net/projects/win32diskimager/";>win32diskimager</ulink>.
> > >
> > > </para><important><para>
> >
> > So, now we recommend two tools Debian does not control in the
> > Installation Guide. When another post like Varanka Risto's
> > (quoted above) comes along, do we look for a third one? Then a
> > fourth?
> >
> > Mentioning such software in a core document implies we support
> > it. (Your response is actually a gesture of support for a non-
> > working Debian recommendation).
> >
> > > +There are also utilities for other operating systems to copy the image.
> >
> > is factual and covers the situation. Why not go with that? It
> > is neutral and does not commit us to anything, unlike adding
> > a second suggestion.
> >
> > Specifics can be dealt with at https://www.debian.org/CD/faq/
> > or in the wiki. The Installation Guide is not the place for
> > promoting non-Debian utilities.
>
> Sorry, I don't get your point:
Perhaps my previous mail of Mon, 5 Jun 2017 to the report helps.
> the CD faq your mention above contains exactly the same
> recommendations like we have NOW in the installation-guide:
Indeed it does. Why not link to it? It is a fuller account and gives
a single place to manage.
> it has recommendations for Linux machines, and for Windows
> it recommends win32diskimager.
The proposed wording for the Guide is not quite correct:
> There are also utilities for other operating systems....
The recommendations are for Windows - not "other operating systems".
> So, if you say that the CD faq is ok, we can leave everything as it is
> and we are done.
> But - wait: you also say, that recommending third-party tools
> is not good, so you should also prompt to change the CD faq!
> If you point first-time Debian users to the CD faq, it is also
> an official document/manual, and so it should honor
> the same rules as the installation-guide, IMO.
> However, you promote the CD faq as a good example...
All my comments were all in the context of what the Guide should
contain. The CD FAQ has a long tradition of supporting non-Debian
software and I have no problem with that; why not link to it?
I suspect it is not the responsibility of the same people who write
the Guide. If there is an issue with the FAQ contents it needs to
be taken up with the relevant team; my focus is the Guide.
> So I don't get your point ...
>
> Long story short: recommending a second (good) tool, is IMO
> an improvement (at least in the light of user reports, which claim
> about win32diskimager not being usable under Windows 10).
And claims that it is usable exist. Do we really want to get involved
with this issue? Best thing to do is ignore it, just like the claims
that it contains malware.
--
Brian.
Reply to: