
Re: Bug#931911: user-setup: Fails to present no-root-password_first-user-sudoer option as a reasonable choice



Brian Potkin <claremont102@gmail.com> writes:

> On Fri 12 Jul 2019 at 10:22:59 +0200, Philip Hands wrote:
>
>> Package: user-setup
>> Severity: normal
>> 
>> Prompted by this LWN comment relating to installing buster:
>> 
>>   https://lwn.net/Articles/792960/
>> 
>>   "The installer text specifically said that not setting a root password
>>    was a Very Bad Idea"
>> 
>> looking at the text in question, I was surprised at how negative it is
>> about the completely reasonable choice of selecting no root password in
>> order to provoke the first-user-is-sudoer setup.
>> 
>>   https://salsa.debian.org/installer-team/user-setup/blob/master/debian/user-setup-udeb.templates#L37
>> 
>> I presume that this text is as it is because there is a previously
>> defined question about whether one wants a root login enabled, that
>> explains the way things will work with sudo if one chooses 'no':
>> 
>>   https://salsa.debian.org/installer-team/user-setup/blob/master/debian/user-setup-udeb.templates#L25
>> 
>> however, that question is no longer presented to users by default, so
>> they get dropped into the rather scary sounding text about why one needs
>> to set a root password.
>> 
>> It seems to me that we need to reword this completely, so that choosing
>> to leave the password blank is described as a reasonable thing to do,
>> which will result in a perfectly decent, and often desired, sudo setup.
>
> Although I do not see the text as "scary", it might be better to present
> the two options on equal standing. OTOH, the question seems to me simply
> to say that a user can choose to log in as root or with sudo.
>
> It is noted that you leave the advice that the password "...should be
> changed at regular intervals" untouched. There is a short discussion in
> #868869 about this issue:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23868869
>
> #656509 received short shrift.
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656509
>
> Not in your proposal - but how about killing two birds with one stone?

I did (yet again) notice the password-change stuff, and thought we
ought to get rid of it at the same time, but was planning on doing a
separate bug (having forgotten about the already present bugs).

That being the case I've added a commit to the branch, just to make sure
it doesn't get forgotten about while we're in the process of bothering
the translators anyway.

Thanks for the reminder.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
