Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 8. März 2024 19:58:56 MEZ schrieb Philip Hands :
>
>IMO Having the 'password/passphrase' throughout makes it awkward to
>read, and actually we've got one place where it still just says
>password, and fixing that would make it slightly worse IMO.
>
>How about dropping the passphrase stuff?
>
>  
> https://salsa.debian.org/philh/user-setup/-/commit/7c8dd1bd9d5c8596e7b8f82a19a075e0a5572ed7

Well, the idea was, to mention that 'passphrase' thing one time in the dialog.

Now having it at all places is indeed not strictly an improvement.
Feel free to drop it.


Holger




-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Philip Hands wrote:
> IMO Having the 'password/passphrase' throughout makes it awkward to
> read, and actually we've got one place where it still just says
> password, and fixing that would make it slightly worse IMO.
> 
> How about dropping the passphrase stuff?
> 
>   
> https://salsa.debian.org/philh/user-setup/-/commit/7c8dd1bd9d5c8596e7b8f82a19a075e0a5572ed7
> &
>   https://openqa.debian.net/tests/240582#step/passwords/1
> 
> which I think is more readable (and is probably fine now that we've
> dropped the stuff about password selection which could be read as
> suggesting that a password is expected to be a single word).

It all looks fine to me; as the screenshot shows, we use "password" as
a general cover-term all over the user interface anyway.
-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Friday, 8 March 2024 19:58:56 CET Philip Hands wrote:
> IMO Having the 'password/passphrase' throughout makes it awkward to
> read, and actually we've got one place where it still just says
> password, and fixing that would make it slightly worse IMO.
> 
> How about dropping the passphrase stuff?

I agree with dropping it. It does look odd and it'll likely raise (more) 
questions then it answers. And most/all people are familiar with password.

Explaining passwords/passphrases is better suited to some educational 
resource.


signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Justin B Rye  writes:

> Philip Hands wrote:
>>> Maybe instead of saying "use the system's initial user account to
>>> become root" it should say "allow the system's initial user account
>>> to gain administrative privileges"?  I'm not sure.  Oh, and we might
>>> even want to mention the word "superuser", or then again we might not.
>> 
>> I think Diederik's suggestion of using 'root' for the account and
>> 'super-user' for the privileges might be the way to go.
>
> Looking at what I end up with after another couple of rounds of
> fiddling with it I'm not sure if it's doing quite what you asked for,
> but you still might want it so here it is:

Thanks for that.

> -   Some account needs to have system administrative privileges. The
> -   password/passphrase for that account should be something that
> -   cannot be guessed.
> +   Some account needs to be available with administrative super-user
> +   privileges. The password/passphrase for that account should be
> +   something that cannot be guessed.
> .
> To allow direct password-based access via the 'root' account, you
> can set the password/passphrase for that account here.
> .
> -   Alternatively, you can lock root's password
> +   Alternatively, you can lock the root account's password
> by leaving this setting empty, and
> instead use the system's initial user account
> (which will be set up in the next step)
> -   to become root. This will be enabled for you
> -   by adding that user to the 'sudo' group.
> +   to gain administrative privileges. This will be enabled for you by
> +   adding that initial user to the 'sudo' group.
> .
> Note: what you type here will be hidden (unless you select to show it).

That can be seen here:

  
https://salsa.debian.org/philh/user-setup/-/commit/a684977100e6746725372f8294f271f890c50430
&
  https://openqa.debian.net/tests/240580#step/passwords/1

I think I prefer the previous version better for some reason.

IMO Having the 'password/passphrase' throughout makes it awkward to
read, and actually we've got one place where it still just says
password, and fixing that would make it slightly worse IMO.

How about dropping the passphrase stuff?

  
https://salsa.debian.org/philh/user-setup/-/commit/7c8dd1bd9d5c8596e7b8f82a19a075e0a5572ed7
&
  https://openqa.debian.net/tests/240582#step/passwords/1

which I think is more readable (and is probably fine now that we've
dropped the stuff about password selection which could be read as
suggesting that a password is expected to be a single word).

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 7. März 2024 08:50:25 MEZ schrieb Justin B Rye :
>Philip Hands wrote:
>>> Maybe instead of saying "use the system's initial user account to
>>> become root" it should say "allow the system's initial user account
>>> to gain administrative privileges"?  I'm not sure.  Oh, and we might
>>> even want to mention the word "superuser", or then again we might not.
>> 
>> I think Diederik's suggestion of using 'root' for the account and
>> 'super-user' for the privileges might be the way to go.
>
>Looking at what I end up with after another couple of rounds of
>fiddling with it I'm not sure if it's doing quite what you asked for,
>but you still might want it so here it is:
>
>-   Some account needs to have system administrative privileges. The
>-   password/passphrase for that account should be something that
>-   cannot be guessed.
>+   Some account needs to be available with administrative super-user
>+   privileges. The password/passphrase for that account should be
>+   something that cannot be guessed.
>.
>To allow direct password-based access via the 'root' account, you
>can set the password/passphrase for that account here.
>.
>-   Alternatively, you can lock root's password
>+   Alternatively, you can lock the root account's password
>by leaving this setting empty, and
>instead use the system's initial user account
>(which will be set up in the next step)
>-   to become root. This will be enabled for you
>-   by adding that user to the 'sudo' group.
>+   to gain administrative privileges. This will be enabled for you by
>+   adding that initial user to the 'sudo' group.
>.
>Note: what you type here will be hidden (unless you select to show it).

All the above looks like an improvement to me.


Holger


-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Philip Hands wrote:
>> Maybe instead of saying "use the system's initial user account to
>> become root" it should say "allow the system's initial user account
>> to gain administrative privileges"?  I'm not sure.  Oh, and we might
>> even want to mention the word "superuser", or then again we might not.
> 
> I think Diederik's suggestion of using 'root' for the account and
> 'super-user' for the privileges might be the way to go.

Looking at what I end up with after another couple of rounds of
fiddling with it I'm not sure if it's doing quite what you asked for,
but you still might want it so here it is:

-   Some account needs to have system administrative privileges. The
-   password/passphrase for that account should be something that
-   cannot be guessed.
+   Some account needs to be available with administrative super-user
+   privileges. The password/passphrase for that account should be
+   something that cannot be guessed.
.
To allow direct password-based access via the 'root' account, you
can set the password/passphrase for that account here.
.
-   Alternatively, you can lock root's password
+   Alternatively, you can lock the root account's password
by leaving this setting empty, and
instead use the system's initial user account
(which will be set up in the next step)
-   to become root. This will be enabled for you
-   by adding that user to the 'sudo' group.
+   to gain administrative privileges. This will be enabled for you by
+   adding that initial user to the 'sudo' group.
.
Note: what you type here will be hidden (unless you select to show it).

-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 5. März 2024 20:44:52 MEZ schrieb Philip Hands :
>BTW I don't know much about how the translation side of things works,
>but given that there are many ways of getting the fine detail of this to
>be incorrect in various ways, is there a standard method for adding
>hints for translators, and should that be done?

Such hints for translators can be added to the templates file, as in

They will then end up in translator's po files.


Do you have some specific sentence in mind, which deserves a
special hint?
I noticed that my English is not good enough to formulate such details.


Holger


-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Justin B Rye  writes:

...
> Post-coffee (also fixing that wobbly indent):
>
>Some account needs to have system administrative privileges. The
>password/passphrase for that account should be something that
>cannot be guessed.
>.
>To allow direct password-based access via the 'root' account, you
>can set the password/passphrase for that account here.
>.
>Alternatively, you can lock root's password
>by leaving this setting empty, and
>instead use the system's initial user account
>(which will be set up in the next step)
>to become root. This will be enabled for you
>by adding that user to the 'sudo' group.
>.
>Note: what you type here will be hidden (unless you select to show it).

I like that version better than mine, so commited it[1], and re-ran the
test to give a screenshot:

  https://openqa.debian.net/tests/239766#step/passwords/1

> Maybe instead of saying "use the system's initial user account to
> become root" it should say "allow the system's initial user account
> to gain administrative privileges"?  I'm not sure.  Oh, and we might
> even want to mention the word "superuser", or then again we might not.

I think Diederik's suggestion of using 'root' for the account and
'super-user' for the privileges might be the way to go.

Cheers, Phil.

[1] 
https://salsa.debian.org/installer-team/user-setup/-/merge_requests/7/diffs?commit_id=2668d06de4f2de4735404a0671ecfb33f7bbd159
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Wednesday, 6 March 2024 13:19:04 CET Justin B Rye wrote:
> Maybe instead of saying "use the system's initial user account to
> become root" it should say "allow the system's initial user account
> to gain administrative privileges"?  I'm not sure.  Oh, and we might
> even want to mention the word "superuser", or then again we might not.

How about using 'root' for the user/account and super-user for the privileges?
The 'root' user has super-user privileges all the time and the normal user can 
get those privileges via (the) sudo (mechanism).

FTR: that *is* a slight diversion from what's said here:
https://www.debian.org/releases/bookworm/amd64/ch06s03.en.html#di-user-setup

Whatever terminology we use, I think it's important that we use the same 
terminology in both the d-i screens and the Trixie Installation Guide.
Updating the Installation Guide should probably be done separately?

Cheers,
  Diederik

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Philip Hands wrote:
>> https://salsa.debian.org/installer-team/user-setup/-/commit/77c1517fade367bc465da2a5908c5ac47dd8bba7
>>
>>   Template: passwd/root-password
>>   Type: password
>>   # :sl1:
>>   _Description: Root password/passphrase:
>>One needs a password/passphrase that grants
>>access to the 'root' (system administrative) account.
>>Be aware that a malicious or unqualified user
>>that obtains root access can have disastrous results,
>>so you should choose a password/passphrase that cannot be guessed.
>>It should not be a word found in dictionaries,
>>or something that could be easily associated with you.
>>
>> (Summary: You DO need a root password.)
> 
> No, as I said, what that's trying to say is that there needs to exist a
> password that one way or the other will let one get access to the root
> account (since otherwise one is not going to be able to admin the
> machine), but that is not neccesarily the same thing as a "root
> password", 
> 
> If it comes across as meaning that there needs to be a "root password",
> then it's not succeeding in expressing the nuance of the situation
> correctly, and we probably need to fix that (assuming that we can come
> up with a better wording that still fits in the space available).

Yes; even reading it suspecting that that might be what it was meant
to be saying I found it hard to read that interpretation into it.  The
line starting "One needs a password..." implies that this dialogue
deals with the need for the particular *password* that gives access to
the root *account* - the obvious interpretation is that it's talking
about the "Root password/passphrase" in the Description.  It takes some
mental contortions to see that my own login password might also be
thought of as doing that, and further, that this dialogue can be seen
as creating (or no, I mean causing the existence of) such a password.

But I notice now that the way I've phrased it means users aren't
implicitly warned that a sudo-privileged user account needs a good
password, so maybe I need another coffee and a think...

>>.
>>To allow direct password-based access to root,
>>you should set the 'root' password/passphrase here.
>>.
>>Alternatively, you can lock root's password
>>by leaving this setting empty, and
>>instead use the system's initial user account
>>(which will be set up in the next step)
>>to become root. This will be enabled for you
>>by adding that user to the 'sudo' group.
>>.
>>Note: what you type here will be hidden (unless you select to show it).
>>
>> (Summary: You DON'T need a root password.)
>>
>> Suggested rewrite (short version):
>>
>>  _Description: Root password/passphrase:
>>   To allow direct password/passphrase-based access to the 'root'
>>   (system administrative) account you can set it up here.
>>   To protect your system you should not use one that can be guessed.
>>   .
>>   Alternatively, you can lock root's password
>>by leaving this setting empty, and
>>instead use the system's initial user account
>>(which will be set up in the next step)
>>to become root. This will be enabled for you
>>by adding that user to the 'sudo' group.
>>.
>>Note: what you type here will be hidden (unless you select to show it).
> 
> This is certainly better than good enough, so I'd be fine with this too.

Post-coffee (also fixing that wobbly indent):

   Some account needs to have system administrative privileges. The
   password/passphrase for that account should be something that
   cannot be guessed.
   .
   To allow direct password-based access via the 'root' account, you
   can set the password/passphrase for that account here.
   .
   Alternatively, you can lock root's password
   by leaving this setting empty, and
   instead use the system's initial user account
   (which will be set up in the next step)
   to become root. This will be enabled for you
   by adding that user to the 'sudo' group.
   .
   Note: what you type here will be hidden (unless you select to show it).

Maybe instead of saying "use the system's initial user account to
become root" it should say "allow the system's initial user account
to gain administrative privileges"?  I'm not sure.  Oh, and we might
even want to mention the word "superuser", or then again we might not.
-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Justin B Rye  writes:

> Philip Hands wrote:
>> Justin B Rye  writes:
>>> Philip Hands wrote:
 Justin B Rye  writes:> ...
 The reason behind that structure was supposed to be that one definitely
 needs _a_ password, but not necessarily a root password, so the password
 advice applies to whichever password you'll decide to grant root access
 to, which might not be set here.
>>>
>>> This template is specifically about the "Root password/passphrase";
>> 
>> Well, sort-of, except that the user's response (whether to leave this
>> blank or not) modifies what happens with the user account's permissions,
>> so it's also about explaining the way that logic works in the installer
>> and what that will do to the target system.
>>
>>> probably I should have quoted the patch I was looking at, which starts
>>> with "One needs a password/passphrase that grants access to the 'root'
>>> (system administrative) account" but goes on to say "Alternatively,
>>> you can lock root's password by leaving this setting empty".
>> 
>> I'm intimately familiar with the patches you're reading, so I feel like
>> this comment suggests that we may be talking past one another somehow.
>
> Yes, this is a common problem: you're so familiar with what we need
> it to say that you aren't noticing what the text currently does say.
> https://salsa.debian.org/installer-team/user-setup/-/commit/77c1517fade367bc465da2a5908c5ac47dd8bba7
>
>   Template: passwd/root-password
>   Type: password
>   # :sl1:
>   _Description: Root password/passphrase:
>One needs a password/passphrase that grants
>access to the 'root' (system administrative) account.
>Be aware that a malicious or unqualified user
>that obtains root access can have disastrous results,
>so you should choose a password/passphrase that cannot be guessed.
>It should not be a word found in dictionaries,
>or something that could be easily associated with you.
>
> (Summary: You DO need a root password.)

No, as I said, what that's trying to say is that there needs to exist a
password that one way or the other will let one get access to the root
account (since otherwise one is not going to be able to admin the
machine), but that is not neccesarily the same thing as a "root
password", because the password being refered to might well be the
initial user's password, as long as they end up in the sudo group.

If it comes across as meaning that there needs to be a "root password",
then it's not succeeding in expressing the nuance of the situation
correctly, and we probably need to fix that (assuming that we can come
up with a better wording that still fits in the space available).

>.
>To allow direct password-based access to root,
>you should set the 'root' password/passphrase here.
>.
>Alternatively, you can lock root's password
>by leaving this setting empty, and
>instead use the system's initial user account
>(which will be set up in the next step)
>to become root. This will be enabled for you
>by adding that user to the 'sudo' group.
>.
>Note: what you type here will be hidden (unless you select to show it).
>
> (Summary: You DON'T need a root password.)
>
> Suggested rewrite (short version):
>
>  _Description: Root password/passphrase:
>   To allow direct password/passphrase-based access to the 'root'
>   (system administrative) account you can set it up here.
>   To protect your system you should not use one that can be guessed.
>   .
>   Alternatively, you can lock root's password
>by leaving this setting empty, and
>instead use the system's initial user account
>(which will be set up in the next step)
>to become root. This will be enabled for you
>by adding that user to the 'sudo' group.
>.
>Note: what you type here will be hidden (unless you select to show it).

This is certainly better than good enough, so I'd be fine with this too.

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Philip Hands wrote:
> Justin B Rye  writes:
>> Philip Hands wrote:
>>> Justin B Rye  writes:> ...
>>> The reason behind that structure was supposed to be that one definitely
>>> needs _a_ password, but not necessarily a root password, so the password
>>> advice applies to whichever password you'll decide to grant root access
>>> to, which might not be set here.
>>
>> This template is specifically about the "Root password/passphrase";
> 
> Well, sort-of, except that the user's response (whether to leave this
> blank or not) modifies what happens with the user account's permissions,
> so it's also about explaining the way that logic works in the installer
> and what that will do to the target system.
>
>> probably I should have quoted the patch I was looking at, which starts
>> with "One needs a password/passphrase that grants access to the 'root'
>> (system administrative) account" but goes on to say "Alternatively,
>> you can lock root's password by leaving this setting empty".
> 
> I'm intimately familiar with the patches you're reading, so I feel like
> this comment suggests that we may be talking past one another somehow.

Yes, this is a common problem: you're so familiar with what we need
it to say that you aren't noticing what the text currently does say.

https://salsa.debian.org/installer-team/user-setup/-/commit/77c1517fade367bc465da2a5908c5ac47dd8bba7

  Template: passwd/root-password
  Type: password
  # :sl1:
  _Description: Root password/passphrase:
   One needs a password/passphrase that grants
   access to the 'root' (system administrative) account.
   Be aware that a malicious or unqualified user
   that obtains root access can have disastrous results,
   so you should choose a password/passphrase that cannot be guessed.
   It should not be a word found in dictionaries,
   or something that could be easily associated with you.

(Summary: You DO need a root password.)
   .
   To allow direct password-based access to root,
   you should set the 'root' password/passphrase here.
   .
   Alternatively, you can lock root's password
   by leaving this setting empty, and
   instead use the system's initial user account
   (which will be set up in the next step)
   to become root. This will be enabled for you
   by adding that user to the 'sudo' group.
   .
   Note: what you type here will be hidden (unless you select to show it).

(Summary: You DON'T need a root password.)

Suggested rewrite (short version):

 _Description: Root password/passphrase:
  To allow direct password/passphrase-based access to the 'root'
  (system administrative) account you can set it up here.
  To protect your system you should not use one that can be guessed.
  .
  Alternatively, you can lock root's password
   by leaving this setting empty, and
   instead use the system's initial user account
   (which will be set up in the next step)
   to become root. This will be enabled for you
   by adding that user to the 'sudo' group.
   .
   Note: what you type here will be hidden (unless you select to show it).

-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Justin B Rye  writes:

> Philip Hands wrote:
>> Justin B Rye  writes:
...
>> 
>> The reason behind that structure was supposed to be that one definitely
>> needs _a_ password, but not necessarily a root password, so the password
>> advice applies to whichever password you'll decide to grant root access
>> to, which might not be set here.
>
> This template is specifically about the "Root password/passphrase";

Well, sort-of, except that the user's response (whether to leave this
blank or not) modifies what happens with the user account's permissions,
so it's also about explaining the way that logic works in the installer
and what that will do to the target system.

> probably I should have quoted the patch I was looking at, which starts
> with "One needs a password/passphrase that grants access to the 'root'
> (system administrative) account" but goes on to say "Alternatively,
> you can lock root's password by leaving this setting empty".

I'm intimately familiar with the patches you're reading, so I feel like
this comment suggests that we may be talking past one another somehow.

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Philip Hands wrote:
> Justin B Rye  writes:
>> It needs a small amount of rephrasing, but the most important problem
>> is that it starts by saying you need to set a password and then goes
>> on to suggest that you might not need to set a password.  Maybe that
>> can be fixed by rearranging things slightly...
>>
>>  Template: passwd/root-password
>>  Type: password
>>  # :sl1:
>>  _Description: Root password/passphrase:
>>   To allow direct password/passphrase-based access to the 'root'
>>   (system administrative) account you can set it up here.
>>   The results can be disastrous if a malicious or incompetent user
>>   obtains root access, so you should not set one that can be guessed,
>>   found in dictionaries, or easily associated with you.
>>   .
>>   Alternatively, you can lock root's password
>>   by leaving this setting empty, and
>>   instead use the system's initial user account
>>   (which will be set up in the next step)
>>   to become root. This will be enabled for you
>>   by adding that user to the 'sudo' group.
>>   .
>>   Note: what you type here will be hidden (unless you select to show it).
>>
>> Does this still feel like the same advice?
> 
> The reason behind that structure was supposed to be that one definitely
> needs _a_ password, but not necessarily a root password, so the password
> advice applies to whichever password you'll decide to grant root access
> to, which might not be set here.

This template is specifically about the "Root password/passphrase";
probably I should have quoted the patch I was looking at, which starts
with "One needs a password/passphrase that grants access to the 'root'
(system administrative) account" but goes on to say "Alternatively,
you can lock root's password by leaving this setting empty".

> I'm OK with the way you've phrased it, although my personal preference
> would be to simply drop the "disastrous" sentence if we use this
> version, because I think it breaks the straightforward flow of the text
> laying out the choice we're trying to get the user to make between the
> two available options. (I also rather doubt that anything we say at this
> point in the install will have the slightest influence on people's
> choice of password).

I can imagine people might be more likely to heed something shorter;
maybe it could be boiled down to

To allow direct password/passphrase-based access to the 'root'
(system administrative) account you can set it up here.
To protect your system you should not use one that can be guessed.

-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Justin B Rye  writes:

> Holger Wansing wrote:
>> @d-l10n-english: hey guys, we would like to get a proposal reviewed, 
>> which aims to improve the root/user password screens in the installer.
>> 
>> Please find the related merge request at
>> 
>
> It needs a small amount of rephrasing, but the most important problem
> is that it starts by saying you need to set a password and then goes
> on to suggest that you might not need to set a password.  Maybe that
> can be fixed by rearranging things slightly...
>
>  Template: passwd/root-password
>  Type: password
>  # :sl1:
>  _Description: Root password/passphrase:
>   To allow direct password/passphrase-based access to the 'root'
>   (system administrative) account you can set it up here.
>   The results can be disastrous if a malicious or incompetent user
>   obtains root access, so you should not set one that can be guessed,
>   found in dictionaries, or easily associated with you.
>   .
>   Alternatively, you can lock root's password
>   by leaving this setting empty, and
>   instead use the system's initial user account
>   (which will be set up in the next step)
>   to become root. This will be enabled for you
>   by adding that user to the 'sudo' group.
>   .
>   Note: what you type here will be hidden (unless you select to show it).
>
> Does this still feel like the same advice?

The reason behind that structure was supposed to be that one definitely
needs _a_ password, but not necessarily a root password, so the password
advice applies to whichever password you'll decide to grant root access
to, which might not be set here.

I'm OK with the way you've phrased it, although my personal preference
would be to simply drop the "disastrous" sentence if we use this
version, because I think it breaks the straightforward flow of the text
laying out the choice we're trying to get the user to make between the
two available options. (I also rather doubt that anything we say at this
point in the install will have the slightest influence on people's
choice of password).

> Otherwise the only thing I see is:
>
>  Template: passwd/user-password
>  Type: password
>  # :sl1:
>  _Description: Choose a password/passphrase for the new user:
>   Make sure to select a strong password/passphrase, that cannot be guessed.
>
> No comma needed there.

Well done -- I kept noticing that, and somehow didn't get round to
fixing it. I've now deleted it, so thanks for pointing it out again. :-)

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Justin B Rye]

Holger Wansing wrote:
> @d-l10n-english: hey guys, we would like to get a proposal reviewed, 
> which aims to improve the root/user password screens in the installer.
> 
> Please find the related merge request at
> 

It needs a small amount of rephrasing, but the most important problem
is that it starts by saying you need to set a password and then goes
on to suggest that you might not need to set a password.  Maybe that
can be fixed by rearranging things slightly...

 Template: passwd/root-password
 Type: password
 # :sl1:
 _Description: Root password/passphrase:
  To allow direct password/passphrase-based access to the 'root'
  (system administrative) account you can set it up here.
  The results can be disastrous if a malicious or incompetent user
  obtains root access, so you should not set one that can be guessed,
  found in dictionaries, or easily associated with you.
  .
  Alternatively, you can lock root's password
  by leaving this setting empty, and
  instead use the system's initial user account
  (which will be set up in the next step)
  to become root. This will be enabled for you
  by adding that user to the 'sudo' group.
  .
  Note: what you type here will be hidden (unless you select to show it).

Does this still feel like the same advice?

Otherwise the only thing I see is:

 Template: passwd/user-password
 Type: password
 # :sl1:
 _Description: Choose a password/passphrase for the new user:
  Make sure to select a strong password/passphrase, that cannot be guessed.
  ^
No comma needed there.
-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Cyril Brulebois  writes:

> Philip Hands  (2024-03-05):
>> Cool, in that case I'll fix those two things and then use the result
>> for the MR[1], and if the openQA test runs look OK, will merge that.
>
> Only skimmed over it, but that looks sensible, thanks all.
>
> Is it worth getting d-l-english involved in a final review before
> getting that translated?  Contrary to a lot of not-so-critical l10n
> material, that particular screen is crucial, and I'd hate it if we
> wasted translator efforts due to a missed typo or obvious improvement.

I'm happy with doing that, and we might as well get it right given that
it's been ~12 years since the first bug, so a few more days makes no
odds.

I'm pretty sympathetic with the idea of simply dropping the password
advice (as just mentioned by Diederik) but it seems that Holger prefers
to keep it in -- either is fine with me.

BTW I don't know much about how the translation side of things works,
but given that there are many ways of getting the fine detail of this to
be incorrect in various ways, is there a standard method for adding
hints for translators, and should that be done?

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi all,

Am 5. März 2024 19:28:25 MEZ schrieb Cyril Brulebois :
>Philip Hands  (2024-03-05):
>> Cool, in that case I'll fix those two things and then use the result
>> for the MR[1], and if the openQA test runs look OK, will merge that.
>
>Only skimmed over it, but that looks sensible, thanks all.
>
>Is it worth getting d-l-english involved in a final review before
>getting that translated? Contrary to a lot of not-so-critical l10n
>material, that particular screen is crucial, and I'd hate it if we
>wasted translator efforts due to a missed typo or obvious improvement.

Good idea.

@d-l10n-english: hey guys, we would like to get a proposal reviewed, 
which aims to improve the root/user password screens in the installer.

Please find the related merge request at


There was some (more) discussion / various attempts on finding
the correct wording, most of which can be found in



Maybe we should have put d-l10n-english into the loop earlier, sorry for not
doing that.


Holger


-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Tuesday, 5 March 2024 19:28:25 CET Cyril Brulebois wrote:
> Philip Hands  (2024-03-05):
> > Cool, in that case I'll fix those two things and then use the result
> > for the MR[1], and if the openQA test runs look OK, will merge that.
> 
> Only skimmed over it, but that looks sensible, thanks all.
> 
> Is it worth getting d-l-english involved in a final review before
> getting that translated? Contrary to a lot of not-so-critical l10n
> material, that particular screen is crucial, and I'd hate it if we
> wasted translator efforts due to a missed typo or obvious improvement.

I had started a reply before I had to get out the door, so I'll just keep it 
to one suggestion, which may seem a bit 'radical':

How about getting rid of the password advise entirely from the d-i screen?

We could still make educational resources with f.e. tips on passwords/
passphrases in f.e. the wiki, but it's not the job or the (best) place to put 
such things in the d-i screens?

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Cyril Brulebois]

Philip Hands  (2024-03-05):
> Cool, in that case I'll fix those two things and then use the result
> for the MR[1], and if the openQA test runs look OK, will merge that.

Only skimmed over it, but that looks sensible, thanks all.

Is it worth getting d-l-english involved in a final review before
getting that translated? Contrary to a lot of not-so-critical l10n
material, that particular screen is crucial, and I'd hate it if we
wasted translator efforts due to a missed typo or obvious improvement.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Holger Wansing  writes:

> Hi,
>
> Am 5. März 2024 15:01:21 MEZ schrieb Philip Hands :
>>Here are my latest attempts:
>
> "Be aware that that a ..."
> doubled "that"
>
> "... (unless you select to show it)"
> missing fullstop.

Well spotted - Thanks :-)

> Otherwise: looks good to me.

Cool, in that case I'll fix those two things and then use the result for
the MR[1], and if the openQA test runs look OK, will merge that.

Cheers, Phil.

[1] https://salsa.debian.org/installer-team/user-setup/-/merge_requests/7
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 5. März 2024 15:01:21 MEZ schrieb Philip Hands :
>Here are my latest attempts:

"Be aware that that a ..."
doubled "that"

"... (unless you select to show it)"
missing fullstop.

Otherwise: looks good to me.


Holger



-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Monday, 4 March 2024 22:30:57 CET Holger Wansing wrote:
> > https://wiki.debian.org/Passwords doesn't exist (yet), but it's an easy to
> > remember URL and we'd have all the space we need to give proper advise?
> 
> Would need to check if that fits in the relevant screens (I want to avoid
> having a scroll bar on that screens).

I didn't mean importing its contents, but just including a link/URL, which a 
user can type in a browser on a secondary device.
Therefor it needs to be short/memorable.

I later realized that putting it in the wiki may be useful, but also dangerous 
as anyone can edit a wiki (page). So another place where only authorized 
changes can be made is probably better.

Cheers,
  Diederik

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Diederik de Haas  wrote (Mon, 04 Mar 2024 15:57:10 
+0100):
> On Monday, 4 March 2024 10:43:59 CET Holger Wansing wrote:
> > >Regarding the password advice, I ended up concluding that it's pretty
> > >unlikely that anything we say at this point will have any effect on
> > >people's behaviour, but then I'm probably just an old cynic. Also, I
> > >failed when trying to come up with a wording which I was happy with,
> > >which is why I ended up discarding the advice entirely.
> > >
> > >If we want to keep the password advice in then I think what you wrote is
> > >(mostly) OK, although I think it implies that one should be choosing a
> > >single "password" (although, not a word in any normal sense), which
> > >could be argued to steer people away from the perfectly decent xkcd
> > >approach of using several dictionary words. Saying "Password or
> > >Passphrase" at least once would probably address that.
> > 
> > Ok, makes it a bit longer, but it could be worth it.
> 
> https://wiki.debian.org/Passwords doesn't exist (yet), but it's an easy to 
> remember URL and we'd have all the space we need to give proper advise?

Would need to check if that fits in the relevant screens (I want to avoid
having a scroll bar on that screens).


Holger

-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Holger Wansing  wrote (Mon, 04 Mar 2024 10:43:59 +0100):
> Hi,
> 
> Am 4. März 2024 06:17:31 MEZ schrieb Philip Hands :
> >I found that there were some phrases that I was avoiding for various
> >reasons, a couple of which I see you've used, so I'll say why I was avoiding
> >them and see if I have a persuasive argument for doing so.
> >
> >"allow/deny login/access as root":
> >
> >  The problem here is that not having a password for root only prevents
> >  one from getting direct access to root by using a password. Indirect
> >  access is still available via sudo, and direct access is still
> >  available via key bassed ssh.  I was also avoiding saying things like
> >  "disable the root account" for the same reason.
> >
> >  This is why I ended up with the phrasing:
> >
> > direct password-based logins to 'root'.
> 
> Ok, seems fair. I would change to that then.
> 
> >
> >"using the 'sudo' command":
> >
> >  This I was avoiding becuase it might give the impression that one MUST
> >  use sudo, whereas most people will actually get their root acces via a
> >  GUI prompting them for their own pasword (because it's checked that
> >  they're in the sudo group) when doing things like unlocking their
> >  network or printer settings. I thought it was worth mentining the
> >  'sudo' group explicitly because that gives something to search for if
> >  they want to find out more, but telling people they need to use the
> >  sudo command seemed like a step too far.
> 
> Correct so far. Maybe a bit more technical and therefore probably
> not the easiest choice for newbies, but I have no problem using that.
> 
> >Regarding the password advice, I ended up concluding that it's pretty
> >unlikely that anything we say at this point will have any effect on
> >people's behaviour, but then I'm probably just an old cynic. Also, I
> >failed when trying to come up with a wording which I was happy with,
> >which is why I ended up discarding the advice entirely.
> >
> >If we want to keep the password advice in then I think what you wrote is
> >(mostly) OK, although I think it implies that one should be choosing a
> >single "password" (although, not a word in any normal sense), which
> >could be argued to steer people away from the perfectly decent xkcd
> >approach of using several dictionary words. Saying "Password or
> >Passphrase" at least once would probably address that.
> 
> Ok, makes it a bit longer, but it could be worth it.
> 
> I will prepare a new patch with above.

Updated patch attached.

Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076
diff --git a/debian/user-setup-udeb.templates b/debian/user-setup-udeb.templates
index cdb6d78..437b9d7 100644
--- a/debian/user-setup-udeb.templates
+++ b/debian/user-setup-udeb.templates
@@ -33,22 +33,21 @@ _Description: Allow login as root?
 Template: passwd/root-password
 Type: password
 # :sl1:
-_Description: Root password:
- You need to set a password for 'root', the system administrative
- account. A malicious or unqualified user with root access can have
- disastrous results, so you should take care to choose a root password
- that is not easy to guess. It should not be a word found in dictionaries,
- or a word that could be easily associated with you.
+_Description: Root password/passphrase:
+ If you want to allow direct password-based login as root, you need to set a
+ password for 'root', the system administrative account now.
+ A malicious or unqualified user with root access can have
+ disastrous results, so you should take care to choose a root
+ password/passphrase that cannot be guessed. It should not be a word found in
+ dictionaries, or something that could be easily associated with you.
  .
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
+ You can also leave the password for root empty here, to disable the root
+ account; the system's initial user account (which will be set up in the next
+ step) will then be given the power to become root via 'sudo' (by adding it to
+ the 'sudo' group).
  .
- The root user should not have an empty password. If you leave this
- empty, the root account will be disabled and the system's initial user
- account will be given the power to become root using the "sudo"
- command.
- .
- Note that you will not be able to see the password as you type it.
+ Note that you will not be able to see the password as you type it (except if
+ you choose to show it in clear text).
 
 Template: passwd/root-password-again
 Type: password
@@ -109,9 +108,8 @@ _Description: Reserved username
 Template: passwd/user-password
 Type: password
 # :sl1:
-_Description: Choose a password for the new user:
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
+_Description: Choose a password/passphrase for the new user:
+ Make sure to select a strong password/passphrase, 

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Monday, 4 March 2024 10:43:59 CET Holger Wansing wrote:
> >Regarding the password advice, I ended up concluding that it's pretty
> >unlikely that anything we say at this point will have any effect on
> >people's behaviour, but then I'm probably just an old cynic. Also, I
> >failed when trying to come up with a wording which I was happy with,
> >which is why I ended up discarding the advice entirely.
> >
> >If we want to keep the password advice in then I think what you wrote is
> >(mostly) OK, although I think it implies that one should be choosing a
> >single "password" (although, not a word in any normal sense), which
> >could be argued to steer people away from the perfectly decent xkcd
> >approach of using several dictionary words. Saying "Password or
> >Passphrase" at least once would probably address that.
> 
> Ok, makes it a bit longer, but it could be worth it.

https://wiki.debian.org/Passwords doesn't exist (yet), but it's an easy to 
remember URL and we'd have all the space we need to give proper advise?

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 4. März 2024 06:17:31 MEZ schrieb Philip Hands :
>I found that there were some phrases that I was avoiding for various
>reasons, a couple of which I see you've used, so I'll say why I was avoiding
>them and see if I have a persuasive argument for doing so.
>
>"allow/deny login/access as root":
>
>  The problem here is that not having a password for root only prevents
>  one from getting direct access to root by using a password. Indirect
>  access is still available via sudo, and direct access is still
>  available via key bassed ssh.  I was also avoiding saying things like
>  "disable the root account" for the same reason.
>
>  This is why I ended up with the phrasing:
>
> direct password-based logins to 'root'.

Ok, seems fair. I would change to that then.

>
>"using the 'sudo' command":
>
>  This I was avoiding becuase it might give the impression that one MUST
>  use sudo, whereas most people will actually get their root acces via a
>  GUI prompting them for their own pasword (because it's checked that
>  they're in the sudo group) when doing things like unlocking their
>  network or printer settings. I thought it was worth mentining the
>  'sudo' group explicitly because that gives something to search for if
>  they want to find out more, but telling people they need to use the
>  sudo command seemed like a step too far.

Correct so far. Maybe a bit more technical and therefore probably
not the easiest choice for newbies, but I have no problem using that.

>Regarding the password advice, I ended up concluding that it's pretty
>unlikely that anything we say at this point will have any effect on
>people's behaviour, but then I'm probably just an old cynic. Also, I
>failed when trying to come up with a wording which I was happy with,
>which is why I ended up discarding the advice entirely.
>
>If we want to keep the password advice in then I think what you wrote is
>(mostly) OK, although I think it implies that one should be choosing a
>single "password" (although, not a word in any normal sense), which
>could be argued to steer people away from the perfectly decent xkcd
>approach of using several dictionary words. Saying "Password or
>Passphrase" at least once would probably address that.

Ok, makes it a bit longer, but it could be worth it.

I will prepare a new patch with above.


Holger


-- 
Sent from /e/ OS on Fairphone3

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Holger Wansing  writes:

> Hi,
>
> Am 2. März 2024 21:07:34 MEZ schrieb Philip Hands :
>>
>>This sentence is the thing that prompted me to change things in the
>>first place, because it is not true. One does not _need_ to set a root
>>password.
>
> It should be understood as 
> "If you want to enable login as root, you have to set a root password now."
>
> And in expert mode it is in fact working this way:
> At first, you are asked if you want to enable login as root. If you answer 
> yes 
> here, you are prompted to set a root password. 
> And at that point it is indeed required to set a root password, since you 
> chose to enable root login in the first question and the installer does not
> allow an empty password for root.
>
> To make it work in default install, we could change the question as
> in above citation.
>
>>I don't actually care very much whether we encourage sudo use. My
>>wording ended up (after many variations) quite strongly encouraging it
>>mostly as an antidote to the implication that comes from having a
>>question dedicated to setting the root password, but I'd be happy with
>>any wording that makes sure that people understand that both options are
>>totally fine.
>
> The sudo possibility is also mentioned:
>
> 'The root user should not have an empty password. If you leave this
> empty, the root account will be disabled and the system's initial user
> account will be given the power to become root using the "sudo"
> command.'
>
> I have rephrased that a bit, see below.
>
>>The other thing that I was trying to ensure is that people are reassured
>>that they'll get to specify a password that will get them root access even if
>>they decide to leave the root password unset.  This is because I've seen
>>people become quite uncertain about what to expect at this point in the
>>install.
>>
>>I've found that it is not easy to come up with things that include much
>>nuance about this, while still fitting in the space available, which is
>>why I decided to try a more opinionated approach.
>>
>>One could soften what I wrote by replacing "generally recommended" with
>>something like "often appropriate" -- how does that seem to people?
>
> Your proposal too much focusses on the sudo way IMO.
> We risk getting complains from people, who miss advise regarding the
> enabled root login.
>
> I have rephrased the dialog a bit, to make the sudo way more visible and
> better understandable.
>
>>One can of course tinker with this stuff indefinitely. I actually spent
>>a fair amount of time wondering how best to describe not setting a root
>>password for instance -- should one say "leave the password unset", "set
>>an empty password", "enter no password", or something like "just hit
>>"? (and does that last one actually apply to all the available
>>UIs?).
>>
>>The same goes for how you say that the password is not going to get
>>shown (unless you ask for it to be shown), which in the GTK UI gets
>>characters replaced with dots, IIRC in the text UI its with asterisks,
>>and I'd guess it just gets completely hidden in the speech install.
>
> I think that's not much of a problem. People are used to the situation,
> that passwords are not shown, but replaced by asterisks or similar.
> And we have the checkbox for showing it in clear text, that should be
> enough.
>
>
> Updated patch attached.
>
>
> Holger
>
>
>
> diff --git a/debian/user-setup-udeb.templates 
> b/debian/user-setup-udeb.templates
> index cdb6d78..7393511 100644
> --- a/debian/user-setup-udeb.templates
> +++ b/debian/user-setup-udeb.templates
> @@ -34,21 +34,19 @@ Template: passwd/root-password
>  Type: password
>  # :sl1:
>  _Description: Root password:
> - You need to set a password for 'root', the system administrative
> - account. A malicious or unqualified user with root access can have
> + If you want to allow login as root, you need to set a password for 'root',
> + the system administrative account now.
> + A malicious or unqualified user with root access can have
>   disastrous results, so you should take care to choose a root password
> - that is not easy to guess. It should not be a word found in dictionaries,
> - or a word that could be easily associated with you.
> + that cannot be guessed. It should not be a word found in dictionaries,
> + or something that could be easily associated with you.
>   .
> - A good password will contain a mixture of letters, numbers and punctuation
> - and should be changed at regular intervals.
> + You can also leave the password for root empty here, to disable the root
> + account; the system's initial user account (which will be set up in the next
> + step) will then be given the power to become root using the "sudo" command.
>   .
> - The root user should not have an empty password. If you leave this
> - empty, the root account will be disabled and the system's initial user
> - account will be given the power to become root using the "sudo"
> - command.
> - .
> - Note that you will not be able to see 

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Am 2. März 2024 21:07:34 MEZ schrieb Philip Hands :
>
>This sentence is the thing that prompted me to change things in the
>first place, because it is not true. One does not _need_ to set a root
>password.

It should be understood as 
"If you want to enable login as root, you have to set a root password now."

And in expert mode it is in fact working this way:
At first, you are asked if you want to enable login as root. If you answer yes 
here, you are prompted to set a root password. 
And at that point it is indeed required to set a root password, since you 
chose to enable root login in the first question and the installer does not
allow an empty password for root.

To make it work in default install, we could change the question as
in above citation.

>I don't actually care very much whether we encourage sudo use. My
>wording ended up (after many variations) quite strongly encouraging it
>mostly as an antidote to the implication that comes from having a
>question dedicated to setting the root password, but I'd be happy with
>any wording that makes sure that people understand that both options are
>totally fine.

The sudo possibility is also mentioned:

'The root user should not have an empty password. If you leave this
empty, the root account will be disabled and the system's initial user
account will be given the power to become root using the "sudo"
command.'

I have rephrased that a bit, see below.

>The other thing that I was trying to ensure is that people are reassured
>that they'll get to specify a password that will get them root access even if
>they decide to leave the root password unset.  This is because I've seen
>people become quite uncertain about what to expect at this point in the
>install.
>
>I've found that it is not easy to come up with things that include much
>nuance about this, while still fitting in the space available, which is
>why I decided to try a more opinionated approach.
>
>One could soften what I wrote by replacing "generally recommended" with
>something like "often appropriate" -- how does that seem to people?

Your proposal too much focusses on the sudo way IMO.
We risk getting complains from people, who miss advise regarding the
enabled root login.

I have rephrased the dialog a bit, to make the sudo way more visible and
better understandable.

>One can of course tinker with this stuff indefinitely. I actually spent
>a fair amount of time wondering how best to describe not setting a root
>password for instance -- should one say "leave the password unset", "set
>an empty password", "enter no password", or something like "just hit
>"? (and does that last one actually apply to all the available
>UIs?).
>
>The same goes for how you say that the password is not going to get
>shown (unless you ask for it to be shown), which in the GTK UI gets
>characters replaced with dots, IIRC in the text UI its with asterisks,
>and I'd guess it just gets completely hidden in the speech install.

I think that's not much of a problem. People are used to the situation,
that passwords are not shown, but replaced by asterisks or similar.
And we have the checkbox for showing it in clear text, that should be
enough.


Updated patch attached.


Holger



diff --git a/debian/user-setup-udeb.templates b/debian/user-setup-udeb.templates
index cdb6d78..7393511 100644
--- a/debian/user-setup-udeb.templates
+++ b/debian/user-setup-udeb.templates
@@ -34,21 +34,19 @@ Template: passwd/root-password
 Type: password
 # :sl1:
 _Description: Root password:
- You need to set a password for 'root', the system administrative
- account. A malicious or unqualified user with root access can have
+ If you want to allow login as root, you need to set a password for 'root',
+ the system administrative account now.
+ A malicious or unqualified user with root access can have
  disastrous results, so you should take care to choose a root password
- that is not easy to guess. It should not be a word found in dictionaries,
- or a word that could be easily associated with you.
+ that cannot be guessed. It should not be a word found in dictionaries,
+ or something that could be easily associated with you.
  .
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
+ You can also leave the password for root empty here, to disable the root
+ account; the system's initial user account (which will be set up in the next
+ step) will then be given the power to become root using the "sudo" command.
  .
- The root user should not have an empty password. If you leave this
- empty, the root account will be disabled and the system's initial user
- account will be given the power to become root using the "sudo"
- command.
- .
- Note that you will not be able to see the password as you type it.
+ Note that you will not be able to see the password as you type it (except if
+ you choose to show it in clear text).
 
 Template: passwd/root-password-again
 Type: password

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Saturday, 2 March 2024 21:07:34 CET Philip Hands wrote:
> I don't actually care very much whether we encourage sudo use.

A person who I consider very knowledgeable deliberately went for sudo and 
disabled the root account for security reasons. It was an image provided by 
him that I ended up nuking as I didn't know if/how I could rescue that system 
because it had no root account I could use.
I guess my knowledge (and certainly habits) are dated now.

> The other thing that I was trying to ensure is that people are reassured
> that they'll get to specify a password that will get them root access even
> if they decide to leave the root password unset.  This is because I've seen
> people become quite uncertain about what to expect at this point in the
> install.

You (both) obviously got more experience in these situations.

My response was based on Holger's suggestion. While I did read through various 
things, I missed the most important one:
https://openqa.debian.net/tests/238094#step/passwords/1 

That screen and wording looks pretty good :)

> I've found that it is not easy to come up with things that include much
> nuance about this, while still fitting in the space available, which is
> why I decided to try a more opinionated approach.

My suggestion took considerable time to formulate (and was still not very 
pleased with it) as I ran into the same problem.
*IF* we want more nuance/details, the install screens aren't the place.

I can get hung up too much on certain words (like 'passwords') and that's 
generally not very helpful. What I do (still) care about is getting rid of the 
"At least a capital letter and a special character" and that is absent from 
the "passwords/1" screen :)

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Diederik de Haas  writes:

> Hi,
>
> On Friday, 1 March 2024 20:46:49 CET Holger Wansing wrote:
>> Philip Hands  wrote (Fri, 01 Mar 2024 06:46:27 +0100):
>> > If you want to make a constructive contribution, how about suggesting a
>> > wording that reflects the advice that you think would be most useful to
>> > the people that actually read the advice?
>> 
>> I would like to make a proposal, leaving the default setting as is
>> (aka: default to an enabled root account, no sudo), with only some wording
>> changings.
>> 
>> Patch attached.
>> 
>> What do you think?
>
> I think it's an improvement and I have some suggestions, which hopefully 
> makes 
> it even better. I don't have a git-diff, but hopefully this works too.
>
> I'm not a native English speaker or particularly good at this, so it's more 
> the direction then the exact wording that's important. Others can undoubtedly 
> improve upon it.
>
>  _Description: Root password:
> "You need to set a password for 'root', the system administrative account.

This sentence is the thing that prompted me to change things in the
first place, because it is not true. One does not _need_ to set a root
password.

I don't actually care very much whether we encourage sudo use. My
wording ended up (after many variations) quite strongly encouraging it
mostly as an antidote to the implication that comes from having a
question dedicated to setting the root password, but I'd be happy with
any wording that makes sure that people understand that both options are
totally fine.

The other thing that I was trying to ensure is that people are reassured
that they'll get to specify a password that will get them root access even if
they decide to leave the root password unset.  This is because I've seen
people become quite uncertain about what to expect at this point in the
install.

I've found that it is not easy to come up with things that include much
nuance about this, while still fitting in the space available, which is
why I decided to try a more opinionated approach.

One could soften what I wrote by replacing "generally recommended" with
something like "often appropriate" -- how does that seem to people?

One can of course tinker with this stuff indefinitely. I actually spent
a fair amount of time wondering how best to describe not setting a root
password for instance -- should one say "leave the password unset", "set
an empty password", "enter no password", or something like "just hit
"? (and does that last one actually apply to all the available
UIs?).

The same goes for how you say that the password is not going to get
shown (unless you ask for it to be shown), which in the GTK UI gets
characters replaced with dots, IIRC in the text UI its with asterisks,
and I'd guess it just gets completely hidden in the speech install.

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

Hi,

On Friday, 1 March 2024 20:46:49 CET Holger Wansing wrote:
> Philip Hands  wrote (Fri, 01 Mar 2024 06:46:27 +0100):
> > If you want to make a constructive contribution, how about suggesting a
> > wording that reflects the advice that you think would be most useful to
> > the people that actually read the advice?
> 
> I would like to make a proposal, leaving the default setting as is
> (aka: default to an enabled root account, no sudo), with only some wording
> changings.
> 
> Patch attached.
> 
> What do you think?

I think it's an improvement and I have some suggestions, which hopefully makes 
it even better. I don't have a git-diff, but hopefully this works too.

I'm not a native English speaker or particularly good at this, so it's more 
the direction then the exact wording that's important. Others can undoubtedly 
improve upon it.

 _Description: Root password:
"You need to set a password for 'root', the system administrative account. The 
'root' user has full control over the whole system, so it's extra important to 
protect it with a strong password. A strong password is usually a sentence, 
consisting of words not commonly found together in natural language. And not 
easily associated with you."*

*) Not sure if there's room for it, but examples often help:
1) That's a battery staple? Correct!
2) Margaret Thatcher is 110% sexy

ad 1) xkcd 936
ad 2) An example Edward Snowden gave in an interview (with Vice?)

Why?
- We need to get rid of the *word* part; making it long (via a sentence) is 
the easiest way to make it stronger. I don't know if passphrase is 
(technically) correct or easily understood though.
- "A malicious or unqualified user ... can have disastrous results"
I think it doesn't add useful or correct info as a benign qualified 'root' user 
making an error and can also wreak havoc. (A good password doesn't prevent 
that though)
- A memorable password or passphrase can (always?) be guessed; the goal is to 
make it as hard as possible.
- "It should not be a word found in dictionaries"
I know where it comes from, but it's not helpful. And it gives the impression 
it should be a single word. A 'normal' dictionary contains a LOT of words and 
saying you can't use any of them makes it almost impossible for the user to 
make a good password/passphrase. That they can remember.
I haven't verified it, but I'm guessing the words from Diceware Word List are 
all present in the 'normal' dictionary?

"Note that you will not see the password in clear text as you type it, except 
if you explicitly choose to show it."

You *are* able to see the plain text password, just not by default.

HTH,
  Diederik

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Philip Hands  wrote (Fri, 01 Mar 2024 06:46:27 +0100):
> If you want to make a constructive contribution, how about suggesting a
> wording that reflects the advice that you think would be most useful to
> the people that actually read the advice?

I would like to make a proposal, leaving the default setting as is 
(aka: default to an enabled root account, no sudo), with only some wording 
changings.

Patch attached.

What do you think?


Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076
diff --git a/debian/user-setup-udeb.templates b/debian/user-setup-udeb.templates
index cdb6d78..2715cfb 100644
--- a/debian/user-setup-udeb.templates
+++ b/debian/user-setup-udeb.templates
@@ -32,28 +32,26 @@ _Description: Allow login as root?
 
 Template: passwd/root-password
 Type: password
 # :sl1:
 _Description: Root password:
  You need to set a password for 'root', the system administrative
  account. A malicious or unqualified user with root access can have
  disastrous results, so you should take care to choose a root password
- that is not easy to guess. It should not be a word found in dictionaries,
+ that cannot be guessed. It should not be a word found in dictionaries,
  or a word that could be easily associated with you.
  .
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
- .
  The root user should not have an empty password. If you leave this
  empty, the root account will be disabled and the system's initial user
  account will be given the power to become root using the "sudo"
  command.
  .
- Note that you will not be able to see the password as you type it.
+ Note that you will not be able to see the password as you type it (except if
+ you choose to show it in clear text).
 
 Template: passwd/root-password-again
 Type: password
 # :sl1:
 _Description: Re-enter password to verify:
  Please enter the same root password again to verify that you have typed it
  correctly.
 
@@ -105,18 +103,17 @@ Type: error
 _Description: Reserved username
  The username you entered (${USERNAME}) is reserved for use by the system.
  Please select a different one.
 
 Template: passwd/user-password
 Type: password
 # :sl1:
 _Description: Choose a password for the new user:
- A good password will contain a mixture of letters, numbers and punctuation
- and should be changed at regular intervals.
+ Make sure to select a strong password, that cannot be guessed.
 
 Template: passwd/user-password-again
 Type: password
 # :sl1:
 _Description: Re-enter password to verify:
  Please enter the same user password again to verify you have typed it
  correctly.
 

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

Hi Philip,

On Friday, 1 March 2024 06:46:27 CET Philip Hands wrote:
> Having helped people to install Linux for ~30 years, I'd say that it's
> the norm for people to be almost incapable of coming up with a decent
> password if they were not expecting the question.

I fully agree that most people use terrible passwords, due to decades of 
terrible advise about 'good' passwords:

https://milliways.social/@mcfly/87875394339616
https://xkcd.com/936/

On an *old* screenshot I had from d-i I found this:
"A good password will contain a mixture of letters, numbers and punctuation"

Fortunately that seems to have already been fixed :)

I'll note that not every system needs strong security; some of my VMs have a 
terrible *root* password and that is/was deliberate. 

> If you want to make a constructive contribution, how about suggesting a
> wording that reflects the advice that you think would be most useful to
> the people that actually read the advice?

It makes me sad if we assume that people won't even read it :(
People not reading a 50+ page EULA, I can understand that. But a few lines of 
instruction/help when installing a fresh Operating System should not be too 
much to ask? Or am I completely out of touch with reality?

>From MR 7:
> It is possible (and generally recommended) to lock the 'root' (system 
> administrative) account, thus preventing direct password-based logins to
> 'root'.

I wasn't aware that that's now the recommended way to do things.
An important reason why I responded was that I recently had to nuke a system 
with a locked root account because I couldn't get into emergency mode to fix a 
(rather simple) mistake. Due to this bug I found #802211 which seems to 
indicate it would've been possible (if setup in advance?). Had I known it.

And apparently I'm the only one who's bothered by removing the root account 
screen, so go ahead. I'll find a way around it for myself.

Cheers,
  Diederik

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Hi Diederik,

You're probably right that it deserves a separate bug, but I was trying
to avoid wasting the translators time by doing this in two steps, and
forcing them to do the work twice.

I cannot say that I have read the stuff in these dialogs (except when
editing them) for at least 20 years, so tailoring the content of them
for people like me seems like a mistake. I was therefore trying to put
myself in the position of a person that's reading them for the first
time, and perhaps a person that's installing Linux for the first time.

Having helped people to install Linux for ~30 years, I'd say that it's
the norm for people to be almost incapable of coming up with a decent
password if they were not expecting the question.

As I said, I'm happy to hear better suggestions, since I've had about 15
attempts at this so far, and every time I see the text rendered in the
D-I screenshot, I end up not liking the result very much.

If you want to make a constructive contribution, how about suggesting a
wording that reflects the advice that you think would be most useful to
the people that actually read the advice?

If nothing like a consensus is available, then just removing the old
advice seems like an OK place to end up too, which is why I went to the
effort of splitting the commits.

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil

Bug#1064617: Passwords should not be changed frequently

[Diederik de Haas]

On Thursday, 29 February 2024 23:13:55 CET Holger Wansing wrote:
> > in which I'm recommending setting no password for root, which then gives
> > the initial user 'sudo' membership[1].
> 
> What about the "Allow login as root?" question (only shown in expert mode),
> which is asked directly before the above mentioned dialog?

I very much support the suggestion from the (initial) bug report:
removing bad advice

But this is changing the subject in fundamental ways, which should be 
discussed in a separate bug report with an appropriate title.

1) Suddenly we assume that the user is incapable of coming up with a good 
password for root? Where is that based upon?
2) If they're incapable of coming up with a good password for root, then 
they're incapable of given their normal account, with sudo privileges, a 
decent password too, right?
3) Default behavior now becomes *not* creating a root account? If we divert 
from a years/decades long default, there needs to be good reasons for it IMO.

Defaults matter and I'm not happy that so much things get put into expert mode 
or (only) made available via preseed, just because we're worried it may 
confuse users (or we think they're idiots, which is way worse). 

"This 'users are idiots, and are confused by functionality' mentality of Gnome 
is a disease. If you think your users are idiots, only idiots will use it."

My 0.02

signature.asc
Description: This is a digitally signed message part.

Bug#1064617: Passwords should not be changed frequently

[Holger Wansing]

Hi,

Philip Hands  wrote (Thu, 29 Feb 2024 20:53:10 +0100):
> Depending upon whether we think it's worth using translators' time on
> this subject, we can then select one or both commits, and finally close
> these bugs.

I think it would be worth it to generate some work for translators here, yes.

> You can see my latest attempt here:
> 
>   https://openqa.debian.net/tests/238094#step/passwords/1
> 
> in which I'm recommending setting no password for root, which then gives
> the initial user 'sudo' membership[1].

What about the "Allow login as root?" question (only shown in expert mode),
which is asked directly before the above mentioned dialog?
(That's in user-setup-udeb.templates - line 25 ff.)

Maybe that needs some re-wording too?

Seems somewhat inconsistent now IMO:
if you say 'Yes' to 'Allow login as root' you get the next dialog allowing
the same choice again (or at least very similar): 
'It is possible [...] to lock the root acount ... If you leave the password
here unset, then this is what happens.'

Is that understandable for users?


Holger


-- 
Holger Wansing 
PGP-Fingerprint: 496A C6E8 1442 4B34 8508  3529 59F1 87CA 156E B076

Bug#1064617: Passwords should not be changed frequently

[Philip Hands]

Pascal Hambourg  writes:

> On 25/02/2024 at 01:17, Matthew Wilcox wrote:
>> 
>> I just did an installation with the 2024-02-24
>> debian-testing-amd64-netinst.iso image.  I forget the exact wording
>> used, but when setting up a user, d-i printed advice that user passwords
>> should be changed frequently.  This is no longer current good advice
>> (since 2017):
>
> This topic has some history, see
> 
> 
> 
> 

It had not occured to me until Matthew's suggestion that we might simply
remove the obsolete advice, rather than trying to improve the wording.

In light of that, I've split the MR into 2 commits, the first of which
removes the old advice (which hopefully inflicts the smallest possible
load on our translators) and the second of which is an attempt to come
up with something better (criticism welcome, I've had multiple attempts
at this, so I imagine there's still room for improvement).

Depending upon whether we think it's worth using translators' time on
this subject, we can then select one or both commits, and finally close
these bugs.

You can see my latest attempt here:

  https://openqa.debian.net/tests/238094#step/passwords/1

in which I'm recommending setting no password for root, which then gives
the initial user 'sudo' membership[1].

The slightly awkward thing about this recommendation is that it
encourages people to put themselves in the situation that:

  https://salsa.debian.org/installer-team/user-setup/-/merge_requests/6

is trying to address, so if we make this recommendation, we should also
deal with that issue (which I think we should do anyway).

Cheers, Phil.

[1] This strikes me as decent advice for newbies, for whom this sort of
guidance is most necessary. The problem with asking a newbie for a
root password is that they're likely to choose a poor one. Even if
they later realise that they should have choosen better passwords,
they may well not at that point remember that they still have a
useless password for root that needs updating.

On the other hand, now that ssh defaults to not allowing password
based logins to root, perhaps the potential presence of a poor
password on a sudo enabled account should be of greater concern,
since that will still be open to remote logins, so I can see that
one could argue this either way.
-- 
Philip Hands -- https://hands.com/~phil


signature.asc
Description: PGP signature

Bug#1064617: Passwords should not be changed frequently

[Pascal Hambourg]

On 25/02/2024 at 01:17, Matthew Wilcox wrote:


I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image.  I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently.  This is no longer current good advice
(since 2017):


This topic has some history, see

Bug#1064617: Passwords should not be changed frequently

[Matthew Wilcox]

Package: debian-installer

I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image.  I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently.  This is no longer current good advice
(since 2017):

 "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
 (e.g., periodically).  However, verifiers SHALL force a change if there
 is evidence of compromise of the authenticator."

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug.  This bug is simply a request to remove
this outdated suggestion text from d-i.