Discussion:
Bug#1032277: installation-reports: Installer too strongly urges users to set root password
(too old to reply)
Cyril Brulebois
2023-03-02 18:30:01 UTC
Permalink
Hi,
Please see the attached screenshot. I believe Debian would be improved
if this page was reworded.
It begins with a strong emphatic statement "You need to set a password
for 'root'
If someone is not reading very carefully, it's easy to not see the
later statement that in fact a password for root is not required and
if this page is left empty, that a user will be able to run admin
commands directly (with sudo or with PolicyKit as implemented by GNOME
Settings > Printers > Add a printer). Even if someone sees the
statement, they might not understand it.
The wording might be adjusted, sure, but that's also been documented in
the installation guide for quite some time

https://www.debian.org/releases/bookworm/amd64/ch06s03.en.html#di-user-setup

What happens if you don't set a root password and got dropped into
maintenance mode at boot-time? ISTR typing in a root password was a
requirement at this stage, but I've been fortunate enough to have not
encountered this situation in a very long while.
I personally believe Debian would benefit from Ubuntu's approach where
sudo/admin is enabled for the first user by default. This would be the
opposite of the user experience encouraged by the current wording.
Maybe.

And I'll argue there's no “by default” here: what happens depends on
what users do enter in that prompt.
1. Move the root password page after the user name & password pages
Altering order of screens that have been around since forever seems like
it would generate more frustration and confusion than it would actually
be beneficial.
2. Change the wording to immediately mention that a root password is
not required. If it is set, then the already enabled user won't be
able to perform admin functions except by logging in as root with this
password.
Adjusting the wording can be discussed. It's probably too late for
bookworm as this would need to get reflected in translations, and it's
very likely too late to give everyone a resonable chance to catch up in
time for the release.
3. Consider dropping the root password page from the default
installer. I think it's too late (and unnecessary) to do this for
Debian 12, but it's worth considering for Trixie.
I would like to see a much stronger case to be made than “the wording is
vague and confusing”. Others might feel differently



Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Pascal Hambourg
2023-03-02 19:40:01 UTC
Permalink
Post by Cyril Brulebois
What happens if you don't set a root password and got dropped into
maintenance mode at boot-time?
Or if you cannot open a user session for whatever reason ?

You're stuck. Default settings allow to launch an unauthenticated root
shell at boot time quite easily, but it is not as convenient as regular
recovery mode. This is why I advise against not setting a root password
even if you are going to use sudo or polkit.
Debian Bug Tracking System
2024-10-06 09:50:01 UTC
Permalink
Your message dated Sun, 6 Oct 2024 11:45:50 +0200
with message-id <***@mailbox.org>
and subject line Re: #1032277 installation-reports: Installer too strongly urges users to set root password
has caused the Debian Bug report #1032277,
regarding installation-reports: Installer too strongly urges users to set root password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1032277: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032277
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Loading...