Current-Users archive


Re: recent sysinst UX changes



fwiw, i think the default options should be as close to Just Work as possible.

i have installed NetBSD irl with people who have only a little bit of unix
knowledge, and watched them wince every time something doesn't go as planned.
often this is on older, spare hardware that's just to play with the OS on,
so it is likely to not have >2015 CPU features (RDRAND).

On Mon, Nov 09, 2020 at 06:51:47AM +0100, Martin Husemann wrote:
> On Sun, Nov 08, 2020 at 05:32:16PM +0000, nia wrote:
> > after several changes in 9.1 and -current, it's strange to me that the option
> > that I expect is the most popular for installing NetBSD (start over, fresh
> > partitions, use the whole disk) is no longer the default option:
> 
> It never was and I am not sure it should be. This option actually
> is brand new and never was offered before this explicitly.
> 
> I don't have a strong opinion on order of options and defaults though,
> at this stage in an installer that offers to destroy all of your disk
> you should be thinking twice what you select.

thing is, "Want to install NetBSD? This might damage your disk and you
should make a backup and think twice..." is already a dialog that appears
prior to this one (with the default being no).

the default option may be broken for a preexisting Linux/Windows GPT table,
and the current wording makes it sound like you should only pick the "delete
everything" option if you want to change the partitioning system to a different
one (not GPT).

it's also not clear, to a new user, what the difference between "use default
partition sizes" and "delete everything" is. it's not clear to me :/

> 
> > while inputting entropy by hand isn't something i would consider 
> > acceptable to expose to everyday users of a modern operating system
> > in the first place, the suggestion that they might use coin tosses
> > makes the entire thing feel like a big joke (and in general the dialog
> > is overly complicated).
> 
> I am open to concrete suggestions how to improve things here.
> Note that most users on real machines never should see this dialog
> and that manual input is only one of a few options available.
> 
> I feel the whole thing is a bad pain, but either something like this
> or we will end up with insecure/incomplete installations.
> 
> Martin

i run into it on real hardware, thinkpad t60.

my preference is:

- when booting in a VM, if there is no RNG device attached,
  the system should print a warning with instructions on how
  to attach the device.

- "Continue with possibly insecure RNG state" should be an available
  option that writes 32 bytes from urandom to random. The act of
  performing an installation should involve user input that is
  difficult for an adversary to predict, if not scientifically
  provably secure...

the thinkpad has onboard devices that generate data that might not
be provably random, but is near practically unpredictable, including
various fan sensors and an audio DAC with inputs (hey, the installer
could even set these to max gain...)

is a typical new user, such as described above, likely to have
another NetBSD machine to serve an entropy file over ftp with?

no, they're going to spam on the keyboard. whose security is this
helping?
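As an added illustration of the two installer behaviours proposed in this message (a warning with attach instructions when a VM has no RNG device, and an explicit "continue with possibly insecure RNG state" path that mixes 32 bytes from urandom into random), here is an example sketch. It is not sysinst code and not from the NetBSD project; the sysctl names kern.entropy.needed and machdep.hypervisor, and the QEMU device name in the hint text, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not NetBSD sysinst code. Sketches the installer behaviour
# proposed in the message above. Assumed names: NetBSD's sysctl
# kern.entropy.needed (bits the kernel still wants, 0 = seeded) and
# machdep.hypervisor (non-empty when running under a hypervisor).

# rng_plan NEEDED IN_VM: pure decision logic, kept separate so it can be
# exercised offline. NEEDED is the bit count still wanted ("unknown" is
# treated as not seeded), IN_VM is 1 or 0.
# Prints one of: seeded, attach-rng-device, ask-user.
rng_plan() {
    needed=$1; in_vm=$2
    if [ "$needed" -eq 0 ] 2>/dev/null; then
        echo seeded
    elif [ "$in_vm" -eq 1 ]; then
        echo attach-rng-device
    else
        echo ask-user
    fi
}

# vm_hint: the warning a VM user would see, with the attach instructions the
# message asks for. The hypervisor option shown is QEMU's virtio-rng device.
vm_hint() {
    cat <<'EOF'
No hardware RNG is visible to this virtual machine, so the kernel cannot
seed itself. Attach a virtio-rng device in your hypervisor (QEMU:
-device virtio-rng-pci) and reboot the installer, or continue with a
possibly insecure RNG state.
EOF
}

# seed_from_urandom [DEVICE]: the "possibly insecure" path from the message.
# Mixes 32 bytes of urandom output into /dev/random (or DEVICE, for testing).
# The kernel does not credit this as fresh entropy, which is exactly why
# the message labels this path possibly insecure.
seed_from_urandom() {
    dd if=/dev/urandom of="${1:-/dev/random}" bs=32 count=1 2>/dev/null
}

# main: glue for a real NetBSD host; on other systems the sysctls are
# missing and the fallbacks lead to the ask-user path.
main() {
    needed=$(sysctl -n kern.entropy.needed 2>/dev/null || echo unknown)
    hv=$(sysctl -n machdep.hypervisor 2>/dev/null || echo "")
    in_vm=0; [ -n "$hv" ] && in_vm=1
    case $(rng_plan "$needed" "$in_vm") in
        seeded) echo "kernel RNG is seeded, continuing" ;;
        attach-rng-device) vm_hint ;;
        ask-user)
            printf 'Continue with possibly insecure RNG state? [y/N] '
            read -r ans
            case $ans in y|Y) seed_from_urandom ;; *) exit 1 ;; esac ;;
    esac
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh rng_plan.sh --run` on the installing host; without `--run` it only defines the functions. The decision logic is deliberately split from the two actions so the "seeded / warn / ask" outcome can be checked without touching the kernel RNG.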

