tech-install archive


Re: recent sysinst UX changes



On Mon, Nov 09, 2020 at 11:18:31AM +0100, Martin Husemann wrote:
> On Mon, Nov 09, 2020 at 10:10:56AM +0000, nia wrote:
> > fwiw, i think the default options should be as close to Just Work as possible.
> > 
> > i have installed NetBSD irl with people who have only a little bit of unix
> > knowledge, and watched them wince every time something doesn't go as planned.
> > often this is on older, spare hardware, that's just to play with the OS on,
> > so it is likely to not have >2015 CPU features (RDRAND).
> 
> I totally agree with both of these, but "just work" is not a clear target,
> especially when a simple step makes a difference in security (whether
> manually typing in random things *does* make a difference is probably
> for another debate).
> 
> The description pointing at copying output from another machine is just
> an option (and it actually helps a lot when you do installs via serial
> console or similar).
> 
> So: happy to make it more user-friendly, simpler, rephrase messages,
> whatever needed - but we should not end up with insecure installs.
> 
> Martin

Requiring users to type in data is just going to result in a lot of
users mashing the keyboard to get an install to work, is all I'm saying.
That's no better than copying 32 bytes back into /dev/urandom to continue
with the existing seed. The installation involves user input, after all.

Treating USB RNGs as a common use case for everyday installs is an odd
decision. They're probably common to have among a subset of NetBSD
developers, and, well, nobody else.

+{This system seems to lack a cryptographically strong pseudo random
+number generator. There is not enough entropy available to create secure
+keys (e.g. ssh host keys). 
+
+You may use random data generated on another computer and load it
+here, or you could enter random characters manually. 
+ 
+If you own a USB random number device, connect it now and select
+the "Re-test" option.}
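Review bot: the second paragraph tells the user to "load it here" without saying where the random data is loaded from or in what form, so someone sitting at this prompt still has to guess; the message should name the source (for instance the menu option that does the import) or the path it reads. Minor style point: the lines ending "host keys). " and "manually. " and the lone "+ " line carry trailing whitespace inside the braced message text.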

I would change this to:

"{This system seems to lack a quality hardware random number generator.

For increased system security, you may load random data generated
on another computer. NetBSD will then use this as a seed.

Otherwise, the installer can continue with a potentially insecure
seed using data collected during the installation process.}"

+message entropy_continue	{Continue with existing potentially insecure seed}
+message entropy_download_seed	{Import random data from another machine}
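Review bot: the `entropy_continue` label speaks of an "existing potentially insecure seed", but the message text it follows never mentions an existing seed, only that there is "not enough entropy available"; use the same term in both so the menu option matches the explanation the user has just read. The `entropy_download_seed` label likewise does not say where the data is imported from, which the user needs to know before choosing it.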

Lacking a HWRNG is the actual problem. Let's describe the actual problem.
I don't think we need to present every new user installing NetBSD with
information about USB RNG devices or crypto jargon.

