[Haskell-cafe] When did it become so hard to install Haskell onWindows?
jo at durchholz.org
Mon Apr 27 10:36:26 UTC 2020
Just to add the data points I can contribute...
> * First, I have to subscribe to a newsletter? Really? I guess this is
> entirely optional, but the instructions don't make it sound so.
> Step 1 is completely optional and you don’t have to subscribe to any
> news letter.
It's a bit surprising to see this as the first option.
It's also not saying the consequences of subscribing: How much mail will
you get, are you going to be bombarded with useless spam or just with
information about bug fixes.
So it's the classical downturner: Asking permission for something that
isn't clearly described.
Plus not clearly stating that it's optional, which has a whiff of the
stink of manipulativeness.
For people that have already been subjected to such maneuvers, it's
framing the whole remaining process as "they are trying to manipulate me
into stuff I probably don't want", and that sets the tone where people
start writing rants even if they don't want to. (It's the typical
outcome of A/B testing. A/B testing will tell you how people click, not
how they feel.)
> * Then I have to know what powershell.exe is, use an administrative
> prompt, and enter scary commands in it.
> Powershell has been the standard shell in Windows for well over the past
> decade. Every single script from Microsoft or third parties come with
> powershell for automation.
> It’s understandable that you may not know it since your primary platform
> isn’t Windows. But it’s been included in every single Windows version
> for the past 13 years.
> An administrative prompt is nothing different than running sudo or
> clicking on that installer that you **assumed** not to be scary because
> you didn’t see the actions it was performing.
> That scary looking command is nothing but a curl command allowing the
> one time execution of a script from a remote source. As in a script
> that’s not physically on your machine.
> So what exactly makes this scary? Is it because
> Set-ExecutionPolicy Bypass -Scope Process -Force;
> [System.Net.ServicePointManager]::SecurityProtocol =
> [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex
> Is more verbose than
> |curl -sSL https://path.to.some.script/ | sh|
> or because the technologies used while completely standard on Windows
> aren’t known to the casual user?
Part of the problem is indeed that you don't know what the commands are
actually doing, and the process is exposing that scary part.
For me (as a hardcore developer), it's that I don't know what this is
doing, so I'll be extra cautious, and extra watchful about additional
However, the approach is also raising a big red flag.
An installer requires a certificate signed by Microsoft (otherwise it
will complain that the publisher isn't known and the software can damage
The thing about this is: Microsoft has a track record of no complaints
(otherwise they would have revoked the certificate). This helps assure
the users that the publisher is trustworthy, both for his intentions and
his technical competence.
Asking people to use an admin shell (regardless of whether it's
Powershell or good ol' cmd.exe) is eliminating these mechanisms.
Note that Microsoft's installer certificate is mostly security circus,
with pretty little real value.
However, it does help, a bit.
And adhering to it is a signal to your users that you are indeed going
out of your way to reassure them.
It's a bit like with a car mechanic. If the workplace is grubby, people
start questioning the attention to detail, and overall competence; they
may still send cars for repair, but they will be more intent on finding
issues, sometimes asking about things that don't matter (but they don't
know this), sometimes being overly suspicious (but they don't really
know how much suspicion is appropriate). If the workplace is clean, the
standard assumption is that in this shop, there's attention to detail
and they don't have to check every detail on their own.
Just my 2 cents, in the hope that they are helping.
I also agree that packaging is typical background work that's always
underappreciated, and gets attention only if it doesn't work. Thanks for
More information about the Haskell-Cafe