[Haskell-cafe] When did it become so hard to install Haskell onWindows?

Joachim Durchholz jo at durchholz.org
Mon Apr 27 10:36:26 UTC 2020


Just to add the data points I can contribute...

>   * First, I have to subscribe to a newsletter? Really? I guess this is
>     entirely optional, but the instructions don't make it sound so. 
> 
> Step 1 is completely optional and you don’t have to subscribe to any 
> news letter.

It's a bit surprising to see this as the first option.
It's also not saying the consequences of subscribing: How much mail will 
you get, are you going to be bombarded with useless spam or just with 
information about bug fixes.

So it's the classical downturner: Asking permission for something that 
isn't clearly described.
Plus not clearly stating that it's optional, which has a whiff of the 
stink of manipulativeness.
For people that have already been subjected to such maneuvers, it's 
framing the whole remaining process as "they are trying to manipulate me 
into stuff I probably don't want", and that sets the tone where people 
start writing rants even if they don't want to. (It's the typical 
outcome of A/B testing. A/B testing will tell you how people click, not 
how they feel.)

>   * Then I have to know what powershell.exe is, use an administrative
>     prompt, and enter scary commands in it.
> 
> Powershell has been the standard shell in Windows for well over the past 
> decade. Every single script from Microsoft or third parties come with 
> powershell for automation.
> 
> It’s understandable that you may not know it since your primary platform 
> isn’t Windows. But it’s been included in every single Windows version 
> for the past 13 years.
> 
> An administrative prompt is nothing different than running sudo or 
> clicking on that installer that you **assumed** not to be scary because 
> you didn’t see the actions it was performing.
> 
> That scary looking command is nothing but a curl command allowing the 
> one time execution of a script from a remote source. As in a script 
> that’s not physically on your machine.
> 
> So what exactly makes this scary? Is it because
> 
> Set-ExecutionPolicy Bypass -Scope Process -Force; 
> [System.Net.ServicePointManager]::SecurityProtocol = 
> [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex 
> ((New-Object 
> System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
> 
> Is more verbose than
> 
> |curl -sSL https://path.to.some.script/ | sh|
> 
> or because the technologies used while completely standard on Windows 
> aren’t known to the casual user?

Part of the problem is indeed that you don't know what the commands are 
actually doing, and the process is exposing that scary part.
For me (as a hardcore developer), it's that I don't know what this is 
doing, so I'll be extra cautious, and extra watchful about additional 
red flags.

However, the approach is also raising a big red flag.
An installer requires a certificate signed by Microsoft (otherwise it 
will complain that the publisher isn't known and the software can damage 
your computer).
The thing about this is: Microsoft has a track record of no complaints 
(otherwise they would have revoked the certificate). This helps assure 
the users that the publisher is trustworthy, both for his intentions and 
his technical competence.
Asking people to use an admin shell (regardless of whether it's 
Powershell or good ol' cmd.exe) is eliminating these mechanisms.

Note that Microsoft's installer certificate is mostly security circus, 
with pretty little real value.
However, it does help, a bit.
And adhering to it is a signal to your users that you are indeed going 
out of your way to reassure them.
It's a bit like with a car mechanic. If the workplace is grubby, people 
start questioning the attention to detail, and overall competence; they 
may still send cars for repair, but they will be more intent on finding 
issues, sometimes asking about things that don't matter (but they don't 
know this), sometimes being overly suspicious (but they don't really 
know how much suspicion is appropriate). If the workplace is clean, the 
standard assumption is that in this shop, there's attention to detail 
and they don't have to check every detail on their own.

Just my 2 cents, in the hope that they are helping.
I also agree that packaging is typical background work that's always 
underappreciated, and gets attention only if it doesn't work. Thanks for 
doing it!

Regards,
Jo


More information about the Haskell-Cafe mailing list