
Just to add the data points I can contribute...
* First, I have to subscribe to a newsletter? Really? I guess this is entirely optional, but the instructions don't make it sound so.
Step 1 is completely optional and you don’t have to subscribe to any newsletter.
It's a bit surprising to see this as the first option. It's also not saying the consequences of subscribing: How much mail will you get, are you going to be bombarded with useless spam or just with information about bug fixes. So it's the classical downturner: Asking permission for something that isn't clearly described. Plus not clearly stating that it's optional, which has a whiff of the stink of manipulativeness. For people that have already been subjected to such maneuvers, it's framing the whole remaining process as "they are trying to manipulate me into stuff I probably don't want", and that sets the tone where people start writing rants even if they don't want to. (It's the typical outcome of A/B testing. A/B testing will tell you how people click, not how they feel.)
* Then I have to know what powershell.exe is, use an administrative prompt, and enter scary commands in it.
Powershell has been the standard shell in Windows for well over the past decade. Every single script from Microsoft or third parties comes with powershell for automation.
It’s understandable that you may not know it since your primary platform isn’t Windows. But it’s been included in every single Windows version for the past 13 years.
An administrative prompt is nothing different than running sudo or clicking on that installer that you **assumed** not to be scary because you didn’t see the actions it was performing.
That scary looking command is nothing but a curl command allowing the one time execution of a script from a remote source. As in a script that’s not physically on your machine.
So what exactly makes this scary? Is it because
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
is more verbose than
curl -sSL https://path.to.some.script/ | sh
or because the technologies used while completely standard on Windows aren’t known to the casual user?
Part of the problem is indeed that you don't know what the commands are actually doing, and the process is exposing that scary part. For me (as a hardcore developer), it's that I don't know what this is doing, so I'll be extra cautious, and extra watchful about additional red flags.

However, the approach is also raising a big red flag. An installer requires a certificate signed by Microsoft (otherwise it will complain that the publisher isn't known and the software can damage your computer). The thing about this is: Microsoft has a track record of no complaints (otherwise they would have revoked the certificate). This helps assure the users that the publisher is trustworthy, both for his intentions and his technical competence. Asking people to use an admin shell (regardless of whether it's Powershell or good ol' cmd.exe) is eliminating these mechanisms. Note that Microsoft's installer certificate is mostly security circus, with pretty little real value. However, it does help, a bit. And adhering to it is a signal to your users that you are indeed going out of your way to reassure them.

It's a bit like with a car mechanic. If the workplace is grubby, people start questioning the attention to detail, and overall competence; they may still send cars for repair, but they will be more intent on finding issues, sometimes asking about things that don't matter (but they don't know this), sometimes being overly suspicious (but they don't really know how much suspicion is appropriate). If the workplace is clean, the standard assumption is that in this shop, there's attention to detail and they don't have to check every detail on their own.

Just my 2 cents, in the hope that they are helping. I also agree that packaging is typical background work that's always underappreciated, and gets attention only if it doesn't work. Thanks for doing it!

Regards,
Jo
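
The following is an added example, not part of the thread and not the project's own code: the same steps as the quoted one-liner, with the script saved to disk so it can be read and its Authenticode signature checked before anything runs. The download path, the review step and the assumption that the publisher signs the script are illustrative choices; an unsigned or altered script stops at the signature check.

```powershell
# Added example: download, inspect, verify, then run, instead of piping into iex.
$ErrorActionPreference = 'Stop'

$url  = 'https://chocolatey.org/install.ps1'      # URL from the command quoted above
$path = Join-Path $env:TEMP 'install.ps1'         # assumed download location

# Same TLS 1.2 opt-in as the one-liner (3072 is the numeric value of Tls12).
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

# Save the script to a file rather than executing the downloaded string directly.
(New-Object System.Net.WebClient).DownloadFile($url, $path)

# Record exactly which bytes were fetched, so the run can be audited later.
$hash = Get-FileHash -Path $path -Algorithm SHA256
Write-Host "SHA256: $($hash.Hash)"

# Check the Authenticode signature embedded in the script.
# Status is 'Valid' only if the file is signed, unmodified since signing,
# and the certificate chains to a root this machine trusts.
$sig = Get-AuthenticodeSignature -FilePath $path
Write-Host "Signature status: $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run: signature status is $($sig.Status) ($($sig.StatusMessage))"
}
# A valid signature only says who signed it; the reader still decides
# whether this is the publisher they expected.
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Open the script for reading before deciding.
notepad $path
$answer = Read-Host 'Run this script now? Type yes to continue'
if ($answer -eq 'yes') {
    # Process scope: the policy change ends with this PowerShell session.
    Set-ExecutionPolicy Bypass -Scope Process -Force
    & $path
} else {
    Write-Host "Not executed. Script left at $path for review."
}
```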