Include `nvme-cli` by default
Tails is very good as a disk formatting/secure erase tool. The current version of Tails includes
gnome-disks by default, and as a result, users can easily perform ATA secure erase command on their internal HDDs and SATA SSDs. Although there are other formatting tools that can perform the same tasks, like Parted Magic and GParted, I personally think Tails is better at the job because it's lightweight, free, and compatible with many hardwares.
And, using and even advertising Tails as a disk formatting utility have a potential to provide cover to dissidents who have to use Tails for secure, private communication. Currently, because Tails is only marketed as a privacy and government-avoiding tool, using Tails or even connecting to
tails.boum.org via home Internet can look suspicious to friends, local network administrators (e.g., schools), and government officials (think of NSA's XKeyscore program). If many people use Tails as a formatting utility, using Tails will look less suspicious.
hdparm nor the current version of
gnome-disks support secure-erasing internal NVMe SSDs. Because more and more PCs nowadays have NVMe SSDs, this somewhat undermines Tails' ability to format any PCs that a user might encounter. Including
nvme-cli by default might resolve this.
I was going to post this exact feature request. I can understand that Tails core priority is not as a secure disk wiping tool, but I believe that this should be understood to be an important function that users are grateful to have access to. NVME drives are largely standard on laptops now and I think the inclusion of nvme-cli would be a great idea.
Hopefully this can be upgraded from Low priority in the near future.
Is it sufficient to install
nvme-cli to give GNOME Disks the ability to securely erase an internal NVMe drive?
(Modulo we trust the drive itself to do it right, of course, but that's not my concern here.)
If the answer is "yes", then it would make sense to me to install
nvme-cli by default, so that less technical users benefit from it without having to figure out what package is missing.
Else, if the answer is "no", and the only way to use
nvme-cli is on the command line, then I see no great benefit in installing
nvme-cli by default: the users who know they need to use this tool to securely erase an internal NVMe drive, and will figure out how to do so, can also figure out how to install it.