* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
@ 2024-11-29 15:39 Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
From: Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-11-29 15:39 UTC (permalink / raw)
To: 74604; +Cc: Philip Kaludercic
This is a feature request for the security wishlist. When upgrading a
package it would be good to show a diff between the new and old package
files. Such an option could help perform review casually as part of
the upgrade process and may improve the security of the package
archives. More eyes would look at new package versions. This would make
it harder to inject malicious code either via the source repository or
via attacks on the package archives.
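One way to prototype the review step requested above, as an added example that is not part of this bug report or of Emacs' package.el (the `my-package-...' names are hypothetical, and it assumes Emacs 29 or later for `package-upgrade'):

```elisp
;; Added example for this thread; not code from Emacs or from package.el.
;; All `my-package-...' names are hypothetical.
(require 'package)
(require 'diff)

(defvar my-package-diff-switches
  '("-ruN" "-x" "*.elc" "-x" "*-autoloads.el" "-x" "*-pkg.el")
  "Switches given to `diff' when comparing two versions of a package.
Byte-compiled files, autoloads and the generated -pkg.el are produced
locally at install time and only add noise to a review.")

(defun my-package-installed-dir (name)
  "Return the directory of the newest installed version of package NAME.
`package-alist' keeps the descriptors of each package sorted by
decreasing version, so the first one is the currently newest install."
  (let ((desc (cadr (assq name package-alist))))
    (unless desc
      (user-error "Package %s is not installed" name))
    (package-desc-dir desc)))

(defun my-package-review-upgrade (name new-dir)
  "Show a recursive unified diff of installed package NAME against NEW-DIR.
NEW-DIR is the unpacked candidate version (for example an archive
tarball extracted into a temporary directory).  The diff buffer is
shown first so the user can read what actually changed; the upgrade
itself only starts after an explicit confirmation."
  (interactive
   (list (intern (completing-read "Installed package: " package-alist nil t))
         (read-directory-name "Directory with the new version: ")))
  (let* ((old-dir (my-package-installed-dir name))
         ;; NO-ASYNC is non-nil so the finished diff buffer is returned.
         (buf (diff-no-select old-dir new-dir my-package-diff-switches t)))
    (with-current-buffer buf
      (rename-buffer (format "*package diff: %s*" name) t))
    (pop-to-buffer buf)
    (if (yes-or-no-p (format "Reviewed the changes; upgrade %s now? " name))
        (package-upgrade name)
      (message "Upgrade of %s cancelled" name))))
```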
* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
From: Philip Kaludercic @ 2024-12-01 22:05 UTC (permalink / raw)
To: Daniel Mendler; +Cc: 74604
Daniel Mendler <mail@daniel-mendler.de> writes:
> This is a feature request for the security wishlist. When upgrading a
> package it would be good to show a diff between the new and old package
> files. Such an option could help perform review casually as part of
> the upgrade process and may improve the security of the package
> archives. More eyes would look at new package versions. This would make
> it harder to inject malicious code either via the source repository or
> via attacks on the package archives.
That sounds like a good option to have! I'll look into adding something
like this via a user option that adjusts how to confirm a package upgrade.
Note that package-vc has something similar with the
`package-vc-log-incoming' command.
* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
From: Ship Mints @ 2024-12-01 22:47 UTC (permalink / raw)
To: Philip Kaludercic; +Cc: Daniel Mendler, 74604
I like this idea, too. I spend a reasonable amount of time trying to
understand what people have changed and if it will affect me negatively
(the defensive part) or positively (for new features, user options,
deprecations). Showing a source-code diff may be a bit technical for some
users, though. I wonder if there could be either a link to a changelog, or
a way to encourage a changelog convention so one could be displayed for
users prior to a decision to update a package.
-Stephane
On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:
> Daniel Mendler <mail@daniel-mendler.de> writes:
>
> > This is a feature request for the security wishlist. When upgrading a
> > package it would be good to show a diff between the new and old package
> > files. Such an option could help perform review casually as part of
> > the upgrade process and may improve the security of the package
> > archives. More eyes would look at new package versions. This would make
> > it harder to inject malicious code either via the source repository or
> > via attacks on the package archives.
>
> That sounds like a good option to have! I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.
* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
From: Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-12-01 23:12 UTC (permalink / raw)
To: Philip Kaludercic; +Cc: 74604
Philip Kaludercic <philipk@posteo.net> writes:
> Daniel Mendler <mail@daniel-mendler.de> writes:
>
>> This is a feature request for the security wishlist. When upgrading a
>> package it would be good to show a diff between the new and old package
>> files. Such an option could help perform review casually as part of
>> the upgrade process and may improve the security of the package
>> archives. More eyes would look at new package versions. This would make
>> it harder to inject malicious code either via the source repository or
>> via attacks on the package archives.
>
> That sounds like a good option to have! I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
Thanks! I am happy to test if you have a patch ready.
Daniel