From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Philip Kaludercic <philipk@posteo.net>
Newsgroups: gmane.emacs.bugs
Subject: bug#74604: 30.0.92;
 FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Mon, 02 Dec 2024 12:18:06 +0000
Message-ID: <87msheqnwh.fsf@posteo.net>
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net>
 <CAN+1HbpS0hwy4Kw=4P_3nLZvBohhjW+eUpqq7JgAa559kZuL_Q@mail.gmail.com>
 <87r06qqx3z.fsf@posteo.net>
 <CAN+1HbqOavhsd3xtN4XN6LyPyW5k=fvP0TE0pNGG9viW289hJQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="24352"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: Daniel Mendler <mail@daniel-mendler.de>, 74604@debbugs.gnu.org
To: Ship Mints <shipmints@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Mon Dec 02 13:19:16 2024
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1tI5OW-00068i-7J
	for geb-bug-gnu-emacs@m.gmane-mx.org; Mon, 02 Dec 2024 13:19:16 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1tI5OM-0004MN-Ly; Mon, 02 Dec 2024 07:19:07 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1tI5OI-0004M2-Lk
 for bug-gnu-emacs@gnu.org; Mon, 02 Dec 2024 07:19:02 -0500
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1tI5OI-0001YS-9f
 for bug-gnu-emacs@gnu.org; Mon, 02 Dec 2024 07:19:02 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org; 
 h=MIME-Version:Date:References:In-Reply-To:From:To:Subject;
 bh=LMkC7km3BDJ/ZXe+j9ADI6SLKyw9jZOi06iVmhG6K2c=; 
 b=rtbJEtKsIHtStWyqeQlHNLP0/Dj+YMSZvHfuYOfT58c8bJfV1kJyLWZ34sXz6kmPzdu3gMAdBsQwpeVzyZ4nQ/fG0VBFobpW9vUngnbGpj+iZ8744JhQd6VOFeJiKdfmRQBnaPAWP9/nFNcYrrYCzLnow5KEdHuaGX6wTDBt+aanpTdG3llpxRFtcxncNcI95YkjdwdknTEoOq5Xv1ziCtM2r0vrI0z9tLWEzynXVJWtzlevsqRWO80su6pbR3BRgBA1PaCZ8pPKkrmgl41UYI3awfXY4D/pk0mz1CJkuCG1BtPs1yrhGEb3UE46Wo3IwhdM25c77WFNhYepR1GIpQ==;
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1tI5OI-0004f5-43
 for bug-gnu-emacs@gnu.org; Mon, 02 Dec 2024 07:19:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Philip Kaludercic <philipk@posteo.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 02 Dec 2024 12:19:02 +0000
Resent-Message-ID: <handler.74604.B74604.173314191617873@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 74604
X-GNU-PR-Package: emacs
Original-Received: via spool by 74604-submit@debbugs.gnu.org id=B74604.173314191617873
 (code B ref 74604); Mon, 02 Dec 2024 12:19:02 +0000
Original-Received: (at 74604) by debbugs.gnu.org; 2 Dec 2024 12:18:36 +0000
Original-Received: from localhost ([127.0.0.1]:54540 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1tI5Ns-0004eD-CX
 for submit@debbugs.gnu.org; Mon, 02 Dec 2024 07:18:36 -0500
Original-Received: from mout02.posteo.de ([185.67.36.66]:40345)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <philipk@posteo.net>) id 1tI5Np-0004dr-Nn
 for 74604@debbugs.gnu.org; Mon, 02 Dec 2024 07:18:34 -0500
Original-Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 4227F240103
 for <74604@debbugs.gnu.org>; Mon,  2 Dec 2024 13:18:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1733141906; bh=xohouX+lZ2+Ae3wnov2GhEm7d80TryaZlkoD0obAXM8=;
 h=From:To:Cc:Subject:Autocrypt:OpenPGP:Date:Message-ID:MIME-Version:
 Content-Type:Content-Transfer-Encoding:From;
 b=rgLrOBsYdJYV2tvh+ZrIxNIFkPvbTSnmuZ4yylDYseBzdsxYF7YK2dXRln3HKxC7n
 0XForueKjPjCyD8qJzjJTbK1teP0RPvCnogzsBPvl2gQD8bRxj7Ba6BQjvIGd9MICl
 DjGtypOu9IZ4kK4MnE3emA4HM6np4+peYKhim3wWKipoh+c40i4phAQEb/mqteMww5
 9VuEtCRA/0UIMeocH/Y50q0bHbJsKQXqDKwRkpl/Xj4Ly9bz/hZADZ4X9ipNkltlO3
 4LRKA/zSdB2AQKF7ue/8nReFJooM7QSpSqWzl2Wu8LqDKfecyq/e7ahINZjQGy54VV
 qFg7pNP0HXTWw==
Original-Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Y22r15Bxyz6tyH;
 Mon,  2 Dec 2024 13:18:25 +0100 (CET)
In-Reply-To: <CAN+1HbqOavhsd3xtN4XN6LyPyW5k=fvP0TE0pNGG9viW289hJQ@mail.gmail.com>
 (Ship Mints's message of "Mon, 2 Dec 2024 07:04:24 -0500")
Autocrypt: addr=philipk@posteo.net; keydata=
 mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo
 aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0
 ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI
 BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0
 mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB
 BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE
 Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK
 NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof
 z4oM
OpenPGP: id=philipk@posteo.net;
 url="https://keys.openpgp.org/vks/v1/by-email/philipk@posteo.net";
 preference=signencrypt
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:296313
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/296313>

Ship Mints <shipmints@gmail.com> writes:

> Isn't it the case that describe-package works only on installed packages,
> not prospectively installed packages? To help determine the value/risk of=
 a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.

describe-package (C-h p) works on all packages, but the news feature I
described wouldn't work as it uses a local file.  But that is not a
hard-constraint, we could serve news data as well.

I don't know how much sense it makes to present a diff when installing a
package.  News files are probably also not that interesting.  We could
provide a command like package-vc-checkout that just fetches the package
source and places it somewhere for the user to inspect.

> On Mon, Dec 2, 2024 at 3:59=E2=80=AFAM Philip Kaludercic <philipk@posteo.=
net> wrote:
>
>> Ship Mints <shipmints@gmail.com> writes:
>>
>> > I like this idea, too. I spend a reasonable amount of time trying to
>> > understand what people have changed and if it will affect me negatively
>> > (the defensive part) or positively (for new features, user options,
>> > deprecations). Showing a source-code diff may be a bit technical for s=
ome
>> > users, though. I wonder if there could be either a link to a changelog,
>> or
>> > a way to encourage a changelog convention so one could be displayed for
>> > users prior to a decision to update a package.
>>
>> Note that packages can distribute this information.  Currently, if a
>> tarball includes a "news" file, it will be displayed by
>> `describe-package.  IIRC no package archive generates these right now.
>> But if we implement a user option like that described above (or below?),
>> then we can add that as an option as well.
>>
>> The main issue is that not all package maintainers ensure that there are
>> changelog/news sources that ELPA could use to provide this information.
>>
>> > -Stephane
>> >
>> > On Sun, Dec 1, 2024 at 5:06=E2=80=AFPM Philip Kaludercic <philipk@post=
eo.net>
>> wrote:
>> >
>> >> Daniel Mendler <mail@daniel-mendler.de> writes:
>> >>
>> >> > This is a feature request for the security wishlist. When upgrading
>> >> > package it would be good to show a diff between the new and old
>> package
>> >> > files. Such an option could help performing review casually as part=
 of
>> >> > the upgrade process and may improve the security of the package
>> >> > archives. More eyes would look at new package versions. This would
>> make
>> >> > it harder to inject malicious code either via the source repository=
 or
>> >> > via attacks on the package archives.
>> >>
>> >> That sounds like a good option to have!  I'll look into adding someth=
ing
>> >> like this via a user option that adjusts how to confirm a package
>> upgrade.
>> >>
>> >> Note that package-vc has something similar with the
>> >> `package-vc-log-incoming' command.
>> >>
>> >>
>> >>
>> >>
>>