From: Philip Kaludercic
To: Ship Mints
Cc: Daniel Mendler, 74604@debbugs.gnu.org
Subject: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Mon, 02 Dec 2024 08:59:12 +0000
Message-ID: <87r06qqx3z.fsf@posteo.net>

Ship Mints writes:

> I like this idea, too.
> I spend a reasonable amount of time trying to
> understand what people have changed and if it will affect me negatively
> (the defensive part) or positively (for new features, user options,
> deprecations). Showing a source-code diff may be a bit technical for some
> users, though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed for
> users prior to a decision to update a package.

Note that packages can distribute this information. Currently, if a
tarball includes a "news" file, it will be displayed by
`describe-package'. IIRC no package archive generates these right now.
But if we implement a user option like that described above (or below?),
then we can add that as an option as well. The main issue is that not
all package maintainers ensure that there are changelog/news sources
that ELPA could use to provide this information.

> -Stephane
>
> On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:
>
>> Daniel Mendler writes:
>>
>> > This is a feature request for the security wishlist. When upgrading
>> > package it would be good to show a diff between the new and old package
>> > files. Such an option could help performing review casually as part of
>> > the upgrade process and may improve the security of the package
>> > archives. More eyes would look at new package versions. This would make
>> > it harder to inject malicious code either via the source repository or
>> > via attacks on the package archives.
>>
>> That sounds like a good option to have! I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.
>>
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.
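The review step requested in this thread can be done by hand today; the following is an added example, not code from the thread or from package.el. It assumes the installed package lives in a NAME-VERSION directory, the new version has already been downloaded as a tarball, and that `*.elc` and `*-autoloads.el` files are generated at install time; the function name `pkg_upgrade_diff` is hypothetical.

```shell
#!/bin/sh
# Added example: show what an upgrade would change before installing it.
# Usage: pkg_upgrade_diff INSTALLED_DIR NEW_TARBALL
# Returns 0 if the sources are identical, 1 if they differ (unified diff
# on stdout), 2 on error or if the tarball has unsafe member paths.
pkg_upgrade_diff() {
    old_dir=$1
    new_tar=$2
    [ -d "$old_dir" ] && [ -f "$new_tar" ] || return 2

    # The tarball is untrusted input: refuse members that are absolute
    # or that climb out of the extraction directory with "..".
    if tar -tf "$new_tar" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $new_tar" >&2
        return 2
    fi

    tmp=$(mktemp -d) || return 2
    tar -xf "$new_tar" -C "$tmp" || { rm -rf "$tmp"; return 2; }

    # Assumption: the tarball holds one top-level NAME-VERSION directory.
    new_dir=$(find "$tmp" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    [ -n "$new_dir" ] || { rm -rf "$tmp"; return 2; }

    # Skip files assumed to be generated locally at install time, so the
    # diff shows only changes to the distributed sources.
    diff -ruN -x '*.elc' -x '*-autoloads.el' "$old_dir" "$new_dir"
    status=$?
    rm -rf "$tmp"
    return "$status"
}
```
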