I like this idea, too. I spend a reasonable amount of time trying to understand what people have changed and if it will affect me negatively (the defensive part) or positively (for new features, user options, deprecations).

Showing a source-code diff may be a bit technical for some users, though. I wonder if there could be either a link to a changelog, or a way to encourage a changelog convention so one could be displayed for users prior to a decision to update a package.

-Stephane

On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:

> Daniel Mendler writes:
>
> > This is a feature request for the security wishlist. When upgrading
> > a package it would be good to show a diff between the new and old package
> > files. Such an option could help performing review casually as part of
> > the upgrade process and may improve the security of the package
> > archives. More eyes would look at new package versions. This would make
> > it harder to inject malicious code either via the source repository or
> > via attacks on the package archives.
>
> That sounds like a good option to have! I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.