I like this idea, too. I spend a reasonable amount of time trying to understand what people have changed and if it will affect me negatively (the defensive part) or positively (for new features, user options, deprecations). Showing a source-code diff may be a bit technical for some users, though. I wonder if there could be either a link to a changelog, or a way to encourage a changelog convention so one could be displayed for users prior to a decision to update a package.

-Stephane

On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:
Daniel Mendler <mail@daniel-mendler.de> writes:

> This is a feature request for the security wishlist. When upgrading a
> package, it would be good to show a diff between the new and old package
> files. Such an option could help perform review casually as part of
> the upgrade process and may improve the security of the package
> archives. More eyes would look at new package versions. This would make
> it harder to inject malicious code either via the source repository or
> via attacks on the package archives.

That sounds like a good option to have!  I'll look into adding something
like this via a user option that adjusts how to confirm a package upgrade.

Note that package-vc has something similar with the
`package-vc-log-incoming' command.