From: Ship Mints
Newsgroups: gmane.emacs.bugs
Subject: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Sun, 1 Dec 2024 17:47:21 -0500
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net>
To: Philip Kaludercic
Cc: Daniel Mendler, 74604@debbugs.gnu.org

I like this idea, too. I spend a reasonable amount of time trying to understand what people have changed and if it will affect me negatively (the defensive part) or positively (for new features, user options, deprecations). Showing a source-code diff may be a bit technical for some users, though. I wonder if there could be either a link to a changelog, or a way to encourage a changelog convention so one could be displayed for users prior to a decision to update a package.

-Stephane

On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:

> Daniel Mendler <mail@daniel-mendler.de> writes:
>
> > This is a feature request for the security wishlist. When upgrading
> > package it would be good to show a diff between the new and old package
> > files. Such an option could help performing review casually as part of
> > the upgrade process and may improve the security of the package
> > archives. More eyes would look at new package versions. This would make
> > it harder to inject malicious code either via the source repository or
> > via attacks on the package archives.
>
> That sounds like a good option to have!  I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.