From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 10:00:40 -0400
Cc: emacs-devel@gnu.org
In-Reply-To: (tomas@tuxteam.de's message of "Sat, 13 Aug 2022 06:58:33 +0200")

> So the advocates of having this kind of flagging should be
> the ones responsible for digging up new resources, IMO.

In the context of ELPA, I could suggest the following path:

- Step 1: improve the protocol so that `package.el` can display the
  "recent news" that (Non)GNU ELPA archives show in the HTML page (and
  the release announcement emails).
- Step 2: highlight keywords like "security fix" in the "recent news".
- Step 3: improve the "recent news" system so that `package.el` could
  distinguish the part of the news corresponding to the potential update
  (currently the recent news is not parsed so we don't know which news
  applies to which version).
- Step 4: highlight the updates that include "security fix" in their news.

I'm not sure "step 4" would be useful in the current context, but maybe
by the time we have made the previous steps (which are useful
regardless of step 4) the situation will be different.


        Stefan
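
Steps 3 and 4 of the message above, sketched as an added example that is not part of the original message and is not package.el code. The news layout (one "Version N.N" heading per release), the keyword list, the sample text and every `demo-news-` name are assumptions made for illustration.

```emacs-lisp
;; Added example, not package.el code.  Assumed news layout: each release
;; starts with a "Version N.N" heading.  All `demo-news-' names are made up.
(defconst demo-news-heading-re "^\\*? *Version \\([0-9]+\\(?:\\.[0-9]+\\)*\\)"
  "Assumed heading format that starts one release's news.")

(defconst demo-news-security-re
  "\\bsecurity[ -]\\(?:fix\\|update\\|issue\\)\\|\\bCVE-[0-9]+-[0-9]+"
  "Assumed keywords that mark a release's news as security relevant.")

(defun demo-news-parse (text)
  "Split TEXT into an alist of (VERSION . BODY), in the order written."
  (let ((case-fold-search nil) sections version lines)
    (dolist (line (split-string text "\n"))
      (if (string-match demo-news-heading-re line)
          (let ((new (match-string 1 line)))
            ;; A new heading closes the section collected so far.
            (when version
              (push (cons version (mapconcat #'identity (nreverse lines) "\n"))
                    sections))
            (setq version new lines nil))
        ;; Text before the first heading belongs to no version; drop it.
        (when version (push line lines))))
    (when version
      (push (cons version (mapconcat #'identity (nreverse lines) "\n"))
            sections))
    (nreverse sections)))

(defun demo-news-security-updates (text installed candidate)
  "Return versions from TEXT that an upgrade would newly bring in.
Only versions newer than INSTALLED and not newer than CANDIDATE
whose news matches `demo-news-security-re' are returned."
  (let ((case-fold-search t))
    (delq nil
          (mapcar (lambda (sec)
                    (and (version< installed (car sec))
                         (version<= (car sec) candidate)
                         (string-match-p demo-news-security-re (cdr sec))
                         (car sec)))
                  (demo-news-parse text)))))

;; Constructed sample news for a hypothetical package.
(defconst demo-news-sample "\
Version 1.4
- Security fix: quote file names passed to the shell.
Version 1.3
- New command `demo-toggle'.
Version 1.2
- Security fix: reject malformed input files.
Version 1.1
- Initial release.")
```

With the constructed sample, `(demo-news-security-updates demo-news-sample "1.2" "1.4")` reports only the 1.4 entry: the fix recorded under 1.2 is already installed, which a keyword highlight over the unparsed news (step 2) cannot tell apart.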