all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
@ 2024-11-29 15:39 Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2024-12-01 22:05 ` Philip Kaludercic
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-11-29 15:39 UTC (permalink / raw)
  To: 74604; +Cc: Philip Kaludercic

This is a feature request for the security wishlist. When upgrading
package it would be good to show a diff between the new and old package
files. Such an option could help performing review casually as part of
the upgrade process and may improve the security of the package
archives. More eyes would look at new package versions. This would make
it harder to inject malicious code either via the source repository or
via attacks on the package archives.





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-11-29 15:39 bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-12-01 22:05 ` Philip Kaludercic
  2024-12-01 22:47   ` Ship Mints
  2024-12-01 23:12   ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 2 replies; 9+ messages in thread
From: Philip Kaludercic @ 2024-12-01 22:05 UTC (permalink / raw)
  To: Daniel Mendler; +Cc: 74604

Daniel Mendler <mail@daniel-mendler.de> writes:

> This is a feature request for the security wishlist. When upgrading
> package it would be good to show a diff between the new and old package
> files. Such an option could help performing review casually as part of
> the upgrade process and may improve the security of the package
> archives. More eyes would look at new package versions. This would make
> it harder to inject malicious code either via the source repository or
> via attacks on the package archives.

That sounds like a good option to have!  I'll look into adding something
like this via a user option that adjusts how to confirm a package upgrade.

Note that package-vc has something similar with the
`package-vc-log-incoming' command.





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-01 22:05 ` Philip Kaludercic
@ 2024-12-01 22:47   ` Ship Mints
  2024-12-02  8:59     ` Philip Kaludercic
  2024-12-01 23:12   ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 1 reply; 9+ messages in thread
From: Ship Mints @ 2024-12-01 22:47 UTC (permalink / raw)
  To: Philip Kaludercic; +Cc: Daniel Mendler, 74604

[-- Attachment #1: Type: text/plain, Size: 1390 bytes --]

I like this idea, too. I spend a reasonable amount of time trying to
understand what people have changed and if it will affect me negatively
(the defensive part) or positively (for new features, user options,
deprecations). Showing a source-code diff may be a bit technical for some
users, though. I wonder if there could be either a link to a changelog, or
a way to encourage a changelog convention so one could be displayed for
users prior to a decision to update a package.

-Stephane

On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:

> Daniel Mendler <mail@daniel-mendler.de> writes:
>
> > This is a feature request for the security wishlist. When upgrading
> > package it would be good to show a diff between the new and old package
> > files. Such an option could help performing review casually as part of
> > the upgrade process and may improve the security of the package
> > archives. More eyes would look at new package versions. This would make
> > it harder to inject malicious code either via the source repository or
> > via attacks on the package archives.
>
> That sounds like a good option to have!  I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 1990 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-01 22:05 ` Philip Kaludercic
  2024-12-01 22:47   ` Ship Mints
@ 2024-12-01 23:12   ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 0 replies; 9+ messages in thread
From: Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-12-01 23:12 UTC (permalink / raw)
  To: Philip Kaludercic; +Cc: 74604

Philip Kaludercic <philipk@posteo.net> writes:

> Daniel Mendler <mail@daniel-mendler.de> writes:
>
>> This is a feature request for the security wishlist. When upgrading
>> package it would be good to show a diff between the new and old package
>> files. Such an option could help performing review casually as part of
>> the upgrade process and may improve the security of the package
>> archives. More eyes would look at new package versions. This would make
>> it harder to inject malicious code either via the source repository or
>> via attacks on the package archives.
>
> That sounds like a good option to have!  I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.

Thanks! I am happy to test if you have a patch ready.

Daniel





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-01 22:47   ` Ship Mints
@ 2024-12-02  8:59     ` Philip Kaludercic
  2024-12-02 12:04       ` Ship Mints
  0 siblings, 1 reply; 9+ messages in thread
From: Philip Kaludercic @ 2024-12-02  8:59 UTC (permalink / raw)
  To: Ship Mints; +Cc: Daniel Mendler, 74604

Ship Mints <shipmints@gmail.com> writes:

> I like this idea, too. I spend a reasonable amount of time trying to
> understand what people have changed and if it will affect me negatively
> (the defensive part) or positively (for new features, user options,
> deprecations). Showing a source-code diff may be a bit technical for some
> users, though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed for
> users prior to a decision to update a package.

Note that packages can distribute this information.  Currently, if a
tarball includes a "news" file, it will be displayed by
`describe-package.  IIRC no package archive generates these right now.
But if we implement a user option like that described above (or below?),
then we can add that as an option as well.

The main issue is that not all package maintainers ensure that there are
changelog/news sources that ELPA could use to provide this information.

> -Stephane
>
> On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net> wrote:
>
>> Daniel Mendler <mail@daniel-mendler.de> writes:
>>
>> > This is a feature request for the security wishlist. When upgrading
>> > package it would be good to show a diff between the new and old package
>> > files. Such an option could help performing review casually as part of
>> > the upgrade process and may improve the security of the package
>> > archives. More eyes would look at new package versions. This would make
>> > it harder to inject malicious code either via the source repository or
>> > via attacks on the package archives.
>>
>> That sounds like a good option to have!  I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.
>>
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.
>>
>>
>>
>>





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-02  8:59     ` Philip Kaludercic
@ 2024-12-02 12:04       ` Ship Mints
  2024-12-02 12:18         ` Philip Kaludercic
  2024-12-02 12:25         ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 2 replies; 9+ messages in thread
From: Ship Mints @ 2024-12-02 12:04 UTC (permalink / raw)
  To: Philip Kaludercic; +Cc: Daniel Mendler, 74604

[-- Attachment #1: Type: text/plain, Size: 2405 bytes --]

Isn't it the case that describe-package works only on installed packages,
not prospectively installed packages? To help determine the value/risk of a
package install or update, I'd think it better to show this in advance.
Daniel's diff suggestion is similar but more technical.

On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic <philipk@posteo.net> wrote:

> Ship Mints <shipmints@gmail.com> writes:
>
> > I like this idea, too. I spend a reasonable amount of time trying to
> > understand what people have changed and if it will affect me negatively
> > (the defensive part) or positively (for new features, user options,
> > deprecations). Showing a source-code diff may be a bit technical for some
> > users, though. I wonder if there could be either a link to a changelog,
> or
> > a way to encourage a changelog convention so one could be displayed for
> > users prior to a decision to update a package.
>
> Note that packages can distribute this information.  Currently, if a
> tarball includes a "news" file, it will be displayed by
> `describe-package.  IIRC no package archive generates these right now.
> But if we implement a user option like that described above (or below?),
> then we can add that as an option as well.
>
> The main issue is that not all package maintainers ensure that there are
> changelog/news sources that ELPA could use to provide this information.
>
> > -Stephane
> >
> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net>
> wrote:
> >
> >> Daniel Mendler <mail@daniel-mendler.de> writes:
> >>
> >> > This is a feature request for the security wishlist. When upgrading
> >> > package it would be good to show a diff between the new and old
> package
> >> > files. Such an option could help performing review casually as part of
> >> > the upgrade process and may improve the security of the package
> >> > archives. More eyes would look at new package versions. This would
> make
> >> > it harder to inject malicious code either via the source repository or
> >> > via attacks on the package archives.
> >>
> >> That sounds like a good option to have!  I'll look into adding something
> >> like this via a user option that adjusts how to confirm a package
> upgrade.
> >>
> >> Note that package-vc has something similar with the
> >> `package-vc-log-incoming' command.
> >>
> >>
> >>
> >>
>

[-- Attachment #2: Type: text/html, Size: 3201 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-02 12:04       ` Ship Mints
@ 2024-12-02 12:18         ` Philip Kaludercic
  2024-12-02 12:25         ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 0 replies; 9+ messages in thread
From: Philip Kaludercic @ 2024-12-02 12:18 UTC (permalink / raw)
  To: Ship Mints; +Cc: Daniel Mendler, 74604

Ship Mints <shipmints@gmail.com> writes:

> Isn't it the case that describe-package works only on installed packages,
> not prospectively installed packages? To help determine the value/risk of a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.

describe-package (C-h p) works on all packages, but the news feature I
described wouldn't work as it uses a local file.  But that is not a
hard-constraint, we could serve news data as well.

I don't know how much sense it makes to present a diff when installing a
package.  News files are probably also not that interesting.  We could
provide a command like package-vc-checkout that just fetches the package
source and places it somewhere for the user to inspect.

> On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic <philipk@posteo.net> wrote:
>
>> Ship Mints <shipmints@gmail.com> writes:
>>
>> > I like this idea, too. I spend a reasonable amount of time trying to
>> > understand what people have changed and if it will affect me negatively
>> > (the defensive part) or positively (for new features, user options,
>> > deprecations). Showing a source-code diff may be a bit technical for some
>> > users, though. I wonder if there could be either a link to a changelog,
>> or
>> > a way to encourage a changelog convention so one could be displayed for
>> > users prior to a decision to update a package.
>>
>> Note that packages can distribute this information.  Currently, if a
>> tarball includes a "news" file, it will be displayed by
>> `describe-package.  IIRC no package archive generates these right now.
>> But if we implement a user option like that described above (or below?),
>> then we can add that as an option as well.
>>
>> The main issue is that not all package maintainers ensure that there are
>> changelog/news sources that ELPA could use to provide this information.
>>
>> > -Stephane
>> >
>> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk@posteo.net>
>> wrote:
>> >
>> >> Daniel Mendler <mail@daniel-mendler.de> writes:
>> >>
>> >> > This is a feature request for the security wishlist. When upgrading
>> >> > package it would be good to show a diff between the new and old
>> package
>> >> > files. Such an option could help performing review casually as part of
>> >> > the upgrade process and may improve the security of the package
>> >> > archives. More eyes would look at new package versions. This would
>> make
>> >> > it harder to inject malicious code either via the source repository or
>> >> > via attacks on the package archives.
>> >>
>> >> That sounds like a good option to have!  I'll look into adding something
>> >> like this via a user option that adjusts how to confirm a package
>> upgrade.
>> >>
>> >> Note that package-vc has something similar with the
>> >> `package-vc-log-incoming' command.
>> >>
>> >>
>> >>
>> >>
>>





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-02 12:04       ` Ship Mints
  2024-12-02 12:18         ` Philip Kaludercic
@ 2024-12-02 12:25         ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2024-12-05 22:42           ` Howard Melman
  1 sibling, 1 reply; 9+ messages in thread
From: Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2024-12-02 12:25 UTC (permalink / raw)
  To: Ship Mints; +Cc: Philip Kaludercic, 74604

Ship Mints <shipmints@gmail.com> writes:

> To help determine the value/risk of a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.

I think your idea of adding an option to show the change log is good. It
would be nice to have a `package-upgrade-review' option which could be
set to `nil', `news' or to `diff'.

But I want to emphasize that your suggestion misses the security aspect.
Security is the main reason why I made the proposal. The goal is to make
it easier and more convenient for users (yes, users who are "technical"
and familiar with Elisp) to assess the safety of package upgrades and
possibly report any irregularities to the package archive maintainers.
While packages are commonly reviewed at the time of their inclusion in
package archives, this is often not the case later on.

My proposal does not address or affect the first time installation of a
package. At this time it doesn't make sense to show a "diff" and the
user must first check the package closely anyway.

Daniel





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
  2024-12-02 12:25         ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2024-12-05 22:42           ` Howard Melman
  0 siblings, 0 replies; 9+ messages in thread
From: Howard Melman @ 2024-12-05 22:42 UTC (permalink / raw)
  To: 74604


Daniel Mendler via "Bug reports for GNU Emacs, the Swiss
army knife of text editors" <bug-gnu-emacs@gnu.org> writes:

> Ship Mints <shipmints@gmail.com> writes:
>
>> To help determine the value/risk of a
>> package install or update, I'd think it better to show this in advance.
>> Daniel's diff suggestion is similar but more technical.
>
> I think your idea of adding an option to show the change log is good. It
> would be nice to have a `package-upgrade-review' option which could be
> set to `nil', `news' or to `diff'.

There was a package called paradox which had more features
on the package UI.  It included a command
paradox-commit-list that opened a buffer showing one line
per commit with the commit message and a button that was a
link to the commits diff.  It bolded the commits since the
current installed version to make it easy to see the
changes.  It only worked on github hosted packages.  It
would be great to have this functionality in package.el
particularly if it worked on non-github hosted packages.

-- 

Howard






^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2024-12-05 22:42 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-29 15:39 bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-01 22:05 ` Philip Kaludercic
2024-12-01 22:47   ` Ship Mints
2024-12-02  8:59     ` Philip Kaludercic
2024-12-02 12:04       ` Ship Mints
2024-12-02 12:18         ` Philip Kaludercic
2024-12-02 12:25         ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-12-05 22:42           ` Howard Melman
2024-12-01 23:12   ` Daniel Mendler via Bug reports for GNU Emacs, the Swiss army knife of text editors

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.