GNU bug report logs -
#74604
30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Previous Next
To reply to this bug, email your comments to 74604 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
philipk <at> posteo.net, bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Fri, 29 Nov 2024 15:40:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Daniel Mendler <mail <at> daniel-mendler.de>:
New bug report received and forwarded. Copy sent to
philipk <at> posteo.net, bug-gnu-emacs <at> gnu.org.
(Fri, 29 Nov 2024 15:40:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
This is a feature request for the security wishlist. When upgrading
package it would be good to show a diff between the new and old package
files. Such an option could help performing review casually as part of
the upgrade process and may improve the security of the package
archives. More eyes would look at new package versions. This would make
it harder to inject malicious code either via the source repository or
via attacks on the package archives.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Sun, 01 Dec 2024 22:06:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Daniel Mendler <mail <at> daniel-mendler.de> writes:
> This is a feature request for the security wishlist. When upgrading
> package it would be good to show a diff between the new and old package
> files. Such an option could help performing review casually as part of
> the upgrade process and may improve the security of the package
> archives. More eyes would look at new package versions. This would make
> it harder to inject malicious code either via the source repository or
> via attacks on the package archives.
That sounds like a good option to have! I'll look into adding something
like this via a user option that adjusts how to confirm a package upgrade.
Note that package-vc has something similar with the
`package-vc-log-incoming' command.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Sun, 01 Dec 2024 22:49:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 74604 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I like this idea, too. I spend a reasonable amount of time trying to
understand what people have changed and if it will affect me negatively
(the defensive part) or positively (for new features, user options,
deprecations). Showing a source-code diff may be a bit technical for some
users, though. I wonder if there could be either a link to a changelog, or
a way to encourage a changelog convention so one could be displayed for
users prior to a decision to update a package.
-Stephane
On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk <at> posteo.net> wrote:
> Daniel Mendler <mail <at> daniel-mendler.de> writes:
>
> > This is a feature request for the security wishlist. When upgrading
> > package it would be good to show a diff between the new and old package
> > files. Such an option could help performing review casually as part of
> > the upgrade process and may improve the security of the package
> > archives. More eyes would look at new package versions. This would make
> > it harder to inject malicious code either via the source repository or
> > via attacks on the package archives.
>
> That sounds like a good option to have! I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.
>
>
>
>
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Sun, 01 Dec 2024 23:15:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Philip Kaludercic <philipk <at> posteo.net> writes:
> Daniel Mendler <mail <at> daniel-mendler.de> writes:
>
>> This is a feature request for the security wishlist. When upgrading
>> package it would be good to show a diff between the new and old package
>> files. Such an option could help performing review casually as part of
>> the upgrade process and may improve the security of the package
>> archives. More eyes would look at new package versions. This would make
>> it harder to inject malicious code either via the source repository or
>> via attacks on the package archives.
>
> That sounds like a good option to have! I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
Thanks! I am happy to test if you have a patch ready.
Daniel
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Mon, 02 Dec 2024 09:00:03 GMT)
Full text and
rfc822 format available.
Message #17 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Ship Mints <shipmints <at> gmail.com> writes:
> I like this idea, too. I spend a reasonable amount of time trying to
> understand what people have changed and if it will affect me negatively
> (the defensive part) or positively (for new features, user options,
> deprecations). Showing a source-code diff may be a bit technical for some
> users, though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed for
> users prior to a decision to update a package.
Note that packages can distribute this information. Currently, if a
tarball includes a "news" file, it will be displayed by
`describe-package. IIRC no package archive generates these right now.
But if we implement a user option like that described above (or below?),
then we can add that as an option as well.
The main issue is that not all package maintainers ensure that there are
changelog/news sources that ELPA could use to provide this information.
> -Stephane
>
> On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk <at> posteo.net> wrote:
>
>> Daniel Mendler <mail <at> daniel-mendler.de> writes:
>>
>> > This is a feature request for the security wishlist. When upgrading
>> > package it would be good to show a diff between the new and old package
>> > files. Such an option could help performing review casually as part of
>> > the upgrade process and may improve the security of the package
>> > archives. More eyes would look at new package versions. This would make
>> > it harder to inject malicious code either via the source repository or
>> > via attacks on the package archives.
>>
>> That sounds like a good option to have! I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.
>>
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.
>>
>>
>>
>>
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Mon, 02 Dec 2024 12:07:01 GMT)
Full text and
rfc822 format available.
Message #20 received at 74604 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Isn't it the case that describe-package works only on installed packages,
not prospectively installed packages? To help determine the value/risk of a
package install or update, I'd think it better to show this in advance.
Daniel's diff suggestion is similar but more technical.
On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic <philipk <at> posteo.net> wrote:
> Ship Mints <shipmints <at> gmail.com> writes:
>
> > I like this idea, too. I spend a reasonable amount of time trying to
> > understand what people have changed and if it will affect me negatively
> > (the defensive part) or positively (for new features, user options,
> > deprecations). Showing a source-code diff may be a bit technical for some
> > users, though. I wonder if there could be either a link to a changelog,
> or
> > a way to encourage a changelog convention so one could be displayed for
> > users prior to a decision to update a package.
>
> Note that packages can distribute this information. Currently, if a
> tarball includes a "news" file, it will be displayed by
> `describe-package. IIRC no package archive generates these right now.
> But if we implement a user option like that described above (or below?),
> then we can add that as an option as well.
>
> The main issue is that not all package maintainers ensure that there are
> changelog/news sources that ELPA could use to provide this information.
>
> > -Stephane
> >
> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk <at> posteo.net>
> wrote:
> >
> >> Daniel Mendler <mail <at> daniel-mendler.de> writes:
> >>
> >> > This is a feature request for the security wishlist. When upgrading
> >> > package it would be good to show a diff between the new and old
> package
> >> > files. Such an option could help performing review casually as part of
> >> > the upgrade process and may improve the security of the package
> >> > archives. More eyes would look at new package versions. This would
> make
> >> > it harder to inject malicious code either via the source repository or
> >> > via attacks on the package archives.
> >>
> >> That sounds like a good option to have! I'll look into adding something
> >> like this via a user option that adjusts how to confirm a package
> upgrade.
> >>
> >> Note that package-vc has something similar with the
> >> `package-vc-log-incoming' command.
> >>
> >>
> >>
> >>
>
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Mon, 02 Dec 2024 12:19:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Ship Mints <shipmints <at> gmail.com> writes:
> Isn't it the case that describe-package works only on installed packages,
> not prospectively installed packages? To help determine the value/risk of a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.
describe-package (C-h p) works on all packages, but the news feature I
described wouldn't work as it uses a local file. But that is not a
hard-constraint, we could serve news data as well.
I don't know how much sense it makes to present a diff when installing a
package. News files are probably also not that interesting. We could
provide a command like package-vc-checkout that just fetches the package
source and places it somewhere for the user to inspect.
> On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic <philipk <at> posteo.net> wrote:
>
>> Ship Mints <shipmints <at> gmail.com> writes:
>>
>> > I like this idea, too. I spend a reasonable amount of time trying to
>> > understand what people have changed and if it will affect me negatively
>> > (the defensive part) or positively (for new features, user options,
>> > deprecations). Showing a source-code diff may be a bit technical for some
>> > users, though. I wonder if there could be either a link to a changelog,
>> or
>> > a way to encourage a changelog convention so one could be displayed for
>> > users prior to a decision to update a package.
>>
>> Note that packages can distribute this information. Currently, if a
>> tarball includes a "news" file, it will be displayed by
>> `describe-package. IIRC no package archive generates these right now.
>> But if we implement a user option like that described above (or below?),
>> then we can add that as an option as well.
>>
>> The main issue is that not all package maintainers ensure that there are
>> changelog/news sources that ELPA could use to provide this information.
>>
>> > -Stephane
>> >
>> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic <philipk <at> posteo.net>
>> wrote:
>> >
>> >> Daniel Mendler <mail <at> daniel-mendler.de> writes:
>> >>
>> >> > This is a feature request for the security wishlist. When upgrading
>> >> > package it would be good to show a diff between the new and old
>> package
>> >> > files. Such an option could help performing review casually as part of
>> >> > the upgrade process and may improve the security of the package
>> >> > archives. More eyes would look at new package versions. This would
>> make
>> >> > it harder to inject malicious code either via the source repository or
>> >> > via attacks on the package archives.
>> >>
>> >> That sounds like a good option to have! I'll look into adding something
>> >> like this via a user option that adjusts how to confirm a package
>> upgrade.
>> >>
>> >> Note that package-vc has something similar with the
>> >> `package-vc-log-incoming' command.
>> >>
>> >>
>> >>
>> >>
>>
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Mon, 02 Dec 2024 12:28:02 GMT)
Full text and
rfc822 format available.
Message #26 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Ship Mints <shipmints <at> gmail.com> writes:
> To help determine the value/risk of a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.
I think your idea of adding an option to show the change log is good. It
would be nice to have a `package-upgrade-review' option which could be
set to `nil', `news' or to `diff'.
But I want to emphasize that your suggestion misses the security aspect.
Security is the main reason why I made the proposal. The goal is to make
it easier and more convenient for users (yes, users who are "technical"
and familiar with Elisp) to assess the safety of package upgrades and
possibly report any irregularities to the package archive maintainers.
While packages are commonly reviewed at the time of their inclusion in
package archives, this is often not the case later on.
My proposal does not address or affect the first time installation of a
package. At this time it doesn't make sense to show a "diff" and the
user must first check the package closely anyway.
Daniel
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Thu, 05 Dec 2024 22:43:02 GMT)
Full text and
rfc822 format available.
Message #29 received at submit <at> debbugs.gnu.org (full text, mbox):
Daniel Mendler via "Bug reports for GNU Emacs, the Swiss
army knife of text editors" <bug-gnu-emacs <at> gnu.org> writes:
> Ship Mints <shipmints <at> gmail.com> writes:
>
>> To help determine the value/risk of a
>> package install or update, I'd think it better to show this in advance.
>> Daniel's diff suggestion is similar but more technical.
>
> I think your idea of adding an option to show the change log is good. It
> would be nice to have a `package-upgrade-review' option which could be
> set to `nil', `news' or to `diff'.
There was a package called paradox which had more features
on the package UI. It included a command
paradox-commit-list that opened a buffer showing one line
per commit with the commit message and a button that was a
link to the commits diff. It bolded the commits since the
current installed version to make it easy to see the
changes. It only worked on github hosted packages. It
would be great to have this functionality in package.el
particularly if it worked on non-github hosted packages.
--
Howard
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Wed, 15 Jan 2025 13:52:02 GMT)
Full text and
rfc822 format available.
Message #32 received at 74604 <at> debbugs.gnu.org (full text, mbox):
>>> This is a feature request for the security wishlist. When upgrading
>>> package it would be good to show a diff between the new and old package
>>> files.
+1
>>> Such an option could help performing review casually as part of
>>> the upgrade process and may improve the security of the package
>>> archives. More eyes would look at new package versions. This would make
>>> it harder to inject malicious code either via the source repository or
>>> via attacks on the package archives.
In addition to improving security it would encourage users to become
familiar with the code, which is very much the driving force behind
a lot of Emacs's design.
>> That sounds like a good option to have! I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.
Maybe the UI could be a simple confirmation prompt, where "show diff" is
one of the options.
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.
[ Ideally the two could/should share some aspects (UI-wise or
implementation-wise). ]
> Showing a source-code diff may be a bit technical for some users,
> though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed
> for users prior to a decision to update a package.
The prompt could offer a choice of "just upgrade / show news /
show diff".
Currently, on the (Non)GNU ELPA side, there *is* a convention for
a changelog file. This is used to create the "Recent NEWS" part of
release announcements (see
https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00027.html
for an example) and the "News" section on the package's web page (See
http://elpa.gnu.org/packages/ellama.html). But:
- Many packages don't follow it (I try to shame the maintainers, but
maybe too softly?
See https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00024.html
for an example).
- There is no convention to relate specific parts of the changelog
to specific versions, so we just display the first N lines (for email
announcements, this is arguably the right thing, since we don't know
what is the reader's current version).
- There is even less of a convention to propagate that changelog info
through the ELPA protocol (i.e. from elpa.gnu.org to the users's
machines).
In any case, it sounds everybody likes the idea, so I hope Someone™ will
provide a patch soon!
Stefan
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Wed, 15 Jan 2025 14:18:02 GMT)
Full text and
rfc822 format available.
Message #35 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>>>> Such an option could help performing review casually as part of
>>>> the upgrade process and may improve the security of the package
>>>> archives. More eyes would look at new package versions. This would make
>>>> it harder to inject malicious code either via the source repository or
>>>> via attacks on the package archives.
>
> In addition to improving security it would encourage users to become
> familiar with the code, which is very much the driving force behind
> a lot of Emacs's design.
Yes, this is the point of the proposal.
>> Showing a source-code diff may be a bit technical for some users,
>> though. I wonder if there could be either a link to a changelog, or
>> a way to encourage a changelog convention so one could be displayed
>> for users prior to a decision to update a package.
>
> The prompt could offer a choice of "just upgrade / show news /
> show diff".
Good idea. I think I would also like to have a customization option
`package-upgrade-diff' where the behavior can be customized, since I
always want to see the diff even for my own packages to check if recent
changes have arrived.
If `package-upgrade-diff' is nil, the confirmation prompt could offer a
key to display the diff. A key could also be reserved to show the change
log in case it is present, but as I mentioned before in this bug report,
displaying the change log is not a security feature and the code as
"driving force" is hidden.
Daniel
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#74604; Package
emacs.
(Thu, 16 Jan 2025 09:06:01 GMT)
Full text and
rfc822 format available.
Message #38 received at 74604 <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>>> Note that package-vc has something similar with the
>>> `package-vc-log-incoming' command.
>
> [ Ideally the two could/should share some aspects (UI-wise or
> implementation-wise). ]
Right now `package-vc-log-incoming' just re-uses `vc-log-incoming', so I
don't know how easy this would be without creating a pseudo-VC backend.
>> Showing a source-code diff may be a bit technical for some users,
>> though. I wonder if there could be either a link to a changelog, or
>> a way to encourage a changelog convention so one could be displayed
>> for users prior to a decision to update a package.
>
> The prompt could offer a choice of "just upgrade / show news /
> show diff".
>
> Currently, on the (Non)GNU ELPA side, there *is* a convention for
> a changelog file. This is used to create the "Recent NEWS" part of
> release announcements (see
> https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00027.html
> for an example) and the "News" section on the package's web page (See
> http://elpa.gnu.org/packages/ellama.html). But:
>
> - Many packages don't follow it (I try to shame the maintainers, but
> maybe too softly?
> See https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00024.html
> for an example).
>
> - There is no convention to relate specific parts of the changelog
> to specific versions, so we just display the first N lines (for email
> announcements, this is arguably the right thing, since we don't know
> what is the reader's current version).
>
> - There is even less of a convention to propagate that changelog info
> through the ELPA protocol (i.e. from elpa.gnu.org to the users's
> machines).
Package.el does show the contents of the "news" file in the
describe-package buffer, but we currently don't generate these on the
elpa side.
> In any case, it sounds everybody likes the idea, so I hope Someone™ will
> provide a patch soon!
I'd be glad to tackle this and a number of other package.el/elpa-related
issues that have been accumulating recently. (I'm just submitting my
master's thesis in less than two weeks, so I a bit short on time.)
>
> Stefan
This bug report was last modified 149 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.