From debbugs-submit-bounces@debbugs.gnu.org Fri Nov 29 10:39:53 2024
From: Daniel Mendler
To: bug-gnu-emacs@gnu.org
Subject: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
X-Debbugs-Cc: Philip Kaludercic
Date: Fri, 29 Nov 2024 16:39:27 +0100
Message-ID: <87h67quk0g.fsf@daniel-mendler.de>

This is a feature request for the security wishlist. When upgrading a
package it would be good to show a diff between the new and old package
files. Such an option could help perform review casually as part of the
upgrade process and may improve the security of the package archives.
More eyes would look at new package versions. This would make it harder
to inject malicious code either via the source repository or via attacks
on the package archives.
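The confirmation step requested above, sketched as an added Emacs Lisp example (not code from package.el, from this bug report, or from any patch in the thread): a user-level command that downloads the archive's newer version of an installed package into a scratch directory, shows a recursive diff against the installed copy in a diff-mode buffer, and only then calls `package-upgrade'. It assumes `package-refresh-contents' has already been run, that the archive serves the package file directly under its base URL, and that the external `diff' program is available; the `my/' function names are hypothetical.

```elisp
;; Added example; not code from package.el or from this bug thread.
;; Review an upgrade before it happens: fetch the newer version of an
;; installed package from its archive into a scratch directory, diff it
;; against the installed copy, and call `package-upgrade' only if the
;; user confirms.  The install itself still goes through package.el, so
;; its normal signature checks are unchanged.  Names prefixed "my/" are
;; hypothetical.  Requires the external `diff' program (via `diff-command').

(require 'package)
(require 'diff)
(require 'url-handlers)

(defun my/package-fetch-for-review (desc dir)
  "Download and unpack DESC below DIR; return the path to diff against.
For a tar package that is the unpacked directory, for a single-file
package the downloaded .el file.  Unpacking uses `package-untar-buffer',
which signals an error if any tar entry would land outside the package's
own directory (the same check package.el applies when installing)."
  (let* ((full (package-desc-full-name desc))             ; e.g. "foo-1.2"
         (file (concat full (package-desc-suffix desc)))  ; "foo-1.2.tar"
         ;; Assumes the archive serves FILE directly under its base URL.
         (url (concat (file-name-as-directory (package-archive-base desc))
                      file))
         (local (expand-file-name file dir)))
    (url-copy-file url local t)
    (pcase (package-desc-kind desc)
      ('tar
       (let ((default-directory (file-name-as-directory dir)))
         (with-temp-buffer
           (set-buffer-multibyte nil)
           (insert-file-contents-literally local)
           (package-untar-buffer full)))
       (expand-file-name full dir))
      ('single local)
      (kind (error "Cannot review a package of kind %s" kind)))))

(defun my/package-diff-against-installed (old new dir)
  "Return a diff-mode buffer comparing installed OLD with fetched NEW.
Files generated at install time (byte code, autoloads) are excluded so
the diff shows only what the archive actually ships."
  (let ((fetched (my/package-fetch-for-review new dir))
        ;; For single-file packages compare foo.el with foo.el, not the
        ;; whole install directory, which also holds generated files.
        (installed (if (eq (package-desc-kind new) 'single)
                       (expand-file-name
                        (format "%s.el" (package-desc-name old))
                        (package-desc-dir old))
                     (package-desc-dir old))))
    (diff-no-select installed fetched
                    "-ru --exclude='*.elc' --exclude='*-autoloads.el'"
                    t   ; synchronous, so the buffer is complete on return
                    (get-buffer-create
                     (format "*Package diff: %s*" (package-desc-name new))))))

(defun my/package-upgrade-with-diff (name)
  "Show what an upgrade of NAME would change, then upgrade if confirmed.
Assumes `package-refresh-contents' has been run so that
`package-archive-contents' is current."
  (interactive
   (list (intern (completing-read "Review and upgrade package: "
                                  package-alist nil t))))
  (let ((old (cadr (assq name package-alist)))
        (new (cadr (assq name package-archive-contents))))
    (unless old
      (user-error "Package %s is not installed" name))
    (unless (and new (version-list-< (package-desc-version old)
                                     (package-desc-version new)))
      (user-error "No newer version of %s in the archives" name))
    (let ((dir (make-temp-file "package-review-" t)))
      (unwind-protect
          (progn
            (display-buffer (my/package-diff-against-installed old new dir))
            (if (yes-or-no-p
                 (format "Upgrade %s %s -> %s after reviewing the diff? "
                         name
                         (package-version-join (package-desc-version old))
                         (package-version-join (package-desc-version new))))
                (package-upgrade name)
              (message "Upgrade of %s cancelled" name)))
        ;; Always remove the downloaded copy, confirmed or not.
        (delete-directory dir t)))))
```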
From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 01 17:05:37 2024
From: Philip Kaludercic
To: Daniel Mendler
Cc: 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: <87h67quk0g.fsf@daniel-mendler.de>
Date: Sun, 01 Dec 2024 22:05:24 +0000
Message-ID: <87zflfqct7.fsf@posteo.net>

Daniel Mendler writes:

> This is a feature request for the security wishlist. When upgrading a
> package it would be good to show a diff between the new and old package
> files. Such an option could help perform review casually as part of the
> upgrade process and may improve the security of the package archives.
> More eyes would look at new package versions. This would make it harder
> to inject malicious code either via the source repository or via attacks
> on the package archives.

That sounds like a good option to have!  I'll look into adding something
like this via a user option that adjusts how to confirm a package upgrade.

Note that package-vc has something similar with the
`package-vc-log-incoming' command.
From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 01 17:48:52 2024
From: Ship Mints
To: Philip Kaludercic
Cc: Daniel Mendler, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: <87zflfqct7.fsf@posteo.net>
Date: Sun, 1 Dec 2024 17:47:21 -0500

I like this idea, too. I spend a reasonable amount of time trying to
understand what people have changed and if it will affect me negatively
(the defensive part) or positively (for new features, user options,
deprecations). Showing a source-code diff may be a bit technical for some
users, though. I wonder if there could be either a link to a changelog, or
a way to encourage a changelog convention so one could be displayed for
users prior to a decision to update a package.

-Stephane

On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:

> Daniel Mendler writes:
>
> > This is a feature request for the security wishlist. When upgrading a
> > package it would be good to show a diff between the new and old package
> > files. Such an option could help perform review casually as part of the
> > upgrade process and may improve the security of the package archives.
> > More eyes would look at new package versions. This would make it harder
> > to inject malicious code either via the source repository or via attacks
> > on the package archives.
>
> That sounds like a good option to have!  I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.
>
> Note that package-vc has something similar with the
> `package-vc-log-incoming' command.
From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 01 18:14:36 2024
From: Daniel Mendler
To: Philip Kaludercic
Cc: 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: <87zflfqct7.fsf@posteo.net>
Date: Mon, 02 Dec 2024 00:12:15 +0100
Message-ID: <8734j7hub4.fsf@daniel-mendler.de>

Philip Kaludercic writes:

> Daniel Mendler writes:
>
>> This is a feature request for the security wishlist. When upgrading a
>> package it would be good to show a diff between the new and old package
>> files. Such an option could help perform review casually as part of the
>> upgrade process and may improve the security of the package archives.
>> More eyes would look at new package versions. This would make it harder
>> to inject malicious code either via the source repository or via attacks
>> on the package archives.
>
> That sounds like a good option to have!  I'll look into adding something
> like this via a user option that adjusts how to confirm a package upgrade.

Thanks! I am happy to test if you have a patch ready.

Daniel

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 02 03:59:32 2024
From: Philip Kaludercic
To: Ship Mints
Cc: Daniel Mendler, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Mon, 02 Dec 2024 08:59:12 +0000
Message-ID: <87r06qqx3z.fsf@posteo.net>

Ship Mints writes:

> I like this idea, too. I spend a reasonable amount of time trying to
> understand what people have changed and if it will affect me negatively
> (the defensive part) or positively (for new features, user options,
> deprecations). Showing a source-code diff may be a bit technical for some
> users, though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed for
> users prior to a decision to update a package.

Note that packages can distribute this information.  Currently, if a
tarball includes a "news" file, it will be displayed by
`describe-package'.  IIRC no package archive generates these right now.
But if we implement a user option like that described above (or below?),
then we can add that as an option as well.

The main issue is that not all package maintainers ensure that there are
changelog/news sources that ELPA could use to provide this information.

> -Stephane
>
> On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:
>
>> Daniel Mendler writes:
>>
>> > This is a feature request for the security wishlist. When upgrading a
>> > package it would be good to show a diff between the new and old package
>> > files. Such an option could help perform review casually as part of the
>> > upgrade process and may improve the security of the package archives.
>> > More eyes would look at new package versions. This would make it harder
>> > to inject malicious code either via the source repository or via attacks
>> > on the package archives.
>>
>> That sounds like a good option to have!  I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.
>>
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 02 07:06:01 2024
From: Ship Mints
To: Philip Kaludercic
Cc: Daniel Mendler, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: <87r06qqx3z.fsf@posteo.net>
Date: Mon, 2 Dec 2024 07:04:24 -0500

Isn't it the case that describe-package works only on installed packages,
not prospectively installed packages? To help determine the value/risk of a
package install or update, I'd think it better to show this in advance.
Daniel's diff suggestion is similar but more technical.

On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic wrote:

> Ship Mints writes:
>
> > I like this idea, too. I spend a reasonable amount of time trying to
> > understand what people have changed and if it will affect me negatively
> > (the defensive part) or positively (for new features, user options,
> > deprecations). Showing a source-code diff may be a bit technical for some
> > users, though. I wonder if there could be either a link to a changelog, or
> > a way to encourage a changelog convention so one could be displayed for
> > users prior to a decision to update a package.
>
> Note that packages can distribute this information.  Currently, if a
> tarball includes a "news" file, it will be displayed by
> `describe-package'.  IIRC no package archive generates these right now.
> But if we implement a user option like that described above (or below?),
> then we can add that as an option as well.
>
> The main issue is that not all package maintainers ensure that there are
> changelog/news sources that ELPA could use to provide this information.
>
> > -Stephane
> >
> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:
> >
> >> Daniel Mendler writes:
> >>
> >> > This is a feature request for the security wishlist. When upgrading a
> >> > package it would be good to show a diff between the new and old package
> >> > files. Such an option could help perform review casually as part of the
> >> > upgrade process and may improve the security of the package archives.
> >> > More eyes would look at new package versions. This would make it harder
> >> > to inject malicious code either via the source repository or via attacks
> >> > on the package archives.
> >>
> >> That sounds like a good option to have!  I'll look into adding something
> >> like this via a user option that adjusts how to confirm a package upgrade.
> >>
> >> Note that package-vc has something similar with the
> >> `package-vc-log-incoming' command.
--00000000000026c4c80628485b6b-- From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 02 07:18:36 2024 Received: (at 74604) by debbugs.gnu.org; 2 Dec 2024 12:18:36 +0000 Received: from localhost ([127.0.0.1]:54540 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tI5Ns-0004eD-CX for submit@debbugs.gnu.org; Mon, 02 Dec 2024 07:18:36 -0500 Received: from mout02.posteo.de ([185.67.36.66]:40345) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1tI5Np-0004dr-Nn for 74604@debbugs.gnu.org; Mon, 02 Dec 2024 07:18:34 -0500 Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 4227F240103 for <74604@debbugs.gnu.org>; Mon, 2 Dec 2024 13:18:26 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1733141906; bh=xohouX+lZ2+Ae3wnov2GhEm7d80TryaZlkoD0obAXM8=; h=From:To:Cc:Subject:Autocrypt:OpenPGP:Date:Message-ID:MIME-Version: Content-Type:Content-Transfer-Encoding:From; b=rgLrOBsYdJYV2tvh+ZrIxNIFkPvbTSnmuZ4yylDYseBzdsxYF7YK2dXRln3HKxC7n 0XForueKjPjCyD8qJzjJTbK1teP0RPvCnogzsBPvl2gQD8bRxj7Ba6BQjvIGd9MICl DjGtypOu9IZ4kK4MnE3emA4HM6np4+peYKhim3wWKipoh+c40i4phAQEb/mqteMww5 9VuEtCRA/0UIMeocH/Y50q0bHbJsKQXqDKwRkpl/Xj4Ly9bz/hZADZ4X9ipNkltlO3 4LRKA/zSdB2AQKF7ue/8nReFJooM7QSpSqWzl2Wu8LqDKfecyq/e7ahINZjQGy54VV qFg7pNP0HXTWw== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Y22r15Bxyz6tyH; Mon, 2 Dec 2024 13:18:25 +0100 (CET) From: Philip Kaludercic To: Ship Mints Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade In-Reply-To: (Ship Mints's message of "Mon, 2 Dec 2024 07:04:24 -0500") References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net> <87r06qqx3z.fsf@posteo.net> Autocrypt: addr=philipk@posteo.net; keydata= mDMEZBBQQhYJKwYBBAHaRw8BAQdAHJuofBrfqFh12uQu0Yi7mrl525F28eTmwUDflFNmdui0QlBo 
aWxpcCBLYWx1ZGVyY2ljIChnZW5lcmF0ZWQgYnkgYXV0b2NyeXB0LmVsKSA8cGhpbGlwa0Bwb3N0 ZW8ubmV0PoiWBBMWCAA+FiEEDg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwMFCQHhM4AFCwkI BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ8xYDWXahwulikAEA77hloUiSrXgFkUVJhlKBpLCHUjA0 mWZ9j9w5d08+jVwBAK6c4iGP7j+/PhbkxaEKa4V3MzIl7zJkcNNjHCXmvFcEuDgEZBBQQhIKKwYB BAGXVQEFAQEHQI5NLiLRjZy3OfSt1dhCmFyn+fN/QKELUYQetiaoe+MMAwEIB4h+BBgWCAAmFiEE Dg7HY17ghYlni8XN8xYDWXahwukFAmQQUEICGwwFCQHhM4AACgkQ8xYDWXahwukm+wEA8cml4JpK NeAu65rg+auKrPOP6TP/4YWRCTIvuYDm0joBALw98AMz7/qMHvSCeU/hw9PL6u6R2EScxtpKnWof z4oM OpenPGP: id=philipk@posteo.net; url="https://keys.openpgp.org/vks/v1/by-email/philipk@posteo.net"; preference=signencrypt Date: Mon, 02 Dec 2024 12:18:06 +0000 Message-ID: <87msheqnwh.fsf@posteo.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 74604 Cc: Daniel Mendler , 74604@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Ship Mints writes: > Isn't it the case that describe-package works only on installed packages, > not prospectively installed packages? To help determine the value/risk of= a > package install or update, I'd think it better to show this in advance. > Daniel's diff suggestion is similar but more technical. describe-package (C-h p) works on all packages, but the news feature I described wouldn't work as it uses a local file. But that is not a hard-constraint, we could serve news data as well. I don't know how much sense it makes to present a diff when installing a package. News files are probably also not that interesting. We could provide a command like package-vc-checkout that just fetches the package source and places it somewhere for the user to inspect. 
> On Mon, Dec 2, 2024 at 3:59 AM Philip Kaludercic wrote:
>
>> Ship Mints writes:
>>
>> > I like this idea, too. I spend a reasonable amount of time trying to
>> > understand what people have changed and if it will affect me negatively
>> > (the defensive part) or positively (for new features, user options,
>> > deprecations). Showing a source-code diff may be a bit technical for some
>> > users, though. I wonder if there could be either a link to a changelog, or
>> > a way to encourage a changelog convention so one could be displayed for
>> > users prior to a decision to update a package.
>>
>> Note that packages can distribute this information. Currently, if a
>> tarball includes a "news" file, it will be displayed by
>> `describe-package'. IIRC no package archive generates these right now.
>> But if we implement a user option like that described above (or below?),
>> then we can add that as an option as well.
>>
>> The main issue is that not all package maintainers ensure that there are
>> changelog/news sources that ELPA could use to provide this information.
>>
>> > -Stephane
>> >
>> > On Sun, Dec 1, 2024 at 5:06 PM Philip Kaludercic wrote:
>> >
>> >> Daniel Mendler writes:
>> >>
>> >> > This is a feature request for the security wishlist. When upgrading
>> >> > package it would be good to show a diff between the new and old package
>> >> > files. Such an option could help performing review casually as part of
>> >> > the upgrade process and may improve the security of the package
>> >> > archives. More eyes would look at new package versions. This would make
>> >> > it harder to inject malicious code either via the source repository or
>> >> > via attacks on the package archives.
>> >>
>> >> That sounds like a good option to have! I'll look into adding something
>> >> like this via a user option that adjusts how to confirm a package upgrade.
>> >>
>> >> Note that package-vc has something similar with the
>> >> `package-vc-log-incoming' command.

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 02 07:27:42 2024
From: Daniel Mendler
To: Ship Mints
Cc: Philip Kaludercic, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: (Ship Mints's message of "Mon, 2 Dec 2024 07:04:24 -0500")
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net> <87r06qqx3z.fsf@posteo.net>
Date: Mon, 02 Dec 2024 13:25:22 +0100
Message-ID: <87iks2gtl9.fsf@daniel-mendler.de>
Ship Mints writes:

> To help determine the value/risk of a
> package install or update, I'd think it better to show this in advance.
> Daniel's diff suggestion is similar but more technical.

I think your idea of adding an option to show the change log is good. It
would be nice to have a `package-upgrade-review' option which could be
set to `nil', `news' or to `diff'.

But I want to emphasize that your suggestion misses the security aspect.
Security is the main reason why I made the proposal. The goal is to make
it easier and more convenient for users (yes, users who are "technical"
and familiar with Elisp) to assess the safety of package upgrades and
possibly report any irregularities to the package archive maintainers.
While packages are commonly reviewed at the time of their inclusion in
package archives, this is often not the case later on.

My proposal does not address or affect the first-time installation of a
package. At this time it doesn't make sense to show a "diff" and the
user must first check the package closely anyway.
Daniel

From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 05 17:42:24 2024
From: Howard Melman
To: bug-gnu-emacs@gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
Date: Thu, 05 Dec 2024 17:42:08 -0500
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net> <87r06qqx3z.fsf@posteo.net> <87iks2gtl9.fsf@daniel-mendler.de>

Daniel Mendler via "Bug reports for GNU Emacs, the Swiss army knife of text editors" writes:

> Ship Mints writes:
>
>> To help determine the value/risk of a
>> package install or update, I'd think it better to show this in advance.
>> Daniel's diff suggestion is similar but more technical.
>
> I think your idea of adding an option to show the change log is good. It
> would be nice to have a `package-upgrade-review' option which could be
> set to `nil', `news' or to `diff'.

There was a package called paradox which had more features on the
package UI. It included a command paradox-commit-list that opened a
buffer showing one line per commit with the commit message and a button
that was a link to the commit's diff. It bolded the commits since the
currently installed version to make it easy to see the changes. It only
worked on GitHub-hosted packages.

It would be great to have this functionality in package.el, particularly
if it worked on non-GitHub-hosted packages.
--
Howard

From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 15 08:51:27 2025
From: Stefan Monnier
To: Ship Mints
Cc: Daniel Mendler, Philip Kaludercic, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: (Ship Mints's message of "Sun, 1 Dec 2024 17:47:21 -0500")
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net>
Date: Wed, 15 Jan 2025 08:51:08 -0500

>>> This is a feature request for the security wishlist. When upgrading
>>> package it would be good to show a diff between the new and old package
>>> files.

+1

>>> Such an option could help performing review casually as part of
>>> the upgrade process and may improve the security of the package
>>> archives. More eyes would look at new package versions. This would make
>>> it harder to inject malicious code either via the source repository or
>>> via attacks on the package archives.

In addition to improving security it would encourage users to become
familiar with the code, which is very much the driving force behind
a lot of Emacs's design.

>> That sounds like a good option to have! I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.

Maybe the UI could be a simple confirmation prompt, where "show diff" is
one of the options.
>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.

[ Ideally the two could/should share some aspects (UI-wise or
implementation-wise). ]

> Showing a source-code diff may be a bit technical for some users,
> though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed
> for users prior to a decision to update a package.

The prompt could offer a choice of "just upgrade / show news / show diff".

Currently, on the (Non)GNU ELPA side, there *is* a convention for
a changelog file. This is used to create the "Recent NEWS" part of
release announcements (see
https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00027.html
for an example) and the "News" section on the package's web page (see
http://elpa.gnu.org/packages/ellama.html). But:

- Many packages don't follow it (I try to shame the maintainers, but
  maybe too softly?
  See https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00024.html
  for an example).

- There is no convention to relate specific parts of the changelog
  to specific versions, so we just display the first N lines (for email
  announcements, this is arguably the right thing, since we don't know
  what is the reader's current version).

- There is even less of a convention to propagate that changelog info
  through the ELPA protocol (i.e. from elpa.gnu.org to the users'
  machines).

In any case, it sounds like everybody likes the idea, so I hope Someone™
will provide a patch soon!
Stefan

From debbugs-submit-bounces@debbugs.gnu.org Wed Jan 15 09:17:29 2025
From: Daniel Mendler
To: Stefan Monnier
Cc: Philip Kaludercic, Ship Mints, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: (Stefan Monnier's message of "Wed, 15 Jan 2025 08:51:08 -0500")
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net>
Date: Wed, 15 Jan 2025 15:17:13 +0100
Message-ID: <87sepkqhzq.fsf@daniel-mendler.de>

Stefan Monnier writes:

>>>> Such an option could help performing review casually as part of
>>>> the upgrade process and may improve the security of the package
>>>> archives. More eyes would look at new package versions. This would make
>>>> it harder to inject malicious code either via the source repository or
>>>> via attacks on the package archives.
>
> In addition to improving security it would encourage users to become
> familiar with the code, which is very much the driving force behind
> a lot of Emacs's design.

Yes, this is the point of the proposal.

>> Showing a source-code diff may be a bit technical for some users,
>> though. I wonder if there could be either a link to a changelog, or
>> a way to encourage a changelog convention so one could be displayed
>> for users prior to a decision to update a package.
>
> The prompt could offer a choice of "just upgrade / show news /
> show diff".

Good idea. I think I would also like to have a customization option
`package-upgrade-diff' where the behavior can be customized, since I
always want to see the diff even for my own packages to check if recent
changes have arrived. If `package-upgrade-diff' is nil, the confirmation
prompt could offer a key to display the diff. A key could also be
reserved to show the change log in case it is present, but as I
mentioned before in this bug report, displaying the change log is not a
security feature and the code as "driving force" is hidden.
Daniel

From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 16 04:05:19 2025
From: Philip Kaludercic
To: Stefan Monnier
Cc: Daniel Mendler, Ship Mints, 74604@debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade
In-Reply-To: (Stefan Monnier's message of "Wed, 15 Jan 2025 08:51:08 -0500")
References: <87h67quk0g.fsf@daniel-mendler.de> <87zflfqct7.fsf@posteo.net>
Date: Thu, 16 Jan 2025 09:05:03 +0000
Message-ID: <87frlj86yo.fsf@posteo.net>

Stefan Monnier writes:

>>> Note that package-vc has something similar with the
>>> `package-vc-log-incoming' command.
>
> [ Ideally the two could/should share some aspects (UI-wise or
> implementation-wise). ]

Right now `package-vc-log-incoming' just re-uses `vc-log-incoming', so I
don't know how easy this would be without creating a pseudo-VC backend.

>> Showing a source-code diff may be a bit technical for some users,
>> though. I wonder if there could be either a link to a changelog, or
>> a way to encourage a changelog convention so one could be displayed
>> for users prior to a decision to update a package.
>
> The prompt could offer a choice of "just upgrade / show news /
> show diff".
>
> Currently, on the (Non)GNU ELPA side, there *is* a convention for
> a changelog file. This is used to create the "Recent NEWS" part of
> release announcements (see
> https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00027.html
> for an example) and the "News" section on the package's web page (see
> http://elpa.gnu.org/packages/ellama.html). But:
>
> - Many packages don't follow it (I try to shame the maintainers, but
>   maybe too softly?
>   See https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00024.html
>   for an example).
>
> - There is no convention to relate specific parts of the changelog
>   to specific versions, so we just display the first N lines (for email
>   announcements, this is arguably the right thing, since we don't know
>   what is the reader's current version).
>
> - There is even less of a convention to propagate that changelog info
>   through the ELPA protocol (i.e. from elpa.gnu.org to the users'
>   machines).

Package.el does show the contents of the "news" file in the
describe-package buffer, but we currently don't generate these on the
elpa side.

> In any case, it sounds like everybody likes the idea, so I hope Someone™
> will provide a patch soon!

I'd be glad to tackle this and a number of other package.el/elpa-related
issues that have been accumulating recently. (I'm just submitting my
master's thesis in less than two weeks, so I'm a bit short on time.)

>
> Stefan
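The `package-upgrade-review' option Daniel proposes, the "just upgrade / show news / show diff" prompt Stefan sketches and the "news" file Philip mentions are still design talk at this point in the thread. The block below is an added illustration of how those pieces fit together; it is not code from the thread and not part of Emacs's package.el. It assumes the caller has already unpacked the new version into a directory of its own (the package-vc-checkout-like fetch Philip mentions) before asking for review, and the option name, the `package-review-*' functions, the news file names it looks for and the file patterns it excludes from the diff are all this example's own choices. The security point it makes concrete is Daniel's: the diff is computed from the files that will actually be loaded, so it shows changes whether or not the maintainer wrote them into a changelog.

```elisp
;;; Added example: a review step before a package upgrade.  -*- lexical-binding: t -*-
;; Not part of package.el.  `package-upgrade-review' and the
;; `package-review-*' names are assumptions made for this illustration.

(require 'diff)      ; diff-no-select
(require 'package)   ; package-desc-name, package-desc-version, package-version-join

(defcustom package-upgrade-review 'ask
  "How to review a package before an upgrade replaces the installed version.
nil    just upgrade, no prompt.
news   open the new version's news file first, then ask.
diff   open a unified diff of old against new first, then ask.
ask    only prompt; the prompt offers keys to open the diff or the news."
  :type '(choice (const :tag "Just upgrade" nil)
                 (const :tag "Show news, then ask" news)
                 (const :tag "Show diff, then ask" diff)
                 (const :tag "Ask" ask))
  :group 'package)

(defun package-review--diff-buffer (old-dir new-dir)
  "Return a buffer with a recursive unified diff of OLD-DIR against NEW-DIR.
Byte-compiled files and the generated autoload/pkg files are noise for a
reviewer, so they are excluded.  -N makes added and removed files appear
as whole-file hunks instead of being skipped silently, which is exactly
what a reviewer must not miss.  `diff-no-select' splices the switches
into a shell command verbatim, hence the single quotes around the globs."
  (diff-no-select (directory-file-name old-dir)
                  (directory-file-name new-dir)
                  '("-u" "-r" "-N"
                    "--exclude='*.elc'"
                    "--exclude='*-autoloads.el'"
                    "--exclude='*-pkg.el'")
                  t                       ; run synchronously
                  (get-buffer-create "*Package upgrade diff*")))

(defun package-review--show-news (dir)
  "Display a NEWS/CHANGELOG file found in DIR in a read-only buffer.
Which file names count as news is an assumption of this example."
  (let ((news (car (directory-files
                    dir t "\\`\\(?:NEWS\\|news\\|CHANGELOG\\|ChangeLog\\)\\(?:\\.[a-z]+\\)?\\'"))))
    (if (not news)
        (message "The new version ships no news file")
      (with-current-buffer (get-buffer-create "*Package upgrade news*")
        (let ((inhibit-read-only t))
          (erase-buffer)
          (insert-file-contents news))
        (view-mode 1)
        (pop-to-buffer (current-buffer))))))

(defun package-review-confirm (new-desc old-dir new-dir upgrade-fn)
  "Let the user review NEW-DESC, unpacked in NEW-DIR, against OLD-DIR.
OLD-DIR is the directory of the currently installed version.  UPGRADE-FN
is called with no arguments once the user confirms.  Returns `upgraded'
or `aborted' so the caller can report what happened."
  (let ((prompt (format "Upgrade %s to %s?"
                        (package-desc-name new-desc)
                        (package-version-join (package-desc-version new-desc))))
        (choices '((?u "upgrade" "Replace the installed version now")
                   (?d "diff" "Show a unified diff of old against new source")
                   (?n "news" "Show the new version's news file, if any")
                   (?a "abort" "Keep the installed version"))))
    (if (null package-upgrade-review)
        (progn (funcall upgrade-fn) 'upgraded)
      ;; `diff' and `news' open their view before the first prompt;
      ;; `ask' goes straight to the prompt.
      (pcase package-upgrade-review
        ('diff (pop-to-buffer (package-review--diff-buffer old-dir new-dir)))
        ('news (package-review--show-news new-dir)))
      ;; Keep asking until the user upgrades or aborts, so both views can
      ;; be opened from one prompt.
      (catch 'done
        (while t
          (pcase (car (read-multiple-choice prompt choices))
            (?u (funcall upgrade-fn) (throw 'done 'upgraded))
            (?a (throw 'done 'aborted))
            (?d (pop-to-buffer (package-review--diff-buffer old-dir new-dir)))
            (?n (package-review--show-news new-dir))))))))

;; Constructed usage: NEW-DESC is the archive's descriptor for the newer
;; version, OLD-DESC the installed one, and the tarball has already been
;; unpacked into /tmp/review/foo-1.2/ (a placeholder path).
;; (package-review-confirm new-desc
;;                         (package-desc-dir old-desc)
;;                         "/tmp/review/foo-1.2/"
;;                         (lambda () (package-install new-desc)))
```

The upgrade itself is handed in as a function so the review step stays independent of how package.el installs; whoever wires this into `package-upgrade' only has to unpack the downloaded archive to a scratch directory first. A `nil' setting reproduces today's behaviour exactly, so the option is safe to ship defaulting to either `nil' or `ask'.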