GNU bug report logs - #74604
30.0.92; FR: M-x package-upgrade - offer an option to show a diff on upgrade


Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Fri, 29 Nov 2024 15:40:02 UTC

Severity: wishlist

Found in version 30.0.92



Message #32 received at 74604 <at> debbugs.gnu.org:

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Ship Mints <shipmints <at> gmail.com>
Cc: Daniel Mendler <mail <at> daniel-mendler.de>,
 Philip Kaludercic <philipk <at> posteo.net>, 74604 <at> debbugs.gnu.org
Subject: Re: bug#74604: 30.0.92; FR: M-x package-upgrade - offer an option
 to show a diff on upgrade
Date: Wed, 15 Jan 2025 08:51:08 -0500

>>> This is a feature request for the security wishlist.  When upgrading
>>> a package it would be good to show a diff between the new and old package
>>> files.

+1

>>> Such an option could help perform reviews casually as part of
>>> the upgrade process and may improve the security of the package
>>> archives.  More eyes would look at new package versions.  This would make
>>> it harder to inject malicious code either via the source repository or
>>> via attacks on the package archives.

In addition to improving security it would encourage users to become
familiar with the code, which is very much the driving force behind
a lot of Emacs's design.

>> That sounds like a good option to have!  I'll look into adding something
>> like this via a user option that adjusts how to confirm a package upgrade.

Maybe the UI could be a simple confirmation prompt, where "show diff" is
one of the options.

>> Note that package-vc has something similar with the
>> `package-vc-log-incoming' command.

[ Ideally the two could/should share some aspects (UI-wise or
  implementation-wise).  ]

> Showing a source-code diff may be a bit technical for some users,
> though. I wonder if there could be either a link to a changelog, or
> a way to encourage a changelog convention so one could be displayed
> for users prior to a decision to update a package.

The prompt could offer a choice of "just upgrade / show news /
show diff".

Currently, on the (Non)GNU ELPA side, there *is* a convention for
a changelog file.  This is used to create the "Recent NEWS" part of
release announcements (see
https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00027.html
for an example) and the "News" section on the package's web page (See
http://elpa.gnu.org/packages/ellama.html).  But:

- Many packages don't follow it (I try to shame the maintainers, but
  maybe too softly?
  See https://lists.gnu.org/archive/html/gnu-emacs-sources/2025-01/msg00024.html
  for an example).

- There is no convention to relate specific parts of the changelog
  to specific versions, so we just display the first N lines (for email
  announcements, this is arguably the right thing, since we don't know
  what is the reader's current version).

- There is even less of a convention to propagate that changelog info
  through the ELPA protocol (i.e. from elpa.gnu.org to the users'
  machines).

In any case, it sounds like everybody likes the idea, so I hope Someone™ will
provide a patch soon!


        Stefan
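As an added prototype of the "just upgrade / show news / show diff" prompt discussed in this thread, written in Emacs Lisp for this page and not taken from Emacs or from the bug report: the function name, the list of candidate NEWS file names and the OLD-DIR/NEW-DIR arguments are assumptions, since package.el does not expose the candidate version's files before it installs them, so the caller is assumed to have unpacked the new version into a temporary directory.

```elisp
;; Hypothetical prototype (not Emacs's own code): confirm a package
;; upgrade after optionally showing its NEWS file or a recursive diff
;; between the installed files (OLD-DIR) and the candidate files (NEW-DIR).
(require 'diff)   ; `diff'
(require 'rmc)    ; `read-multiple-choice'
(require 'seq)    ; `seq-find'

(defconst my/package-news-candidates '("NEWS" "NEWS.org" "NEWS.md" "CHANGELOG.md")
  "File names (an assumption, not an ELPA convention) checked for release news.")

(defun my/package-review-before-upgrade (name old-dir new-dir)
  "Ask whether to upgrade package NAME from OLD-DIR to NEW-DIR.
Let the user view the NEWS file or a diff as often as wanted before
deciding.  Return non-nil only when the user chose to upgrade."
  (let ((news (seq-find #'file-exists-p
                        (mapcar (lambda (f) (expand-file-name f new-dir))
                                my/package-news-candidates)))
        done upgrade)
    (while (not done)
      (pcase (car (read-multiple-choice
                   (format "Upgrade package %s?" name)
                   `((?u "upgrade" "Install the new version now")
                     (?n "news" ,(if news "Show the new version's NEWS file"
                                   "No NEWS file ships with this version"))
                     (?d "diff" "Show a recursive unified diff, old -> new")
                     (?q "quit" "Keep the installed version"))))
        (?u (setq upgrade t done t))
        (?q (setq done t))
        (?n (if news
                (view-file news)
              (message "Package %s ships no NEWS file" name)))
        ;; Generated files (byte-code, autoloads) only add noise to review,
        ;; so they are excluded; the diff is run synchronously so the
        ;; prompt returns after the *Diff* buffer is shown.
        (?d (diff old-dir new-dir
                  '("-ru" "--exclude=*.elc" "--exclude=*-autoloads.el")
                  'no-async))))
    upgrade))
```

The value returned by the function is what an upgrade command would test before installing, so a "quit" answer leaves the installed version untouched.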







