Thursday, November 24, 2011

RE: Dubious scripts at vim.org

Excerpts from John Beckett's message of Thu Nov 24 07:34:16 +0100 2011:
> It's probably a particular version of someone's ctags. But it
> might be a hacked version which installs a keylogger.
It's not from ctags.sourceforge.net, which stopped shipping .exe in v 15.5. Looks like they recommend cygwin now - but the script does not ship with cygwin.dll? I asked google to find md5 and sha1 sums of one of the executables - no match. This does not mean it's malicious though.

Should we keep it? Should we add a warning? .. Well, in the end www.vim.org is not the place to put binaries - I agree.
We don't want the database to be flooded with huge amounts of binary data - and, equally important, the same binary data over and over again.

Great that you found it.
How to protect against it in the future?
Does removing it protect users?

I mean browsing scripts at www.vim.org is not that great at all: you don't see the files which are contained in a zip. You have to provide duplicate install and plugin information (worst case 3 times: 1) doc/*.txt 2) README for github 3) instructions for www.vim.org)
...

Having exe for Windows is easy.. What about #! scripts on Linux?

Do you expect users to read every line?

http://stackoverflow.com/questions/2866787/how-to-create-a-bat-file-to-download-file-from-http-ftp-server
shows that it's pretty simple to download applications by FTP using VimL and system?
I haven't tested it.
But looks trivial to do.

How can we improve security? Switch OS: Use sandboxes, ... ?

Marc Weber

--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
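As an added example (not code from this thread or from vim.org), here is a Python script that does what Marc describes by hand: it lists every file inside a plugin zip, flags native binaries and #! scripts, and reports SHA-256 sums to compare against a publisher's stated checksums before installing. The archive is constructed inline; member names such as `bin/ctags.exe` are placeholders, not a real vim.org upload.

```python
import hashlib
import io
import zipfile

# Suffixes treated as native binaries regardless of their content.
BINARY_SUFFIXES = (".exe", ".dll", ".so", ".dylib")


def inspect_plugin_zip(data: bytes) -> list:
    """Return one record per archive member: name, size, kind, sha256."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            if info.filename.lower().endswith(BINARY_SUFFIXES):
                kind = "binary"
            elif content.startswith(b"#!"):
                kind = "shebang-script"
            else:
                kind = "text"
            findings.append({
                "name": info.filename,
                "size": len(content),
                "kind": kind,
                "sha256": hashlib.sha256(content).hexdigest(),
            })
    return findings


def suspicious(findings: list) -> list:
    """Names of members a reviewer should look at before installing."""
    return [f["name"] for f in findings if f["kind"] != "text"]


def build_sample_zip() -> bytes:
    """Constructed sample (not a real upload): bundles an .exe and a #! helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/example.vim", '" vim plugin\n')
        zf.writestr("doc/example.txt", "help text\n")
        zf.writestr("bin/ctags.exe", b"MZ\x90\x00" + b"\x00" * 64)
        zf.writestr("bin/update.sh", "#!/bin/sh\necho hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in inspect_plugin_zip(build_sample_zip()):
        print(f"{rec['kind']:14} {rec['size']:6d} {rec['sha256'][:16]}  {rec['name']}")
```

Point it at a downloaded plugin archive by replacing `build_sample_zip()` with the file's bytes; anything listed by `suspicious()` deserves a checksum comparison against the upstream project's published sums.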
