Thursday, November 24, 2011

RE: Dubious scripts at vim.org

Marc Weber wrote:

> Excerpts from John Beckett's message of Thu Nov 24 07:34:16 +0100 2011:
> > It's probably a particular version of someone's ctags. But it
> > might be a hacked version which installs a keylogger.
> It's not from ctags.sourceforge.net, which stopped shipping .exe in v
> 15.5. Looks like they recommend cygwin now - but the script does not ship
> with cygwin.dll? I asked google to find md5 and sha1 sums of one of
> the executables - no match. This does not mean it's malicious though.
>
> Should we keep it? Should we add a warning? .. Well in the end
> www.vim.org is not the place to put binaries - I agree.
> We don't want the database to be flooded with huge amounts of binary
> data - equally important - the same binary data over and over again.
>
> Great that you found it.
> How to protect against it in the future?
> Does removing it protect users?
>
> I mean browsing scripts at www.vim.org is not that great at all:
> You don't see the files which are contained in a zip. You have to
> provide duplicate install and plugin information (worst case 3 times:
> 1) doc/*.txt 2) README for github 3) instructions for www.vim.org)
> ...
>
> Having exe for windows is easy.. What about #! scripts on linux?
>
> Do you expect users to read every line ?
>
> http://stackoverflow.com/questions/2866787/how-to-create-a-bat-file-to-download-file-from-http-ftp-server
> shows that it's pretty simple to download applications by FTP using VimL
> and system()?
> I haven't tested it.
> But looks trivial to do.
>
> How can we improve security? Switch OS: Use sandboxes, ... ?

I think it's better not to allow download of .exe files from Vim
scripts. Especially when it's something not Vim-specific such as
ctags.exe, this should be hosted elsewhere.

There should be some English text in the description. If someone can't
write English well and the script is specific for a non-English
language, there may be details in another language. I don't think this
script is non-English; someone should be able to translate the text so
that the plugin is useful for more people.

Marc, can you contact the author and ask him to take care of this?

--
hundred-and-one symptoms of being an internet addict:
169. You hire a housekeeper for your home page.

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
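The kind of check Marc's message asks for (seeing what a zip contains before trusting it), as an added example that is not part of the thread: it opens an uploaded archive and flags members that are PE or ELF binaries or #! scripts by their leading bytes, so a renamed executable is caught as well as an obvious .exe. The archive contents and the function names are constructed for this example.

```python
import io
import zipfile
from typing import Dict, Optional

# Magic bytes / markers for content a Vim plugin archive should not normally carry.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
BINARY_EXTENSIONS = (".exe", ".dll", ".so", ".dylib")

def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return why this member looks like executable code, or None if it looks harmless."""
    if head.startswith(PE_MAGIC):
        return "PE executable (MZ header)"
    if head.startswith(ELF_MAGIC):
        return "ELF executable"
    if head.startswith(SHEBANG):
        return "script with #! line"
    if name.lower().endswith(BINARY_EXTENSIONS):
        return "binary file extension"
    return None

def scan_plugin_archive(data: bytes) -> Dict[str, str]:
    """Map each suspicious member of a zip (given as bytes) to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the first bytes are needed for the magic checks
            reason = classify_member(info.filename, head)
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample upload (not a real vim.org script): a plugin plus three unwanted members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/tags.vim", '" sample plugin\nlet g:tags_loaded = 1\n')
        zf.writestr("doc/tags.txt", "*tags.txt* sample help\n")
        zf.writestr("bin/ctags.exe", b"MZ" + b"\x00" * 60)         # fake PE header only
        zf.writestr("bin/helper", b"#!/bin/sh\necho hi\n")         # #! script without extension
        zf.writestr("bin/renamed.txt", b"\x7fELF" + b"\x00" * 12)  # ELF hidden behind .txt
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in scan_plugin_archive(build_sample_archive()).items():
        print(f"{member}: {why}")
```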
