On Tue, Sep 16, 2014 at 05:58:58PM -0400, Trevor Saunders wrote:
> fwiw, I think enabling it by default especially when that really means
> enable it if you've enabled the localrc plugin makes sense.

Enabling it by default means enabling it for all users.  That is a really
really bad plan; many of the options this script sets are user preferences.

You can make Vim automatically adapt settings, but you cannot make the Vim
user adapt to that.

Of course Vim won't use this script by default anyway.  It would be nice
if there was some "modeline for this whole subtree" mechanism, but there
is not.

> I don't see
> how you can enable the localrc plugin and then complain when people use
> it for its designed purpose.

Sure.  If you have the localrc thing installed, anyone who can write files
you can read can make your vim do *anything* (and I mean *anything*).  It
is a security disaster, that is, there is no security at all.  It runs any
script in the path from the file you open up to the root.  There is no
confirmation asked, no whitelist, no blacklist, no nothing.  And no
sandboxing either, of course.

Did I mention /tmp?  And writing to files?  Or just opening a shell.  The
possibilities are endless!

We should not encourage people to install this.  Running it is reckless;
telling other people to run it is irresponsible.

> However something in contrib/ is probably
> easier for new people to find than something on the wiki or something so
> better than doing nothing :)

Yup, just a bunch of recommended settings somewhere easy to find in contrib/
should be quite helpful to many people.


Segher
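
The message's point that such a plugin "runs any script in the path from the file you open up to the root" can be checked from the defender's side. The following is an added example, not part of the original message and not the plugin's code: it walks the same path and reports which per-directory rc files would be sourced and where another user could plant or modify one. The file name `.local.vimrc` and the finding labels are assumptions made for this sketch.

```python
import os
import stat
import sys

RC_NAME = ".local.vimrc"  # assumed name; the message does not give one
OTHERS_W = stat.S_IWGRP | stat.S_IWOTH  # conservative: group write counts too


def ancestors(path):
    """Directories from the file's own directory up to the filesystem root."""
    d = os.path.dirname(os.path.realpath(path))
    while True:
        yield d
        parent = os.path.dirname(d)
        if parent == d:
            return
        d = parent


def audit(path, rc_name=RC_NAME, uid=None):
    """Return {directory: [findings]} for every directory with a finding."""
    uid = os.getuid() if uid is None else uid
    trusted = {uid, 0}  # the invoking user and root
    report = {}
    for d in ancestors(path):
        found = []
        dst = os.stat(d)
        if dst.st_uid not in trusted or dst.st_mode & OTHERS_W:
            found.append("open-dir")  # others can create or replace rc_name here
        rc = os.path.join(d, rc_name)
        if os.path.lexists(rc):
            found.append("sourced")  # would be run when `path` is opened
            st = os.lstat(rc)
            if st.st_uid not in trusted:
                found.append("foreign-owner")
            if stat.S_ISLNK(st.st_mode):
                found.append("symlink")  # target is outside this audit
            elif st.st_mode & OTHERS_W:
                found.append("writable-file")
        if found:
            report[d] = found
    return report


if __name__ == "__main__":
    for d, found in audit(sys.argv[1]).items():
        print(d, ", ".join(found))
```

On a typical system any file under `/tmp` gets at least an `open-dir` finding for `/tmp` itself, which is the case the message singles out.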
