* Ben Fritz <fritzophre...@gmail.com> [160826 18:05]:
> Well, here's the sort of thing I worry about the most for most users:
> 
> http://www.vim.org/scripts/script.php?script_id=5340
> http://usevim.com/2013/11/27/password-manager/
> https://invert.svbtle.com/using-vim-as-a-password-manager
> https://stelfox.net/blog/2013/11/using-vim-as-your-password-manager/
> http://vim.wikia.com/wiki/Keep_passwords_in_encrypted_file
> 
> And then of course somebody could get the bright idea of encrypting a
> 20GB CSV file of medical data to put on a flash drive or something.
> 
> I'd hope dissidents and the like use tools more designed for the task already.

I'm not sure whether you are agreeing or disagreeing with me.  Here is a
summary of my POV:

• The encryption algorithm used by Vim used to be considered strong, but
  is now considered weak.
• Newer, stronger encryption should be added to Vim.  (Hopefully with a
  well thought out plan that allows adding new encryption algorithms
  without recompiling Vim.)
• Removing Vim's existing encryption does not help users who currently
  use it, even though it is weak.

If you are simply pointing out that some people believe Vim is the right
tool for some cryptographic applications, I certainly agree with that.

If you are saying that we should remove Vim's current algorithm because
some people are using it without realizing that it is no longer
considered as strong as it used to be, I strongly disagree.  The help
file should document this concern, and if the script and blog authors
wish to make it more obvious to users, that is good, too.

My soapbox statement really boils down to two points:

• Known-weak encryption has valid uses.
• The idea that an encryption algorithm that used to be considered
  strong must always be removed soon after it is decided that it is weak
  is wrong.

The second point is, in my opinion, especially true in the case of Vim
at the moment, because there is no alternative.  However, even when a
better algorithm is added to Vim, there are bound to be many files out
there that are already encrypted using the older algorithm.  We should
not require users to keep an old version of Vim just to be able to read
those files.

Bugs in Vim's encryption algorithms should, of course, be fixed if
possible, but not in a way that prevents access to older encrypted data
files.  That includes keeping, for a significant amount of time (two
years? I'm not sure how long), the ability to write files that can be
read by older versions of Vim.  Requiring a confirmation when using a
deprecated algorithm is certainly reasonable.

...Marvin
