Excerpts from John Beckett's message of Thu Nov 24 07:34:16 +0100 2011:
> It's probably a particular version of someone's ctags. But it
> might be a hacked version which installs a keylogger.

It's not from ctags.sourceforge.net, which stopped shipping .exe in v 15.5. Looks like they recommend cygwin now - but the script does not ship with cygwin.dll?

I asked Google to find md5 and sha1 sums of one of the executables - no match. This does not mean it's malicious though.

Should we keep it? Should we add a warning? ..

Well, in the end www.vim.org is not the place to put binaries - I agree. We don't want the database to be flooded with huge amounts of binary data - equally important - the same binary data over and over again.

Great that you found it. How to protect against it in the future? Does removing it protect users?

I mean browsing scripts at www.vim.org is not that great at all: You don't see the files which are contained in a zip. You have to provide duplicate install and plugin information (worst case 3 times: 1) doc/*.txt 2) README for github 3) instructions for www.vim.org) ...

Having exe for windows is easy.. What about #! scripts on linux? Do you expect users to read every line?

http://stackoverflow.com/questions/2866787/how-to-create-a-bat-file-to-download-file-from-http-ftp-server shows that it's pretty simple to download applications by FTP using VimL and system? I haven't tested it. But looks trivial to do.

How can we improve security? Switch OS: Use sandboxes, ...?

Marc Weber

--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
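The message above notes that the files inside an uploaded zip are not visible and that the executables' md5 and sha1 sums matched nothing published. As an added example (not part of the original message or of www.vim.org), this sketch lists the executable members of a plugin archive with the digests a reviewer would compare; the function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Leading bytes that mark content a reviewer should inspect before installing.
MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable", b"#!": "shebang-script"}


def classify(data):
    """Return a label for executable content, or None for ordinary files."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def audit_archive(zip_bytes):
    """List executable members of a zip with digests to compare against published sums."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            kind = classify(data)
            if kind:
                findings.append({
                    "name": info.filename,
                    "kind": kind,
                    "size": info.file_size,
                    "md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest(),
                })
    return findings


def build_sample():
    """Constructed sample: a plugin archive with one ordinary file and two executable ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("plugin/example.vim", '" constructed plugin file\n')
        archive.writestr("bin/tool.exe", b"MZ" + b"\x00" * 62)  # fake PE header stub
        archive.writestr("bin/helper.sh", "#!/bin/sh\necho constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_archive(build_sample()):
        print(f"{f['kind']:20} {f['name']:16} sha1={f['sha1']} md5={f['md5']}")
```

A digest that matches no published sum, as in the message, proves nothing either way; the listing only tells a reviewer which members need a trusted source before they are run.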
