Bug 70953 - Can we have an option to have the vim modeline on
Summary: Can we have an option to have the vim modeline on
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High minor
Assignee: Vim Maintainers
Reported: 2004-11-12 04:53 UTC by Chris Lear
Modified: 2004-12-16 02:45 UTC

Description Chris Lear 2004-11-12 04:53:33 UTC
Vim modelines used to be a potential security threat. See bug #14088 for info.

Vim has been fixed so that modelines are no longer vulnerable, but Gentoo still turns them off by default (set nomodeline in /etc/vim/vimrc).
Presumably this is because of this idea:
"Even when/if vim is fixed, I strongly recommend keeping this solution to 
 prevent from similar exploits in the future. Scripting sux - check windows 
 history."

But Gentoo uses modelines. Look at this:
$ grep -r vim: /etc/* | wc -l
46

46 files in a Gentoo /etc/ have vim modelines in them.

Can we have modelines back on by default, or at least a modelines USE flag?

Clearly this isn't critical, because it's easy to tweak the vimrc.

Reproducible: Always
Steps to Reproduce:
1. vim /etc/init.d/checkfs

Actual Results:  
Tabs are 8 chars

Expected Results:  
Tabs should be 4 chars, as per the modeline
# vim:ts=4

This works OK.

$ diff vim.eclass vim.eclass.modeline 
68a69,73
>               ##################
>               ## MODELINE USE FLAG
>               ##################
>               IUSE="$IUSE modeline"
>               ##################
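Review bot: The `modeline` flag on the `IUSE="$IUSE modeline"` line is introduced with no description of what it changes, and the four banner comment lines around it add nothing a reader needs. Add a description entry for the flag stating that it enables modeline parsing in the system-wide vimrc, and reduce the banner to a single comment line.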
420a426,433
>               ##################
>               ## MODELINE USE FLAG
>               ##################
>               if use modeline ; then
>                       sed -i -e 's/^set nomodeline/"Commented by USE
setting\n"&/' ${FILESDIR}/vimrc
>               fi
>               ##################
>
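Review bot: The `sed -i` inside the `if use modeline` block rewrites `${FILESDIR}/vimrc`, which is the ebuild's own files directory rather than the copy being installed, so the edit lands in the tree and stays there for later builds whatever the flag is set to. Run the substitution on the installed copy of the vimrc instead and quote the path. The replacement also depends on sed expanding `\n` to a newline, and the sed script is split across two lines as pasted, so it has to be rejoined before the patch applies.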
Comment 1 Ciaran McCreesh 2004-11-12 13:31:32 UTC
You can turn them on in the user vimrc, or edit the global one as you prefer.
Comment 2 Chris Lear 2004-11-15 01:28:37 UTC
> You can turn them on in the user vimrc, or edit the global one as you prefer.

I know that. It's what I've been doing. I just thought it would be nice to have the option to install a non-crippled vim via a USE flag. Especially since modelines basically do *not* have any security issues. If (for example) vim was shipped with "set compatible" in the vimrc by default, I don't think you would just say "you can edit vimrc if you want to" when people complained.
Comment 3 Ciaran McCreesh 2004-11-15 10:58:55 UTC
A USE flag is really overkill for this -- if we were patching out modeline support then fine, but all we're doing is setting the default value to off. The compatible thing isn't a fair comparison -- just the presence of a .vimrc is enough to turn it off, and we're patching vim to really encourage it to not go compat unless the user explicitly requests it.

Regarding security -- have you actually gone through and done a full audit of every last bit of code that sandboxed code can get at? This includes checking things like screwy regexes not being able to trick the parser into allocating the wrong amount of memory leading to an overflow.
Comment 4 Chris Lear 2004-11-16 03:37:36 UTC
> A USE flag is really overkill for this 

I agree. I just thought it might be worth coming up with it as an option.

> The compatible thing isn't a fair comparison 

You're right. I was being deliberately over-the-top.

> Regarding security -- have you actually gone through 
> and done a full audit of every last bit of code 

I certainly haven't. I just took Bram Moolenaar's word for it.

Anyway, I'm yielding, fairly contentedly. Thanks for making the effort to spell out your reasons. Apologies if I've wasted your time.

This is the first time I've used Gentoo bugzilla, and I'm very impressed by the service :)
Comment 5 Chris Lear 2004-12-16 02:45:50 UTC
See ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045.
Turns out Ciaran McCreesh is better at checking these things out than me...
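
The `grep -r vim:` count in the description matches any line containing `vim:`, whereas Vim only reads modelines from the first and last few lines of a file. The following is an added example, not part of the original report or of Gentoo's code: it parses the two modeline forms from Vim's documentation within that window and lists settings outside a layout-only allowlist, so an administrator can see what enabling `modeline` would actually apply. `LAYOUT_ONLY`, the function names and the sample text are assumptions made for this example.

```python
import re

MODELINES = 5  # Vim's default 'modelines': lines inspected at each end of a file

# Simplified from the two modeline forms in Vim's documentation
# (version-gated prefixes such as "vim600:" are not handled here).
SET_FORM = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*set? (.*?)(?<!\\):")
PLAIN_FORM = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(.+)$")

# Assumption: a local allowlist of layout-only options already reviewed.
LAYOUT_ONLY = {"ts", "tabstop", "sw", "shiftwidth", "sts", "softtabstop",
               "et", "expandtab", "tw", "textwidth"}

# Constructed sample: a 12-line file ending with the modeline from this report.
SAMPLE = "#!/sbin/runscript\n" + "# body\n" * 10 + "# vim:ts=4\n"


def parse_modeline(line):
    """Return the option settings in one line, or None if it holds no modeline."""
    m = SET_FORM.search(line)
    if m:  # "vim: set opt opt:" -> options are whitespace separated
        return m.group(1).split()
    m = PLAIN_FORM.search(line)
    if m:  # "vim:opt:opt opt" -> options separated by ':' or whitespace
        return [o for o in re.split(r"[\s:]+", m.group(1)) if o]
    return None


def option_name(setting):
    """'noet' -> 'et', 'ts=4' -> 'ts', 'sw+=2' -> 'sw'."""
    m = re.match(r"[A-Za-z]+", setting)
    name = m.group(0) if m else setting
    return name[2:] if name.startswith("no") and name[2:] in LAYOUT_ONLY else name


def audit(text):
    """Return (settings, unreviewed) for the modelines Vim would read in text."""
    lines = text.splitlines()
    window = lines[:MODELINES] + lines[MODELINES:][-MODELINES:]
    settings = []
    for line in window:
        settings += parse_modeline(line) or []
    unreviewed = [s for s in settings if option_name(s) not in LAYOUT_ONLY]
    return settings, unreviewed


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running `audit()` over each file that the grep matched separates modelines that only adjust layout from those that set anything else, and drops matches Vim would never read.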