On Tue, Dec 8, 2020 at 8:24 PM brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> wrote: > > On 2020-12-09 at 00:26:19, Felipe Contreras wrote: > > It's not efficient that everyone must set specific configurations in all > > their ~/.vimrc files; we can have a project-wide .vimrc that everyone > > can use. > > > > By default it's ignored, you need the following in your ~/.vimrc > > > > set exrc > > set secure > > I would strongly recommend against advising users to use this > configuration. Vim has been known to have repeated security problems > with what options are allowed in restricted environments, and even with > the secure option, it's still easy to do something like this: > > func Foo() > !echo >/tmp/foo > endfunction > > nmap i :call Foo()<CR> > > When the user hits "i" to enter insert mode, they'll execute the > attacker's arbitrary code. v2 should probably deal with that. > > We could add the vim modelines at the bottom of every file, like other > > projects do, but this seems more sensible. > > We have an .editorconfig file[0], which is a cross-editor file that can be > used to specify these settings. It is supported by many editors out of > the box, although Vim requires a plugin. Since we don't want to support > configuration for every editor under the sun, it makes sense to use a > single file for multiple editors and let people configure their editor > accordingly. Sure. But it doesn't set cinoptions, nor does it set filetypes for documentation and tests. Plus, it's a single file, it's not like we are adding modesets at the bottom of every single file like other projects do. Also, we don't have to support configurations for every editor under the sun, that's a slippery slope fallacy. We can stop at 1 editor: the most widely used editor by developers by far [1]. Cheers. [1] https://pkgstats.archlinux.de/packages#query=vim -- Felipe Contreras
