Hacker News new | ask | show | jobs
by kmarc 714 days ago
I do the same (not for golang tho). However, vim plug-ins also "have network access", in fact they can just "system()" and call anything. No sandboxing at all. At least the source code of these plug-ins are not obfuscated/compressed.

However, this makes me wonder how much of a surface attack this is.
1 comments
rfoo 714 days ago
Do you pin your plugins down to commit hash?
link
kmarc 714 days ago
I did in the past.

Now I just run `:PlugUpdate` and hope that whatever comes from GitHub, is seen by the manyeyeballs. I certainly don't check all the diffs.

link