Windows Vim download version on website


TS

Dec 2, 2024, 2:23:46 PM
to vim...@googlegroups.com

The version of Vim for Windows offered for download on
https://www.vim.org/download.php is 9.1.0. This has some known
vulnerabilities (like CVE-2024-45306, CVE-2024-41965, ...).
Can the "current stable version" be updated to something not
vulnerable? Or is there a reason the website is still
prominently distributing a vulnerable version?

I realize there are also links to nightly builds. I would
prefer to use something "stable" though, so I'm hesitant to
take a nightly build at random just to avoid being vulnerable.

Christian Brabandt

Dec 2, 2024, 2:32:34 PM
to vim...@googlegroups.com
I have updated the links to include the latest stable release from
the winget package repository:
https://github.com/microsoft/winget-pkgs/tree/master/manifests/v/vim/vim/

Note: there will be new stable releases at the winget repository
approximately every 100 minor patch numbers. So expect there to be a new
release within the next few weeks.

Thanks,
Christian
--
Dare to be naive.
-- R. Buckminster Fuller

TS

Dec 3, 2024, 10:24:09 AM
to vim...@googlegroups.com
> On Mon, 02 Dec 2024, TS wrote:
>> The version of Vim for Windows offered for download on
>> https://www.vim.org/download.php is 9.1.0. This has some known
>> vulnerabilities...

Christian Brabandt <cbl...@256bit.org> said (on 2024/12/02):
> I have updated the links to include the latest stable release from
> the winget package repository:
> https://github.com/microsoft/winget-pkgs/tree/master/manifests/v/vim/vim/
>
> Note: there will be new stable releases at the winget repository
> approximately every 100 minor patch numbers. So expect there to be a new
> release within the next few weeks.

Thanks for the update. I don't see any change to the page yet;
is there a delay? In the winget repository I see 9.1.0821 along
with 9.1.0818, 9.1.0718, 9.1.0618, etc. but the top of
download.php still says:

The current stable version is gvim_9.1.0000_x64.exe (64bit installer) and gvim_9.1.0000_x86.exe (32bit installer).
A zip package (32bit and 64bit) is also available: gvim_9.1.0000_x86.zip and gvim_9.1.0000_x64.zip

Christian Brabandt

Dec 3, 2024, 10:29:56 AM
to vim...@googlegroups.com

On Tue, 03 Dec 2024, TS wrote:

> Thanks for the update. I don't see any change to the page yet;
> is there a delay? In the winget repository I see 9.1.0821 along
> with 9.1.0818, 9.1.0718, 9.1.0618, etc. but the top of
> download.php still says:
>
> The current stable version is gvim_9.1.0000_x64.exe (64bit installer) and gvim_9.1.0000_x86.exe (32bit installer).
> A zip package (32bit and 64bit) is also available: gvim_9.1.0000_x86.zip and gvim_9.1.0000_x64.zip

Scroll down a bit to https://www.vim.org/download.php#pc and you should see
your download link there.

Thanks,
Christian
--
Fifty flippant frogs
Walked by on flippered feet
And with their slime they made the time
Unnaturally fleet.

TS

Dec 3, 2024, 4:25:18 PM
to vim...@googlegroups.com
Christian Brabandt <cbl...@256bit.org> said (on 2024/12/03):
> Scroll down a bit to https://www.vim.org/download.php#pc and you should see
> your download link there.

Ah, I see it now, and the bit now added to the top. Thank you.
I really don't want to sound demanding, but out of genuine
curiosity, why retain the vulnerable 9.1.0000 links at all? I
would fear most users might navigate the page like I did:
- "popular", "Windows", "Unix", "Mac"
okay, I'm on Windows...
- "32-bit installer", "64-bit installer", "32-bit zip", "64-bit zip"
okay, I'm 64-bit, so click 64-bit installer

Or similarly for "okay, I'll go with what's popular,
current-stable sounds good... not sure why there's multiple
stable links but I'll just grab the first x64 one".

The user ends up with a vulnerable install without realizing it.
Wouldn't it make more sense to bury the vulnerable installer
links behind an "archive" or "previous releases" section, or let users
find them from the directory links?

Christian Brabandt

Dec 3, 2024, 4:35:15 PM
to vim...@googlegroups.com

On Tue, 03 Dec 2024, TS wrote:

> Christian Brabandt <cbl...@256bit.org> said (on 2024/12/03):
> > Scroll down a bit to https://www.vim.org/download.php#pc and you should see
> > your download link there.
>
> Ah, I see it now, and the bit now added to the top. Thank you.
> I really don't want to sound demanding, but out of genuine
> curiosity, why retain the vulnerable 9.1.0000 links at all? I
> would fear most users might navigate the page like I did:
> - "popular", "Windows", "Unix", "Mac"
> okay, I'm on Windows...
> - "32-bit installer", "64-bit installer", "32-bit zip", "64-bit zip"
> okay, I'm 64-bit, so click 64-bit installer
>
> Or similarly for "okay, I'll go with what's popular,
> current-stable sounds good... not sure why there's multiple
> stable links but I'll just grab the first x64 one".

Yeah, you are right. I have updated it again and only included the
v9.1.0821 versions.

Thanks,
Christian
--
There's nothing like good food, good wine, and a bad girl.