Use https to alleviate potential mitm vulnerability

[gmarik]

I've been contacted to address this issue, and quick fix would be using https protocol instead of http.

It's the same file just using straight from repo instead going through vim-scripts domain.

UNTESTED.

[jdevera]

I think in some installations of curl this will stop working because of the http -> https switch, but I guess we can alleviate the effect with documentation.

[gmarik]

I think in some installations of curl this will stop working because of the http -> https switch

Should url be configurable then?

[jdevera]

We could infer it. The output of curl -V contains SSL when https is supported.

Alternatively, we can make it configurable, but not the url itself, but rather to use https or http, and of course having https as default.

What do you think? Infer or configure?

[gmarik]

it should be https by default and whenever it fails it needs to suggest to try http one with warning of possible vulnerability.

To much ceremony you think?

[gmarik]

Alternatively we could abandon JSON altogether and just go with plaintext file: 1) no vulnerability 2) faster

[jdevera]

I like that option even better, one plugin name per line, we use readfile(). Simple.

[ecneladis]

+1, critical