Description
Hi,
set exrc allows reading per-project .vimrc files. Since Vim configuration files are really versatile and can run any random shell command, you want to use it together with set secure. But the help of 'secure' says:
On Unix this option is only used if the ".vimrc" or ".exrc" is not owned by you.
This makes the option useless and even dangerous if it makes people believe that the reading of local vimrc is safe! Typically when you clone a git repository, all the files (any hidden .vimrc hanging there included) have your local user as owner for instance. Quite a common use case nowadays.
Could 'secure' actually be made to work always?
For info: we have added local config files for various editors (and Vim too) in the GIMP source tree, but we can't encourage anyone to set exrc if it's unsafe. I advise instead to source the config with:
autocmd BufNewFile,BufRead /path/to/gimp/*.[ch] source /path/to/gimp/devel-docs/c.vim
But this sucks since it is definitely not as useful as auto-loading a hidden .vimrc. Other editors we added config for can load their per-project config automatically apparently.
Our current config only uses "setlocal/set" and some other harmless commands like "highlight/match" (to highlight tabs and trailing spaces)… the idea being simply to help contributors with our syntax.
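A pre-flight check for the situation described in this report, as an added example that is not part of the original issue or of Vim: it walks a checkout for the `.vimrc`/`.exrc` files named in the quoted help text, records whether each is owned by the current user (the case where 'secure' is not applied), and lists every line whose command is outside the set/setlocal/highlight/match group the post mentions. The function names and the sample file are constructed for illustration, and a line that passes the allowlist is still meant to be read by a human.

```python
import os
import re
import tempfile
from pathlib import Path

# File names quoted in the 'secure' help text cited in the post.
LOCAL_RC_NAMES = {".vimrc", ".exrc"}
# (shortest abbreviation, full name) for the commands the post calls harmless.
ALLOWED = [("se", "set"), ("setl", "setlocal"), ("hi", "highlight"), ("mat", "match")]

def is_allowed(name):
    return any(name.startswith(short) and full.startswith(name) for short, full in ALLOWED)

def review_lines(text):
    """Return (lineno, line) pairs that a human should read before sourcing."""
    flagged = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip(":").strip()
        if not line or line.startswith('"'):
            continue  # blank line or Vim script comment
        m = re.match(r"[A-Za-z]+", line)
        # '|' can chain a second command, so such lines are always flagged.
        if m is None or not is_allowed(m.group()) or "|" in line:
            flagged.append((lineno, raw.strip()))
    return flagged

def audit_tree(root):
    """Find local rc files under root; report ownership and flagged lines."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(LOCAL_RC_NAMES.intersection(files)):
            path = Path(dirpath) / name
            owned = path.stat().st_uid == os.getuid()  # then 'secure' is not applied
            report.append((str(path), owned, review_lines(path.read_text(errors="replace"))))
    return report

def demo():
    # Constructed sample: a checkout containing one hidden .vimrc.
    with tempfile.TemporaryDirectory() as tmp:
        sample = '" style\nsetlocal ts=8\nhi Tab ctermbg=1\nautocmd BufRead * echo 1\nset sw=2 | echo 2\n'
        (Path(tmp) / ".vimrc").write_text(sample)
        return audit_tree(tmp)

if __name__ == "__main__":
    for path, owned, flagged in demo():
        print(path, "owned by you:", owned, "review:", flagged)
```

Point `audit_tree` at a fresh clone before enabling exrc there; an empty flagged list with `owned` true means the file would be read without 'secure' restrictions and contains only the four allowlisted commands.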