The title is either poorly chosen or shows a different intention than the content of the article, I would argue. The objective seems to be to scare readers, and then nuance the statement in the article. Some call this clickbait, at the expense of the great Obsidian team.
> Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
> There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub
Sorry, what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer’s website is identical to what is built with the open source code? Just curious.
Yeah there is support for API notarization, so in principle you could have an audit trail that some automated build process got a specific notary result that's "stapled" to the app. I'm not familiar enough to say how trustworthy that approach is, or what exactly you'd need to prove it. And yes, aim for a reproducible build that produces assets with checksums that can be matched to the distributed one.
The mitigation is if someone finds out a (notarized) download is compromised, they can tell Apple and they can retroactively and quickly revoke the signing which is distributed via Gatekeeper. Other users should get the warning if they had previously run the app without an issue.
In theory, yes, you could compare it. In practice, the build would need to be reproducible, which is non-trivial depending on the size of the project and the external dependencies the project itself has.
Mac App Store distribution is not that common. Some apps are available in the store or as direct downloads. The store adds the sandboxing restrictions, which don't work for many apps, e.g. it's not very easy to install a CLI.
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it.
I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
> I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed, but Logseq documents were literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions, but the real problem with Obsidian is AFAIK the plugins and not the app itself. I mean: they have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
In the same boat a few months (actually, almost 2 years!) ago, I found Logseq too limiting as soon as one needs to manage notes consistently ("typing" them as collections of notes of similar nature and acting on their properties as metadata), went through quite a long list of contenders (including AnyType) and ultimately settled with https://triliumnotes.org/
I've used dozens of notetaking tools over the years. Some cloud-based, some markdown-based, some flashy apps, some plain-text, some open-source, and some closed-source. My takeaway from years of jumping between them is this: don't use closed-source notetaking software. Just don't do it. Even if your data is in markdown files, on your own computer, you're still probably stuck with proprietary markdown extensions, and at the very least, you're stuck with muscle memory for the app's UI that you'd have to translate to some new system eventually. Startup companies come and go, on a monthly basis. Developers move on to shiny new projects. You can't take that risk, or any other security risks, with your personal notes.
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
I think the increasingly widespread attitude that only open source software is good and trustworthy is increasingly annoying and problematic.
Building software takes time and resources. Experience shows that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to put food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn't mean I appreciate unnecessary vendor lock-in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if it's not open source, it would be great progress if we had more software like Obsidian.
> I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
Closed source also keeps missing CVEs, only most of them you never know because they aren't even making it to an officially released CVE. You usually don't even know what libs it uses and at what versions, never mind the proprietary code.
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
They get to counter a point they think is wrong in an open forum on the internet. I guess they get the satisfaction of providing a second viewpoint to a claim, so that the claim, alone, is not the only viewpoint that others coming to this thread see.
What did you get out of calling out their counterclaim?
They didn't counter OP's claim, though. OP is essentially saying that software other than open-source can be trustworthy and the supposed counter-claim is that open-source software is more trustworthy. Regardless of that being true or false, it's not a counter to the claim that closed-source software can also be trustworthy.
They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person. I mean, "They're being a fucknugget for riffing off of the other person's words". Jesus, chill...
And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
>rather than replying clearly on their own terms
What you quoted couldn't be clearer, or express the responder's terms any better. Your issue is not that the response is not on their own terms, it's that it is not on your terms, where phrasing it similar to what the other person said is supposed to be bad.
But that's more of a you problem. Was just looking at another thread, and chanced on you berating someone for pointing to GNU's website as opposed to writing a set of custom arguments on the spot:
As long as they aren't abusive, people can answer any way they damn please, including rewording what the parent wrote, or pointing to some link they agree with. Is that a novel concept?
>And I'd get even more relief if they admitted to having been an asshole on purpose and apologized. God forbid, stopped acting this way.
> They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person.
How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
> And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
Yes, and do you not see how clapping back by "cleverly" rewriting someone's words would come across as incredibly annoying? This is just a slightly more elaborate version of how children bicker! How do I need to explain this?
> But that's more of a you problem.
It certainly seems that way...
> oh, the irony
People getting hostile in response to hostility? Oh no, not the irony?! Case in point:
> As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote,
This WAS abusive, that's my whole issue dude. It'd appear what is and isn't abusive isn't a fundamental force of the universe, and you and a few of your peers here just happen to not find what I - and imo, any average person with a reading comprehension - find immensely abusive.
>How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
"Contorting someone's words" is said when someone changes what somebody said to make it appear as if they meant something else.
Not when someone merely expresses a different opinion, as their own, using some part of the other's wording.
>Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying?
No. That's a you problem. And even describing it as "rewriting someone words" would be a stretch. They merely used the same noun (which they need to, as they speak about the same thing), and contended that the opposite is true:
"I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic"
"Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time".
The only annoying comment I see in the whole exchange is yours.
>People getting hostile in response to hostility? Oh no, not the irony?!
The only hostility was in your mind, based on your premise that responding by reusing some of the same wording is "hostile".
I hope all replies you'll ever get will be in their style, maybe that will (eventually) teach you why I find it oh-so-unreasonably hostile, and yes, an intentional contortion of words.
I further hope someone will be there afterwards to gaslight you about how there's actually nothing wrong with it, and that it's all in your head (which is like no shit, where do you think hostility arrives to?), and that it's a you problem (whose problem would you be reporting on? nonsense...).
I have the impression these people only use Big Tech open source projects. Why they would expect software developers to work for free so they can give their beautiful contribution of using it for free is really unknown to me.
Obsidian also has affordable commercial pricing. By now I very much try to pay support contracts or give back to projects in other ways at work.
The problem is that quite a few open core companies immediately go from $0 / year to low-to-medium six-digit figures per year. This escalates the entire project sky-high in levels of internal scrutiny, with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
>I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
In this case the "closed source app" is using a very open and easy to parse format.
If Obsidian enshittified tonight so badly I had to stop using it, the only thing I'd kind of miss is dataview and bases.
And of those dataview is "just" parsing a bunch of markdown with javascript. Bases is a yaml format for displaying more markdown.
I'm pretty sure I could vibe-code some scripts over a weekend that cover most of my Obsidian use-cases and use any markdown-capable editor for writing.
That's why I use Obsidian (and stopped using Joplin, because - at the time - all my notes were in one obscure blob)
I think they could easily make Obsidian open source without losing out on profits.
The app itself is free anyway.
They could keep the sync backend closed source and make people pay to use the sync feature.
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
Obsidian is using electron, so the source is already somewhat available anyway. I understand them not making it open source, and risking someone forking it and harming their business. But considering the situation, I would think making it at least source available on a popular forge, where people can make issues and open merge-requests, might be a beneficial thing.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool, would be good.
The PKM I've been using lately, SiYuan, does exactly that, and I think their business model isn't bad: the client is fully FOSS, there are some client-side paid features with a one-time subscription (WebDAV/S3 sync "bring your own server") and some server-side paid features with a more expensive recurring subscription (cloud space provided by them).
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
The article is about security and trust. Open Source is in that context by definition the only good solution. Though that doesn't mean that a closed app has to be bad, you have to blindly trust them, and hope that this will never change. With Open Source, you don't have to be blind, you can trust them in an educated way (or at least trust that others will check what's going on).
Of course this is always a bit case by case, but Obsidian is a very exposed and valuable target.
> I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
While I agree with you, I feel like that was not the point the author was making.
It was more so a warning that the combination of little-reviewed community plugins and a non-sandboxed macOS binary is a potential risk. And with that sentiment I can also agree.
That was my take too. I am less concerned with an app being simply closed source and much more concerned with closed source coupled with skipping review and the general approved distribution models on the two platforms.
I hope you understand that ethics are not absolute. It's unethical for you, according to your ethical rules. That doesn't mean that this applies to other people's rules too.
Yeah, we're on a site where a large majority of users shamelessly work at adtech companies, and threads regularly pop-up where people defend working at companies actively developing and selling exploits.
I am well aware of that, this is why I remind people that proprietary software is bad actually.
You wrote that "Closed-source software" is unethical, not "harmful software & services" is unethical. There is a significant difference. Don't shift your goal as you like.
Not all closed-source software is harmful; Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source, because of how open and supportive it's designed in everything else.
I was just confirming the point you made -- the definition of ethical is not absolute, and there are people that consider questionable things ethical.
> Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source
All proprietary software is unethical. It's as simple as that. No matter whether it's free or paid, no matter whether it's useful or harmful. If you have a right to use it but are deprived of the right to alter it, it is not ethical.
Depends on people, but for most it's mainly because Stallman says so.
You still have ethical ground if you think of it the same way as repairability: actively blocking ways to repair things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolong a strict dependence on your vendor by impairing your ability to resolve issues by yourself.
As someone who also believes closed source software is unethical (though full of nuance), I don't appreciate the abrasive and combative (and frankly rude) way you are engaging on this. You're so epitomizing the rabid stereotype that part of me thinks you are just trolling and don't actually believe what you are saying.
If you actually care about this, stop alienating potential allies, and ideally start making arguments to support your case instead of telling people to RTFM (which in this case is even worse because "the manual" isn't as much of an authoritative mic drop as you seem to think it is).
Not disclosing the ingredients is illegal in a large part of the world, and people can die if you don’t do that, so the answer is clearly yes in some sense. This is also true for some cooking techniques, like heat treatment of raw meat. I think your analogy is not the best.
Not disclosing ingredients is more like not disclosing dependencies, because I am very confident that you can't go into a shop, buy a random food and then construct a recipe from the list of ingredients.
It does however play a hugely important role in a recipe, in a way that the choice of language doesn't play in a program (especially considering Turing completeness). So the analogy is broken.
Besides, nobody made the point that a list of ingredients makes a recipe.
Just that it's important to know the list of ingredients for a food you're gonna eat, and that it's even illegal to not disclose them (either to the public or a regulatory body) if you sell food.
This is the first paragraph after the initial quote defining "free software".
> We campaign for these freedoms because everyone deserves them. With these freedoms, the users (both individually and collectively) control the program and what it does for them. When users don't control the program, we call it a “nonfree” or “proprietary” program. The nonfree program controls the users, and the developer controls the program; this makes the program an instrument of unjust power.
It seems safe to say the author thinks that one creating "an instrument of unjust power" for oneself is unethical. Though, perhaps if the commenter in question pulled that quote out of the article, it could have helped their point.
You don't have to agree with it, but I think it's fair to parrot a take from people who have invested a lot of time and effort into considering why free software is good.
The linked page has a clear explanation for why one might consider nonfree software to be unethical.
Sometimes people take the time to read and understand something and conclude that this is the best way to express it, better than they themselves can paraphrase.
And sometimes they just collect opinions and follow suit, instead of forming their own ones. How do you know which one happened here, are you a mind reader?
> How do you know which one happened here, are you a mind reader?
If you admit that they could be doing one of two things ("And sometimes ...") but you assume it's actually one of them in particular ("I think they asked for your take, not GNU's."), then this question could similarly be asked of you.
A bigger problem with my model is that it's a false dilemma. These are both just characterizations. Both can be true at the same time just fine, and so can neither.
It even does my own sentiment poorly. My actual issue with this whole exchange was not that their thoughts are unoriginal (although I'd be surprised), but that this way of responding I find extremely lazy and disrespectful, as well as generally unreasonable. They were asked for their opinion. It doesn't have to be good, it doesn't have to be rigorous, it just has to be theirs.
Linking out to some reading material and adding nothing else of substance fails even this most basic expectation. It's a discussion thread, not a newsletter. But then just like in the other subthread where the person above found me from, I'm sure they'd argue that this is just, like, my opinion. And that it sure is.
I am quite thankful that thanks to unethical software I am able to pay my bills, instead of being like a street art performer hoping to get enough coins at the end of the day.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
I don't think GPL cares where the money is coming from - we're talking about closed/open source, not ethical business models. If we did, we'd have to also go over unfettered free markets and capital flow.
First of all, I do get by with just FOSS. Second -- whether you can or cannot get by without proprietary software has no relation to it being objectively unethical.
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
macOS:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed achieving the above;
- the macOS App Store is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
> Since Obsidian isn’t distributed through the Mac App Store, it isn’t required to use sandboxing,
> Combined with the fact that its source code isn’t public,
> And that many users rely heavily on Community Plugins (some of my friends have customized their Obsidian setups so much that I barely recognize the app),
> And that users often grant Obsidian access to sensitive folders like iCloud Drive, Documents, or Desktop (protected by TCC or not), etc to open Vault.
If macOS, an OS with POSIX-style permissions, app-level permissions, and folder access limits per app does not have a “granular permissions model”, which OS does? What are you trying to say?
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
I'm not sure how this is relevant? The code is signed but that doesn't mean it doesn't contain backdoors. Without it being open source or at the very least source-available, we can't know
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
The scary thing is that nowadays everything is backdoored. And developers/product owners may not even know about it. Obsidian is an Electron app, thus uses npm, and with npm we now get at least one malicious package per month.
If they have package autoupdate it's just a matter of time and effort for an attacker to plant something shady there. This could be simple crypto-stealer, or this could be a way to access people's personal vaults.
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
That is not meaningfully open source. Even if that were the full source code, it still wouldn't have an open source licence, although then it technically would be free (as in freedom) software, not just open source, but most people assume open source = free software.
I trust the obsidian team, but I don't trust the plugins.
It's a strange article. Yes, it's not open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non-VC funded (like Mattermost enshittification after VC)
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
I've known kepano (their CEO) for almost 20 years, he is an incredible builder and a solid human. My hunch is they would never act in an unsavory way to their users. I get that the point it could be more open (a community build would be slick), and yet it's an incredible product and worthy of financial support. I am glad to be a user and love that it's a part of my daily workflow.
https://triliumnotes.org/ is my clear recommendation. It's quite more powerful than the usual contenders and it may take a while to explore its depths, but it's also not pushing its complexity in your face like Logseq and some others do.
Next step is to give up on files/filesystem. As long as it's opensource, there's no lock-in. As long as the storage backend is clean and structured (SQLite or comparable), you actually get so much more (full text indexing, standard querying, ...)
I initially was cautious when going from "bunch of .MD files" to https://triliumnotes.org/ , since it's been pretty great.
But the files Obsidian works with are just a bunch of .md files that can be viewed or edited with anything: nano, notepad, Visual Studio Code etc. So does it really matter whether it is open source or not?
How is your point relevant to the security risks of community plugins?
But also - no, they aren't, they use plugin-customized non-standard markdown format, so while the extension is the same, you can't view/edit them with anything just like you can't edit Word xml files with notepad (of course, it's not as extreme as Word xml, unless you're an extreme user of custom plugins)
If you're a Linux user you might like Firejail for this.
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.
Note that if you already have an Obsidian vault, suddenly jailing it might break things. Obsidian stores a bunch of state in ~/.config/obsidian which will no longer be valid. And amusingly/frustratingly, the GTK file picker doesn't take the jail into account and seems to produce invalid paths.
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
And all of these issues such as sandboxing and portals are solved by using the Flatpak version instead.
I don't know much about flatpak. How does it solve these issues?
It provides a sandbox, an API to access stuff outside of it (portals), and standard tools to customize what your software has access to (Flatseal, KDE app settings). It's based on the same technology as Docker containers, but for user-space GUI apps.
AppImage is a binary distribution format that does none of that stuff, so you need external tools, like firejail, to limit what the application has access to.
There are many good reasons to trust the Obsidian team (they are not VC backed, they clearly state they don't own your data, you are not locked in). If you don't trust them because they are not open-source, then, if you want to be a purist about it, just use an open-source markdown editor instead.
The author dedicates an entire paragraph to how much they trust the Obsidian team. It isn't open source purism, they are warning users that good intentions don't prevent a developer from writing software containing vulnerabilities.
Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.
Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.
The title is either poorly chosen or shows a different intention than the content of the article I would argue. The objective seems to scare readers, and then nuance the statement in the article. Some call this clickbait, at the expense of the great obsidian team.
> they clearly state
seems a low bar for trusting (that part specifically)
Your files are stored locally in .md
Community plugins and the way they're approved and not reviewed over time due to limited resources is the main problem.
There are many facets to that. Plugins have unrestricted access, they can start servers, make http calls, read/write files ...
Plugins get approved once, but are never checked again.
And plugins are now increasing in number more rapidly, ...
Is this a Mac thing?
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
> Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
https://developer.apple.com/documentation/security/notarizin...
> There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub
Sorry, what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer's website is identical to what is built with the open source code? Just curious.
Yeah there is support for API notarization, so in principle you could have an audit trail that some automated build process got a specific notary result that's "stapled" to the app. I'm not familiar enough to say how trustworthy that approach is, or what exactly you'd need to prove it. And yes, aim for a reproducible build that produces assets with checksums that can be matched to the distributed one.
The mitigation is if someone finds out a (notarized) download is compromised, they can tell Apple and they can retroactively and quickly revoke the signing which is distributed via Gatekeeper. Other users should get the warning if they had previously run the app without an issue.
In theory, yes, you could compare it. In practice, the build would need to be reproducible, which is non-trivial depending on the size of the project and the external dependencies the project itself has.
Mac App Store distribution is not that common. Some apps are available in the store or as direct downloads. The store adds the sandboxing restrictions, which don't work for many apps, e.g. it's not very easy to install a CLI.
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.
Plus, in theory you'd also need reproducible builds for everything because who knows what your compiler did to the source ;-)
Reality is, as you already implied: in practice you cannot "be careful" except avoiding obvious malware.
At SOME point you have to trust SOMEONE, unless you use TempleOS in which case you can trust whatever god you have.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
> I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents were literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions but the real problem with Obsidian is AFAIK the plugins and not the app itself. I mean: they have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
Exactly this. After the enshittification of evernote I swore I would only write documents in formats and contexts where I can easily pick up and move.
In the same boat a few months (actually, almost 2 years!) ago, I found Logseq too limiting as soon as one needs to manage notes consistently ("typing" them as collections of notes of similar nature and acting on their properties as metadata), went through quite a long list of contenders (including AnyType) and ultimately settled with https://triliumnotes.org/
I've used dozens of notetaking tools over the years. Some cloud-based, some markdown-based, some flashy apps, some plain-text, some open-source, and some closed-source. My takeaway from years of jumping between them is this: don't use closed-source notetaking software. Just don't do it. Even if your data is in markdown files, on your own computer, you're still probably stuck with proprietary markdown extensions, and at the very least, you're stuck with muscle memory for the app's UI that you'd have to translate to some new system eventually. Startup companies come and go, on a monthly basis. Developers move on to shiny new projects. You can't take that risk, or any other security risks, with your personal notes.
Don’t really see much of a reason to single out obsidian in this
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
I think the increasingly widespread attitude that only open source software is good and trustworthy is increasingly annoying and problematic.
Building software takes time and resources. Experience shows that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to put food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn't mean I appreciate unnecessary vendor lock-in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if it's not open source, it would be great progress if we had more software like Obsidian.
> I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
In theory, in practice it is obvious that too many eyes to the source keep missing CVEs.
Closed source also keeps missing CVEs, only most of them you never know because they aren't even making it to an officially released CVE. You usually don't even know what libs it uses and at what versions, never mind the proprietary code.
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
I haven't said otherwise, other than the fallacy that being open by itself fixes those issues.
for me it's about running it locally/inside a wireguard network, and not having the rug pulled. not everything needs to be exposed to the internet.
[flagged]
They get to counter a point they think is wrong in an open forum on the internet. I guess they get the satisfaction of providing a second viewpoint to a claim, so that the claim, alone, is not the only viewpoint that others coming to this thread see.
What did you get out of calling out their counterclaim?
> They get to counter a point they think is wrong
They didn't counter OP's claim, though. OP is essentially saying that software other than open-source can be trustworthy and the supposed counter-claim is that open-source software is more trustworthy. Regardless of that being true or false, it's not a counter to the claim that closed-source software can also be trustworthy.
[flagged]
They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person. I mean, "They're being a fucknugget for riffing off of the other person's words". Jesus, chill...
And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
>rather than replying clearly on their own terms
What you quoted couldn't be clearer, or express the responder's terms any better. Your issue is not that the response is not on their own terms, it's that it's not on your terms, where phrasing it similar to what the other person said is supposed to be bad.
But that's more of a you problem. Was just looking at another thread, and chanced on you berating someone for pointing to GNU's website as opposed to writing a set of custom arguments on the spot:
https://news.ycombinator.com/item?id=45679487
As long as they aren't abusive, people can answer any way they damn please, including rewording what the parent wrote, or pointing to some link they agree with. Is that a novel concept?
>And I'd get even more relief if they admitted to having been an asshole on purpose and apologized. God forbid, stopped acting this way.
oh, the irony.
> They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person.
How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
> And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
Yes, and do you not see how clapping back by "cleverly" rewriting someone's words would come across as incredibly annoying? This is just a slightly more elaborate version of how children bicker! How do I need to explain this?
> But that's more of a you problem.
It certainly seems that way...
> oh, the irony
People getting hostile in response to hostility? Oh no, not the irony?! Case in point:
> As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote,
This WAS abusive, that's my whole issue dude. It'd appear what is and isn't abusive isn't a fundamental force of the universe, and you and a few of your peers here just happen to not find what I - and imo, any average person with a reading comprehension - find immensely abusive.
>How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
"Contorting someone's words" is said when someone changes what somebody said to make it appear as if they meant something else.
Not when someone merely expresses a different opinion, as their own, using some part of the other's wording.
>Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying?
No. That's a you problem. And even describing it as "rewriting someone words" would be a stretch. They merely used the same noun (which they need to, as they speak about the same thing), and contended that the opposite is true:
"I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic"
"Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time".
The only annoying comment I see in the whole exchange is yours.
>People getting hostile in response to hostility? Oh no, not the irony?!
The only hostility was in your mind, based on your premise that responding by reusing some of the same wording is "hostile".
I hope all replies you'll ever get will be in their style, maybe that will (eventually) teach you why I find it oh-so-unreasonably hostile, and yes, an intentional contortion of words.
I further hope someone will be there afterwards to gaslight you about how there's actually nothing wrong with it, and that it's all in your head (which is like no shit, where do you think hostility arrives to?), and that it's a you problem (whose problem would you be reporting on? nonsense...).
[dead]
It's a comment on the internet, dude, are you okay?
May the one without sin throw the first stone?
so why did it take you so long to be open about your own motives? still, it's good that you did admit to it in the end.
[flagged]
The satisfaction that they told the objective truth.
I have the impression these people only use Big Tech open source projects. Why they would expect software developers to work for free so they can give their beautiful contribution of using it for free is really unknown to me.
Obsidian also has affordable commercial pricing. By now I very much try to pay support contracts or give back to projects in other ways at work.
The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit-figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
In case you missed it, Obsidian is now free for work. The commercial license is an optional donation, similar to the Catalyst license.
https://obsidian.md/blog/free-for-work/
Yes. I have mentioned this internally, but my boss has agreed to keep it.
always nice to see the CEO doing evangelism work. Keep it up my man :-)
>I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
> has some track record for privacy, like Apple.
Should we tell them?
In this case the "closed source app" is using a very open and easy to parse format.
If Obsidian enshittified tonight so badly I had to stop using it, the only thing I'd kind of miss is dataview and bases.
And of those dataview is "just" parsing a bunch of markdown with javascript. Bases is a yaml format for displaying more markdown.
I'm pretty sure I could vibe-code some scripts over a weekend that cover most of my Obsidian use-cases and use any markdown-capable editor for writing.
That's why I use Obsidian (and stopped using Joplin, because - at the time - all my notes were in one obscure blob)
Same here. I have not found any open source option that does all of these: Nice user interface / App for both Mac and iOS / Automatic syncing.
I think they could easily make Obsidian open source without losing out on profits. The app itself is free anyway. They could keep the sync backend closed source and make people pay to use the sync feature.
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
Obsidian is using electron, so the source is already somewhat available anyway. I understand them not making it open source, and risking someone forking it and harming their business. But considering the situation, I would think making it at least source available on a popular forge, where people can make issues and open merge-requests, might be a beneficial thing.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool would be good.
Does anyone know if it's possible to have a core which is unsandboxed, but load plugins which are sandboxed? This seems like a great solution if so.
This is one of the main use cases for Webassembly outside of the browser.
I think we will soon see the ability to write plugins that can even run server-side of SaaS solutions.
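As an added example (not code from this thread, from Obsidian, or from any plugin runtime), here is the "unsandboxed core, sandboxed plugin" shape the question above asks about, using WebAssembly as the previous comments suggest. The host is ordinary Node.js with full authority; the plugin is a hand-assembled wasm module (constructed for this example) whose only way to touch the outside world is the single `host.noteLength` import the host chooses to give it. The in-memory vault, the `noteLength` capability and the allow-list policy are all assumptions made up for the demo; the contrast with a plugin loaded as plain JavaScript into the app process, where file and network access are ambient, is the point.

```javascript
// Hand-assembled WebAssembly binary (constructed for this example). In WAT:
//   (module
//     (import "host" "noteLength" (func $noteLength (param i32) (result i32)))
//     (func (export "run") (param i32) (result i32)
//       local.get 0
//       call $noteLength))
// A wasm module has no ambient authority: no filesystem, no sockets, no
// globals. It can only call what appears in its import section.
const PLUGIN_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,             // type 0: (i32) -> i32
  0x02, 0x13, 0x01,                                           // import section, 1 entry
  0x04, 0x68, 0x6f, 0x73, 0x74,                               //   module "host"
  0x0a, 0x6e, 0x6f, 0x74, 0x65, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, // field "noteLength"
  0x00, 0x00,                                                 //   kind func, type 0
  0x03, 0x02, 0x01, 0x00,                                     // function section: 1 func of type 0
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,       // export "run" -> func index 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x20, 0x00, 0x10, 0x00, 0x0b, // body: local.get 0; call 0; end
]);

// Constructed in-memory "vault" standing in for the user's notes.
const VAULT = ['daily log', 'meeting notes for project X', 'passwords.md'];

// The host builds the capability set for one plugin run. `allowed` is the
// host's policy: note indices the plugin may ask about. Everything else
// answers -1, and note contents are never reachable because no import
// exposes them. `calls` is an audit log of what the plugin asked for.
function makeHostApi(allowed) {
  const calls = [];
  const api = {
    host: {
      noteLength(idx) {
        calls.push(idx);
        return allowed.has(idx) && idx < VAULT.length ? VAULT[idx].length : -1;
      },
    },
  };
  return { api, calls };
}

// Instantiate the plugin with exactly the imports given and call its export.
function runPlugin(imports, noteIdx) {
  const mod = new WebAssembly.Module(PLUGIN_WASM);
  const inst = new WebAssembly.Instance(mod, imports);
  return inst.exports.run(noteIdx);
}

// Three runs: an allowed note, a denied note, and an attempt to load the
// plugin with an empty capability set (fails at link time, before any code
// in the plugin executes).
function demo() {
  const { api, calls } = makeHostApi(new Set([0, 1]));
  const allowedLen = runPlugin(api, 1); // 'meeting notes for project X'.length
  const denied = runPlugin(api, 2);     // policy says no -> -1
  let threw = false;
  try {
    runPlugin({ host: {} }, 0);         // import missing -> LinkError
  } catch (e) {
    threw = true;
  }
  return { allowedLen, denied, calls, threw };
}

console.log(JSON.stringify(demo()));
```

The host stays unsandboxed and keeps full control of policy and logging; whatever the plugin author wrote, the module cannot obtain a capability the host did not pass in, which is what makes wasm attractive for third-party plugins compared with scripts evaluated inside the application's own process.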
The PKM I've been using lately, SiYuan, does exactly that, and I think their business model isn't bad: the client is fully FOSS, there are some client-side paid features with a one-time subscription (WebDAV/S3 sync "bring your own server") and some server-side paid features with a more expensive recurring subscription (cloud space provided by them).
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
The article is about security and trust. Open source is in that context by definition the only good solution. Though that doesn't mean that a closed app has to be bad, but you have to blindly trust them, and hope that this will never change. With open source, you don't have to be blind, you can trust them educated (or at least trust that others will check what's going on).
Of course this is always a bit case by case, but Obsidian is a very exposed and valuable target.
> I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
Obsidian is a layer on top of https://codemirror.net/ -- they didn't write a text editor, really.
Phew, good thing it’s not a text editor.
Looks like one to me. A WYSIWYG text editor with hyper links. Like Emacs.
While I agree with you, I feel like that was not the point the author was making.
It was more so a warning that the combination of little-reviewed community plugins and a non-sandboxed macOS binary is a potential risk. And with that sentiment I can also agree.
That was my take too. I am less concerned with an app being simply closed source and much more concerned with closed source coupled with skipping review and the general approved distribution models on the two platforms.
It does not have to make money for people to do it as a hobby. Not everything people do is because of money.
Closed-source software is unethical regardless of any of your unsubstantiated claims on its or open-source software's security.
I hope you understand that ethics are not absolute. It's unethical for you, according to your ethical rules. That doesn't mean this applies to other people's rules too.
Yeah, we're on a site where a large majority of users shamelessly work at adtech companies, and threads regularly pop up where people defend working at companies actively developing and selling exploits.
I am well aware of that, this is why I remind people that proprietary software is bad actually.
You wrote that "Closed-source software" is unethical, not "harmful software & services" is unethical. There is a significant difference. Don't shift your goal as you like.
Not all closed-source software is harmful; Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source, because of how open and supportive it's designed in everything else.
> Don't shift your goal as you like.
I was just confirming the point you made -- the definition of ethical is not absolute, and there are people that consider questionable things ethical.
> Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source
All proprietary software is unethical. It's as simple as that. No matter whether it's free or paid, no matter whether it's useful or harmful. If you have a right to use it but are deprived of the right to alter it, it is not ethical.
Why do you think it's unethical?
Depends on people, but for most it's mainly because Stallman says so.
You still have ethical ground if you think of it the same way as repairability: actively blocking ways to repair things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolong a strict dependence on your vendor by impairing your ability to resolve issues by yourself.
>Depends on people, but for most it's mainly because Stallman says so
No, for most it's because they evaluated a number of ethical, social, and technical concerns, and think so.
I will assume you're not trolling but that you just don't know what FOSS is about. Check this out https://www.gnu.org/philosophy/free-sw.en.html
You don't have to be ignorant of FOSS to disagree with the statement that closed source software is unethical.
As someone who also believes closed source software is unethical (though full of nuance), I don't appreciate the abrasive and combative (and frankly rude) way you are engaging on this. You're so epitomizing the rabid stereotype that part of me thinks you are just trolling and don't actually believe what you are saying.
If you actually care about this, stop alienating potential allies, and ideally start making arguments to support your case instead of telling people to RTFM (which in this case is even worse because "the manual" isn't as much of an authoritative mic drop as you seem to think it is).
If you don't know the recipe for a food, is it automatically unethical food?
Not disclosing the ingredients is illegal in a large part of the world, and people can die if you don't do that, so the answer is clearly yes in some sense. This is also true for some cooking techniques, like heat treatment of raw meat. I think your analogy is not the best.
Not disclosing ingredients is more like not disclosing dependencies, because I am very confident that you can't go into a shop, buy a random food and then construct the recipe from the list of ingredients.
There are parts of the code which don't use dependencies, because you wrote it. Which part of any food is not created from ingredients?
If the recipe is hidden, yes.
It's probably illegal too, as in many jurisdictions the public, or at least a health/food regulatory body, should know the process and ingredients.
Take into account allergens, and on top of a matter of public knowledge and health, it can also be a matter of life and death.
List of ingredients does not a recipe make.
It's like saying "Linux uses C" and now you instantly can copy Linux =)
> List of ingredients does not a recipe make.
It does however play a hugely important role in a recipe, in a way than the choice of language doesn't play in a program (especially considering turing completeness). So the analogy is broken.
Besides, nobody made the point that a list of ingredients makes a recipe.
Just that it's important to know the list of ingredients for a food you're gonna eat, and that it's even illegal to not disclose them (either to the public or a regulatory body) if you sell food.
> List of ingredients does not a recipe make.
Apologies if the parent comment was edited after you wrote yours but a "process and ingredients" does a recipe make.
this page gives no arguments why nonfree software is unethical
This is the first paragraph after the initial quote defining "free software".
> We campaign for these freedoms because everyone deserves them. With these freedoms, the users (both individually and collectively) control the program and what it does for them. When users don't control the program, we call it a “nonfree” or “proprietary” program. The nonfree program controls the users, and the developer controls the program; this makes the program an instrument of unjust power.
It seems safe to say the author thinks that one creating "an instrument of unjust power" for oneself is unethical. Though, perhaps if the commenter in question pulled that quote out of the article, it could have helped their point.
[flagged]
You don't have to agree with it, but I think it's fair to parrot a take from people who have invested a lot of time and effort into considering why free software is good.
The linked page has a clear explanation for why one might consider nonfree software to be unethical.
And his take is that he agrees with GNUs take, and points to that as handy list of arguments in its favor.
Sometimes people take the time to read and understand something and conclude that this is the best way to express it, better than they themselves can paraphrase.
And sometimes they just collect opinions and follow suit, instead of forming their own ones. How do you know which one happened here, are you a mind reader?
> How do you know which one happened here, are you a mind reader?
If you admit that they could be doing one of two things ("And sometimes ...") but you assume it's actually one of them in particular ("I think they asked for your take, not GNU's."), then this question could similarly be asked of you.
Could be, although it's a bit harder to justify.
A bigger problem with my model is that it's a false dilemma. These are both just characterizations. Both can be true at the same time just fine, and so can neither.
It even does my own sentiment poorly. My actual issue with this whole exchange was not that their thoughts are unoriginal (although I'd be surprised), but that this way of responding I find extremely lazy and disrespectful, as well as generally unreasonable. They were asked for their opinion. It doesn't have to be good, it doesn't have to be rigorous, it just has to be theirs.
Linking out to some reading material and adding nothing else of substance fails even this most basic expectation. It's a discussion thread, not a newsletter. But then just like in the other subthread where the person above found me from, I'm sure they'd argue that this is just, like, my opinion. And that it sure is.
Do you have any opinions of your own instead of berating people with meta arguments and rudeness?
Yes.
If you cared to find out, you could try asking questions about the views, instead of poisoning the well.
Sounds like a great way to get a whole sitemap for GNU's website! Not sure I'm interested indeed, just like you insinuate.
I am quite thankful that thanks to unethical software I am able to pay my bills, instead of being like a street art performer hoping to get enough coins at the end of the day.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
Maybe that's because supermarkets would think a "pull request" is just shoplifting?
Many open source projects are written by people who are paid to do so. Just because you couldn't do it doesn't mean it's not possible.
From companies whose main business is selling unethical software.
Naturally I am not counting those, given that they are paid in tainted money as per OP's complaint.
I don't think GPL cares where the money is coming from - we're talking about closed/open source, not ethical business models. If we did, we'd have to also go over unfettered free markets and capital flow.
FOSS and GPL aren't exactly the same thing.
We are surely talking about ethics,
> Closed-source software is unethical regardless of any of your unsubstantiated claims on its or open-source software's security.
And in that regard, there is also something to talk about regarding some prominent figures in open-source world.
Oh, DHH? Not sure how his xenophobic ramblings have anything to do with this...
Ah, you're one of _those_ people.
If it was only one.
Try to get by with just open source software, I guarantee you won’t.
First of all, I do get by with just FOSS. Second -- whether you can or cannot get by without proprietary software has no relation to it being objectively unethical.
Somebody read that recent open letter to the Obsidian Team and realized the security implications rather than just the inconvenience :D
So far I have uninstalled all themes & plugins except the kanban board - I'm working on it. I'll use core obsidian and that's all.
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
macOS:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec, which allowed achieving the above;
- the macOS App Store is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it), anyone? You are on your own here mostly, and you need to perform your own due diligence on those community-supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
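One way to do that due diligence over a vault's installed community plugins, as an added example that is neither Obsidian's code nor part of this thread: it walks the real install layout `.obsidian/plugins/<id>/`, reads each manifest.json, and flags coarse capability markers (network, shell, Node fs, dynamic code, Electron) in the bundled main.js. The marker list is a heuristic chosen for this example, and the two sample plugins it scans are constructed here.

```python
import json
import re
import tempfile
from pathlib import Path

# Coarse capability markers for a bundled main.js (heuristic chosen for this example).
CAPABILITY_PATTERNS = {
    "network": re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|requestUrl)\s*\("),
    "shell": re.compile(r"require\(\s*['\"](?:node:)?child_process['\"]\s*\)"),
    "node_fs": re.compile(r"require\(\s*['\"](?:node:)?fs(?:/promises)?['\"]\s*\)"),
    "dynamic_code": re.compile(r"\b(eval|new Function)\s*\("),
    "electron": re.compile(r"require\(\s*['\"]electron['\"]\s*\)"),
}

def scan_source(js_source):
    """Return the sorted capability names whose markers appear in a plugin bundle."""
    return sorted(n for n, pat in CAPABILITY_PATTERNS.items() if pat.search(js_source))

def scan_vault(vault):
    """Map plugin id -> manifest name/version plus the capabilities found in main.js."""
    report, plugins_root = {}, Path(vault) / ".obsidian" / "plugins"
    if not plugins_root.is_dir():
        return report
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        manifest_path, main_js = plugin_dir / "manifest.json", plugin_dir / "main.js"
        if not (manifest_path.is_file() and main_js.is_file()):
            continue  # no bundle to inspect (not an installed plugin)
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        report[manifest.get("id", plugin_dir.name)] = {
            "name": manifest.get("name", plugin_dir.name),
            "version": manifest.get("version", "?"),
            "capabilities": scan_source(main_js.read_text(encoding="utf-8")),
        }
    return report

def build_sample_vault(root):
    """Write a constructed vault with two fake plugins (sample data for this example)."""
    plugins = {
        "word-count": "const o=require('obsidian');"
                      "module.exports=class extends o.Plugin{onload(){this.addStatusBarItem()}}",
        "sync-helper": "const {exec}=require('child_process');const o=require('obsidian');"
                       "module.exports=class extends o.Plugin{onload(){"
                       "fetch('https://example.invalid/ping');exec('git status')}}",
    }
    for pid, js in plugins.items():
        d = Path(root) / ".obsidian" / "plugins" / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": pid, "version": "1.0.0"}))
        (d / "main.js").write_text(js)
    return root

def sample_report():
    """Scan the constructed vault; 'sync-helper' is flagged for network and shell access."""
    with tempfile.TemporaryDirectory() as vault:
        return scan_vault(build_sample_vault(vault))

if __name__ == "__main__":
    for pid, info in sample_report().items():
        print(f"{pid} {info['version']}: {', '.join(info['capabilities']) or 'nothing flagged'}")
```

Point `scan_vault` at a real vault path to list what each installed plugin bundle reaches for; a hit is a reason to read the plugin's source, not proof of malice.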
> Obsidian could hugely benefit from an independent audit of the closed source base.
They do a yearly audit: https://obsidian.md/security
Meanwhile, any plugin can do anything.
Sure, but that's not the issue raised by the article.
And if it was the other way around, I guess people would be complaining about how closed it is for the developers.
I think part of its success is due to the ecosystem composed of hundreds of plugins.
It reads like that to me:
> Since Obsidian isn’t distributed through the Mac App Store, it isn’t required to use sandboxing,
> Combined with the fact that its source code isn’t public,
> And that many users rely heavily on Community Plugins (some of my friends have customized their Obsidian setups so much that I barely recognize the app),
> And that users often grant Obsidian access to sensitive folders like iCloud Drive, Documents, or Desktop (protected by TCC or not), etc to open Vault.
> To me, this represents a very serious risk.
If macOS, an OS with POSIX-style permissions, app-level permissions, and per-app folder access limits, does not have a “granular permissions model”, which OS does? What are you trying to say?
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
Plugin sandboxing is the answer to such community extension concerns, but then that's unfortunately only part of the bright future ahead...
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
Would it be best to be closed source and pay to get the source code with 1 year updates, (except say license server unless you're enterprise)?
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't really cut it.
This is ridiculous. The macOS app is signed.
Also, I love OSS as much as the next person, but not everything needs to be.
I'm not sure how this is relevant? The code is signed, but that doesn't mean it doesn't contain backdoors. Without it being open source, or at the very least source-available, we can't know.
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
does the fact that the app is signed mean it must use sandboxing?
> it isn’t required to use sandboxing
The scary thing is that nowadays everything is backdoored. And developers/product owners may not even know about it. Obsidian is an Electron app, thus uses npm, and with npm we now get at least one malicious package per month. If they have package autoupdate, it's just a matter of time and effort for an attacker to plant something shady there. This could be a simple crypto-stealer, or this could be a way to access people's personal vaults.
What is the alternative? Everyone stop using package managers?
> Obsidian’s source code is closed
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
That is not meaningfully open source. Even if that were the full source code, it still wouldn't have an open source licence, although then it technically would be free (as in freedom) software, not just open source, but most people assume open source = free software.
I trust the obsidian team, but I don't trust the plugins.
Open-source is not about being able to view the source code at point-of-execution. It's about having a license to modify/distribute that source code
It's a strange article. Yes, it's not open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non-VC funded (like Mattermost's enshittification after VC)
- open source formats
- community plugins with source code (it's JS)
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
To add, in the latest version of macOS / iOS you can import / export as Markdown, which is quite nice.
It is astonishingly sharp
I really like the obsidian canvas.
I've known kepano (their CEO) for almost 20 years, he is an incredible builder and a solid human. My hunch is they would never act in an unsavory way towards their users. I get the point that it could be more open (a community build would be slick), and yet it's an incredible product and worthy of financial support. I am glad to be a user and love that it's a part of my daily workflow.
Need an open source Obsidian alternative.
https://triliumnotes.org/ is my clear recommendation. It's quite a bit more powerful than the usual contenders and it may take a while to explore its depths, but it's also not pushing its complexity in your face like Logseq and some others do.
I'm not sure what your needs are, but I've been using Joplin and it works for me.
Tried Joplin, it creates an unholy mess of files. I far prefer the clear format of Obsidian.
Next step is to give up on files/filesystem. As long as it's opensource, there's no lock-in. As long as the storage backend is clean and structured (SQLite or comparable), you actually get so much more (full text indexing, standard querying, ...)
I initially was cautious when going from a "bunch of .MD files" to https://triliumnotes.org/ , but it's been pretty great.
Hmmm, it has been years since I last tried it, perhaps it is time for another chance indeed. Thanx.
I am a fan of Logseq [0] as well, although it’s slightly different in that it is mostly for bulleted notes and not long-form prose.
[0]: https://logseq.com/
I tried Joplin, Logseq and AppFlowy but ended up with SiYuan.
You can check my FOSS note-taking app: https://notes-foss.com
This looks impressive. Nice to see a modern, sleek app built with Qt + QML. I moved on from raw Qt after my last job, will take a look at using QML.
Looks great! I'll follow along so I can try it out if syntax-aware code blocks and callouts are ever supported
Great! They will be supported earlier in my non-FOSS note-taking app with a block editor (get-notes.com). So you can follow there as well.
But the files Obsidian works with are just a bunch of .md files that can be viewed or edited with anything: nano, notepad, Visual Studio Code, etc. So does it really matter whether it is or is not open source?
How is your point relevant to the security risks of community plugins?
But also - no, they aren't. They use a plugin-customized, non-standard Markdown format, so while the extension is the same, you can't view/edit them with anything, just like you can't edit Word XML files with Notepad (of course, it's not as extreme as Word XML, unless you're an extreme user of custom plugins).
It does if you care about running shady binary blobs on your system, and if you care about ethics.
It does if you care about your editor.