Hacker News new | ask | show | jobs
by nrvn 243 days ago
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.

Macos:

- does not have a granular permissions model as far as I know;

- deprecated sandbox-exec that allowed to achieve the above;

- macos appstore is a very strange phenomenon, I would not put much trust in it by default.

Obsidian:

- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.

Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.

[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
2 comments
wiether 243 days ago
> Obsidian could hugely benefit from an independent audit of the closed source base.

They do a yearly audit: https://obsidian.md/security

link
yencabulator 243 days ago
Meanwhile, any plugin can do anything.
link
wiether 243 days ago
Sure, but that's not the issue raised by the article

And if it was the other way around, I guess people would be complaining about how closed it is for the developers

I think part of its success is due to the ecosystem composed of hundreds of plugins.

link
yencabulator 243 days ago
It reads like that to me:

> Since Obsidian isn’t distributed through the Mac App Store, it isn’t required to use sandboxing,

> Combined with the fact that its source code isn’t public,

> And that many users rely heavily on Community Plugins (some of my friends have customized their Obsidian setups so much that I barely recognize the app),

> And that users often grant Obsidian access to sensitive folders like iCloud Drive, Documents, or Desktop (protected by TCC or not), etc to open Vault.

> To me, this represents a very serious risk.

link
joomla199 243 days ago
If MacOS, an OS with posix style permissions, app level permissions, and folder access limits per app does not have a “granular permissions model”, which OS does? What are you trying to say?
link