Hacker News new | ask | show | jobs
by hackermanai 38 days ago
> actively reject multiple safety warnings

Is this like a popup? which most people actively accept without blinking

I think plugin/extensions should be a bit harder to run by default. I get the user friction from extra hurdles before using their plugins etc., but I don't think there is an actually safe way to execute arbitrary code, unaudited, without sandboxing, or other restrictions.
3 comments
kepano 37 days ago
It's not one pop-up. To fully replicate the concept you have to agree on three separate screens (and these are not in quick succession):

1. exit restricted mode to allow third-party plugins

2. trust the author of the vault that's being shared with you

3. trust the plugins being shared with you via sync

link
Daedren 38 days ago
The pop-ups and "social engineering" in question are things that any users in HN likely already accepted, which is to enable community plugins. These community plugins are the backbone of Obsidian and where a lot of the meat is behind its fame come from.

There's no protections beyond that, community plugins can do whatever they want. Thankfully, the vast majority of them are open-source.

link
kevinmgranger 37 days ago
I'm gonna push back against the "backbone of Obsidian" part. I'll argue that vanilla Obsidian is plenty powerful enough.

I know many people swore / swear by the datatables plugin, but now that Bases in core, you can get pretty far without it, no?

link
Daedren 37 days ago
I agree with you that vanilla Obsidian is plenty powerful, but it's exactly like Vim's case. It's good enough on its own, but there's always more.

There's countless articles and videos about various community plugins and even curated selections of them depending on your use case for Obsidian.

link
wolvoleo 37 days ago
I can't do without the livesync plugin. And also copilot (connected to a locally hosted LLM of course) and readitlater.
link
rithdmc 38 days ago
As someone who doesn't use shared vaults - would the warning popup, 'to enable the "Installed community plugins" synchronization feature', not be on a per shared vault basis? Is trusting a single shared vault for plugin sync going to mean I sync my plugins for every shared vault?

IMO that's an issue in and of itself, but it doesn't read that way in the (very unclear) original article.

link
wiseowise 38 days ago
This. Make it like a vim mode, input “I know what I’m doing” or even require some basic fizz buzz.
link