Hacker News new | ask | show | jobs
by troad 38 days ago
No permissions system, nothing resolved. Plugins still have access to everything - full disk, network, etc. How does one even speak of security vulnerabilities when the security model of Obsidian plugins is just straight up "click here for RCE".

All I see is a spanking new interface that will accelerate the pace of plugin turnover, bringing forward the next inevitable security incident.
2 comments
kepano 38 days ago
It seems like you have not read the blog post.
link
rtrgrd 38 days ago
Just wanted to say a huge thankyou for being so patient in the forum; it's quite annoying that the comment section is a more a function of the title + personal opinions than a function of the blog content.

I love using obsidian, and thanks so much for all the work that you and the team have put in :)

link
kepano 38 days ago
Thank you! It means a lot <3
link
troad 38 days ago
For what it's worth - and I know I'm being very critical of the plugin security model here - I also think Obsidian is very good, and am a paying customer.

Part of my frustration with this is that I've seen hobbyist video games with a more robust plugin security model than Obsidian's plugins. It's possible to do better than just "yolo, eval(github)", and I feel like it would thoroughly improve Obsidian for me, and apparently many others (judging by all these comments), if Obsidian invested in creating a secure plugin ecosystem rather than putting lipstick on the existing yolo plugin vortex.

Just because Obsidian is in JS, and JS has a terrible culture around package security, doesn't mean Obsidian needs to inherit and propagate that culture.

link
troad 38 days ago
I have indeed read the blog post. Can you point out which part of my post is inaccurate? It is certainly possible I misunderstood something.

Surely you're not about to claim that asking plugins to "disclose" what resources they use is in any way comparable to sandboxing and permissions.

link
kepano 38 days ago
As I wrote, yes, a permission system is planned. But 1. we cannot oversimplify the problem of getting from here to there, 2. permissions are not a panacea. If you look at the scorecards for a few plugins you'll immediately see issues that a permission system wouldn't catch.

Millions of people depend on thousands of Obsidian plugins. We cannot just flip a switch and break everyone's workflows overnight. It will be a gradual process. We're working on it, and I hope you'll at least concede that this is better than nothing.

link
troad 37 days ago
No, I don't agree. Asking plugins to pinky-promise which resources they will and will not use is absolutely meaningless from a security perspective. If anything, it engenders a false sense of security in end users, and continues a pattern whereby Obsidian tacitly endorses things that are inherently risky.

The fundamental issue here is that the current plugin model is intrinsically broken, and tinkering around the edges is just a diversion of efforts from clearing that tech debt. It doesn't need to happen overnight, but it does need to happen.

The meaningful improvement here is the promise of sandboxed plugins in the future, assuming I understood correctly, and that's just a fairly vague promise at this stage. I absolutely and in full earnestness wish you guys the best with that one. It will meaningfully improve Obsidian and make it easier to recommend to others.

link
kepano 37 days ago
It's not tacit, it's explicit. People should have the freedom to do dangerous things as long they understand and accept the risks. I'm not interested in making software that imposes limits on what a person can do with their own computer.

I completely understand if you disagree, in which case Obsidian is not for you. It's perfectly fine to not recommend it! Obsidian is not trying to be for everyone.

See also: https://stephango.com/saw

link
troad 37 days ago
I'm a programmer, I have zero fear of programmable tools, and it's a clumsy attempt to divert from my point to suggest I do.

You're creating a false dichotomy. A well designed sandbox with accurate permissions is HOW a person "understands and accepts risks". A system whereby a plugin pinky-promises one thing, and then does another, precludes informed consent.

Obsidian tacitly endorses this ecosystem because it is profitable for Obsidian to point to plugins for missing base functionality, and then throw up its hands and pretend like it's not their problem when something inevitably goes pear-shaped. That's how we end up with "warning screens" that in fact encourage the user to press "Yes". (And, as in the recent security incident, Obsidian then disclaims any responsibility when the user does click Yes, despite the heavy encouragement by Obsidian.)

Not hard to see why a business would act this way - all profits are ours and all risks are someone else's - but spare me the faux moralising about software freedom.

It is surreal to claim that a well defined sandbox with accurately described permissions is somehow against freedom. It would be a far more robust, trustworthy and empowering plugin ecosystem than the one Obsidian has now.

> Obsidian is not for you

Ooft.

And a lot of other HN commenters and other tech-savvy users with my exact concerns, apparently.

Somehow, most other software doesn't have this recurrent problem of mainlining third party malware to their users. See you at the next Obsidian "security incident", I guess?

link
dSebastien 37 days ago
This is a HUGE improvement to the status quo. Give it some time. They do care
link