[troad]

No, I don't agree. Asking plugins to pinky-promise which resources they will and will not use is absolutely meaningless from a security perspective. If anything, it engenders a false sense of security in end users, and continues a pattern whereby Obsidian tacitly endorses things that are inherently risky.

The fundamental issue here is that the current plugin model is intrinsically broken, and tinkering around the edges is just a diversion of efforts from clearing that tech debt. It doesn't need to happen overnight, but it does need to happen.

The meaningful improvement here is the promise of sandboxed plugins in the future, assuming I understood correctly, and that's just a fairly vague promise at this stage. I absolutely and in full earnestness wish you guys the best with that one. It will meaningfully improve Obsidian and make it easier to recommend to others.

[kepano]

It's not tacit, it's explicit. People should have the freedom to do dangerous things as long they understand and accept the risks. I'm not interested in making software that imposes limits on what a person can do with their own computer.

I completely understand if you disagree, in which case Obsidian is not for you. It's perfectly fine to not recommend it! Obsidian is not trying to be for everyone.

See also: https://stephango.com/saw

[troad]

I'm a programmer, I have zero fear of programmable tools, and it's a clumsy attempt to divert from my point to suggest I do.

You're creating a false dichotomy. A well designed sandbox with accurate permissions is HOW a person "understands and accepts risks". A system whereby a plugin pinky-promises one thing, and then does another, precludes informed consent.

Obsidian tacitly endorses this ecosystem because it is profitable for Obsidian to point to plugins for missing base functionality, and then throw up its hands and pretend like it's not their problem when something inevitably goes pear-shaped. That's how we end up with "warning screens" that in fact encourage the user to press "Yes". (And, as in the recent security incident, Obsidian then disclaims any responsibility when the user does click Yes, despite the heavy encouragement by Obsidian.)

Not hard to see why a business would act this way - all profits are ours and all risks are someone else's - but spare me the faux moralising about software freedom.

It is surreal to claim that a well defined sandbox with accurately described permissions is somehow against freedom. It would be a far more robust, trustworthy and empowering plugin ecosystem than the one Obsidian has now.

> Obsidian is not for you

Ooft.

And a lot of other HN commenters and other tech-savvy users with my exact concerns, apparently.

Somehow, most other software doesn't have this recurrent problem of mainlining third party malware to their users. See you at the next Obsidian "security incident", I guess?

[kepano]

I'm trying to have a real conversation with you but you seem determined to disagree with me, twist my words, and put up these straw man arguments. Why are you trying to pin me as anti-sandbox/permissions? I'm not.

I don't think these two points should be particularly controversial:

1. Permissions are planned but they're not a panacea. Apps are sandboxed on iOS/Android, browser extensions have permissions, yet both can easily do dangerous things. Permissions suffer the same issue you described: all a user needs to do is press "Yes" to allow danger. If you care about making powerful software you inevitably must have some way for a user to say they "understand and accept the risks". The other option is to simply not let your software be powerful, which is not what I am interested in working on.

2. Analyzing plugin source code must be part of the overall solution not only for security, but also performance, reliability, ease-of-use, etc. How can you be against that? It makes absolutely no sense to me.

48 hours in, the new review system is already working. Hundreds of updates have been published by developers cleaning up their code and making their plugins safer in ways that a permission system would not catch. You can see that for yourself by looking at recent updates from the community: https://community.obsidian.md/search?type=plugin&sort=update...

As I have stated elsewhere many times, I'd be working on Obsidian even if I were the only user. That's why the app is free, we don't have investors, and we're okay staying small. The way plugins work is not motivated by money, it's a reflection of the kind of software we want to use.

It is fulfilling to see many people find value out of the app. People are creating many useful and interesting plugins I would have never imagined. Selfishly, I want to be able to use and trust those plugins just like anyone else. And that's the only motivation I need to work on the problem of plugin safety.

I understand you wish we had sandboxed plugins first, and built on top of it that way. But we didn't. Now we have been cursed with success and a large ecosystem that needs to be managed and transitioned. We will continue to chip away at the problem bit by bit. I don't think there's any other way to do it.

[troad]

FWIW, I think you're twisting my words and putting up strawman arguments too.

Permissions are not a panacea, but it is a very rare plugin indeed that will need to run unsandboxed executable code with full disk and network access. Currently, that's every plugin. The work of the vast bulk of Obsidian plugins could be achieved with much narrower permissions than this. You're letting the perfect be the enemy of the good if you're letting the 0.1% be a blocker for improving security around the remaining 99.9%.

I use and pay for Obsidian. I very much look forward to a future where plugins are something that someone could confidently run. I don't think we're there yet, and that's all my stance comes down to. I am happy you're taking the plugin situation seriously and I wish you the best of luck.

On an interpersonal note, I was really put off by the tone of the response ("Obsidian isn't for you", "clearly, you didn't read the post", etc) and the strawman arguments laced throughout (how can you be against code review? Unlike you, we believe in software freedom... ). I'm not sure what comments like "Obsidian isn't for you" were supposed to achieve, but I found that comment quite galling. To the extent my response to that was a little fiery, I apologise. I don't think either of us came at this discussion in the most constructive way. I can only own my part of that.

Good luck with the plugin improvement roadmap! Genuinely. I intend to remain a paying customer, despite - uh - the CEO's opposition. :P

[kepano]

I apologize for being so feisty. I found your initial comment extremely disheartening:

> No permissions system, nothing resolved.

I could not let that comment stand because it's simply not true, and you probably wouldn't say it that way to me in person. We're not some faceless corporation. We're a team of seven sharing a year's work, which is expressly imperfect and in progress. I'm not looking to be showered with praise, like I said in my comment on the post we're listening to everyones gripes, and working on them. But a bit of nuance and congeniality is appreciated.

[troad]

You're right! I apologise for the tactlessness. I would find it extremely disheartening to hear what I said to you. There was a better, gentler way to express my overall concerns, and I owed it to you to take that extra minute to do so. Not only would it have avoided needless upset, but it would have been more effective in getting those concerns across. Mea culpa.