Be Careful with Obsidian

Trust, Closed Source, and the Article’s Framing

  • Several commenters argue Obsidian is relatively trustworthy for proprietary software: non‑VC funded, clear “your data is yours” stance, local Markdown files, generous licensing.
  • Others say the article is really about security, not “evil devs”: good intentions don’t prevent vulnerabilities.
  • Some think the title unfairly singles out Obsidian or is borderline clickbait given the nuanced content.

Open Source vs. “Source Visible”

  • Being able to open Electron devtools and read the minified JS does not make an app open source; the license and the right to modify and redistribute are what matter.
  • Open source is framed as reducing vulnerabilities over time and giving users an escape hatch if the vendor changes.
  • Counterpoint: even open source often lacks verified, reproducible builds, so users still mostly “trust” binaries.

Security Model and Plugin Risks

  • Main concrete risk: community plugins run unsandboxed, with the same OS privileges as Obsidian itself, so they can read and write files anywhere the user can, make network calls, and run local servers.
  • Plugins are reviewed once, at initial submission, and updates are not re‑audited; the plugin ecosystem is growing quickly, so that one‑time review covers a shrinking share of the code users actually run.
  • The Electron + npm supply chain is seen as a further attack surface (malicious or compromised packages, auto‑updates that pull in new code without review).
  • Multiple people suggest plugin sandboxing and more granular permissions (per‑plugin file and network scopes) as the real fix.

macOS Sandboxing, Signing, and Distribution

  • Obsidian not being in the Mac App Store means the App Sandbox is not mandatory for it; some see that as a serious risk for sensitive notes.
  • Code signing/notarization only proves origin (and, for notarization, that Apple's automated malware scan passed), not absence of backdoors; it helps with revocation, not with trust in behavior.
  • macOS is noted to have app‑level and folder permissions (the TCC prompts for Documents, Desktop and similar locations), but no simple way to sandbox a non‑Store app by default.

Alternatives and Data Portability

  • Several open‑source alternatives are mentioned: Joplin, Logseq, Trilium, SiYuan, and others, each with trade‑offs (UI, formats, complexity).
  • Some argue that Obsidian’s Markdown is still somewhat non‑standard due to plugin conventions.
  • A few users strongly advise avoiding any closed‑source note‑taking tool despite portable files, citing long‑term risk and habits lock‑in.

Ethics and Economics of Closed Source

  • One camp says closed source is inherently unethical; another calls that absolutist and emphasizes sustainable funding and livelihoods.
  • There is debate over whether “only open source is trustworthy” is realistic or counterproductive.
  • Some suggest Obsidian could open‑source the client while monetizing sync/back‑end, citing other projects that do this.

Mitigations and Practical Advice

  • Suggested mitigations: minimize plugins, use only core features, sandbox the app on Linux with Firejail or the Flatpak build (an AppImage on its own provides no sandboxing), or rely on larger vendors like Apple Notes.
  • Others note Obsidian does annual third‑party security audits of the core, but plugins remain an open risk area.