FRESH

Hacker News

Home

Be Careful with Obsidian

72 points by allenleee

by moooo99

10 subcomments

I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian

by nrvn

0 subcomment

Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
Macos:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed to achieve the above;
- macos appstore is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...

by dsissitka

1 subcomments

If you're a Linux user you might like Firejail for this.
```
  firejail --appimage --net=none --private=~/path/to/jail ~/path/to/Obsidian.AppImage
```
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.

by terespuwash

2 subcomments

There are many good reasons to trust Obsidian team (they are not VC backed, they clearly state they don’t own your data, you are not locked in). If you don’t trust them because they are not open-source then If you want to be a purist about it, then just use an open-source markdown editor instead.

by k8sToGo

2 subcomments

Is this a Mac thing?
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?

by imputation

1 subcomments

I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)

by Havoc

0 subcomment

Don’t really see much of a reason to single out obsidian in this

by agsnu

0 subcomment

I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.

by reassess_blind

1 subcomments

You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.

0 subcomment

by thomascountz

0 subcomment

The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.

by ugur2nd

0 subcomment

Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.

by eviks

0 subcomment

Plugin sandboxing is the answer to such community extension concerns, but then that's unfortunately only part of the bright future ahead...

by bobertdowney

2 subcomments

> Obsidian’s source code is closed
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.

by ihorcher

1 subcomments

The scary thing is that nowadays everything is backdoored. And developers/product owners can even don't know about it. Obsidian is an electron app, thus uses npm, and with npm we now get like at least one malicious package per month. If they have package autoupdate it's just a matter of time and effort for an attacker to plant something shady there. This could be simple crypto-stealer, or this could be a way to access people's personal vaults.

by Robdel12

2 subcomments

This is ridiculous. The macOS app is signed.

    codesign -dv /Applications/Obsidian.app
    Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
    Identifier=md.obsidian
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
    Signature size=8975
    Timestamp=Sep 29, 2025 at 12:22:41 PM
    Info.plist entries=39
    TeamIdentifier=6JSW4SJWN9
    Runtime Version=15.4.0
    Sealed Resources version=2 rules=13 files=23
    Internal requirements count=1 size=172

Also, I love OSS as much as the next person, but not everything needs to be.

by msuniverse2026

0 subcomment

I really like the obsidian canvas.

by freefaler

0 subcomment

It's a strange article. Yes it's not an open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
- open source formats
- community plugins with source code (it's JS)

by colesantiago

0 subcomment

Would it be best to be closed source and pay to get the source code with 1 year updates, (except say license server unless you're enterprise)?
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't really cut it.

by tonyhart7

4 subcomments

need obsidian open source alternative

by deafpolygon

1 subcomments

I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.

by jiri

3 subcomments

But files obsidian works with are just bunch of .md files that can be viewed or edited with anything, nano, notepad, visual studio code etc. So does it really matter it is or it is not open source?