There are many good reasons to trust Obsidian team (they are not VC backed, they clearly state they don’t own your data, you are not locked in). If you don’t trust them because they are not open-source then If you want to be a purist about it, then just use an open-source markdown editor instead.
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
https://triliumnotes.org/ is my clear recommendation. It's quite more powerful than the usual contenders and it may take a while to explore its depths, but it's also not pushing its complexity in your face like Logseq and some others do.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it.
I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
On the same boat few months (actually, almost 2 years!) ago, I found Logseq too limiting as soon as one need to manage notes consistently ("typing" them as collections of notes of similar nature and acting on their properties as metadata), went through quite a long list of contenders (including AnyType) and ultimately settled with https://triliumnotes.org/
I am excited to try Trilium! though I think it might be hard to migrate all of my notes over with the [[tag]] conventions I have now. Did you use the trilium-py tool?
But files obsidian works with are just bunch of .md files that can be viewed or edited with anything, nano, notepad, visual studio code etc. So does it really matter it is or it is not open source?
I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian
The scary thing is that nowadays everything is backdoored. And developers/product owners can even don't know about it. Obsidian is an electron app, thus uses npm, and with npm we now get like at least one malicious package per month.
If they have package autoupdate it's just a matter of time and effort for an attacker to plant something shady there. This could be simple crypto-stealer, or this could be a way to access people's personal vaults.
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
It's a strange article. Yes it's not an open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
Macos:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed to achieve the above;
- macos appstore is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
I've known kepano (their CEO) for almost 20 years, he is an incredible builder and a solid human. My hunch is they would never act in an unsavory way to their users. I get that the point it could be more open (a community build would be slick), and yet it's an incredible product and worthy of financial support. I am glad to be a user and love that it's a part of my daily workflow.
31 comments
[ 2.6 ms ] story [ 68.2 ms ] threadWhen I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't really cut it.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
- open source formats
- community plugins with source code (it's JS)
Macos:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed to achieve the above;
- macos appstore is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
There are many facets to that. Plugins have unrestricted access, they can start servers, make http calls, read/write files ...
Plugins get approved once, but are never checked again.
And plugins are now increasing in number more rapidly, ...