upvote

points

by troad12 hours ago |
comments
upvoteby kepano11 hours ago|
[-]
It seems like you have not read the blog post.
reply
upvoteby rtrgrd10 hours ago|
parent|
next
[-]
Just wanted to say a huge thankyou for being so patient in the forum; it's quite annoying that the comment section is a more a function of the title + personal opinions than a function of the blog content.

I love using obsidian, and thanks so much for all the work that you and the team have put in :)

reply
upvoteby kepano10 hours ago|
parent|
[-]
Thank you! It means a lot <3
reply
upvoteby troad10 hours ago|
parent|
[-]
For what it's worth - and I know I'm being very critical of the plugin security model here - I also think Obsidian is very good, and am a paying customer.

Part of my frustration with this is that I've seen hobbyist video games with a more robust plugin security model than Obsidian's plugins. It's possible to do better than just "yolo, eval(github)", and I feel like it would thoroughly improve Obsidian for me, and apparently many others (judging by all these comments), if Obsidian invested in creating a secure plugin ecosystem rather than putting lipstick on the existing yolo plugin vortex.

Just because Obsidian is in JS, and JS has a terrible culture around package security, doesn't mean Obsidian needs to inherit and propagate that culture.

reply
upvoteby troad10 hours ago|
parent|
prev|
[-]
I have indeed read the blog post. Can you point out which part of my post is inaccurate? It is certainly possible I misunderstood something.

Surely you're not about to claim that asking plugins to "disclose" what resources they use is in any way comparable to sandboxing and permissions.

reply
upvoteby kepano10 hours ago|
parent|
[-]
As I wrote, yes, a permission system is planned. But 1. we cannot oversimplify the problem of getting from here to there, 2. permissions are not a panacea. If you look at the scorecards for a few plugins you'll immediately see issues that a permission system wouldn't catch.

Millions of people depend on thousands of Obsidian plugins. We cannot just flip a switch and break everyone's workflows overnight. It will be a gradual process. We're working on it, and I hope you'll at least concede that this is better than nothing.

reply