Be Careful with Obsidian

> I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.

Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.

> I generally like people being able to out food on the table

Completely agreed, and this makes for a frustrating paradox.

I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.

>I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.

If people put their notes in, only open source software is good.

At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.

But trusting all your notes to a closed source app from a small peanuts company?

I think they could easily make Obsidian open source without losing out on profits. The app itself is free anyway. They could keep the sync backend closed source and make people pay to use the sync feature.

Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.

Obsidian also has affordable commercial pricing. By now I very much try to pay support contracts or give back to projects in other ways at work.

The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit-figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.

On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.

The article is about security and trust. Open Source is in that context by definition the only good solution. Though, doesn't mean that a closed app has to be bad, but you have to blindly trust them, and hope that this will never change. With Open Source, you don't have to be blind, you can trust them educated (or at least trust that other will check what's going on).

Of course this always a bit of case by case, but obsidian is a very exposed and worthful target.

> I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.

Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.

While I agree with you, i feel like that was not the point the author was making.

It more so was a warning that the combination of little reviewed community plugins and a not sandboxed macos binary is a potential risk. And with that sentiment I can also agree.

Note that if you already have an Obsidian vault, suddenly jailing it might break things. Obsidian stores a bunch of state in ~/.config/obsidian which will no longer be valid. And amusingly/frustratingly, the GTK file picker doesn't take the jail into account and seems to produce invalid paths.

And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.

The author dedicates an entire paragraph to how much they trust the Obsidian team. It isn't open source purism, they are warning users that good intentions don't prevent a developer from writing software containing vulnerabilities.

Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.

Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.

> they clearly state

seems a low bar for trusting (that part especifically)

> Also even if it is open source, who really verifies the binary is built from the source published?

Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).

https://developer.apple.com/documentation/security/notarizin...

Mac app store distribution is not that common. Some apps are available in the store or as direct downloads. The store adds the sandboxing restrictions, which dont work for many apps, eg its not very easy to install a cli.

> I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)

If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents where literally just a big Markdown list if I remember correctly.

Personally I do see the problem with closed source solutions but the real problem with Obsidian are AFAIk the plugins and not the App itself. I mean: They have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.

Plus, in theory you'd also need reproducible builds for everything because who knows what your compiler did to the source ;-)

Reality is, as you already implied: in practice you cannot "be careful" except avoiding obvious malware.

At SOME point you have to trust SOMEONE, unless you use TempleOS in which case you can trust whatever god you have.