Comment by hackermanai

2 days ago

> actively reject multiple safety warnings

Is this like a popup? which most people actively accept without blinking

I think plugin/extensions should be a bit harder to run by default. I get the user friction from extra hurdles before using their plugins etc., but I don't think there is an actually safe way to execute arbitrary code, unaudited, without sandboxing, or other restrictions.

7 comments

hackermanai

Reply
kepano  2 days ago

It's not one pop-up. To fully replicate the concept you have to agree on three separate screens (and these are not in quick succession):

1. exit restricted mode to allow third-party plugins

2. trust the author of the vault that's being shared with you

3. trust the plugins being shared with you via sync

Daedren  2 days ago

The pop-ups and "social engineering" in question are things that any users in HN likely already accepted, which is to enable community plugins. These community plugins are the backbone of Obsidian and where a lot of the meat is behind its fame come from.

There's no protections beyond that, community plugins can do whatever they want. Thankfully, the vast majority of them are open-source.

  • kevinmgranger  2 days ago

    I'm gonna push back against the "backbone of Obsidian" part. I'll argue that vanilla Obsidian is plenty powerful enough.

    I know many people swore / swear by the datatables plugin, but now that Bases in core, you can get pretty far without it, no?

    • Daedren  2 days ago

      I agree with you that vanilla Obsidian is plenty powerful, but it's exactly like Vim's case. It's good enough on its own, but there's always more.

      There's countless articles and videos about various community plugins and even curated selections of them depending on your use case for Obsidian.

    • wolvoleo  2 days ago

      I can't do without the livesync plugin. And also copilot (connected to a locally hosted LLM of course) and readitlater.

  • rithdmc  2 days ago

    As someone who doesn't use shared vaults - would the warning popup, 'to enable the "Installed community plugins" synchronization feature', not be on a per shared vault basis? Is trusting a single shared vault for plugin sync going to mean I sync my plugins for every shared vault?

    IMO that's an issue in and of itself, but it doesn't read that way in the (very unclear) original article.

wiseowise  2 days ago

This. Make it like a vim mode, input “I know what I’m doing” or even require some basic fizz buzz.