
Comment by troad

2 days ago

I have indeed read the blog post. Can you point out which part of my post is inaccurate? It is certainly possible I misunderstood something.

Surely you're not about to claim that asking plugins to "disclose" what resources they use is in any way comparable to sandboxing and permissions.

As I wrote, yes, a permission system is planned. But 1. we cannot oversimplify the problem of getting from here to there, 2. permissions are not a panacea. If you look at the scorecards for a few plugins you'll immediately see issues that a permission system wouldn't catch.

Millions of people depend on thousands of Obsidian plugins. We cannot just flip a switch and break everyone's workflows overnight. It will be a gradual process. We're working on it, and I hope you'll at least concede that this is better than nothing.

  • No, I don't agree. Asking plugins to pinky-promise which resources they will and will not use is absolutely meaningless from a security perspective. If anything, it engenders a false sense of security in end users, and continues a pattern whereby Obsidian tacitly endorses things that are inherently risky.

    The fundamental issue here is that the current plugin model is intrinsically broken, and tinkering around the edges is just a diversion of efforts from clearing that tech debt. It doesn't need to happen overnight, but it does need to happen.

    The meaningful improvement here is the promise of sandboxed plugins in the future, assuming I understood correctly, and that's just a fairly vague promise at this stage. I absolutely and in full earnestness wish you guys the best with that one. It will meaningfully improve Obsidian and make it easier to recommend to others.

    • It's not tacit, it's explicit. People should have the freedom to do dangerous things as long as they understand and accept the risks. I'm not interested in making software that imposes limits on what a person can do with their own computer.

      I completely understand if you disagree, in which case Obsidian is not for you. It's perfectly fine to not recommend it! Obsidian is not trying to be for everyone.

      See also: https://stephango.com/saw
