I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian
> I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
Closed source also keeps missing CVEs, only most of them you never know because they aren't even making it to an officially released CVE. You usually don't even know what libs it uses and at what versions, never mind the proprietary code.
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
They get to counter a point they think is wrong in an open forum on the internet. I guess they get the satisfaction of providing a second viewpoint to a claim, so that the claim, alone, is not the only viewpoint that others coming to this thread see.
What did you get out of calling out their counterclaim?
They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person. I mean, "They're being a fucknugget for riffing off of the other person's words". Jesus, chill...
And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
>rather than replying clearly on their own terms
What you quoted couldn't be clearer, or express the responder's terms any better. Your issue is not that the response is not on their own terms, it's that is not on your terms, where phrasing it similar to what the other person said is supposed to be bad.
But that's more of a you problem. Was just looking at another thread, and chanced on you berating someone for pointing to GNU's website as opposed to writing a set of custom arguments on the spot:
As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote, or pointing to some link they agree with. Is that a novel concept?
>And I'd get even more relief if they admitted to having been an asshole on purpose and apologized. God forbid, stopped acting this way.
> They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person.
How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
> And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying? This is just a slightly more elaborate version of how children bicker! How do I need to explain this?
> But that's more of a you problem.
It certainly seems that way...
> oh, the irony
People getting hostile in response to hostility? Oh no, not the irony?! Case in point:
> As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote,
This WAS abusive, that's my whole issue dude. It'd appear what is and isn't abusive isn't a fundamental force of the universe, and you and a few of your peers here just happen to not find what I - and imo, any average person with a reading comprehension - find immensely abusive.
>How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
"Contorting someones words" is said when someone changes what somebody said to make it appear as if they meant something else.
Not when someone merely expresses a different opinion, as their own, using some part of the other's wording.
>Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying?
No. That's a you problem. And even describing it as "rewriting someone words" would be a stretch. They merely used the same noun (which they need to, as they speak about the same thing), and contended that the opposite is true:
"I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic"
"Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time".
The only annoying comment I see in the whole exchange is yours.
>People getting hostile in response to hostility? Oh no, not the irony?!
The only hostility was in your mind, based on your premise that responding by reusing some of the same wording is "hostile".
I hope all replies you'll ever get will be in their style, maybe that will (eventually) teach you why I find it oh-so-unreasonably hostile, and yes, an intentional contortion of words.
I further hope someone will be there afterwards to gaslight you about how there's actually nothing wrong with it, and that it's all in your head (which is like no shit, where do you think hostility arrives to?), and that it's a you problem (whose problem would you be reporting on? nonsense...).
Thanks for doubling down on their behalf, intentionally blurring the lines, it really wouldn't have been an internet interaction without one more twisting of the knife. Waiting for the other guys to open up now.
And then people bitch and moan about the internet being dead.
I have the impression these people only use Big Tech open source projects. Why would they expect software developers to work for free so they can give their beautiful contribution of using it for free is really unknown to me.
Obsidian also has affordable commercial pricing. By now I very much try to pay support contracts or give back to projects in other ways at work.
The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit-figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
>I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
In this case the "closed source app" is using a very open and easy to parse format.
If Obsidian enshittified tonight so badly I had to stop using it, the only thing I'd kind of miss is dataview and bases.
And of those dataview is "just" parsing a bunch of markdown with javascript. Bases is a yaml format for displaying more markdown.
I'm pretty sure I could vibe-code some scripts over a weekend that cover most of my Obsidian use-cases and use any markdown-capable editor for writing.
That's why I use Obsidian (and stopped using Joplin, because - at the time - all my notes were in one obscure blob)
I think they could easily make Obsidian open source without losing out on profits.
The app itself is free anyway.
They could keep the sync backend closed source and make people pay to use the sync feature.
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
Obsidian is using electron, so the source is already somewhat available anyway. I understand them not making it open source, and risking someone forking it and harming their business. But considering the situation, I would think making it at least source available on a popular forge, where people can make issues and open merge-requests, might be a beneficial thing.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool, would be good.
The PKM I've been using lately, SiYuan, does exactly that, and I think their business model isn't bad: the client is fully FOSS, there are some client-side paid features with a one-time subscription (WebDAV/S3 sync "bring your own server") and some server-side paid features with a more expensive recurring subscription (cloud space provided by them).
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
The article is about security and trust. Open Source is in that context by definition the only good solution. Though, doesn't mean that a closed app has to be bad, but you have to blindly trust them, and hope that this will never change. With Open Source, you don't have to be blind, you can trust them educated (or at least trust that other will check what's going on).
Of course this always a bit of case by case, but obsidian is a very exposed and worthful target.
While I agree with you, i feel like that was not the point the author was making.
It more so was a warning that the combination of little reviewed community plugins and a not sandboxed macos binary is a potential risk. And with that sentiment I can also agree.
That was my take too. I am less concerned with an app being simply closed source and much more concerned with closed source coupled with skipping review and the general approved distribution models on the two platforms.
> I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
I am quite thankfull that thanks to unethical software I am able to pay my bills, instead of being like a street art performer hoping to get enough coins at the end of the day.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
I don't think GPL cares where the money is coming from - we're talking about closed/open source, not ethical business models. If we did, we'd have to also go over unfettered free markets and capital flow.
Depends on people, but for most it's mainly because Stallman says so.
You still have ethics ground if you think it the same way as repairability, actively blocking ways to repairs things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolonge a strict dependance on your vendor by impairing your ability to resolve issues by yourself.
Not disclosing the ingredients is illegal large part of the world, and people can die if you don’t do that, so the answer is clearly yes in some sense. This is also true for some cooking techniques, like heat treatment of raw meat. I think your analogy is not the best.
Not disclosing ingredients is more like not disclosing dependencies because I am very confident that you can't go into a shop, buy a random food and then construct recipe from list of ingredients.
You don't have to agree with it, but I think it's fair to parrot a take from people who have invested a lot of time and effort into considering why free software is good.
The linked page has a clear explanation for why one might consider nonfree software to be unethical.
Sometimes people take the time to read and understand something and conclude that this is the best way to express it, better than they themselves can paraphrase.
And sometimes they just collect opinions and follow suit, instead of forming their own ones. How do you know which one happened here, are you a mind reader?
I hope you understand that ethic is not absolute. It's unethical for you, according to your ethical rules. Doesn't mean that this applies to other people rules too.
Yeah, we're on a site where a large majority of users shamelessly work at adtech companies, and threads regularly pop-up where people defend working at companies actively developing and selling exploits.
I am well aware of that, this is why I remind people that proprietary software is bad actually.
You wrote that "Closed-source software" is unethical, not "harmful software & services" is unethical. There is a significant difference. Don't shift your goal as you like.
Not all closed-source software is harmful; Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source, because of how open and supportive it's designed in everything else.
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.
Note that if you already have an Obsidian vault, suddenly jailing it might break things. Obsidian stores a bunch of state in ~/.config/obsidian which will no longer be valid. And amusingly/frustratingly, the GTK file picker doesn't take the jail into account and seems to produce invalid paths.
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
There are many good reasons to trust Obsidian team (they are not VC backed, they clearly state they don’t own your data, you are not locked in). If you don’t trust them because they are not open-source then If you want to be a purist about it, then just use an open-source markdown editor instead.
The author dedicates an entire paragraph to how much they trust the Obsidian team. It isn't open source purism, they are warning users that good intentions don't prevent a developer from writing software containing vulnerabilities.
Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.
Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
Macos:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed to achieve the above;
- macos appstore is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
If MacOS, an OS with posix style permissions, app level permissions, and folder access limits per app does not have a “granular permissions model”, which OS does? What are you trying to say?
> Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
> There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub
Sorry what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer’s website is identical to what is built with the open source code? Just curious.
In theory, yes, you could compare it. In practice, the build would need to be reproducible which is non-trivial depending on the size the of the project and the external dependencies the project itself has.
Mac app store distribution is not that common. Some apps are available in the store or as direct downloads. The store adds the sandboxing restrictions, which dont work for many apps, eg its not very easy to install a cli.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it.
I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
> I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents where literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions but the real problem with Obsidian are AFAIk the plugins and not the App itself. I mean: They have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
I'm not sure how this is relevant? The code is signed but that doesn't mean it doesn't contain backdoors. Without it being open source or at the very least source-available, we can't know
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
It's a strange article. Yes it's not an open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
That is not meaningfully open source. Even if that would be the full source code, it still wouldn't have an open source licence, although then it technically would be free(as in freedom) software, not just open source, but most people assume open source = free software.
I trust the obsidian team, but I don't trust the plugins.
The scary thing is that nowadays everything is backdoored. And developers/product owners can even don't know about it. Obsidian is an electron app, thus uses npm, and with npm we now get like at least one malicious package per month.
If they have package autoupdate it's just a matter of time and effort for an attacker to plant something shady there. This could be simple crypto-stealer, or this could be a way to access people's personal vaults.
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
But files obsidian works with are just bunch of .md files that can be viewed or edited with anything, nano, notepad, visual studio code etc. So does it really matter it is or it is not open source?
How is your point relevant to the security risks of community plugins?
But also - no, they aren't, they use plugin-customized non-standard markdown format, so while the extension is the same, you can't view/edit them with anything just like you can't edit Word xml files with notepad (of course, it's not as extreme as Word xml, unless you're an extreme user of custom plugins)
I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian
> I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
In theory, in practice it is obvious that too many eyes to the source keep missing CVEs.
Closed source also keeps missing CVEs, only most of them you never know because they aren't even making it to an officially released CVE. You usually don't even know what libs it uses and at what versions, never mind the proprietary code.
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
I haven't said otherwise, other than the fallacy that being open by itself fixes those issues.
for me it's about running it locally/inside a wireguard network, and not having the rug pulled. not everything needs to be exposed to the internet.
> Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
What do people get out of replying like this?
They get to counter a point they think is wrong in an open forum on the internet. I guess they get the satisfaction of providing a second viewpoint to a claim, so that the claim, alone, is not the only viewpoint that others coming to this thread see.
What did you get out of calling out their counterclaim?
[flagged]
May the one without sin throw the first stone?
They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person. I mean, "They're being a fucknugget for riffing off of the other person's words". Jesus, chill...
And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
>rather than replying clearly on their own terms
What you quoted couldn't be clearer, or express the responder's terms any better. Your issue is not that the response is not on their own terms, it's that is not on your terms, where phrasing it similar to what the other person said is supposed to be bad.
But that's more of a you problem. Was just looking at another thread, and chanced on you berating someone for pointing to GNU's website as opposed to writing a set of custom arguments on the spot:
https://news.ycombinator.com/item?id=45679487
As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote, or pointing to some link they agree with. Is that a novel concept?
>And I'd get even more relief if they admitted to having been an asshole on purpose and apologized. God forbid, stopped acting this way.
oh, the irony.
> They restate what the other person said in more correct (as they see them) terms. They're not "contorting" anything, nor are they attributing their version to the other person.
How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
> And yes, they respond based "on their own agenda". That's what all conversation and sharing of opinions entails: telling it from your perspective, and based on what you think it's better.
Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying? This is just a slightly more elaborate version of how children bicker! How do I need to explain this?
> But that's more of a you problem.
It certainly seems that way...
> oh, the irony
People getting hostile in response to hostility? Oh no, not the irony?! Case in point:
> As long as they aren't abusive, people can answer anyway they damn please, including rewording what the parent wrote,
This WAS abusive, that's my whole issue dude. It'd appear what is and isn't abusive isn't a fundamental force of the universe, and you and a few of your peers here just happen to not find what I - and imo, any average person with a reading comprehension - find immensely abusive.
>How is this not a contradiction? They're not contorting their words, they're just restating them with subtle changes to make it "correct". What?
"Contorting someones words" is said when someone changes what somebody said to make it appear as if they meant something else.
Not when someone merely expresses a different opinion, as their own, using some part of the other's wording.
>Yes, and do you not see how clapping back by "cleverly" rewriting someone words would come across as incredibly annoying?
No. That's a you problem. And even describing it as "rewriting someone words" would be a stretch. They merely used the same noun (which they need to, as they speak about the same thing), and contended that the opposite is true:
"I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic"
"Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time".
The only annoying comment I see in the whole exchange is yours.
>People getting hostile in response to hostility? Oh no, not the irony?!
The only hostility was in your mind, based on your premise that responding by reusing some of the same wording is "hostile".
I hope all replies you'll ever get will be in their style, maybe that will (eventually) teach you why I find it oh-so-unreasonably hostile, and yes, an intentional contortion of words.
I further hope someone will be there afterwards to gaslight you about how there's actually nothing wrong with it, and that it's all in your head (which is like no shit, where do you think hostility arrives to?), and that it's a you problem (whose problem would you be reporting on? nonsense...).
[dead]
so why did it take you so long to be open about your own motives? still, it's good that you did admit to it in the end.
Thanks for doubling down on their behalf, intentionally blurring the lines, it really wouldn't have been an internet interaction without one more twisting of the knife. Waiting for the other guys to open up now.
And then people bitch and moan about the internet being dead.
The satisfaction that they told the objective truth.
I have the impression these people only use Big Tech open source projects. Why would they expect software developers to work for free so they can give their beautiful contribution of using it for free is really unknown to me.
Obsidian also has affordable commercial pricing. By now I very much try to pay support contracts or give back to projects in other ways at work.
The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit-figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
>I think the increasingly widespread attitude that only open source software is good and trustworthy increasingly annoying and problematic.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
In this case the "closed source app" is using a very open and easy to parse format.
If Obsidian enshittified tonight so badly I had to stop using it, the only thing I'd kind of miss is dataview and bases.
And of those dataview is "just" parsing a bunch of markdown with javascript. Bases is a yaml format for displaying more markdown.
I'm pretty sure I could vibe-code some scripts over a weekend that cover most of my Obsidian use-cases and use any markdown-capable editor for writing.
That's why I use Obsidian (and stopped using Joplin, because - at the time - all my notes were in one obscure blob)
I think they could easily make Obsidian open source without losing out on profits. The app itself is free anyway. They could keep the sync backend closed source and make people pay to use the sync feature.
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
Obsidian is using electron, so the source is already somewhat available anyway. I understand them not making it open source, and risking someone forking it and harming their business. But considering the situation, I would think making it at least source available on a popular forge, where people can make issues and open merge-requests, might be a beneficial thing.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool, would be good.
The PKM I've been using lately, SiYuan, does exactly that, and I think their business model isn't bad: the client is fully FOSS, there are some client-side paid features with a one-time subscription (WebDAV/S3 sync "bring your own server") and some server-side paid features with a more expensive recurring subscription (cloud space provided by them).
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
Does anyone know if it's possible to have a core which is unsandboxed, but load plugins which are sandboxed? This seems like a great solution if so.
This is one of the main use cases for Webassembly outside of the browser.
I think we will soon see the ability to write plugins that can even run server-side of SaaS solutions.
The article is about security and trust. Open Source is in that context by definition the only good solution. Though, doesn't mean that a closed app has to be bad, but you have to blindly trust them, and hope that this will never change. With Open Source, you don't have to be blind, you can trust them educated (or at least trust that other will check what's going on).
Of course this always a bit of case by case, but obsidian is a very exposed and worthful target.
While I agree with you, i feel like that was not the point the author was making.
It more so was a warning that the combination of little reviewed community plugins and a not sandboxed macos binary is a potential risk. And with that sentiment I can also agree.
That was my take too. I am less concerned with an app being simply closed source and much more concerned with closed source coupled with skipping review and the general approved distribution models on the two platforms.
> I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
Phew, good thing it’s not a text editor.
It does not have to make money for people to do it as a hobby. Not everything people do is because of money.
Closed-source software is unethical regardless of any of your unsubstantiated claims on its or open-source software's security.
I am quite thankfull that thanks to unethical software I am able to pay my bills, instead of being like a street art performer hoping to get enough coins at the end of the day.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
Maybe that's because supermarkets would think a "pull request" is just shoplifting?
Many open source projects are written by people who are paid to do so. Just because you couldn't do it doesn't mean it's not possible.
From companies whose main business is selling unethical software.
Naturally I am not counting those, given that they are paid in tainted money as per OP's complaint.
I don't think GPL cares where the money is coming from - we're talking about closed/open source, not ethical business models. If we did, we'd have to also go over unfettered free markets and capital flow.
FOSS and GPL aren't exactly the same thing.
We are surely talking about ethics,
> Closed-source software is unethical regardless of any of your unsubstantiated claims on its or open-source software's security.
And in that regard, there is also something to talk about regarding some prominent figures in open-source world.
Oh, DHH? Not sure how his xenophobic ramblings have anything to do with this...
If it was only one.
Why do you think it's unethical?
Depends on people, but for most it's mainly because Stallman says so.
You still have ethics ground if you think it the same way as repairability, actively blocking ways to repairs things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolonge a strict dependance on your vendor by impairing your ability to resolve issues by yourself.
>Depends on people, but for most it's mainly because Stallman says so
No, for most it's because they evaluated a number of ethical, social, and technical concerns, and think so.
I will assume you're not trolling but that just don't know what FOSS is about. Check this out https://www.gnu.org/philosophy/free-sw.en.html
You don't have to be ignorant of FOSS to disagree with the statement that closed source software is unethical.
If you don't know recipe for food, it is automatically unethical food?
If the recipe is hidden, yes.
It's probably illegal too, as in many jurisdiction the public, or at least a health/food regulatory body should know the process and ingredients.
Take into account allergens, and on top of a matter of public knowledge and health, it can also be a matter of life and death.
List of ingredients does not a recipe make.
It's like saying "Linux uses C" and now you instantly can copy Linux =)
Not disclosing the ingredients is illegal large part of the world, and people can die if you don’t do that, so the answer is clearly yes in some sense. This is also true for some cooking techniques, like heat treatment of raw meat. I think your analogy is not the best.
Not disclosing ingredients is more like not disclosing dependencies because I am very confident that you can't go into a shop, buy a random food and then construct recipe from list of ingredients.
There are parts of the code which don't use dependencies, because you wrote it. Which part of any food is not created from ingredients?
I think they asked for your take, not GNU's.
You don't have to agree with it, but I think it's fair to parrot a take from people who have invested a lot of time and effort into considering why free software is good.
The linked page has a clear explanation for why one might consider nonfree software to be unethical.
And his take is that he agrees with GNUs take, and points to that as handy list of arguments in its favor.
Sometimes people take the time to read and understand something and conclude that this is the best way to express it, better than they themselves can paraphrase.
And sometimes they just collect opinions and follow suit, instead of forming their own ones. How do you know which one happened here, are you a mind reader?
Do you have any opinions of your own instead of berating people with meta arguments and rudeness?
Yes.
this page gives no arguments why nonfree software is unethical
I hope you understand that ethic is not absolute. It's unethical for you, according to your ethical rules. Doesn't mean that this applies to other people rules too.
Yeah, we're on a site where a large majority of users shamelessly work at adtech companies, and threads regularly pop-up where people defend working at companies actively developing and selling exploits.
I am well aware of that, this is why I remind people that proprietary software is bad actually.
You wrote that "Closed-source software" is unethical, not "harmful software & services" is unethical. There is a significant difference. Don't shift your goal as you like.
Not all closed-source software is harmful; Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source, because of how open and supportive it's designed in everything else.
If you're a Linux user you might like Firejail for this.
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.Note that if you already have an Obsidian vault, suddenly jailing it might break things. Obsidian stores a bunch of state in ~/.config/obsidian which will no longer be valid. And amusingly/frustratingly, the GTK file picker doesn't take the jail into account and seems to produce invalid paths.
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
And all of these issues such as sandboxing and portals are solved by using the Flatpak version instead.
There are many good reasons to trust Obsidian team (they are not VC backed, they clearly state they don’t own your data, you are not locked in). If you don’t trust them because they are not open-source then If you want to be a purist about it, then just use an open-source markdown editor instead.
The author dedicates an entire paragraph to how much they trust the Obsidian team. It isn't open source purism, they are warning users that good intentions don't prevent a developer from writing software containing vulnerabilities.
Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.
Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.
> they clearly state
seems a low bar for trusting (that part especifically)
Not being able to give granular permissions to folders is not the problem of an app which regardless of being open or closed source may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
Macos:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec that allowed to achieve the above;
- macos appstore is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
If MacOS, an OS with posix style permissions, app level permissions, and folder access limits per app does not have a “granular permissions model”, which OS does? What are you trying to say?
Is this a Mac thing?
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
> Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
https://developer.apple.com/documentation/security/notarizin...
> There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub
Sorry what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer’s website is identical to what is built with the open source code? Just curious.
In theory, yes, you could compare it. In practice, the build would need to be reproducible which is non-trivial depending on the size the of the project and the external dependencies the project itself has.
Mac app store distribution is not that common. Some apps are available in the store or as direct downloads. The store adds the sandboxing restrictions, which dont work for many apps, eg its not very easy to install a cli.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
> I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents where literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions but the real problem with Obsidian are AFAIk the plugins and not the App itself. I mean: They have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
Exactly this. After the enshittification of evernote I swore I would only write documents in formats and contexts where I can easily pick up and move.
Don’t really see much of a reason to single out obsidian in this
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
Plugin sandboxing is the answer to such community extension concerns, but then that's unfortunately only part of the bright future ahead...
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking the source in each update isn't malicious, which let's be real, nobody does.
Plus, in theory you'd also need reproducible builds for everything because who knows what your compiler did to the source ;-)
Reality is, as you already implied: in practice you cannot "be careful" except avoiding obvious malware.
At SOME point you have to trust SOMEONE, unless you use TempleOS in which case you can trust whatever god you have.
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugins authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
This is ridiculous. The macOS app is signed.
Also, I love OSS as much as the next person, but not everything needs to be.I'm not sure how this is relevant? The code is signed but that doesn't mean it doesn't contain backdoors. Without it being open source or at the very least source-available, we can't know
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
does the fact that the app is signed mean it must use sandboxing?
> it isn’t required to use sandboxing
It's a strange article. Yes it's not an open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
- open source formats
- community plugins with source code (it's JS)
> Obsidian’s source code is closed
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
That is not meaningfully open source. Even if that would be the full source code, it still wouldn't have an open source licence, although then it technically would be free(as in freedom) software, not just open source, but most people assume open source = free software.
I trust the obsidian team, but I don't trust the plugins.
Open-source is not about being able to view the source code at point-of-execution. It's about having a license to modify/distribute that source code
The scary thing is that nowadays everything is backdoored. And developers/product owners can even don't know about it. Obsidian is an electron app, thus uses npm, and with npm we now get like at least one malicious package per month. If they have package autoupdate it's just a matter of time and effort for an attacker to plant something shady there. This could be simple crypto-stealer, or this could be a way to access people's personal vaults.
What is the alternative? Everyone stop using package managers?
I really like the obsidian canvas.
Would it be best to be closed source and pay to get the source code with 1 year updates, (except say license server unless you're enterprise)?
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't really cut it.
need obsidian open source alternative
I tired Joplin, Logseq and Appflowy but ended up with siyuan
I am a fan of Logseq [0] as well, although it’s slightly different in that it is mostly for bulleted notes and not long-form prose.
[0]: https://logseq.com/
You can check my FOSS note-taking app: https://notes-foss.com
Looks great! I'll follow along so I can try it out if syntax-aware code blocks and callouts are ever supported
I'm not sure what your needs are, but I've been using Joplin and it works for me.
Tried Joplin, it creates an unholy mess of files. I far prefer the clear format of Obsidian.
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
to add, in the latest version of MacOS / iOS you can import / export as Markdown, which is quite nice.
But files obsidian works with are just bunch of .md files that can be viewed or edited with anything, nano, notepad, visual studio code etc. So does it really matter it is or it is not open source?
How is your point relevant to the security risks of community plugins?
But also - no, they aren't, they use plugin-customized non-standard markdown format, so while the extension is the same, you can't view/edit them with anything just like you can't edit Word xml files with notepad (of course, it's not as extreme as Word xml, unless you're an extreme user of custom plugins)
It does if you care about running shady binary blobs on your system, and if you care about ethics.
It does if you care about your editor.