Be Careful with Obsidian
Key topics
The article 'Be Careful with Obsidian' sparks a debate about the risks of using closed-source software, specifically Obsidian, a popular note-taking app, with commenters weighing in on the trade-offs between open-source and closed-source software.
Snapshot generated from the HN discussion
Key moments
- Story posted: Oct 23, 2025 at 2:49 AM EDT
- First comment: Oct 23, 2025 at 3:18 AM EDT (29m after posting)
- Peak activity: 101 comments in the first 12 hours
- Latest activity: Oct 29, 2025 at 10:03 PM EDT
seems a low bar for trusting (that part specifically)
Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.
Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
I trust the obsidian team, but I don't trust the plugins.
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
https://developer.apple.com/documentation/security/notarizin...
Sorry what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer’s website is identical to what is built with the open source code? Just curious.
The mitigation is if someone finds out a (notarized) download is compromised, they can tell Apple and they can retroactively and quickly revoke the signing which is distributed via Gatekeeper. Other users should get the warning if they had previously run the app without an issue.
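On the question of checking a local build against the notarized download: an added example, not code from the thread or from Obsidian, that hashes two app-bundle trees while skipping the signing artifacts notarization adds (`_CodeSignature/CodeResources`, an embedded provisioning profile), since those alone make a signed bundle differ from an unsigned local build. The two bundles are constructed sample trees, not real builds.

```python
import hashlib
import tempfile
from pathlib import Path

# Files/directories that exist only because the bundle was signed; a local,
# unsigned build will not contain them, so they are excluded from the comparison.
SIGNATURE_ONLY = {"_CodeSignature", "CodeResources", "embedded.provisionprofile"}


def digest_tree(root):
    """Map bundle-relative path -> sha256 for every regular file, minus signing artifacts."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in SIGNATURE_ONLY for part in rel.parts):
            continue
        if path.is_file():
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(local_build, downloaded):
    """Report files present in only one tree and files whose content differs."""
    local, remote = digest_tree(local_build), digest_tree(downloaded)
    return {
        "only_in_local": sorted(set(local) - set(remote)),
        "only_in_download": sorted(set(remote) - set(local)),
        "changed": sorted(p for p in set(local) & set(remote) if local[p] != remote[p]),
    }


def make_sample_bundles():
    """Constructed sample: a local build and a 'downloaded' copy that is signed
    and also carries one extra file the local build never produced."""
    base = Path(tempfile.mkdtemp())
    local = base / "local" / "Example.app"
    download = base / "download" / "Example.app"
    for bundle in (local, download):
        (bundle / "Contents" / "MacOS").mkdir(parents=True)
        (bundle / "Contents" / "MacOS" / "Example").write_bytes(b"\xcf\xfa\xed\xfe same-main-binary")
        (bundle / "Contents" / "Info.plist").write_text("<plist/>")
    (download / "Contents" / "_CodeSignature").mkdir()
    (download / "Contents" / "_CodeSignature" / "CodeResources").write_text("signature-blob")
    (download / "Contents" / "Resources").mkdir()
    (download / "Contents" / "Resources" / "extra.js").write_text("unexpected")
    return local, download
```

On a real macOS bundle the main Mach-O executable also carries an embedded signature, so strip it with `codesign --remove-signature` on a copy before hashing; a build that is not reproducible (timestamps, embedded paths) will still show spurious "changed" entries.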
I initially was cautious when going from "bunch of .MD files" to https://triliumnotes.org/, since it's been pretty great.
[0]: https://logseq.com/
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes, it appears to be less mature; however, that doesn't mean that it is inferior by any measure (and it is open-source).
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents were literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions but the real problem with Obsidian are AFAIK the plugins and not the App itself. I mean: They have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
But also - no, they aren't, they use plugin-customized non-standard markdown format, so while the extension is the same, you can't view/edit them with anything just like you can't edit Word xml files with notepad (of course, it's not as extreme as Word xml, unless you're an extreme user of custom plugins)
Building software takes time and resources. Experience shows that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to put food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn't mean I appreciate unnecessary vendor lock-in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to take out open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if it's not open source, it would be great progress if we had more software like Obsidian.
It's probably illegal too, as in many jurisdictions the public, or at least a health/food regulatory body, should know the process and ingredients.
Take into account allergens, and on top of a matter of public knowledge and health, it can also be a matter of life and death.
It's like saying "Linux uses C" and now you instantly can copy Linux =)
It does however play a hugely important role in a recipe, in a way that the choice of language doesn't play in a program (especially considering Turing completeness). So the analogy is broken.
Besides nobody made the point that list of ingredients makes a recipe.
Just that it's important to know the list of ingredients for a food you're gonna eat, and that it's even illegal to not disclose them (either to the public or a regulatory body) if you sell food.
Apologies if the parent comment was edited after you wrote yours but a "process and ingredients" does a recipe make.
> We campaign for these freedoms because everyone deserves them. With these freedoms, the users (both individually and collectively) control the program and what it does for them. When users don't control the program, we call it a “nonfree” or “proprietary” program. The nonfree program controls the users, and the developer controls the program; this makes the program an instrument of unjust power.
It seems safe to say the author thinks that one creating "an instrument of unjust power" for oneself is unethical. Though, perhaps if the commenter in question pulled that quote out of the article, it could have helped their point.
If you actually care about this, stop alienating potential allies, and ideally start making arguments to support your case instead of telling people to RTFM (which in this case is even worse because "the manual" isn't as much of an authoritative mic drop as you seem to think it is).
You still have ethical ground if you think of it the same way as repairability: actively blocking ways to repair things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolong a strict dependence on your vendor by impairing your ability to resolve issues by yourself.
No, for most it's because they evaluated a number of ethical, social, and technical concerns, and think so.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
Naturally I am not counting those, given that they are paid in tainted money as per OP's complaint.
We are surely talking about ethics,
> Closed-source software is unethical regardless of any of your unsubstantiated claims on its or open-source software's security.
And in that regard, there is also something to talk about regarding some prominent figures in open-source world.
I am well aware of that, this is why I remind people that proprietary software is bad actually.
Not all closed-source software is harmful; Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source, because of how open and supportive it's designed in everything else.
I was just confirming the point you made -- the definition of ethical is not absolute, and there are people that consider questionable things ethical.
> Obsidian here is a prime example of one which is not harmful and could be even considered as beneficial, despite being closed source
All proprietary software is unethical. It's as simple as that. No matter whether it's free or paid, no matter whether it's useful or harmful. If you have a right to use it but are deprived of the right to alter it, it is not ethical.
It was more a warning that the combination of little-reviewed community plugins and an unsandboxed macOS binary is a potential risk. And with that sentiment I can also agree.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
https://obsidian.md/blog/free-for-work/
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
I think we will soon see the ability to write plugins that can even run server-side of SaaS solutions.
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool would be good.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
If Obsidian enshittified tonight so badly I had to stop using it, the only thing I'd kind of miss is dataview and bases.
And of those dataview is "just" parsing a bunch of markdown with javascript. Bases is a yaml format for displaying more markdown.
I'm pretty sure I could vibe-code some scripts over a weekend that cover most of my Obsidian use-cases and use any markdown-capable editor for writing.
That's why I use Obsidian (and stopped using Joplin, because - at the time - all my notes were in one obscure blob)
Should we tell them?
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
Of course this is always a bit case by case, but Obsidian is a very exposed and valuable target.
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
AppImage is a binary distribution format that does none of that stuff, so you need external tools, like firejail, to limit what the application has access to.
> it isn’t required to use sandboxing
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
Reality is, as you already implied: in practice you cannot "be careful" except avoiding obvious malware.
At SOME point you have to trust SOMEONE, unless you use TempleOS in which case you can trust whatever god you have.
macOS:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec, which allowed achieving the above;
- the macOS App Store is a very strange phenomenon; I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone? You are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
They do a yearly audit: https://obsidian.md/security
And if it was the other way around, I guess people would be complaining about how closed it is for the developers
I think part of its success is due to the ecosystem composed of hundreds of plugins.
> Since Obsidian isn’t distributed through the Mac App Store, it isn’t required to use sandboxing,
> Combined with the fact that its source code isn’t public,
> And that many users rely heavily on Community Plugins (some of my friends have customized their Obsidian setups so much that I barely recognize the app),
> And that users often grant Obsidian access to sensitive folders like iCloud Drive, Documents, or Desktop (protected by TCC or not), etc to open Vault.
> To me, this represents a very serious risk.
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshittification after VC)
- open source formats
- community plugins with source code (it's JS)
There are many facets to that. Plugins have unrestricted access, they can start servers, make http calls, read/write files ...
Plugins get approved once, but are never checked again.
And plugins are now increasing in number more rapidly, ...
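Since community plugins ship as plain JavaScript loaded into the app process with nothing blocking Node APIs, a first-pass triage is to grep a plugin's `main.js` for the capabilities the comment above lists before installing it. This is an added example, not from the thread or from Obsidian; the plugin source below is a constructed sample, and the patterns are a starting list, not a complete one (`requestUrl` is Obsidian's own HTTP helper).

```python
import re

# Capability -> regex over one line of plugin JavaScript. Node/Electron lets a
# plugin reach all of these; flagging them tells you what to read closely.
RISKY_PATTERNS = {
    "spawns processes": r"""require\(\s*['"]child_process['"]\s*\)""",
    "opens sockets or servers": r"""require\(\s*['"](net|http|https|dgram)['"]\s*\)""",
    "makes HTTP requests": r"""\b(fetch|requestUrl|XMLHttpRequest)\s*\(""",
    "uses raw Node fs (can write outside the vault)": r"""require\(\s*['"]fs['"]\s*\)|\bfs\.(write|append|unlink|rm)""",
    "evaluates dynamic code": r"""\beval\s*\(|new\s+Function\s*\(""",
}


def triage_plugin_source(js_source):
    """Return {capability: [line numbers]} for every risky API the plugin touches."""
    findings = {}
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for label, pattern in RISKY_PATTERNS.items():
            if re.search(pattern, line):
                findings.setdefault(label, []).append(lineno)
    return findings


# Constructed sample plugin: a note-taking helper that also phones home and
# shells out, which is exactly what the "approved once, never re-checked" model misses.
SAMPLE_PLUGIN = """\
const { Plugin } = require("obsidian");
const cp = require("child_process");
module.exports = class SamplePlugin extends Plugin {
  async onload() {
    const reply = await fetch("https://example.invalid/telemetry");
    cp.exec("echo hello");
  }
};
"""

if __name__ == "__main__":
    for capability, lines in triage_plugin_source(SAMPLE_PLUGIN).items():
        print(f"{capability}: lines {lines}")
```

Run it against the `main.js` of each installed plugin (and again after every plugin update, since that is when the reviewed code changes).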
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't cut it.
So far I have uninstalled all themes & plugins except the kanban board - I'm working on it. I'll use core obsidian and that's all.