    395 points saeedesmaili | 12 comments
    gejose No.45308131
    This is one way to look at it, but ignores the fact that most users use third party community plugins.

    Obsidian has a truly terrible security model for plugins. As I realized while building my own, Obsidian plugins have full, unrestricted access to all files in the vault.

    Obsidian could've instead opted to be more 'batteries-included', at the cost of more development effort, but instead leaves this to the community, which in turn increases the attack surface significantly.

    Or it could have a browser-extension-like manifest that declares all permissions used by the plugin, where attempting to access a permission that's not granted gets blocked.

    Both of these approaches would've led to more real security to end users than "we have few third party dependencies".

    replies(17): >>45308149 #>>45308208 #>>45308212 #>>45308222 #>>45308224 #>>45308241 #>>45308572 #>>45308600 #>>45308749 #>>45310219 #>>45310642 #>>45310881 #>>45310991 #>>45311185 #>>45311760 #>>45311782 #>>45312975 #
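Added example, not part of the comment above and not Obsidian's API: a minimal sketch of the manifest idea gejose describes, where a plugin only receives a vault handle that checks every call against its declared grants. The manifest shape, `scopedVault`, `isAllowed`, the plugin id and the in-memory vault are all hypothetical and constructed for illustration.

```javascript
// Constructed in-memory vault standing in for the user's files.
const vault = new Map([
  ["notes/todo.md", "- buy milk"],
  ["journal/2025-09-20.md", "private entry"],
]);

// Hypothetical manifest: each grant is an action plus a vault-relative
// directory prefix (assumed to end in "/").
const manifest = {
  id: "todo-counter",
  permissions: [{ action: "read", prefix: "notes/" }],
};

// Resolve "." and ".." so "notes/../journal/x" cannot pass a prefix check.
// Returns null when the path would climb out of the vault.
function normalize(path) {
  const out = [];
  for (const seg of path.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join("/");
}

// Deny by default: an operation passes only if a declared grant covers it.
function isAllowed(manifest, action, path) {
  const clean = normalize(path);
  if (clean === null) return false;
  return manifest.permissions.some(
    (g) => g.action === action && clean.startsWith(g.prefix)
  );
}

// The only vault handle the plugin is given; denials are recorded for the host.
function scopedVault(manifest, denied = []) {
  const check = (action, path) => {
    if (!isAllowed(manifest, action, path)) {
      denied.push({ plugin: manifest.id, action, path });
      throw new Error(`${manifest.id}: ${action} not granted for ${path}`);
    }
    return normalize(path);
  };
  return Object.freeze({
    read: (path) => vault.get(check("read", path)),
    write: (path, data) => void vault.set(check("write", path), data),
  });
}
```

A check like this only enforces anything when the plugin code is isolated so that the scoped handle is its sole route to the files; the sketch models the permission check, not the sandbox.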
    1. eek2121 No.45308600
    Funny enough, I thought this earlier about Arch Linux and its derivatives. It was mentioned on reddit that they operate on a small budget. A maintainer replied that they have very low overhead, and the first thought that popped into my mind was that most of the software I use and rely on comes from the AUR, which relies on the user to manage their own security.

    If engineers can't even manage their own security, why are we expecting users to do so?

    replies(3): >>45308871 #>>45311168 #>>45312763 #
    2. zer00eyz No.45308871
    > If engineers can't even manage their own security, why are we expecting users to do so?

    This latest attack hit Crowdstrike as well. Imagine they had gotten inside Huntress, who opened up about how much they can abuse the access given: https://news.ycombinator.com/item?id=45183589

    Security folks and companies think they are important. The C suite sees them as a scapegoat WHEN the shit hits the fan and most end users feel the same about security as they do about taking off their shoes at the airport (what is this nonsense for) and they mostly aren't wrong.

    It's not that engineers can't take care of their own security. It's that we have made it a fight with an octopus rather than something that is seamless and second nature. Furthermore security and privacy go hand in hand... Teaching users that is not to the benefit of a large portion of our industry.

    replies(1): >>45309326 #
    3. marcosdumay No.45309326
    > It's not that engineers can't take care of their own security.

    I dunno. My computer has at least 1 hardware backdoor that I know of, but that I just can't get hardware without any equivalent exploit.

    My OS is developed with a set of tools that is known to make code revision about as hard as possible. Provides the bare minimum application insulation. And is 2 orders of magnitude larger than any single person can read in their lifetime. It's also the usable OS out there with the best security guarantees, everything else is much worse or useless.

    A browser is almost a new complete layer above the OS. And it's 10 times larger. Also written in a way that famously makes revisions impossible.

    And then there are the applications, which is what everybody is focusing on today. Keeping them secure is close to useless if one doesn't fix all of the above.

    replies(1): >>45310638 #
    4. dehugger No.45310638{3}
    You never actually told us what your OS is.
    replies(2): >>45310925 #>>45311406 #
    5. Alive-in-2025 No.45310925{4}
    They must mean macOS, right?
    6. fa3556 No.45311168
    I think this criticism is unfair because most common packages are covered by the core and extra repos which are maintained by Arch Linux. AUR is a collection of user build scripts and using it has a certain skill cliff such that I expect most users to have explicit knowledge of the security dangers. I understand your concern but it would be weird and out of scope for Arch to maintain or moderate AUR when what Arch is providing here amounts to little more than hosting. Instead Arch rightly gives the users tools to moderate it themselves through the votes and comments features. Also the most popular AUR packages are maintained by well known maintainers.

    The derivatives are obviously completely separate from Arch and thus are not the responsibility of Arch maintainers.

    replies(1): >>45311306 #
    7. anon7000 No.45311306
    Disagree. AUR isn’t any trickier than using pacman most of the time. Install a package manager like Yay or Paru and you basically use it the same way as the default package manager.

    It’s still the same problem, relying on the community and trusted popular plugin developers to maintain their own security effectively.

    replies(1): >>45311478 #
    8. dotancohen No.45311406{4}
    Because that would be a distraction to the point they're actually making.
    9. fa3556 No.45311478{3}
    I understood GP's point to be that because Obsidian leaves a lot of functionality to plugins, most people are going to use unverified third party plugins. On Arch however most packages are in core or extra so for most people they won't need to go to AUR. They are more likely to install the flatpak or get the appimage for apps not in the repos as that's much easier.

    yay or paru (or other AUR helpers afaik) are not in the repos. To install them one needs to know how to use AUR in the first place. If you are technical enough to do that, you should know about the security risks since almost all tutorials for AUR come with the security warnings. It's also inconvenient enough that most people won't bother.

    In Obsidian, plugins can seem central to the experience, so users might not think much of installing them; in Arch, AUR is very much a non-essential component. At least that's how I understand it.

    replies(2): >>45311526 #>>45311830 #
    10. tomsmeding No.45311526{4}
    > It's also inconvenient enough that most people won't bother.

    > in Arch AUR is very much a non essential component.

    While somewhat true, we are talking about a user who has installed Arch on their machine. If a user wanted to not bother with installation details, they would've installed Ubuntu.

    11. seaal No.45311830{4}
    The Arch-based distros that most normies will install have AUR helpers installed by default.

    I can't even install Brave without the AUR.

    12. mcgrath_sh No.45312763
    I'm shocked it is most of your software. I think I have under a dozen AUR packages. It has been that way for about a decade. I added a couple for gaming recently (mostly because Lutris just crashes for me), but nearly all of my software comes from the official repos.