←back to thread

Less is safer: How Obsidian reduces the risk of supply chain attacks

(obsidian.md)
421 points saeedesmaili | 4 comments | 19 Sep 25 22:02 UTC | HN request time: 0.608s | source
1. xenator ◴[20 Sep 25 05:17 UTC] No.45310610[source]
To be honest, right now I'm thinking about isolating of build process for frontend on my local environment. It is seems not hard to send my local environment variables like OPENAI_API_KEY or .ssh/* to some remote machine.

I know it is not very different comparing to python or projects in any other language. But I don't feel that I cannot trust node/js community at this point.

replies(2): >>45310887 #>>45311509 #
2. hahn-kev ◴[20 Sep 25 06:13 UTC] No.45310887[source]
Running vite inside a docker container would probably get you what you want
replies(1): >>45310906 #
3. N2yhWNXQN3k9 ◴[20 Sep 25 06:16 UTC] No.45310906[source]
I don't think you even need a container for that type of containment.

You could do it with namespaces.

I think node/whatever-js-run-time/package-manger could allow for namespaced containment for packages with simple modern linux things.

The realms proposal was a step towards that at one time.

4. mark_and_sweep ◴[20 Sep 25 08:24 UTC] No.45311509[source]
Switching to Deno might help. It's sandboxed by default and offers granular escape hatches. So if a script needs access to a specific environment variable or read or write specific files, it's simple to configure that only those accesses are allowed.