<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: kepano</title><link>https://news.ycombinator.com/user?id=kepano</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 06 Jun 2026 23:14:50 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=kepano" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by kepano in "Obsidian plugins are (mostly) dangerous"]]></title><description><![CDATA[
<p>As far as I can tell, every issue you flagged in this article is now automatically caught in the new plugin review system launched last week. The new system prevents plugin updates from being released/downloaded if any of these issues are present.<p>The team is also working on adding permissions and more controls, see the recent announcement and HN discussion:<p><a href="https://obsidian.md/blog/future-of-plugins/" rel="nofollow">https://obsidian.md/blog/future-of-plugins/</a><p><a href="https://news.ycombinator.com/item?id=48109970">https://news.ycombinator.com/item?id=48109970</a><p>Since last week hundreds of plugins have been updated to patch vulnerabilities. That said there is a lot more to do and we're actively working on it. It's a very high priority.<p>If there are any other checks you think we should add to the automated review system I'd be happy to look into those. Since the review system is mostly open source you can also contribute to it directly, though perhaps that would be in conflict with the purpose of your company since our approach doesn't use AI for now?</p>
]]></description><pubDate>Thu, 21 May 2026 13:17:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48222151</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48222151</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48222151</guid></item><item><title><![CDATA[New comment by kepano in "Show HN: Files.md – Open-source alternative to Obsidian"]]></title><description><![CDATA[
<p>The two are not mutually exclusive?</p>
]]></description><pubDate>Wed, 20 May 2026 00:10:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48201379</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48201379</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48201379</guid></item><item><title><![CDATA[New comment by kepano in "Show HN: Files.md – Open-source alternative to Obsidian"]]></title><description><![CDATA[
<p>On the other hand, that may be part of the reason why Obsidian has such a rich plugin ecosystem. Perhaps there is less of an incentive to build a good plugin API if you can just tell people to fork instead.</p>
]]></description><pubDate>Tue, 19 May 2026 22:22:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=48200471</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48200471</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48200471</guid></item><item><title><![CDATA[New comment by kepano in "Show HN: Files.md – Open-source alternative to Obsidian"]]></title><description><![CDATA[
<p>Obsidian has an entire plugin category for syncing, and recommended alternatives to the official Sync service.<p><a href="https://community.obsidian.md/search?type=plugin&categories=syncing" rel="nofollow">https://community.obsidian.md/search?type=plugin&categories=...</a><p><a href="https://obsidian.md/help/sync-notes" rel="nofollow">https://obsidian.md/help/sync-notes</a></p>
]]></description><pubDate>Mon, 18 May 2026 20:02:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=48184794</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48184794</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48184794</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>I apologize for being so feisty. I found your initial comment extremely disheartening:<p>> No permissions system, nothing resolved.<p>I could not let that comment stand because it's simply not true, and you probably wouldn't say it that way to me in person. We're not some faceless corporation. We're a team of seven sharing a year's work, which is expressly imperfect and in progress. I'm not looking to be showered with praise; like I said in my comment on the post, we're listening to everyone's gripes and working on them. But a bit of nuance and congeniality is appreciated.</p>
]]></description><pubDate>Fri, 15 May 2026 02:38:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48143900</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48143900</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48143900</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>I'm trying to have a real conversation with you but you seem determined to disagree with me, twist my words, and put up these straw man arguments. Why are you trying to pin me as anti-sandbox/permissions? I'm not.<p>I don't think these two points should be particularly controversial:<p>1. Permissions are planned but they're not a panacea. Apps are sandboxed on iOS/Android, browser extensions have permissions, yet both can easily do dangerous things. Permissions suffer the same issue you described: all a user needs to do is press "Yes" to allow danger. If you care about making powerful software you inevitably must have some way for a user to say they "understand and accept the risks". The other option is to simply not let your software be powerful, which is not what I am interested in working on.<p>2. Analyzing plugin source code <i>must</i> be part of the overall solution not only for security, but also performance, reliability, ease-of-use, etc. How can you be against that? It makes absolutely no sense to me.<p>48 hours in, the new review system is already working. Hundreds of updates have been published by developers cleaning up their code and making their plugins safer in ways that a permission system would not catch. You can see that for yourself by looking at recent updates from the community: <a href="https://community.obsidian.md/search?type=plugin&sort=updated" rel="nofollow">https://community.obsidian.md/search?type=plugin&sort=update...</a><p>As I have stated elsewhere many times, I'd be working on Obsidian even if I were the only user. That's why the app is free, we don't have investors, and we're okay staying small. The way plugins work is not motivated by money, it's a reflection of the kind of software we want to use.<p>It is fulfilling to see many people find value out of the app. People are creating many useful and interesting plugins I would have never imagined. Selfishly, I want to be able to use and trust those plugins just like anyone else. 
And that's the only motivation I need to work on the problem of plugin safety.<p>I understand you wish we had sandboxed plugins first, and built on top of it that way. But we didn't. Now we have been cursed with success and a large ecosystem that needs to be managed and transitioned. We will continue to chip away at the problem bit by bit. I don't think there's any other way to do it.</p>
]]></description><pubDate>Thu, 14 May 2026 20:09:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=48140569</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48140569</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48140569</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>It's not tacit, it's explicit. People should have the freedom to do dangerous things as long as they understand and accept the risks. I'm not interested in making software that imposes limits on what a person can do with their own computer.<p>I completely understand if you disagree, in which case Obsidian is not for you. It's perfectly fine to not recommend it! Obsidian is not trying to be for everyone.<p>See also: <a href="https://stephango.com/saw" rel="nofollow">https://stephango.com/saw</a></p>
]]></description><pubDate>Thu, 14 May 2026 04:29:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=48131113</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48131113</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48131113</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>It doesn't say "we don't use AI" but I guess the assumption nowadays is everything uses AI? In my opinion the burden should be to state that something <i>does</i> use LLMs, not that it doesn't.<p>The post has instructions to reproduce the review results using our open source eslint plugin:<p><a href="https://github.com/obsidianmd/eslint-plugin" rel="nofollow">https://github.com/obsidianmd/eslint-plugin</a></p>
]]></description><pubDate>Wed, 13 May 2026 17:28:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48124869</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48124869</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48124869</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>Obsidian doesn't collect any telemetry data but my estimate is that less than 10% of Obsidian users use plugins (might be closer to 1%). Most people don't even activate any of the built-in core plugins that are off by default.</p>
]]></description><pubDate>Wed, 13 May 2026 16:19:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=48123963</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48123963</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48123963</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>1) Yes. Working on it. (You can already partially do this e.g. ?score=90)<p>2) Yes. You will see these radically improve over the next few weeks. As stated on the scorecard itself they are a work in progress. You have to consider that overnight we intentionally exposed tens of thousands of warning messages across thousands of plugins, so there will be false positives, false negatives, and severity tweaks as we gather feedback from the community. But I expect these to get sorted out fairly quickly!</p>
]]></description><pubDate>Wed, 13 May 2026 03:26:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48117418</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48117418</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48117418</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>As I wrote, yes, a permission system is planned. But 1. we cannot oversimplify the problem of getting from here to there, 2. permissions are not a panacea. If you look at the scorecards for a few plugins you'll immediately see issues that a permission system wouldn't catch.<p>Millions of people depend on thousands of Obsidian plugins. We cannot just flip a switch and break everyone's workflows overnight. It will be a gradual process. We're working on it, and I hope you'll at least concede that this is better than nothing.</p>
]]></description><pubDate>Wed, 13 May 2026 02:38:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48117183</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48117183</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48117183</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>I certainly feel that I am losing brain cells here :)</p>
]]></description><pubDate>Wed, 13 May 2026 02:03:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116987</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116987</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116987</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>Thank you! It means a lot <3</p>
]]></description><pubDate>Wed, 13 May 2026 02:01:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116969</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116969</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116969</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>It seems like you have not read the blog post.</p>
]]></description><pubDate>Wed, 13 May 2026 01:11:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116691</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116691</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116691</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>We've been working on the project for nearly a year, so no.<p><a href="https://github.com/obsidianmd/eslint-plugin/commits/" rel="nofollow">https://github.com/obsidianmd/eslint-plugin/commits/</a></p>
]]></description><pubDate>Wed, 13 May 2026 01:10:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116686</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116686</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116686</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>It isn't. Doesn't involve AI. Read the post :)</p>
]]></description><pubDate>Tue, 12 May 2026 23:51:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116092</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116092</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116092</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>Yes they are mentioned in the blog post in the bullet point about disclosures. You can think of disclosures as the first step towards permissions. See my previous answer here:<p><a href="https://news.ycombinator.com/item?id=48110592">https://news.ycombinator.com/item?id=48110592</a></p>
]]></description><pubDate>Tue, 12 May 2026 23:48:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48116078</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48116078</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48116078</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>The blog post describes this but there are still manual reviews, similar to what you are asking for. We just need to expose that in the UI.<p>AI is not used in the review process. The system is primarily based on our open source eslint plugin, with additional dependency and malware scanning.<p><a href="https://github.com/obsidianmd/eslint-plugin" rel="nofollow">https://github.com/obsidianmd/eslint-plugin</a></p>
]]></description><pubDate>Tue, 12 May 2026 22:25:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=48115415</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48115415</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48115415</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>That would not have been accurate though.</p>
]]></description><pubDate>Tue, 12 May 2026 21:56:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=48115141</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48115141</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48115141</guid></item><item><title><![CDATA[New comment by kepano in "The Future of Obsidian Plugins"]]></title><description><![CDATA[
<p>That's effectively how the new system works. We just need to add filters so users can choose their preferred level of strictness.</p>
]]></description><pubDate>Tue, 12 May 2026 21:54:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=48115122</link><dc:creator>kepano</dc:creator><comments>https://news.ycombinator.com/item?id=48115122</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48115122</guid></item></channel></rss>