When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
I trust the obsidian team, but I don't trust the plugins.
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
Apple notarization is usually the way for non Store downloads. Non-notarized apps present a warning and require overriding security settings to run (with admin privilege). There's nothing inherently stopping someone from notarizing code A and putting code B on GitHub, only that some sanity checks have been performed and the binary is not a known threat (or has been modified).
https://developer.apple.com/documentation/security/notarizin...
Sorry what if the open source project made their CI/CD pipeline public? So users could exercise it, produce their own build, and then compare that to the notarized one? Would I then be able to verify that what I downloaded from the developer’s website is identical to what is built with the open source code? Just curious.
[0]: https://logseq.com/
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes it appears to be less mature however that doesn't mean that it is inferior by any measure (and open-source)
If I remember correctly it was inferior to Obsidian because Logseq used a proprietary format. Yes, it was/is officially markdown but not in a format that is easily transferred. I don't know if it changed but Logseq documents where literally just a big Markdown list if I remember correctly.
Personally I do see the problem with closed source solutions but the real problem with Obsidian are AFAIk the plugins and not the App itself. I mean: They have a long way to go to be even remotely as evil as people at Google or Microsoft. But if that ever happens I simply walk away with my .md documents.
But also - no, they aren't, they use plugin-customized non-standard markdown format, so while the extension is the same, you can't view/edit them with anything just like you can't edit Word xml files with notepad (of course, it's not as extreme as Word xml, unless you're an extreme user of custom plugins)
Building software takes time and resources. Experienced show that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to out food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value for me.
That of course doesn‘t mean I appreciate unnecessary vendor lock in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to takeout open formats, generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if its not open source, it would be great progress if we‘ve had more software like obsidian
It's probably illegal too, as in many jurisdiction the public, or at least a health/food regulatory body should know the process and ingredients.
Take into account allergens, and on top of a matter of public knowledge and health, it can also be a matter of life and death.
The linked page has a clear explanation for why one might consider nonfree software to be unethical.
You still have ethics ground if you think it the same way as repairability, actively blocking ways to repairs things you bought yourself is questionable, and keeping things closed source can be seen as a way to artificially prolonge a strict dependance on your vendor by impairing your ability to resolve issues by yourself.
No, for most it's because they evaluated a number of ethical, social, and technical concerns, and think so.
I was also a dreamer once upon a time, with M$ on my email signature and all that zealot attitude, then I had to support myself and face the reality that most supermarkets don't take pull requests.
Naturally I am not counting those, given that they are paid in tainted money as per OP's complaint.
It more so was a warning that the combination of little reviewed community plugins and a not sandboxed macos binary is a potential risk. And with that sentiment I can also agree.
Software being open source almost always makes it more trustworthy, and I'm glad that more people are picking up on this over time.
> I generally like people being able to out food on the table
Completely agreed, and this makes for a frustrating paradox.
I don't use Obsidian because it's closed source, but I don't think it's evil or anything. Conversely, I pay for Immich, and I hope their model is sustainable.
What do people get out of replying like this?
What did you get out of calling out their counterclaim?
And then there's the closed source's Cloud part and its holes as well, which is a whole other can of worms.
The problem is that quite a few open core companies immediately go from $0 / year to low to medium 6-digit-figures per year. This escalates the entire project sky-high in levels of internal scrutiny with a high chance of it not happening.
On the other hand, it was simple to argue why this is easily providing us with $50 in value per year. Now it is integrated with our normal license handling and it's actually slowly and steadily growing internally. We're up another 4-5 users from the last time I looked.
Lots of apps have open-source clients (for trust/auditability) but backends that are closed/locked somehow, e.g., Logseq.
I think we will soon see the ability to write plugins that can even run server-side of SaaS solutions.
There are a bunch of small problems people encounter here and there, which usually will never be solved by the company. Giving the community a route to improve their tool, would be good.
I don't particularly like client-side paid features, but:
- The client is fully FOSS, you can just patch the license check out. In fact, there are some forks on GitHub that do just that and provide binaries, and the authors don't seem to care, they even acknowledged them on Twitter (https://x.com/b3logos/status/1928366043094724937).
- There are plugins to sync without a paid plan
This works out quite well for them: if you choose a fork or a sync plugin, you don't get the same support that paying users do, so many users still end up buying a license. But you don't need to, which makes the whole thing not user-hostile.
I have bought a one-time license myself, and I'm very happy that I'm supporting the development of a FOSS project.
If people put their notes in, only open source software is good.
At best, one can tolerate a very big closed source company, who is unlikely to just do whatever with the data and has some track record for privacy, like Apple.
But trusting all your notes to a closed source app from a small peanuts company?
Paying money to Obsidian for writing yet another text editor seems like digging and filling holes to increase GDP to me.
Of course this always a bit of case by case, but obsidian is a very exposed and worthful target.
firejail --appimage --net=none --private=~/path/to/jail ~/path/to/Obsidian.AppImage
And because --private mounts some bits as temporary filesystems, you might end up losing state. Try before you buy.
codesign -dv /Applications/Obsidian.app
Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
Identifier=md.obsidian
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=8975
Timestamp=Sep 29, 2025 at 12:22:41 PM
Info.plist entries=39
TeamIdentifier=6JSW4SJWN9
Runtime Version=15.4.0
Sealed Resources version=2 rules=13 files=23
Internal requirements count=1 size=172
> it isn’t required to use sandboxing
This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.
Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't really cut it.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost enshitification after VC)
- open source formats
- community plugins with source code (it's JS)
Reality is, as you already implied: in practice you cannot "be careful" except avoiding obvious malware.
At SOME point you have to trust SOMEONE, unless you use TempleOS in which case you can trust whatever god you have.
terespuwash•3h ago
kgwgk•1h ago
seems a low bar for trusting (that part especifically)
miggol•1h ago
Usage of user-created plugins and access to cloud accounts aggravates the risk posed by a vulnerability.
Open source reduces vulnerabilities over time, so those who want to heed the author's warning may indeed want to switch to an open-source Markdown editor. Just not because the Obsidian team is Evil.