Obsidian CEO here. We've been working for nearly a year to launch this new Community site and review system. I'm very excited about this first version but there are many more improvements to come.
I've tried to be exhaustive with the blog post, FAQs, and next steps on our roadmap, but I am sure I forgot some things, so feel free to ask!
This has been an incredibly challenging project for a number of reasons. We're only seven people but we have thousands of plugin developers and millions of users. There are many competing priorities to balance.
We wanted to make sure the new system would be easy to adopt, backwards compatible, and not completely break people's workflows, while still being a major improvement over the old approach, and allow us to gradually continue enhancing security and discoverability of plugins.
Consider it a work in progress. We're listening to everyone's ideas and gripes, and will keep iterating :)
dtkav
For those not aware, it has basically been impossible to submit new plugins due to the manual review (and how easy/fun it is to write a plugin with AI). The developer community was becoming increasingly frustrated, and the team was burning out under the load.
So congrats to the team! This relieves a huge scaling bottleneck. It has been really cool to see how y'all build and scale.
sundarurfriend
I don't use Obsidian, and my assumption when I saw the title was I guess they're gonna be limiting it to a small set of corporate-blessed plugins.
I've come to expect that "The Future Of XYZ" titles from software companies means severely limiting XYZ or preparing XYZ for a shut down!
varun_ch
I’m not convinced that automated checks will be able to reliably assess whether a plugin is malicious.
I think the best (only?) way to solve the plugin security problem would be to properly sandbox them with an explicit API and permission system.
troad
No permissions system, nothing resolved. Plugins still have access to everything - full disk, network, etc. How does one even speak of security vulnerabilities when the security model of Obsidian plugins is just straight up "click here for RCE"?
All I see is a spanking new interface that will accelerate the pace of plugin turnover, bringing forward the next inevitable security incident.
SuaveSteve
>Each new version is scanned, and if it fails to pass review, the plugin is removed from search within 24 hours.
That's heavy handed. Why not allow the previous vetted version to be considered the plugin's latest version?
wolvoleo
As long as this doesn't reduce the availability of the plugins (for me in particular selfhosted-livesync) this sounds good.
I wonder if there would be a role for AI for these automated reviews. Seems like a promising usecase for it.
2001zhaozhao
Very interesting. This is real-world proof that automated plugin review is doable for a small team. Sooner or later I'll have to learn how to implement a similar system for my own projects.
nthypes
Review is done by LLMs? How did you guys decide to deal with prompt injection attacks?
pier25
Very cool. Shame the website is dark mode only which only makes it harder to read for people with astigmatism.
obsidianbases1
Great to see this update!
Managing this sort of community contribution is a challenge. Looks like great progress.
braden-lk
As a consumer, how/why should I engage with the scorecard? What do I do with a list of a bunch of errors and linter warnings?
What's the ideal flow on the user-end? Scorecard seems great on the developer side.
nla
Beautiful work.
Reminds me of Twilight on IRIX.
yakattak
That title gave me a heart attack.
ydj
The thing I always wondered regarding obsidian plugins is how they are able to offer them on iOS, given that iOS has rules against downloading code that alters functionality of the software.
ekjhgkejhgk
What I would like is that they made it easier to install plugins locally. Should really just be copy pasting into a folder. I would change it myself, were it not for the fact that Obsidian is proprietary software.
Time someone builds a compatible clone.
dostick
Why is the iOS app so terrible? Is it a web app? I have a couple of plugins on desktop, and it makes the iOS app load something, then I must press reload, and again. It's a terrible experience; how could this have been released like that?
jkcorrea
(slightly OT): Has anyone been able to replace Notion with Obsidian in a work/team context?
I find there's just enough missing around collaboration/permissions/sharing that makes Obsidian a non-starter for work, even for the small team I have. It also seems to feel a bit more "scary" for non-technical users to onboard onto than Notion.
And if I can't use it for work, I'm not going to use it personally because I don't want to juggle multiple notetakers.
I imagine Obsidian is way more efficient for sharing context between you and agents, and I wish I could take advantage of that, but I also need to be sharing that context with my team.
aucisson_masque
I think that plugins are an inherent risk; there is a pop-up in Obsidian warning the user before enabling them, and it's up to the user to agree or not.
In my opinion, what could have been done is something like what Mozilla does, where it vets some of the most popular extensions, so that you know there is at least some kind of verification on those extensions, and lets everything else be wild.
I'm not sure that you can use AI to defeat AI; if an AI is able to spot malware in code, it can just as well hide it (from itself).
dakiol
I want to use Obsidian... but I won't as long as it's not open source. I know I can keep all my files as plain text, but that's not enough for me. Using a KB on a daily basis shapes my workflows and having to change that from one day to another (e.g., because maybe Obsidian changes in a way I don't like) is too much for me. I could already handle all my plain txt files using simply the file system, but of course I would prefer a KB program. It's a shame because Obsidian looks great.