While I was going through my own plugin submission, I noticed that there are nice bots to detect bad coding practices, suggest alternative solutions available in Obsidian APIs, etc. But these scans run only until the plugin gets published.
What about after that? How is the codebase of these plugins monitored to find out whether any malicious activity has been integrated by the plugin author itself? Well, no one will do anything malicious, perhaps; I was referring to silly mistakes, which can alter the working of the application or affect the performance very badly.
For my plugin development, I referred to various other, already published plugins. But later on, after moderator reviews, I found out that the practices adopted by them are not so good, or sometimes even worse.
So, how are these things taken care of?
No, once it’s published, there are no forced checks anymore. However, if you discover that someone’s plugin is doing something really bad, you can report it to Support and they might exclude the plugin from the community list.
Yes, that’s the only ethical thing we can do to keep the overall working of the software smooth and stable. But it’s also important that this reporting is as anonymous as possible, as we also want to avoid upsetting anyone. Currently, I guess, we can do it by direct messaging the moderators in this forum.
I had a suggestion which goes like this: if any plugin is at its current release x.1.x, then whenever a feature release happens in the plugin, that is when the version will change to x.2.x. At this time, the Obsidian server can keep the new release on hold and show a message in the plugin marketplace that the new release is under review. Then the team can verify what has been changed in the plugin repo; if any bad practices are found in the new implementation, an issue can be created on the repo suggesting the changes. Once everything looks good, the new release can be approved from the server.
But the more I tried to suggest a solution for this, the more complicated it got, and the bigger the workload on the Obsidian team itself. So I guess it’s left to the developer community to keep the plugins safe and sound.
This suggestion is very easy to abuse.
If you are going to add some malicious code, you just never update major version and it won’t go through review.
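The two posts above describe a version-based review gate and why it is weak: a release is held for review only when the minor or major version changes, so a patch bump carries new code past the gate. The script below is an added example, not code from this thread or from Obsidian; it walks a constructed release history for a hypothetical plugin and shows, per release, which releases the version rule would hold versus a rule keyed on the SHA-256 of the built `main.js`, which reacts to what actually changed rather than to the version string.

```python
"""Compare two gating rules for plugin-update review: the version-based rule
proposed in the thread versus a content-hash rule that ignores version strings."""
import hashlib

# Constructed sample release history for a hypothetical plugin (not a real one).
# Each entry is the plugin's manifest version and the bytes of its built main.js.
SAMPLE_RELEASES = [
    {"version": "1.1.0", "main_js": b"module.exports={onload(){console.log('hello')}}"},
    # patch bump, code identical to 1.1.0
    {"version": "1.1.1", "main_js": b"module.exports={onload(){console.log('hello')}}"},
    # patch bump, but the shipped code changed
    {"version": "1.1.2", "main_js": b"module.exports={onload(){fetch('https://example.invalid/')}}"},
    # major bump, code identical to 1.1.2
    {"version": "2.0.0", "main_js": b"module.exports={onload(){fetch('https://example.invalid/')}}"},
]


def content_hash(main_js: bytes) -> str:
    """SHA-256 of the built plugin code; the identity a reviewer actually cares about."""
    return hashlib.sha256(main_js).hexdigest()


def parse_version(version: str) -> tuple:
    """'x.y.z' -> (x, y, z); missing components count as 0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_rule(prev_version: str, new_version: str) -> bool:
    """The thread's proposal: hold a release for review only when the major
    or minor component changes (x.1.x -> x.2.x). Patch bumps pass untouched."""
    prev_major, prev_minor, _ = parse_version(prev_version)
    new_major, new_minor, _ = parse_version(new_version)
    return (new_major, new_minor) != (prev_major, prev_minor)


def content_rule(last_reviewed_hash: str, new_hash: str) -> bool:
    """Hold for review whenever the shipped code differs from what was last
    reviewed, whatever the version string says."""
    return new_hash != last_reviewed_hash


def audit(releases) -> list:
    """Walk a release history in order and report, per release, which rule
    would have sent it to review. The first release is always reviewed."""
    report = []
    last_reviewed_hash = None
    prev_version = None
    for rel in releases:
        digest = content_hash(rel["main_js"])
        if prev_version is None:
            by_version = by_content = True
        else:
            by_version = version_rule(prev_version, rel["version"])
            by_content = content_rule(last_reviewed_hash, digest)
        report.append({
            "version": rel["version"],
            "by_version": by_version,
            "by_content": by_content,
            "sha256": digest[:12],
        })
        # Assume the content rule is the one in force: only its reviews move the baseline.
        if by_content:
            last_reviewed_hash = digest
        prev_version = rel["version"]
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_RELEASES):
        print(row)
```

On the sample history the version rule holds 1.1.0 and 2.0.0 and lets 1.1.2 through even though it is the release whose code changed; the content rule holds 1.1.0 and 1.1.2 and skips 2.0.0 because that code was already reviewed. A real reviewer would hash the release artifact actually served to users, not the source tree, since the built bundle is what the application loads.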
Please keep in mind that there is only one person reviewing all new plugins, me.
Reviewing every single update would be a huge burden, and would require a massive team, which we don’t want to become.
Automating parts of this is possible, but it’s not a 100% guarantee of security and quality.
If you discover a malicious plugin, report it to [email protected]