I don’t know if Obsidan dev have think about that, but when the Obsidian plugins will open to public there will be:
- many noble developers
- as well as many who want to take advantage of the user data.
As the core philosophy of Obsidian hovering around:
- The user is in charge of his data
- Data that are locally stored
- User data are not stored on server or cloud
- User data are processed locally
- Obsidian works offline and locally
I can guarantee that there will be a huge amount of plugins & many that plugins will use advantage of non existing security check by Obsidian devs.
The Obsidian devs should ensure that privacy and security of the data will be not compromised by installing users plugins.
This cannot be outsource to the normal user…or simply just give warning: "this plugin may be security…bla bla… If the Obsidian should be secure database after releasing the plugins support, it is the Obsidan devs jobs to protect the users data. This can be archive in various way. Bear in mind that normal user have no option to check what the plugin is really doing! thus installing it is just matter of trust… this should be huge security concern for Obsidan devs. As I believe the Obsidian want to be around long time.
For this I’m writing some proposals:
- Official channel should be created with fixed template where developers can upload the plugins
- All other ways to install plugins should be closed (for now)
- Strict & mandatory information must be filled by developer (like image, compactibility, atd)
- Security checklist (made by obsidian devs) that developer must check what kind of access the plugin have
- Obsidian devs should have fully automated routine that will install the plugin when neew update to the app is made, and check if app can access: camera, read / write outside of vault, microphone access, atc…) - the devs should not really on information provided by developer regarding the security
- If the checklist made by developer and the information form security check by Obsidian script differ a lot, maybe even ban of the developer may be consider, as the developer concisely lie the user
- From “automated security audit” the PRIVACY SCORE should be generated
- Each update of the plugin the “automated security audit” should be executed and if something has change the PRIVACY SCORE should change accordingly.
- User can add comments to plugin