
system7rocks | 5 months ago

I’ve been using other apps than Obsidian for notes and sharing, so this is nice to read and consider. But isn’t Obsidian an electron app or whatever? Electron has always seemed resource intensive and not native. JavaScript has never struck me as “secure”. Am I just out of touch?


anon7000|5 months ago

JavaScript is a very secure language. The browser is a massive success at running secure JavaScript on a global scale. Every website you use is running JavaScript and not able to read other site data. Electron is the same, running v8 to sandbox JavaScript. Assuming you aren't executing user input inside that sandbox (something many programming languages allow, including JS), it's very secure.

The problem with supply chain attacks is specifically related to npm, and not related to JS. npm as an organization needs to be taking more responsibility for the recent attacks and essentially forcing everyone to use more strict security controls when publishing their dependencies.

asgraham|5 months ago

Doesn’t this mean browser sandboxing is secure, not JS? Or are you referring to some specific aspect of JS I’m not aware of? (I’m not aware of a lot of JS)

It’s maybe a nit-pick, since most JS is run sandboxed, so it’s sort of equivalent. But it was explicitly what GP asked for. Would it be more accurate to say Electron is secure, not JS?

0manrho|5 months ago

None of this makes or is a result of the language js (being) secure. Security is far and away predominantly a matter of how it's used, not a character of the language itself. "Safety" helps, but you can still easily write and package unsafe and insecure code in "safe" languages like rust, just as you can in C, JS, python, etc etc etc.

burnt-resistor|5 months ago

> JavaScript is a very secure language.

I almost fell out of my chair laughing. Thanks for the comedic relief.

system7rocks|5 months ago

I need more evidence to believe this.

dghlsakjg|5 months ago

Javascript is probably one of the most used, depending on how you measure it, languages on earth.

It runs on a majority of computers and basically all phones. There will be many security issues that get discovered by virtue of these facts.

What makes you think that "native" apps are any more secure?

burnt-resistor|5 months ago

Nit: "Earth" is the proper noun for the planet most of us live on, "earth" is dirt.

CuriouslyC|5 months ago

Not a huge electron fan (thank god for tauri), but Obsidian is a fantastic app and you shouldn't let the electron put you off of it. You can even hook a MCP up to it and an agent can use it as a personal knowledge base, it's quite handy.

codazoda|5 months ago

> Thank god for tauri

I’d love to try it, but speaking of security, this was the first thing I saw:

sh <(curl https://create.tauri.app/sh)

da_chicken|5 months ago

No, it's not really an issue. GitHub and VS Code are also Electron apps. So are Slack and Discord. Postman is, as well.

I'd also be forced to ask... what exactly are you doing with a markdown note-taking application such that performance is a legitimate concern?

But, I mean, maybe you're reading this in a Lynx session on your ThinkPad 701C.

eviks|5 months ago

> what exactly are you doing with a markdown note-taking application such that performance is a legitimate concern?

Launching it and expecting a fast startup.

GabeIsko|5 months ago

If you have to render html, which is what markdown ultimately becomes, you might as well use a web browser.

tester457|5 months ago

It is resource intensive.

It's not a problem on pc, but an obsidian vault with thousands of notes can have a laggy startup on mobile, even if you disable plugins.

Users sidestep this issue with quick capture plugins and apps, but I wish there was a native stripped-down version of obsidian.

SilverSlash|5 months ago

Javascript is a lot more secure than C++, since it's a memory managed language.

otabdeveloper4|5 months ago

Buffer overflows are 0.001 percent of security incidents in practice.

Let's fix private key leakage and supply chain issues before worrying about C++ haxxors p0wning your machines.