How do folks here handle security, when it comes to plugins?

It’s an open question, meaning, I’m genuinely curious about the practices of anyone: users, devs, and dev-users :slight_smile:

Why? Partly to discover related behaviours which I myself should be doing, or at least considering doing.

Also, partly, because I’ve found this type of open discussion useful, eye-opening, and (sometimes) entertaining in community-heavy projects like this.

To get things started, here’s a thing I do related to plugins.

Before installing the plugins I currently have installed, I had a quick skim through each one’s source code.

Since that first install, I have not updated the plugins at all :sweat_smile: I would find it too much effort to repeat the process with each update.

1 Like

Since I don't have time to skim source codes, I do this ;

  • on my general Joplin profile I do only use recommended plug-ins, stay away from all other
  • and I have a second (truly separate) profile for sensitive notes which runs on a copy of Joplin without any plug-ins installed at all.
    This is probably overly cautious, but it works for me.

Yep, using the Recommended badged plugins are another thing I remember doing.

probably overly cautious, but it works for me

One does what one prefers to do :+1:

For example, I use an outbound firewall around Joplin and whitelist a single IPv4 address used for sync. Some might also find this overly cautious.

I’m grateful that Joplin’s outbound connections are easier to manage compared to, say, Standard Notes. On Standard Notes, IIRC functional sync required whitelisting several IPs. I think Standard Notes’ plugin ecosystem is more limited, although I can’t speak to their specific plugin security model.