The launch of Phase, an open-source secret management tool, received positive feedback for its ease of use, GitHub and AWS integrations, and potential to streamline workflows and improve team productivity. Users are excited about its password-sharing solution and CLI secret management. Questions arose about differentiation from tools like Infisical and Doppler, security concerns related to the open-source nature of the tool, and the need for robust encryption. Some users suggested implementing features for SSH key management and requested more information on integrations and security measures.

Users expressed significant concerns regarding the product's security due to its open-source nature, questioning data safety, breach handling, and potential loopholes. Comparisons to established tools and differentiation were requested, alongside clarity on security protocols and workflow integration. Market saturation and management overhead were also noted as potential drawbacks. The security risks associated with open-source secrets management were a recurring theme.

Infisical's Product Hunt launch received overwhelmingly positive feedback. Users praise its open-source nature, security features (including end-to-end encryption), efficiency in secret management, and seamless integrations. Many are excited to use it for managing secrets and environment variables across teams and environments, highlighting it as a single source of truth. Users appreciate the detailed documentation and the team's work. Several comments express excitement about the launch and congratulate the team, with some users migrating from Doppler.

The Show HN product received mixed feedback. Users praised the idea and ongoing improvements but raised concerns about security, code quality, and the MongoDB dependency. Some suggested alternative solutions like SecureStore. The product's monetization and open-source nature sparked debate on financial sustainability. Users were interested in features like multi-cloud support and simpler secret management, comparing it to Vault. Questions arose about documentation, encryption, and licensing. The need for early testing and clarity on GitHub repositories was noted. Pricing and the lack of SSO for self-hosted versions were also discussed.

Users criticized the product for its light secret management coverage, lack of tests, and security focus. There were concerns about non-committal security guarantees, a high number of dependencies, and the need for automated testing. The MongoDB dependency, licensing restrictions, and heavy network dependency were also noted. Skepticism about the project's sustainability without paid components, unclear documentation, and the complexity of setup were mentioned. Criticisms included the absence of SSO for self-hosted versions and limited functionality to only syncing environment variables.

Users expressed concerns about the lack of tests, security, and the open core model of the secret management platform. There was confusion over certain files and the use of terms like 'open source'. Some praised the platform's functionality and the founders, while others compared it to Hashicorp Vault and questioned its ease of use. The business model, pricing for security features, and SDK availability were also discussed. Positive feedback included appreciation for the landing page and fast responses, with interest in using the platform for specific projects.

Users criticized the product for lacking tests and having a codebase with all lines commented out, indicating poor engineering practices. Concerns were raised about insecure storage, complicated setup and maintenance of HCP Vault, and difficulty using Vault. The product's name was deemed hard to spell and not memorable. Criticisms also targeted the limitations of on-premise installations, the misleading open core model, and the confusion between open core and open source. Users questioned the Docker requirement, the absence of Java/Rust SDKs, and the unclear business model. The need to pay for security features like YubiKey two-factor authentication was also highlighted.

Users appreciate the product's ease of use, secure secret storage, and the fact that it doesn't require a dedicated system. The overall sentiment is positive and enthusiastic.

Users are debating the definition of 'self-hosted' in the context of an AWS-based secrets management tool, with many arguing that AWS hosting contradicts the term. There's confusion over the distinction between self-managed and self-hosted, and whether services like AWS Secrets Manager and SSM Parameter Store qualify. Some users prefer on-premise solutions or other AWS services like ECS, IAM roles, and Lambda for secret management. There's also a request for tools for diagrams and a general distrust in relying on opinions of random people.

Users criticized the product for misleading use of 'self-hosted' when it's solely on AWS, creating confusion about its definition and expectations. They expressed concerns over cloud-dependency, the risk of AWS changing or ending services, and the lack of hosting options beyond AWS. The website's basic information and absence of features like SSM parameter store were also noted. The audience's understanding of self-hosting and the project's success are seen as compromised by these issues.

Users criticized the product for lack of error details, a request failure with status code 400, potential for leaking secrets or doxxing, not meeting specific needs, irrelevance of pasting secrets in LLM chats, and missing bidirectional information preservation and automation.

Request for disclaimer on telemetry usage.

Lack of disclaimer on telemetry usage.

Users criticized the Show HN product for its AGPL license, which could deter adoption, and for unversioned URLs that compromise reproducible builds and increase supply-chain attack risks. Criticisms also include a misunderstanding of Go imports, difficulty in auditing submodule commit hashes, and missing replace directives. Additionally, users desired a more opinionated approach and noted a lack of documentation and comparisons to other tools.

Securelog is an open-source and free tool designed for developers to analyze secrets and API tokens. Its primary goal is to prevent the leakage of these sensitive credentials.

The main criticisms revolve around the growing codebases and issues that are often ignored with plans to fix them later. Additionally, there are concerns about how Securelog handles false positives and improves accuracy over time.

Useful for managing secrets without AWS CLI.

Dislikes managing secrets with AWS CLI.

The product launch received mixed feedback. Security flaws were pointed out, including weak password handling and use of `rand()`. Users inquired about unique features compared to LastPass and future development plans. Positive feedback included praise for the launch itself, and suggestions for improvements like a MacOS build and a better product description.

Critics highlight security concerns due to insecure cryptography practices, deeming the project irresponsible to promote. Users are unconvinced to switch from LastPass, citing a need for unique, compelling features. Furthermore, inconsistencies in the product description, the absence of a GitHub link, and the lack of a public roadmap raise concerns about transparency and future development plans.

The product received criticism for reliance on a single cipher, lack of authentication, and potential security issues such as vulnerability to cache-timing attacks. Users suggested looking at established libraries like BearSSL and libsodium. The code was considered hard to follow, and there was confusion about the combination of cryptographic methods. Some users questioned the value over existing tools like OpenSSL and PGP, while others were interested in testing the product. Concerns were raised about the developers' security training and the product's readiness for production use.

The Show HN submission has been criticized for lack of transparency and credentials, problematic single cipher and dependencies, being a hobby project, slow updates, unclear design, and security vulnerabilities. Users find the code hard to follow, with missing authentication and MAC, and confusion over public key signatures. The product is deemed not production-ready, with misleading claims about strong encryption. There are also concerns over the value compared to existing tools like OpenSSL and PGP, and the lack of authenticated encryption options.

Asks about using Substitution Cipher over Shamir’s Secret Sharing.

Questions preference for Shamir’s Secret Sharing.