[tkfu]

Look, I think this might just be a little bit premature. Claiming that it's secure and fast because it's locally hosted is not convincing at all. "Secure" isn't convincing because you're asking me to run three docker containers worth of random code, and trust that random code with API keys/credentials to all my critical infrastructure. I have no way to know what your security practices inside those containers are. "Fast" isn't convincing either, with the need to run redis and mongoDB inside local docker containers being particularly unconvincing. The fact that there's no documentation at all (or at least, none that I could find) is the cherry on top.

Plus, what's up with only supporting running the containers on MacOS? That's really, really bizarre.

Basically, there are a number of signals here that prevent me from trusting you enough to even consider trying this out, even though it's quite possibly solving an interesting problem.

[nitish_mehrotra]

Hey Nitish here from the Kloudi! First of all thank you for your feedback.

Answering some of the questions you have asked.

- We are a small 2 people team so our approach has been to first get Kloudi out in the open and then figure out what parts of the code we want to open source and what licensing we need to have around that. But irrespectively if you find any security concerns, please feel free to reach out on nitish@kloudi.tech and we'll try to get it sorted as soon as we can. Also keep an eye out on https://www.github.com/kloudi-tech/ for more updates on this.

- Adding to your point on security, we keep all the keys to the tools that you connect with on your local system stored in Mongo hence a container for that. We use a Redis cache to speed up the response time for API requests hence another container for that.

- Documentation are WIP but meanwhile you can read some of the stuff that we have written on https://kloudi.substack.com/ It's more around our journey of building Kloudi, the problem and how we are planning to solve for it. Like I said before we are a very small team and documentations are WIP.

- Finally, we are only supporting macOS as of now because our electron based app currently runs only on this platform. We plan to gradually release support for other platforms eventually but till then we it is macOS.

[tkfu]

The biggest thing is about trust: you can tell me that you're following good security practices with my keys, but I don't have a good reason to believe you, and the signals you're giving off all point in the wrong direction.

jart's finding (in another comment below) that you're using fullstory in your electron app is probably the most damning; at this point I wouldn't ever consider even trying your product. Putting a keylogger in an app like this is evidence of careless engineering at best, and malicious intent at worst. Either one is disqualifying for a tool that would have access to so much of my critical infrastructure.

[nitish_mehrotra]

Hey completely respect your concerns.

We have built it for developers and understand the criticality of the data handled by the tools used by developers. We in no way want to give off an impression of mistrust or carelessness at the very least, but this sentiment seems to be resonating through out the comments section and as an immediate fix we have updated our app to have no fullstory in it .

Would it be possible for you help us pioneer these concerns. We are here to listen and work on it and would love to chat on our discord channel or over email. Thank you in advance!

[aparsons]

> We in no way want to give off an impression of mistrust or carelessness

That's exactly the point. You don't want to give off that impression. Nobody does. That's not some noble goal.

[debarshri]

Just to add to that, on self-hosted mode now you are responsible for an data infrastructure which you really didn't need before as the data was owned by the other SaaS providers.

[henvic]

For me the worst part is that the install routine is `curl | sh`.

[sneak]

It's a closed source, proprietary app that has spyware disclosed in the TOS (section 6.4). The method of installation is mostly irrelevant in light of that.

[debarshri]

Could you elaborate more about why it is a bad idea? I have seen homebrew install the same way too.

[henvic]

In short, you need to be careful how you package and distribute software (including updates) for a couple reasons related to security. Many distributors doesn't do it properly, but thankfully companies such as Apple and Microsoft are starting to be more strict about what you can run on their operating systems, requiring the developer to notarize the application, or have to ask the user to by-pass the safety mechanism.

I wrote an article telling how you can do that for Mac, Windows, and Linux almost a year ago: https://henvic.dev/posts/cs-security/