by iLoveOncall 1244 days ago
With such a huge load of new features in such a short lapse of time, I wonder about the quality of the code.

I quickly glanced at the GitHub repository and basically couldn't find any test for example.

It'd be fine for any other startup, but this is something hosting seriously sensitive data and I feel like the focus is not right.

Any considerations about security you can share?


> Any considerations about security

The copy on their website is somewhat non-committal on this:

> Infisical uses end-to-end encryption (E2EE) whenever possible [...] it makes no security guarantees for malicious events that can occur beyond its control [...] we do our best to maintain platform privacy and security [...] we will be adding more opt-in security measures
>
> -- https://infisical.com/docs/security/overview

Don't get me wrong - I do prefer honesty over empty promises and hot-air, but the above caveats seem worded as if intended for a legal document, rather than copy selling your product.

As for the code - on a cursory scan it's three apps: a CLI written in Go, a frontend on Next.js, and the backend is a Node.js Express server backed by MongoDB, with 1042 transitive NPM package dependencies. That doesn't indicate anything in and of itself, but it's a lot of surface area (and growing if their README roadmap is anything to go by).

None of the above is a major red flag though - certainly things one would expect (& much much worse) from any closed-source competitor (just those don't have the transparency to check it out yourself). Yes, the focus does seem to be on feature addition & iteration rather than instilling confidence in a solid, secure core, which is a bit of a pity, but all that said it would take much more than a cursory glance to audit properly, and they've stated they intend to have a full professional independent audit this year, so probably best to just wait for that. The fact it's open-source out of the gate is extremely promising.

100% going to keep an eye on this.

Thank you so much for this!

I agree with all of your points. This phrasing is just something we need to write for legal reasons - if you check Vault, you will see that they have similar words in their TOS.

We are currently still in public alpha - with time, Infisical will become more stable and the security measures taken will only improve from here on! As we mentioned earlier, we do want to go through the security and compliance audits this year.

We will be working on reducing the number of dependencies - stay tuned!

If you are interested, please join our Slack community to stay updated: https://join.slack.com/t/infisical-users/shared_invite/zt-1k...

I would say the quantity of the features does not mean that their quality is bad. We are very grateful to our open-source community for helping us out with many of these features (e.g., custom environment names were developed fully by one of our contributors, Akhi - https://github.com/akhilmhdh).

Quality of the code is something that we care about increasingly more as we go further. We currently have a huge frontend revamp in process that will make the code much more organized and clearer.

Tests are also something that we are going to add very soon! Currently all the testing is manual - but I must say it's a pretty extensive process, so the quality of features is maintained.

> Tests are also something that we are going to add very soon!

Famous last words.

I used to say this for years before we finally got around to it, but at that point it had become such a chore (and the team so used to not writing them) that it took much longer than necessary to add any.

Start while you still can.