Pico.sh – SSH powered services for developers

Abuse, moderation, and compliance costs

  • Users immediately question how “upload your static site” avoids illegal content.
  • Some argue content moderation is extremely hard and the true reason many cheap hosts aren’t really sustainable.
  • Others say it’s manageable even for small orgs using modern ML classifiers, which are light enough to run on commodity VPS CPUs.
  • Pico states they run ML models to detect illegal content, use internal admin tools, ban quickly, and publish clear abuse/content policies.
  • Debate whether this is really different from any other $2–$6/mo shared hosting or cheap VPS, which already host plenty of potentially illegal content.

Pricing, sustainability, and target audience

  • Many praise the $2/month price as “fun” and low-friction, making experimentation easy vs typical $10–$15 subscriptions.
  • Others worry it’s unsustainably low; support costs in SaaS can dominate and usually push pricing much higher.
  • Counterpoint: this audience (SSH-using devs) is likely low-touch support; simple infra can run cheaply, especially with careful architecture.
  • Co-founders say: there’s a free starter tier, $2+ for extra features; goal is to compete with a $5/mo VPS, target individuals/small teams prototyping, not enterprises, and treat it as a side project they themselves want.

Infrastructure, bandwidth, and regions

  • Discussion that bandwidth is inexpensive at non-hyperscale hosts (e.g. Hetzner) vs major clouds.
  • Commenters infer some infra uses Oracle Free Tier (10TB/month fits); founders confirm multi-cloud and list regions (US/EU).
  • Bandwidth review at 10TB cap raises “what happens then?”; no detailed process described beyond manual review.

SSH access, tunneling, and corporate firewalls

  • Many tips for tunneling SSH over nonstandard ports (443, 993), HTTPS, or corporate proxies; some mention DNS tunneling.
  • Note that modern NGFWs can detect SSH protocol regardless of port, limiting these tricks.
  • Pico’s tunnel service can expose local services (including databases) over SSH with auth; internally it uses a custom daemon and Unix sockets.

Security, TOFU, and trust

  • Host keys are published over HTTPS for out-of-band verification; some argue this goes beyond classic TOFU, others say it’s still weak in practice.
  • Concerns: onboarding docs don’t strongly steer users to verify host keys, encouraging “yolo” SSH on untrusted networks.
  • Broader critique that SSH is ill-suited as a mass-signup app platform due to MITM and phishing-style risks.
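
The out-of-band check discussed above, as an added example (not code from Pico or from the thread): it computes the OpenSSH SHA256 fingerprint of a scanned host key line and accepts the key only if that fingerprint is in the set published over HTTPS. The host name, both keys and the published set are constructed sample values.

```python
import base64
import hashlib
import struct


def make_ed25519_line(host, raw_key):
    """Build a constructed 'host keytype base64' line, the shape ssh-keyscan prints."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint(line):
    """Return the OpenSSH SHA256 fingerprint of a scanned host key line."""
    _host, declared_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    # The blob starts with a length-prefixed key type; it must match the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != declared_type:
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints unpadded base64 after the "SHA256:" prefix.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_published(line, published):
    """True only if the scanned key's fingerprint is in the out-of-band set."""
    return fingerprint(line) in published


# Constructed sample data: the key the real server would present, and a
# different key an on-path impostor would present for the same host name.
GENUINE = make_ed25519_line("host.example", bytes(range(32)))
IMPOSTOR = make_ed25519_line("host.example", bytes(32))
# Stands in for the fingerprints read from the operator's HTTPS page.
PUBLISHED = {fingerprint(GENUINE)}

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        verdict = "accept" if host_key_is_published(line, PUBLISHED) else "REJECT"
        print(label, fingerprint(line), verdict)
```

Only a key that passes this check belongs in known_hosts; accepting the first-connection prompt without the comparison is the plain TOFU case the thread criticises.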

Features, positioning, and comparisons

  • Users like the SSH-first workflows: static site deploys via rsync/scp/sftp, prose.sh for blogging, tuns.sh for tunneling, pastes for pastebin.
  • Some want Netlify-like extras (e.g. form handling for static sites); maintainers say they’re considering it.
  • prose.sh is explicitly inspired by Bear Blog’s minimalist, no-JS aesthetic; pgs.sh is framed as Netlify-like for static hosting.
  • Comparisons made to sr.ht, SDF, and GitHub Pages + Cloudflare; some note Cloudflare Tunnels offer similar functionality for free.

Open source and self-hosting

  • Several people want to self-host, especially the pastebin; maintainers confirm everything is open source and link the repos.
  • Under the hood, they’ve migrated from Wish/Bubbletea to Vaxis for TUIs; tunneling builds on the sish project.

UX and documentation issues

  • Reports of TUI quirks (focus issues on buttons, token/key creation needing Tab, fish shell oddities); maintainers acknowledge and plan fixes.
  • Confusion around rsync --delete support due to contradictory docs; clarified as supported and docs to be updated.
  • Some users struggled to find pricing; navigation was adjusted (“pico+” renamed to “pricing”).

Code of conduct and content policy concerns

  • One commenter objects to the “hate speech” and harassment clauses in the CoC as overly broad and potentially abusable, especially in current political climates.
  • No detailed response in-thread on how those rules are interpreted or enforced beyond the general moderation stance.

Trust and data exposure via tunnels

  • A user worries about compromise risk when exposing localhost services through tuns.
  • Pico notes they technically can subscribe to any tunneled stream but state they only inspect for illegal activity; they caution that you should not fully trust any external service.