My only real problem with Salt vs Puppet is its security model for files stored in the manifest. Puppet's fileserver supports per-node export configuration, allowing for node-private file distribution. Salt, on the other hand, exposes all files to all nodes at all times.
How Puppet does it
# fileserver.conf [mount_point] path /path/to/files allow *.example.com deny *.wireless.example.com [private] path /data/private/%h allow *
How salt could do it
# file_roots.sls file_roots: base: - /srv/salt - /srv/salt-example.com: - allow: *.example.com - deny: *.wireless.example.com - dev: - /srv/salt/dev/services - /srv/salt/dev/states prod: - /srv/salt/prod/services - /srv/salt/prod/states
file_roots: base: - /srv/salt *.example.com: - /srv/salt-example.com