
Sandstorm Oasis Is Shutting Down - kawera
https://sandstorm.io/news/2019-09-15-shutting-down-oasis
======
anderspitman
Sandstorm is one of the coolest pieces of tech I've come across in the last
few years. Not just on a philosophical self-hosting level, but also a
technical level (capnproto is awesome). I'm working on a product right now
that is heavily inspired by Sandstorm.

In my opinion the one thing that makes it hard for sandstorm to grow is the
requirement that apps have to specifically be modified to work on the
platform, and it never reached critical mass of developers building in
sandstorm support to their apps. So it's essentially a chicken-and-egg
problem. I'm not sure what the solution to that is.

I would love to read a pseudo-postmortem (I refuse to believe this heralds the
death of sandstorm) by @kentonv about what he thinks the main challenges of
getting to a truly decentralized world are, how sandstorm plays in, and where
we go from here.

~~~
kentonv
> In my opinion the one thing that makes it hard for sandstorm to grow is the
> requirement that apps have to specifically be modified to work on the
> platform

This is true, though of course without that requirement, Sandstorm wouldn't be
able to do what it does.

More broadly, I think the challenge we have today is that we've settled into a
local maximum way of doing things that we call "Cloud Architecture" and
"Software as a Service". The industry has spent many billions of dollars
exploring and optimizing this approach. Even open source developers are
designing their little apps using hyper-scalable techniques because they think
that's what they're "supposed" to do -- never mind that such architecture is
actively hostile towards small-scale self-hosting.

I think the Sandstorm approach -- which is essentially "distribute apps to
people's personal servers the same way you distribute apps to phones today"
\-- would be vastly preferable (both to users and developers), _if_ it had the
same level of development and investment.

We can't just invest $100B upfront to build the new world, so instead we need
to find an incremental strategy to get there. That's the hard part. Sandstorm
tried to harness the investment already being made by "indie" / open source
developers. We got a long way with not very much money! But the indie motif
didn't exactly give us enterprise credibility, or any other way to sustain the
company.

My new hope is that "mainstream" cloud infrastructure will push towards being
incrementally more and more decentralized on a technical level, because of the
technical advantages that brings... If your software is designed to run as a
million little servers rather than one huge one, then a company like
Cloudflare (my current employer) can go deploy it to literally hundreds of
locations around the world for huge savings in latency and long-haul
bandwidth, better reliability, etc. Then once apps are designed that way,
maybe, just maybe, it'll be easier to flip control of code execution and data
away from the vendor towards the consumer? But obviously there's a long way to
go to get there.

~~~
sitkack
There are a bunch of us out there that still believe in the vision. You were
just too early. This needs some sort of WRT54G kinda moment, synology or ???,
you needed to have a last mile partner or a host (vpn in to services). I
thought containers were going to take over cloud in a pervasive way and it
hasn't happened yet.

I can't say thank you enough for what you have done. None of this was a
failure.

~~~
gbear0
I just found out about this project from this post, and I've spent my whole
night reading up on it and the ecosystem and its past. I LOVE the vision and
was so excited to read about it, but then sad to realize I'm joining the party
too late. It's been a roller coaster of a night.

I think the most important piece of tech that Sandstorm was working on was the
capability based security and the powerbox concepts (which I recognized as
being similar to Android's capability apis but for the web). I don't see the
decentralized data or local servers being an easy sell any time soon, but I
can see the capabilities security working really well within the browser, and
more importantly with existing SaaS ecosystems.

If we could get a new browser API for websites to offer to register available
APIs for jsonschema based type defs through a manifest file, then users could
allow those APIs to be included in their local browser registry. Other pages
could request (or offer) data from those APIs, and with the user's permission,
the browser could do the necessary oauth handshake and use the API, passing
data to/from another service in a secure way behind the scenes.

As well since it would be a browser API, a webpage looking to call an API
would be able to request provider info and show the appropriate in-app UI for
selecting a service, which sounds like one of the problems Sandstorm had.

No one would have to worry about whether they implement a dropbox api or
onedrive api, the page would just have to show the 'file service' selector and
call the user selected api with a file. So I'd expect every SaaS out there
would jump at the chance to provide an easy access way for users to use and
pay for their service.

Furthermore, the browser could provide external connectors as well so I could
have some native external app that registers a provider with the browser,
allowing me to send my in browser data to an external native app (or vice
versa). For example right click menu on a .drawio file and send to DrawIO or
send to the currently opened Google Slide. Or send a contact from your fav web
contact manager to the your native Skype app. Seriously I can think of so many
uses for this! And it fits in perfectly with the existing file or clipboard
apis as well.

I hope someone sees this excited rant and can make it happen! :)

I also really do hope the work that's been done in Sandstorm continues on and
pushes things further for all of us. Thanks!

~~~
icebraining
I think that idea was the concept behind WebIntents/WebActivities, which were
explored by the Chrome team and by Mozilla. Efforts seem to have stalled,
though.

[https://en.wikipedia.org/wiki/Web_Intents](https://en.wikipedia.org/wiki/Web_Intents)

~~~
gbear0
Thanks for the link!

Ya this looks like it could've definitely fit the bill. Too bad it never took
off. And worse yet, both major browsers tried their own version and neither
took off.

This just seems so easy an idea to get on board with, like VSCode solving the
n-to-1 problem with their language server api. I don't understand why it
fizzled out.

------
akkartik
My reaction after reading this is that if it's too much burden for the
original author to keep up with updates, it's very hard to make a case for
people to self-host their own services using Sandstorm. Upgrade effort will
now get multiplied many-fold as everybody has to duplicate the effort that one
maintainer was putting in.

Sandstorm is an amazing project, and the people who built it are way better
programmers than me. But I'm betting that we need to go even deeper and think
about why the maintenance burden for software is so high.

[https://github.com/akkartik/mu#readme](https://github.com/akkartik/mu#readme)

This is a very long-term project, and it's still early days. But none of the
short-cuts seem to pan out. It makes me sad, and it stiffens my resolve.

~~~
kentonv
> My reaction after reading this is that if it's too much burden for the
> original author to keep up with updates, it's very hard to make a case for
> people to self-host their own services using Sandstorm. Upgrade effort will
> now get multiplied many-fold as everybody has to duplicate the effort that
> one maintainer was putting in.

That's not correct.

Self-hosted sandstorm is completely auto-updating. You don't have to do
anything. I still have to push updates periodically, but I intend to keep
doing that. After I push an update, all Sandstorm servers update themselves
automatically within 24 hours.

Updating Oasis was, ironically, _much_ more work for me than pushing an update
to self-hosted sandstorm. Oasis is built on a much more complicated cluster
architecture designed to be scalable -- scale that, sadly, we never actually
needed.

~~~
garganzol
Kenton, pardon my hyperactivity, but here is a couple of observations you may
find useful:

>Oasis is built on a much more complicated cluster architecture designed to be
scalable

You could dog food Oasis on top of Sandstorm. For example, Oasis could be a
Sandstorm app and use Sandstorm services. In this way, you could feel very
closely where and when Sandstorm is lacking. And once you fix or invent those
parts, the results would be available to all of your customers, and not
exclusively to Oasis. This would shift the laborious spot from Oasis to
Sandstorm, and would allow you to open up the enterprise gates.

The second observation is a model of sales. You sold a "decentralization
idealism" as you coined it, but with an optional central place like Oasis. In
my opinion, this offering represents a natural conflict and is not destined to
work in a sustainable way. Why not sell a good old license for
advanced/enterprisey features? Oasis would be a great add-on to that model for
those who wanted to rent the resources. And yes, exclude the free tier from
Oasis to make things fair.

~~~
ocdtrekkie
Oasis is running Blackrock, which is basically a cluster architecture version
of Sandstorm. And while it was originally an enterprise/paid offering only,
Blackrock is also now open source. However, Blackrock was really never built
out as far as intended, and really only runs on Google Cloud.

There's a fair bit of history you may not be aware of. For instance, the
payment system used to be part of Blackrock, but then was moved over to
Sandstorm when it was open sourced so you didn't need to run Blackrock to sell
subscriptions to a Sandstorm server. And there used to be paid-only features,
but when Sandstorm-the-company ran out of money, they were made free as well.

------
garganzol
Back in the day I approached Sandstorm by email and asked if they could
provide an Enterprise/Server edition of Sandstorm (hosted apps with
stable/customizable endpoints, authentication and stuff).

I directly communicated to them that we are ready to shell out something like
$2,000 per license.

The answer by Kenton surprised me. He told they are aiming to get the consumer
market first. Which is a bit odd, given the server is where the money is.

Enterprises of all kinds already have their hierarchies of customers.
Moreover, they are in a constant need of a simple but highly efficient server
platform (see Kubernetes of a future). It would be a much easier sell to them.

~~~
kentonv
You must have caught us early on, when our focus was more on attracting
developers than attracting users. Later on we were trying very hard to find
enterprise customers who would pay us something like $2000.

------
ocdtrekkie
As a big Sandstorm user and contributor this is a pretty sad day for me, I've
found using Oasis to be pretty darn convenient. But I'll be setting up my
selfhosted version this fall. Sandstorm hasn't seen a ton of improvement over
the past year but that hasn't been a bad thing: It's been a consistent and
rock solid product I can rely on whenever I need it.

------
phoe-krk
Insightful sentence:

> While Sandstorm was popular on Hacker News, that popularity never really
> converted into paying users.

------
jimmcslim
I alway felt that Sandstorm would be an ideal project for one of the NAS
vendors like Synology, QNAP, or Netgear to get behind.

------
unityByFreedom
This is one of the coolest, boldest concepts I ever saw, and put forth by an
extremely capable programmer and human. I look forward to hearing more from
Kenton in the future.

------
orblivion
Kenton - You say we shouldn't rely on you to safeguard our data. How does this
affect security updates? As it is, I don't put awfully sensitive things on
there anyway because Linode still has access to it. But it would be good to
know where to draw the line. I'm hoping that since you rely on it for email,
you're gonna do basic security hole plugging at least?

Thanks as always in either case. Hoping it somehow gets new life down the line
after this!

~~~
kentonv
Yes, I plan to continue pushing security updates for Sandstorm as I have been
for the last five years, and self-hosted Sandstorm is very good about auto-
updating.

Meanwhile, with a self-hosted server, you get better security (compared to
Oasis) due to the fact that only you and people you authorize can install apps
on that server. For even more security you can of course put it on a private
network or behind Cloudflare Access[0] for extra defense-in-depth.

Note: I don't rely on Sandstorm for email yet, because Sandstorm doesn't have
good email support currently... but I'd like to build that support, because
I'm getting really uncomfortable with gmail.

[0] [https://www.cloudflare.com/products/cloudflare-
access/](https://www.cloudflare.com/products/cloudflare-access/) \--
Disclosure: I work for Cloudflare.

------
kissgyorgy
Wow I started to implement essentially the same thing for small businesses, I
did not know about Sandstorm. Does this means this is a bad idea?

~~~
teleclimber
I asked Kenton V about the reasons for the failure of the business. You might
be interested in his reply[0].

My 0.02: I'd interview your target market to find out if this is a pain point
they recognize. Many of these projects are started out of decentralization
idealism (for good reason, and it's not a bad thing), but as a business you do
not want to be left having to educate your potential buyers about why they
need this.

[0]
[https://twitter.com/teleclimber/status/1173345736013910017](https://twitter.com/teleclimber/status/1173345736013910017)

~~~
anderspitman
Agreed. You shouldn't have to explain someone's problem to them. Ideally when
you present a good solution they will immediately match it to a pain point
they're already experiencing.

~~~
kentonv
To be fair, we didn't try to go around selling businesses on "decentralization
idealism"; that would obviously be silly.

Plenty of enterprises already need to self-host services, for compliance
reasons (ITAR, FISMA, HIPAA, FINRA, GDPR, national data locality laws in
Germany, Russia, China, South Korea, and others), or sometimes even just
paranoia. The need is very much there.

But, like, we literally didn't know where to start. Pick up a phone and just,
like, call people? Apparently that's how sales works but I'm sure as hell not
the person to do it. I hate it when people call me! How could I call someone?
So we didn't call anyone, and mostly hoped that fans on Hacker News would go
sell Sandstorm to their IT departments for us. That was dumb and didn't work.

~~~
mnutt
There's a bottoms-up path that some enterprise saas companies have taken
(Slack, Airtable come to mind) where employees/departments just start using it
to get stuff done and eventually IT finds out about it but by that point it's
ingrained enough where IT signs a contract just to try to rein in all of the
one-off spending and data leakage. But for that to work I think the apps would
have to have above-and-beyond appeal to individual employees whereas I think a
lot of sandstorm's appeal is to the organization itself.

~~~
kentonv
Yeah, exactly. We tried to follow that model, but Sandstorm really wasn't
prepared for it, because Sandstorm apps weren't actually better than cloud-
based alternatives and so there wasn't a motivation for employees to adopt
them.

------
sansnomme
A week ago I mentioned that it was half dead, guess this is the final nail in
its coffin.

[https://news.ycombinator.com/item?id=20933849](https://news.ycombinator.com/item?id=20933849)

~~~
ocdtrekkie
My hope is that someday we'll see a resurgence of development for it, or the
creation of something new like it. A lot of open source projects have survived
on a very slow burn for a very long time, only to show up again later.

What's truly unfortunate, is Sandstorm was massively ahead of it's time: A lot
more people are willing to understand the need for Sandstorm today than they
were just a few years ago, when Sandstorm was an active development project. I
feel like if Sandstorm had launched in 2019, it'd have enjoyed a lot wider
support than people were ready for in 2014.

~~~
ben_jones
There will be a continual need to "hold your own corner" of the internet
(self-hosting common services) as it becomes even more segmented by Google,
Facebook, and advertising companies like them.

------
simplehuman
as an alternative, cloudron.io is a good way to run apps on your own server. I
think one of the main differences is that the app packages are regularly
updated and maintained. And it uses docker, so a bit easier to sort out
problems.

~~~
filmgirlcw
It also costs $30 a month if you want to use it with more than 2 apps. And I
think Cloudron is an excellent project and I would be happy to pay, but paying
3x or 6x the cost of my VPS for an easier way to run apps is just too rich for
my blood.

------
slezyr
[https://sandstorm.io/install](https://sandstorm.io/install)

> Alternatively, you can let us run the server for you: Use Sandstorm Oasis

They still have this remark on install page.

~~~
ocdtrekkie
There's probably several references to signing up for Oasis on the website
yet. They'll all get purged with time.

------
AlchemistCamp
This is sad. But there is still hope. Open source is _very_ hard to kill.
Anyone, anywhere can take up the mantle and Sandstorm will go on.

------
ykevinator
What is it?

~~~
ocdtrekkie
Sandstorm is an open source platform for web apps. Basically instead of having
to host a bunch of different servers for different web apps you want to run on
a server, they're packaged and installed in a way much like you'd install and
run apps on your phone. Just, on a web service.

For me it entirely replaced Google Docs (using Etherpad and EtherCalc) and
Trello (using Wekan) in particular. I'm also super dependent on it for my RSS
reader with Tiny Tiny RSS. Everything on it you could host yourself
individually, but it's easier and more secure via Sandstorm.

~~~
ChristianBundy
I read the article, but I'm still unclear on what "Oasis" is. Is that what
they call their free offering?

~~~
Godel_unicode
[https://oasis.sandstorm.io](https://oasis.sandstorm.io)

"""Sandstorm Oasis is hosted by the Sandstorm team. Sandstorm is open source;
you can host it on your own server."""

------
underdeserver
Sounds like awesome tech with a bad sales plan. Would you consider selling?

~~~
kentonv
The tech is all open source. Anyone is free to try to make a business out of
it (under a new name), no need to buy from us.

------
test1979
Thats sad news

------
redshirtrob
Never heard of them. June 31, 2020? I'm guessing this is a weird leap-year
bug.

Dates are hard. Use a library. Always.

~~~
kentonv
No it's just me, a human, being an idiot and forgetting how many days are in
June. Fixed now.

~~~
redshirtrob
Fair enough. I'm glad you fixed it.

