
Decentralization is about diversity - ingve
https://sandstorm.io/news/2016-08-17-decentralization-is-about-diversity
======
mnutt
This, to me, is probably the most interesting thing about Sandstorm as it
relates to open source web apps. Today, I can write an open source web app and
post it to github, but it takes someone with operational knowledge to deploy
and run it. (even if that's just "create a heroku account, create a new app,
git push" you still need to know something about development) But it feels
like open source web app distribution has been stagnant and possibly even a
lull since the wordpress/drupal/etc php heyday.

My hope is that Sandstorm rejuvenates open source and indie web app
development by providing a channel where end users can easily and safely run
random web apps they find.

~~~
djsumdog
I'm in the process of trying to set up some things I'd like to seriously try in
Docker containers (GNU Social and iodine for example). Now I want to try to
get Sandstorm working in a container now as well. :-P

Honestly though I was talking about this exact concept that Sandstorm has
implemented, a few years back. I was telling a buddy, "We have general purpose
desktop OSes where we install apps. Why isn't there a building-block type
server OS we do the same thing?"

Of course I'm sure like a million other programmers had that same idea, and
it's an incredibly difficult one. Sandstorm seems to have a C++ base with
JavaScript frameworks on top of it. I'll totally put it on my list of things
to try out.

The future is distributed.

~~~
erichocean
> _Why isn't there a building-block type server OS we do the same thing?_

Because everything is built on Unix as an OS abstraction. Even Windows (since
the early 2000s).

Consider: byte streams and file systems are less than ideal fundamental
abstractions in a distributed world.

IMO we won't have what you're seeking until we rethink what an OS should be in
an Internet-everywhere world. We're still using OS designs that predate the
Internet entirely.

~~~
spacelizard
It would be nice to see a future where all applications have some concept of
peer-to-peer networking and would be able to talk to each other. My hope is
that this leads to blurring the line between having separate architectures for
server, desktop and mobile apps, to the point where the only differences are
reflected in the physical limitations of the device.

It's interesting to see how modern public cloud businesses seem to have
borrowed a lot of their business models from old timesharing systems of the
70s. From there it's easy to analogize timesharing systems being killed off by
personal computers to cloud computing being killed off by personal cloud.

------
milansuk
I think decentralization is also about users owning/controlling their data. If
someone creates, e.g., a running app and I'm not able to easily move my old runs
to a new app, then diversity is nothing.

"Software must be provided as a package – not as a service – with each user
running their own private copy." This sounds like a going back to desktop
apps. Or am I missing something?

~~~
losvedir
> _"Software must be provided as a package – not as a service – with each
> user running their own private copy." This sounds like a going back to
> desktop apps. Or am I missing something?_

Yep, you're missing something: sandstorm is trying to be something like an
open source app store for _servers_.

I believe sandstorm can be run on anyone's server (or VPS). Then, you can
manage through its web interface (one-click install) various
sandstorm-compatible apps onto that server.

Since you still control the server, it's your data, but because it's a server
it can be accessed from your desktop computer, or phone, or whatever. I think
there's an easy backup / transfer solution if, say, you want to move your
server from Linode to DigitalOcean or to your own hardware.

edit: to clarify how this relates to the post:

I'm a web developer.

In my free time I'd love to throw together a little free budgeting web app,
but I have a distribution problem: Either I centralize it, in which case I
have to deal with data security, authentication, and scaling, or I release it
as a rails app and ask my users to go through that rigamarole of installing
and running their own rails server.

Instead, with sandstorm, I package up my rails app as a sandstorm app and put
it in their app store, and anyone who wants a budgeting app can easily install
and run it on their own private server.

~~~
scotu
> Either I centralize it, in which case I have to deal with data security
> [...] Instead, with sandstorm, I package up my rails app as a sandstorm app
> and put it in their app store, and anyone who wants a budgeting app can
> easily install and run it on their own private server.

you just made a case for NOT using a self hosted opensource app

EDIT: extended the quoted text for better context

~~~
Xylakant
no, he hasn't. If he hosts the app on a central server he gets to keep data
that needs to be reachable via the internet and may be of varying, to him
unknown importance. He's a single developer with no ops team.

Anybody using it may either have an organization that can support hosting or
may be in a position to host it on a secure, internal network or may have data
that is of low importance anyways. The user of the app is in a much better
position to assert the value and evaluate the damage of a breach/loss.

~~~
scotu
I may have read the comment I was quoting wrong but what I read was: if I, as
a developer, create this software and centralize it/sell it as a service, I
will have to deal with making sure data is secure (otherwise I get sued),
while if I distribute with sandstorm, no need to care about securing the data,
it's on the user!

I hope we can agree that having software available outside a private network
is something of value, so I really hope that if I use sandstorm the apps
contained are not designed to rely on being deployed on an internal network...

Note: I extended my previous comment's quoted text for better context on that
reply

~~~
kentonv
No, Sandstorm does not rely on being behind a firewall.

Sandstorm sandboxes apps and enforces access control on them such that
security bugs in the apps themselves are almost entirely mitigated. See:

https://docs.sandstorm.io/en/latest/using/security-non-events/

Meanwhile Sandstorm itself is designed to manage its own security, e.g. by
automatically updating, relying on hard-to-do-wrong authentication mechanisms
(i.e. not passwords), etc., so that users running their own server do not need
to know about server security.

------
EGreg
Decentralization is the wave of the future, for the next 10 years. We have
reached peak centralization on the internet (the most centralized being
WeChat).

The Web is the most widespread decentralized user-facing platform, followed by
email and then perhaps bitcoin and git. We should build on top of them.

There are two possible security models. One is sandstorm's - where everyone
installs apps on their own cloud. You still need to get a hosting provider,
but then it's a one-click affair. Like on DigitalOcean.

Or you can have apps use the browser security model to communicate across
domains, with each app running on its own subdomain. All the powerboxes and
other interaction between apps would happen through a user agent session under
the control of a user, or through OAuth tokens that the user issues for apps
to communicate behind the scenes.

There are pros and cons to each approach. The second approach allows the apps
to be hosted anywhere, whereas the first one lets apps share capabilities.

But at the end of the day, you can have organizations host collaborative apps
for members, and embed widgets from apps in other apps, which is really cool.

~~~
aethertron
A key advantage, I think, of the first approach (Sandstorm's, in theory) is in
the capability of apps to run 24/7 and do useful stuff in the background,
non-interactively, when the user is offline. Like receive network messages, pull
rss feeds, crawl the web on your behalf, or make your idle server's computing
power available to your friends.

------
api
I think it's also about permission-free innovation, and maintaining a software
and Internet ecosystem that allows that.

If we allow the Internet to become too centralized, ISPs and major cloud
providers will have a large incentive to join forces or even consolidate. If
you follow this trend the end-game could be an Internet that's like iOS: only
whitelisted traffic is allowed, every link and protocol has to be approved,
etc.

Then all innovation will stop because only huge players will be able to do
anything new.

~~~
ocdtrekkie
Email is already doing this too. I've had sites tell me I can only register
for x or y if I use an email address from a major email provider.

------
pastProlog
The big companies don't want decentralization, so the trend has been away from
decentralization towards centralization:

* Usenet was a decentralized forum, like a decentralized HN in a sense. The first attack on it were the small-time commercial spammers. Then the government, RIAA/MPAA and last mile net duopoly (AT&T/Verizon) conspired to more-or-less sink it, which they did ( https://www.verizon.com/Support/Residential/internet/highspeed/general+support/top+questions/questionsone/125159.htm http://www.tomsguide.com/us/AT-T-Usenet-Access-Closed,news-4055.html http://www.tomsguide.com/us/Newzbin-Usenet-MPA-Copyright-Infringement,news-6844.html )

* Newer peer-to-peer file sharing apps never had a chance. Napster, Gnutella and so forth, under attack by the RIAA/MPAA and government.

The trend is toward more centralization, not centralization. With a last-mile
duopoly, antagonistic government and MPAA and RIAA beating war drums,
decentralization has been under attack for years and the centralization forces
have been winning. I see nothing in the visible horizon that sees things
changing any time soon.

~~~
erikpukinskis
> The trend is toward more centralization, not centralization.

What are you basing that on? When I think about journalism, that seems a lot
less centralized to me. Bitcoin is decentralized money. Recording companies
are giving way to smaller more specialized independent production companies.

I think software is in a weird recentralization due to this push towards
services and away from products. But it's exactly the kind of technology cited
above, and stuff like Ethereum, which will allow that trend to go back in line
with the macro decentralization trend.

Maybe you can help me see what you're seeing that I'm missing?

------
ericjang
"Diversity" is quite an overloaded term nowadays and I'm hearing it more and
more often in everyday vocabulary.

I wish I had some quantitative data on this, but it seems to be used in
everyday contexts now, from engineering to research (diversity of data, samples),
and of course, social justice contexts (non-white, non-male, etc).

I wonder if the increased prevalence of the word diversity is a result of
co-opting definitions from the association that "diversity is cool"

~~~
cortesoft
I am a bit confused by what you are wondering; all of those examples you give
are using diversity in the same way, to mean having a wide variety.

Why diversity is a good thing might vary from case to case, but it is almost
universally a good thing.

In this case, I think the article author is arguing that the diversity of app
distribution channels is good for the same reason biological diversity is
good; if something happens to make one distribution channel go bad, there are
lots of others that can take over the role.

------
wmf
To me this is the aspect that separates Sandstorm from the rest: it is not a
suite of apps; it is a developer platform. This is less sexy in the short term
but it has potential to be more powerful eventually.

------
fiatjaf
If we could come up with data that could be used by multiple apps, the thing
would prompt everybody to decentralization.

However, every data we created is always highly coupled with the app in which
it was created.

There's that effort called Solid, from Tim Berners-Lee, that is trying to
change this, but they are so obtuse about ultra-complex standards that no one
is using... maybe they're right.

~~~
kentonv
Solid is a noble effort but I am skeptical that it would solve the problem,
for two reasons:

1. Application functionality is often deeply coupled to its data format. When
building on a standardized data format, how does one add new, novel features?
If you extend the standard, then you now have a non-standard data format, and
the features you added won't be recognized by other apps that use the format.
No one wants to wait for the standardization process to complete before they
can ship a feature, so inevitably apps will ship various incompatible
extensions. Then, when you try to move your data between apps, you find that a
bunch of stuff breaks. There's no clear solution to this, other than for
everyone to stop innovating, which obviously isn't what we want.

2. How does having standardized data formats suddenly prompt
decentralization? Yes, it means you can more easily try out competing apps,
but those competitors still face the same high barriers to entry. VCs don't
like to fund the second player in a market, much less the tenth. Open source
and hobby projects aren't suddenly able to compete when they still lack
resources to run a service.

This blog post actually started out being specifically a response to Solid,
arguing that decentralizing storage alone (without compute) is not enough, but
I ended up not feeling great about targeting them so I cut that part out...

~~~
fiatjaf
I, as a programmer, am almost always able to migrate my data from an app to
another, by using APIs, the command line and tiny bugged scripts that fetch
data from one service, reformat it, repackage it and save it to another
service, which uses totally different formats.

Maybe a better solution would be to create easier ways to do that, so everyone
will be able to move their data.

~~~
kentonv
Indeed.

And in practice, the small, new entrants to a market will write migration
tools to migrate away from the entrenched players as a way to get customers.

If this isn't happening, then there's apparently no will from either player to
write migration tools, which suggests to me that there would similarly be no
will to use standardized data formats, unfortunately.

------
jstayton
I want to push back a bit on this statement:

> Or can one random person, working in their spare time, build just the right
> app and reach millions of people?

I agree that it's very difficult for one person; however, to win doesn't
always need to be defined as becoming the most popular, or reaching millions
of people. What if it's 1,000 people paying $10/month? That _is_ possible for
one person going the service-oriented route.

This isn't a nitpick about Sandstorm per se — I do love what they're doing —
and I understand they're making this argument because what they do _isn't_ a
service. But I do think it's possible to find diversity/decentralization in
small, independent service-oriented companies that don't care about being
popular on the scale of Facebook or Google.

~~~
nullcipher
No offense to sandstorm but most of the apps indeed look like they were done
in a weekend. The blog author grossly underestimates what is required to make a
great functional app (even those mobile apps that were done on a weekend
aren't popular by any means). If this is the goal, then they should reposition
themselves as "OS for distributing your weekend project" (no snark, am serious
about this). It's a great niche if that is their initial target.

> and I understand they're making this argument because what they do isn't a
> service

They do provide a service.

~~~
jstayton
> They do provide a service.

That's true. I should have worded it differently. They're trying to attract
developers to build apps for their platform, rather than launching them as a
service (i.e., SaaS).

------
saynsedit
"Software must be provided as a package – not as a service – with each user
running their own private copy."

My ideology resonates with this statement.

On a more rational level, I agree that an environment that promotes
application diversity encourages competition and innovation and ultimately
will keep the tech economy humming.

I can see that removing the infrastructure requirement for distributing and
providing web applications opens up web application development to a larger
group.

There are shades of similarity of this idea with copyright reform and the free
culture ideas of Lawrence Lessig. Once IP hits a certain threshold of common
knowledge, preventing others from freely using it inhibits economic growth.
Once something becomes cultural, it's hard for innovation to not grow out of
it.

An example is Pokemon: independent companies can't make Pokemon products
without gatekeeping from Nintendo. Currently, if a third-party Pokemon product
benefits consumers and drives the economy but is specifically bad for Nintendo
then it won't be allowed. The counter argument is to innovate somewhere else
but that's ignoring the fact that innovation is born out of experience and if
I had no control over experiencing Pokemon regularly in my life because it's a
cultural phenomenon, my ability to innovate is essentially handicapped.

------
roschdal
+1 for a more decentralized Internet.

------
ilovecookies
From a more philosophical point of view; the idea that everyone should become
a programmer is honestly just plain wrong. I like what these people are doing
but I don't think this could/should be done for more serious projects
considering the amount of hacking that's going on at more centralized services
like google-drive and dropbox. But if that's not their aim then that's all
good I guess.

About shared data, can't you just use google spreadsheets?

~~~
kentonv
> the idea that everyone should become a programmer is honestly just plain
> wrong.

I'm not saying that everyone should be a programmer. I'm saying that everyone
who chooses to be a programmer and who produces useful code should have the
ability to share their application with other people -- who may not be
programmers.

Think of it like YouTube. YouTube doesn't replace film studios. But there's a
whole lot of content on YouTube that you probably like, but that would never
be produced by a film studio.

~~~
Klockan
Kinda like flash games?

------
jwildeboer
Unhosted.org pioneered this already years ago. As did pagekite.

------
micro_softy
Don't know much about Sandstorm but I agree with the statements.

The best software is often written by one person.

It may defy common sense but I have seen this happen again and again.

I like relatively small, open source software I can edit if I so choose.

~~~
pluma
I'd like to modify that claim:

One person _can_ be enough to create an outstanding product.

There are stories of solo developers creating awesome products on their own,
but there are far more stories of solo developers failing to ever come close
to a finished product at all. Betting on a solo developer is high-risk,
high-reward. Even if the developer is unreasonably talented in every aspect (i.e.
great programmer, great designer, great marketer, etc) it can still be a
matter of how far they can go without exhausting themself.

A larger team of less skilled developers OTOH may still be good enough to
deliver a finished product. Plus, even if each developer is less skilled at
most aspects individually, their strengths can add up and easily surpass that
of an extraordinarily talented individual.

The reason you hear about excellent solo devs winning all the time is that you
don't hear about the millions of solo devs failing. It's plain old survivor
bias.

Teams may hold back extreme outliers but they empower everybody else and
drastically increase the chance of actually delivering.

~~~
diggan
Well, you're talking about two different things. The comment you're replying
to, is talking about software, while you're talking about products.

~~~
pluma
I'm talking about "products" in the general sense. Software is a product. Even
when developing an open source library there's more to it than just writing
code.

------
chj
How can you make sure you can't read user's data?

~~~
kentonv
I don't understand the question.

If you mean: "How does Sandstorm the company ensure that it can't read
Sandstorm users' data?", the answer is that we provide software that you can
run on your own machine. The software is open source, so you can verify that
it does not give us any ability to access your data.

