
RemoteStorage – An open protocol for per-user storage on the Web - petethomas
https://remotestorage.io/
======
Roritharr
In theory this seems like a great solution to many data privacy problems, but
I suspect strongly that this leads in reality to very hard to support products
as you can't make that many assumptions about the data stores. Performance and
reliability of data storage makes up a large chunk of the user-experience of
any web-app, so having this out of one's control is a tough proposition for
anyone actually wanting to build a business on top of this.

~~~
chatmasta
In reality everyone’s data will be stored at the same four cloud providers.

~~~
hanniabu
Sadly this will be true for 95% of the storage

~~~
microcolonel
It seems to me that an API intended to make this storage a commodity would
lower the barrier to entry, possibly increasing the natural number of
participants in the market.

~~~
y4mi
Don't worry, these competitors will host their service on one of these
providers

~~~
Freak_NL
Is that a big problem if data is end-to-end encrypted?

------
kevincox
I have created a number of small tools in the past and I generally have kept
them stateless because I didn't want to manage (or pay for) storage of user
data. If something like this was widespread I could trivially allow the user
to save their data without needing to manage that myself.

For complex applications you might want a richer API but I think that for now
making it easy to adopt is a key feature and I generally just want to stick a
serialized state in a small number of "files" anyways.

I really hope this takes off at some point.

~~~
vackosar
Will that work with GDPR? It sounds OK but I am not sure.

~~~
kevincox
I'm not a lawyer but I think it should be because you aren't storing the user's
data. The one concern might be explaining that the user is sending their data
to a third party (of the user's choice) in a nice way.

------
marktangotango
The disconnect I have with this is it’s a key value store. Sure you can build
on top of that, but any non-trivial application would require more
flexibility. Has there been any work on a remote SQL spec, for example?

~~~
marknadal
We built a remote (and encrypted) data sync spec for graphs, it can be used
for both traditional table (relational) and document storage as well as
key/value data ([https://github.com/amark/gun](https://github.com/amark/gun)).
It has push built in and is fully decentralized and running in production today
(terabytes of traffic), and handles concurrency and offline conflicts out of
the box.

There are some half-baked GraphQL query engines for it as well as some SQL
query prototypes on top, but not quite ready yet. What were you wanting to
build?

------
mobitar
You can also check out Standard File, which aims to accomplish something
similar (namely, trustless servers for end-to-end encrypted client
application). It's currently being used in Standard Notes with great success.

[https://standardfile.org](https://standardfile.org)

------
Fellshard
One consideration for where this could be very useful: if you're constructing
autonomous agents who can seek and aggregate information and dispatch actions
on your behalf, giving these agents access to segments of a personal datastore
like this could be an interesting starting point.

Oddly enough, I keep going back conceptually to the 'gevulot' concept from
Rajaniemi's 'The Quantum Thief' as an idealized implementation of this.

~~~
binbasti
I use my RS accounts for exactly this, in combination with Huginn for example.
It's super simple, because you just PUT or GET, with the bearer token for one
segment (called "category" in RS) in the Authorization header. And you can
also PUT things in the special /public category, so they're world-readable.
Example: when I check in on Swarm, Huginn uploads the entire check-in data to
my RS for archiving, as well as updates a public RS document with my current
location, which my website then shows publicly:
[https://sebastian.kip.pe](https://sebastian.kip.pe)
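
The per-category bearer token described in the comment above, seen from the storage server's side, as an added example that is not part of the thread or of any remoteStorage implementation. It assumes scope strings of the form `<category>:r` / `<category>:rw` and that documents (not folder listings) under /public/ are readable without a token, following the remoteStorage spec; all paths and scopes below are constructed.

```javascript
// Added example: decide whether a request is covered by a token's scopes.
// Assumption: the path is already URL-decoded and relative to the storage root.

function parseScopes(scopeString) {
  const scopes = new Map();
  for (const item of scopeString.split(/\s+/).filter(Boolean)) {
    const [category, mode] = item.split(":");
    if (!category || (mode !== "r" && mode !== "rw")) {
      throw new Error(`malformed scope: ${item}`);
    }
    scopes.set(category, mode);
  }
  return scopes;
}

function categoryOf(path) {
  // Reject traversal segments before deciding which category the path is in.
  const segments = path.split("/").slice(1);
  if (!path.startsWith("/") || segments.some((s) => s === ".." || s === ".")) {
    return null;
  }
  const isPublic = segments[0] === "public";
  const category = isPublic ? segments[1] : segments[0];
  return category ? { category, isPublic, isFolder: path.endsWith("/") } : null;
}

function isAllowed(method, path, scopeString) {
  const target = categoryOf(path);
  if (!target) return false;
  const write = method === "PUT" || method === "DELETE";
  if (!write && method !== "GET" && method !== "HEAD") return false;
  // Documents under /public/ are world-readable; folder listings are not.
  if (!write && target.isPublic && !target.isFolder) return true;
  if (!scopeString) return false;
  const mode = parseScopes(scopeString).get(target.category);
  return mode === "rw" || (mode === "r" && !write);
}
```

A token scoped to one category can write that category and its /public counterpart, and nothing else, which is what limits the damage if an automation tool holding the token is compromised.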

------
mikece
How is this fundamentally different than storing files in S3 or Azure BLOB
storage or SFTP or.... is WebDAV still a thing?

~~~
rspeer
How is it the same? If I'm hosting a Web app, my users can't write to S3.

~~~
mikece
So this would be in place of a service like Dropbox -- or S3 or Azure Blob --
where user passes a token to the app to allow reading/writing data to the user's
storage account/location... but with a standard protocol and authorization
scheme?

~~~
Vinnl
Somewhat, but then users are able to choose their own hosting provider, rather
than having to use Dropbox, S3 or whatever that you happen to support.

------
bo1024
Sounds cool, but I'm missing something basic.

1. I update some data on my desktop.

2. I shut down my desktop.

3. I power on my laptop.

How and when does my laptop get the updates made on the desktop?

(edit1) One idea for a solution is asking peers for help: my data gets
encrypted and seeded to many peers, so it is always available somewhere.

(edit2) While I like the "own your data" aspect of this, I dislike the
"everything in a browser" aspect. At what point is this easier as just a
native program?

~~~
hexmiles
From what I understand, remoteStorage has different storage plugins you can
use. If you want your data to be available across multiple computers you should
use a plugin which stores data in a cloud storage like Dropbox, GDrive or even
S3. But I think you should be able to implement something like you proposed by
combining remoteStorage with WebTorrent.

------
mirimir
Is data encrypted?

~~~
icebraining
Seems that encryption support is being added to some specific
implementations[1], but not mandated by the spec.

[1] [https://community.remotestorage.io/t/encryption-option-in-li...](https://community.remotestorage.io/t/encryption-option-in-library/108/20)

------
needz
Wouldn't users be able to tamper with their own data? Seems like another
attack vector.

~~~
eximius
If you write web apps, you should be used to treating user input as hostile.
You just need to write your application with a clear perimeter around user
supplied input.

~~~
needz
Let's say the web app is a game and it keeps track of your high score when you
play it, if the high score is stored somewhere you have complete control over,
what's to stop someone from modifying that score? Substitute high score for
any variable a server tracks about a user that isn't explicitly supplied by
that user.

~~~
eximius
The only way to prevent cheating in a game is to run the code on the server
based on transmitted user actions.

Even with a server side DB, they could lie about their results or hack the
game to do better.
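
The approach from the last two replies (a strict perimeter around anything read back from user-controlled storage, and a score recomputed from the transmitted actions instead of trusted as stored), as an added example that is not part of the thread. The game rules, the `moves` and `claimedScore` field names and the sample documents are hypothetical.

```javascript
// Hypothetical game: a 1-D track of coins. Each move steps left ("L") or
// right ("R"); landing on an uncollected coin adds its value to the score.
const TRACK = [0, 5, 0, 10, 0, 20]; // constructed level data
const MAX_MOVES = 50;

function parseSavedGame(raw) {
  // Perimeter: the document comes from storage the user fully controls.
  if (typeof raw !== "string" || raw.length > 4096) throw new Error("bad size");
  const doc = JSON.parse(raw);
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    throw new Error("bad shape");
  }
  const { moves, claimedScore } = doc;
  if (typeof moves !== "string" || moves.length > MAX_MOVES || !/^[LR]*$/.test(moves)) {
    throw new Error("bad moves");
  }
  if (!Number.isSafeInteger(claimedScore) || claimedScore < 0) {
    throw new Error("bad score");
  }
  return { moves, claimedScore };
}

function replayScore(moves) {
  // Server-side re-run of the game from the transmitted actions.
  let pos = 0;
  let score = 0;
  const collected = new Set();
  for (const m of moves) {
    pos += m === "R" ? 1 : -1;
    if (pos < 0 || pos >= TRACK.length) throw new Error("illegal move");
    if (!collected.has(pos)) {
      score += TRACK[pos];
      collected.add(pos);
    }
  }
  return score;
}

function verifySubmission(raw) {
  try {
    const { moves, claimedScore } = parseSavedGame(raw);
    const score = replayScore(moves);
    return { ok: score === claimedScore, score };
  } catch (err) {
    return { ok: false, score: null, reason: err.message };
  }
}
```

The replay only shows that the claimed score follows from a legal sequence of moves; it says nothing about whether a person or a modified client produced those moves.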

