Hacker News
Sandstorm is returning to its community roots (sandstorm.io)
304 points by cjcole on Feb 6, 2017 | 102 comments

Oh dear :( Sorry to see sandstorm go. I attribute the failure to many reasons:

1. The UI was very sloppy. For the user, one had to learn many new concepts (what is a webkey? why do apps not work on mobile?)

2. New app developer model meant that it was impossible to create apps easily without insane complexity. If you see all the apps, they had to fork from the main code base and generally lagged behind because packaging for sandstorm required a LOT of work.

3. The web frame that they added around each app was annoying. This frame could not be disabled and thus made many use cases like having a public forum, blog impossible.

4. Their own infrastructure was not self-hosted including using github (when gitlab exists), google groups (when nodebb app exists). They continued to use irc despite having a rocket.chat app as the main showcase. They should be dogfooding.

The alternatives today are at https://github.com/Kickball/awesome-selfhosted#self-hosting-.... I recommend https://cloudron.io. They focus simply on installing things and don't invent a new developer model (it's based on docker)

Thanks for the feedback!

1. We know the UI needs work and have plans to improve it. We are very aware that webkeys are not user-friendly; they were always meant as a stopgap measure while we build better UI. Some things about mobile here: https://github.com/sandstorm-io/sandstorm/tree/master/roadma...

2. The amount of work an app port requires varies a lot depending on the type of app. Self-contained apps that don't talk to the outside world can often be ported in a few minutes. But, indeed, some apps need work to integrate with the appropriate Sandstorm APIs. We've been working to make this easier by, for example, setting up an HTTP proxy inside the app which can make communicating with external OAuth services mostly transparent, while still respecting the Sandstorm permission model. With better tools we think we can automate most things, we just haven't gotten there yet.

3. There are multiple Sandstorm apps which let you post e.g. blogs with no Sandstorm UI frame around it. We have some features in-progress which extend this to more apps. But note that part of the goal of Sandstorm is to generalize a lot of the UI such that apps don't have to repeatedly build the same things, like login, access control, notifications, etc. We need to hang that UI somewhere, hence the need for that frame. But we have ideas that will make it look a lot more like an integrated part of the app UI in the future.

4. We dogfood a lot. We write design docs in Etherpad, manage tasks in Wekan, etc. Our github, google groups, and IRC existed before Sandstorm was functional. The main reason we haven't switched over is because switching is costly and it seems like there are better things we could do with our time.

I apologize for not thanking you for the project and just criticizing. Thanks for the amazing project, Kenton. I meant for it all to be constructive and I hope you take it well.

About 4), please do consider the fact that this is the exact same issue most of your users face. We have existing wordpress blogs, forum that we would like to migrate but cannot. Most apps have import/export which is broken (including wordpress which is supposedly mature) :/

I agree, import/export in Sandstorm rarely works today, and that's a problem. It's one of those things that we've wanted to address but haven't been able to get to, because there are so many things.

But we're getting close on this one. We recently made some big strides implementing the Powerbox, which allows apps to request permissions to talk to each other and to the outside world. We've also implemented the basics of the in-app HTTP proxy which allows HTTP communications to feel transparent. With a little more work, an app like Wordpress could make a powerbox request to connect to your old Wordpress blog in order to migrate data.

Honestly, a lot of what's wrong with Sandstorm boiled down to "we need the Powerbox to do that, and we haven't had time to fully implement it yet, because we need to focus on things that generate revenue in the short term." We finally implemented some critical pieces of the Powerbox in the last month (app-to-app powerbox is now functional) and, as the Powerbox was always my favorite part of the whole design, I'll probably be working on it more soon.

Hey Kenton - sorry that the business hasn't been as successful as you were hoping for. I am very surprised to hear that you had 0 paying customers though.

One of the UI changes that I would make is that Oasis defaults to the free plan. I actually selected a paid plan on the website, but decided to wait and see if the free plan met my needs. It seemed like it did, so I never took the time to upgrade.

> I am very surprised to hear that you had 0 paying customers though.

Not exactly true. We had a handful of paying customers for Sandstorm for Work, and we have enough paying customers of Oasis to pay for all of Sandstorm's services. But not enough to pay for employees -- people are expensive. :/

We have experimented with ways to push people towards paid plans on Oasis, but it's a tricky balance between revenue and user growth. I agree we should experiment further.

Would you consider just adding a donation box? I for one think that it's very important that this thing gets developed. I think you're doing a lot of things right, and it could encourage proliferation of self-hosted applications. This needs to stand as a challenge to the companies that would own our data, and I understand that it does not lend itself to a normal business plan.

I imagine a lot of people feel this way, and may be inclined to donate in addition to or instead of their Oasis account.

I'm thinking about maybe extending Oasis with ways to specify a donation amount separate from the subscription fee, for finer-grained control over donations. It's most efficient for us to have any payments go through our existing payment system there, rather than use other services that charge higher fees. No concrete plans at the moment, though.

One of the things that would probably be super helpful, is figuring out how to donate to Sandstorm app authors and promote the growth of the ecosystem.

Agree. I'd be happy to pay app-size payments ($5-$20), preferably through some kind of crowdfunding, as long as the result is open source.

Ah - it sounds like I missed the distinction between the two revenue streams..

Am pretty convinced by the Sandstorm model, hope that the future works well for the team.

Thanks for building Sandstorm, Kenton, and I found the model interesting, though there was no way I'd use it yet because it's a risk to bet on an unproven startup / project.

This is the same reason I'd use Node or Rails, not some niche web framework no one has heard of. Or Swift or Java, not OCaml, say. And so on.

I wish there was a solution to this chicken-and-egg problem, so that genuinely new and better ideas like yours take off.

Open-source helps, but isn't enough, since there are so many abandoned open-source projects, and I don't want to take on the responsibility of maintaining Sandstorm if the team moves on to other things.

This is not a big deal, you are simply not an early adopter.

It looks like too many people thought the same thing, causing the business to fail.

The business failed because customers in the target market never knew it existed, i.e. we sucked at marketing and sales.

Yeh such a shame that such a promising open source project couldn't find a way to make the business model work. I really like/use it for a number of NGOs in the field who really needed something self-hosted but quick to deploy and easy to manage.

> The main reason we haven't switched over is because switching is costly and it seems like there are better things we could do with our time.

In hindsight, do you feel that your potential customers made the same decision?

I tried it a while ago and was blown away by the weird restriction of requiring federated login from providers like Google to use a system designed to be decentralized. Seemed like a really strange arbitrary restriction that prevented its use on private networks for one.

That was a restriction very early on, but we've supported e-mail login for a long time. And as of today, LDAP and SAML login are now available in the base project as well (used to be paid features), so you can run a local LDAP server or SimpleSamlPhp for self-contained login.

See also: https://github.com/sandstorm-io/sandstorm/tree/master/roadma...

There is also the passwordless email login method, where it sends you an email with a token to login. You can use this with any email account.

The reason a traditional "Sandstorm account" option has been skipped is I believe because they felt things like 2FA and such and other security features common to accounts like Google and GitHub would take a lot of work to implement themselves and that these already offered that.

It has also always been on their roadmap to figure out a way to do some sort of GPG login or something.

The outsourced login is the default, but it's optional. You could easily set up email/magic link based login on both Oasis and the self-hosted version.

Two things I feel deserve note here beyond what others have said:

1. Sandstorm has not "gone"! It is still here, will still be worked on, and all of the current services they run will continue to run!

2. As much as I am a fan of Sandstorm's approach first and foremost... I've been following news from Cloudron and they are pretty cool too. When I first looked at them they were closed source, and now they are open and supporting self-hosters and everything.

And I love the UI, but I pretty much... hate modern UI.

I wish I felt your optimism that opensource projects just chug along with no monetary motivation/investment :) Keeping apps updated and the platform secure is a lot of work. I am also reading in other places that kenton will keep oasis running pretty much single handedly. All this seems like a lot of responsibility (might not be much work though).

I suspect you may be overestimating how many people have kept Oasis running so far! Sandstorm.io never had a large group of employees, and managing Oasis has never been a large part of what they were doing. Ergo, I suspect I'd be accurate in saying Kenton was already keeping Oasis running pretty much singlehandedly. :) He has confirmed he will still have a couple other people able to tend to it if he is unavailable as well.

Indeed, I've been essentially single-handedly running Oasis since it launched (there was a mechanism for others to help if I wasn't available, but in practice it was only ever used once or twice).

Oasis upkeep requires only a few minutes of my time each week, and that's mostly for the purpose of pushing an update.

Sad to know the business did not work out. Sandstorm is a wonderful piece of software, I was able to install and play with it without too much trouble. I hoped that would be the project that would take open source software to new heights.

Software (at least software for consumption, not for creative work) moves from desktop to cloud + mobile devices in droves. And there is no widely successful FLOSS app ecosystem that works in that direction. Basically I want to be able to get a server, install it at home or maybe in the datacentre, and I want to be able to install FLOSS server-side software that works through the web browser and mobile apps. Think my own pinboard.in, feed reader, IRC or Slack-type server, dashboard etc. Sure you can do it with Linux right now, but the amount of work you have to do configuring all this is well beyond the simplicity of 'apt-get install'. The closest thing to this is what QNAP and Synology do, but their systems are proprietary.

Sandstorm has the potential to be that system and did a lot of things well, package installation experience probably the most notable. What I did not like is the grain model. I understand the security reasons behind it, but it felt like a straitjacket and URLs were ugly. There were no accompanying mobile apps (not Sandstorm's fault per se, but something to think about when building systems like that in the future)

This is a very sad thing to hear and one can only wish the best of luck to the open source project. I think especially in current times, user-friendly alternatives to the cloud are badly needed.

By the way, I really appreciate the honest style of the message. Sentences like

> Unfortunately, Sandstorm the business has now run out of money, and we have been unable to raise more.

are refreshing in contrast to the usual "the next chapter of our journey" speeches.

Sad to hear this news, but also excited to hear that Sandstorm is continuing as an open source project.

I'm mainly excited because Sandstorm makes indie web apps viable. I've been amazed to see how quickly members of the Sandstorm community can spin up sophisticated apps like collaborative editing or file sharing. If you have a framework like Meteor to handle sync, and Sandstorm handles authentication and sharing, then you can make a serious multi-user app in a weekend.

Even better, once you've made your app, you don't have to worry about security or scaling. So a junior developer could make an app which stores my sensitive financial information, and I'd still try it because I trust Sandstorm to keep my data safe even if the app is poorly written.

Sandstorm's foundation is solid, and I think a few UI and developer-happiness improvements will make this a reality. Wishing the team all the best!

So sad to see yet another blooming Open Source technology make a business/financial shutdown statement. I've been a fan of how much kentonv has hustled, not only in code, but also being a role model about being fearless to get out and post to HN about his technology. Very impressive.

I'm in a similar place, and just recently wrote an article on the RethinkDB/Parse shutdowns and spoke on the Changelog podcast about it as well: https://hackernoon.com/the-implications-of-rethinkdb-and-par... .

Given what I say there, I actually want to encourage the sandstorm team to not give up yet - they are in the right space. Maybe wait out a year, and then hustle some marketing/bizdev/enterprise/government sales, they are in the right space and have some big opportunity ahead. Sometimes, being too early can bite though, but please please try again - don't give up.

As a great example of this, look at Bitcoin. Crypto currencies were all the rage in the 90s and went nowhere. A decade and a half later... the market timing matched up, and it exploded.

Thanks! And yes, that's basically the plan. :)

I read the article and my key takeaway was that licensing was a significant culprit. But Parse and Sandstorm are different. Do you think there is something systematic to open source or to VC-backed startups or to developer tools or something else?

Great question, if I were to tackle it, I would take it like this:

1. Parse, to non-developers, was a wild success - not a failure. An $85M exit ( https://angel.co/parse ) on a $7M investment, that is a 10X+ return in 3 years. This doesn't seem to be talked about much, especially compared to the darling Firebase.

It represents exactly what an affluent ecosystem would want: A business savvy and technically proficient team that can be sold off to the highest bidder that investors vet. However, it is a "shut down" in the eyes of developers because the tool was overlooked.

2. Sandstorm is so advanced that it isn't quite understood yet, partly because nobody has invented the catchy phrase for it (even if they did, the timing is still too early). While most first-world users now have multiple devices, they only use 1 at a time, and they don't see these two problems: (A) They don't know their devices should sync more than what Apple tells them they should (B) They don't know that their devices, which they own physically, should be their private servers for all their services.

That is why I think Sandstorm shouldn't give up, because with the addition of 5B+ new people coming online, I don't care how scalable Google/Amazon/Apple/Microsoft are, things are going to be a lot more powerful/reliable/customer-satisfaction if people own and run their own services (fully automated by things like sandstorm). This isn't just a privacy/ownership thing, it is a customer expectation "thing" - using a service is like using a public bathroom, but owning that service is like using your apartment's bathroom. It doesn't matter how gross/nice any 1 experience is, ultimately the consistency of expectation wins out.

So yes, there is something systematic to VC-backed startups (like Parse, they're ultimately a hiring/resume gig - or randomly big industry creators, like Dropbox, Uber/Lyft, AirBnB), and there is something systematic to Open Source and developers (we often value different things). Developer Tools aren't particularly unique, other than the fact that they are either industry causing/creating architectures, or unfortunately on the tail end of a dying architecture. They are black and white in their success, high risk, with no middle ground - and since risks often fail, and humans are loss averse, the failures often seem to outweigh or overwhelm the successes. The important thing to remember though is that the winners cause and create prosperity for entirely new industries/sectors, for people and companies around the world, and for generations to come.

Oh no! I really believe sandstorm (or something like it) is what we need the future to be. Rather than having everything get sucked up into Google, Facebook, Apple, or these other few centralized services, imagine where everyone has a personal (or family, or church group or whatever) server, and they can one-click install their email apps, their document apps, etc.

The basic issue is that everyone wants "cloud" apps, so that their emails and chats appear on their phones and their tablets or home computers. But unfortunately it seems we leapt straight from the PC paradigm where your email is stored on your computer straight to the "centralized, 3rd party cloud" paradigm, where Google owns all your stuff. But with a "cloud" that you still control, tough problems like end-to-end encryption fall away, since it only needs to be encrypted from one person's cloud to another, while the messages themselves could be synced between all the user's connected devices.

Linux was a beautiful, world changing thing. If we could establish an open-source platform seeking to replicate a lot of things Google and Facebook do now, but without the privacy implications, that could be equally world changing.

Sandstorm, at least as far as I understand it, definitely has the vision right, so I'm hoping despite Sandstorm for Work not panning out, the technology will continue to grow.

I just don't see a big market for hosting FOSS apps. There are few apps, if any, that are better than a commercial equivalent already on web/iOS/android with support teams, marketing, etc. Ordinary people don't have much qualms about using a commercial service despite all the privacy warnings in the world: just look at the 1B+ users on Facebook.

So if we're left with a small crowd who does care, they're also largely the same crowd who feels comfortable getting a DO droplet and apt-get installing whatever app.

I feel bad for the sandstorm guys, seems like they put a lot of energy into it, but they approached it as an engineering challenge rather than from a market research "build what people want" challenge.

It's definitely true that we've been more focused on technology than market research, and that this is a huge factor in why our business didn't work.

However, I don't believe you can really make revolutionary changes based on the "lean startup", "do lots of market research and test everything with metrics" strategy. It's absolutely a great way to make incremental improvements -- even big ones -- but not paradigm shifts.

Sandstorm's vision is a long-term one, and it actually isn't primarily focused specifically on self-hosting, privacy, or even FOSS, but rather on creating infrastructure that allows decentralized software to stand on equal or greater footing compared to centralized services. There is a lot of work that needs to be done for this to function, and you can't justify it by saying "look, these customers asked for it" -- you justify it by laying out the vision and saying: "Look, there will be these clear enormous advantages if this works."

For reference, here's our technology manifesto: https://sandstorm.io/how-it-works

This is always a tough sell, because people rarely agree on hypothetical outcomes that can't be measured in advance. And if it were clear, someone would be doing it already. So, I don't expect you to agree. But I'm going to keep working on it.

"allows decentralized software to stand on equal or greater footing compared to centralized services."

While that's great from a CS/FOSS/EFF/hacker perspective, the question is what's necessary for such software to be on equal ground in the eyes of ordinary users? My guess is that the decentralized/centralized split isn't (yet?) it, but rather the UX and functionality. Few open source end-user apps are entirely original and cutting edge; most are poor knockoffs of commercial products or are failed commercial products that got open sourced.

To me that's why sandstorm didn't make much sense. I applaud your efforts, I really don't want to rain on your parade -- I poured my sweat and tears into a startup that failed as well so I get it -- I'm just reacting to what seemed like not-honest-enough reasons for failure on the website. It's really important to know what didn't go right for next time lest you make the same mistakes again.

It sounds like you're assuming that Sandstorm is a platform strictly for open source software, but that was actually not our intent. In the ten-year vision, there is a thriving ecosystem of both open source and proprietary / paid applications that build on the platform because it provides many advantages both to developers and to users, allowing for better-quality apps.

We've used open source apps to seed the app market, because we can do that without the upstream developers' help. We also are big fans of open source ourselves, obviously, and I feel open source is especially disadvantaged in a SaaS world, so Sandstorm will make it more competitive. But in the end what I really want is high-quality decentralized software in general.

> However, I don't believe you can really make revolutionary changes based on the "lean startup".

You know more than me, but isn't one of the key ideas of the Lean Startup to validate your assumptions, which everyone has? Write them down and validate them ASAP to de-risk your project. For Sandstorm some could be:

- Developers are willing to bet on an unproven company/project/platform.

- Users are willing to create Sandstorm accounts.

- Developers are willing to build on top of Sandstorm rather than owning all the data and customer relationship.

But +1 for "people rarely agree on hypothetical outcomes that can't be measured in advance." Well said.

Open source succeeds not only when it's open, but when that openness also just makes it better than using the closed alternative. For example, I was able to send my friends a single Sandstorm sharing link that contained the equivalent of a bunch of Google Docs (Etherpad) and Trello boards (Wekan) in one easy location. Because Google Docs and Trello are closed source, separate platforms, I can't do that. But I can with Sandstorm.

A lot of what Sandstorm is aiming to do is still in development feature-wise, and then people have to build apps on top of that. So I'd say this is a long haul destination here. But the key point is: Open won't win because it's more private, or more free. It'll win when it's better.

One of my key worries with the current walled garden approach is exactly what you describe. Value can't be easily reached by connecting products together. Every major company seems to be working hard to keep their customers completely inside their ecosystem. It makes sense for them and I certainly don't blame them, but it does seem to represent some level of failure for the current system.

I think Android is a great example of how providers can realize that a common, unified platform has huge advantages to their business. Of course, I'd argue the largest problem with Android is the control Google exerts over it. But, as far as the manufacturers go, it's a great example of seeing the benefits of a common platform.

My hope is someday everyone will use Sandstorm (I'm an optimist), and maybe you'll use Sandstorm on Google's servers or Apple's servers or whatever but you can all access the same apps everywhere, whether you're in someone else's cloud or hosting your own.

Universities would seem like a good target market to me. There's privacy requirements (student grades shouldn't leave the premises!), there's a need for fine-grained access control, there's a need for easy to use file sharing, calendaring, and for hosting faculty- or student-developed apps in an environment where it's hard to impose a single OS or enterprise-y software.

Universities also typically have multi-million dollar IT budgets and larger institutes have dedicated IT staff with >5 employees that manage the email-servers, computer pools etc. It is not a stretch for them to also offer other services like a mattermost installation or a gitlab installation and indeed that happens.

I agree. In fact, some of our biggest fans seem to be "ed tech" users, especially outside of the US.

They're notoriously hard to make money from, though. Luckily that's not a concern for us anymore. :)

That's certainly fair, but at the same time as somebody who does care about this kind of stuff I deeply wish we didn't live in this world of massive centralized walled gardens.

I hadn't heard about this project before, but for a long time I've been thinking it would be nice to have some form of sand-boxed, probably Node based local cloud system.

I think you under-estimate the difficulty to install services locally. Sure popular packages are usually easy, but things with even a little bit less support can take days to get right.

> I think you under-estimate the difficulty to install services locally. Sure popular packages are usually easy, but things with even a little bit less support can take days to get right.

This. Generally it's people who don't self-host that usually claim that web apps are just a 'apt-get install' away.

> Ordinary people don't have much qualms about using a commercial service despite all the privacy warnings in the world: just look at the 1B+ users on Facebook.

That's changing, more people are keeping their mouths shut more often on social media because they know their data is being scooped up.

I think it's a matter of educating more customers; they have no idea that it's even possible to host their own Google or Facebook in some instances.

Maybe it isn't a big market but the market does exist and it does require more customer education and awareness raising. It's a harder sell than enterprise sales.

Sorry to hear this! :( I use a self-hosted Sandstorm instance almost daily, and I'm very happy with it.

I don't really agree with some of the critiques posted here regarding the UI and UX. Sure, it could have used further improvements, but I feel it's simple, functional, and intuitive enough. Not at all a critical shortcoming imo (well, perhaps for use cases where mobile support is essential).

For me a limiting factor is that some of the apps do not have feature-parity with their regular version. In particular, plugin support, which is very important for example for WordPress, ShareLaTeX, and IPython.

Another thing is the pace in which new apps are packaged for Sandstorm, and the trust that there will be regular and timely updates. Of course this also depends very much on the community, and the ease with which things can be packaged, but it felt like app porting lost a bit of momentum.

Regarding the future of the project, are there any other potential avenues for financing further development, other than buying Oasis hosting?

I very much want to see this project continued!

I'd love to see the community using Bounty Source or the like to finance projects, e.g. packaging particular apps.

For my part, I don't need any financial incentives -- I'll keep coding regardless.

So the paid offering of Oasis still exists and you are advertising it in the end of the blog post.

It is not directly said in the post, but it sounds like you are trying to still make it work in the long run by minimizing the team and going with the slow organic growth that you have?

No criticism intended there, I personally think that would be great and in the long run probably the most healthy way to make something so idealistically grounded like Sandstorm work.

Yes, exactly.

Oasis brings in enough revenue to cover Sandstorm's serving costs (for Oasis itself, Sandcats, updates, etc.). Oasis is also very low-maintenance for us, since Sandstorm in general is designed to be easy to maintain. So there's no reason to shut it down.

Our other paid offering, Sandstorm for Work, brought in very little revenue, so it made more sense to make it free to drive growth.

I do believe there's a future business in Sandstorm, perhaps centered around the app market and supporting paid apps. I believe that as long as we keep improving Sandstorm, a few years down the road we may be in a place to revive the business. But mainly I want to keep working on it because, honestly, I really enjoy it, especially now that I don't have to think about boring business-y stuff. :)

I really hope this works out! I've yet to use Sandstorm in anger - but I strongly believe the "correct" model for a project like this is offer paid hosting managed by system experts (ie: you, the creators) - along with an easy back-and-forth transition path from self-host to paid hosting and back.

Charging for ldap always felt a bit wrong to me - supporting open federated standards is kind of a selling point of Sandstorm in the first place - leaving it out felt like "demanding" payment rather than providing a tantalizing service I'd want to pay for.

People point at wordpress - which is a successful business built on a rather terrible code-base, along with a rather nasty walled garden with a half-open gate (the theme ecosystem). A better model might be Ghost - they also offer paid hosting, but don't draw such a hard line between self-host and "ghost host" IMNHO. (I don't know how well Ghost works in terms of revenue, though).

Would you be able to share some numbers wrt. hosting costs and current recurring revenue? How many paying users do you have, and how many more would you need to pay for the size of team you'd like?

On Oasis, we have 2132 monthly active users and 284 paying users accounting for $2376 in monthly revenue -- although some of these users are still paying from credit they received by supporting our Indiegogo campaign, so the physical revenue number is lower (and isn't on my dashboard for some reason).

Our hosting costs from Google Cloud are confusing because currently we have some startup credit (which will expire in about six months), and the way they account for that in invoices is weird... But if I'm reading right, we spent $1552 in January, before applying the credit. We also pay $35 for Cloudflare, $35 for G Suite, $25 for Github, $80 for Sendgrid, $50 for Mailchimp, $50 for eShares, and probably some things I'm forgetting at the moment. So, around $2000 monthly. We also pay an undisclosed but surprisingly small amount for Sandcats.io TLS certificates which we pass on free to users.

To support any full-time developers we'd need Oasis paying users to increase by at least 10x, so something like 2500. Yesterday was a very big news day for us, which resulted in 6 new signups.

Thank you so much for taking the time, and writing such a candid reply.


> Yesterday was a very big news day for us, which resulted in 6 new signups.

Ouch. (otoh, a steady 2% daily growth is nothing to sneeze at - you'll be at 10x in 116 days!)

In all seriousness; best of luck. I think there should still be a bright future for sandstorm - a few more rounds of polish, a bit of luck and pr and sustainable growth should be very much in reach.

FWIW, if you needed LDAP for personal use, you pretty much just needed to contact the Sandstorm team about it. But the general goal was "for Work" to cover features which were primarily only going to be used by decent-sized organizations, and generally that holds relatively true for LDAP.

This is something that I would love to see happen with open source projects:

1. company is created around the project

2. other companies started using the project and find it handy

3. companies need maintenance and support: consulting companies start opening up shop and serving them

4. parent company gets more customers because they're the first/official supporting company

This is similar to the Wordpress model I think and they're fairly successful, they've got a whole ecosystem.

We have added the Sandstorm Technology Roadmap to the Sandstorm repo, where you can learn about everything Sandstorm has built and plans to build.

Perfect, now another company can take a chance on raising VC funds for this or bankrolling it themselves.

Ehh... The support model is pretty tricky to make work. It doesn't scale well, and it creates somewhat of a conflict of interest: if you make your product work too well, people won't need support. It has worked a few times but there are a lot more failures than successes, sadly.

> Perfect, now another company can take a chance on raising VC funds for this or bankrolling it themselves.

Let's be honest: it would be nearly impossible for this to happen. If we couldn't get VCs to fund us, no VC is going to fund some other people -- who likely don't understand the codebase or the vision in anywhere near as much detail as we do -- to work on the same thing. Even with an extremely rational argument for why they'd be able to do better, the psychological barriers to investing in something that "already failed" are huge.

But if someone did try this, they should probably hire some people from the original team, I would think. :)

A more likely scenario is, if Sandstorm shows strong growth as an open source project to the point of being fundable again, then the original team (with maybe some added biz dev expertise) can restart the company in the future.

> A more likely scenario is, if Sandstorm shows strong growth as an open source project to the point of being fundable again, then the original team (with maybe some added biz dev expertise) can restart the company in the future.

I sincerely wish you the best of luck. I think it's a valuable-to-society idea, even if it was hard to market.

This was largely RethinkDB's plan, and it worked about as well for us as it did for Sandstorm. One can argue Sandstorm executed it a bit better than we did. (Disclosure: speaking as a former RethinkDB employee, but not for anyone else, and I have no "inside information" to speak of about the finances.) I think this can work, but I think the unpleasant truth is that the developer tools market--which is certainly what RethinkDB was in, and which Sandstorm was certainly at least adjacent to--is a mostly lousy place to be in.

The bulk of WordPress's revenue doesn't come from support or their plugin system, it comes from "premium subscription" services sold to their hosting customers and, to a lesser degree, advertising they show on hosted blogs (that aren't paying for premium subscriptions).

> I think this can work, but I think the unpleasant truth is that the developer tools market--which is certainly what RethinkDB was in, and which Sandstorm was certainly at least adjacent to--is a mostly lousy place to be in.

I think it is difficult to convince devs to pay for tools given the plethora of free options available. It's a stupid mindset even I suffer from, and I think only heavy marketing will work to convince devs of the advantages of a particular paid tool. I was convinced for Sandstorm, but didn't have a project I could use it for just yet, but I hadn't even heard of RethinkDB until a week before they announced the shut down.

> This is something that I would love to see happen with open source projects:

That won't happen. But not for lack of trying!

My consulting company, Paragon Initiative Enterprises, has produced over a dozen high quality open source projects that make it easier to write secure PHP software.

For starters, we wrote an entire CMS that has secure automatic updates baked into its core as a first-class feature (including for extension developers): https://paragonie.com/project/airship

Worried about SQL injection? EasyDB makes it easy and intuitive to use prepared statements. https://github.com/paragonie/easydb

Need Content-Security-Policy headers quickly and easily? You want CSP-Builder: https://paragonie.com/project/csp-builder

Want all the security of libsodium with an even simpler interface and a separate class for dealing with the filesystem? Check out Halite: https://paragonie.com/project/halite

Want to stop CSRF (including replay attacks)? https://github.com/paragonie/anti-csrf

Want to quickly examine the differences between two PHP Archives (e.g. for reproducible builds)? https://github.com/paragonie/pharaoh

We even wrote the community's accepted interface for generating cryptographically secure random numbers in PHP 5 projects: https://github.com/paragonie/random_compat

And coming soon (pending an audit), a pure-PHP implementation of libsodium that will likely be adopted by WordPress so its automatic updates are Ed25519 secured: https://github.com/paragonie/sodium_compat

And even more: https://paragonie.com/projects

Guess how many clients we've gotten from all this open source software we wrote over the past two years that demonstrably improves the security posture of software written in PHP?


My solution: Our next project isn't going to be OSS, and it's unlikely that any of our future ones will be unless it's intended to be a giveaway.

The open source + consulting business model may sound good in theory, but it simply doesn't work. (Though, I will grant that it's possible that the "consulting about someone else's open source project" is more sustainable, due to near-zero investment in said project itself.)

The consulting model was decent 10 years ago but it's lousy today. It will come back in 5 years or so but as a model it isn't very different than non-open source professional services. So the question is how does open source advance in the face of these cycles and I think your point is that even if some folks can make some marginal profit at a particular point in time due to the way money flows in open source, the ecosystem doesn't advance much as the project governance is tied to the whims of the consulting business.

The reason I mentioned it is because it has worked for Wordpress, Drupal and Magento in general. There's countless shops that build plugins and themes for those and are hired for things ranging from small changes to full-scale development.

I would love to see that happen with Sandstorm or other projects because maybe the consulting model doesn't work for the parent company but I'm sure there's hundreds of smaller consulting firms that would love to support it.

Generally if a whale ends up dead on a beach lots of parasites feast upon its bloated corpse.

But that's not to say we need more beached whales.

Just this week, I was on the fence about whether I should get a hosted environment of Sandstorm on the Basic level. Your sad tale of failing as a business gave me the push I needed and I just subscribed.

Sorry to see it go this way, and sorry I couldn't help sooner.

Thank you!

Sorry to see the business fail. I was recommending people to check out the project since the day I learned about it here. I hope the development will continue without problems though :).

A quick question, if I may: say I want to test Sandstorm, first on Oasis, but then I want to migrate to self-hosting. Is there a way to move all the data I stored on my Oasis instance to the self-hosted one?

Yes. You can click the "download backup" button in the top bar when you have a grain open to download a zip file of all its contents. You can then upload that to any other server to restore the grain there.

Currently there is not a mass-download or mass-transfer feature; you have to do each grain one at a time. But you probably won't generate that many grains if you're just testing it out, so it ought to be OK. We plan to add mass-transfer in the future.

See also: https://github.com/sandstorm-io/sandstorm/tree/master/roadma...


I think Sandstorm missed out on a potential business opportunity that I will call, for lack of a better term, SaaS as a service.

Here's what I mean. Suppose I develop an application that fits nicely into Sandstorm's grain-based model. But I don't want to give it away. And just as important, I don't want my users to have to deal with this weird Sandstorm thing. I want to sell the app as a SaaS subscription, like so many other web applications that people are used to. Yet, I don't want to deal with recurring billing, hosting my users' data, 24/7 availability, etc.

So I develop my product as a Sandstorm app, then pay Sandstorm to host it under my own domain, with Sandstorm being invisible to the user. As far as the user is concerned, it's a SaaS product that I'm providing, like any other SaaS product. But I don't have to implement recurring billing, back up users' data, worry about availability or security, etc.

Does this make sense to anyone else?

That's missing out entirely on the point of Sandstorm, which is to provide users with the ability to host their own cloud software. Sandstorm as a business was meant to be in support of that goal, rather than the product being made to fit whatever would make the business profitable at the expense of its goals.

Maybe. Our feeling was that there are many other PaaS's out there already with this kind of focus, and Sandstorm doesn't really offer anything that would make it better than the alternatives. Instead, the focus of Sandstorm is to create infrastructure where the servers "report to the user" rather than to the developer, which is a very different kind of problem.

I do think there are permutations of fine-grained containerization which might be interesting as a PaaS but we consciously decided not to focus there, for better or for worse.

I think you are talking about developing a market place. Very different ball game than sandstorm.

IMO closely related though.

I wanted something like this: crowdfunding of apps, preferably open source.

But while I thought it could fit well in on top of sandstorm I understand it would be hard to pull off in a balanced way.

Regarding open sourcing previously paywalled features:

> We no longer have a business model to protect, so the code can now be set free.

I'm pretty sure this is a big decider in whether a company open sources a piece of software.

Technically our "paywalled" features in Sandstorm for Work were actually open source all along. The paywall existed in official builds but you could easily remove it in a custom build.

The line you quote is actually with regards to Blackrock, which is our scale-out technology, which we never got around to selling (except indirectly by using it to run Oasis).

I am always a little nervous when the status of a project I rely on changes, but I'm pretty confident Sandstorm.io as a platform is still just beginning.

Seems they have - at least for now - given up the commercial project.

I would have loved it if they were successful and made a small fortune so as to encourage more innovation in this niche.

That said, seems they are once again proving what they are made of and making everything available as open source.

I indeed wanted Sandstorm to succeed as a business in order to support Sandstorm's development -- but to me the business was always a vehicle rather than the end goal. For now, the business hasn't worked. I'm actually somewhat relieved, as I've always felt more comfortable building pure-open-source projects rather than business-driven ones. The contortions we went through to try to get revenue felt very unnatural to me.

Have you considered using https://www.patreon.com/ ? If there's enough interest among the people using it maybe you could pay for one full time developer. I know of multiple projects where this has happened like Vue.js and Hapi.js.

It's unlikely that we'd collect enough money to pay a developer in the near term. Developers are expensive. But if people want to contribute financially to the project, the easiest way is to sign up for Oasis. This avoids the 5% fee that Patreon charges.

How simple is Sandstorm to run? I want to use something like sandstorm, but i want stupidly simple deployments, even if at the cost of features. Eg, my killer "sandstorm" like feature would be a single binary, or perhaps 1 binary per service type, that i run with no auth, not exposed to public, a single backup dir, no config, etc.

I want low maintenance from the user side. How much does Sandstorm fit this?

Also, as a side note i feel quite sad for Sandstorm. It's a difficult concept to monetize even if for continued development. Ie, even if i can be convinced that this will be "easy enough" to use, i'd be hard pressed to pay for a service.. i want to keep it on my network, that's the point to me. I'd have to donate, i suppose. Which is unfortunate.

Perhaps they could offer an encrypted backup solution? Eg, i want to self host, but they could easily store an encrypted and versioned backup of my entire sandstorm db? I'd pay for that! I'm doing that from someone anyway, why not sandstorm.io?

> How simple is Sandstorm to run?

Extremely so. Installation is via an interactive process (no config files) and optionally automatically provisions DNS and TLS certificates for you (if you choose a hostname under sandcats.io). Once installed, Sandstorm auto-updates without any intervention. Apps are installed as easily as installing apps on your phone, and also auto-update. The system is intended to be feasible for non-technical people to manage.

I suggest trying it out. :) https://sandstorm.io/install

One thing that might help a little: instead of punting on the hosting ("your favorite cloud provider") link to a page making some specific recommendations.

(Technically I'm sure nearly all of them would work, but you still need to choose between them, which means putting on your sysadmin hat for a bit.)

Do you have any plans to monetize users like me? Eg, i want to run it at home behind a firewall. I'd love to purchase something, but not at the cost of privacy/etc.

How do i fit in your long term goals?

Well, we had a product called "Sandstorm for Work" which was self-hosted and which people could pay for, and a lot of people said they'd love to pay for it, but very few people ever did. :/ So now we've removed the paywall and the Sandstorm for Work premium features are available in all self-hosted Sandstorm servers for free.

If you'd like to help the project monetarily, you can sign up for an Oasis account, even if you intend to primarily use Sandstorm self-hosted.

That said, at present, we've stopped worrying about monetization and are only worried about making the platform better and getting more users. Simply installing a server and using it helps us! The more users we have, the more interest there will be from developers, and vice-versa.

Sounds good, really appreciate your time on this! I'll give this a try this weekend :)

I tested Sandstorm just last week, the technology may be cutting edge but sadly the UI design/UX was from the 90s. The various apps did not gel with either sandstorm frame or other apps at all (conceptually, not technically), almost as if they are iframed and glued together.

Hope the team spends time and polishes the presentation layer.

One thing we want to do to improve the UI is to remove the current black topbar and replace it with a top bar that melds better with the app. Most web apps these days have a colored topbar that contains a name, logo, document title, share button, account settings button, etc. In Sandstorm you see a lot of apps still having such a topbar of their own, but then the Sandstorm topbar lives above it, and half of the usual topbar functionality actually ends up in the Sandstorm top bar, confusing people.

In order for Sandstorm to defend against app security vulnerabilities, we can't simply let the app handle its own access control, so we do need a place to hang this trusted UI.

What I'd like to do is have Sandstorm render a modern-style colored top bar with all the usual elements an app would put in it -- with the ability for the app to customize the color and contents to some degree. This top bar would feel like part of the app, but would be trusted, so we could put access control and account settings there, etc.

I'm glad to hear the plan is to continue the dream. When I first heard about Sandstorm I thought it was a fantastic concept. Unfortunately it wasn't user-friendly enough and I walked away.

I'd always peek at updates whenever the name popped up but I was waiting for it to be more user-friendly. Outside of what sounds to be a lack of a sales/marketing team - the UX/UI is what prevented me from forking over cash.

I hope it works well enough to try and bounce back for a round 2. Best of luck.

I'd love to see a meta-analysis of OSS-oriented companies that have succeeded vs. those that have failed and what they did.

The best thing, IMHO, is that pretty much every OSS-oriented company that has "failed" has left behind valuable work for the community. And non-OSS-oriented companies that failed largely have not.

So the business has failed but the managed hosting is still available? What does that mean? Who keeps it running?

I do. (With help from some trusted people if I'm unavailable.)

Oasis pays for itself and Sandstorm is intentionally designed to be low-maintenance (for the benefit of self-hosters), so keeping it going is actually not very hard. We don't foresee any need to shut down any of Sandstorm's services.

Thanks for clarifying. So you are going to run Oasis full time all by yourself? Would be great to put this as part of your post since it's not clear how much one can depend on Oasis.

I will handle most of it, but there will be fallbacks when I'm not available.

FWIW, Oasis takes only a few minutes of work per week to operate...

> FWIW, Oasis takes only a few minutes of work per week to operate...

Well, today I learned. A bit humbling I guess as someone who typically uses more hours to support smaller infrastructure:-]

As an aside, how easy is it to create your own apps for Sandstorm?

edit: Found this, https://docs.sandstorm.io/en/latest/vagrant-spk/packaging-tu...

Saw this coming :-/ I anticipated this one after app.net shut down. Next one up, cozy.io?

If only sandstorm sold a box with it pre-installed. Kind of like a Pogo plug.

Pogoplug did stop selling their hardware years ago. So it probably wasn't working out either :/
