Sandstorm News

Sandstorm for Work Beta: LDAP, SAML, organization management

By Kenton Varda - 06 Apr 2016

Sandstorm is a great way to run open source collaborative productivity apps like document editors, task managers, chat rooms, file sharing, and more (54 apps and growing), all in one place. Lots of people – including us – use Sandstorm every day as part of doing their jobs. For example, right now I am composing this blog post in Dillinger running on Sandstorm Oasis (our hosting service), but many people choose to self-host Sandstorm on their own machines.

Sandstorm for Work makes self-hosted Sandstorm easier to integrate into a corporate environment, with features such as LDAP and SAML login and organization management.

We’re in beta now, so not all features are ready yet, but once you’ve installed Sandstorm you’ll automatically receive updates as they become available.

To get started now, install Sandstorm and choose “Sandstorm for Work” during setup (or if you already have a server, look for the “for Work” tab in the admin settings). Sandstorm for Work is priced at $15/user/month, and currently we’re offering a 90-day free trial. (It’s still open source! More on that in a bit.)


Productivity Apps Large and Small

With Sandstorm for Work, you can run apps similar to popular SaaS products, but keep your data in-house. For example, you can run Etherpad and EtherCalc instead of Google Docs, Wekan instead of Trello, Rocket.Chat instead of Slack, and Davros instead of Dropbox. Once you have Sandstorm running, you can install each new app with a click – no need to create a new account on a new service, and no worry about whether that service is sufficiently private and secure. With Sandstorm, running apps in-house is actually easier than using SaaS.

But even more interestingly, you can run apps on Sandstorm that aren’t available anywhere else, like Simon Vansintjan’s Annotate. The idea behind Annotate is simple: upload an image, then annotate it with comments. We at Sandstorm use it to discuss UI and illustration mockups. Here’s me using it to comment on a slide deck we’re working on:

What I love about Annotate is its simplicity: Simon wrote the whole thing in a couple weekends. And yet, it’s enough to be useful to design teams anywhere. No matter what Simon decides to do in the future, this app will never disappear, and you don’t have to trust Simon because your data stays on your server.

Annotate is just one of 54 apps and growing on our app market. By installing Sandstorm at your workplace, you get access to all of these at once, under a single login, and without giving up control of your data.

Security Behind the Firewall

Of course, if you want to run apps on your own infrastructure, behind your firewall, you need to think about security. A malicious app – or a buggy app that gets hacked – can compromise your whole network.

Fortunately, Sandstorm protects you. Sandstorm is the only container engine that implements fine-grained isolation, locking every document in its own container. By doing so, it prevents any app from compromising the server or network, and indeed it renders 95% of app security vulnerabilities moot before they are even discovered.

Developing for Enterprise

Are you a developer of a web app aimed at enterprise? Do you ever get requests for an on-prem version, but find it hard to fulfill this request given the myriad environments and infrastructure you’d need to support? Perhaps we can help. If you target Sandstorm, then these logistics become our job. If your app works on one Sandstorm server, it will work everywhere. If you are interested in learning more, check out our developer features and e-mail us.

Is it Open Source?

Yes! Sandstorm for Work features are part of the same codebase as the rest of Sandstorm and under the same Apache 2.0 license. However, in order to unlock Sandstorm for Work features, we ask that you buy a “feature key” from us.

So how does that work? Can’t anyone just remove the feature key check? In fact, yes, you can. However, if you did that, you would not be able to take advantage of our automatic updater, which ensures that your server is updated to the latest version within 24 hours of any release with no effort on your part. Automatic updates are important to keep your server secure and to make sure you can always run the latest apps.

Purchasing a feature key also entitles you to priority support. However, we don’t want to be a company who primarily sells support, because we think that creates a perverse incentive for us to make our product hard to use. Indeed, it is our goal that no one should ever need to contact support at all, but under a support model, we’d be putting ourselves out of business! Under the feature key model, we are selling features, and promising support if there are problems. This way, we are incentivized to make sure there are no problems, because then we don’t have to answer support tickets.

The Future

We like to release features early and often – we push a new release almost every week. What we are announcing today is only the beginning of what we have in store for Sandstorm for Work. Over the coming months, we’ll be adding features like group management (to make it easier to share documents with your team), audit logging (keep track of who has been accessing what, for security and compliance purposes), customizable access control policies, and much more.

If you install Sandstorm today, you’ll automatically get these features as they become available – your server will automatically update after every weekly release with no action needed on your part. So why not install now and see what you think? Feel free to file a bug to tell us what you want to see next.


Sandstorm's security track record, and what it means for self-hosting

By Asheesh Laroia - 29 Feb 2016

Today I want to share the results of our own analysis of security issues of web apps available on the Sandstorm app market.

95% of security issues automatically mitigated, before they were discovered

Sandstorm automatically protects users from a huge fraction of the publicly disclosed security vulnerabilities discovered in apps on the Sandstorm app market, before the vulnerabilities were even disclosed. Of the issues we examined, 95% were wholly or partly mitigated. You can read the full report here in our documentation. The analysis covers publicly-disclosed vulnerabilities in Etherpad, WordPress, Roundcube, ShareLaTeX, and Tiny Tiny RSS. In WordPress, we limited our analysis to security issues of severity score 6 or higher, due to the large number of issues. We also mitigated 21 CVEs in the Linux kernel to prevent sandbox breakout.

We built Sandstorm to create a viable ecosystem for indie and open source web apps. When server apps are as safe to run as apps on a phone, people will feel free to choose whatever software they like. Consider that some Sandstorm apps, like Giftr, are small and don’t have as many people checking the code for bugs. Sandstorm protects you when you use those apps, too.

We know that security is risk-management, not binary. No software, Sandstorm included, will ever protect all user data from all bugs in all programs. However, raising barriers to a successful attack means fewer successful attacks will occur.

Self-hosted apps can be as secure as a centralized web app

With Sandstorm, you get an experience as easy to use as software-as-a-service, and you retain the privacy benefits of self-hosting. One of our key security strategies is to isolate each grain (typically, one document) separately, so that a buggy or malicious app has a hard time ruining your day. That degree of isolation is enabled by our various security practices.

I hope you’ll read the full analysis, prepared by myself and Kenton Varda. Let us know what you think!

When self-hosting is secure, users are free to choose

Security enables freedom of choice. If you use a Sandstorm server, you can choose productivity tools that fit your needs, even if the server is maintained by someone else.

Want to chat with colleagues? Install Rocket.Chat or Let’s Chat. Want to track tasks and stay organized? Install Wekan or Simple Todos. Want to organize a gift exchange? Install Giftr. Want to share files quickly with friends? Install FileDrop or Davros.

If you prefer managed hosting, you can make an account on Oasis and enjoy any of these apps or upload your own.

Or you can run your own Sandstorm install. Over the past six months, we’ve integrated free SSL certificates and cryptographically-verified automatic updates into self-hosted Sandstorm. As soon as someone installs Sandstorm for an organization, they can safely allow colleagues to choose their own tools. If you install Sandstorm for yourself, you can use the best indie web apps and let the platform handle security for you. Get started on the Sandstorm install page.

Andrew Wansley shares his story of Giftr

By Nena Nguyen - 25 Feb 2016

Giftr is one of the newest additions to our App Market; it helps make coordinating gift exchanges less painful for you and other gifters involved. At our Sandstorm San Francisco meetup in January, app author Andrew Wansley shared his story of how his decision to create & package his Giftr app all started from a simple family tradition.

Watch Andrew’s talk here:

Try Giftr & remember to review it on the App Market!

Free publicity for your indie web app, and free Oasis service for you

By Asheesh Laroia - 05 Feb 2016

Every useful web app deserves users and publicity. Every author deserves an easy way to see their app the way their users see it on Sandstorm.

So here’s the deal: If you write an open source web app, and you package it for Sandstorm, I’ll help people discover your app and use it. You’ll also get credit toward one year of Oasis managed hosting so you can test your app on Sandstorm. The offer applies to anyone who successfully submits an app to the Sandstorm App Market, whether or not you’re the original author. It doesn’t have to be open source, though we do love open source. The Oasis hosting can be used for anything you like.

A Sandstorm package allows people to use your app even if you don’t maintain a public service

When I asked Simon Vansintjan why he made a Sandstorm package of his Quick Survey app, he told me, “I have no interest in running a SaaS of every small app that I think would be a benefit [to other people].”

Simon wants to publish code, not commit to maintaining a service. Simon wrote Quick Survey so he could run one particular survey, as well as for the joy of learning Meteor.

By packaging his app for Sandstorm, he got multiple document support without writing any code. Simon said, “Once I understood that [multi-document] translated really well to how Sandstorm views apps / grains, I figured it made a lot of sense to port it to Sandstorm. I’m happy I ended up trying to port it, because it opened up how easy it would be to get other apps up and running with it.”

You can try out Quick Survey with a click. Your app could be that easy to spin up.

Quick Survey is a web app that isn’t a business, and Sandstorm is perfect for apps like that. For example, Daniel Kraft is nearly done packaging up his personal D&D dice rolling app. What hobby apps have you made that others might enjoy?

Publicity: Graphics, app demo, outreach, and more

When your app is on the Sandstorm app market, it’s naturally in front of people who use Sandstorm every day. Universities, corporations, non-profits, and self-hosting enthusiasts alike spend huge amounts of time in apps on Sandstorm.

Beyond that, every Sandstorm app is supported by the Sandstorm.io community team — Néna, Jade, and me.

Néna supports open source web app developers by providing graphics for any app with a Sandstorm package. Here are some of the graphics she’s put together:

All three of us spend every day thinking about how to get more people using the apps in the Sandstorm ecosystem. The apps are what make Sandstorm interesting. So we do things like:

The Sandstorm community as a whole will give you feedback on your app if you email the sandstorm-dev group. Check out these recent threads to see how it works.

I want self-hosting to be a meaningful alternative to software as a service. You can be part of that movement by packaging your app for Sandstorm. If your app is written using Meteor, I’ll even create the initial packaging.

See what users see, with a free Power User account on Oasis

Your users probably don’t know how to deploy your app, which is why they need Sandstorm. I want you to be able to see what your users see, so I’ll give you a free year of Power User level on Oasis managed hosting if you write or package an app for Sandstorm.

While you’re on Oasis, feel free to enjoy it for anything else within the usual terms and conditions. Take advantage of private git repositories with gogs, project task tracking with Wekan, or privacy-preserving web analytics with Piwik. I’ll also give you an invite to Keybase so when people install your apps, they can verify your identity via the world’s most usable interface to PGP.

To take advantage of this offer, visit Oasis and upgrade to any paid plan, knowing that all the paid plans are free-of-cost while Sandstorm is in beta. Then email me at [email protected] to request a statement credit equal to the cost of a Power User account. We’ll add it to your account, and you’ll be all set.

To get started, read the docs, or email me

Every good web app deserves users and publicity. I’m here to help you with that.

You can dive right in by reading the packaging tutorial. Sandstorm supports any language or stack that runs on Linux, and has special tooling for Node.js, PHP/MySQL, Meteor, and Python.

If you’re unsure, or you just want to chat, or you’re waiting on us to publish your app, it’d be my honor to hear from you. Send us an email on sandstorm-dev!

Sandstorm user stories from Hacker News

By Jade Wang - 03 Feb 2016

While my previous blog post was discussed on Hacker News yesterday, andybak asked to “hear from people that are using Sandstorm day to day.” Reading the replies really made me appreciate the warmth of the Sandstorm community, and I just wanted to share a few excerpts.

Nolan Darilek writes:

I use Sandstorm daily. Private/company projects are run in Gitlab instances, though I may switch to Gitweb if a minor cosmetic issue is resolved (Gitweb in Sandstorm can only host one repo by design but you still have to click through to it when viewing the instance, which is mildly annoying when all other apps come up ready to use.)

I have a bunch of Wekan boards managing everything from coding projects to my GTD buckets to separate boards for random home improvement projects. I prefer Wekan to spreadsheets because I can track work through arbitrary workflows and annotate items with additional data, and Sandstorm lets me manage that without having to maintain and secure a separate Wekan server that any random person could find and exploit. My blog is hosted in Sandstorm WordPress so I have the niceness of its admin interface but none of its security risks, and all the speed of a static site. A small 2-person bootstrapped startup I’ve cofounded uses it for many of the same use cases plus hosting our app’s Piwik instance, again so there’s literally no non-Sandstorm-secured user-facing attack surface other than Piwik’s API endpoint. I have an idea for a platform co-op in the middle distant future, and if I manage to launch it then I’ll run it via Sandstorm-hosted Loomio, which I’m actively attempting to port and am fairly close to completing.

Sandstorm is a great platform, and the community comprises some of the nicest, most dedicated folks I know. When my cofounder messed up our install a bit, Kenton talked us through fixing it on a weekend no less, right down to giving us database queries to run and then patching Sandstorm to handle our edge case the next week. Awesome people.

Jacob Weisz writes:

I use Sandstorm daily. Effectively it replaces Google Drive/Docs for me. I use Etherpad, EtherCalc, and Text Editor a lot on it. And I use Davros for storing arbitrary files I want to share. My blog is hosted on Sandstorm, but I’ve posted to it like four times so it doesn’t really count.

Steve Dee writes:

I’ve been hosting a Groove Basin instance on it for the last little while. Check it out, it’s anarchist radio! Link »

At some point some crazy mofo is going to post it to hackernews. Hopefully I don’t have to revoke the URL and clean up any spam and y’all just groove with the little community I’ve got going on there! But just in case, here’s one where you can only listen, that might last a little longer: Link »

I posted a URL for that station to my work’s Slack, and then people started uploading stuff and rocking out. We’ve had a great time taking turns DJing, sharing our musical taste with each other, and hijacking the stream when it gets too boring or weird. I’ve had friends of mine jump on from elsewhere in the world, some who I haven’t seen in years, and drop their music on us. We’re completely in love with this – it’s a way for us to stay connected through music without disturbing the people who just want to work quietly.

I’m astounded at how easy Sandstorm made this whole thing. These guys continue to blow me away with their ability to create incredibly useful experiences on a small budget and in such a short time.

Are you using Sandstorm at work? Drop me a line at [email protected], I’d love to hear about it and find out how I can be useful!