> But, I can do basically the same thing ... what am I missing about Sandstorm?
The big difference, in my mind, is that each app is integrated with a permissions/capabilities model and strongly sandboxed by individual instance or document. Sandstorm itself handles logins, and handles capabilities to access documents; then e.g. there's no way that Etherpad can accidentally leak your doc to someone else unless you've granted a Sandstorm-level permission to that person.
It sort of flips from the "walled-garden app" model, where the app is the boundary and individual docs and users are within the app, to the traditional "computer with filesystem" model, where the user login and the file with permissions are system-level concepts. (Except instead of "file", they call it a grain, and it's a separate instance of Etherpad or Gogs or whatever.) That's also what makes this more than just Docker containers -- deeper integration into the app.
That also gives you flexibility to have a bunch of different instances of a single app, and IIRC, they have functionality to import/export those instances in a well-defined format from one host to another.
At least, that's what I remember from playing with it 4 years ago. In any case, I got the impression that the model was much more secure, and flexible, than just "install Gogs on vanilla Linux".
This is such a great comment. Tying together all the different login systems and making it work with a bunch of different systems behind those authentication systems is such a pain in the ass. Maybe Sandstorm tried to promote that as the key benefit at some point and it didn't resonate, but their site right now says "Sandstorm is an open source platform for self-hosting web apps" which does not differentiate it at all.
If I knew that I could create a private walled garden with a bunch of disparate apps that are all connected, that I would have been excited about. That's hard work they did, and it is a shame they don't promote that up front. I'm confused who they think they are talking to, since "open source apps" would only appeal to developer/sys-admin people anyway.
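The contrast drawn in the first comment above, as an added example that is not part of the thread and is not Sandstorm code: a document app with a missing access check leaks across users when it is the only boundary, but not when a host checks grants before routing to a per-document instance. All class, function and grain names are hypothetical, and the data is constructed.

```python
class BuggyPadApp:
    """Hypothetical document app whose read handler forgets its own ACL check."""
    def __init__(self):
        self.docs = {}  # doc_id -> text

    def read(self, user, doc_id):
        # Defect under study: the app never checks who is asking.
        return self.docs[doc_id]

def walled_garden():
    """One shared app instance holds everyone's docs, so its bug leaks them."""
    app = BuggyPadApp()
    app.docs["alice-notes"] = "alice secret"
    app.docs["bob-notes"] = "bob draft"
    return app.read("bob", "alice-notes")

class Platform:
    """Hypothetical host: owns logins and grants, one app instance per grain."""
    def __init__(self):
        self.grains = {}     # grain_id -> isolated app instance
        self.grants = set()  # (user, grain_id) pairs held by the platform

    def create_grain(self, owner, grain_id, text):
        app = BuggyPadApp()          # same buggy app, but it holds one doc only
        app.docs["doc"] = text
        self.grains[grain_id] = app
        self.grants.add((owner, grain_id))

    def share(self, owner, grain_id, other):
        if (owner, grain_id) not in self.grants:
            raise PermissionError("only a holder can share")
        self.grants.add((other, grain_id))

    def request(self, user, grain_id):
        # Enforced before the app ever sees the request.
        if (user, grain_id) not in self.grants:
            raise PermissionError(f"{user} has no grant for {grain_id}")
        return self.grains[grain_id].read(user, "doc")

def grain_model(share_first=False):
    """Bob asks for Alice's grain; returns its text, or None if refused."""
    p = Platform()
    p.create_grain("alice", "g1", "alice secret")
    p.create_grain("bob", "g2", "bob draft")
    if share_first:
        p.share("alice", "g1", "bob")
    try:
        return p.request("bob", "g1")
    except PermissionError:
        return None
```
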