This talk covers how web app packaging works for the free software [Sandstorm.io](https://sandstorm.io/) project. This talk covers how Sandstorm achieves one-click installs of web apps for unprivileged users. To do this, Sandstorm's packaging tools do a few strange things:
- Every app package is a tiny Debian derivative, often as small as 20MB.
- Apps have no Internet connectivity to the outside world.
- Sandstorm uses a FUSE filesystem to identify which files are needed to run the app.
- An app bundles all its needed services, as well as files, resulting in one MySQL service per app.
- Users click and run one _instance_ of an app like Etherpad per document, which is all handled transparently via a web app, a strategy that has neutralized 95% of 0-day web app vulnerabilities, based on our analysis.
- Developers on Mac OS and Windows can create packages for Sandstorm, even though Sandstorm is Linux-only, due to an emphasis on Linux VMs in our development tools.
Somehow we manage to make this scale reasonably well. Additionally, it is popular with upstream authors: of the >50 web apps packaged for Sandstorm, about 1/3 are maintained by their upstreams.
This talk focuses on how the Sandstorm packaging tools work, with community insights as well as technical ones, with the hopes of showing Debian how to more effectively package web apps for end users.
Talk (45 mins) session with Asheesh Laroia and Sandstorm.io during Debconf 16