Self-hosting is just responsible computing now. The big companies are just too big to care about small businesses, and will use your data in any way that they please - take it or leave it. And it's cheaper to boot. A Synology NAS or a Raspberry Pi 3 could cover 90% of what most internet services offer the average consumer/small business right now.
Because with cloud providers you don’t need anyone on staff to understand the product, keep up with the constant changes and predatory features they slip in, manage the cost overruns, or help to migrate away from their proprietary data formats once you’ve had enough of their “whaddaya gonna do about it?” treatment of customers?
It does invalidate the argument. They’re implying that with self hosting you need someone to manage it, but with cloud you don’t. The truth is you need someone managing both scenarios, and the cost remains roughly the same.
Does it? It is a lot easier to find people who can work with Office 365 than who can stand up and maintain a comparable suite of selfhosted services, especially when considering needs like secure remote access.
I don't know who else here has ever actually done the kind of work that we're talking about, but I have, for contract clients, over the span of most of a decade. Between G Suite and Office 365, those jobs dried up fast about a decade ago, and I wasn't sorry; the thing about selfhosted deployments of this type is that no matter how standard you try to make the platform, clients' requirements persist in varying, so each deployment ends up a somewhat different artifact whose differences, because those get less investment of effort than the common aspects, are always what cause the most problems and cost the most money in maintenance. No one was sorry to see that expense dwindle with the rise of SaaS officeware platforms; even for me, it wasn't a loss, because it freed up my time for more interesting and lucrative engagements.
Of course I'm sure that, for those of you saying this is easy, your experience is different from mine. It would be really interesting to hear more about how you've been able to make selfhosted deployments work so well for folks who aren't technical. That's a really significant achievement! Teams like Sandstorm have spent years at it and come away with nothing of import to show, and I'm sure I'm not alone in wanting to know more about how folks here have overcome the same challenges.
I don't get your point. It doesn't matter if you host your stuff on AWS, Hetzner, or locally on a Pi, you need someone to manage that. If you are this someone, great, if not, you need to pay someone else. And contrary to what private cloud providers advertise,[0] the amount of work is similar in each case.
[Or used to, around 2006 or so - I'm not sure if they still claim managing public cloud resources means less work.]
I actually went to the DC yesterday. It had been 6 months since I had been there and everything was running fine (and has been for 2 years now). I just had a small addition. I don't love the drive, but it's really not much of my time to manage it.
By the sound of it, you are exactly the person I was talking about needing to have on staff. That's a good kind of person to be (I say, while being likewise), but I'm not sure it makes for an effective counterargument from experience.
Yes, but my point is that I can do a lot of stuff that isn't just DCops work; in fact it's a very small part of my job. I handle all the infrastructure to include cloud and some managed services as well. Kinda the nature of a small company - you just do what needs doing.
Sure, I get that, but my point is that most small businesses aren't going to have or want someone with that set of skills. Those in and around the tech industry will, sure, but that isn't most small businesses. And selfhosted equivalents of SaaS officeware packages really aren't the sort of thing that can be reliably set up and managed on a "do what needs doing" basis - not because most people can't learn, but because starting from what you know as a user that's quite a bit of learning, and time thus better spent on any of the other forty dozen things that always want doing to keep a small shop afloat.
It would be nice if the tooling really was simple enough that wasn't so, but despite considerable effort to make it so from Sandstorm among others over quite a long time, as far as I know no one's had notable success in achieving that. Hence the rise and continued prominence of SaaS providers, who abstract all of that effort behind an SLA and a monthly fee.
I agree with the criticism of SaaS platform behavior at the head of this thread. What I think the commenters on that side of the discussion are missing or maybe ignoring, is that much of the value a SaaS offering provides is in not having to (pay someone to) administer that stuff yourself - and that, considered separately from the question of how providers behave, "all you have to think about is 'pay us and use our stuff'" is in the general case a strong value proposition.
Yes, I was thinking about the software world really. I work for a small SaaS vendor so we have the skills to develop and host our offering. We are indeed toying with AI (because who isn't?) to see about adding features, but one of our requirements would be that it is self-hosted as well because we work in medical IT. I believe that's one place where strong privacy laws and at least the idea that patients own their data (doctors don't seem to be super onboard on that) can put some guardrails on what companies can do.
Yes but it's just too hard for even experienced people. Even harder to have good reliability, backup. I'm etching my rather average needs setup for a decade and there are still issues and I couldn't yet fully decouple. Life is short man.
There are new tools, apps and solutions every year (easy vm handling, kinda easy vpn, projects like Wireguard, Immich) but overall there are huge things missing to make selfhosting a thing for common people.
It's pretty easy right now. Synology makes things so, so simple and Yunohost is closing in right behind. If you can manage a large spreadsheet, I don't see why you wouldn't use one of those systems.
Since this seems to be written partly in response to (and honestly, to take advantage of) the recent Slack AI training panic, I took a look to see how Slack have updated their materials in response to that panic.
I think these updates are really good - Slack's previous messaging around this (especially the way they unclearly conflated older machine learning models with new policies for generative AI) was confusing and it wasn't surprising it caused a widespread panic.
It's now very clear what Slack were trying to communicate: they have older ML models for features like channel recommendations which work how you would expect such models to work. They have a separate "Slack AI" addon you can buy that adds RAG features powered by a foundation model that is never further trained on user data.
I expect nobody will care. Once someone has decided that a company might "train AI" on private data you've already lost that person's trust. It's not clear to me if any company has figured out how they can overcome one of these AI training panics at this point.
>I expect nobody will care. Once someone has decided that a company might "train AI" on private data you've already lost that person's trust. It's not clear to me if any company has figured out how they can overcome one of these AI training panics at this point.
I think it goes beyond a single company, or rather a single incidence of this panic. You're looking at each time this happens as an independent coin flip instead of a series of dominoes that trigger a reaction in multiple directions.
What I mean by that is there's a counterculture sentiment building based off the idea that people have seen this same pattern enough times at this point that they're distrustful of large scale systems by default. It's happening with government institutions, politics, economics, and individual industries like gaming and streaming.
To that end the "panic" is not just a reaction to Slack's (perceived) actions, but an expectation that Slack will be yet another domino in that line of companies that have done the same. It's also difficult to prove a negative (that Slack isn't using private data for training purposes even if they say they're not) so the messaging is up against a very solid wall.
The result here is that public announcements and messaging related to data are under heavy scrutiny, and the media is incentivized to try and make their reporting go viral (ironically for the ad revenue) at the expense of actual journalistic reporting.
I'm not sure what the solution to this problem is, or if there even is one, but promoting self hosting seems like an indicator that the default assumption is that data collected will be abused in some way. Honestly based on the last couple of years it's not an unreasonable assumption either.
Yeah I think Slack's updated stated internal policies are about as reasonable as one can hope for from a tech giant, if one can trust them to stand by those policies. Your article was on my mind when writing this, I guess I should have linked it.
The crux of the matter is whether you can trust a big tech company to do what they claim they will. They all think AI is worth infinite dollars. In that world, without some very clear, painful, straightforward, contractual penalty ... well we've seen that the tech giant plan is that rules are meant to constrain your competitors' behavior, not yours.
If they wrote "If any of your data is discovered to have been in an AI training model, Slack owes you 10x your lifetime payments to Slack, and any involved whistleblowers get 1% of the total paid" in their terms of service, which means if Slack screws this up, the company is immediately bankrupt, that might prove effective. But a promise in a "privacy principles" policy that doesn't appear to actually be incorporated into the core ToS does not have a lot of teeth.
This does seem to be one of the key challenges here: publishing a "principles" document doesn't mean much if you reserve the right to change those principles in the future!
I think you're right: the most convincing version of this would be actual legalese.
I wouldn't be surprised if Slack have this in the contracts they sign with their larger customers, but I don't think those are publicly available.
Another offender: codegpt.io ToS grants them an irrevocable perpetual sublicensable license to all code they see from you. It’s insane what rights companies claim to your data.
As far as I can tell that's the copy they've had in place since 2016 - a year before even the original Transformers paper that kicked off today's LLMs - to cover their own tiny old-school ML models for things like channel recommendations.
2FA pushed me out of github, but M/S Copilot in github created the road out.
Now seems people's chats and posts are being used to train AI. I wonder how long before Cell Phone Providers start using Text Messages to train AI (or sell to AI people).
To start with, I don't have two devices, only a laptop. (And a backup laptop and desktop at home, but I typically don't work there.) Correct, I have no smart phone.
Second, it's not an important security measurement for me. I didn't go into FOSS to be part of someone's supply chain. I do it as a way to share my knowledge of how one might solve a problem. If you want to use my code, then inspect it to make sure it does what you want, or pay me for commercial support. Neither require 2FA.
Might someone take over the account? Sure, I suppose. But I'm not into "community building" or GitHub's gamification, and my primary repos are all local, so if that happens and GitHub's support didn't help, I could start a new account. Again, don't depend on me for your supply chain without a commercial support agreement.
When Microsoft switched GitHub to require 2FA I concluded it was because they wanted to assure their corporate and government clients that it was "safe" for them. Those profits subsidize Microsoft's free hosting plans, so my presence there was helping contribute to Microsoft's already excessive market power.
Third, the change was driven from on high, with no chance for me to decide what was appropriate for my projects. I concluded Microsoft was so powerful they could make such paternalistic changes because they knew network effect was on their side that they could have little concern about the small number of people leaving or getting upset.
Fourth, my FOSS projects on GitHub were labors of love that were a net negative on my income. I was not going to spend any money on new hardware or waste my time figuring out how to get things working under a new system when I was already hosting most of my work on Sourcehut, which is much more aligned to my ethical and moral views.
I still don't know how many security keys I'm supposed to have (how often should I expect to lose one? should I store the backups off-site at a friend's place?), or how often am I supposed to test they work? And then I hear about issues about lock-in and how attestation requirements might prevent FOSS solutions and prevent people from backing up one's own security keys, and issues with resident vs. non-resident keys, and being able to register multiple keys. It's all learnable, but I simply don't care enough.
And I don't see why I should care about all this when the paying customers of my software have all been fine with only a tar.gz, license agreement, and support contract.
To answer myself, from reading the other comments, it sounds like GitHub started to require 2FA at some point, and some people refused to set it up. The problem was not some inadequacy of GitHub's 2FA implementation, but the fact it is mandatory.
(I had 2FA set up a long time ago, so didn't notice the policy change)
Given how awful some text messages I get from relatives read, I really hope not. The worst types of typos. The only thing I want them to train properly is voice to text. It cannot for the life of itself ever get anything right. I have to scream at Siri a dozen times.
This will continue to occur and may come as a "shock" to some companies that will ignorantly persist in using proprietary services unless a significant change in data collection from the service itself occurs, which should not be the primary motivation to switch to a self-hosted version in the first place.
Considering Microsoft are bringing in a ‘feature’ to record your desktop, I wouldn’t be surprised that an additional ‘feature update’ further down the line will simply take all those chats with your self-hosted AI models to train AI models.
So in my opinion, it just doesn’t matter if you are using self-hosted AI, the weakest link in your chain for keeping your data private is the very OS’s that you’ll be interacting with said self-hosted AI.
And with all the manufactured fear mongering going on around AI, that data will -already- be deliciously irresistible for prism-participating, lovable, trustable companies like Microsoft.
Sorry to burst some pretty bubbles for the lovely naive people.
"We don’t train LLMs on Zulip Cloud customer data, and we have no plans to do so. Should we decide that training our own LLMs is necessary for Zulip to succeed, we promise to do so in a responsible manner"
:). What a clever way to say that even though we don't do it today, we cannot guarantee that we will never do it on our cloud service. At least they are honest I guess.
I think you're missing a big part of the point of the post: Which is that if you're self-hosting, nobody can train models on your data, if you're going to use a cloud service, you should use one where you can move data to self-hosting, and where you can trust the vendor.
We do basically guarantee that you won't have your organization's data included in AI training in Zulip Cloud without consent. But yes, we're not ruling out the possibility of some sort of opt-in feature that might be useful in Zulip Cloud.
I'm humble enough to not pretend I know what will be possible/expected in terms of AI technology in 5-10 years, but one could easily imagine some sort of tool trained on web-public channel data in open Zulip communities being a thing that could make sense if done with appropriate consent. If such a thing were desired, I don't think most of the concerns related to the Slack controversy would apply.
I respect the self hosting part of course. All I am saying is that the premise of the post is that you guys take privacy seriously but you still left that door open that someday you may use LLMs.
>> we're not ruling out the possibility of some sort of opt-in feature that might be useful in Zulip Cloud.
Zulip's weasel wording indicates they are nerfing a great (maybe their best) opportunity to stand out from the herd.
How about this for a mind-blowing concept (/s) ... If a web-public channel wants to add some sort of useful feature based on a technology trained on their data then let the owners/administrators of that channel flip that switch on. Zulip should have no involvement in that decision, period.