> As an open source SaaS startup, we need to be able to do both: Ship quickly while also offering a self-hosted version.
You want to; you don't need to.
> This makes shipping updates harder because customer instances are a black box.
Containers for software updates.
> Even low-risk fixes like renaming a database column can break a billing run when a job is currently using that data.
Why is anyone renaming database columns in the year 2025? Have we not had five fucking decades of experience that this is a terrible thing to do? If your application's internals are exposed to the customer, you have messed up. If you have an API or user interface, it has to be backwards-compatible. These are table stakes.
> You can’t extend/integrate cloud software beyond what APIs allow you to do.
True, API integration is by definition vendor lock-in. But that's what people like these days. Nobody wants to spend the time to develop an interoperable standard when they can just churn out an API and force somebody else to make it work with what they have.
> If a cloud vendor has a security issue, you now have a security issue.
So vet the cloud provider for its security practices. Enterprises do this as a matter of course. The decent (read: expensive) providers have better security than you'll implement.
> If a vendor fails/gets sunset by an acquirer, their software disappears.
True enough (again, API integration is vendor lock-in), so make sure you use vendors in a way that's highly cohesive and loosely coupled so they are easier to replace. In general, part of your maintenance budget (80% of the cost of software is maintenance) is in upgrading or replacing EOL software. This is more true of self-hosted software than cloud-hosted.
Building a self-hosted thing isn't significantly different than a cloud-hosted thing. Remember when we didn't have a cloud? Everything was self-hosted. What's hard is just software engineering, because new people aren't learning the lessons old people already learned. It's like building construction, with no zoning code, no manual, no 5-year apprenticeship. It's hard to learn; it's not hard to practice once you've learned.