Why is there no central directory of consulting companies / freelancers for Qubes OS support?

I have been asking around in the matrix channels a bit and it seems there is no central page for freelancers and companies that offer Qubes OS consulting.

This does exist for debian with the list of debian consultants at Debian -- Debian Consultants and for openbsd with their support and consulting page OpenBSD: Support and Consulting

I have helped implement qubes OS for several customers in the past and it mostly was because they “saw my laptop” and thought that this was “totally what they were looking for in departments X and Y”.

Is there a reason for this not existing? Are interested customers generally supposed to contact Team | Qubes OS ?

If this is not the intention, would it be possible to start such a list below the qubes-os.org domain, like qubes-os.org/consulting-and-support or similar?

What do you guys think about this idea?

2 Likes

A similar idea has been suggested before

Edit: changed the URL to the first post.

3 Likes

xD what kinda labor? :wink:

2 Likes

It could be handled as a community guide in the first time, if you want see it to happen

2 Likes

I’m happy to build a website for it, but wanted to ask first if it exists somewhere I don’t know and if not if it could be done at the qubes-os.org domain.

I think its a good idea and would make it more easy for companies interested in qubes to find the right freelancer / consulting company.

1 Like

I also think it is a good idea.
ITL should, I think, have prime place on any such list.
I do not think that Qubes could (as things stand) be directly involved
in production of such a list or endorsement of any entries there.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

3 Likes

I think such a list should belong to the website somehow. I’m part of one of the list mentioned above, the process was to send a commit adding the information, and there are no extra checks done by upstream.

The Qubes OS foundation would only have to accept pull requests, nothing more. At least the list would not be managed by a third party that could take control or profit from the list. And although Qubes OS would not review all the consultancies information, the list would appear more legitimate to Qubes OS users.

1 Like

I think such a list should belong to the website somehow

+1 that would be ideal I think. Is there an admin of qubes-os.org around?

I’m part of one of the list mentioned above, the process was to send a commit adding the information, and there are no extra checks done by upstream.

Yes me too. Its rather simple to get listed there. I think thats generally ok. If you view the websites of the people listed there, its mostly obvious that they are into debian or openbsd.

The Qubes OS foundation would only have to accept pull requests, nothing more

That would be an ideal approach, yes

At least the list would not be managed by a third party that could take control or profit from the list. And although Qubes OS would not review all the consultancies information, the list would appear more legitimate to Qubes OS users.

If we do this by PR then other qubes users would see and assumably check the new entry.

On OpenBSD it says “you should have OpenBSD related content on your website”. As said, when you look at the website, it’ll be obvious.
A section could be added to the page where you can complain about a given consultant / consulting company that they had no idea what they’re doing and that you’re unsatisfied or something.

1 Like

And this is exactly why it does not belong on the website.
The list “would appear more legitimate”, but all Qubes has done is
accept PRs. Don’t you see a problem here?

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

4 Likes

Yes, I fully understand your point @unman . I get that by it being somewhere on qubes-os.org it would give legitimacy to the linked freelancers / companies.

I have to add though that not having that list also isn’t perfect. Anyone can easily create a website and rank it high enough to aquire customers for qubes consulting. I’m sure some people in the forum do that as well.

I think you can generally see if people are genuine by just looking at their websites.

Long story short, I think a central point where companies can look for freelancers and consulting companies would be a good idea and would help to get additional traction for qubes, which in return would also help qubes - if more companies use it, more companies would be willing to further fund / sponsor the development of qubes.

I fully understand that there is no totally fool-proof way of building such a list of course, but I still think its a good idea. If you write on top of the list “these freelancers / consulting companies are NOT verified by qubes, we ONLY quickly checked their websites” the person looking at the list knows whats coming and can take that into account.

1 Like

Do you have an opinion on this @marmarek / @adw ?

2 Likes

Why even have the list on the website if you have to write it’s not safe to use?

It would look terrible if someone got hacked using social engineering, through a source provided by the official website.

2 Likes

IMO it’s still better than having people looking for random a consultancy in search engines.

1 Like

I guess it’s because of this kind of issues we started making “certifications” a thing :thinking:

1 Like

I don’t see how it is better when there is no vetting of the people on the list, it’s the same as picking a random person from an internet search.

As I see it, the difference is that it makes them seem more trustworthy because it’s posted on the official website, and that trust can be exploited.

5 Likes

The Qubes OS market is unfortunately too small for ITL to be able to fully cover it.

So imho there’s no need for such a list.

And yes, I know this because I am a freelancer (with Qubes OS knowledge), regularly check all freelancer offers and never noticed any project related to Qubes OS.

1 Like

I previously posted my opinion here:

One advantage of this approach is that it give the listings some visibility from the official website while making it clearer that they’re essentially unvetted self-promotions. Also, a forum thread allows you to be more verbose, use special formatting, embed images and videos, etc. It also allows your (prospective) clients to ask questions and leave reviews and testimonials in the comments.

But I’m no longer the website maintainer, so it’s not my call. I see the merits of the arguments on both sides and have no strong opinion either way at this point.

FWIW, I do think that a healthy OS ecosystem includes independent experts offering unofficial support and consulting services to users, and I’m glad to see such offerings grow around Qubes.

3 Likes

I think having a forum thread is just not visible enough to companies that are new to qubes and found it because they read an article or because they googled “most secure OS for my company” or sth.

The companies I worked with in regard to qubes check if theres a link on the website or google “qubes consulting”. I think having a list on the site is totally fair. Even OpenBSD does it and they basically invented paranoia.

I did get a hand full of customers from the debian consultants page that my company is listed on. It includes a description section where we wrote a bit about how long we’ve been using debian and that its a bit our religion (next to qubes of course :stuck_out_tongue: ;)))

I do see your argument that this isn’t checked / verified. I think if we had a thread in the forum, people would see that and it wouldn’t be checked or verfied either. Especially if someone is a h4x0r they will have the knowledge to appear legit one way or another. Also I think if you want to hack people there are simpler ways than getting listed on OS’s consulting pages.

I think qubes has been around long enough and there ARE companies interested in qubes consulting. At the end of the day, qubes-os.org does have a big blue DONATE button on the top right of the page: Donate to Qubes | Qubes OS If qubes can help companies interested in qubes find freelancers and consulting companies more easily, those can more easily convince them to donate towards qubes development.

1 Like

I don’t know where you got those prices… I can give you 1990’s prices when I did it a lot or up to mid 2005.
On site 1k-1.5k/day + expenses for secure environments. If you want to go to Columbia or strike zone the prices go a lot higher really fast. I know people that went with a helicopter escort (military) for 4k a day. USD prices by the way.
For offsite just outsource to … they are very good for the price.

1 Like

What about building a Qubes App Store.
to prevent someone purchasing an app, and then releasing it to the whole world for free.
The store would need a lock from the Qubes OS. and I doubt that is possible.
But there are several things that cost sharing if enough folks purchased the App, and allows the developer the opportunity to earn enough to keep it patched for awhile.

Each individual needing to purchase one fix, makes that one fix for one machine, expensive.

Apps which come to mind, Let me focus on the group of Journalists, Human Rights people.

A quick clean download of a Qube to do one of several different VPN’s. Or the SALT equal.
A quick clean download of a Qube to for reading and writing. Or SALT equal.
While it is easy to create a Qube of Libreoffice. and put it offline. It also needs features of encryption.
Ability to handle video, remove information from images, date, GPS location embedded in picture. This is the offline Qube for doing work.
Another Qube needs to be for receiving texts, images, video.
.
It really comes down to being able to protect the individual app store developer product from being taken by others, and freely distributed.

It is true I am a needy person. I am not technically qualified to have something in App Store.

I would hope the App Store could be managed to make sure risky kinds of (things/software packages) are not included.

Query. Can Flatpak’s be registered to control distribution. I am guessing, that there is no kind of lock that one of the more technically qualified here could not take out in just a few hours.

1 Like