In practice this does not happen at huge scale with red hat updates or grsec kernel patches.
There are too many updates so you would need someone to publish the sources regularly, and you would also have to trust that person.
1 Like
That also doesnât help company XYZ which âwants to use qubes for their developersâ. They need a consultant / consulting company to explain things to them. Having an app store doesnât solve this problem.
1 Like
"
Trust the developer.
Is it better for a non-technical person to stumble along and try to create Qubes/ with more software, and install on their own?
That is not the right answer. I dunno. If they are in the App Store. there is a rating system?
I know there used to be a fellow who took the list of Red Hat packages, and recompiled them, without Red Hat references/attribution. and released under the name âWhite Hatâ Linux. I am guessing âRed Hatâ considered its clients were buying it for continuing support. As well as constantly checking to keep âRed Hatâ free from malware.
And like tannerlambert just remarked. Users need advice. More information, little things.
Another Option in App Store?
Several people have offered to write a current book on documenting Qubes, Such as Solene who has a proven history of writing documentation that is understandable. But how to pay for several months of devotion to the project. by whoever does it. and then a continuing income from the âBook.â
Then some of Qubes will change with the next big update. How many people would buy that âbookâ? How much would they pay?
Edit: How much to charge for just a chapter in the book?
If I look at the different threads for how to install yyy-VPN, and the number of posts is long. Then the current approach for people starting Qubes is not working so well.
Perhaps the first thing is a meme that says, âReal Computer Security is not easy, requires time and effortâ
1 Like
CEOs / CTOs donât buy books to understand qubes, they hire somebody who understands qubes and then comes to the office / some chat / video chat to explain and help implement things.
The reason I started this thread is because, other than for openbsd and debian, there is no central list of companies / freelancers that provide consutling for qubes to companies / individuals with the money for it. Neither an app store nor a book solve that problem.
I am sure that there is a need for this, as I have done qubes consulting for companies in the past - its not many, but they do exist. Qubes has become reasonably popular and is something developers might google for âafter their company got hackedâ and then recommend it to their CTO. He will then ask well do you guys know about it, and if not, lets find sbd who does and can help us implement it.
A central list would solve that problem, and with access to such consultants being more easy, I also think it would make it more easy to generate additional cash flor for the donate button on the website. Companies might need feature X, Y and Z, which the consultant could refer to the qubes development team.
At the end of the day, making qubes more accessible to companies, which means giving companies a more easy way to obtain support for it, will obviously generate more cash for developing qubes as well. Its a win win win.
2 Likes
I was just emphasing on the case in which there would be a store to download âthingsâ (like source code, salt formulas, whatever), and your worry that it could be freely shared outside the store.
âthat personâ was in reference to the person leaking the content for free.
2 Likes
I am wrong twice in the same hour. tannerlambert, I am glad for people with your expertise are involved. You are correct. If big companies start using Qubes. then hopefully the big company experience will also provide feedback for how to implement Qubes better, and they will donate money for the developers to be - better paid â more of them.
I thought it would be obvious, there would be a section in the App Store, for individuals to sell not just an App, but their expertise, with a -click here for the work I have already accomplished, check my references with corporate clients.
Solene, Can you sell one chapter of documentation at a time on the App Store?
thanks for being around. As you have alluded to before. It takes time, a lot of effort, to write concise clear documentation. At some point, one can not do it for free.
I still agree the developers have the correct position, to provide a secure version of the Qubes OS. If someone feels the need to open themselves up to risks by adding third party software, because the -client individual feels they need it. That is on them. I need to be able to retreat to what the developers have created, as the best attempt of keeping Qubes OS Secure.
1 Like
@catacombs all good 
Your knowledge of Qubes and security in general surely FAR outweighs my own, but what Iâm reasonably good at is sales and talking to the people who make decisions in medium to large companies. Also Iâm a pretty nifty Linux admin
I think there is a misconception in this thread.
I know you guys are all tech geniuses, but the people who run companies and make decisions that bring in the money you need to develop qubes OS are not. After you have more than five employees, you stop being a tech guy and you start being a CEO (read: you manage things instead of coding).
This thread (or my intention with it) is not at all about documentation or an app store or about making qubes more easy to access for the people using it. It is about the CTOs / CEOs that have the cash and think âif we implement qubes, I have to spend less money on ransomware gangsâ or âif we implement qubes, I can tell marketing to tell our customers that we are overlord secure now, and thatâll sell betterâ and so on. The people with the money do not have the time to read documentation, nor the technical knowledge to understand it, nor do they want an app store. They want a company that âcomes and implements qubes and takes care of things(!)â. What they WILL do is follow a button on the main qubes-os.org page that says âbuy consulting hereâ.
In the practical world, first CTOs decide that qubes will be used in the company, maybe due to a recommendation of a developer that says âhey, Iâve used qubes before, it might solve our problemâ, and AFTER a consultant was there to implement qubes, the developers who run qubes MAY read the documentation. Developers as in not security geniuses like all of you guys, but your classical PHP dev with a wife and two kids and a bank-loan for his house and not the highest interest in tech itself - as in the one who âbuild the website example.comâ for the last 10 years, and who likes his job, but isnât passionate about it that much (as in not as much as you guys are about security). If this guy has an issue with qubes he will google it, may or may not find (and understand) the doc, and if not he will call the consultant that implemented qubes in the company.
I think 100% of the people here in this thread use Qubes because they understand what it does, how it works, and why its a good idea to use it from a technical POV, and I assume most of you write code for qubes as well.
That means that you guys are not the target audience. The target audience âbuys securityâ and has the money to finance the development of Qubes OS. Which means we have to get them to choose qubes OS, and for that we have about 30 seconds, which is the time they spend on qubes-os.org before they look for consulting for it.
I honestly think we should meet in the middle here. Yes, we can not realistically know if someone who applies to be listed for consulting has malicious intent. Same goes for the OpenBSD and Debian consultants pages. And that will obviously be apparent to the people who click that page too.
Right now when you google qubes consulting you get more or less questionable results. This will detere CEOs / CTOs, trust me on this one please, I know how they think
There is one result in the top google results for âqubes consultingâ that sells Qubes consulting and in the next sentence wordpress LOL xD This isnt good marketing.
I KNOW there are companies who would love to implement qubes as a security solution, as they already exist and Iâve worked with them in the past. Making it more easy for them to adopt qubes is important imho, and having a clearly visible consulting list would definitely help with that, which would help to raise more money for qubes development (worked for linux will work for us).
2 Likes
@marmarek Iâd like to bump this thread one more time. Whats your opinion?
1 Like
Iâll reiterate my view that this is not a good idea, for reasons stated.
Weâve already seen cases where established members of the community have
made off with clientsâ money. If that introduction came via a list on
the official web site it would reflect badly on Qubes.
Iâd call in @Michael for a view also.
Iâd prefer @adw view with a listing in the Forum, if this is thought to
be a good idea at all.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
4 Likes
Iâm with @unman on this one, we shouldnât have just a list of basically unverified companies endorsed on our website. If going with unverified list, then itâs place is at most on the forum. We may consider a link from the website to the forum, similar to the Community-recommended hardware link.
But maybe we can have some at least basic verification in place? We have Qubes Partners | Qubes OS page, where we list significant donors without much other criteria. If weâd require âbe a Qubes OS partnerâ to be listed on such consultant companies list, this would at least enforce some kind of commitment expressed as monetary investment. There can be also other options for proving commitment, like âbe a certified hardware vendorâ (this would for example cover https://shop.nitrokey.com/shop/consulting-and-support-for-qubes-os-nitrophones-it-security-336), or âhave history of contribution to the projectâ (the last one is hard to quantifyâŚ). This doesnât solve all problems, but maybe would be good enough with appropriate disclaimer?
There is also a business side of this - generally, we donât agree to use our website for free advertisement. A list of companies on the official website surely is an advertisement, regardless how many disclaimers there are, and does generate some profit to those companies. I think itâs fair to require some of this profit being directed to support Qubes OS development itself.
6 Likes
we shouldnât have just a list of basically unverified companies endorsed on our website
What kind of verification do you have in mind? I think there are two ways to verify: checking if the company is a legitimate company, as in checking the tax register (this is a thing in Germany). So it wouldnât work for startups / new companies / freelancers.
Checking the technical knowledge, which you have if you are up to no good.
Link to the forum
I still think that this does not appeal companies. Maybe if the thread is very well managed and you canât post in the thread itself, so the thread is not full of âpls list my companyâ and âi like qubesâ posts. But its still not what will impress a CEO / CTO. It will make qubes look like a hobby project.
When a non technical person looks at qubes-os.org you have 30 seconds to convince him. Then he will look somewhere else and most likely buy more snake oil for windows.
pay to list
reads a bit like pay to win to me - there is one person that may or may not be in this thread that definitely deserves to be in the consulting list, and from what I understand, that person currently does not have the financial ressources for this.
For companies that works however. Iâm not sure what you have in mind there. 500 usd? 1000? 10.000?
Generally I think asking for money to be listed has nothing to do with verification.
There can be also other options for proving commitment, like âbe a certified hardware vendorâ
This requires significant financial ressources. What I think qubes needs is a central register of ânumbers to callâ if you want to talk to a qubes expert. Right now googling that has questionable results. It takes to long and is not clean enough right now for companies that want qubes to find a consultant for qubes. Imho, that should be organized, preferbly at the central website of the OS.
You can be an EXCELLENT consultant and not have a lot of financial ressources.
have history of contribution to the project
This is more something that I think makes more sense - though Iâm sure there are many people who are experts in qubes who donât have a blog or the time to contribute to qubes itself.
free advertisement
A list of companies on the official website surely is an advertisement, regardless how many disclaimers there are, and does generate some profit to those companies.
yes - for qubes as well. As said, right now the way to finding a qubes consultant or consulting company is rocky. In order for more businesses to use qubes, this is a requirement. There needs to be a way to âbuy qubes supportâ, and with the current state I think many companies which look at qubes dont continue.
Companies that use qubes request new features and have the money to pay for them.
I think asking the consultants to pay for the development of qubes is the wrong approach. Consultants should bring in companies that use qubes and request features / pay for qubes.
I think itâs fair to require some of this profit being directed to support Qubes OS development itself.
I think you are targeting the wrong people. One VERY clever person in this thread just canât contribute to qubes financially, but he can DEFINITELY sell qubes support.
If you are not into Qubes, you will not let yourself / your company be listed in this qubes consulting list. If you are into qubes, you will try to get your client to direct money towards qubes, because you want the project to flurish.
The more people and companies use qubes, the more popular qubes becomes, the more cash-flow will be directed towards qubes. @marmarek do you agree with this statement?
Having a list of consulting companies / freelancers for qubes support will grow the project. Ultimately the more people use qubes, there will be more ppl / companies among them which can fund qubes.
Donât see it as marketing JUST for the consulting companies, see building a list of support companies / freelancers it as marketing for qubes as well.
2 Likes
thanks for raising this topic & for the discussion. i think this could be useful for folks & definitely should live in the forum not on the website for the reasons highlighted by others. we could have a separate category, with 1 thread per company/consultant, with a template that they fill out for their first post.
i think this would avoid having too high a bar for folks to be listed, as independent consultants obviously are not in a position to be a certified hardware vendor etc, so the list could be a bit more useful/valuable.
5 Likes
counter proposal: instead of qubes-os.org or forum.qubes-os.org, lets take consultants.qubes-os.org? If you donât want to list it on the main page, such a subdomain would quickly rank #1 on google for âqubes consultingâ and âqubes supportâ and would still offer a good way of styling it (this is very important for selling it - has to look good).
We could use a forum thread to get listed. Consultants / companies could introduce themselves, write about themselves, people could ask questions.
I really donât want to start to sound annoying by being so persistent - Its just that I honestly do know about how to sell and market things. Right now Iâm selling Debian to companies that mostly run PHP and Iâm annoyed by this as its to easy xD I want more paranoid customers because its just more fun, and selling qubes is one of the things Iâd much rather do. I hope you guys forgive my persistence. I really do not mean any disrespect and I do see your opinions and concerns. Iâve been using qubes since about 3.0 and I honestly love it and appreciate your work a LOT.
CEOs / CTOs of SMEs and corporations above 100 employees will not think that a forum thread is professional. Imho even a cleanly managed thread will look unprofessional. It has to be a pretty designed page, with some logos on the left, descriptions on the right and some call to action buttons. Best case company logo + face of the consultant from whom they are buying.
This will obviously have a higher conversion rate, which means more financially strong institutions will use qubes, which means there will obviously be more money for qubes development in the mid- to long run.
By the way, people selling and concentrating on wanting to sell qubes has other positive side-effects for qubes, here is one: Sichere Arbeitsumgebungen fĂźr Juristen: Qubes-OS (thats me trying to sell qubes to lawyers by buying an article in a magazine for lawyers). Next article is currently being published and should be online in a few days, will be published on a popular tech site in Germany with ~10.000 readers (according to ahrefs and the newspaper itself). I have three articles in planning as well rn.
Quote from https://www.qubes-os.org/donate/:
Help us spread the word
If you are a Qubes OS user or support our cause, help us expand our community by introducing Qubes to your circle, including:
Privacy advocates
IT companies
Individuals who value and appreciate privacy in general
Cryptocurrency companies
Sysadmins and other professionals who work with security
Please help us (Linux consulting companies and fellow reasonably paranoid consultants) to spread the word, which will enable us and our clients to further help you.
2 Likes
I appreciate your passion for this, and I think youâre making some very compelling arguments, @tannerlambert. It seems the main problem is how to weed out bad actors, who might get listed on the Qubes website and proceed to tarnish the projectâs reputation, without setting the bar so high that it also keeps out most of the good actors who would create value for the ecosystem. If you can somehow figure out a solution to this problem, I think youâd be able to overcome most of the resistance to the idea.
2 Likes
@adw highly appreciated!
how to weed out bad actors
To be perfectly honest with you, my best answer is ânotâ. We can not design a consulting page that is as secure as you guys designed qubes Let me get into details on this one with examples, while also comparing to how Debian and OpenBSD do it, and, from what i can conclude, why they do it like that (with OpenBSD Iâm sure they had the same discussion at some point as we do right now).
As you didnât define bad actors, I assume you mean:
a) people hunting for backlinks: these will be obvious as their sites will not have any relation to qubes
b) 3v1l h4x0rs hunting for high quality victims: depending on how much time they put into it, there is no way to weed out those. They might as well join your team and commit good code to qubes for years and then try something evil. They can design websites, write blogposts, become active forum members, make donations to qubes, use social engineering to become buddies with developers of qubes. The xz story in SSH recently is a good example of âthere is no stopping those peopleâ - and I honestly think that is ok - not that I like what happened there, but this is simply the world we live in. As has been realistically proven - there is no ultimate security.
But it is not the task of the consultants list page to mitigate such security issues! Every CEO / CTO with a sane mindset will realize that qubes linking to external companies does not make qubes liable for the actions of the linked sites, nor would they blame qubes-os.org for doing so. Debian and OpenBSD also state something like that on their sites. And to be frank - it just is totally obvious too. Of course Debian and OpenBSD dont have 3 hour phone calls with each applicant. And even if they did, it wouldnt help against ANY determined attacker.
I checked how debian and openbsd handle applications. Quote from https://www.openbsd.org/support.html:
âIf you want your website to be listed, make sure it can actually be viewed on OpenBSD, and does not require any proprietary software. [âŚ] Note that we may at any time, and without notification, remove your entry if it is found to be inaccurate, if your website is broken, or if there is no mention of OpenBSD on it.â
Debians policies for getting listed are here: Debian -- Information for Debian Consultants, quote:
âthat website must have a mention of your Debian consulting servicesâ
Equally low level as OpenBSD.
Lets say Iâm a CTO of some health data company and run OpenBSD and call and ask some questions, itâll quickly be obvious if that company knows about OpenBSD.
If they donât, maybe iâll leave a bad google review. If they totally suck, maybe Iâll write a mail to the openbsd list and compalin about them. I can also write such an email without having any interaction with the company just to mess with them and if I have 5 usd I can pay someone in bangladesh to write 20 google reviews (for >25 per review I can get realistic ones from actual companies).
I think realistically we can weed out people who are not at all related to qubes and do not provide consulting for qubes (those that just want the backlink). When you look at IT companies websites, it quickly becomes obvious if they have any relation to qubes. Anything above that isnât realistic.
I think weeding out bad actors is simply not your job when providing such a page, much as fiverr / upwork isnât liable if I hire somebody there who then attacks my company, the same way debian and openbsd isnt. Everybody who uses those lists knows that too. Everybody who googles for âlinux consultingâ knows that too. Its common sense.
You provide that page so people can easily find consulting for qubes. Such a page will have that effect. Companies do visit qubes-os.org and then want to find consultants. Having such a page will massively reduce the time to find consulting, which in turn will cause more companies to use qubes, which in return will cause more companies to direct cash towards qubes development. It will also make qubes âlook largerâ and more professional imho. Companies / CEOs / CTOs want ways to âbuy somethingâ. That isnât the case with qubes atm. I cant go to qubes-os.org, click consulting, pick one from the list and get started. Thats not good for the conversion rate.
The goal here is to make qubes more popular by having more companies adopt it. A consultants list page does acchieve that goal.
If you want to meet in the middle, people can introduce themselves in the forum. But then again, as said above, this doesnt provide additional security. Having the list in the forum provides no additional security and will just show a lower conversion rate.
This whole thing isnât about security - I totally get that this is the way you are accustomed to thinking. This is about marketing for qubes, which by reading the donate page I know is something you guys want. While talking about security, we forget about a) qubes and b) the 99% legitimate freelancers and consulting companies.
By helping legitimate companies / consultants / freelancers, some of which are active in this thread, to get a better conversion rate and, using that, generating more cash flow for qubes by connecting people who love qubes with financially strong companies that can support the development of qubes.
This is what the consultants page is supposed to do. Not be a list of âtrustworthy peopleâ. Whos trustworthy? Are you SURE @adw that you are trustworthy? If someone kidnaps your family and forces you to do bad things, will you?
By doing nothing the risk to companies who want to use qubes is exactly the same (CTOs google âqubes consultingâ, which btw is SUPER easy to rank for atm, its maybe a 5k investment in regard to paying a webdesigner and buying backlinks) and the conversion rate of companies using qubes in the end is lower. Imho that is the only difference that is acchieved by not having such a page.
I think the benefits of such a page far outweight the risks, as the risks exist one way or another. If we do nothing, there is no change to the risks. And no, I do not think anyone ever thought âits fiverrs / upworks / debians / openbsdâs fault that I got hacked because they didnât run a 50 hour background check on this personâ. At least nobody in their right mind.
2 Likes
I think the qubes development, or modern coding styles with scm in general can eleminate (much of) the risk factors by having at least two, or ideally more, people checking the code.
If I create a PR for qubes software, somebody else will check and read that. When you code a lot you get used to that kind of thinking in general. Iâm not saying Iâm not a bit more security focused than the average joe either and do not completely see your points - i do understand your points of course, but I do not see them applying in this case, as this isnt software.
But I do see much more benefits and as said, I do not see how the risk changes at the end, nor do I realisitically see anyone in their right mind blaming qubes itself.
With marketing, which is something qubes clearly is interested in (if you dont like the word marketing rephrase it to âacquiring more fundingâ) it just doesnât work like that. That doesnât make acquiring more funding something bad or evil in general. Its just by design has risks that in coding our favorite OS can be (almost) eliminated, and in this case can not.
Many things in life entail known risks and that doesnt mean you shouldnt do it. Having kids is a huge financial risk. Driving a car has huge risks that can not be properly eliminated - you can drive carefully, and you can choose your consultant carefully, and you can still be involved in a car crash because someone is being an idiot and drives drunk.
Driving still has huge benefits that do outweight those risks, and so does acquiring more funding
1 Like
we get spam SEO emails every week from people asking if they can get linked to from the Qubes OS website, write guest posts, etc. given the security focus of this project, we want to be a bit careful with what we link to from the main website, what could be misunderstood as promoting, etc.
so why not start with something (in the forum, as suggested above), and we iterate from there? maybe after a bit we decide it seems fine and we move it to the website or a subdomain, maybe not. it is similar with this forum â it was originally a separate domain, after a year we decided we were comfortable with it being a subdomain of the main site.
iâll discuss with the others & try to make a template etc like proposed above.
6 Likes
@michael sounds very fair, I appreciate you guys.
I get the spam / SEO / backlink issue. I have the same problem with my site Two days ago I started automatically filtering @gmail.com to the spam directory xD
3 Likes
Sounds good enough to start 
2 Likes
Hi,
Have been searching for this missing page!
I am very interested in Qubes OS for our small company, but would want to make sure we have a vendor who could help us do a pilot, and help understand whether this would be practical for a group of 20 people with mixed technical abilities. And finally provide some sort of ongoing second line support.
Contact me if this is something you as a company can provide. (alex@bedatadriven.com)
Thanks,
Alex
3 Likes