Re: [qubes-users] Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-01 Thread Franz
On Wed, Nov 30, 2016 at 8:56 PM, Andrew David Wong  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Dear Qubes Community,
>
> Since the initial launch [01] of Qubes OS back in April 2010, work on Qubes
> has been funded in several different ways.  Originally a pet project, it
> was
> first supported by Invisible Things Lab [02] (ITL) out of the money we
> earned
> on various R and consulting contracts. Later, we decided that we should
> try to
> commercialize it. Our idea, back then, was to commercialize Windows AppVM
> support.  Unlike the rest of Qubes OS, which is licensed under GPLv2, we
> thought
> we would offer Windows AppVM support under a proprietary license. Even
> though we
> made a lot of progress on both the business and technical sides of this
> endeavor, it ultimately failed.
>
> Luckily, we got a helping hand from the Open Technology Fund [03] (OTF),
> which
> has supported [04] the project for the past two years. While not a large
> sum of money in itself, it did help us a lot, especially with all the work
> necessary to improve Qubes' user interface, documentation, and outreach to
> new
> communities.  Indeed, the (estimated) Qubes user base has grown [05]
> significantly over that period. Thank you, OTF!
>
> But Qubes is more than just a nice UI: it's an entirely new, complex
> system --
> a system that aims to change the game of endpoint security. Consequently,
> it
> requires expertise covering a wide spectrum of topics: from understanding
> low-level aspects of hardware and firmware (and how they translate to the
> security of a desktop system), to UI design, documentation writing, and
> community outreach. Even if we consider only the "security research"
> aspect of
> Qubes, this area alone easily scales beyond the capabilities of a single
> human
> being.
>
> In order to continue to deliver on its promise of strong desktop security,
> Qubes
> must retain and expand its core team, and this requires substantial
> funding. At
> this point, we believe the only realistic way to achieve this is through
> commercialization, supplemented by community funding.
>
>
> Commercialization
> =
>
> We're taking a different approach to commercialization this time.
> Building on
> the success of the recent Qubes 3.2 release, which has been praised by
> users for
> its stability and overall usability, we will begin offering commercial
> editions
> (licenses) of Qubes OS to corporate customers. We believe that the
> maturity of
> Qubes, combined with its powerful new management stack [06], makes it ripe
> for adoption by any corporation with significant security needs.
>
> Commercial editions of Qubes OS will be customized to meet special
> corporate
> requirements. For example, two features that might be particularly
> attractive to
> corporate customers are (1) "locking down" dom0 in order to separate the
> user
> and administrator roles and (2) integrating our local management stack
> with a
> corporation's remote management infrastructure. These are both examples of
> features that our developers are capable of implementing now, on Qubes 3.2.
>
> We plan to partner with one to three corporate clients in order to run a
> pilot
> program throughout the first half of 2017.  After it has been successfully
> completed, we'll then widen our offer to more corporate customers and,
> ultimately, to small business customers. Our main constraint is the
> scalability
> required to cover each additional client. Hence, we plan to focus on larger
> customers first.
>
> Let there be no misunderstanding: Qubes OS will always remain open source.
> We
> anticipate that the majority of our commercialization efforts will involve
> the
> creation of custom Salt configurations, and perhaps writing a few
> additional
> apps and integration code. In the event that any corporate features require
> reworking the core Qubes code, that new code will remain open source.
>
> We considered many other ways of attempting to commercialize Qubes before
> arriving at this model. One possibility that some of our users have
> inquired
> about is that we sell dedicated Qubes hardware (i.e. laptops). However,
> there
> are a number of challenges here, both in terms of making the hardware
> trustworthy enough to merit our "seal of approval", and from a business and
> logistics perspective. For these reasons, we don't plan to pursue this
> option in
> the immediate future.
>
>
> Community funding
> =
>
> Unfortunately, the financial necessity of shifting our priorities to
> commercial
> clients will mean that we have less time to work on features that benefit
> the
> wider, security-minded open source community, which has been our focus for
> the
> past seven years.  This deeply saddens us. (We all use Qubes on our
> personal
> computers too!) However, the reality is that ITL can't afford to sustain
> the
> open source development of Qubes for much longer. We're running out 

[qubes-users] Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-11-30 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

Since the initial launch [01] of Qubes OS back in April 2010, work on Qubes
has been funded in several different ways.  Originally a pet project, it was
first supported by Invisible Things Lab [02] (ITL) out of the money we earned
on various R and consulting contracts. Later, we decided that we should try to
commercialize it. Our idea, back then, was to commercialize Windows AppVM
support.  Unlike the rest of Qubes OS, which is licensed under GPLv2, we thought
we would offer Windows AppVM support under a proprietary license. Even though we
made a lot of progress on both the business and technical sides of this
endeavor, it ultimately failed.

Luckily, we got a helping hand from the Open Technology Fund [03] (OTF), which
has supported [04] the project for the past two years. While not a large
sum of money in itself, it did help us a lot, especially with all the work
necessary to improve Qubes' user interface, documentation, and outreach to new
communities.  Indeed, the (estimated) Qubes user base has grown [05]
significantly over that period. Thank you, OTF!

But Qubes is more than just a nice UI: it's an entirely new, complex system --
a system that aims to change the game of endpoint security. Consequently, it
requires expertise covering a wide spectrum of topics: from understanding
low-level aspects of hardware and firmware (and how they translate to the
security of a desktop system), to UI design, documentation writing, and
community outreach. Even if we consider only the "security research" aspect of
Qubes, this area alone easily scales beyond the capabilities of a single human
being.

In order to continue to deliver on its promise of strong desktop security, Qubes
must retain and expand its core team, and this requires substantial funding. At
this point, we believe the only realistic way to achieve this is through
commercialization, supplemented by community funding.


Commercialization
=

We're taking a different approach to commercialization this time.  Building on
the success of the recent Qubes 3.2 release, which has been praised by users for
its stability and overall usability, we will begin offering commercial editions
(licenses) of Qubes OS to corporate customers. We believe that the maturity of
Qubes, combined with its powerful new management stack [06], makes it ripe
for adoption by any corporation with significant security needs.

Commercial editions of Qubes OS will be customized to meet special corporate
requirements. For example, two features that might be particularly attractive to
corporate customers are (1) "locking down" dom0 in order to separate the user
and administrator roles and (2) integrating our local management stack with a
corporation's remote management infrastructure. These are both examples of
features that our developers are capable of implementing now, on Qubes 3.2.

We plan to partner with one to three corporate clients in order to run a pilot
program throughout the first half of 2017.  After it has been successfully
completed, we'll then widen our offer to more corporate customers and,
ultimately, to small business customers. Our main constraint is the scalability
required to cover each additional client. Hence, we plan to focus on larger
customers first.

Let there be no misunderstanding: Qubes OS will always remain open source. We
anticipate that the majority of our commercialization efforts will involve the
creation of custom Salt configurations, and perhaps writing a few additional
apps and integration code. In the event that any corporate features require
reworking the core Qubes code, that new code will remain open source.

We considered many other ways of attempting to commercialize Qubes before
arriving at this model. One possibility that some of our users have inquired
about is that we sell dedicated Qubes hardware (i.e. laptops). However, there
are a number of challenges here, both in terms of making the hardware
trustworthy enough to merit our "seal of approval", and from a business and
logistics perspective. For these reasons, we don't plan to pursue this option in
the immediate future.


Community funding
=

Unfortunately, the financial necessity of shifting our priorities to commercial
clients will mean that we have less time to work on features that benefit the
wider, security-minded open source community, which has been our focus for the
past seven years.  This deeply saddens us. (We all use Qubes on our personal
computers too!) However, the reality is that ITL can't afford to sustain the
open source development of Qubes for much longer. We're running out of time.

In an attempt to keep the open source development of Qubes going, we've teamed
up with Open Collective [07], which makes it easier to donate to the Qubes
project.  Now, in addition to our Bitcoin fund [08], we can also accept
donations via credit card. ITL will not benefit from of any of