Here’s the gdoc as authoritative source, just in case something is edited here: https://docs.google.com/document/d/1CLyy1d2FZ6HTvOtTZPi5tKJ0l27kFlHaiBySWDkXAeo/edit?usp=sharing
OK, so here I am responding as me - xrobau, Rob, the guy who CREATED FreePBX, and also the guy that created all of the GPG stuff, not as a representative of Clearly IP. Here’s the quick summary - I’m totally blindsided by this post, and it seems that there’s a lot of wild accusations being thrown around, lawyers are getting involved, and a bunch of crap is happening, all because Sangoma is pissed at me.
Because everything that I’ve done is legal and above board, they’re trying to get revenge at me by threatening legal action and attacking Clearly IP (who I work for now) and, I guess, are trying to put Clearly out of business - maybe it’s affecting Sangoma’s own business and revenue? But that’s just me guessing, of course, because I have no idea why a massive company like Sangoma is rattling its sabers and making all this noise, trying to beat up on a tiny company like Clearly, along with the guy that created FreePBX, when they don’t have a leg to stand on.
Let’s start with some background. When I left Sangoma, I didn’t make a big deal about WHY I was leaving, but if you read between the lines of my “I’m leaving” post, a lot of people guessed that I was pissed - and I was. I had been lied to, tricked, sent to the other side of the planet to avoid an important meeting, and I was done. So I gave my 2 weeks’ notice, confirmed with them that I didn’t have an NDA or non-compete, and left with my head held high and feeling good about things, with only a slightly passive-aggressive leaving note, and not slagging out Sangoma, even though I was FURIOUS with them at the time.
Unfortunately for Sangoma, I was the start of the exodus. As everyone has noticed, almost all of the old FreePBX team also left over the next 6 months. However, Sangoma had learned from losing me, and the remaining people were forced to have NDAs, Clauses that insist on Non-Forking of any open source Sangoma products and unenforceable Non-Competes. But I didn’t, and I would never sign anything that would limit me, because FreePBX is my baby, and always has been. I created it! I would never agree to anything that limited my ability to use, develop, or hack on it.
So that’s where we are now. I’m the guy that created FreePBX. Under the terms of the GPL and AGPL, I can do anything with it and Sangoma can’t stop me. I also still own the copyright on a bunch of things, INCLUDING THE ENTIRETY OF THE GPG SUBSYSTEM AND THE “FreePBX Master Signing Key”.
Here is the link from 2014 that clearly shows I have personal copyright along with Schmooze Com Inc.
Here is the original FreePBX Master Public Key that anyone can import - https://pastebin.com/22cDUg3y
Using that key, ANYONE can import and validate that key by running the commands in https://pastebin.com/wtSdQgMS. That ends up giving you this result:
```
root@plex:~# gpg --list-sigs 9F9169F4B33B4659
pub rsa4096 2014-04-30 [SC]
uid [ unknown] FreePBX Module Signing (This is the master key to sign FreePBX Modules) <firstname.lastname@example.org>
sig 51F5B68D25155DCB 2014-05-01 Rob Thomas (Personal Email) <email@example.com>
sig 3 9F9169F4B33B4659 2014-04-30 FreePBX Module Signing (This is the master key to sign FreePBX Modules) <firstname.lastname@example.org>
sig 3 9F9169F4B33B4659 2016-05-04 FreePBX Module Signing (This is the master key to sign FreePBX Modules) <email@example.com>
sig 3 9F9169F4B33B4659 2017-06-07 FreePBX Module Signing (This is the master key to sign FreePBX Modules) <firstname.lastname@example.org>
sig DB16FED947DF73B1 2018-09-12 [User ID not found]
sub rsa4096 2014-04-30 [E]
sig 9F9169F4B33B4659 2017-06-07 FreePBX Module Signing (This is the master key to sign FreePBX Modules) <email@example.com>
```
To explain this simply, this says that the key was generated on 2014-04-30, and signed by me on 2014-05-01. That key was then used in the GPG module on 2014-05-09.
My copyright and ownership on that key was never assigned to Sangoma. They have been allowed to use it, because it was ALSO Copyright to Schmooze, and Sangoma bought Schmooze, but my copyright and ownership of it was never sold or transferred. Sangoma and myself are the only two entities that have copyright on that key, and are the only entities that are allowed to grant permission to other entities to use it.
Now let’s go through a timeline of what’s been happening.
- September 2018 - I make it public that I’m leaving.
- May 2019 - I join Clearly IP, and out of habit generate a GPG key for Clearly IP shortly after that.
- September 2019 - I sign the Clearly IP key with the FreePBX Master key (that I own)
- January 22nd 2020 - Sangoma edits the ‘Key Revocation’ section of the FreePBX Wiki, to add the ability to revoke keys if someone else is making money from a FreePBX module (slightly paraphrased)
- February 3rd 2020 - Sangoma’s Law Firm sends Clearly IP an email saying that we shouldn’t have the master key and that we stole it. Clearly engages with outside legal counsel to work up a response and get all the facts in our response.
- February 6th 2020 - Clearly IP receives a certified letter by US Mail and another copy by Fed Ex both mailed on the 3rd from them.
- February 7th 2020 3:30pm - Clearly IP responds to Sangoma’s letter by email
- February 7th 2020 6:00pm - Sangoma ignores our reply, and posts this with more threats to shut down our business, whilst making bogus claims.
And that’s where we are now. Sangoma is waving lawyers around, trying to get Clearly IP to pay up for some sort of extortion, which - as far as I know - they haven’t even told us what they want, and it looks like they’re doing this because they’re pissed at ME. Unfortunately for Clearly IP, because they don’t have a leg to stand on they are going to break Clearly IP and Sangoma systems as some sort of crazy vengeance.
Now, let’s just go through a few points in that announcement.
- “Our Master Signing Key is a trade secret”
No. A trade secret is only a secret if it’s secret. Sangoma knows I have the key, and also explicitly knows OTHER people outside of Sangoma have the key. This is not a trade secret, nor are they the exclusive owner of this key. (“Trade Secret” has a specific legal definition)
- [It] “helps the FreePBX community know signed modules come from trusted sources”
No. It does not. It’s never done that. It’s documented everywhere that signed modules are purely for integrity validation. If you look at the title of the page that Sangoma edited, it’s called “Module Signing (Integrity Validation)”. It’s also stated in NUMEROUS places that it’s only for integrity checking:
- “Their actions caused the Cleary(sic) IP modules to be seen by FreePBX as trusted or verified by Sangoma”
How could someone think that? If they had read any wiki page or community post about module signing, they’d know it was purely about integrity validation, and not about certification or trust. But if they hadn’t read any posts about it, they wouldn’t even know that signatures existed, not to mention know how to find out who signed what key.
- “Signed modules from other third party companies with the Clearly IP master key, thus extending this trust to third parties – which is something not allowed under the FreePBX key signing agreement.”
That didn’t happen, as far as I know. I may be wrong, of course! But, the Sangoma Key signing agreement isn’t relevant ANYWAY, as I was the one that signed the Clearly IP key.
- (CIP signed their own module) … “which was signed with an unauthorized copy of Sangoma’s FreePBX “Master Signing Key”, without Sangoma’s permission and without signing a key signing agreement”
We’ve just been through this. Sangoma knows I’m a copyright owner of the key. Sangoma knows that I have the key. Sangoma knows that other people have the key. This was in the email they received earlier today. So it’s not unauthorized as I am a Copyright Holder of the key.
The only relevant bit here is “without Sangoma’s permission”, and that’s actually correct! But who in their right mind would think that I need to ask Sangoma’s permission to use my own key to sign my OTHER key, purely to attest that I verify that I am me? Not even a crooked lawyer could try to convince people that.
And all of that gets to this one important fragment at the bottom of the post: “We hope that Clearly IP will reach out to us and restart the conversation with the goal of reaching a mutually beneficial arrangement” - it’s all about the money, isn’t it? Disregarding the fact that they’re springing this on us without any warning at all (well, ok, 48 hours), and then ignoring our responses, to try to pressure Clearly IP into giving in to something that they haven’t even told us about.
I wrote FreePBX and gave it away. I wrote the GPG subsystem, gave it away too, and made a big deal about it not being about money. I foresaw this coming, and insisted that every document and every publication about signing a key is purely about integrity validation, and is never about certification or validation. But yet, that’s what Sangoma is trying to say, that the integrity validation is some sort of blessing-from-on-high, despite everything that their own documentation says, and everything that I wrote as part of creating it.
So now you know. This is one of the reasons I left Sangoma. They lie whenever they want, and change the rules to suit them. But this time I’m not going to sit here and take it. When I was doing some research into this post, I discovered that my copyright on the GPG code was unlawfully removed. If Sangoma wants to get lawyers involved, then it’s super easy to prove that my Copyright was removed without permission, which is actually theft and violation of my Intellectual Property!
Your move, Sangoma.
Edit 2: Fixed whose law firm sent an email to whom.