Note: I put this back. Yes, I use words like trusted, etc. While that may never have been intended to be a WoT, it pretty much is.
You’re using too broad of strokes here. The claim is clear: misuse of the Master Key to sign modules. This is something that has existed for years. Also, the fact that all contributed modules must be AGPL and not generate commercial revenue, as contributed modules could be merged into FreePBX as a whole.
Anyone can make and use a module for FreePBX. It will generate an unsigned warning from FreePBX, warning you that the module isn’t verified by Sangoma/FreePBX. Signing a module with Sangoma means there is a verification process, and FreePBX will see this as a trusted module by its system.
How did people know they got compromised by the last XSS exploits because they didn’t install the fix? The module signing told them their modules had been modified and sure enough they found the system compromised.
So if people are using things to make their modules look like they are signed and verified by FreePBX/Sangoma and they are not, that could lead people to install malicious code by bad actors and think they are fine because FreePBX says the module passes.
No one is stopping anyone from contributing or making modules. But with a project like this you have to control and have some verification process so randos aren’t committing modules that can do harm to the users.
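The posts above describe a two-level trust chain (a master key certifies a vendor's signing key, and the vendor's key signs a manifest of file hashes) and note that it was the hash check that told people their modules had been modified. The following is an added example, written for this thread and not code from FreePBX, Sangoma, Clearly IP or any poster; it is a simplified, constructed model using Ed25519 and SHA-256, not FreePBX's actual module.sig format, and the file names, vendor names and status labels are assumptions. It shows the five outcomes a verifier has to distinguish: no manifest at all, a signer the master key never certified (a self-signed vendor key), a signer whose certification has been revoked, a manifest or file that no longer matches its signature, and a clean module.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed model of a signing chain: master key -> vendor key -> manifest.
// Not FreePBX's real module.sig format; names and fields are assumptions.
type VendorCert struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte // master key's signature over certBytes(Name, Pub)
}

type Manifest struct {
	Module string
	Hashes map[string]string // relative path -> sha256 hex
	Signer string            // vendor name the verifier looks up
	Sig    []byte            // vendor key's signature over canonical()
}

type Status string

const (
	Unsigned  Status = "unsigned"         // no manifest shipped at all
	Untrusted Status = "untrusted-signer" // vendor key not certified by master
	Revoked   Status = "revoked"          // master's certification withdrawn
	Tampered  Status = "tampered"         // signature or file hashes do not match
	Verified  Status = "verified"
)

// canonical renders the manifest deterministically so signatures are stable.
func canonical(module string, hashes map[string]string) []byte {
	paths := make([]string, 0, len(hashes))
	for p := range hashes {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	b.WriteString("module=" + module + "\n")
	for _, p := range paths {
		b.WriteString(p + "=" + hashes[p] + "\n")
	}
	return []byte(b.String())
}

func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("vendor="+name+"\n"), pub...)
}

func hashFiles(files map[string][]byte) map[string]string {
	out := map[string]string{}
	for p, data := range files {
		sum := sha256.Sum256(data)
		out[p] = hex.EncodeToString(sum[:])
	}
	return out
}

// VerifyModule walks the chain and returns the status plus any offending paths.
func VerifyModule(master ed25519.PublicKey, certs map[string]VendorCert, revoked map[string]bool,
	m *Manifest, files map[string][]byte) (Status, []string) {
	if m == nil {
		return Unsigned, nil
	}
	cert, ok := certs[m.Signer]
	if !ok || !ed25519.Verify(master, certBytes(cert.Name, cert.Pub), cert.Sig) {
		return Untrusted, nil // key exists but the master never vouched for it
	}
	if revoked[m.Signer] {
		return Revoked, nil // certification was valid once, then withdrawn
	}
	if !ed25519.Verify(cert.Pub, canonical(m.Module, m.Hashes), m.Sig) {
		return Tampered, []string{"manifest"}
	}
	actual := hashFiles(files)
	var bad []string
	for p, want := range m.Hashes {
		if actual[p] != want {
			bad = append(bad, p)
		}
	}
	for p := range actual {
		if _, listed := m.Hashes[p]; !listed {
			bad = append(bad, p+" (not in manifest)")
		}
	}
	sort.Strings(bad)
	if len(bad) > 0 {
		return Tampered, bad
	}
	return Verified, nil
}

// Demo builds fresh keys and a constructed module, then exercises each outcome.
func Demo() map[string]Status {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	certs := map[string]VendorCert{
		"vendor-a": {Name: "vendor-a", Pub: vendorPub, Sig: ed25519.Sign(masterPriv, certBytes("vendor-a", vendorPub))},
		// "rogue" certifies its own key; the master key never signed this cert.
		"rogue": {Name: "rogue", Pub: roguePub, Sig: ed25519.Sign(roguePriv, certBytes("rogue", roguePub))},
	}
	files := map[string][]byte{ // constructed sample module contents
		"module.xml":        []byte("<module><rawname>example</rawname></module>"),
		"functions.inc.php": []byte("<?php function example_hook() { return true; }"),
	}
	sign := func(signer string, priv ed25519.PrivateKey) *Manifest {
		h := hashFiles(files)
		return &Manifest{Module: "example", Hashes: h, Signer: signer, Sig: ed25519.Sign(priv, canonical("example", h))}
	}
	good, rogue := sign("vendor-a", vendorPriv), sign("rogue", roguePriv)
	modified := map[string][]byte{}
	for k, v := range files {
		modified[k] = v
	}
	modified["functions.inc.php"] = append(append([]byte(nil), files["functions.inc.php"]...), []byte(" /* edited */")...)

	res := map[string]Status{}
	res["clean"], _ = VerifyModule(masterPub, certs, nil, good, files)
	res["unsigned"], _ = VerifyModule(masterPub, certs, nil, nil, files)
	res["self-certified"], _ = VerifyModule(masterPub, certs, nil, rogue, files)
	res["revoked"], _ = VerifyModule(masterPub, certs, map[string]bool{"vendor-a": true}, good, files)
	res["modified"], _ = VerifyModule(masterPub, certs, nil, good, modified)
	return res
}

func main() {
	for name, st := range Demo() {
		fmt.Printf("%-15s %s\n", name, st)
	}
}
```

The ordering of checks is the point: the signer's certification is verified against the master key before the file hashes are even computed, so a vendor key that merely claims a name, or one whose certification has been revoked, never reaches the "hashes match" stage. Adding a path to the manifest is what makes an unexpected extra file (a dropped-in PHP file, say) show up as tampered rather than silently passing.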
But has that always been in the key signing agreement, or was it modified since then to include that? What Ward says in https://nerdvittles.com/?p=31577 makes me believe that it was modified more recently, in order to make a clear case for revoking Clearly IP’s key.
(editing my question after re-reading posts) So if I’m reading all this right, Sangoma’s claiming it’s their key and @xrobau says it’s also his key. I don’t see how that can work if the 2 parties aren’t working together. How can Sangoma guarantee the integrity of the modules signed by the key if the other owner is signing modules with it that they can’t test/verify (and vice versa)?
That whole module signature checking that Rob wrote a few years ago while still working for Sangoma and which was all about “integrity and security” at the time came back to bite him.
Third-party contribution to FreePBX slowed down a lot after this, and people didn’t like it at all, especially Ward Mundy from PIAF, who wrote plenty of nasty articles about Sangoma and the whole former Schmooze team, and the relationship between them turned quite hostile.
Now they seem to be best friends again and even sponsor him.
So answering my own question here: The change to the key signing agreement dated 21 Jan, 2020 by Michelle Fleming was to add this section:
You have developed and/or are utilizing a module with FreePBX for which you are directly or indirectly generating revenue or commercial advantage and you have not entered into a commercial agreement with Sangoma that protects its commercial interests and its intellectual property
That is adding to the list of reasons to revoke the key. Okay, so clearly playing dirty to make a late change like that. But if the issue is over signing commercial modules, then the section above seems to indicate that this is undefined territory?
Signing your own commercial module will not be supported at the moment, because as soon as there’s a financial agreement in place, a pile of other new and interesting laws apply. We’ll cross that bridge when we come to it, but it’s going to be annoyingly difficult.
That line is exactly the same all the way back to Rob’s original version dated 31 Oct, 2014.
Ultimately, this comes down to whether Sangoma or Rob has the original rights to the key signing system. As Rob points out in his detailed post, the key signing system was set up by him in his role as a community contributor, not a paid developer, and he contributed it to the open source project, not a company. Clearly, Schmooze and then Sangoma took over the daily responsibility of operating and maintaining the signing system, as it’s a necessary part of the FreePBX distro, but unless there was a legal agreement in place concerning the transfer of rights for the key system itself, including his master key, doesn’t Rob retain the ability to grant ClearlyIP the ability to sign their own modules? It’s clear that there is a misunderstanding here between the two companies as to the ownership and rights of this – and hopefully they will talk about it and come to some sort of agreement that doesn’t include threatening to revoke keys and breaking customers’ systems.
Update to FreePBX Community “Advanced Notice” Posting from Friday Feb 7
Subsequent to our post on Friday, February 7, 2020, we have heard the requests from community members who need more time before Sangoma takes any action regarding Clearly IP modules. Since Sangoma’s goal is to minimize any impact on the community, we will NOT revoke our signature on Clearly IP Module signing key before Monday, February 17, 2020.
Isn’t FreePBX supposed to be Free and Open Source?
Sangoma’s position is that FreePBX will always be Free and Open Source: this will NEVER change. The issue has nothing to do with open source, instead it has to do with the violation of the clearly defined rules that pertain to commercial (non-open source) modules and the key signing agreement that is posted here:
Clearly IP did not request their key to be signed by Sangoma, nor did they sign a key signing agreement like everyone else. Instead they signed their own Clearly IP key using the FreePBX Master Key and chose to release “non GPL, non open-source, commercial” modules into the FreePBX open source platform.
FreePBX Master Key Ownership
When Sangoma acquired the assets of Schmooze in January 2015, including the FreePBX Project, we relied upon commitments made by the former shareholders of Schmooze regarding the ownership of the FreePBX Project and the assignment of intellectual property rights held by individual contributors (including Robert Thomas).
Sangoma will not be debating ownership of the FreePBX Master Signing Key in these Forums. The intent of our post was to inform our community members ahead of any actions by Sangoma.
This came up in my Google feed because obviously I use freepbx and asterisk, and have been for 10 years now. This is ridiculous for an open source project. Sangoma, get your act together or get ready for a mass exodus. You aren’t the only game in town anymore.
I’ll also add that if anyone outside of my organization changes anything on my phone system intentionally, there will inevitably be legal action coming your way. My organization was purchased by a $10B/yr Enterprise with enough lawyers it would make your head spin. The main entity I support provides services for patients and doctors, where mortality is a VERY real thing. I’d strongly caution against the proposed course of action mentioned in this thread.
The Clearly IP module in question has been out for what, 2-3 weeks? Have you really already rolled it into wide scale production to the point where you would be crippled? That’s surprising for such a large “Enterprise” organization…
Probably none on your system.
It’s only if you have very recently installed the IncrediblePBX distribution that you would have Clearly IP modules. I think they’ve got a commercial 911 module that they sell, and you would have noticed if you had bought that.
Yeah, that is kind of interesting considering that 1) The MLTS itself must have this ability out of the box come 6 days from now. 2) Using the upstream provider to solve these gaps is not going to cut it. See #1. Why? Because the next month you could have a different provider for whatever reasons, they don’t have this and now your MLTS is out of compliance.
So right now it sounds like IncrediblePBX’s only solution to this is a commercial module you have to buy, and you must use Clearly IP’s trunking for it to work. Unless I’ve missed something, but I haven’t seen any other solutions announced from them outside of this.
During this period of rapid evolution of the FreePBX forks, I think these are some good questions for users to take away from all of this, including:
Who are we getting our FreePBX flavor from?
Will FreePBX modules from Vendor A work with modules from Vendor B?
Are there non-module alternatives for critical functionality, using native Asterisk configurations, that won’t break (as much) if/when we do change vendors and their associated SIP trunking services in the future?
Do you mean the developers that are forking FreePBX or the use of those forks? Developers are forking FreePBX and then adding/removing what they want. So right now every fork is based off FreePBX itself. As far as I know there isn’t an existing fork of another existing fork.
Do you mean if I create a FreePBX module then does it work with Fork A and Fork B? The answer is, in theory it should because I created a FreePBX module and those forks still use them. Now that isn’t to say Fork A or Fork B did something and my module would need extra things in it to work fully on their platform.
Of course, this has never changed with the project. You are free to modify it as you see fit as long as you follow the rules of the software.
What I said wasn’t a “threat”, it’s facts. The “threat” is from Sangoma here implying they have the right to remotely access my PBX without my authorization and disable or enable functionality as they see fit.
Might want to check out the lawsuits against Microsoft and other software companies. And if you can make a case for damages to business or public safety (for example e911) it can get VERY ugly. Add to that what would have been an initial 2 day notice…not a good look at all.
I’m going to have to start planning my exit from FreePBX, sadly. The way this was handled and the disregard of impact to customers leaves a sour taste in my mouth for what might happen later this year, or the next year, etc. The changes to commercial modules years ago were bad enough. Now they’ve basically threatened users with the ability to disable my PBX whenever they so choose.