Note: I put this back. Yes, I use words like trusted, etc. While that may have never been the intent to be a WoT it pretty much is.
You’re using too broad of strokes here. The claim is clear: misuse of the Master Key to sign modules. This is something that has existed for years. Also the fact that all contributed modules must be AGPL and not generate commercial revenue, as contributed modules could be merged into FreePBX as a whole.
Anyone can make and use a module for FreePBX. It will generate an unsigned warning from FreePBX, warning you that the module isn’t verified by Sangoma/FreePBX. Signing a module with Sangoma means there is a verification process, and FreePBX will see this as a trusted module in its system.
How did people know they got compromised by the last XSS exploits because they didn’t install the fix? The module signing told them their modules had been modified and sure enough they found the system compromised.
So if people are using things to make their modules look like they are signed and verified by FreePBX/Sangoma when they are not, that could lead people to install malicious code from bad actors and think they are fine because FreePBX says the module passes.
No one is stopping anyone from contributing or making modules. But with a project like this you have to control it and have some verification process so randos aren’t committing modules that can do harm to the users.