Advanced notice to the community regarding Clearly IP modules

That whole module signature checking that Rob wrote a few years ago while still working for Sangoma and which was all about “integrity and security” at the time came back to bite him.

Third party contribution to Freepbx slowed down a lot after this and people didn’t like it at all especially Ward Mundy from PIAF who wrote plenty of nasty articles about Sangoma and the whole former Schmooze team and the relationship between them turned quite hostile.
Now they seem to be best friends again and even sponsor him.

Funny how things can go.

3 Likes

So answering my own question here: The change to the key signing agreement dated 21 Jan , 2020 by Michelle Fleming was to add this section:

You have developed and/or are utlizing a module with FreePBX for which you are directly or indirectly generating revenue or commercial advantage and you have not entered into a commercial agreement with Sangoma that protects its commercial interests and its intellectual property

That is adding to the list of reasons to revoke the key. Okay, so clearly playing dirty to make a late change like that. But if the issue is over signing commercial modules, then the section above seems to indicate that this is undefined territory?

Signing your own commercial module will not be supported at the moment, because as soon as there’s a financial agreement in place, a pile of other new and interesting laws apply. We’ll cross that bridge when we come to it, but it’s going to be annoyingly difficult.

That line is exactly the same all the way back to Rob’s original version dated 31 Oct, 2014.

In fact, there’s very little difference over the last many years: Sangoma Documentation

Ultimately, this comes down to whether Sangoma or Rob have the original rights to the key signing system. As Rob points out in his detailed post, the key signing system was set up by him in a role as a community contributor, not a paid developer, and he contributed it to the open source project, not a company. Clearly, Schmooze and then Sangoma took over the daily responsibility of operating and maintaining the signing system as it’s a necessary part of the FreePBX distro, but unless there was a legal agreement in place concerning the transfer of rights for the key system itself, including his master key, doesn’t Rob retain the ability to grant ClearlyIP the ability to sign their own modules? It’s clear that there is a misunderstanding here between the two companies as to the ownership and rights of this – and just as hopefully they will talk about it and come to some sort of agreement that doesn’t include threatening to revoke keys and breaking customer’s systems.

1 Like

Update to FreePBX Community “Advanced Notice” Posting from Friday Feb 7

Subsequent to our post on Friday, February 7, 2020, we have heard the requests from community members who need more time before Sangoma takes any action regarding Clearly IP modules. Since Sangoma’s goal is to minimize any impact on the community, we will NOT revoke our signature on Clearly IP Module signing key before Monday, February 17, 2020.

Isn’t FreePBX supposed to be Free and Open Source?

Sangoma’s position is that FreePBX will always be Free and Open Source: this will NEVER change. The issue has nothing to do with open source, instead it has to do with the violation of the clearly defined rules that pertain to commercial (non-open source) modules and the key signing agreement that is posted here:

https://wiki.freepbx.org/pages/viewpage.action?pageId=29753662
https://wiki.freepbx.org/display/FOP/Requesting+a+Key+to+be+Signed

Clearly IP did not request their key to be signed by Sangoma nor did they sign a key signing agreement like everyone else. Instead they signed their own Clearly IP key using FreePBX Master Key and chose to release “non GPL, non open-source, commercial” modules into FreePBX open source platform.

FreePBX Master Key Ownership

When Sangoma acquired the assets of Schmooze in January 2015, including the FreePBX Project, we relied upon commitments made by the former shareholders of Schmooze regarding the ownership of the FreePBX Project and the assignment of intellectual property rights held by individual contributors (including Robert Thomas).

Sangoma will not be debating ownership of the FreePBX Master Signing Key in these Forums. The intent of our post was to inform our community members ahead of any actions by Sangoma.

6 Likes

This came up in my Google feed because obviously I use freepbx and asterisk, and have been for 10 years now. This is ridiculous for an open source project. Sangoma, get your act together or get ready for a mass exodus. You aren’t the only game in town anymore.

I’ll also add that if anyone outside of my organization changes anything on my phone system intentionally, there will inevitably be legal action coming your way. My organization was purchased by a $10B/yr Enterprise with enough lawyers it would make your head spin. The main entity I support provides services for patient and doctors, where mortality is a VERY real thing. I’d strongly caution the proposed course of action mentioned in this thread.

2 Likes

On the legal front this seems to have nothing to do with any part of the open source FreePBX. It is about signing of commercial modules.

That of course affects many things, depending on how someone is using the solution.

Read your T&C’s before randomly posting threats on the internet. If it is commercial, it is entirely likely to not actually be “yours” as much as you think.

Did you see the news about Tesla pulling Autopilot from used vehicles? Legal.

2 Likes

So you have Clearly IP modules installed on your PBX system?

3 Likes

So, if in “advanced settings” I set “Enable Module Signature Checking” off, then all this is ‘not applicable’ and “what’s then the problem?” ?

( Or am I reading that this will be subverted to “things you paid for” but cant read will stop working if you paid the wrong guy)

1 Like

The Clearly IP module in question has been out for what, 2-3 weeks? Have you really already rolled it into wide scale production to the point where you would be crippled? That’s surprising for such a large “Enterprise” organization…

1 Like

If you turn signature checkIng off in advanced setting, it won’t help…since every time you update modules it will be re-activated.

@dicko which modules are affected by this change please? (because I have no info about which are the Clearly IP’s modules inside FreePBX system)

1 Like

If you haven’t manually installed Clearly IP modules in freePBX, NO modules will be affected!

2 Likes

Probably none on your system.
It’s only if you have very recently installed the IncrediblePBX distribution, that you would have Clearly IP modules. I think they got a commercial 911 module that they sell and you would have noticed if you had bought that.

3 Likes

Yeah, that is kind of interesting considering that 1) The MLTS itself must have this ability out of the box come 6 days from now. 2) Using the upstream provider to solve these gaps is not going to cut it. See #1. Why? Because the next month you could have a different provider for whatever reasons, they don’t have this and now your MLTS is out of compliance.

So right now it sounds like IncrediblePBX’s only solution to this is a commercial module you have to buy and you must use Clearly IP’s trunking with for it to work. Unless I’ve missed something but I haven’t seen any other solutions announced from them outside of this.

1 Like

During this period of rapid evolution of the FreePBX forks, I think these are some good questions for users to take away from all of this, including:

  1. Who are we getting our FreePBX flavor from ?
  2. Will FreePBX modules from Vendor A work with modules from Vendor B ?
  3. Are there non-module alternatives for critical functionality, using native Asterisk configurations, that won’t break (as much) if/when we do change vendors and their associated SIP trunking services in the future ?
1 Like

Do you mean the developers that are forking FreePBX or the use of those forks? Developers are forking FreePBX and then adding/removing what they want. So right now every fork is based off FreePBX itself. As far as I know there isn’t an existing fork of another existing fork.

Do you mean if I create a FreePBX module then does it work with Fork A and Fork B? The answer is, in theory it should because I created a FreePBX module and those forks still use them. Now that isn’t to say Fork A or Fork B did something and my module would need extra things in it to work fully on their platform.

Of course, this has never changed with the project. You are free to modify it as you see fit as long as your follow the rules of the software.

What I said wasn’t a “threat”, it’s facts. The “threat” is from Sangoma here implying they have the right to remotely access my PBX without my authorization and disable or enable functionality as they see fit.

Might want to check out the lawsuits against Microsoft and other software companies. And if you can make a case for damages to business or public safety (for example e911) it can get VERY ugly. Add to that what would have been an initial 2 day notice…not a good look at all.

I’m going to have to start planning my exit from FreePBX sadly. The way this was handled and the disregard of impact to customers leaves a sour taste in my mouth for what might happen later this year, or the next year, etc. The changes to commercial modules years ago was bad enough. Now they’ve basically threatened users with the ability to disable my PBX whenever they so choose.

Nope. That’s not really the point however. Someone saying they can remotely disable functionality in my PBX without my consent is a major risk based on these statements. You’re cool with that?

Seems you have missed the point.

And yes, we were a small business that was purchased by a massive Enterprise in the healthcare industry. I implemented FreePBX at our sites. They’ll probably try to replace them with Cisco soon enough now if they are allowed to.

Maybe I’m just simple, but to me this looks like Rob and Tony put out a module that addresses our E911 concerns with the upcoming requirements. They beat Sangoma to the punch, so now Sangoma is reacting the only way they can.

Would this even have been an issue if Sangoma had released theirs already? Would they even be concerned?

And I think the point you are missing is that FreePBX is not impacted. If you went bleeding edge on their commercial e911 module or their phone provisioning module, you may be impacted. If you are using Incredible PBX (which I’m hearing is using alot of Clearly IP stuff) then you may be impacted. But FreePBX is not in and of itself impacted, unless you’re on the bleeding edge with these 3rd party modules.

1 Like