No it’s not. All of the other modules are still checked for sanity. The only problems that will happen are if “bad guys” mess with the two modules I’ve excluded in the future; I won’t be notified. I’ve accepted that risk for these 2 modules, and only these 2 modules. Your suggestion of disabling it totally would mean that every single module I have would be unchecked… not what I want.
2 modules being unchecked is acceptable risk to me. 30+ is not.
I didn’t read this whole post, so I must have missed the “hate” posts. I don’t hate you, here’s a :hug: to prove it. Hah.
As for a secure way to do this, I’m not sure one exists, at least not the way you want it to. This is OSS, things can be edited. To me (a complete outsider not privy to any conversations about module signing) it seems that FreePBX module signing is Schmooze’s way of trying to defend someone’s network when the customers should be doing that themselves with firewalls and proper security config throughout their networks. It’s not the job of a VoIP server to protect a network. If someone can get inside the network far enough to edit PHP code on a server, FreePBX module signing is the least of your worries.
I’d personally be happy with the simple checking done with the module.sig file. Then if we edit any code we can simply update the hash and be happy. Obviously hackers can do that too, but like I said above, acceptable risk. This is OSS after all. The only secure way to do what module signing is supposed to do in theory is to make all modules compiled binaries, and I doubt anyone wants that. I’ve had to deal with ZEND compiled PHP before and I wanted to hang myself.
So in the bigger conversation, my 2 cents is that module signing is too restrictive considering this is all OSS. Customers should have their own defense strategy to prevent people from getting into their servers.
So what do you think? Sorry if this post sounds too attacky.
It’ll ignore any modules that start with cxpanel or framework
Yeah, I didn’t put the $ at the end of the regex. I’ll edit my post…