Module Signing Questions

Perhaps another point of this whole thread

might be “How does one self generate a ‘module.sig’ for a trusted module”, self or otherwise modified inside the open source FreePBX eco system, without being dependent on the new commercial/phone-home oriented Sangoma eco system ? Or are we just expected to trust without question that authority without any control over it and go through the whole self certification hoops against that same authority? (seems a little scary to me . . . , not to you?)

That was, actually, my very first suggestion. Just generate a GPG key and ask us to sign it. We need you to sign the indemnity form that says what you do with your key is your fault,and not ours. (The wording of that is what has been causing issues, but, if you are doing it for yourself and not distributing the modules, then nothing in there could cause you any problems)

This has 100% nothing to do with phone home. The new OOBE calls that let Sangoma offer free stuff aren’t really ‘phoning home’, but I can see how you could get that impression. It’s a single request that asks ‘Can I have any free stuff?’ and returns yes or no. This is all open source code, nothing’s hidden or obfuscated - check out OOBE.class.php in BMO (and you’ll also see who the main committer to that class is, too :sunglasses:

That’s the whole point of the indemnification. We do NOT have any authority. All we’re doing is approving your GPG key to sign modules. You can do whatever you want with it, but, if a module signed by your key is found to be doing bad stuff, then we’ll revoke our signature on your key. That is the only time that we explicitly block a module from running. We think that if we’ve had to actually revoke someone’s key, then there’s going to be a damn good reason for it.

From there, If you wanted to re-enable that module, you’d have to delete the sig file, so the module is treated as unsigned.

People are over-thinking this. This is just a really basic, trivial, way of doing a simple GPG web of trust, that’s built into FreePBX. That’s it.

Here’s the wiki page on how it all works and goes together, and even has examples of what you need to do to generate a key.

Indeed it’s just about trust, which I would like to point out was never built into FreePBX (open source ) to my knowledge, we just learned to trust it, . . . with caution :slight_smile:

Just being the devil’s advocate here you asked us to "ask us to sign it. ". . .

And in case you question it, I trust you without limit.

Well, I honestly tried my best to NOT make it about trust. This is just integrity validation. Which, as you said…

That’s exactly right, and I have had huge amounts of regret over that over the years. In fact, one of the things I pretty much BEGGED to be allowed to do, when I came back to FreePBX, was to add in some sort of integrity validation, and using GPG this way seemed to be the best, and most flexible and - most importantly - the most standard. Everyone uses GPG for integrity validation, so why don’t we? :sunglasses:

Absolutely. I have no issues with that at all. And, happily, no-one has appeared to disagree with the implementation, or the logic behind it, it’s just the wording of the indemnification that’s upset some people, which is a legal thing that is Not My Problem™ :sunglasses:

Aww, shucks.

I guess my problem is that the open source modules are intrinsically modifiable, by definition, if the only source of authority of such acceptable changes are immutably enforced by a third party that rejects those ad hoc changes, then it is no longer supportably open source, am I being a complete AH here?

I do understand why, I just don’t agree with your enforced authority as to what I want in my FreePBX.


That’s not correct.

That’s also incorrect.

I would never say that :sunglasses:

It’s not immutably enforced. Not even a little bit. Both of those words are wrong. It’s not immutable (unchangeable) - you can go through and change it yourself. The code is in BMO/GPG.class.php. And it’s all EXTREMELY well documented, because I don’t want to be the only person in the world who understands it :sunglasses:

It’s also not enforced, at all. All it does is WARN you when it detects something has changed, notwithstanding my previous comment about explicitly blocking known-bad malicious entities (and even the ability to remove the block is well documented).

Additionally, nothing ‘rejects’ changes.

This really should be spun off into a different thread, so we don’t clutter this one up, and if I knew how to do it, I would, but I’m going to go to bed shortly, as I think I’ve managed to trick my body into thinking it’s bedtime at a reasonable time :sunglasses:

I agree someone should move it out of here.

Sleep well :slight_smile:

That is indeed the crux of the problem. The way the American legal system works, there’s no way an individual American (whether user or small developer) that’s not shielded behind a “corporate veil” should want to go along with that. As you say, it’s not your problem, but it is a huge problem for anyone who might want to sign a module but doesn’t want to expose themselves to unnecessary legal risk.

I’m not saying that Australia is a legal backwater, after all both our systems are based on English law. But, I just get the sense that you don’t see some of the ridiculous legal stuff there that goes on here. To give you just a small idea how f—ed up it is, there was a case a couple of decades ago where a 12 year old boy was raped (at least in the statutory sense, since he was well below the age of consent) by his older female babysitter. The babysitter then got pregnant and had the baby, and the boy was ordered by the courts to make child support payments on the kid! When I read that, I realized how totally insane the American legal system really is. I just have my doubts that anything that ridiculous would occur in any other country based on English law, and sadly that’s probably not the most ridiculous ruling ever issued by American courts.

So with cases like that on the books, a lot of Americans simply don’t want to expose themselves to unnecessary legal liability. You start to read agreements with the question in your mind, “How could this be used against me, and if it is, what’s the worst possible outcome?” Because, it just might happen.

I truly don’t understand the problem with the wording. If Sangoma gets sued because of something you did with your key, it’s your fault, and you’re responsible for it.

What is wrong with that? If you think the entire concept is wrong, then we’ll just have to agree to disagree and give up, because there’s no way you’re going to convince me that THAT isn’t fair.

However, if you’re happy with the CONCEPT, but the wording is unclear, there’s nothing stopping us from changing that, or adding clarifications.

I think the “agree to disagree” part is what is going to happen here, because there is absolutely no way I would be happy about being forced to indemnify a corporation against anything. Corporations can afford lawyers, I can’t.

What I would like to see is a way that individuals could get a single-use key that would only work for a single module on a single installation without having to sign anything. In that situation I don’t see what I could possibly do that would cause Sangoma to be sued, since the key would only work on the user’s installation and no one else’s.

If Sangoma feels they need to be indemnified by individuals wanting to run a third-party module on their own installations, there is something seriously wrong. Basically what you then have is two parties that are both ultra-paranoid about legalities, and neither is going to give an inch. I will admit to being in that camp, but as an individual it’s only prudent to assume that if you ever get into a legal battle with a corporation, at the very least defending yourself is going to turn out to be very expensive, and Corporations can and do use questionable legal tactics for the express purpose of causing the other party to exhaust all their available funds.

As far as it goes, if Sangoma is THAT paranoid about being sued, why aren’t users forced to indemnify Sangoma before they are allowed to use FreePBX at all? Of course if they ever tried that, they would lose a lot of users in a real big hurry, and it would probably quickly drive a stake through the heart of any relationship they might have with some of the big promoters of FreePBX like the Nerd Vittles people (although I get the sense that relationship has already taken a turn for the worse, from some things i have read recently). But my point is that forcing individuals to indemnify Sangoma before they can use a third party module that Sangoma had absolutely nothing to do with doesn’t make any more sense, in fact it probably makes less sense.

I understand that you don’t understand the problem with the wording, but I think that’s in part because your expertise is in technical areas and not law, and in part because you haven’t have enough exposure to the insane workings of the US legal system. Unfortunately, I’m not a lawyer and I don’t know any personally, so I can’t really make any good suggestions that might make that indemnification section less objectionable. I don’t think that section should be necessary at all, and the thing I don’t understand is why you seem to think I’m being unreasonable because I don’t want to agree to it, yet you don’t think Sangoma is being unreasonable for putting it there in the first place. Seems a quite one-sided view of things from where I sit, and I don’t think there’s much hope we’ll ever agree.

Besides, as far as I’m concerned, with the additions to Custom Destinations, for me the point is moot, at least for the time being. I no longer have a need to use a third-party module so I don’t really care to argue the point, especially with you, because I think you’re one of the good guys. It just perplexes me that you honestly don’t appear to see the problem with that indemnification section, and if you don’t see it, I have no idea what I could say to turn on the light bulb for you.

I read your entire message, and I’m not ignoring it, but this is the important bit: I do not see the problem with you being responsible for what you do with your key. Honestly, I don’t. You seem to have an issue with it, and I don’t know why.

Can you try to explain the problem, please? I’m willing to spend some time trying to figure out what the problem is, and possibly even fix it, but I don’t KNOW what the problem is, and I’m just sitting here puzzled why a small number of people have a problem with it (lots of other people DON’T - AFAIK there’s now over a hundred signed keys out in the wild).

Guys, have you seen this thread on, specifically the posts by “AllThumbs” of the Nerd Vittles site mentioned in editor’s post?

I think that “AllThumbs” is Ward Mundy and iirc he either is a lawyer, or used to be.

First I want to say up front that I’m only replying to this because you don’t seem to understand the problem here, and I am trying my best to help you see it, but apparently I’m failing miserably. And that frustrates me, because to me the problem couldn’t be more apparent. And besides that, it’s a moot point for me now because you’ve addressed my original problem with the updates to Custom Destinations.

So please take these comments in the spirit of trying to help you see my point, but if you still don’t then I’m absolutely at a loss as to what else I can say, and I really don’t want you upset with me because I’m happy with the help you’ve given to me and therefore this is a non-issue for me now.

So to try to answer your question, I don’t have an issue for being responsible for what I do with my key ON MY SYSTEM. But for that, I should not have to sign any legal agreements. I have a huge issue with being responsible for the use of a key on anyone else’s system, but I don’t want to permit that in the first place.

I’d be curious to know how many of those keys were signed by users in the USA. IMHO, any US resident who signs for a key is either blissfully unaware of the legal exposure they are giving themselves, or they aren’t thinking clearly. If someone lives in another part of the world where the court system actually makes sense, then I can understand why they’d be less hesitant to sign for a key. But here in the US, you have to assume that any legal terminology that can be used against you just might be.

The fix is simple: Allow individual users to obtain single use keys that will only work on their system and no other, without having to consent to any agreements that give them legal exposure. Or give them a way to disable module signature checking for one module only.

Here is the part I really don’t understand. Why you think I should be responsible for anything regarding that module if I didn’t write it and don’t understand the code, other than the risk of installing it on my own system, which I was willing to accept? Why aren’t you asking the maintainers of the POSSA repository why they aren’t willing to sign for the modules in their repository? I’m serious - they probably have a reason they don’t want to do it, and if they don’t want to, why do you seem to think I should? This has been part of my point all along - of all the parties that should be willing to sign for a module, the end user is probably the least appropriate party, particularly if they had nothing to do with the creation of the code. Would you want to legally indemnify some corporation against the possible misuse of code that you didn’t write, and that you have no idea how it operates, other than maybe some small degree of trust that the author knew what he was doing?

Maybe that code DOES contain something bad or nefarious - I doubt it because I’ve used it in the past and never had a problem, but let’s just say it does. Being willing to accept that risk on my own system is one thing, but I’m not willing to assume even the smallest bit of risk with regard to anyone else’s system or Sangoma. And I don’t need to sign anything to indemnify myself against myself.

Now you may say that if I keep the key to myself there’s no problem. But that document is still out there. What if someone hacks my system and get the key, or compromises your servers and gets it, or simply tries a brute force attack to find a working key and happens to get mine? That’s why I say, I don’t need and don’t want a key that will work for everyone. If you hadn’t solved this problem, I would still only be wanting a key that works on my system alone, and no one else’s.

I have a feeling I’m still not explaining this well enough to make my point clearly understood, and that’s why I say, I wish you’d ask the maintainers of POSSA why they are unwilling to get keys for the modules in their repository. Even though they didn’t write most of that software, they are still distributing it for use by multiple users, whereas I’m not and have no desire to. They would be a more appropriate party to get a key, and if they don’t want to maybe they can at least explain why in a way that you can understand. I’m sorry my communications skills aren’t better, but in the end it all boils down to legal exposure and the fact that no sane individual should have to agree to indemnify a corporation against a possible lawsuit, because that’s a recipe for personal financial disaster. I don’t want to have to worry about possibly losing everything I own, just because I wanted to use a third-party module on my FreePBX installation.

That pretty much hits the nail on the head. Schmooze/Sangoma is the only organization of which I am aware that requires a blank check for their legal expenses (reasonable or not) because some user added an open source component to what is proclaimed to be an open source project. RedHat doesn’t require it, Ubuntu and Debian don’t require it. Digium doesn’t require it. Apache doesn’t require it. Oracle doesn’t require it. Nobody but Sangoma!

This smells more like an attempt to channel folks into using proprietary, closed source (commercial) modules while locking out open source contributions from outside developers. That conclusion is reinforced by the fact that this is the only open source product in which the owner locks a commercial product into their module system (a.k.a. SIPStation) presumably to encourage sales while barring inclusion of competitive commercial modules from others. That may turn out to be a costly blunder. Suppose Digium had a similar prohibition that barred companies like Sangoma from adding software to Asterisk to support non-Digium proprietary hardware. Wouldn’t that be interesting?

Funny that FreePBX “integrity checking” only appeared in version 12 after numerous hacks of FreePBX, all of which could have been avoided by including a secure, preconfigured firewall as part of the distribution just like the other aggregations do. But wait, that might have cut into sales of Sangoma hardware such as Session Border Controllers. Starting to get the picture now?

I think this is getting in the weeds so I will make three simple points.

First, Ward … your rhetoric is not even worth the time of day to address, it’s completely out of line, has no basis, and is ridiculous.

Second, we understand the desire to have “a single use single machine” key. If we knew how to do this securely, we would. We’ve been laboring over a solution since we started signing. “Code submissions are welcome” … if there’s someone out there who has a solution to evaluate, we’d love to hear it.

Third. FreePBX does not require any EULA / legal agreement in it’s general purpose use. There seems to be an immense amount of hypocrisy in certain project leaders (Ward) who seem to be losing sleep over this while requiring every one of their PIAF and IncrediblePBX users to agree to the following:

If you do not agree with these terms and conditions of use, press Ctrl-C now. Otherwise, press Enter to proceed at your own risk…

For those ‘non-lawyers’ this highlighted comment is a legal equivalent of INDEMNIFICATION with a blanket HOLD HARMLESS and in the event Ward is harmed the users or users’ customers will have to make Ward “whole” with no understanding of what that means.