I understand that signature checking is a security measure, however I have my reasons for not having it enabled. I’ve noticed that after some recent module updates, it seems to be enabled again. While I appreciate the effort to ensure security, I would prefer to have more control over these settings. It would be appreciated if the module updates could respect my previous configuration choices.
Module integrity validation is for EVERYONE, and if it wasn’t turned on automatically then an attacker could do exactly that, and bypass it all!
I assume you’re doing module development, so running the ‘protect this module’ script can be annoying and easy to forget, but unless you can figure out a way where YOU can turn off module integrity validation and NO ONE ELSE CAN, we’re pretty much back where we started 8)
The sensible idea would be to put the ‘protect this module’ command into your CI/CD, or whatever you’re using to develop modules.
This is about settings being changed in general without even being notified about it. So let’s not go down the security rabbit hole. I have noticed other settings being changed on me as well from time to time.
Signature checking may not be necessary for all users in all circumstances and can sometimes cause more issues than it solves. I would love to hear of potential alternatives or modifications to the current setup that would better suit my needs.
There is no rabbit hole. It is working as designed and the behavior has been there since day 1 of the functionality almost 10 years ago. I have opened a ticket for this setting to be hidden in case others get confused by what it does.
It appears that the approach being taken does not fully consider the capability and expertise of the users. It would be valuable to consider alternative solutions that empower users and allow for more customization and control. Each user has unique needs and perspectives, and it’s important to respect and accommodate those differences.
This setting was put there for developers working on the feature. it serves no purpose outside of someone debugging the signature checking component. There is no end user usefulness for this functionality. There are a lot of flags and settings that users don’t see because their sole purpose is to speed development. When I am developing database stuff I add in functionality to nuke everything and start over. This in general would give a user a bad day. It it NOT there for them. They never need to use it. These things exist to help debug. Nothing more, nothing less. It isn’t commentary on the user. There is development stuff in FreePBX that was just for me when I was a primary developer. It isn’t used by any other developer, user or employee. They likely don’t even know it exist without reading the code. If they are reading the code they are probably working on it and can use what I added.