Home » Technology » Keeping It Real: Holey Socks! It’s the Missing FreePBX GPL Source Code, Or Is It?

The Most Versatile VoIP Provider: FREE PORTING

Keeping It Real: Holey Socks! It’s the Missing FreePBX GPL Source Code, Or Is It?

If you’ve ever shopped at the outlet malls, you quickly learn that things are often not quite as they appear on first blush. Labels inside shirts have either been removed or mangled in some way to keep you from returning the merchandise to a ‘real store’ for a refund at full retail price. Socks in particular always have a habit of sprouting a hole after you’ve worn them about twice. For those that were ever in the military, you may recall that the Post Exchange always had name-brand shirts for about half the price of the regular men’s stores. They were quite a deal… as long as your favorite colors were pink and purple. Let’s face it. These manufacturers think they’re smarter than we are, and all these sleights of hand are no accident. They’re purposeful actions engineered to assure that we don’t get something for nothing.

All FreePBX gpl source is available at http://t.co/7z6lXPVwVo and mirrored at https://t.co/n9Cu46hFRV #asterisk #showyourcode

— James Finstrom (@geek3point0) June 8, 2015
Source: twitter.com/geek3point0/status/607910432385441793


All FreePBX gpl source is available at http://t.co/7z6lXPVwVo and mirrored at https://t.co/n9Cu46hFRV #asterisk #showyourcode

— James Finstrom (@geek3point0) June 15, 2015
Source: twitter.com/geek3point0/status/610447235852201986


So what do retail merchandising tricks have to do with Sangoma® and FreePBX® source code? You’ve probably seen the weekly ads on Twitter touting the availability of GPL source code for FreePBX.1 So life is good, right? What’s the problem?

If you tell a lie big enough and keep repeating it, people will eventually come to believe it.
Dr. Joseph Goebbels… among others*

‘CliffsNotes-like Version’ of the GPL… with apologies to CliffsNotes™

Ever Dealt with a DOP? That’s not a typo for DOPE. Quite the contrary, these aren’t dumb people. In fact, they are folks that think they’re smarter than the rest of us. Our new word "DOP" means somebody you suspect is being Dense on Purpose. We’ve gone around and around on Twitter this week with the FreePBX developers who repeatedly have claimed they’ve released "ALL FreePBX GPL source code" while we have suggested just the opposite. So let’s dumb it down to a single paragraph with short sentences that even a Fifth Grader can understand…

FreePBX is a GPL product. FreePBX consists of TWO components. A GUI generates Asterisk code. A Cloud-based CDN provides updated modules to make FreePBX continue to work. FreePBX won’t continue to function properly without its CDN. Thus, the GPL says BOTH components must be licensed as GPL code. The GPL requires ALL corresponding source for ALL integral components. A GPL toolkit that generates crippled source doesn’t cut it. A toolkit with strings attached doesn’t suffice. A toolkit that only functions properly if you agree to pay Sangoma’s legal expenses does not comply with the GPL source requirement. Toolkits are fine and may be required components under the GPL but… Source means SOURCE CODE. The source requirement means ALL the actual code necessary to replicate ALL of the uncrippled functionality of the original GPL product. GPL Source "means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities." Source means ALL the same source that the FreePBX product itself uses to make the product fully functional in an uncrippled, unrestricted manner.

So Sangoma… SHOW ME (ALL) THE SOURCE!

CliffsNotes is a trademark of HOUGHTON MIFFLIN HARCOURT. Reference is a simile only. CliffsNotes makes no product associated with the GPL.

The Rest of the Story for Those That Enjoy Reading

For those that have used the FreePBX GUI, you quickly learn that the best feature of this GPL-touted product is its ability to automatically update all of its included modules with three button clicks. Clicking Check Online gives you an instantaneous snapshot of every component in the GUI and every update that’s available. Clicking Upgrade All tags all of your modules that have an update available. Clicking Process brings all of your modules current. It works exactly the same way whether you have one module to update or twenty. It’s simple, easy, and quick. You couldn’t ask for a better upgrade design.

The deal, of course, with GPL software is that you’re entitled to get the source code with the application itself so that you can make changes and improvements if you choose to do so. We’ve been outspoken critics of the fact that Sangoma doesn’t meet that requirement. And these weekly Twitter ads presumably are their response suggesting that they do. So let’s take a careful look at the ‘GPL Source’ that Sangoma says they’re providing and do a little experiment to find the hole in the socks.

To make this Module Admin component of FreePBX work, you need two pieces: the FreePBX GUI software itself AND the FreePBX Cloud component that houses the (hidden) GPL modules for FreePBX. Sangoma provides only one of the two necessary components. In a previous article, we showed how to build the cloud component to independently maintain the FreePBX GPL modules. The implication from the Twitter ads is that you can build the equally important cloud component using the ‘GPL source’ provided in either Sangoma’s GIT repository or on GitHub. Otherwise, the source code provided yields a crippled version of FreePBX in which the critical Module Admin component wouldn’t function properly. In other words, the GitHub ‘GPL Source’ wouldn’t be the real source code necessary to make the GPL product work as designed. It speaks volumes about the type of "open source" folks we’re dealing with when you come to appreciate that a single Apache command switch (Options +Indexes) is all that would be necessary for Sangoma to provide the Real Source Code™.

So let’s do a simple experiment. First, download the touted ‘GPL Source’ for the Core module that’s buried in GitHub. Next, download the Core module that’s hidden in Sangoma’s Cloud repository. This is the one that’s actually used to update FreePBX using the Module Admin tool explained above. Now let’s expand the tarballs and compare the contents. The GitHub-touted source is pictured on the left. The "real source" from the Sangoma repository is on the right. Can you guess which one will actually work in the cloud repository to make Module Admin and FreePBX function properly?

By comparing the contents of the two tarballs, you’ll notice several things. First, the file names are different. This naming convention is critically important to the FreePBX Module Admin component. One works. One doesn’t. Second, the time stamps on the individual components are different. This is a tell-tale sign that the two tarballs were generated using different programs, none of which have been provided. Third, the "real source" file is over 6,000 bytes larger than the GitHub version. Expanding the two files as we have done above tells you why. The "real source" (on the right) has an extra signature file that is missing from the GitHub version. Not only is the signature file missing, but so is the program to actually generate it.2 This is critically important because FreePBX 12 uses these signature files to determine whether a module is legitimate. Guess which one passes that test?

There’s actually another missing piece that the Sangoma ads and GitHub repositories fail to acknowledge: the XML file for each FreePBX version and the scripts to actually generate the contents of these files. These XML files tell the Module Admin component what modules have been updated and what the checksums for the modules are. The XML files in the cloud and for the individual modules are essential in assuring that you don’t destroy your server by installing a partially downloaded component that cripples the functionality of the FreePBX GUI or brings down your telephone system.

In conclusion, FreePBX is the antithesis of open source and violates the basic tenets of the GPL. Not only is the platform anything but open, but its real source is shrouded in secrecy together with the tools to make the product functional. This is not the way GPL open source projects are supposed to work, and Sangoma should know better. They’ve been a long-time supporter of the open source community.

The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. [Emphasis added.]

Pinocchio would be proud. Standing alone without its hidden components, FreePBX has become the poster child for CrippleWare with its missing pieces and half-baked source code. Giving Sangoma the benefit of the doubt, let’s assume that Sangoma had no knowledge of any of this and chalk it up to the Schmoozers pulling a fast one on the new boss to protect their still-to-be-paid profits from Year One sales of FreePBX commercial offerings. After all, that was the silver lining in the Sangoma purchase contract.

Dear Sangoma: NOW YOU KNOW!

What happens going forward is on your watch, not the previous owners. Sangoma now owns the FreePBX product and is obliged to provide the "real source code" for the program and all of its critical components in accordance with the GPL. We trust that after reading this (and we’ve mailed them a copy), Sangoma will choose to do the right thing for the Asterisk community upon which its livelihood depends. Abide by the terms of your GPL license and release the "real source code" for all of the critical components of FreePBX including all of its GPL modules and all of the pieces necessary to make the cloud repository, XML local and cloud components, and signature generation and checking mechanisms function as designed and integrated into your FreePBX product.

For the rest of the story…

Epilogue. After release of our article, the lead FreePBX developer, Philippe Lindheimer, finally documented Online Module Management… after 9 years of secrecy. Better late than never! This was followed by a posting from Rob Thomas that sought to document the process of writing a new FreePBX module. Anyone with an interest in the GPL and open source software should read both of them. Here are two guys whose entire livelihood is thanks to the open source community. Yet they both tout the FreePBX Distro which is neither open source nor GPL code. Here’s what’s missing with the current FreePBX GUI. Their focus appears to be on the process for introducing new modules into FreePBX, a process that remains proprietary. Our focus has been on obtaining the source for the existing components of the FreePBX GUI. There still is no way to independently replicate the Cloud-based CDN component of FreePBX 12 with the same modules that FreePBX uses because that "open source software" has not been provided. The new FreePBX 12 design requires a PROPRIETARY KEY in order to produce any modules for the FreePBX "GPL" platform. That includes any attempt to replicate the original FreePBX components. Bottom Line: You cannot replicate the same source code that FreePBX 12 uses in the Cloud using the tools provided by the FreePBX developers. And that is a no-no under the GPL unless the apparatus to produce and manage the original keys is also provided. The GPL requires release of the original source upon which the FreePBX platform operates, not a toolkit and not a reworked version using different source resulting in different modules. Providing proprietary tools to generate different source with different module components is NOT the same as original source code… as the GPL requires.

As one of our PIAF Forum users suggested, this design would make perfect sense for a proprietary platform such as the FreePBX Distro, and the developers would do everyone in the open source community a favor by migrating the technology there while restoring the original GPL design of the FreePBX GUI.3

Originally published: Monday, June 15, 2015  Updated: Friday, June 19, 2015   Epilogue: Monday, June 22, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

  1. Following publication of our article, the ads on Twitter from the FreePBX Community Manager were removed from public view, not exactly the Sangoma response we had hoped for. Now the GPL Source Code AND the ads are hidden. NEWS FLASH: The ads have now reappeared. Coming on the heels of this article, that would appear to be an official FU from Sangoma that they do not intend to release the module source components hidden in their CDN cloud. []
  2. After release of this article, one of the FreePBX developers suggested that the GPL FreePBX Development Tools could be used to build your own Cloud component for FreePBX. There are several problems with that. First, these tools and their output are for development use only and were never intended for use with FreePBX in a production environment. Second, the tools require a (revocable) "key" issued by FreePBX. In and of itself, that makes FreePBX proprietary. Third, this key requires a user to sign a blank check legal indemnification agreement to cover all of Sangoma’s legal expenses (reasonable or otherwise) should they be sued for anything associated with that key. Without a key, unsigned modules (including those from FreePBX’s own GitHub source tree) would generate nasty compromised server messages in the GUI. So, no, providing a toolkit to build crippled source is not the same as providing the actual source code upon which FreePBX relies for proper operation, i.e. the XML and TGZ files hidden in the Sangoma Cloud which in Sangoma-speak is euphemistically described as their content delivery network (CDN). []
  3. We will not get into the developer’s claim in footnote 1 that these FreePBX security breaches were not caused by "a FreePBX exploit" but instead were the result of an "unauthorized module installed on them that was named ‘Admin Dashboard.'" In point of fact, the unauthorized module was detected by some early users of FreePBX 12; however, the exploit that resulted in the introduction of the Trojan module was most definitely caused by a FreePBX exploit, an acknowledged security vulnerability "within the legacy FreePBX ARI Framework module/Asterisk Recording Interface (ARI)." It was that exploit that allowed the introduction of the Trojan module in the first place. As we have often suggested, this vulnerability never would have occurred if all of the aggregations including the FreePBX Distro had provided a locked down firewall as part of their distribution. []

3 Comments

  1. So what recourse is there? What if Sangoma thumbs their nose at your argument?

    [WM: Love the nose joke. Stay tuned. It ain’t over ’til it’s over. –Lenny Kravitz]

  2. Great stuff, keep up the good work.
    But what if they do nothing ? They are in breach of the GPL – but who is able to enforce that ? Anyone with the object code (ie any user), or only a copyright holder ? And on that, I had a quick look at GitHub, and although I could see a Licence file with GPL3 I didn’t see any copyright notices.

  3. People will come to them because it is easy to do so. The good money they make will be from support hours (they know their product better than anyone) and from commercial modules. Why don’t they make it more open and then they can even sell their modules anywhere such as you see Elastix do at addons.elastix.org ??? I guess they’re afraid someone would build a better commercial module and undercut them? Holding on too tight can actually be detrimental to the success they could see.

    Thanks for all this work – and please keep us posted on developments

Comments are closed.