If you’ve ever shopped at the outlet malls, you quickly learn that things are often not quite as they appear on first blush. Labels inside shirts have either been removed or mangled in some way to keep you from returning the merchandise to a ‘real store’ for a refund at full retail price. Socks in particular always have a habit of sprouting a hole after you’ve worn them about twice. For those that were ever in the military, you may recall that the Post Exchange always had name-brand shirts for about half the price of the regular men’s stores. They were quite a deal… as long as your favorite colors were pink and purple. Let’s face it. These manufacturers think they’re smarter than we are, and all these sleights of hand are no accident. They’re purposeful actions engineered to assure that we don’t get something for nothing.

All FreePBX gpl source is available at http://t.co/7z6lXPVwVo and mirrored at https://t.co/n9Cu46hFRV #asterisk #showyourcode

— James Finstrom (@geek3point0) June 8, 2015
Source: twitter.com/geek3point0/status/607910432385441793


All FreePBX gpl source is available at http://t.co/7z6lXPVwVo and mirrored at https://t.co/n9Cu46hFRV #asterisk #showyourcode

— James Finstrom (@geek3point0) June 15, 2015
Source: twitter.com/geek3point0/status/610447235852201986


So what do retail merchandising tricks have to do with Sangoma® and FreePBX® source code? You’ve probably seen the weekly ads on Twitter touting the availability of GPL source code for FreePBX.[1] So life is good, right? What’s the problem?

If you tell a lie big enough and keep repeating it, people will eventually come to believe it.
Dr. Joseph Goebbels… among others*

‘CliffsNotes-like Version’ of the GPL… with apologies to CliffsNotes™

Ever Dealt with a DOP? That’s not a typo for DOPE. Quite the contrary, these aren’t dumb people. In fact, they are folks that think they’re smarter than the rest of us. Our new word “DOP” means somebody you suspect is being Dense on Purpose. We’ve gone around and around on Twitter this week with the FreePBX developers who repeatedly have claimed they’ve released “ALL FreePBX GPL source code” while we have suggested just the opposite. So let’s dumb it down to a single paragraph with short sentences that even a Fifth Grader can understand…

FreePBX is a GPL product. FreePBX consists of TWO components. A GUI generates Asterisk code. A Cloud-based CDN provides updated modules to make FreePBX continue to work. FreePBX won’t continue to function properly without its CDN. Thus, the GPL says BOTH components must be licensed as GPL code. The GPL requires ALL corresponding source for ALL integral components. A GPL toolkit that generates crippled source doesn’t cut it. A toolkit with strings attached doesn’t suffice. A toolkit that only functions properly if you agree to pay Sangoma’s legal expenses does not comply with the GPL source requirement. Toolkits are fine and may be required components under the GPL but… Source means SOURCE CODE. The source requirement means ALL the actual code necessary to replicate ALL of the uncrippled functionality of the original GPL product. GPL Source “means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities.” Source means ALL the same source that the FreePBX product itself uses to make the product fully functional in an uncrippled, unrestricted manner.

So Sangoma… SHOW ME (ALL) THE SOURCE!

CliffsNotes is a trademark of HOUGHTON MIFFLIN HARCOURT. Reference is a simile only. CliffsNotes makes no product associated with the GPL.

The Rest of the Story for Those That Enjoy Reading

For those that have used the FreePBX GUI, you quickly learn that the best feature of this GPL-touted product is its ability to automatically update all of its included modules with three button clicks. Clicking Check Online gives you an instantaneous snapshot of every component in the GUI and every update that’s available. Clicking Upgrade All tags all of your modules that have an update available. Clicking Process brings all of your modules current. It works exactly the same way whether you have one module to update or twenty. It’s simple, easy, and quick. You couldn’t ask for a better upgrade design.

The deal, of course, with GPL software is that you’re entitled to get the source code with the application itself so that you can make changes and improvements if you choose to do so. We’ve been outspoken critics of the fact that Sangoma doesn’t meet that requirement. And these weekly Twitter ads presumably are their response suggesting that they do. So let’s take a careful look at the ‘GPL Source’ that Sangoma says they’re providing and do a little experiment to find the hole in the socks.

To make this Module Admin component of FreePBX work, you need two pieces: the FreePBX GUI software itself AND the FreePBX Cloud component that houses the (hidden) GPL modules for FreePBX. Sangoma provides only one of the two necessary components. In a previous article, we showed how to build the cloud component to independently maintain the FreePBX GPL modules. The implication from the Twitter ads is that you can build the equally important cloud component using the ‘GPL source’ provided in either Sangoma’s Git repository or on GitHub. Otherwise, the source code provided yields a crippled version of FreePBX in which the critical Module Admin component wouldn’t function properly. In other words, the GitHub ‘GPL Source’ wouldn’t be the real source code necessary to make the GPL product work as designed. It speaks volumes about the type of “open source” folks we’re dealing with when you come to appreciate that a single Apache configuration directive (Options +Indexes) is all that would be necessary for Sangoma to provide the Real Source Code™.

So let’s do a simple experiment. First, download the touted ‘GPL Source’ for the Core module that’s buried in GitHub. Next, download the Core module that’s hidden in Sangoma’s Cloud repository. This is the one that’s actually used to update FreePBX using the Module Admin tool explained above. Now let’s expand the tarballs and compare the contents. The GitHub-touted source is pictured on the left. The “real source” from the Sangoma repository is on the right. Can you guess which one will actually work in the cloud repository to make Module Admin and FreePBX function properly?

By comparing the contents of the two tarballs, you’ll notice several things. First, the file names are different. This naming convention is critically important to the FreePBX Module Admin component. One works. One doesn’t. Second, the time stamps on the individual components are different. This is a tell-tale sign that the two tarballs were generated using different programs, none of which have been provided. Third, the “real source” file is over 6,000 bytes larger than the GitHub version. Expanding the two files as we have done above tells you why. The “real source” (on the right) has an extra signature file that is missing from the GitHub version. Not only is the signature file missing, but so is the program to actually generate it.[2] This is critically important because FreePBX 12 uses these signature files to determine whether a module is legitimate. Guess which one passes that test?
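The comparison described above can be scripted so that it is repeatable for any module. This is an added example, not code from the original article or from FreePBX; the archive contents, member names (including `module.sig`), directory prefixes and timestamps are constructed placeholders.

```python
import hashlib
import io
import tarfile


def build_tar(files, mtime, prefix):
    """Build an in-memory .tgz from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def index_tar(blob):
    """Map each regular file, top-level directory stripped, to (sha256, mtime, size)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                rel = m.name.split("/", 1)[-1]
                data = tar.extractfile(m).read()
                out[rel] = (hashlib.sha256(data).hexdigest(), m.mtime, len(data))
    return out


def compare_tarballs(left, right):
    """Report member-level differences between two archives of one module."""
    a, b = index_tar(left), index_tar(right)
    common = a.keys() & b.keys()
    return {
        "only_left": sorted(a.keys() - b.keys()),
        "only_right": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in common if a[n][0] != b[n][0]),
        "mtime_differs": sorted(n for n in common if a[n][1] != b[n][1]),
        "payload_delta": sum(v[2] for v in b.values()) - sum(v[2] for v in a.values()),
    }


# Constructed sample data: names and contents are placeholders, not FreePBX files.
SHARED = {"module.xml": b"<module><rawname>core</rawname></module>\n",
          "functions.inc.php": b"<?php // placeholder\n"}
repo_copy = build_tar(SHARED, mtime=1433721600, prefix="core-master")
cdn_copy = build_tar({**SHARED, "module.sig": b"placeholder signature\n" * 300},
                     mtime=1434326400, prefix="core")

if __name__ == "__main__":
    for key, value in compare_tarballs(repo_copy, cdn_copy).items():
        print(f"{key}: {value}")
```

An empty `content_differs` together with a non-empty `only_right` means the shared files match byte for byte while the distributed archive carries members the published tree does not.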

There’s actually another missing piece that the Sangoma ads and GitHub repositories fail to acknowledge: the XML file for each FreePBX version and the scripts to actually generate the contents of these files. These XML files tell the Module Admin component what modules have been updated and what the checksums for the modules are. The XML files in the cloud and for the individual modules are essential in assuring that you don’t destroy your server by installing a partially downloaded component that cripples the functionality of the FreePBX GUI or brings down your telephone system.

In conclusion, FreePBX is the antithesis of open source and violates the basic tenets of the GPL. Not only is the platform anything but open, but its real source is shrouded in secrecy together with the tools to make the product functional. This is not the way GPL open source projects are supposed to work, and Sangoma should know better. They’ve been a long-time supporter of the open source community.

The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. [Emphasis added.]

Pinocchio would be proud. Standing alone without its hidden components, FreePBX has become the poster child for CrippleWare with its missing pieces and half-baked source code. Giving Sangoma the benefit of the doubt, let’s assume that Sangoma had no knowledge of any of this and chalk it up to the Schmoozers pulling a fast one on the new boss to protect their still-to-be-paid profits from Year One sales of FreePBX commercial offerings. After all, that was the silver lining in the Sangoma purchase contract.

Dear Sangoma: NOW YOU KNOW!

What happens going forward is on your watch, not the previous owners’. Sangoma now owns the FreePBX product and is obliged to provide the “real source code” for the program and all of its critical components in accordance with the GPL. We trust that after reading this (and we’ve mailed them a copy), Sangoma will choose to do the right thing for the Asterisk community upon which its livelihood depends. Abide by the terms of your GPL license and release the “real source code” for all of the critical components of FreePBX including all of its GPL modules and all of the pieces necessary to make the cloud repository, XML local and cloud components, and signature generation and checking mechanisms function as designed and integrated into your FreePBX product.

For the rest of the story…

Epilogue. After release of our article, the lead FreePBX developer, Philippe Lindheimer, finally documented Online Module Management… after 9 years of secrecy. Better late than never! This was followed by a posting from Rob Thomas that sought to document the process of writing a new FreePBX module. Anyone with an interest in the GPL and open source software should read both of them. Here are two guys whose entire livelihood is thanks to the open source community. Yet they both tout the FreePBX Distro which is neither open source nor GPL code. Here’s what’s missing with the current FreePBX GUI. Their focus appears to be on the process for introducing new modules into FreePBX, a process that remains proprietary. Our focus has been on obtaining the source for the existing components of the FreePBX GUI. There still is no way to independently replicate the Cloud-based CDN component of FreePBX 12 with the same modules that FreePBX uses because that “open source software” has not been provided. The new FreePBX 12 design requires a PROPRIETARY KEY in order to produce any modules for the FreePBX “GPL” platform. That includes any attempt to replicate the original FreePBX components. Bottom Line: You cannot replicate the same source code that FreePBX 12 uses in the Cloud using the tools provided by the FreePBX developers. And that is a no-no under the GPL unless the apparatus to produce and manage the original keys is also provided. The GPL requires release of the original source upon which the FreePBX platform operates, not a toolkit and not a reworked version using different source resulting in different modules. Providing proprietary tools to generate different source with different module components is NOT the same as original source code… as the GPL requires.

As one of our PIAF Forum users suggested, this design would make perfect sense for a proprietary platform such as the FreePBX Distro, and the developers would do everyone in the open source community a favor by migrating the technology there while restoring the original GPL design of the FreePBX GUI.[3]

Originally published: Monday, June 15, 2015  Updated: Friday, June 19, 2015   Epilogue: Monday, June 22, 2015




    1. Following publication of our article, the ads on Twitter from the FreePBX Community Manager were removed from public view, not exactly the Sangoma response we had hoped for. Now the GPL Source Code AND the ads are hidden. NEWS FLASH: The ads have now reappeared. Coming on the heels of this article, that would appear to be an official FU from Sangoma that they do not intend to release the module source components hidden in their CDN cloud.
    2. After release of this article, one of the FreePBX developers suggested that the GPL FreePBX Development Tools could be used to build your own Cloud component for FreePBX. There are several problems with that. First, these tools and their output are for development use only and were never intended for use with FreePBX in a production environment. Second, the tools require a (revocable) “key” issued by FreePBX. In and of itself, that makes FreePBX proprietary. Third, this key requires a user to sign a blank check legal indemnification agreement to cover all of Sangoma’s legal expenses (reasonable or otherwise) should they be sued for anything associated with that key. Without a key, unsigned modules (including those from FreePBX’s own GitHub source tree) would generate nasty compromised server messages in the GUI. So, no, providing a toolkit to build crippled source is not the same as providing the actual source code upon which FreePBX relies for proper operation, i.e. the XML and TGZ files hidden in the Sangoma Cloud which in Sangoma-speak is euphemistically described as their content delivery network (CDN).
    3. We will not get into the developer’s claim in footnote 1 that these FreePBX security breaches were not caused by “a FreePBX exploit” but instead were the result of an “unauthorized module installed on them that was named ‘Admin Dashboard.’” In point of fact, the unauthorized module was detected by some early users of FreePBX 12; however, the exploit that resulted in the introduction of the Trojan module was most definitely caused by a FreePBX exploit, an acknowledged security vulnerability “within the legacy FreePBX ARI Framework module/Asterisk Recording Interface (ARI).” It was that exploit that allowed the introduction of the Trojan module in the first place. As we have often suggested, this vulnerability never would have occurred if all of the aggregations including the FreePBX Distro had provided a locked down firewall as part of their distribution.

    This article has 3 comments

    1. So what recourse is there? What if Sangoma thumbs their nose at your argument?

      [WM: Love the nose joke. Stay tuned. It ain’t over ’til it’s over. –Lenny Kravitz]

    2. Great stuff, keep up the good work.
      But what if they do nothing? They are in breach of the GPL – but who is able to enforce that? Anyone with the object code (i.e. any user), or only a copyright holder? And on that, I had a quick look at GitHub, and although I could see a Licence file with GPL3 I didn’t see any copyright notices.

    3. People will come to them because it is easy to do so. The good money they make will be from support hours (they know their product better than anyone) and from commercial modules. Why don’t they make it more open and then they can even sell their modules anywhere such as you see Elastix do at addons.elastix.org ??? I guess they’re afraid someone would build a better commercial module and undercut them? Holding on too tight can actually be detrimental to the success they could see.

      Thanks for all this work – and please keep us posted on developments