IncrediblePBX Module

I’m only asking about this here since ClearlyIP is listed as the author of the module. How is this module licensed as AGPLv3 but completely obfuscated/encoded?

How does one get the code since this is AGPLv3?

You’ve got the source code. The fact that it includes hex/octal escapes and goto commands as part of the working source code doesn’t violate the terms of the AGPLv3 license as I read the terms of the license. It’s not encrypted. If you don’t like the way the functioning code is written, you’re free to make modifications so long as you comply with the terms of the AGPLv3 license. If someone delivers Mandarin code and you are only fluent in English, that’s not a source code violation so long as the Mandarin code actually works. That’s why AI engines came along in the first place.

The code is obfuscated meaning I have to run things to clean it up to make it readable and usable. That is violating AGPLv3 according to the AI you mentioned. The code as it is can be fine as that can fall under “Object Code” but there isn’t any “Source Code” which must be made available to the public.

If you’re providing source code that is intentionally hex-encoded, like:

"\x49\x6e\x63\x72\145\144\x69\142\x6c\x65\x20\120\x42\130"

Instead of:

"Incredible PBX"

Then:

• You are not providing the code in its preferred form for modification.
• You are obfuscating function names, strings, and logic.
• You are hindering users’ ability to audit or improve the code.

That’s a clear AGPLv3 violation if:

1. You are distributing the software,
2. Or you are making it available as a service (e.g., SaaS), and
3. You do not also make the unobfuscated source available.

So yeah, I have the code but I have to jump through hoops to make it in a form that can be modified. I have the right under AGPLv3 to ask for the source in its preferred form of modification.

Section 1 of the AGPLv3:

The “source code” for a work means the preferred form of the work for making modifications to it.

“Object code” means any non-source form of a work.

Section 6:

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge.

The Corresponding Source for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities.

Then Section 13 that would cover any modifications I would make:

Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network an opportunity to receive the Corresponding Source of your version…

To be clear, I am making a request per AGPLv3 for the source code which should already be available for me to access. I’d also request the module be made to be in compliance with AGPLv3 because right now, it’s not in compliance.

AI is not the final word on the terms of the AGPL license. I cannot speak for the Clearly IP folks, but as I read the terms of the license, the format of the delivered source code is in the discretion of the developer so long as the code, as delivered, “works.” In the case of PHP and in this case, the source code and object code are one and the same. It is executable as is. The fact that you don’t like the format of the working code is not in violation of the license requirements. And I am perfectly comfortable with the format of the delivered code which meets my needs as far as modification is concerned. To be clear, this is Clearly IP’s code, not mine. And, contrary to your assertion, it is being provided to me as the licensee in my preferred form for modification. If you don’t like the format, don’t use the code.

Ahh, so I should use AI to make all this work but I shouldn’t use AI on validating if it is a violation of the APGLv3 license. This has nothing to do with if I like it or not. In order for any modifications to be made, the code needs to be run through the wringer to make it so modifications can be made.

Once again, your feelings just like mine have, no bearing on if this code as is actually violates the AGPLv3 license. Just because you’re comfortable with it doesn’t make it right or a non-violation of the license.

Also, it doesn’t matter how we feel. Per the license I can make the request I made and it needs to be honored.

For the record, I never suggested you “use AI to make all this work .” THE SOURCE CODE WORKS AS DELIVERED. I was simply noting that AI was a good tool to translate Mandarin into English if that was your preferred language. To repeat… in this case, I’m perfectly happy with the source code as delivered because it works and it meets my requirements in terms of modifications. We flew to the moon and back using code written in hex. I’m perfectly comfortable with it now. Sorry if it’s not to your liking.

Tom let me look into this as we are the author but let me review agreements with Ward on who the copyright owner is and who would have to address any request made.

So just for clarification on all this:

1. The actual source code was written in hexadecimal and never once run through a function or process (like bin2hex()) to output the final code in hexadecimal?
2. That the hexadecimal code is “The preferred form of the work for making modifications to it.”?
3. The fulfillment of my request for the source code will result in the hexadecimal version of the code being provided as the source code?

Keep in mind that the final version being executable and working doesn’t automatically make it the source code.

PHP is an interpretive language. It takes source code, interprets it, and then executes it. Hence any PHP source code is, by definition, executable. Conversely, there is no such thing as binary PHP code. By definition, if PHP and humans can read it, the PHP source code can also be executed.

We will provide you with a version of the module in a programming language that even you can understand subject to the licensing restrictions and requirements of AGPLv3. Pay particular attention to the requirement that you preserve licensing restrictions and not publish or redistribute our trademarks or trade names with the provided code or any derivative work. We will also need written indemnification from you and any additional current or future recipients for both the authors and copyright holder of the provided material. If you are unclear of the specific requirements of and your obligations under AGPLv3, please consult with an attorney of your choice. So that we may send you the requested code, kindly provide a notarized indemnification statement together with your email address, name, and mailing address (not a P.O. box) at your convenience.

No, you need to provide it in the preferred form of the work for making modifications to it. So it if was coded in plain text PHP, you need to provide it in plain text PHP not hexadecimal.

AGPLv3 doesn’t prevent redistribution of code with trade marks or trade names. I can do this as long as I don’t mis-use or misrepresent the trade mark/name in any manner. If I where to do so, that would be a trade mark law matter not under the AGPLv3.

Section 10 of the AGPLv3 doesn’t allow for you to impose further restrictions like this. It also applies to the requirement of stripping trade marks.

“You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License.”

This is in violation of Section 6 and 13 which basically states it must be done automatically (when interacting over a network), or upon distribution without unreasonable conditions.

From Section 6: “You must make the Corresponding Source available in the manner specified…”

From Section 13: “…you must offer to all users interacting with the work … an opportunity to receive the Corresponding Source … without charge…”

I made a valid request under the license and your response is imposing restrictions that violate the AGPLv3.

By “plain PHP”, I assume you mean PHP without hex. That was what was being offered. This module was exclusively engineered for use with Incredible PBX and FreePBX. For the record, there is no such thing as “plain PHP” when it comes to module usage and design for FreePBX. The conditions imposed are not unreasonable. If you plan to use it for other purposes, we require indemnification. You have cherry-picked sentences in the AGPLv3 that you like and ignored the rest. As for trademark usage, you may use it on Incredible PBX platforms only. Any other use requires removal of our trademarks. I’d suggest you take my initial advice and speak with a reputable copyright attorney. You might want to run your theories by a trademark lawyer as well.

I want to take a minute to provide some background on the Incredible PBX branding module for those that have been watching this thread as bystanders. Why would we push back so hard on releasing what Tom calls “plain PHP” when we have been one of the major proponents of open source software for decades?

The short answer is that Tom has no idea how all of the pieces of Incredible PBX fit together. If his objective was to grab a free branding module that he then could rebrand and use for other customers such as hospitals or schools, then he is in for a rude awakening. The Incredible PBX module was considerably more than just putting a pretty face on the FreePBX GUI. At its core, the purpose was to move Incredible PBX users from the FreePBX module repository to the ClearlyIP repository where we had total control of which modules and what versions of each module were available to our users. For example, we do not provide the FreePBX firewall module to Incredible PBX users. It’s not because there’s anything fundamentally wrong with it. After all it was written by some of the same folks that now work for Clearly IP. But the Incredible PBX platform has always had a different security model than FreePBX. It’s based upon IPtables and whitelists. Only those on the whitelist gain SIP and web access to Incredible PBX servers. And we manage the whitelists and security with our Automatic Update Utility which also is an integral part of every Incredible PBX server. That’s a long-winded way of saying our “branding module” is closely tied to our security model. And, when you separate the “branding module” from Incredible PBX, you have a very insecure PBX platform because we still have complete control of the module repository for Incredible PBX users. Count the times FreePBX security has been breached and compare that to Incredible PBX. Our number is zero.

Here’s a simple example. When you buy a Tesla, you don’t own or control how Tesla delivers AutoPilot and Full Self-Driving components to your car. Those are exclusively in the hands of Tesla, and you can buy all the Teslas in the world, but you still won’t have control of the software running on your car. The same is true, of course, with virtually every automobile on the highway today.

So how does one use the Incredible PBX branding module and regain control of the modules available in FreePBX. The simple answer is to change the module repository back to FreePBX. Is it easy? Yes if you know what you’re doing. But then you’ve lost the key advantage of protecting your users from FreePBX module releases that cause problems. And there have been many.

I hope this clarifies why the Incredible PBX branding module should never be separated from or used independently from Incredible PBX. It also explains why we would not want our trademark emblazoned on a platform that lacked the security mechanisms that Incredible PBX users have come to expect. After all, that is our brand. And we will protect it.

I made a valid, friendly and civil request, as within my rights under the AGPLv3 license, for the source code. In return I have been met with pushback, hostility and language that could be construed as a form of intimidation and threats. There has also be major conflation on Ward’s part in regards to the AGPLv3, copyright and trade marks.

Conclusionary. I have a pretty good idea on how all of the pieces fit together. The biggest hurdle I had was finding where all those pieces lived since it wasn’t in a single place or in some cases a place that was still accessible. Don’t conflate me having to ask where things are available at as not understanding all the pieces. Clearly, I had enough understanding to go and look for the pieces.

Speculative and a bit threatening. You have no idea what my objective is so you are speculating my objective. I am curious though, what rude awakening am I in for?

All you needed to do Ward was ask what my objective was. You could have engaged me in a civil manner about all of this and I would have told you. For the past month I have been putting aside a few hours of my day, either early mornings or late evenings, in which I focus on open source work. I’ve been working on some of the tickets from the FreePBX issue tracker, I have been working on my own modules (Advanced Call Spy and a new one for HEPv3/Prometheus monitoring) and I have been working on streamlining, fixing and improving the IncrediblePBX 2025 (FreePBX v17 based) installer and tools. In other words, I’ve been actively working on contributions for your project.

While I’m only half way through the installer I’ve done quite a bit. The objective is to make it a more inclusive installer removing the need to grab a dozen pieces from various places including having to download and restore a year old backup for some things to be installed. Hence my request about the incrediblepbx module, I wanted to just see what it did beside just change branding settings and repo locations. I wanted to validate if it had any impact on things being installed during the installation process.

• Made it so IPv6 is just disabled permanently at the start. Doing a temp disable at the start and then doing a permanent disable at the end wasn’t needing when you can just do it once.
• Fixed it so the DNS setup is using Debian 12’s default method of systemd-resolved
• Streamlined the installation of packages needed for the install. There were instances of packages being installed twice in different apt-get install commands.
• While iksemel is only needed for res_xmpp and since gvsip/google voice is gone it may not really be needed going forward. However, it has been available as a package for 10 years in Debian. I added the needed packages to the package install command and removed the need for manual installation.
• Cleaned up the Asterisk install portion. Multiple un-needed make menuselect.makeopts existed and are not needed, removed them. Removed the pjsip-bundled and jasson flags as Asterisk automatically installed the pjsip-bundle now and jasson was installed via packages which Asterisk will use. These flags force installs that don’t need to happen.
• Making it so all the tools i.e. rootfiles and other confs are part of the inclusive install so they don’t need to be downloaded separately.
• The incrediblepbx module was being downloaded and installed twice. Removed the un-needed second download/install.
• Fixes for the fail2ban as it was creating directories instead of files, it was adding settings to the wrong config file and made it use jail.local instead of jail.conf for configuration/settings updates.
• Fixed the ARI username and password generation. Mis-spelling in the commands resulted in no random generation and the values be blank. So the ARI passwords have been set to a blank password for some time now as well as a blank username.
• Fixed a mis-spelling in the memory_limit update to php.ini, the sed command doesn’t match anything so the memory limit is never changed from the default.

Now that isn’t a complete list but covers a lot of what I done so far with the install script.

I’ve also made updates to add-ip, add-fqdn and del-acct. I’ve added improved validation that looks for proper IP format, currently you can pass 1.1.2.hello and it’s accepted. However, I have also merged add-ip and add-fqdn into one script. I have also made a new one that merges all three allowing fw-manager add|remove <name> <ip|host>

This also includes using netfilter-persistent to keep track and restore all the rules to survive reboots. Made some updates to the nightly checker too that runs to resolve any FQDNs in the firewall.

I also took the custom iptables script and created trusted-providers that allows you to add/remove IPs based on the provider. trusted-providers add|remove [provider1 provider2 | all]

Again, just some overview of what I’ve been messing with. I was hoping to have the first version up on github this weekend for review and testing. Even despite this clear and intentional push back from Ward in regards to my original request, I’m still doing the work.

Having dealt with your comments for many years, the words “valid, friendly and civil” aren’t the first adjectives that come to mind. Perhaps if you had sent me a private message on our support forum explaining what you were trying to do, things might have been different. But here we are, and my offer still stands.

P.S. You already have the source code!

That is irrelevant to the current request.

There was no copy right of Ward Mundy LLC in the code or the module.xml just ClearlyIP so no indication you were a copyright or holder of the original source. So are you saying if I had PM’d you directly you would have complied with the request without push back and barriers?

The offer that violates the AGPLv3 license?

This is very disheartening to see. I can’t believe the wild rationalization here in defense of not providing open source licensed code according to the terms of the license.

Honestly this kind of stuff is why it’s so hard to trust a for-profit brand. And I genuinely believe Clearly had done many great things for the FreePBX ecosystem, that’s not discounted. But this is so worng.

I may be misreading, but I think he’s offering to provide the unobfuscated version of the code to you? I.e. he’s offering, and you want, the “plain php” which just means preobfuscation, without the hex rncoding and goto commands? Maybe in in the heat of the moment this was misunderstood about what his offer is?

This has nothing to do with ClearlyIP, they are not the copyright holders or own of the actual module in question.

There are additional requirements being asked for to provide the code. That isn’t allowed.

Ok this thread is really off topic to TangoPBX. The module is built by ClearlyIP for the IncrediblePBX team. Since we wrote the module for IncrediblePBX I have talked with Ward. We agreed after a long talk that the ClearlyIP team is authorized to publish an updated module to be non randomized and it will be in the IncrediblePBX mirror system that is provided to the IncrediblePBX project for free by the ClearlyIP team. We as a group feel its in the spirit of the AGPL even though is not required and the TangoPBX branding module already does not randomize any of the functions from day one so it makes no sense for the incrediblePBX module which does the exact same thing to be randomized.