Sveriges mest populära poddar
Start / FLOSS Weekly / Episode 777 transcript

FLOSS Weekly

Episode 777 transcript

N/A • 3 april 2024
FLOSS-777

Jonathan: This is Floss Weekly, episode 777, recorded Wednesday, April 3rd. Asterisk, wait, faxes? This week, we sit down with Joshua Culp, the Asterisk Project lead. We talk about the Asterisk Project, its new corporate home at Sangoma, and then fax machines, and why we all still get spam calls. You don't want to miss it, so stay tuned.

Hey, it is time for Floss Weekly. That's the show about free Libre and open source software. I'm your host, Jonathan Bennett, and I've got David Ruggles with me today. Hey, David, how is it? Going good. It's good to have you. First time on Floss Weekly as a co host. Not your first time to co host with one of my shows.

And we, we brought you over for a very particular reason, and that is today's guest was your request. In fact, you've bugged me several times about this. Get, get this guy. This would be really fun. We need to ask about this one particular thing. And I agreed. I thought it would be cool. So I reached out and we've got we've got Joshua Collins.

Culp from Asterisk as the guest. And David Asterisk is something that you're familiar with, isn't it?

David: It is. I've, I go way back with asterisks into the early 2000s. I happened to actually get to go to Digium down in Huntsville. For those of you on the video, I am wearing the shirt. So I, I went there, I got the shirt.

And I've actually, I don't do as much with asterisks now as I did probably before. Five to seven years ago or so, it was the last time I was really into Asterix. Now I'm into the other sides of the Sangoma company. I sell and support Switchvox and stuff to some of my clients. But Asterix is, I just, I love the project.

I love the story behind it and I'm excited to talk about it. So yes, I'm a, I'm a bit of a fangirling today.

Jonathan: I understand. Oh, I, well, I've been, I've been around Asterix for a long time too, which might make this an interesting interview because We're both, we're both kind of insiders on this. There might be a lot of inside baseball that happens.

I'm, I'm going to try to channel my inner new, but so that we can get some of those basic questions out. But I don't know, I've been doing Astros for a long time as well. And like you, not as much here recently. And part of that, I think is because everybody uses cell phones these days and some other things locally have changed.

Maybe I'll get into the story of, of my attempts to get one of our local telecom companies to give me raw sip. It did not end with a good end. They were not willing to do that, but we almost got there and I would have rolled out so many asterisk boxes if we'd done that, but anyway, let's not let's not waste any more time.

Let's go ahead and bring our guest on Joshua, thank you, sir, for being here.

Joshua: Hi, it's nice to be here. Thanks for

Jonathan: having me. Yes. So we're talking, we're talking asterisk, and I'm not sure. Which way I want to go first. Maybe you can answer both of these questions in one go The the big question. I think some people are going to have is what what is asterisk?

I've never heard of this and then the other side of that question is how are you involved with asterisk?

Joshua: Yeah, so asterisk is these days a communications toolkit We're about giving People the tools to build cool things in the communication space that might be a call center that might be an omni channel solution that might just be phone system for a business in the cloud or locally.

Previously in the beginning asterisk was really centered around being a phone system, but over time, we've really changed into that communications toolkit perspective and personally I'm. What I say is the project lead basically means I make sure that the ship is pointed in generally the right direction.

So that's taking feedback from the community, from internally at Sangoma, from other places, and just figuring out Where we need to go next and one needs to be a focus and also the normal day to day stuff, like deciding policies and that kind of stuff.

Jonathan: And how, how long have you been with the asterisk project?

Do you, do you go all the way back to when it was the, the pet project for a Linux support company?

Joshua: Almost. So I think I came in around 2001 or 2002. Okay. Asterisks asterisk itself. As it's known today, actually came about in 1999. So a few years. A fun fact that not many people know the version of Asterisk that exists now is actually the second iteration of it.

There was one previously. That was completely scrapped where it had no configuration. Your configuration was C code. And if you wanted to change your configuration, you would change the C code and recompile. It's,

Jonathan: it's just like, it's just like Unix.

Joshua: Yep. So the current one was actually Asterisk NG.

But then it just turned into

Jonathan: Asterisk. That's, that's fun. And so we, we kind of hinted at it, but when Asterisk first started, before you got on board, it was, it was a part of Digium, I believe, and they wanted to do, they wanted to do Linux support, and they needed a phone system. Isn't that the way that story goes?

So

Joshua: it, Digium didn't even exist yet. It was Linux support services headed up by Mark Spencer, and he needed a phone system, like you said but did not have much money, and Mark is the type of person that he will code what he needs, and so he coded a phone system. There you go. Over time, it took over.

Yeah,

Jonathan: it's We had, I think we had Mark on Floss Weekly years and years ago, one of the very early episodes. And I think he said something to the effect of, it turns out it's more fun to play with phone systems than it is to do Linux desktop support.

Joshua: Yep. Not, not wrong at all there.

Jonathan: Okay. So my experience with Asterisk was building, building phone systems.

And like I said, during the top of the hour, when it was actually the local cable company started rolling out. phone service through DOCSIS, they would, they would give us an analog port on the, on the cable modem. And I went to, cause I, I was, I was fairly well tied into the company at the time. And I went to him.

I'm like, Hey, I know that's running SIP on the backend. And in fact, It's probably talking to an asterisk server somewhere on the back end. Can you let me get to that SIP directly? They're like, oh, I don't know. We'll go and find out. And they, you know, they talked about it inside corporate or whatever. And they came up to me, they're like, no, we can't do that.

And funny thing, it wasn't too long after that, that they started selling actual business phone systems where they would do the thing essentially that I was asking them to do. Which struck me

Joshua: as funny. Yeah, so additional fun fact. I'm gonna, I'm gonna have a lot of fun facts today. Yeah. Yeah, cable systems, at least they didn't, and I don't know if they do these days or not.

They didn't use SIP. They used a completely different protocol called MGCP, which was much more SIP places much more intelligence in the endpoint. So like a phone or a ATA to convert from SIP to Analog MGCP was much more lower level, the remote side controlling the end point being like go off hook and that kind of thing.

Why the whole cable world went that route? I don't know. It's the cable world. Fiber on the other hand does generally use SIP, thankfully, or not thankfully. Depending upon your opinion of SIP.

Jonathan: Well, SIP tends to just work. I do remember another experiment where I tried to make IAX, the inter asterisk exchange format, work between two different boxes.

I found out the hard way that you have to have, I think it was really, really tight timing to make that happen, and I didn't have the hardware to do that. Is that one of those things that's kind of fallen by the wayside, or is IAX still around?

Joshua: So, from a model perspective, IX does still exist. Some people swear by it, but most of our effort and time goes into SIP because SIP has taken over the world, essentially.

Yes. Yes. People, every day, whether they realize it or not, are probably using

Jonathan: SIP. Probably using Asterisk. People every day, I'm sure, are using Asterisk and don't even realize it, at some point along the call path. Do you have an idea of like how many asterisk installs there are out there and and how many calls get handled on them?

Joshua: So the only so from a project perspective, we don't have we don't report metrics or anything back The most I have is download statistics of what's grabbing tarballs and even then if they grab it from git I don't have visibility into that So from a downloads perspective, it's about 1. 5 million downloads a year From a calls perspective I should also add that's only downloads that doesn't include products that use asterisks, such as switch box or free PBX or other stuff or custom solutions or any of that from a calls perspective.

Not really, but. Still a ton. A ton. There you go. Yeah, I have, I can derive certain stuff internally because we do hosted phone systems, so I can kind of see trends and stuff that way. Voice is still very much alive. This

David: is the Floss Show, all about open source. And as we already said, I've used Asterix for a long time, but I've kind of fallen out of it.

Back when I was active in Asterix I was using a lot of Sangoma hardware. Their T1 interface cards and stuff. So I've always had a positive view and relationship with Sangoma from I guess, end user perspective. And I think it's very interesting to, from a distance, follow the transition as they have become the open source phone system company.

And they're really expanding into a lot of different areas. I'm going to start a star. They just purchased recently, which. We're not even going there. But

Joshua: I think that was

Jonathan: two acquisitions ago. Yeah,

David: that, that would not surprise me. And they definitely an M and a company mergers and acquisitions.

But one of the things that I've seen some that I'd love to, for you to speak to, if it's not unreasonable is there's been some concern in the open source community that Sangoma. It may not be quite as open source friendly as Digium was. I haven't seen anything personally, but again, I'm kind of looking at it from the 30, 000 foot view, so.

Would you be able, willing to speak to that?

Joshua: Sure. So from an open source perspective, from an asterisk perspective, I'll speak first absolutely nothing changed between Digium and Sangoma. If anything, we were given more freedom at times to just kind of do our thing. From a FreePBX perspective I've actually been helping to try to get them to be more standardized on open source and more friendly on open source standardizing processes and stuff.

And then as a company, our latest acquisition, I think was a company called, Do you know who Funality is? That's

Jonathan: a SIP provider, isn't

Joshua: it? Probably. Everyone's a SIP provider these days. The

Jonathan: name sounds familiar. We'll put

Joshua: it that way. We'll go from do you know who Netfortress is? Not offhand, no.

Do you know who Trixbox is? Yes. Okay, so that's all the same company. Okay. So our latest acquisition was actually, through a roundabout way, kind of the Trixbox company. And, As part of that, they have their own asterisk that they forked and made changes to and such. And from an open source perspective, we took those generally applicable changes and just made them open source.

We took their giant change set and picked out the parts that were generic and just made it out there so other people could use it. Including competitors. I know there's some competitors that took some of the stuff and just Used it for their thing. I'm fine with that. So we're still the goal my personal goal is I don't want to maintain multiple versions of asterisk.

So if I can open source everything I can,

so I don't hold anything back if I can. And I'm pushing that internally at Astracon. I forgot what I called myself. I think the overlord of open source at Syngoma just overseeing all that stuff and pushing it. And the same goes, I'm really going off on a tangent now. Also getting teams and stuff to contribute patches upstream and stuff as well.

So trying to do open source as much as we can.

David: That's very encouraging to hear. And thank you for answering that because. Again, it was kind of second party. I hadn't seen any of the issues directly, but anytime there's a big change, especially with a company as large and as diversified as Syngoma, you get a little bit of panic.

I mean, IBM and Red Hat is a whole different open source story that we are not going

Joshua: on. Yeah. I mean, to give a little bit more of a glimpse, I talked to the CTO weekly about open source stuff. We have an open source. Team where we all get together and talk about stuff, so that's awesome.

David: So in to kind of circle back to the IAX conversation from a second ago, I actually have infrastructure that I sort of tangentially support where we bring sip into it.

And then we have a whole series of asterisk clusters behind it, and we're using IAX between all the clusters. So we, we bring SIP in from all our external connections, but then everything in house is IAX. And it's because of that tight timing and stuff, so. We might convert to SIP at some point. We're also running older versions of Asterix behind it because it works and it's not exposed to the internet, so.

Joshua: Yeah from a conversion perspective, I'm going slightly technical here. At a larger scale E not E SIP should scale Better with packets. Just because of the threading model of X2 where it has to stuff you can't, you can't distribute the load as much in X2, but in SIP it gets more distributed.

Jonathan: So I am curious then about hardware support. Because Digium used to make some hardware, and I believe Syngoma makes a lot of hardware too. And once upon a time, it used to be a massive pain to try to take one of these cards and actually add them to an asterisk machine, because so much of the hardware, the driver support, was out of tree.

It was not actually in the upstream Linux kernel. And so there was, there was compiling. And if you updated your kernel, you had to go and compile again. And if you forgot, then you would get the 8 a. m. phone call after the thunderstorm because the server turned itself off and turned itself back on again with a new kernel and nothing works anymore.

Have we gotten, have we gotten any better about this? Is asterisk hardware actually upstreamed into the Linux kernel these days? No. Ah,

Joshua: Hardware is a dying. Hardware is a dying thing.

what's It's, it's what it's turned into is just using. SIP gateways instead of appliances. I suppose that's what, that's what most people do these days. They just set up a box and generally just forget about it unless something breaks, which usually these days is upstream PRI problems.

Jonathan: Yeah, that, that sounds about right.

Joshua: Makes a lot of sense. Plus it means also that you can send it up. The cloud. I hate saying the cloud into hosted instances elsewhere. Someone else's

Jonathan: computers. Yes Did the idea of running your own hardware die because the driver's problem was so bad? Is that what caused that?

Joshua: From a hardware perspective

Jonathan: you mean just from an end user perspective like if somebody wants to build an asterisk box.

Why, why did people move away from, you know, buying a four port FXO card and slapping it on a PCI bus?

Joshua: Multiple reasons, I think. One, it's becoming harder to actually Get lines and stuff from upstream carriers from a phone's perspective, the cost of SIP phones has gone down and then the experience can generally be better than an analog phone.

Which is why ATAs kind of also came down in price. So it's like deal with the kernel driver, have it in there. Or just buy a however many dollar ATA physical appliance and just go from there. There's also cases in like hotel rooms and stuff where you need a lot of them. And so it's easier to do an appliance in that case instead of a physical card.

Or multiple physical cards. So I will

Jonathan: tell you the thing about this answer that drives me nuts. Those physical appliances are little computers running Linux and maybe running Asterisk. So we have the exact same problem. It's just, I guess it's just managed by somebody else instead of the end user now. I would still, I would still like to see drivers go up into the upstream kernel, but I guess it's not always practical.

David: To speak to that briefly. I mean, first off, I agree from an open source perspective, drivers upstream is always a good thing. But one of the benefits that I have seen personally by splitting it out is lightning and damage issues. We used to regularly lose. FXO, FXS ports beat from close lightning strikes and sometimes the hardware they were plugged in, whereas a relatively self contained, less expensive gateway, I can sit out there, isolate it, and if it gets fried, throw another one in.

Jonathan: This is true. All right, so we, we've talked about kind of Asterisk as a business phone system, but it sounds like that's not necessarily the the real focus anymore. When we talk about Asterisk as a toolkit, what, what things have we added besides just, you know, routing phone calls to, to really kind of make it a toolkit?

What's, what are the new toys?

Joshua: Ah, the new toys. ARI, ARI, ARI. ARI stands for Asterisk REST Interface. which is essentially a simplified. I don't need to know that much about telephony to write telephony applications. A goal is to make it as simple and self contained so that people don't have to worry about the internal workings of the asterisk or C code and stuff.

But still give the primitives to build cool things. So an example is I'll go back a bit. So it uses HTTP requests and a WebSocket WebSocket gives you JSON based events, events like someone pressed a key. So a DTM key a call went into your application, and then you have easy rest interface to control that call.

So you might say, you might say slash answer to answer the call. Or slash playback to start playing back an audio file, or you might have a bridge to connect multiple things together. One of the cool things about the bridges in ARI is if you put in more than two, it just becomes a conference bridge.

If you take the third one out, it goes back and optimizes itself all behind the scenes to be more efficient. And so it gives, it, it takes, Or it gives outside developers an easier way to extend asterisk without knowing C. Got it. One of the reasons we did this was actually kind of selfish. It was for Switchvox, one of our commercial products.

They wanted better call queuing and writing a call queue in C is not the best because call queuing at its core can be considered a lot of business logic. And so we made ARI to give them the primitives to. Right. A call queue in JavaScript, which they did. And that allowed them not as asterisk developers as basic telephony, understanding people to.

write a call center queuing application and they were able to easily add in skills based routing and all that kind of stuff. So that's where stuff has gone towards. There's also other cool things that that means, like you could do multiple asterisk, asterisk instances and have a, ARI application that spans across all of them.

So you can connect things together. It's just lots of cool stuff

Jonathan: making it moving that stuff out into JavaScript instead of C keeps asterisk out of the news for Getting getting owned by you know, insert hacker from foreign country here because you're Your business logic people that aren't great C programmers had to go in and write terrible C.

Whereas doing it in JavaScript sort of keeps you

Joshua: safe. Yeah, it's JavaScript is just one language. You could do it in Python if you wanted. Go Rust. Yeah,

Jonathan: okay. Yeah, so I suppose the fact that it's The fact that it's just REST and WebSockets, anything that supports HTTP calls and WebSockets, you can write it in.

So you could do it and see if you really wanted to. If you really, really wanted to.

Joshua: Yep. The other nice thing is because you're using, you're using outside languages, you can leverage outside. SDKs for doing things. Like the latest thing that we kind of foresaw or expected what happened, the whole AI boom like three or four years ago, we added the ability to send media in ARI out to the ARI application where you can then use an SDK, like.

Google or something else and just pipe the audio in and go from there So you text to speech it and then take that result and ship it off to chat gpt if you want All without having to touch asterisk or the c code

Jonathan: It's cool. And I hate it at the same time.

David: So speaking of ARI I've got a bit of a throwback question again, because it's been a while since I've been digging around at source level. But back when I was extremely active in Asterix we had a module called external IVR. And it was specifically designed because you could, if you had long IVRs, where people were keying ahead, they already knew what questions were coming and they were just punching in answers, you could lose touch tones in there.

Does ARI, does ARI solve that

Joshua: issue as well? Yeah. It shouldn't skip DTMFs or anything. What you do with those is up to the AR application, but there is a guarantee that it is serialized and you will get them all. So they do come in order. Awesome.

David: And then a second question completely unrelated to that, but we've been taught everything we've been talking about to this point is voice and DTMF.

Does Asterix talk SMS, MMS, any other traditional. Phone type communications.

Joshua: So there's an answer. SMS and MMS from a implementation and standards perspective is. Complicated and messy at times.

Jonathan: Some

Joshua: implementations are better than others. So there is, there is technically the ability to send and receive text messages over SIP, which some providers do use for SMS.

Generally these days It's delivered over webhooks and using a REST interface instead. So those don't have direct Ability within Asterisk to do that. From a company perspective that's what we do. And then we use SIP as a notification mechanism to say, Hey, something came in so that we don't have to maintain a persistent like web socket or anything.

We just send it over SIP. Makes

David: sense.

Jonathan: Ding. Check your messages.

Joshua: Basically. The way it works is yeah, it comes in, it goes into the dial plan. And then in the case of FreePBX, it executes An AGI that goes and queries the REST interface.

Jonathan: Back when I was actively trying to sell asterisk based phone systems, one of the fun things that I would tell customers is I would, I would, I would, I'd really play up the idea there.

It's based on asterisk. It's, it's super configurable. We can do it. We can do anything you want to. We can make it, call you up and sing happy birthday to you on your birthday if you really wanted to. And that's always been one of the things that I've done. I mean, still to this day, I think it's cool about the Astra system is basically anything that you can dream up, you could make the thing do because it gives you the ability.

I mean, back in those days, I was just building stuff right in the dial plans, but you could, you could make all of that stuff work. And I kind of assumed that as, as you go forward and you push into kind of these new arenas that's beyond just voice, beyond just phone calls. That's still sort of one of the guiding principles, isn't it?

That you want to, you want to make this as modular and configurable so that whatever crazy thing a business or an individual has, they can, they can make it happen with Asterisk.

Joshua: Yep. And the other thing is we're not afraid to just be a component in a larger system. We can't be everything. do everything to everyone and do it well.

It just doesn't end well. I value the stability we have and not having critical issues occur at night. So that, that's something there's a balance there, but we try our best. Yeah.

Jonathan: So we talk about, we talk about voice. I'm assuming Asterisk can play with video as well, can't it?

Joshua: Yes, yes, yes.

These days it can. What does that look like? I mean, it's video. It looks like pictures. Ha ha! Lots of pictures at once.

Jonathan: Yeah. So are we doing, are we, are we doing, do we do video over SIP? Is this RTSP? Like what, what, how, how does this work?

Joshua: So the WebRTC RTSP. I remember when, side tangent I remember when I was at a WebRTC conference, one of the first ones, people were like, WebRTC will replace everything in two years, including our, including our cell phones and desk phones.

Here we are. Context for people who may not know. WebRTC is a set of standards for the web browser to allow. Web pages to do real time communication. It uses underneath the hood, some existing voice over IP standards. They just kind of mudged them together and then made them more complicated at times.

And then made interesting choices such as. Yeah, there's no, they didn't define a way that you actually exchange the information that's left up to you. It gets messy real fast. So our implementation was based on that allowing multi party. Conference bridges to occur using WebRTC clients and within Asterisk that required adding support for having multiple video streams because we didn't, we didn't have stream support before we just assumed one audio, one video when you're in a multi party, that's not true anymore.

And then from a SIP perspective, it was adding all the WebRTC stuff. So it essentially allows you locally to hold a multi party video conference in your browser.

Jonathan: Yeah. One of the real fun things about WebRTC is you can use whatever codec you want to so long as it's H X, X264 baseline. That's

Joshua: the one.

There was a, there was a long argument about whether H. 264 was supposed to be mandatory or not in WebRTC. Yeah. For a period of time it was not going to be.

Jonathan: I know there is a there's a development effort over at Google right now to add x265 support. To WebRTC and I am I'm sort of looking forward to that and I'm hoping I'm hoping against all hope that they they do it in a way That's not quite as brain dead as the x264 support.

So and I'm sure I'm sure you know this Being one that's played with it. In Chrome and in Firefox, there is an entirely separate code path for handling WebRTC as opposed to all of the other video handling. And I know this because one of the other projects I'm involved in, we tried to take feeds from security cameras and use it with WebRTC and throw it to the browser for, you know, basically real time viewing.

And unless your security camera has a specific x264 baseline option, the browser is just like, no, we're not going to play with that.

Joshua: Yep. This is also slightly extending in over to, um, Twitch and stuff with whip, if I recall correctly, they require very specific H264 attributes to work properly.

If you don't, then nope. It just doesn't play. Yeah, I think it's a profile ID has to be, I think they're, I think they're literally doing a string compare.

Jonathan: Probably. In that project, one of the hacks that we added that makes it work is you can just override the profile ID with the one that works on your, on your camera feed.

And sometimes that makes it work.

Joshua: Yeah. Codec negotiation.

Jonathan: Yeah, it's always it's always been a pain though I know I assume you guys have you guys have fought with this too trying to make various things work in asterisk

Joshua: Oh, yeah, and along with varying Interpretations of standards and spec.

Jonathan: Oh, yes, that is that is always the that is always the fun part Is there anything else that's new?

We talked a little bit about Kind of this idea of call centers, like what had to change in Asterisk to be able to go from, you know, a hundred phones in a small business to a full blown call center, or maybe multiple call centers tied together? Like what, I'm sure there were some challenges there.

Joshua: Yeah, so all that ARI work and then profiling around that.

We essentially put in a, Message bus, an asynchronous message bus inside of asterisk. Previously, a lot of stuff would just synchronously do things in critical paths. Like, like it's sending voice and it's also writing it to a text file in the same thread, which is generally not great because you want voice to generally milliseconds.

What could possibly go wrong? This guy, Oh, is a little out there. So there's a lot of optimizations around that. And then just more flushing out of ARI to ensure that it has all the functions it needs, because like in a call center, you need to monitor the state of phones to know if they're available, they're on the phone, they're not on the phone.

All that kind of stuff. It's worked well. And community doesn't currently use ARI, but I'm pushing them too. But Yeah, they are a, so you're going off a tangent now, they're a multi tenant, multi Asterisk Kubernetes based VoIP platform. So it scales up and down. So they were leveraging their knowledge and the issues they ran into to, in the future, more refine and improve Asterisk in that regard too.

Yeah. It's different different problems for different areas.

Jonathan: Yeah. Different problems at different scales too. Like the, the, the issues that we would run into doing a, a business phone system are just completely different from trying to do that sort of a deployment. Let's talk about security for a minute.

And when, when David was asking about Sengoma as kind of the new corporate overlord, one of the things that I couldn't help but think about is, no matter how bad company is at managing open source, It's better than having a young developer named Giatan come along and, you know, help out until you finally make him a co maintainer and then he pushes a he pushes a malicious backdoor on one of your releases, like no matter how bad Sangoma messes it up, it's not going to be that bad.

Joshua: I mean, you'd hope. Never say never.

Jonathan: Well, I mean, I suppose, but I honestly, I can't imagine that. I can't imagine a serious company making a goof that, doing something that malicious. Or a mistake that would have quite the same repercussions. And for those that don't know, it's the open source library XZ.

A, a developer, Jia Tan, who is almost certainly not a real person. It's Probably a three letter agency from some country came along and volunteered to be a co maintainer and finally got the co maintainer position and then added a backdoor in XZ that adds a backdoor to SSH. And thankfully, a Microsoft engineer, this is hilarious, a Microsoft engineer caught it because SSH logins were taking an extra 500 milliseconds.

And It's hilarious. It's like, he must not have been on the teams developer group. If 500 milliseconds was enough to stand out to him, like all of, all of the jokes at Microsoft's expense are hilarious to me around this. But at the same time, the dude is an absolute hero for finding it. But anyway, so this, this was this thought that came to mind.

Sangoma is, Sangoma is better than that. Like, even if there are problems, it's better to have a corporation come and take over. Rather than asterisk fall down that sort of rabbit hole.

Joshua: Yeah, so I'll talk somewhat about how it works. So there's only technically three people who have direct commit access.

I think I'm one of them, but I've never used it, I don't think. And then I think George has it, and then I think that might actually be it. Just because one of my philosophies is we should never commit directly, everything go through code review. We're not immune from that. Sure. The same stipulations.

And we don't, there's no, we don't do code main, we don't do co maintainers or anything of a project as a whole from outside the company. That I have trust if I can, I have the ability to see who you are and stuff inside the company. I trust that more. So otherwise there is an elevated role which allows people to triage issues and stuff.

But otherwise everyone's treated equal.

Jonathan: You know, that, that idea that you're, you're only maintain maintainers are only allowed to be from within the company a month ago, I've made a found that a bit onerous. But suddenly that seems like a really good idea

Joshua: Yeah, it's just it's the way it's always been and I I personally don't see a reason to change it I also would not wish the responsibility of maintainership on anyone else

Jonathan: Yeah, I I get that. I assume there have been security security vulnerabilities over the years are there Are there any that really stick out as having been particularly noteworthy?

Joshua: None that immediately come to mind You I think there were maybe a handful of cases where a packet could crash asterisk. And I think one of those was in a really obscure protocol for Cisco specific phones called SCCP, which hilariously is not technically a Cisco protocol because it actually came from a company that Cisco acquired, which is amusing.

But yeah, we're completely open with our security vulnerability stuff. We publish. Security vulnerability reports. And this is something from going back to Syncoma and open source, this is something I'm also working on from a company perspective to standardizing our process, bug bounty program, all of that across the entire company, products, services, infrastructure, everything just to make it more open.

Jonathan: Yeah, and just to be clear, I was not, I was not taking a swing there at Sangoma and how their open source works. I was just, I was just making, making the point about how it is infinitely better than having, having the problem that the XC project did. You can take

Joshua: swings if you want, it's fine. Well,

Jonathan: I, I am not afraid to do so if I think the, the situation warrants it, but I have not seen anything at this point that warrants it.

I do know, kind of pulling on the security thread for a moment longer I do know that one of the problems people used to have is where they would, they would accept SIP calls from the outside and they would have, you know, essentially a weak password protecting that. It would get found and then suddenly you have a, essentially an open, or sometimes literally an open SIP relay.

And On the internet, open relays on the internet is a bad thing and you know, I, I imagined spam calls would get routed through that, but you also had calls going out to, um, to, to toll numbers where you would suddenly find several hundred dollars of, of toll calls on your bill. Is that still a thing

Joshua: that happens?

Oh, yeah. Oh, yeah. Still a thing. Yeah. Still a thing. Internally, I hang out in the trunking channels which are sip trunking channels. And yeah, it's, it's still a thing still showing up. People are either the more more common thing these days is finding phone provisioning files that are open over TFTP or some other mechanism and then grabbing the username and password from that.

And also weak usernames and passwords on web interfaces is also a common thing. Like trying to brute force these days, stuff is generally locked down enough with like fail to ban and other stuff that stuff gets caught fairly quickly that way it's the other mechanisms.

Jonathan: Yeah, that's a good point.

So is it generally these Either unrestricted or where, where a, via TFTP, one of these files has gotten leaked. Is that why we get calls about our vehicle's extended warranty? Is that how we get those calls?

Joshua: Oh no, I'm going to rant about this. Let's see, do we

Jonathan: support

Joshua: rants? Who wants to talk stir shakin Oh yes,

Jonathan: oh yes.

So give us the background first. I, I sort of know what you're

Joshua: talking about. No, I don't want to give a background. I don't want to give a background for someone to ask you. What do you think Stirshaken is and what is it for?

Jonathan: I, isn't that a, a law that got passed that basically said you're not allowed to, to send spam phone calls?

Am I thinking about the right thing?

Joshua: Not exactly. Okay. David, are you gonna take a stab or do you just know?

David: As I commented in Discord. I'm quickly Googling, so that's cheating.

Joshua: It is cheating. So I, I will say what stir shaken is stir shaken is a mechanism to assert your authority to use a phone number for your caller ID or basically a level of trust, so there's three different levels, a, B, and C.

A means. Yeah, this person is totally in their right to use this phone number. B is I know them as a customer, but I don't know that phone number. So maybe, and then C is nope. I don't know that much. You may have noticed I'm did not say anything about spam calls. And that's because. It doesn't really stop spam calls.

It just stops using random caller IDs. So it doesn't, it helps to a degree. The problem is that spammers. Are just getting phone numbers that give them a stir shaken rating of a or b And so it's still making through the whole stopping spam calls thing is a separate thing about the reputation of phone numbers Where stir shaken plays a factor but other information about the phone numbers is needed to make that judgment Essentially, so we've gone through all of this work Which is continuing to change and isn't really deployed across the world or enough.

And here we are.

Jonathan: It is very reminiscent of some of the schemes in email to stop spam emails like SPF. Actually, it sounds very much like SPF to me.

Joshua: I'll also say this. On a Starshaken call, you receive an HTTPS address that you then have to retrieve.

Jonathan: Oh, what could possibly go wrong with that?

Joshua: To get the certificate used for that call.

Because it is certificate all, it is all certificate based. So, yeah.

Jonathan: So, are we just stuck with spam phone calls then? For the foreseeable future.

I, I know, I know they've thrown a couple of people in jail for making millions of spam phone calls. And that seems to maybe have helped a little bit, but, I don't know, it'd be nice to be able to find an actual technical solution to

Joshua: it. Yeah, so one of the things about star shaken is it doesn't embed an identifier that you can submit to the authorities and they can trace it back and then go after the originator.

Which can help. Yeah,

Jonathan: David,

David: I was just going to ask. I've noticed on my personal cell phone over the last 66 months, a year or so, it started telling me likely spam call. Is that stir shaken in practice? Or is that just something that cell phone companies are doing or something?

Joshua: Both it can be stir shaken, but some cell phone companies are paying reputation companies to provide a reputation score for phone numbers so they look at like how They I believe they have honey pots and stuff that identify the frequency of the call use Where it's going and that kind of information and then you can derive kind of an intent behind that.

However, spammers are now catching on and rotating through phone numbers faster so that they don't reach whatever magical threshold to be considered Potentially spammy.

Jonathan: Yes, it is it is disheartening how many parallels there are between phone call spam and email spam Seems like the exact same sort of cat and mouse game Fun.

So something else that we still have to deal with are faxes Faxes are still a thing, aren't they?

Joshua: Faxes are still a thing.

Jonathan: Asterisk has to handle faxes and Sip does not like faxes Does it?

Joshua: How do I answer that? FAT SIP does handle faxes. However, the various implementations of doing so may or may not handle faxes.

Are we sensing a theme here when it comes to SIP? It's all about the implementation. I mean, that's just

Jonathan: a theme with technology in general, but yes.

Joshua: Yeah. So disclaimer, Sangoma has a faxing product. It works generally good, still sold. It's, it's still pains me every time. It's still. A big thing. Fax is still big.

I think it'll be big until the heat death of the universe. Yeah

Jonathan: All right. So here here's the question of all of the faxes that get sent What percentage of them do you think actually has a real fax machine on one end as opposed to? a digital service Making a fax to another digital service

Joshua: actually a lot.

Oh, you think so? Okay. Yeah. Yeah Doctors offices medical practices. They they use tons of fact like physical fax

Jonathan: machines. Yeah. Yeah, it's true It's true. So what's the what's the problem? Why are why are faxes hard when you digitize and then packet eyes them? Why doesn't it just work? People's voices just work.

Why don't faxes just

Joshua: work? Two reasons. One, if you're doing purely as audio, then they're not as tolerant to jitter and packet loss as we are as humans. And so that throws them completely off from a from a, so there is a spec called T38 loose spec

Jonathan: as such things are

Joshua: implementations reflect that which actually turns it into underlying they call them UDPTL packets to transport the raw fax information that generally works fine.

I would say 99%. So it's, it works as good as fax can. I will throw in an additional fun fact though. There is also a specification for doing modem over IP. In SIP. Oh, fun. We don't support that. My second, my question though, why do you think it exists?

Jonathan: Because, no, I can tell you, I can tell you probably why it exists. It's because you've got remote hardware, like network switches sitting in Network rooms around the world. One of the places I get to work on these is in hotels. So you'll have an MDF in a hotel and there's a network switch or some kind of a phone system even, and it's got a serial port on it and it's got an old, the whatever.

Robotics modem sitting there connected off to a phone line and there's a really good chance that that phone line goes over SIP And they want to be able to remote dial into it and use the modem to be able to get back into their phone system Or network switch or whatever when something happens to the IP address and they can't get into it that way

Joshua: That's one of the reasons the second might surprise you.

Okay, it came about during an age where credit card IP

Jonathan: That would be the other one that makes sense. Yeah,

Joshua: and they were like well Modem over IP anyone? Doesn't mean it's a good idea.

Jonathan: Yeah. Yeah. Does it ever just, do you ever just sit and stop and think like, take fax machines, for instance, like the, the level of abstraction we have to make this work.

So you start out with an analog piece of paper, you put it in a fax machine and it digitizes it. A modern, modern fax machine will digitize it and then converts it from that digital signal back to the analog. And then when it hits the next device, it gets converted from that analog fax signal back into digital via T38.

It goes out over all of the different, again, layers of abstraction to go from end point A to end point B. Goes back to analog. back to digital in a fax machine, and then back to analog at a printout. It's just, it's mind boggling sometimes. And this is not the only place in technology where this happens, but I think faxes are one of the great examples of it.

And just the, I don't know, is it, is it ludicrous? Is it crazy?

Joshua: I mean, I think it's amazing it

Jonathan: works. Also true. Also true.

Joshua: No, that, that stuff doesn't faze me. It's, because fax, fax while still being used is not as common as just calls. What perplexes me and I just have to like just stop sometimes just shake my head is SIP as a standard has been interpreted in different ways.

So I'm amazed sometimes that stuff can just talk to each other. And I will give an example without naming a provider. There is a provider with about four different implementations of SIP, some of which can't even talk to each other. And I'm just like. It shouldn't be that way. How did, how, how does this even

Jonathan: How did we, how did we get to this place?

Okay, so. Somebody wants to get started with Asterisk. And I, I will, I will say The, the barrier for entry for Asterisk is actually really low. You can run it, I'm sure, on a Raspberry Pi. You can run it on a virtual machine, on your desktop. But what, what are some pointers that you would give someone that Finds this fascinating and wants to start playing with it.

Joshua: So www. astros. org. There's some info there. Our main documentation site these days is docs. astros. org. And a project that we did a few years ago was called super awesome company which is like a pre created, pre formulated project. Set of configuration files for an office with fictional people, common functionality, that kind of stuff.

So if you're leaning towards more of a phone system perspective to get your feet wet that's a great opportunity. You can use a physical SIP phone or a actual clients on your desktop or WebRTC, but do not do WebRTC cause. We should talk about WebRTC. And then from like a developer perspective, there's some tutorials on the doc site as well showing ARI in some different ways, like interacting with calls, connecting them together, that kind of stuff.

It's basically pick what you're interested in and go from there.

Jonathan: Yeah, super interesting. I'm, I'm curious Well, I'll let David get a question in first, and then I want to ask about the direction that Asterisk is going in the future. So this

David: might be a decent precursor to that question. What are, if any, the big or small Asterisk competitors out there, and how do you compare?

Joshua: So there's FreeSwitch, FreeSwitch and technically Yates still Camaleo, you, I mean, Camaleo is iffy iffy. To be quite honest, I don't focus on any of them. I just listened to the community and stuff. So that's one of the times I said, I don't know these days. I know some people who have moved from free switch over to asterisk and said, we are actually ahead in the areas they care about.

Which is nice to hear. Yeah. Yates, who remembers Yates? Do I have their view? The name

Jonathan: sounds familiar, but nothing more than that.

Joshua: Yeah. So it was a, it was another Communications tool, kitty kind of thing that kind of went in the direction of, um, BTS what

Jonathan: radio it stands for, what radio ones it stands for, what?

Yet another telephone

Joshua: exchange, yet another telephone engine, I think. But they went in the direction of doing software defined radio for mobile. And then Camellia and OpenSIPs are not really communication toolkits or phone systems. They're SIP proxies, so they are more, vastly more efficient at moving SIP traffic around and that kind of thing.

David: So do you still see implementations where you put Camellia or OpenSIPs in front of Asterix to handle that, that SIP? Proxying and then Asterix actually handles the all the

Joshua: rest of it. Yeah. So from that perspective, a lot of people tend to treat Asterix as a component for doing media based stuff the application side, and then they offload more of the general SIP stuff to Camalio since it's just more efficient at doing that.

At a higher scale. It also allows you to load balance and stuff.

Jonathan: So that is actually a really great, great segue into what's, what's coming next for Asterisk. What are the things you guys are looking at and working on? What, what new features can you hype us up about? Can I

Joshua: hype

Jonathan: you up about? Yeah, come on, hype us up.

Let's get some energy in here.

Joshua: Hype us up? I'm not a hype guy. I just do stuff and things. Or tell people to do stuff and then yeah I'm really trying to leverage the knowledge and information we have from I tell you guys it was community. That's the whole tricks box thing. The platform is called community, which is a headache for me because you have community and then you have the asterisk community.

So now I'm like, I'm doomed on naming. Yes. So their scalable up and down thing. I'm trying to learn as much as I can about that. To more flush out asterisk in that area to make it scale more to add missing functionality. One of those would be a tenant identifier. Which is a real simple thing to just tie channels and calls to a tenant.

So you can have more information and events about what tenant a call relates to. We don't really have that kind of thing currently. But they leverage it heavily. I also want to more flush out our external media, which is the ability to send and receive media to ARI stuff. Right now that's very VoIP ish and not very web ish.

It's RTP packets, UDP RTP packets back and forth. I want to shove that over a WebSocket and just make it easier to send media back and forth. And then everyone ready to take another drink? AI, AI, AI! However, my goal isn't to shove AI into Asterisk. It's just to give the tools to make it easier to integrate outside of Asterisk.

So like, we did a demo at Astercon, which should be on YouTube. And was very annoying at the time we were doing live transcription as me and my colleague, Mike were presenting. And so we were just talking, it was just live transcoding or live translating, live, whatever, over on the other screen as we're talking.

And so I glanced over and saw myself. Speaking in tech and then promptly went, I can't look at this. Your brain just shuts down. Yes. Yes. Yes, it does. So more easily facilitating that kind of stuff. Cause I, it's no, it should be no secret. is something we're looking at, too. Sure.

Jonathan: That is actually a, a good question to ask.

What is, what is Astracon and when is it next?

Joshua: Astracon. Ooh, marketing spiel. Astracon is the Asterisk users conference generally happens once a year where we get together Have presentations about various things talk about stuff. We usually have a developer conference beforehand where we bring up our qualms, quibbles and talk about improvements and stuff.

I can't say when or where it is because I don't know yet. It's been Fort Lauderdale the past few years. Maybe it'll be there again. Maybe it won't stay tuned. I should also add Our videos, our presentations were recorded. And once this is done, I'll pop it into discord, the link to that playlist.

So even if you didn't go and you're curious, you can peruse. I did a two or three talks. I've already forgotten. I did a talk on external media for transcription purposes. And I did a asterisk over the past year. Like what we did some of the hints of what's coming up, that kind of stuff. Yeah.

People can take a gander there if they wish. All right.

Jonathan: We are getting close to the end. David, do you have any final questions that maybe one final question you want to get in?

David: Absolutely. I've got one final question that kind of goes back to Sangoma as a whole. Especially with all the mergers and acquisitions is Asterix Sangoma's core.

And as they're bringing in things because I'll pick on one thing that I know about personally you've got switchbox cloud and star to star and there's kind of a broad overlap of functionality there with switchbox cloud being switchbox. I assume is asterisk based Star to star being an acquisition.

I assume is not but I don't actually know are you migrating everything that you're merging? and acquiring To an asterisk core if

Jonathan: it's not already. I'm gonna, I'm gonna jump in and make a quick guess and I can be entirely wrong and that's fine. The name star2star makes me think that it is something to do with one asterisk talking to another because the asterisk is a star.

Go ahead.

Joshua: Star2star is an interesting case. I think they were asterisk and then they were something I don't know what they're currently on. I've lost track to be quite honest. But going forward I would expect our acquisitions to be, well, I hope this is a push at least to be asterisk in some way.

So, community is a purely asterisk they are currently on a forked version of asterisk, but I try to reduce that delta, as I've said before switchbox also on asterisk, as you know, they are quite literally don't have a fork of asterisk. They're not special. They are on certified asterisk. From a existing product perspective if it makes sense and there's some benefit, then it is always evaluated.

And then going forward for like new products that may, or new products and new services, our favor is always asterisk, if it makes sense.

Jonathan: Yeah, all right. So maybe the hardest question we've had, because you've got to do some set math in your head, you have to think about all the things you wanted to talk about and then compare that to what we have talked about.

And so the question is, is there anything we did not ask you that you wanted to make sure and cover?

Joshua: I wanted to rant about WebRTC.

Jonathan: I think we got a, at least a small rant about WebRTC in. I ranted a little bit about WebRTC,

Joshua: goodness. I was not a rant about WebRTC.

David: I don't know. Do we have enough time

Jonathan: for a rant?

We have, we have enough time for a very short rant. If you want to give us a couple of minutes

Joshua: worth. Okay. I don't know if it'll be a rant, but a caution. Okay. For anyone who watches slash listens slash is watching this right now. If you ever decide to delve into WebRTC, know this. It is relatively easy.

To do the demo stuff of making a call between two things that is vastly different than creating something that goes into production, because there are very many layers to WebRTC and many standards and specs, and it is not a question of. If it will fail, it is a question of when it will fail. Hotel Wi Fi being a very good example.

And then you need to know those specs in order to figure out what happened. Additionally, SIP and WebRTC embed IP addresses in the signaling, meaning if you opt for the cloud, such as AWS, which is a NATed environment, And you're actually, your asterisk or other WebRTC platform is on a local IP address.

You need to ensure that You configure things such that your public IP address goes in the signaling or else you will have no audio I'm i'm

Jonathan: my ptsd flashbacks from working on this are coming one more thing with that is the browsers Google will make some security change and not tell you about it and it'll break all the things for a while what mdns for a while our stuff was broken because of mdns.

Yeah, that was fun. Oh goodness Okay, so final questions I want to ask quickly What's the weirdest and most surprising thing you've seen somebody do with asterisk? Where's, where's the place that you've discovered it that surprised you the most?

Joshua: That I can talk about?

Jonathan: Well, yes, that you can talk

Joshua: about.

I can't give names, but at least one, one tax agency in the world uses it. Which I had mixed feelings

Jonathan: about. Yeah, yeah, I was just thinking that.

Joshua: But, that was nice.

Jonathan: Yeah, fun, fun. Okay, so, final two questions, and these I have to ask. I'm, I'm basically contractually obligated to ask, or people will, will send me mail about it.

What is, you personally, your favorite text editor and scripting language? Ha, ha,

Joshua: ha, ha. Text editor Sublime Text 3. Okay. I have a paid for license. Cool. Scripting language, define scripting language.

Jonathan: Not C, not a systems language, but something that you would, you would hack together a little, a little script to do something.

And whatever I mean I, I won't tell you that it's a wrong answer, so whatever one you want to, you want to pick.

Joshua: I mean Bash, however, I also do Quick Stuff and Go. Cool.

Jonathan: I think either of those are totally legitimate answers. I, for a second there, I expected you to say something like, well, the asterisk dial plan language, of course.

Joshua: No, that would be Lauren who I am trying to convince to, for you to, we'll see. Yeah,

Jonathan: we're, we're open to it. Fun. All right. Well, we appreciate the time, sir. Thank you so much for being here. It was a lot of fun to learn about Asterisk, what Asterisk is up to these days and get the get the story straight from you guys about the Sangoma acquisition and I've got to say, I feel pretty good about it.

All things considered. I, I'm happy with the new corporate overlords, as it were,

Joshua: so. Yes, much to the dismay of many, I'm sure, the world did not end. Nothing changed.

Jonathan: Imagine that. Alright, thank you so much for being here.

Joshua: It's been great. Thanks for having me again.

Jonathan: Yes, sir. Alright, David, what do you think?

I love it. What's your takeaway?

David: It's awesome to catch up on Asterix. It's, it's cool to just get the few questions I had answered directly. I mean, as I said at the beginning bit of Asterix fan boy and just in, in, enjoyed

Jonathan: it. Yeah. I'm, I'm real intrigued by the ARI, the Asterix REST interface.

I assume that's what that stands for. Absolutely. It sounds like you could do some really fun things with that. So I, I, I do some smart home stuff. And I, right now a lot of it actually works using Python Flask and a little REST interface I built inside Python Flask. And I'm, I'm now thinking, well, I could pull one of the desk phones back out and connect it to Asterisk and then write a little JavaScript script.

that would make those two things talk to each other. So then you could like dial in to your smart home. It's like the sky's the limit with this stuff. And that's one of the fun things about it is if you can, if you can dream it up, you can make it happen. And that, that, that was always the that was always the serotonin hit from working with asterisk.

Like somebody would go, we really, and it's happened to me. We, we have had. Problems with phone calls, we need to record all of our incoming phone calls. It's like, oh, I'm sure I can do that with asterisks. Spend a few minutes on Google. Yeah, here's, here's essentially how you do this. And you go and set up a little system to record all incoming phone calls.

And then, of course, you add the note at the beginning. Thank you for calling such and such. Just a note, your phone calls may be recorded for quality assurance purposes. But then, you know, you're off to the races. And. One of these days, I'm sure they will call me back with the problems that they are out of disk space, but it's not happened yet.

It's just, it's just fun. It's fun that you can do all this stuff with it. David, do you have anything that you want to plug?

David: Not specifically, but it never hurts to plug Twit and the Untitled Linux Show, which I also get the opportunity to co host on from time to time. So I would say go check that out.

Jonathan: I think the plan is for you to be one of the co hosts this Saturday?

David: That's what I was told.

Jonathan: Alright. So next week we have I believe Catherine is down to co host. And we're going to talk to Gina, oh my goodness, this is a German name. Hodge? Hobg? I have no idea how to pronounce that. She will tell us how to pronounce it when we have her on.

But she is the developer behind Octoprint. Octoprint. And that is the little Linux distro that you can put on a Raspberry Pi to control a 3D printer. And I've had one of those running for a long time, and Gina is probably going to tune me out because it's a really old version of it, but hey, it still works.

And so that is next week, April 10th. So make sure and come back for that one. Let's see, things that I have to plug. Well, of course there is the Untitled Linux Show over on Twit. We mentioned that at Hackaday. We sure appreciate Hackaday as the new home of Floss Weekly. And don't forget to check the site out and my security column goes live on Fridays.

Have a lot of fun with that. And I think that's it. That's, that's pretty much what we want to let you know about. Thank you to everyone in the chat room that caught us live. Thank you to everyone on the download that listens. We sure appreciate it. Sure to tell a friend about the show if you enjoyed it.

And hey, we will see you next time on Floss Weekly.

Kategorier
PoddarTeknologi
Förekommer på
Teknik
00:00 -00:00
Hur lyssnar jag på podcast?

En liten tjänst av I'm With Friends. Finns även på engelska.