On Thu, Apr 04, 2019 at 09:31:22PM +0100, Mike Evans wrote: > After a hiatus I have successfully interacted with the HMRC API for a test > account to post earning & expenses using python.
Brilliant ... something that I got part way through but never completed. This is something that I need to do for my, one man band, business. So I will volunteer to help in some way. > I've not looked at the VAT part, because I'm not VAT registered, so... I am VAT registered, so I have motivation to do something. > A minimal json data set for a self-employed quarterly submission looks like: So your script reads & sends JSON to HMRC and, presumably generates a JSON file with the HMRC reply. This is good and I can see it being useful to many others who need to talk to HMRC - eg organisations that have written their own accounts programs. > I'm still thinking how to keep the secret, even though HMRC have apparently > relaxed that requirement. Ideas welcome on that, maybe a json request from > gnucash.org, I know the request code will still be public however, that's the > part that needs more_thought&more_input. With Open Source software it is hard to have a secret. Ideas: * Everyone who uses it gets a secret from HMRC. Possible, but a nasty way of doing it. * Embedding the key in the code, possibly obscuring it (think: X-OR with something, or even encrypting it [[ although the key will need to be somewhere else that can be seen]] ). * Putting the key in a file. Exactly the same considerations apply as embedding the key in the code. * Embedding the key in a small C executable: + Run the executable (maybe with magic arguments) and it prints the key to stdout. + The python talks to HMRC via this program, this program recognises the startup dialogue and inserts the key at the appropriate point. Binaries would need to be made for the supported platforms (Linux, OSx/MacOS, MS-Windows) Universal binaries can be produced for Linux by statically linking. It is all down to what HMRC will accept. Embedding the key in the code or file is what I would prefer. The source code to the C binary could still be Open Source, but the key would need to be provided with a compile time argument to the C compiler. The other question is: who knows the key. With a commercial closed source supplier I would expect that most people in the development team would know the key. Are we really any different - it is just that our dev team is a bit larger than most ???? Thinking about it: how does closed source keep a secret ? The only way is to use compiled code and embed the secret in there, possibly obscuring it in some way. But something embedded can be obtained by running the code under a suitable debugger - an expending some effort. -- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 https://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/contact.php #include <std_disclaimer.h> _______________________________________________ gnucash-devel mailing list gnucash-devel@gnucash.org https://lists.gnucash.org/mailman/listinfo/gnucash-devel
