Having been down this road in a previous life, you should understand that any attempt to 'validate' the installation of open source software will eventually be defeated if the value of doing so is sufficiently high. In this case, the person who wants to cheat on VAT collection/remittance would find a way to do so if their revenue is moderately large, I suspect, and others in the community will sell services to defeat the checking.
In addition such validation means that users of the plugin would be unable to operate modified versions of the core and the VAT module, when the OSL would otherwise permit them to do so. Granted, this is an obligation placed on them by a government entity and not the licensor. On Thu, Nov 22, 2018 at 10:44 AM Antoine Thomas < antoine.tho...@prestashop.com> wrote: > Mike, > I agree, this is a strange request from Infocert. Currently, they think > that an obfuscated code will be more complicated to modify if a merchant > wants to cheat on VAT. However, we understand that they are not really > expert of open source. At this stage we don't want to share the source code > in OSL or AFL (our modules are usually distributed on AFL), for the risk is > to lose the certification. This is something we need to clarify with them. > > David, > Thanks for the reminder. So instead of obfuscation, maybe the plugin could > check that the PrestaShop core and the VAT module are original and have no > modification, comparing them with a digital signature, right? > I will check that option with the developers and see if this could be > possible to do that in a future version. Also, of course, Infocert will > have to validate this idea too. > > > > [image: PrestaShop] > <https://www.prestashop.com/?utm_source=signature&utm_medium=e-mail&utm_campaign=emails-signatures> > > Antoine Thomas aka ttoine > > Developer Advocate > > t: +33 (0)6 63 13 79 06 > > antoine.tho...@prestashop.com > > > > > On Wed, 21 Nov 2018 at 22:29, David Woolley <for...@david-woolley.me.uk> > wrote: > >> On 21/11/2018 19:35, Mike Linksvayer wrote: >> > >> > I wonder whether INFOCERT's request is justifiable? I imagine they >> think >> > obfuscated code is less likely to be modified, any modification >> > potentially making the software non-compliant with the regulation, >> > risking INFOCERT's reputation? Why isn't it good enough to have a >> > warning that only unmodified versions are certified and that any >> >> Obfuscating makes it more work to modify, but if you actually want to >> avoid modifications, you should digitally sign. >> >> Obfuscation, to the extent that it makes it impossible to change, goes >> way beyond the level that makes it impossible to verify for security. >> >> _______________________________________________ >> License-discuss mailing list >> License-discuss@lists.opensource.org >> >> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org >> > _______________________________________________ > License-discuss mailing list > License-discuss@lists.opensource.org > > http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org >
_______________________________________________ License-discuss mailing list License-discuss@lists.opensource.org http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
