[License-discuss] OSL and obfuscated code

[Mike Linksvayer]

On Wed, Nov 21, 2018 at 4:37 PM Antoine Thomas <
antoine.thomas at prestashop.com> wrote:

> A new regulation which aims to fight VAT fraud obligates merchants (and
> e-merchants) to use a software allowing to:
>  -  Make accounting data inviolable,
>  -  Secure the accounting data,
>  -  Keep and store the accounting data,
> In order to satisfy a potential inspection of the tax administration.
>
> In addition to these properties, the law requires that merchants use a
> certified software (FYI, in France, the certification is delivered by only
> 2 companies : LNE and INFOCERT).
>
> In order to offer an alternative to our users, PrestaShop has developed a
> module that can be installed to the merchant’s discretion.
>
> This module complies with the law requirements but in order to satisfy the
> INFOCERT’requests, the code source of the module has been obfuscated.
>

Tangential to question asked, and I'm interested in general case, not
agitating for PrestaShop to push back on the request in this particular
case...

I wonder whether INFOCERT's request is justifiable? I imagine they think
obfuscated code is less likely to be modified, any modification potentially
making the software non-compliant with the regulation, risking INFOCERT's
reputation? Why isn't it good enough to have a warning that only unmodified
versions are certified and that any modifications mean you are running
uncertified software and in violation of the regulation? The whole point
for merchants to install the module is to be compliant with the new
regulation, right?

I notice that PrestaShop module source files already include the following
disclaimer, which could be made scarier for a third party certified module:

* Do not edit or add to this file if you wish to upgrade PrestaShop to newer
> * versions in the future. If you wish to customize PrestaShop for your
> * needs please refer to http://www.prestashop.com for more information.
>

Another question, perhaps more closely related to question asked (though
still entirely tangential, as the original question has been answered in a
way that makes this non-essential) -- does INFOCERT require that no
unobfuscated source to the certified module be available? If not, I imagine
the certified module would be obfuscated, under OSL-3.0, with the
non-certified preferred form for modification also available, per OSL-3.0's
"Grant of Source Code License", if I understand correctly.

Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/attachments/20181121/5ee42bf8/attachment.html>