[License-discuss] OSL and obfuscated code

Kevin P. Fleming kevin+osi at km6g.us
Fri Nov 23 12:33:19 UTC 2018

Having been down this road in a previous life, you should understand that
any attempt to 'validate' the installation of open source software will
eventually be defeated if the value of doing so is sufficiently high. In
this case, the person who wants to cheat on VAT collection/remittance would
find a way to do so if their revenue is moderately large, I suspect, and
others in the community will sell services to defeat the checking.

In addition such validation means that users of the plugin would be unable
to operate modified versions of the core and the VAT module, when the OSL
would otherwise permit them to do so. Granted, this is an obligation placed
on them by a government entity and not the licensor.

On Thu, Nov 22, 2018 at 10:44 AM Antoine Thomas <
antoine.thomas at prestashop.com> wrote:

> Mike,
> I agree, this is a strange request from Infocert. Currently, they think
> that an obfuscated code will be more complicated to modify if a merchant
> wants to cheat on VAT. However, we understand that they are not really
> expert of open source. At this stage we don't want to share the source code
> in OSL or AFL (our modules are usually distributed on AFL), for the risk is
> to lose the certification. This is something we need to clarify with them.
> David,
> Thanks for the reminder. So instead of obfuscation, maybe the plugin could
> check that the PrestaShop core and the VAT module are original and have no
> modification, comparing them with a digital signature, right?
> I will check that option with the developers and see if this could be
> possible to do that in a future version. Also, of course, Infocert will
> have to validate this idea too.
> [image: PrestaShop]
> <https://www.prestashop.com/?utm_source=signature&utm_medium=e-mail&utm_campaign=emails-signatures>
> Antoine Thomas aka ttoine
> Developer Advocate
> t: +33 (0)6 63 13 79 06
> antoine.thomas at prestashop.com
> On Wed, 21 Nov 2018 at 22:29, David Woolley <forums at david-woolley.me.uk>
> wrote:
>> On 21/11/2018 19:35, Mike Linksvayer wrote:
>> >
>> > I wonder whether INFOCERT's request is justifiable? I imagine they
>> think
>> > obfuscated code is less likely to be modified, any modification
>> > potentially making the software non-compliant with the regulation,
>> > risking INFOCERT's reputation? Why isn't it good enough to have a
>> > warning that only unmodified versions are certified and that any
>> Obfuscating makes it more work to modify, but if you actually want to
>> avoid modifications, you should digitally sign.
>> Obfuscation, to the extent that it makes it impossible to change, goes
>> way beyond the level that makes it impossible to verify for security.
>> _______________________________________________
>> License-discuss mailing list
>> License-discuss at lists.opensource.org
>> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
> _______________________________________________
> License-discuss mailing list
> License-discuss at lists.opensource.org
> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/attachments/20181123/cb72a1c5/attachment.html>

More information about the License-discuss mailing list