[License-discuss] OSL and obfuscated code

Antoine Thomas antoine.thomas at prestashop.com
Fri Nov 23 12:43:34 UTC 2018


Good point, thanks.


Antoine Thomas aka ttoine

Developer Advocate

t: +33 (0)6 63 13 79 06

antoine.thomas at prestashop.com




On Fri, 23 Nov 2018 at 13:34, Kevin P. Fleming <kevin+osi at km6g.us> wrote:

> Having been down this road in a previous life, you should understand that
> any attempt to 'validate' the installation of open source software will
> eventually be defeated if the value of doing so is sufficiently high. In
> this case, the person who wants to cheat on VAT collection/remittance would
> find a way to do so if their revenue is moderately large, I suspect, and
> others in the community will sell services to defeat the checking.
>
> In addition, such validation means that users of the plugin would be unable
> to operate modified versions of the core and the VAT module, when the OSL
> would otherwise permit them to do so. Granted, this is an obligation placed
> on them by a government entity and not the licensor.
>
> On Thu, Nov 22, 2018 at 10:44 AM Antoine Thomas <
> antoine.thomas at prestashop.com> wrote:
>
>> Mike,
>> I agree, this is a strange request from Infocert. Currently, they think
>> that obfuscated code will be more complicated to modify if a merchant
>> wants to cheat on VAT. However, we understand that they are not really
>> experts in open source. At this stage we don't want to share the source code
>> under OSL or AFL (our modules are usually distributed under AFL), as the risk
>> is losing the certification. This is something we need to clarify with them.
>>
>> David,
>> Thanks for the reminder. So instead of obfuscation, maybe the plugin
>> could check that the PrestaShop core and the VAT module are original and
>> have no modifications, comparing them with a digital signature, right?
>> I will check that option with the developers and see if it would be
>> possible to do that in a future version. Also, of course, Infocert will
>> have to validate this idea too.
>>
>> On Wed, 21 Nov 2018 at 22:29, David Woolley <forums at david-woolley.me.uk>
>> wrote:
>>
>>> On 21/11/2018 19:35, Mike Linksvayer wrote:
>>> >
>>> > I wonder whether INFOCERT's request is justifiable? I imagine they think
>>> > obfuscated code is less likely to be modified, any modification
>>> > potentially making the software non-compliant with the regulation,
>>> > risking INFOCERT's reputation? Why isn't it good enough to have a
>>> > warning that only unmodified versions are certified and that any
>>>
>>> Obfuscating makes it more work to modify, but if you actually want to
>>> avoid modifications, you should digitally sign.
>>>
>>> Obfuscation, to the extent that it makes it impossible to change, goes
>>> way beyond the level that makes it impossible to verify for security.
>>>
>>> _______________________________________________
>>> License-discuss mailing list
>>> License-discuss at lists.opensource.org
>>>
>>> http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org