[GNC-dev] Gnucash and the UK's "Making Tax Digital" initiative

Alain D D Williams addw at phcomp.co.uk
Fri Apr 5 07:52:05 EDT 2019

On Thu, Apr 04, 2019 at 09:31:22PM +0100, Mike Evans wrote:

> After a hiatus I have successfully interacted with the HMRC API for a test account to post earning & expenses using python.

Brilliant ... something that I got part way through but never completed.

This is something that I need to do for my, one man band, business. So I will
volunteer to help in some way.

> I've not looked at the VAT part, because I'm not VAT registered, so...

I am VAT registered, so I have motivation to do something.

> A minimal json data set for a self-employed quarterly submission looks like:

So your script reads & sends JSON to HMRC and, presumably generates a JSON file
with the HMRC reply. This is good and I can see it being useful to many others
who need to talk to HMRC - eg organisations that have written their own accounts

> I'm still thinking how to keep the secret, even though HMRC have apparently
> relaxed that requirement. Ideas welcome on that, maybe a json request from
> gnucash.org, I know the request code will still be public however, that's the
> part that needs more_thought&more_input.

With Open Source software it is hard to have a secret. Ideas:

* Everyone who uses it gets a secret from HMRC. Possible, but a nasty way of
doing it.

* Embedding the key in the code, possibly obscuring it (think: X-OR with
something, or even encrypting it [[ although the key will need to be somewhere
else that can be seen]] ).

* Putting the key in a file. Exactly the same considerations apply as embedding
the key in the code.

* Embedding the key in a small C executable:
+ Run the executable (maybe with magic arguments) and it prints the key to stdout.
+ The python talks to HMRC via this program, this program recognises the
startup dialogue and inserts the key at the appropriate point. Binaries would
need to be made for the supported platforms (Linux, OSx/MacOS, MS-Windows)
Universal binaries can be produced for Linux by statically linking.

It is all down to what HMRC will accept. Embedding the key in the code or file
is what I would prefer. The source code to the C binary could still be Open
Source, but the key would need to be provided with a compile time argument to
the C compiler.

The other question is: who knows the key. With a commercial closed source
supplier I would expect that most people in the development team would know the
key. Are we really any different - it is just that our dev team is a bit larger
than most ????

Thinking about it: how does closed source keep a secret ? The only way is to use
compiled code and embed the secret in there, possibly obscuring it in some way.
But something embedded can be obtained by running the code under a suitable
debugger - an expending some effort.

Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

More information about the gnucash-devel mailing list