[GNC-dev] German online banking users would need a 3.7 release before mid-September...

John Ralls jralls at ceridwen.us
Sat Aug 10 14:32:00 EDT 2019

> On Aug 10, 2019, at 4:20 AM, Christian Stimming <christian at cstimming.de> wrote:
> Dear developers,
> the German online banking users have received notice from their banks that due 
> to EU regulations, from mid-September onwards (Sept 14th) the banking client 
> software has to use a registered product key, otherwise the bank server 
> connection will be refused.
> (In German: https://www.hbci-zka.de/register/prod_register.htm )
> For gnucash, I have registered and received such a product key, and in the 
> communication to me there haven't been any restrictions that would pose 
> problems for open source software. Hence, as long as gnucash will stick to 
> this procedure and send the product key, the users (and we) should be fine.
> However, as our banking library aqbanking only recently introduced the 
> necessary API for this, it was not before July 7th that this code has been 
> introduced into gnucash, which means our last stable version gnucash-3.6 does 
> not yet contain this.
> My question is: Can we schedule the 3.7 release somewhat earlier than our 
> normal 3-month schedule, so that this release is available before the bank 
> server change in mid-September? Normal schedule for 3.7 is end of September,
> but this is too late for users of this feature.
> In theory, any release date between now and Sept 14th would be fine, although 
> the earlier we do this, the earlier the respective updates can be tested by 
> the users. Maybe around August 20th?


Apparently the bank servers were supposed to have switched over last week, see https://www.hbci-zka.de/register/register_faq.htm. The 14 September deadline seems to have something to do with using FinTS bank interfaces via third-party services, see https://subsembly.com/apidoc/fints/index.html under "PSD2 Client Registration". I suppose some users may have configured GnuCash to do that and now will have to reconfigure to talk to their banks instead. There's nothing we can do about that.

Regardless, we can do a snap release as soon as we can get the registration number issue sorted and I can make time to do the release.

I am a bit concerned about the registration number being published. What's to prevent a bad actor from taking it and using it in a different, malicious, application? What might be the consequences? Would DK revoke GnuCash's registration? I think it more likely that the folks at DK didn't even consider the possibility that there might be an open source financial application than that it doesn't matter to them.

John Ralls
