Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
(reposted, because I dropped the Cc to debian-devel by mistake. I apologise for sending it twice to the BTS and bug submitter).

On Wed, May 6, 2015, at 01:51, Sergio Durigan Junior wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Sergio Durigan Junior sergi...@sergiodj.net
>
> * Package name    : rnetclient
>   Version         : 2015.1
>   Upstream author : Thadeu Cascardo, Sergio Durigan Junior, Alexandre Oliva
> * URL             : http://wiki.libreplanetbr.org/rnetclient/
> * License         : GPLv3+
>   Programming Lang: C
>   Description     : A Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
>
> rnetclient is a Free Software that can be used to submit the Brazilian Income Tax Report to the Brazilian Tax Authority (Receita Federal). It is the outcome of reverse-engineering ReceitaNet, the official and proprietary software that Receita Federal develops.

What's the real point of this package? One actually needs to install the tax-report-building program from RFB (IRPF20xx) to have anything for rnetclient to transmit, at which point you might as well install ReceitaNet since you're already running RFB-provided java code anyway.

Also, what's the official position of RFB regarding the existence, and use of this program?

Regardless of whether the process of reverse engineering the ReceitaNet protocol is legal or not (I don't know, so I am not assuming anything), actually connecting to RFB servers using this program might well not be legal.

Not to mention it can cause harm to rnetclient users if RFB decides that they object to tax reports submitted through rnetclient, and we might find ourselves in legal trouble over that as well, there's the whole "enticing others to use the rnetclient program" angle that could be played against Debian (in this case, it might well end up being directed at Brazilian DDs since RFB won't be able to target SPI or Debian itself).

Also, ReceitaNet is often updated, it went from version 4 (tax report of 2014) to version 7 (tax report of 2015), rnetclient would have to be kept up-to-date if such changes in ReceitaNet are in any way related to the protocol or servers it should connect to submit the tax report.

This can cause operational issues if rnetclient makes it to Debian stable, since the program must be working perfectly during the tax submission window.

In fact, the upstream homepage has this notice (loosely translated from pt_BR):

  Version 2015.0 did not support fully the tax report format for 2015. This problem has been fixed in version 2015.1. We wait reports of both successful and non-successful use of rnetclient 2015.1 in our mailing list.

Please clarify the above points. So far, it looks like accepting this in Debian is a lot of risk for no real gain.

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh h...@debian.org

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1431026795.880517.264141793.6c66e...@webmail.messagingengine.com

Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
On Thursday, May 07 2015, Frederic Peters wrote:

>> What's the real point of this package? One actually needs to install the tax-report-building program from RFB (IRPF20xx) to have anything for rnetclient to transmit, at which point you might as well install ReceitaNet since you're already running RFB-provided java code anyway.
>
> It looks like the initial part wouldn't require network access; this would be quite an important difference.

I'm not sure I understood the sentence, but yeah, the program used to prepare the tax report indeed does not need network access.

>> Regardless of whether the process of reverse engineering the ReceitaNet protocol is legal or not (I don't know, so I am not assuming anything), actually connecting to RFB servers using this program might well not be legal.
>
> I don't know anything about Brazilian reverse engineering, or others, laws, and what would apply here. But I wouldn't stop at "regardless it is legal or not" and "might not well be legal" without any details.

Thanks, that's my feeling as well. And that's why those programs were developed. But as I said in my reply to Henrique, reverse engineering is not against the Brazilian copyright law.

>> Also, ReceitaNet is often updated, it went from version 4 (tax report of 2014) to version 7 (tax report of 2015), rnetclient would have to be kept up-to-date if such changes in ReceitaNet are in any way related to the protocol or servers it should connect to submit the tax report.
>>
>> This can cause operational issues if rnetclient makes it to Debian stable, since the program must be working perfectly during the tax submission window.
>>
>> In fact, the upstream homepage has this notice (loosely translated from pt_BR):
>>
>>   Version 2015.0 did not support fully the tax report format for 2015. This problem has been fixed in version 2015.1. We wait reports of both successful and non-successful use of rnetclient 2015.1 in our mailing list.
>
> This makes it an appropriate candidate for jessie-updates.

That is actually a pretty good solution! I am still learning the terms and the whole process here, but jessie-updates, according to:

  https://www.debian.org/News/2011/20110215

(thanks to Cascardo for providing the link) would indeed be the ideal place for rnetclient, according to this criterion:

  - Packages that need to be current to be useful (e.g. clamav).

Cheers,

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/

Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
On Thursday, May 07 2015, Henrique de Moraes Holschuh wrote:

>> That is actually a pretty good solution! I am still learning the terms and the whole process here, but jessie-updates, according to:
>>
>>   https://www.debian.org/News/2011/20110215
>>
>> (thanks to Cascardo for providing the link) would indeed be the ideal place for rnetclient, according to this criterion:
>>
>>   - Packages that need to be current to be useful (e.g. clamav).
>
> I am well versed with stable-updates, I upload to it several times per year due to intel-microcode. Unless there is previous arrangement with the stable release managers, an upload to stable-proposed-updates is not always going to be fast enough for this. "keep current" doesn't mean "rush into stable every time", after all.

Oh, sure, I did not mean to lecture you, I am well aware of your Debian fame. Sorry if it sounded like that.

As for being fast enough, Receita Federal usually gives 2 months to prepare and submit your tax report, and the majority of the population usually wait until the last week to fulfill their duties, so maybe it is reasonable to expect that, if rnetclient enters the stable-updates repo in the middle of the timeframe of 2 months (i.e., 1 month after RFB published the proprietary versions of the software), we will still have plenty of users benefitted by this. Does this sound feasible?

> IMHO, it would be far better to have someone maintain the debian packaging of this stuff upstream, in an apt-gettable repository that can be added to sources.list. Such a repository, although unofficial, could be both Debian and Ubuntu-friendly, and target also the LTS branches of Debian and Ubuntu. This side-steps all the issues I raised.

It seems that the only remaining issue was deciding which repository would be a better fit for the program, and if the proposal of putting it in the stable-updates is accepted, then we're golden.

I had considered the option of maintaining the Debian infrastructure upstream when I saw your first message (actually, even before I posted the ITP!), but I still think it is more beneficial to have rnetclient in the official repository. It would, for example, be much harder to be able to provide ports for different architectures just like Debian does but without using Debian's infrastructure; I could mention other good to have things as debbugs here, but I think you've got the point :-).

Cheers,

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/

Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
Let me add here some of the history about rnetclient and IRPF Livre, concerning legal and government matters.

As already said, Oliva has been publishing IRPF Livre for a while. He decompiled that software when it was using GPL libraries, which would make it GPL software, even though SERPRO or Receita didn't distribute it on the same terms. That could be interpreted as a legal liability, but he has not found any problems since then. Here is what has happened instead.

As Sergio also pointed out, Oliva has gone through the process of trying to get the software released, claiming that recent law for transparency meant the government needed to publish it. SERPRO, who is the developer of the software, claimed there were secrets in the software that would allow people's income to be leaked. That is a lie! As Oliva pointed out in his counter-claim, his own IRPF Livre would allow such a leak if that was true. And that would be a huge security breach in the whole process of tax paying/refund. Unfortunately, the judge decided against the publishing of the software. But Oliva stated that he has done the reverse engineering, publishes the software, and no action against him has been taken.

When I was developing rnetclient, I found some concerning problems in its trust model (software trusts certificate that is shipped with itself, certificate has a weak password, easily found on the software, even software hashing checking can be easily circumvented, software is not distributed with any signature - not even over https). I thought that publishing that would put me into trouble. I gave a talk at a big event in Brazil (FISL, 5k people, 300 watched the talk live, video was published, SERPRO president was at FISL), and no action has been taken against me. Oliva and I even talked to SERPRO president at the time, he couldn't care less, or even seemed favorable to what we were doing.

I have been shipping rnetclient since then, 2013. This year I even managed to have it updated at the same day that Receita has published its own software (they didn't do Betas this year). The fix came the next day. I have an intention to publish a version that should work for years to come, until the protocol breaks from what it has been for the last 5 years.

And, in fact, it's still useful to submit corrections to previous years files. So, if you have to publish 2013 and 2014 again for any reason, 2015.1 can be used. And the software will still be useful for at least the next 5 years, when people might still want to resubmit their 2015 files. Unless Receita breaks the whole thing, as I mentioned, but hasn't done for at least the last 5 years.

About my own process of reverse engineering: I did some decompiling and read some of the code. I wrote a very small Java class to override the certificate verification, allowing me to do some MITM. Most of the process after that involved me writing tests to simulate a server and a client, and see how the client and server responded. Reading the code just helped me get the basics on the encoding so I could write the tests. After that, I wrote the program from scratch.

Even though it was not completely clean room, it's hard to conceive there was any copy of SERPRO's code. Their code is in Java, with its own APIs, I used C, with GNUTLS, BSD sockets, zlib, my own decoding of the file that came after I started writing the tests (so I didn't read any code related to that).

Also, Brazilian law says:

  Art. 6º Não constituem ofensa aos direitos do titular de programa de computador:
  [...]
  III - a ocorrência de semelhança de programa a outro, preexistente, quando se der por força das características funcionais de sua aplicação, da observância de preceitos normativos e técnicos, ou de limitação de forma alternativa para a sua expressão;

Which means that it's not a copyright infringement when a program is similar to a preexisting one because of its functional characteristics, or because it follows technical or normative references, or there is a limitation for other forms of expression.

Hope that helps moving the discussion forward. I, at least, found it delightful to write this for posterity.

Cascardo.

Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
[ Cc'ing Thadeu Cascardo, who developed rnetclient and is a DD. ]

On Thursday, May 07 2015, Henrique de Moraes Holschuh wrote:

> On Wed, May 6, 2015, at 01:51, Sergio Durigan Junior wrote:
>> Package: wnpp
>> Severity: wishlist
>> Owner: Sergio Durigan Junior sergi...@sergiodj.net
>>
>> * Package name    : rnetclient
>>   Version         : 2015.1
>>   Upstream author : Thadeu Cascardo, Sergio Durigan Junior, Alexandre Oliva
>> * URL             : http://wiki.libreplanetbr.org/rnetclient/
>> * License         : GPLv3+
>>   Programming Lang: C
>>   Description     : A Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
>>
>> rnetclient is a Free Software that can be used to submit the Brazilian Income Tax Report to the Brazilian Tax Authority (Receita Federal). It is the outcome of reverse-engineering ReceitaNet, the official and proprietary software that Receita Federal develops.
>
> What's the real point of this package? One actually needs to install the tax-report-building program from RFB (IRPF20xx) to have anything for rnetclient to transmit, at which point you might as well install ReceitaNet since you're already running RFB-provided java code anyway.

Hey, Henrique! Thanks for the comments.

The real point of this package is to provide freedom for those who have to declare their income tax in Brazil. Of course, as you have mentioned, rnetclient solves one side of the equation, which is sending the report to the Receita Federal. As for the other side (which is preparing the report), you do not necessarily have to install the proprietary version of the program that is published by the Receita Federal; instead, you can install IRPF-Livre, a Free Software made by Alexandre Oliva (since 2007):

  http://www.fsfla.org/svn/fsfla/software/irpf-livre-2015/

Every year, he releases a new code to be tested. The reports generated by IRPF-Livre can be successfully transmitted by rnetclient, as has been tested by Alexandre Oliva and others.

Unfortunately, IRPF-Livre is not a Debian package (yet?), but then again, the proprietary version is obviously not on Debian either.

> Also, what's the official position of RFB regarding the existence, and use of this program?

There is no official position about both programs so far, to the extent of my knowledge. What exists (or existed; I don't remember all the details now) is a lawsuit by Alexandre Oliva who has been trying to make RFB release the code of the proprietary software mentioned above. But this is offtopic to this discussion, I think.

> Regardless of whether the process of reverse engineering the ReceitaNet protocol is legal or not (I don't know, so I am not assuming anything),

IANAL, but in general reverse engineering is not forbidden in Brazil. I found some documents about this, and I can provide them if needed.

> actually connecting to RFB servers using this program might well not be legal.
>
> Not to mention it can cause harm to rnetclient users if RFB decides that they object to tax reports submitted through rnetclient, and we might find ourselves in legal trouble over that as well, there's the whole "enticing others to use the rnetclient program" angle that could be played against Debian (in this case, it might well end up being directed at Brazilian DDs since RFB won't be able to target SPI or Debian itself).

That is indeed a good point; I don't know if Debian as a project is willing to take this risk. I mean, there is always a risk of RFB deciding that they won't accept tax reports made by IRPF-Livre and/or submitted by rnetclient; in this case, we would have to think in another option.

As I said, Alexandre Oliva has been doing IRPF-Livre since 2007, and last year some people used rnetclient to submit their reports, and nothing unusual happened. I think it is not very... dangerous (I did not want to use that word, but...) for Debian to have rnetclient on its repositories, but that is a personal opinion of someone who is starting to contribute to Debian.

> Also, ReceitaNet is often updated, it went from version 4 (tax report of 2014) to version 7 (tax report of 2015), rnetclient would have to be kept up-to-date if such changes in ReceitaNet are in any way related to the protocol or servers it should connect to submit the tax report.
>
> This can cause operational issues if rnetclient makes it to Debian stable, since the program must be working perfectly during the tax submission window.

Yes, that is another good point. I don't know what would be the best way to solve this. I know rnetclient in stable would probably not be updated as frequent as it should.

> In fact, the upstream homepage has this notice (loosely translated from pt_BR):
>
>   Version 2015.0 did not support fully the tax report format for 2015. This problem has been fixed in version 2015.1. We wait reports of both successful and non-successful use of rnetclient 2015.1 in our mailing list.

Yes, but I don't see what's the problem. rnetclient has to be
Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
On Thu, May 7, 2015, at 19:23, Sergio Durigan Junior wrote:
> On Thursday, May 07 2015, Frederic Peters wrote:
>>> Also, ReceitaNet is often updated, it went from version 4 (tax report of ... This can cause operational issues if rnetclient makes it to Debian stable, since the program must be working perfectly during the tax submission window. ...
>>
>> This makes it an appropriate candidate for jessie-updates.
>
> That is actually a pretty good solution! I am still learning the terms and the whole process here, but jessie-updates, according to:
>
>   https://www.debian.org/News/2011/20110215
>
> (thanks to Cascardo for providing the link) would indeed be the ideal place for rnetclient, according to this criterion:
>
>   - Packages that need to be current to be useful (e.g. clamav).

I am well versed with stable-updates, I upload to it several times per year due to intel-microcode.

Unless there is previous arrangement with the stable release managers, an upload to stable-proposed-updates is not always going to be fast enough for this. "keep current" doesn't mean "rush into stable every time", after all.

IMHO, it would be far better to have someone maintain the debian packaging of this stuff upstream, in an apt-gettable repository that can be added to sources.list. Such a repository, although unofficial, could be both Debian and Ubuntu-friendly, and target also the LTS branches of Debian and Ubuntu. This side-steps all the issues I raised.

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh h...@debian.org

Re: Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
Hi,

Henrique de Moraes Holschuh wrote:

> What's the real point of this package? One actually needs to install the tax-report-building program from RFB (IRPF20xx) to have anything for rnetclient to transmit, at which point you might as well install ReceitaNet since you're already running RFB-provided java code anyway.

It looks like the initial part wouldn't require network access; this would be quite an important difference.

> Regardless of whether the process of reverse engineering the ReceitaNet protocol is legal or not (I don't know, so I am not assuming anything), actually connecting to RFB servers using this program might well not be legal.

I don't know anything about Brazilian reverse engineering, or others, laws, and what would apply here. But I wouldn't stop at "regardless it is legal or not" and "might not well be legal" without any details.

> Not to mention it can cause harm to rnetclient users if RFB decides that they object to tax reports submitted through rnetclient, and we

This is GPL, "This program comes with ABSOLUTELY NO WARRANTY", of course the user should be informed.

> might find ourselves in legal trouble over that as well, there's the whole "enticing others to use the rnetclient program" angle that could be played against Debian (in this case, it might well end up being directed at Brazilian DDs since RFB won't be able to target SPI or Debian itself).

We noted above there's no indication of an actual legal problem; so again, "might", just like it's the case for many other programs (for a common example, running a bittorrent client might not be legal in $country).

> Also, ReceitaNet is often updated, it went from version 4 (tax report of 2014) to version 7 (tax report of 2015), rnetclient would have to be kept up-to-date if such changes in ReceitaNet are in any way related to the protocol or servers it should connect to submit the tax report.
>
> This can cause operational issues if rnetclient makes it to Debian stable, since the program must be working perfectly during the tax submission window.
>
> In fact, the upstream homepage has this notice (loosely translated from pt_BR):
>
>   Version 2015.0 did not support fully the tax report format for 2015. This problem has been fixed in version 2015.1. We wait reports of both successful and non-successful use of rnetclient 2015.1 in our mailing list.

This makes it an appropriate candidate for jessie-updates.

Fred

Bug#784405: ITP: rnetclient -- Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority
Package: wnpp
Severity: wishlist
Owner: Sergio Durigan Junior sergi...@sergiodj.net

* Package name    : rnetclient
  Version         : 2015.1
  Upstream author : Thadeu Cascardo, Sergio Durigan Junior, Alexandre Oliva
* URL             : http://wiki.libreplanetbr.org/rnetclient/
* License         : GPLv3+
  Programming Lang: C
  Description     : A Client to submit the Brazilian Income Tax Report to the Brazilian Tax Authority

rnetclient is a Free Software that can be used to submit the Brazilian Income Tax Report to the Brazilian Tax Authority (Receita Federal). It is the outcome of reverse-engineering ReceitaNet, the official and proprietary software that Receita Federal develops.

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/