Reflexion on the french SAPIN LAW application #105
Comments
|
hello, Some comments
Some people do register payments using Odoo, in particular they consider that they can give the invoice at the desk and register the payment by setting the "paid" status of the invoice. They are wrong, already today. They must conform to payment regulations now, independently of this law. In particular it is true for non-VAT business which is not concerned by the new rule. The law now underlines these obligations and requires tools used to register payments to get certified. This is the only new point compared with today situation. People who are correct today, I mean who register their payments on a cash register or a paper book can keep on, no change.
Hope this helps. |
|
@flotho regarding the point of sale on our side we think about
With that solution we are sure that no POS can be lost during the synchronization as the ticket will be generate only after the synchronization (and maybe we can generate it on server side so you can reprint a ticket from the backoffice easily). We can also print the first letter/digit of the hash on the ticket, so every ticket are a proof of the inalterability. |
|
Hi @flotho, Thanks a lot for beginning this thread ! We could in a first time enumerate each point, and after create little workshops for each point. I see the following points.
do you see other points ? Thanks. CC
kind regards. |
|
Please, let us know your conclusions: on our side, so far, we don't plan to do anything more than the current l10n_fr_certification module proposition (except a signed document by Fabien certifying Odoo) best regards |
|
Quentin : do you mean Odoo Enterprise will not pass through certification process ? |
|
I think there are an other point : it the software fingerprint. Maybe use https://www.postgresql.org/docs/current/static/pgcrypto.html or http://docs.postgresql.fr/9.2/ssl-tcp.html to crypt database. |
|
I propose we speak about this during the OCA code sprint in Barcelona https://odoo-community.org/event/barcelona-code-sprint-2017-05-29-2017-05-31-58/register It will be a good opportunity to exchange our ideas and update the status of the work on this. At Akretion, we already started some devs on this topic and we will continue (maybe during the code sprint too). |
|
For those who missed the info : https://www.lesechos.fr/thema/030387673950-revirement-bienvenu-en-matiere-de-logiciels-certifies-2094788.php |
|
I just made a PR to manage certification for PoS. (and for account, even if it does'nt seems necessary anymore, given the last @alexis-via remark). |
|
Thanks to the community for the tips http://proxy-pubminefi.diffusion.finances.gouv.fr/pub/document/18/22503.pdf |
|
Hi everyone |
|
Hi @MohammedAuneor, Welcome in the community.
Well, this thread has a avantage to join various people of the OCA community. Let's go continuing with this, and if we have to create later work group, it will be more easy.
Accouting is now out of the scope of the law, just Point of sale. See @alexis-via comment. (#105 (comment)).
Good idea ! for me, it's optional, because not all configurations provide test / demo servers.
Indeed, we have to port l10n_fr_certification_pos module. Feel free to review #108. It should be cool to have a stable 8 version, before porting it. and it will not need a lot of work.( some JS work)
I don't understand that point. This is a matter of adminsys people, to grant backup. What do you propose ? Thanks for your comment. |
|
2017-07-21 16:46 GMT+02:00 Sylvain LE GAL <notifications@github.com>:
The only problem I see is with the point 220, that says: Elle doit prévoir
un dispositif technique garantissant l'intégrité dans le temps des archives
produites et leur conformité aux données initiales de règlement à partir
desquelles elles sont créées.
I don't understand that point. This is a matter of adminsys people, to
grant backup. What do you propose ?
I'm afraid
1_ this point is the main one and we must all understand it.
2_ no, it is not a sys-admin aspect, but THE feature any POS software MUST
conform to. All others are at best "nice-to-have" only.
|
|
Hi @sisalp. Please, be more precise.
regards. |
|
2017-07-21 19:29 GMT+02:00 Sylvain LE GAL <notifications@github.com>:
Hi @sisalp. Please, be more precise.
What do you propose ?
This law about a set of precise requirements, if you want to build a
solution which conforms, you have to pass the qualification tests. The
requirement Auneor talks about is key.
AFAIU, some may make an error when they think they may issue
attestations on a software which definitly doesn't pass most of the
tests or with even no plan at all.
I follow this thread trying to understand if the community will
address the questions:
- is it feasable first, then maintainable ?
- are there a migration path and service offreings for existing customers.
Whad did you plan to do for your enterprise ?
For my enterprise ? I don't use Odoo.
For my hosted customers who use the POS (few), either they ask their
integrator, or I redirect them to people who propose solutions (few
also) and they make their own choice. I'm not sure going down to more
details would help in this discussion.
|
|
For those who missed the info : https://www.economie.gouv.fr/files/files/directions_services/dgfip/controle_fiscal/actualites_reponses/logiciels_de_caisse.pdf |
|
We are going to upgrade l10n_fr_certification for POS module in order to be compliant with the new legislation that we read carefully. This new module will be released asap and will be available for versions 9, 10 & 11. Here are the functionalities we plan to cover:
Is there anything else we should take into account? Have you already developed new modules covering those aspects? Your feedback will be much appreciated. Thanks! |
|
2017-10-16 16:39 GMT+02:00 fgi-odoo <notifications@github.com>:
Is there anything else we should take into account? Have you already developed new modules covering those aspects? Your feedback will be much appreciated. Thanks!
What is the level of coverage of theses tests :
http://brochures.sisalp.fr/referentiel-certification-systemes-caisse.pdf
?
Which don't conform ?
|
|
Hi @fgi-odoo. Thanks a lot to ask to the community. Very appreciated. Are you responsible of Point Of Sale in Odoo ? The point are pretty clear for me, except two :
Are talking about the possiblity to generate pdf with daily / weekly / etc.. information ? Not sure to understand.
Are you talking about the possibility to generate via Odoo the certificate. (pdf too). thanks for your precision. kind regards. |
|
@sisalp : your document is outdated. Don't it ? (décembre 2016) After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community. regards. |
|
Hi @fgi-odoo, |
|
2017-10-16 17:42 GMT+02:00 Sylvain LE GAL <notifications@github.com>:
@sisalp : your document is outdated. Don't it ? (décembre 2016)
I didn't see any evolution about how a device can be tested in the
law. All discussions I saw were about environment (who, how, why...),
not about compliance.
After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community.
I don't know about these remarks. Did they change the requirements ?
Any pointer ?
…
regards.
|
|
Answering to my-self: I guess you refer to a comment in this list. Yes
of course, I followed this carefully. The document I pointed is up to
date from my standpoint.
2017-10-16 18:03 GMT+02:00 Dominique Chabord <dominique.chabord@sisalp.org>:
… 2017-10-16 17:42 GMT+02:00 Sylvain LE GAL ***@***.***>:
>
> @sisalp : your document is outdated. Don't it ? (décembre 2016)
I didn't see any evolution about how a device can be tested in the
law. All discussions I saw were about environment (who, how, why...),
not about compliance.
>
> After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community.
I don't know about these remarks. Did they change the requirements ?
Any pointer ?
>
> regards.
--
Dominique Chabord - SISalp
Logiciel libre pour l'entreprise Tryton et open-source Odoo, OpenERP
Les Millières 74230 Serraval - France
tel(repondeur) +33(0)950274960 fax +33(0)955274960 mob +33(0)622616438
http://sisalp.fr
http://boutique.sisalp.fr
https://twitter.com/SISalp l'actualité de vos services en temps réel.
|
|
when I have contacted the DGFIP for this law, i have this response : |
|
Hi @jcchoquet thanks a lot for your link. regards. |
|
@legalsylvain yes I'm the product owner for all the sales apps (sales, pos, ecommerce, etc.).
@jcchoquet: for now balance of POS payment journals can be edited from the Accounting menu since statements stay in draft as long as you don't close the session. So the idea is to prevent the editing of such draft statements if they relate to POS journals. Therefore the only way to make corrections is through the frontend with plus and minus operations, as stated in the new regulation. |
|
@fgi-odoo : the new regulation is not only for cash but for all methods of payment (see topic 11 of link) |
|
@jcchoquet Indeed! So we will stick to the initial plan and prevent users from cancelling any journal entry, including confirmed account payments. |
|
the certification will be made also for the community version ? |
|
Ok, @robinshakty, thanks for your comment, |
|
Thanks @robinshakty for your feedback! Has anybody else tested it? Thanks! |
|
Hi @fgi-odoo, I already reviewed it directly on the PR odoo/odoo#20581 |
|
Odoo will give a module for the certification for Odoo community, but it means that we have to obtain certification on our own, right ? |
|
@robinshakty thanks a lot for your suggestions. Why would it be better to process a sales closing at the closing of a pos session? You might close your POS several times a day or have several sessions running at the same time. It would considerably increase the number of sales closings. If it's only for control reasons, is it not acceptable to launch the cron manually? This will be explaned in the user doc. Then regarding the xml file, this is adding a new layer of security (with another hash computation on the file I guess) that can hacked as well by a "man of the art". Also this extra process would slower the recording a pos order. The initial # computation makes it already a bit slower. So I'm not sure we should do that. A man of the art will always be able to change the hash, whatever you do to prevent it. |
|
@tkFontaine yes you got it. Odoo will provide a user guide with some technical hints. Here is the draft: https://docs.google.com/document/d/1zAA_Qe2H7fCPvGbH_ztuMoNNzmT3xOmX__xF5Ugi2F8/edit?usp=sharing |
|
Hi @fgi-odoo, The idea of the hashed xml file is to have a hashed data out of the (backup of) the database, to maintain inalterability even after a restore of a database, with the possibility to sync with a digital safe (via rsync or ftp), and we would solve the problem of a 'man of the art' because hashed datas woul be secure by another 'real' and independant Certificate Authority. |
|
@robinshakty Ok, a user will not be able to resume a pos session after more than 24 hours. This will force them to process daily closings and so, to include pos sales into daily sales closings. There can be a gap of one day of course, if the sales closing occurs before the pos closing. But this can be easily figured out thanks to datetime fields on both objects. We don't see that as a problem. Regarding the xml file I keep this nice suggestion to improve the module in master afterwards. |
|
Here is our official statement: https://www.odoo.com/fr_FR/blog/notre-blog-5/post/obtenez-la-certification-anti-fraude-a-la-tva-avec-odoo-464. The module will be available very soon. |
|
2017-12-13 15:15 GMT+01:00 fgi-odoo <notifications@github.com>:
Here is our official statement:
https://www.odoo.com/fr_FR/blog/notre-blog-5/post/obtenez-la-certification-anti-fraude-a-la-tva-avec-odoo-464.
Thank you, but care about the fact that Odoo is NOT certified, and in
this statement you must read attestation in place of certificate
sed s/certificate/attestation/g
The module will be available very soon.
and will be interested in any update about your certification process.
|
|
@fgi-odoo Thank you for your work.
Then I closed the session actually open, Edit: I selected the wrong country. But there still a question Is it a problem if there are already old sales before install modules ? |
|
@sisalp We made sure to comply with every single requirement of the new law. So we are confident in delivering the certificate ourself. By law it is also forbidden to communicate anything about any certification process. @tkFontaine all the old sales should be encrypted when you install the module. |
|
2017-12-18 10:00 GMT+01:00 fgi-odoo <notifications@github.com>:
@sisalp We made sure to comply with every single requirement of the new law.
So we are confident in delivering the certificate ourself.
I don't underestimate Odoo's self-confidence but words have their importance.
When you "certify yourself", you can deliver an "attestation"
When certification is done by an authority (there are two), you get a
certified product
Approximation is to be avoided at this step.
By law it is also
forbidden to communicate anything about any certification process.
Any reference to this law ? Certification process is made public by
certification authorities. I referenced the main one previously. Do
you mean "certification process results" instead ?
regards
|
|
On 12/18/17 12:06 PM, sisalp wrote:
Certification process is made public by
certification authorities. I referenced the main one previously. Do
you mean "certification process results" instead ?
|
|
2017-12-18 12:33 GMT+01:00 Olivier Dony <notifications@github.com>:
On 12/18/17 12:06 PM, sisalp wrote:
> Certification process is made public by
> certification authorities. I referenced the main one previously. Do
> you mean "certification process results" instead ?
http://www.nf525.com/index.php?option=com_content&view=article&id=95&Itemid=582
See §3.2.1.
Yes, it confirms that you cannor claim to be certified before you
actually get certified by the authority.
This confirms you must say 'attestation' until then.
|
Will it includes all documents required for certification ? If yes, it means that we have to provide those documents by ourself ? Last question, but not the least : Can someone tell me the difference between "certificat" and "attestation individuelle" ? |
|
@tkFontaine there are detailed elements on BOFIP, around paragraph 350 http://bofip.impots.gouv.fr/bofip/10691-PGP |
|
As discussed here a few months ago, printing the hash on the ticket is needed to avoid offline fraud (cfr odoo/odoo#16935 (comment)). We are working on such an improvement for the l10n_fr_pos_cert module. The ticket printing will therefore require to be online. When it comes to restaurants, we need your opinion regarding pro forma printings. For now, you can take an order, print the pro forma and delete the order without registering the payment. This seems to go against the new legislation requiring to make inalterable any order update with + and - operations (items 20 of the FAQ https://www.economie.gouv.fr/files/files/directions_services/dgfip/controle_fiscal/actualites_reponses/logiciels_de_caisse.pdf). As a solution, we think of recording all the printings in the backend (attached to the pos order) and prevent from deleting orders already printed in pro forma. That way, any update or deletion operation will be printed, saved and encrypted. Do you agree on the solution? Thanks! |
|
Hi @fgi-odoo. Thanks a lot for sharing your insights !
Regarding the print of the hash on the bill, I worked some monthes ago on that feature.
+1 in the JS part. We could add a flag on order lines, that indicate that order line has been printed.
Is it necessary ? If the order lines can not be deleted or altered, once printed. The order will be validated. don't you think ? Other problem I see, unfortunately, in Bar and restaurant, sometimes, the waiter will give the "profarma", and the customer will go without pay. (This occures in France;-)). I think we should handle this case with an option to validate a pos order, but not paid. (something like with a Profit / Loss mechanism). Kind regards. |
|
Hi, As discussed by email, we would gladly collaborate on this 🙂 |
Hello, I read all threads. What about the official certifier for Odoo Pos Community? Regards, |
|
Any answer @fgi-odoo ? Regards |
|
@rgeromegnace Modules used for the certification are available in the community version. But the certificate is only provided to Odoo Enterprise Users, as it implies a strong commitment from the editor (see https://www.odoo.com/fr_FR/blog/notre-blog-5/post/mise-en-conformite-de-votre-systeme-odoo-pour-la-nouvelle-legislation-anti-fraude-a-la-tva-464). If you run the community version, you should issue the certificate yourself or ask an integrator. |
Thanks for your reply even if it is late. I thought that there were partners or integrator that sold the module and that managed the certification. Regards, |
|
There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. |
github-actions
bot
added
the
stale
Dear Community,
I would like to start a thread regarding the SAPIN french law. From now the french administration is not really explicit about the ways to certify the Odoo solution. Does anyone has some legal info?
Here are some of the resources I found :
Some part of the law seems to be easy to certify : Hosting / Backup / Recovery are easy for the community partners to be certified.
Regarding the durability of the datas I think we have a problem with the POS. From now the POS has been designed to be working without network and all the datas are stored inside the browser database. This point could be an issue if you consider how easy it is to get the datas from the internal database (and what about the debug mode allowing to flush the orders!!!)
I have some little ideas on those points :
None of those solutions looks enough for me(everything in the client part could be changed by an experienced user/ ethic hacker).
Odoo seems to have started a reflexion on this : https://github.com/odoo-dev/odoo/commits/9.0-l10n_fr-certification-lpe . It looks like Odoo is considering that only the account_cancel module could be a problem.
Some partners have started a reflexion, (BTW thanks to Sébastien Morelle) : https://anybox.fr/blog/logiciels-de-caisse-certifies
Maybe we could start a thread here https://odoo-community.org/groups/france-24
Any feedback would be appreciated.
Regards
The text was updated successfully, but these errors were encountered: