Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much

(OT) Building in "donation management" support in site design

by hacker (Priest)
on Jun 25, 2002 at 08:14 UTC ( [id://177037]=perlmeditation: print w/replies, xml ) Need Help??

Bear with me for a moment, my fellow monks...

It has recently come to my attention that I'm going to have to begin thinking about developing a donation-type of system for an Open Source project I contribute heavily to, Plucker.

A commercial company has taken our software and is using it in violation of the spirit and letter of the license which binds it (the GNU General Public License, aka GPL).The FSF has appointed an attorney to work on our behalf, and she's been dong great. Her current arrangement doesn't allow her to take our case to litigation, however, under pro bono terms, so we have to find a way to fund legal fees should the case persue towards litigation. We've already been threatened four times with a lawsuit by the CEO of this company if we even consider taking him to court.
"If we end up in court, I will bankrupt these guys."
-- CEO, $this_company
I've seen at least three ways to handle this:
  1. PayPal "generic" account for the project team
    Using PayPal makes it easier to donate from the website, offloading the credit card verification from us, but is not FDIC insured facility.
  2. SSL certificate on the server + credit card verification/payment system
    Having an official Thawte SSL certificate will bolster confidence in the donator. It verifies origin, is secure, and allows direct credit card processing. Unfortunately, it's also expensive.
  3. "Snail mail"/Postal Mail
    This is the most-broad, since everyone in the world can send in a postal mail donation, if this was the only way to donate, many would not. It's slow, requires a lot of manual work, and doesn't work well with international funds.
I'm fairly confident I can develop the perl on the server-side to support this, but I'm wondering if any others have built similar systems, and how did you go about it?

Any gotchas?

Any particular modules/technologies I should using/not using?

Any other tips or comments I can use?

Thank you for your help and support in this matter.

edit kudra 25-06-2002
Marked off topic

  • Comment on (OT) Building in "donation management" support in site design

Replies are listed 'Best First'.
Re: Building in "donation management" support in site design
by hakkr (Chaplain) on Jun 25, 2002 at 11:42 UTC
    I would recommend using secure trading for your real time credit card validation as they provide fraud prevention functions and are industry standard. Also remember never to store credit card numbers on your server if you must refer to credit card numbers use only the first 4 digits likeso 2341 xxxx xxxx xxxx xxxx. You 'll need a proper merchant bank account to accept the payments. AMEX cards require a separate merchant account to the VISA/Mastercard. Older browsers may have trouble with 128 bit certificates.

    A self signed certifcate will save you money and is unlikely to be noticed. Also to save money you may use a 40 bit certificate which is also not likely to be a barrier. Make sure every page is printable to a single page of A4. openssl with mod_ssl for apache is the easy free way to go. Always remember to backup your key and CSR and store them securely. Perl wise you should notice no difference under https except for a slight decrease in speed. I would look at some of the CPAN encryption modules if you do decide to store credit card information on your server. Watch out what minimum transaction size you do choose as the smaller they get the less worthwhile it all becomes

    Update Secure trading charge 1.5% per transaction and the credit card company will also make a charge per transaction in case of AMEX 3%. As for opening a merchant bank account I don't imagine there is a charge for that but you probably have to be a registered company.
      Thanks for the ideas.

      I already have a self-signed cert I created awhile ago, and it's been working fine for my basic tests. I also bury my IMAP mail behind it using SquirrelMail, so the mod_ssl bits are already there and functioning well (I also use a similar certificate for my irc/ssl irc server). My server signature is currently:

      Server: Apache/1.3.26 (Unix) PHP/4.3.0RC1 mod_gzip/ mod_perl/1.26 mod_ssl/2.8.9 OpenSSL/0.9.6a

      The only downside to having a self-signed certificate is that the user will get a warning dialog every single time they hit the secured page, because their browser doesn't recognize the CA.

      I suppose I'll have to see how to handle the merchant account issue. I wonder what (if anything) they charge for that service. Is it a percentage of the charges processed through them? Or is it a flat fee on a monthly scale? Merits further investigation. Thanks again.

Re: Building in "donation management" support in site design
by Matts (Deacon) on Jun 25, 2002 at 11:30 UTC
    Wow, that situation sucks.

    Personally I'd do paypal. While it's known to have a bad customer agreement, it's very widely known, and trivial to write something for it - it's just a plain form with the action attribute pointing to paypal.

    But don't expect to get much from it. I've had a Contribute form up for AxKit for over a year now and not had a single donation, despite the default donation being set at only $20.

Re: Building in "donation management" support in site design
by Anonymous Monk on Jun 25, 2002 at 12:35 UTC
    Talk to Wendy about whether you want to assign copyright to the FSF. You would forgo the possibility of collecting damages, but you would also forgo possible liability and the cost of lawyers. Plus the FSF has deeper pockets and an infrastructure set up to handle donations.

    If you proceed on your own, just one tip. Have a website that can hold up to the /. effect. :-)

      We've been slashdotted a few times for other reasons (the Sony GPL Violation was one), the site has no problem with getting slammed. We've held off on public awareness campaigns for the moment, only because we' keep getting threatened by the CEO with being sued every time we talk about mentioning this to anyone. Once our attorney assures us we are in the clear, the broader campaign will commence.

      The problem with the copyright assignment is that we're spreading the copyright too thin at that point. There are eight (8) or so of us on the team, and we've already filed US Copyright documents with the copyright office ("dead-tree" versions, signed in blue ink, with the required two printed copies of the source included), but re-assigning copyright to the FSF would weaken our position in the short term.

      It tends to be a delicate issue, but the interesting part is how the licensing and your rights actually get stronger when the original GPL license is violated.. (every copy re-distributed/sold/etc. after a GPL violation is found, is now a US copyright violation, outside the reach of the GPL, but now well within the reach of the DMCA and Lanham Act).

      At this point, my concern is to continue getting releases out, make the customers aware that the software was written by us, not by $COMPANY, and that we are the copyright holders, not $COMPANY. To affront the lawsuit threats we've been hearing, it's going to be good to be prepared financially and legally, for whatever will ensue, by making it possible for others to help us out with donations/etc.

      The CEO has already said directly that he has millions of investor dollars to take to court with him, and his intention is to bankrupt us. There's something very fishy going on here. We simply asked for compliance with the license, and for that request, are being threatened with lawsuits. Doesn't quite sound right, unless someone's guilty, and trying to mute the developers with baseless threats.

      Keep the great ideas, comments, and support coming.

Re: (OT) Building in "donation management" support in site design
by tjh (Curate) on Jun 25, 2002 at 14:48 UTC
    Bad scene. Sympathies and "keep up the good work" to ya.

    A commercial company has taken our software and is using it in violation of the spirit and letter of the license which binds it...

    Nasty. This company, and this CEO, need to be hurt. They're not getting it. Simple vindictiveness might indicate finding out who's on their board and contacting them too - they might like being personally implicated... :)

    Even if the FSF atty won't work for free to free your software, be sure she helps you cover;

    • Your documentation and proofs;

    • Your rights and responsibilities re: PR and other public venue exposures your group, with the FSF's help, may be able to use (the Big Company may not like public exposure for many reasons...) However, using PR and taking it public has it's own risks - be sure an attorney works with you at every step. Not that this is advice (IANAL), but given proper legal help, could be very interesting.

    • What's your fallback position if there are no donos?

    • Get her advice and guidance on ALL other avenues and approaches you can pursue, including her advice or referrals to atty's that CAN and WILL take a high profile case pro bono.

    • As for payments, do all mentioned. Also include a phone number donors can call. Be sure you have ways to issue receipts.

    I just did a little Googling and noticed who they are. Their web site hides all contact and corporate info. Interesting.

    There's a bit of data floating around, including good sites like this one.

(Really OT) Re: (OT) Building in "donation management" support in site design
by Zaxo (Archbishop) on Jun 25, 2002 at 14:39 UTC

    There are some quasi-legal forms of business treachery you may want to keep in mind. Here are a few questions you can research.

    Do members of $COMPANY's law and/or accounting firm hold a majority of the voting stock or board seats? That gives them the power to shift $COMPANY's assets into their own pockets by doing just as they have threatened. In extremis, they can leave an empty husk for you to try and collect from, along with all their other creditors.

    Is there a dissatisfied minority block of shareholders? Some may be wary of the majority, and assist you by opposing the board and management. They have a lot to lose if the majority loots the company.

    Do $COMPANY's employees hold a significant block of stock? Bankruptcy hurts them worst of all, They are less likely to oppose the majority, but might be developed as a source of information.

    Are $COMPANY's shares publicly traded? That gives you the tactic of buying a share, which gives you standing to make demands, noise and trouble. It also makes the SEC take an interest.

    Does $COMPANY have enough money or political clout to be above the law? Self-explanatory.

    Uhhh... IANAL, btw. ;-)

    After Compline,

Re: (OT) Building in "donation management" support in site design
by shotgunefx (Parson) on Jun 25, 2002 at 15:07 UTC
    Well, a quick (and very secure) way of doing it would be to set up a Yahoo! Store. It'll cost you $50 bucks a month flat, plus a 10 cents per item (donation amount) and 0.5% transaction fee but it will hold up on almost any amount of users and takes a lot of the headache and liability off of you.

    If you don't already have a merchant account, you can apply for one.

    The cost might be too much but I can tell you that I have not donated to certain organizations in the past because of security concerns. In those situations I would have used paypal if it had been available so maybe that's the way to go.

    Good luck!


    "To be civilized is to deny one's nature."
Re: (OT) Building in "donation management" support in site design
by chaoticset (Chaplain) on Jun 30, 2002 at 08:17 UTC
    The trick in any multiplayer game where you can lose is to pit the two biggest opponents against each other and scrap the loser. Law is most definately a multiplayer game. :)

    Legally, this is tricky but possible, IMHO (though IANAL, thank Chao). Does $COMPANY already have a bad reputation? If so, seek the help of advocacy groups such as the Better Business Bureau, or attempt to get in touch with law enforcement -- if the CEO is doing this to you, the CEO may be doing it to someone else.

    Similarly, consider the possibility of enlisting a (hopefully) more honorable corporate sponsor in some fashion -- set up a licensing agreement with someone who has got the legal capability to reduce $COMPANY to litigious cinders, and sit back to watch the fireworks.

    Keep in mind that IANAL. (Although if you do see a hefty settlement through these techniques, then by reading this post you've already agreed to my EULA (End-User Legal Agreement) and therefore owe me 5% of all monies recieved. ;) )

    You are what you think.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlmeditation [id://177037]
Approved by Zaxo
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others pondering the Monastery: (None)
    As of 2024-04-25 00:47 GMT
    Find Nodes?
      Voting Booth?

      No recent polls found