Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121885
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.200.91.1.1\))
Date: Thu, 30 Nov 2023 18:04:20 -0600
References: <e763ad7e-26aa-4f34-9387-6dfa2a3823b6@app.fastmail.com>
 <8e77ac89-b8dd-4991-b859-943d34592f5d@app.fastmail.com>
 <fff6af56-f888-4263-b6a5-b8718e4614ae@heigl.org>
 <CAOD_yv1hxVzF_N5TTvCVeBZ+G5z=Guy2xL3QnrRNK9gm_r=gmA@mail.gmail.com>
 <06261716-9557-4944-8bad-14cd77cfbbb0@heigl.org>
To: PHP Developers Mailing List <internals@lists.php.net>
In-Reply-To: <06261716-9557-4944-8bad-14cd77cfbbb0@heigl.org>
Message-ID: <DA56D46C-87C0-4F1C-BEB5-A1727C6C8AC7@benramsey.com>
Subject: Re: [PHP-DEV] Adding a donate link to the PHP website
From: ben@benramsey.com (Ben Ramsey)

> On Nov 30, 2023, at 02:45, Andreas Heigl <andreas@heigl.org> wrote:
>=20
> On 30.11.23 09:39, James Titcumb wrote:
>> On Thu, 30 Nov 2023 at 07:28, Andreas Heigl <andreas@heigl.org =
<mailto:andreas@heigl.org>> wrote:
> [...snip...]
>>    I suppose that is actually nothing that an RFC can do as I imagine =
that
>>    everyone from the PHP Group needs to support this and even an RFC
>>    wouldn't legally be able to change anything in regards to that.
>> Surely, everyone who has contributed (i.e. has voting karma) has the =
opportunity to vote, and therefore, if they choose not to vote, that is =
surely their choice. I don't know the ins and outs of it, but I'd have =
thought an RFC, well advertised, with plenty of time to ensure as many =
people can vote who have rights to.
>=20
> What I meant by that is that the members of "The PHP Group" are =
currently the copyright holders. =46rom a legal point of view no RFC can =
change that. The only way to change that would be for the PHP Group to =
transfer their copyright to someone else. What an RFC *can* do though is =
*propose* that the PHP Group transfers their copyright to the PHP =
Foundation.
>=20
> Though I'm lo lawyer, so =C2=AF\_(=E3=83=84)_/=C2=AF


I have spoken at length with a lawyer about this, and the TL;DR version =
is that every contributor owns the copyright on their specific =
contributions, if the contributions are copyrightable. Some =
contributions (typo fixes, white space changes, etc.) aren=E2=80=99t =
copyrightable, but anything more significant that is the contributor=E2=80=
=99s own work belongs to them.

In other words, even though the license statement says the copyright =
belongs to The PHP Group[^1] or Zend Technologies Ltd.[^2], technically, =
these copyrights only apply to the specific code contributed by these =
organizations or contributed by people for these organizations (through =
work-for-hire or by legally transferring the copyright to them).

Contributing to an open source project is NOT an implicit transfer of =
your copyright to the project. To do this, every contributor needs to =
sign a CLA that specifies they are transferring their copyright to The =
PHP Group.

What is implied, however=E2=80=94and I=E2=80=99m told this is how most =
courts in the US and outside would view it=E2=80=94is assignment of =
license. When someone contributes to an open source project, they own =
the copyright on their contributions, but unless they specify a =
different license that covers their contributions, it=E2=80=99s implied =
that they are granting use of their contributions under the same license =
as the project. In this way, the contributor can=E2=80=99t later demand =
to have their copyrighted code removed; it=E2=80=99s under the terms of =
the same license, which can't be revoked.

Once a copyright statement is placed on a source file, there=E2=80=99s a =
bunch of legal reasons why you cannot change or remove that copyright =
statement. In general, you should keep all copyright statements added to =
a source file and never change one that already exists on a source file. =
Just look at the file header on any WebKit[^3] source file. WebKit even =
specifies that you add a copyright notice to each file where you make =
=E2=80=9Csignificant=E2=80=9D changes.[^4]

With this in mind, it would be more proper to update the general =
copyright notice to something like this:

    Copyright (c) 2023 and later, The PHP Foundation and contributors. =
All rights reserved.
    Copyright (c) 1999-2023, The PHP Group and contributors. All rights =
reserved.

Since no reassignment of copyright is taking place, we don=E2=80=99t run =
into any major legal issues, and this tells a true and accurate story. =
The PHP Group were stewards of the project until 2023, at which point =
the community recognized The PHP Foundation as the new stewards of the =
project, and through all of this time (since 1999), the various =
copyrights have been owned by their respective owners (i.e., =
contributors).

If you look at the file headers on ICU source code, you can see that =
Unicode, Inc. made a similar change in 2016.[^5]

All this said=E2=80=A6 I am in favor of making this change.

I also have a lot more to say on this, as I=E2=80=99ve been considering =
opening up an RFC on just this topic. I had intended to reach out to =
Zend first (through Matthew Weier O=E2=80=99Phinney), but I haven=E2=80=99=
t done that yet, so this is the first time anyone from Zend has seen =
these ideas. My apologies. :-)

The PHP source code is interesting in that it is covered by two =
licenses: the PHP License[^6] and the Zend Engine License.[^7] This is =
an historical artifact of the early days of PHP when it was conceivable =
that other companies might develop their own engines for PHP, but we =
know how this story ends: for all intents and purposes, the Zend Engine =
is PHP and PHP is the Zend Engine. Yes, I=E2=80=99m aware of =
alternatives (with very limited adoption), and no, they don=E2=80=99t =
matter for this discussion.

Both the PHP License and Zend Engine License are based on the BSD =
4-clause =E2=80=9COriginal=E2=80=9D license,[^8] and as a result, =
neither are compatible with the GPL.[^9][^10] In fact, the Zend Engine =
License isn=E2=80=99t an OSI Approved License, while the PHP License =
is,[^11] and this can cause problems, especially with companies that =
require SBOMs listing the licenses of all third-party software used and =
these licenses must be OSI Approved. I=E2=80=99m not sure why no one has =
raised this as an issue yet, and I=E2=80=99ve been quiet about it (until =
now) to avoid it becoming an issue.

The BSD 4-clause license is the one that includes the =E2=80=9Cobnoxious=E2=
=80=9D (in the words of the FSF) advertising clause, and the Zend =
license includes this. Both the PHP and Zend licenses include a =
statement that says The PHP Group and Zend Technologies Ltd. have the =
exclusive right to publish revised versions of the license, and both =
state that redistributions must include a specific =E2=80=9Cthis product =
includes=E2=80=A6=E2=80=9D statement. The PHP License also includes the =
restrictions against using the name =E2=80=9CPHP=E2=80=9D in the name of =
any derivatives. If all of these statements are removed, the licenses =
become identical to the BSD 3-clause license.

So, a few points about this:

* In general, when changing a project=E2=80=99s license, you need every =
contributor to approve of the changes because they own the copyrights on =
their contributions and the license terms of their copyrighted =
contributions are changing.
* The PHP and Zend licenses are essentially the BSD 3-clause license =
with additional stuff.
* The additional stuff isn=E2=80=99t related to any rights a contributor =
(i.e., copyright holder), other than The PHP Group and Zend, would have =
on the source code.
* The PHP Group has already specified it has the right to modify its =
license.
* Zend has already specified it has the right to modify its license.
* The additional stuff is largely unimportant and unenforceable.
* If both licenses are modified to change them to the BSD 3-clause =
license, this does not change any of the terms the contributors (i.e., =
the copyright holders) have granted to users, so we don=E2=80=99t need =
explicit approval from all contributors (though an advance notice of =
several months to allow comments on the changes is a nice gesture).

Obviously, IANAL, but I=E2=80=99ve spoken with Pamela Chestek about =
these changes. She is a member of the Board and Chair of the License =
Committee for the Open Source Initiative, though I must make it clear =
(for legal reasons) that she was not acting in an official capacity of =
her role with the OSI when we spoke.=20

MY PROPOSAL:

1. Retire the PHP License and Zend Engine License.
2. Drop the Zend/LICENSE file and replace the text of the LICENSE file =
with the exact text of the BSD 3-clause license.
3. Replace the copyright notice in the file headers and LICENSE with the =
following:

    Copyright (c) 2023 and later, The PHP Foundation and contributors.
    Copyright (c) 1999-2023, The PHP Group and contributors.
    Copyright (c) 1999-2023, Zend Technologies USA, Inc. ("Zend=E2=80=9D),=

      a subsidiary of Perforce Software, Inc.

Here is an example diff of the proposed changes to the LICENSE file: =
https://gist.github.com/ramsey/96026cda9da33cb95e49357dc074cdb5

We would allow contributors (i.e., copyright holders) at least 3 months =
to make comments on the proposal, after which their approval is implied.


An ALTERNATE PROPOSAL, if others feel strongly about keeping the =
=E2=80=9Cadditional stuff=E2=80=9D in the LICENSE:

1. Retire the Zend Engine License, effectively folding it into the PHP =
License.
2. Make some light edits to the PHP License to bring it to parity with =
the exact text of the BSD 3-clause license, while keeping the =
aforementioned =E2=80=9Cadditional stuff.=E2=80=9D
3. Replace the copyright notice in the file headers and LICENSE, as =
noted above.
4. Bump the PHP License version number to 3.2.

Here is an example diff of the alternate proposed changes to the LICENSE =
file: https://gist.github.com/ramsey/b6bd0339a027b182f91133d912515d44=20

Again, we would allow contributors (i.e., copyright holders) at least 3 =
months to make comments on the proposal, after which their approval is =
implied.

It=E2=80=99s important to note that The PHP Group (or PHP Association) =
did exist at one time as a formal business entity in the US,[^12] and =
Zend drafted a formal agreement with the PHP Association for its use of =
the Zend Engine.[^13] So, there is some precedence here for members of =
The PHP Group to step forward and =E2=80=9Cbless=E2=80=9D or approve of =
this proposal. Additionally, it=E2=80=99s important for Zend to also =
=E2=80=9Cbless=E2=80=9D or approve of this.

So, this is a lot for a message in a thread about adding a donation link =
to the PHP website, but if others are interested, I can take this into a =
new thread and work on a separate RFC, or perhaps we use the same RFC =
for both and use it as an opportunity to formalize the project=E2=80=99s =
relationship with The PHP Foundation, as the successor to The PHP Group.

Cheers,
Ben



[^1]: https://github.com/php/php-src/blob/master/LICENSE
[^2]: https://github.com/php/php-src/blob/master/Zend/LICENSE=20
[^3]: =
https://github.com/WebKit/WebKit/blob/main/Source/JavaScriptCore/runtime/I=
ntlObject.cpp
[^4]: https://webkit.org/contributing-code/#develop-your-changes
[^5]: =
https://github.com/unicode-org/icu/blob/8d3d214ad7f76b7d0650f19a871a0e7d58=
a5986f/icu4c/source/i18n/msgfmt.cpp
[^6]: =
https://github.com/php/php-src/blob/4d51d588b90737016afb69e99432b2d0969b37=
23/LICENSE
[^7]: =
https://github.com/php/php-src/blob/4d51d588b90737016afb69e99432b2d0969b37=
23/Zend/LICENSE
[^8]: https://spdx.org/licenses/BSD-4-Clause.html
[^9]: https://www.gnu.org/licenses/license-list.html#OriginalBSD
[^10]: https://www.gnu.org/licenses/bsd.html
[^11]: https://opensource.org/license/php-3-01/
[^12]: https://1drv.ms/f/s!AoV7OZl7wKt-hcBhtk2mnkJOJWYk8Q
[^13]: https://www.php.net/license/ZendGrant/