Newsgroups: php.internals
Date: Fri, 18 Apr 2025 18:37:19 +0200
Subject: [PHP-DEV] Requiring DCO (Developer Certificate of Origin)
From: bukka@php.net (Jakub Zelenka)
To: PHP internals list

Hi,

We just had some private discussions about the implication of contributing under a pseudonym. This is in general fine and we should not have a problem with it and we actually never verified the contributors so this is possibly happening already.

The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it's their personal choice and we should respect it.

That said we also need to think about the project and the possible risk that this can also bring. One of those is potentially hiding the identity because the author does not have rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350 .

The implication of that is that it means that all commits (except the merge ones) in the PR will need to have a signed-off-by header with the author of the commit. This is still fine to be signed off by the pseudonym. This also applies to users with a legal name because the same issue applies to them too potentially.

Please let me know if you have any concerns or thoughts about this!

Kind regards,

Jakub
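The rule described in the message (every non-merge commit carries a Signed-off-by trailer naming the commit's author, pseudonym or not) can be sketched as the following check. This is an added example, not part of the original message and not the code from the linked PR; the `Commit` record, the sample commits and the exact matching rule (same name, same email ignoring case) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# A trailer line such as: Signed-off-by: Jane Doe <jane@example.org>
TRAILER = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^<>]+)>\s*$", re.I)

@dataclass
class Commit:
    sha: str           # constructed placeholder id, not a real hash
    author_name: str
    author_email: str
    parents: int       # more than one parent means a merge commit
    message: str

def signoffs(message):
    """Return (name, email) pairs found in the trailer block (last paragraph)."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:
        return []      # a subject line alone has no trailer block
    found = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER.match(line.strip())
        if m:
            found.append((m["name"].strip(), m["email"].strip().lower()))
    return found

def dco_violations(commits):
    """Return the ids of non-merge commits lacking a sign-off by their own author."""
    bad = []
    for c in commits:
        if c.parents > 1:
            continue   # merge commits are exempt, as the message states
        if (c.author_name, c.author_email.lower()) not in signoffs(c.message):
            bad.append(c.sha)
    return bad

# Constructed sample history: names, addresses and ids are invented.
SAMPLE = [
    Commit("c1", "Jane Doe", "jane@example.org", 1,
           "Fix parser\n\nDetails.\n\nSigned-off-by: Jane Doe <jane@example.org>"),
    Commit("c2", "nightowl", "nightowl@example.org", 1,   # pseudonym is accepted
           "Add test\n\nSigned-off-by: nightowl <NightOwl@example.org>"),
    Commit("c3", "Jane Doe", "jane@example.org", 1, "Tidy up\n\nNo trailer here."),
    Commit("c4", "Jane Doe", "jane@example.org", 1,       # signed by someone else
           "Refactor\n\nSigned-off-by: Other Person <other@example.org>"),
    Commit("c5", "Jane Doe", "jane@example.org", 2, "Merge branch 'fix'"),
]

if __name__ == "__main__":
    print("commits failing the DCO check:", dco_violations(SAMPLE))
```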