Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:127153
Precedence: bulk
MIME-Version: 1.0
References: <CAEKnhAHORcGZtWOe9_2gOabTqMKHBGTMN6LEm=fFieWtZO30nQ@mail.gmail.com>
 <741043039.151003.1745003044092@email.ionos.de>
In-Reply-To: <741043039.151003.1745003044092@email.ionos.de>
Date: Sat, 19 Apr 2025 01:06:59 +0200
Message-ID: <CAEKnhAFxhhopZhMFH_B3dmmZXBzpzDsiq1yJEPfHzZ5kZ6f0qw@mail.gmail.com>
Subject: Re: [PHP-DEV] Requiring DCO (Developer Certificate of Origin)
To: Sai Liu <mails@thomasbley.de>
Cc: PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000fb299d06331593ff"
From: bukka@php.net (Jakub Zelenka)

--000000000000fb299d06331593ff
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi

On Fri, Apr 18, 2025 at 9:04=E2=80=AFPM Sai Liu <mails@thomasbley.de> wrote=
:

>
>
> Jakub Zelenka <bukka@php.net> hat am 18.04.2025 18:37 CEST geschrieben:
>
>
> Hi,
>
> We just had some private discussions about the implication of contributin=
g
> under pseudonym. This is in general fine and we should not have problem
> with it and we actually never verified the contributors so this is possib=
ly
> happening already.
>
> The only thing about it is that it might raise questions why the pseudony=
m
> is used. This is quite likely completely fine and it might be just that t=
he
> author does not want to share their personal details. We should not be
> asking those authors to provide their identity because it's their persona=
l
> choice and we should respect it.
>
> That said we also need to think about the project and possible risk that
> this can also bring. One of those is potentially hiding the identity
> because the author does not have rights to contribute (e.g. their employe=
r
> has that right). Even though this unlikely, it's a problem that we should
> consider. There is quite easy solution for such problem though - it's a
> Developer Certificate of Origin. It's pretty easy to integrate and I put
> together a quick PR to add it: https://github.com/php/php-src/pull/18350
> .
>
> The implication of that is that it means that all commits (except the
> merge ones) in the PR will need to have signed-off-by header with the
> author of the commit. This is still fine to be signed off by the pseudony=
m.
> This also applies to users with legal name because the same issue applies
> to them too potentially.
>
> Please let me know if you have any concerns or thoughts about this!
>
> Kind regards,
>
> Jakub
>
>
>
>
> According to the license (see
> https://github.com/php/php-src/blob/master/LICENSE):
> IN NO EVENT SHALL THE PHP
> DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE
>
> From my understanding there is no liability for the project if people
> contribute that are not allowed to contribute, or contribute code without
> proper IP rights.
> If there are valid complains from any third party, the project can remove
> the code that is questioned.
>

The problem is that if the author does not have rights to contribute the
code under that license, it might be problematic and the owner might
request removal of the code or there might be potentially other
implications.

Kind regards,

Jakub

--000000000000fb299d06331593ff
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi</div><br><div class=3D"gmail_quote gmail_quote_con=
tainer"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Apr 18, 2025 at 9:04=
=E2=80=AFPM Sai Liu &lt;<a href=3D"mailto:mails@thomasbley.de">mails@thomas=
bley.de</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><u></u>

=20
 =20
=20
 <div>
  <div>
   =C2=A0
  </div>
  <blockquote type=3D"cite">
   <div>
    Jakub Zelenka &lt;<a href=3D"mailto:bukka@php.net" target=3D"_blank">bu=
kka@php.net</a>&gt; hat am 18.04.2025 18:37 CEST geschrieben:
   </div>
   <div>
    =C2=A0
   </div>
   <div>
    =C2=A0
   </div>
   <div dir=3D"ltr">
    Hi,=20
    <div>
     =C2=A0
    </div>
    <div>
     We just had some private discussions about the implication of contribu=
ting under pseudonym. This is in general fine and we should not have proble=
m with it and we actually never verified the contributors so this is possib=
ly happening already.
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     The only thing about it is that it might raise questions why the pseud=
onym is used. This is quite likely completely fine and it might be just tha=
t the author does not want to share their personal details. We should not b=
e asking those authors to provide their identity because it&#39;s their per=
sonal choice and we should respect it.
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     That said we also need to think about the project and possible risk th=
at this can also bring. One of those is potentially hiding the identity bec=
ause the author does not have rights to contribute (e.g. their employer has=
 that right). Even though this unlikely, it&#39;s a problem that we should =
consider. There is quite easy solution for such problem though - it&#39;s a=
 Developer Certificate of Origin. It&#39;s pretty easy to integrate and I p=
ut together a quick PR to add it:=C2=A0<a href=3D"https://github.com/php/ph=
p-src/pull/18350" target=3D"_blank">https://github.com/php/php-src/pull/183=
50</a> .
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     The implication of that is that it means that all commits (except the =
merge ones) in the PR will need to have signed-off-by header with the autho=
r of the commit. This is still fine to be signed off by the pseudonym. This=
 also applies to users with legal name because the same issue applies to th=
em too potentially.
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     Please let me know if you have any concerns or thoughts about this!
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     Kind regards,
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     Jakub
    </div>
    <div>
     =C2=A0
    </div>
    <div>
     =C2=A0
    </div>
   </div>
  </blockquote>
  <div>
   =C2=A0
  </div>
  <div>
   According to the license (see <a href=3D"https://github.com/php/php-src/=
blob/master/LICENSE" target=3D"_blank">https://github.com/php/php-src/blob/=
master/LICENSE</a>):
  </div>
  <div>
   IN NO EVENT SHALL THE PHP
   <br>
   DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE
  </div>
  <div>
   =C2=A0
  </div>
  <div>
   From my understanding there is no liability for the project if people co=
ntribute that are not allowed to contribute, or contribute code without pro=
per IP rights.
  </div>
  <div>
   If there are valid complains from any third party, the project can remov=
e the code that is questioned.</div></div></blockquote><div><br></div><div>=
The problem is that if the author does not have rights to contribute the co=
de under that license, it might be problematic and the owner might request =
removal of the code or there might be potentially other implications.</div>=
<div><br></div><div>Kind regards,</div><div><br></div><div>Jakub=C2=A0</div=
></div></div>

--000000000000fb299d06331593ff--