Hi,
We just had some private discussions about the implication of contributing
under a pseudonym. This is in general fine and we should not have a problem
with it and we actually never verified the contributors so this is possibly
happening already.
The only thing about it is that it might raise questions why the pseudonym
is used. This is quite likely completely fine and it might be just that the
author does not want to share their personal details. We should not be
asking those authors to provide their identity because it's their personal
choice and we should respect it.
That said we also need to think about the project and possible risk that
this can also bring. One of those is potentially hiding the identity
because the author does not have rights to contribute (e.g. their employer
has that right). Even though this is unlikely, it's a problem that we should
consider. There is quite an easy solution for such a problem though - it's a
Developer Certificate of Origin. It's pretty easy to integrate and I put
together a quick PR to add it: https://github.com/php/php-src/pull/18350 .
The implication of that is that it means that all commits (except the merge
ones) in the PR will need to have a signed-off-by header with the author of
the commit. This is still fine to be signed off by the pseudonym. This also
applies to users with a legal name because the same issue applies to them too
potentially.
Please let me know if you have any concerns or thoughts about this!
Kind regards,
Jakub
Hi
I have a strong suspicion of why this comes up now, but would still like to have more openness on why this is suddenly needed.
This just seems like an extra barrier and extra work.
Since this is a policy change, doesn't this need an RFC as well?
Kind regards
Niels
Marco Deleu
Hi
Since this is a policy change, doesn't this need an RFC as well?
Kind regards
Niels
One can argue that this isn’t a policy change but rather just tooling to help enforce a policy already in place: https://www.php.net/license/contrib-guidelines-code.php
Hi
Are you referring to the following text?
If you contribute code that isn't entirely your own (for example it may be partially derived from other Open Source software) you are asked to add a comment into the source code to indicate the origin and the license of the original code.
Because yes if you contribute code that isn't your own you should cite the source, I agree with that.
However, I don't see how this is related to a DCO.
Kind regards
Niels
On Fri, Apr 18, 2025 at 7:53 PM Niels Dossche dossche.niels@gmail.com
wrote:
Hi
I have a strong suspicion of why this comes up now, but would still like
to have more openness on why this is suddenly needed.
This just seems like an extra barrier and extra work.
Since this is a policy change, doesn't this need an RFC as well?
Yeah I think an RFC makes sense. I will try to put something together
including some reasoning why I think it's a good thing to have.
Regards
Jakub
Hi
Jakub Zelenka bukka@php.net wrote on 18.04.2025 18:37 CEST:
Hi,
We just had some private discussions about the implication of contributing
under a pseudonym. This is in general fine and we should not have a problem
with it and we actually never verified the contributors so this is possibly
happening already.
The only thing about it is that it might raise questions why the pseudonym
is used. This is quite likely completely fine and it might be just that the
author does not want to share their personal details. We should not be
asking those authors to provide their identity because it's their personal
choice and we should respect it.
That said we also need to think about the project and possible risk that
this can also bring. One of those is potentially hiding the identity
because the author does not have rights to contribute (e.g. their employer
has that right). Even though this is unlikely, it's a problem that we should
consider. There is quite an easy solution for such a problem though - it's a
Developer Certificate of Origin. It's pretty easy to integrate and I put
together a quick PR to add it: https://github.com/php/php-src/pull/18350 .
The implication of that is that it means that all commits (except the
merge ones) in the PR will need to have a signed-off-by header with the
author of the commit. This is still fine to be signed off by the pseudonym.
This also applies to users with a legal name because the same issue applies
to them too potentially.
Please let me know if you have any concerns or thoughts about this!
Kind regards,
Jakub
According to the license (see
https://github.com/php/php-src/blob/master/LICENSE):
IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE
From my understanding there is no liability for the project if people
contribute that are not allowed to contribute, or contribute code without
proper IP rights.
If there are valid complaints from any third party, the project can remove
the code that is questioned.
The problem is that if the author does not have rights to contribute the
code under that license, it might be problematic and the owner might
request removal of the code or there might be potentially other
implications.
Kind regards,
Jakub
Hi,
We just had some private discussions about the implication of contributing under a pseudonym. This is in general fine and we should not have a problem with it and we actually never verified the contributors so this is possibly happening already.
I fully agree with these two points.
The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it's their personal choice and we should respect it.
I fully agree here too.
That said we also need to think about the project and possible risk that this can also bring. One of those is potentially hiding the identity because the author does not have rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350 .
I wonder where these new names come from for many things existing
since long under clear, widespread and understood names. In this
specific case, and please correct me if that's not the reason for this
initiative, it is called a Common License Agreement (CLA). Which we
always opposed to have, and I still do, strongly :).
best,
Pierre
@pierrejoye | http://www.libgd.org
That said we also need to think about the project and possible risk that
this can also bring. One of those is potentially hiding the identity
because the author does not have rights to contribute (e.g. their employer
has that right). Even though this is unlikely, it's a problem that we should
consider. There is quite an easy solution for such a problem though - it's a
Developer Certificate of Origin. It's pretty easy to integrate and I put
together a quick PR to add it: https://github.com/php/php-src/pull/18350 .
I wonder where these new names come from for many things existing
since long under clear, widespread and understood names. In this
specific case, and please correct me if that's not the reason for this
initiative, it is called a Common License Agreement (CLA). Which we
always opposed to have, and I still do, strongly :).
I think the name is different because it does not require an explicitly signed
document but just provides a personal hint to the commits providing some sort
of personal attestation of that particular commit. You can probably google
it to get more details - it's a Linux Foundation thing that is used by many
projects.
Anyway after getting some feedback I decided not to proceed with this and
am just proposing a much lighter variant which is purely updating the
CONTRIBUTING.md : https://github.com/php/php-src/pull/18356 . I don't think
this update really needs an RFC as it's not really a policy change so if
there are no objections, I will merge it in the next few weeks.
Kind regards
Jakub