[PHP-DEV] Requiring DCO (Developer Certificate of Origin)

Hi,

We just had some private discussions about the implications of contributing under a pseudonym. This is in general fine and we should not have a problem with it, and we actually never verified the contributors, so this is possibly happening already.

The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it’s their personal choice and we should respect it.

That said, we also need to think about the project and the possible risks that this can bring. One of those is potentially hiding the identity because the author does not have the rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.

The implication of that is that all commits (except the merge ones) in the PR will need to have a Signed-off-by header with the author of the commit. It is still fine for this to be signed off by the pseudonym. This also applies to users with a legal name because the same issue potentially applies to them too.

Please let me know if you have any concerns or thoughts about this!

Kind regards,

Jakub
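As an added illustration of the rule described in the message above (this is not code from the thread or from the php-src PR), here is a small check over commit records of the kind a CI job would extract from git log: every non-merge commit must carry a Signed-off-by trailer whose name and e-mail match the commit author, pseudonyms included, and merge commits are skipped. The Commit record, the function names and the sample commits are assumptions constructed for the example.

```python
# Added example, not part of the thread or of php-src: a DCO-style gate over
# commit records. Each non-merge commit needs a "Signed-off-by: Name <email>"
# trailer matching its author; merge commits are exempt. Names may be
# pseudonyms, only consistency with the author field is checked.
import re
from dataclasses import dataclass

SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str
    parents: int = 1  # 2 or more parents means a merge commit


def trailers(message):
    """Return (name, lowercased email) pairs from Signed-off-by lines."""
    return [(m.group("name"), m.group("email").lower())
            for m in SIGNOFF_RE.finditer(message)]


def check_dco(commits):
    """Return a list of (sha, reason) for commits that fail the check."""
    failures = []
    for c in commits:
        if c.parents > 1:            # merge commits are not sign-off checked
            continue
        found = trailers(c.message)
        if not found:
            failures.append((c.sha, "missing Signed-off-by trailer"))
        elif (c.author_name, c.author_email.lower()) not in found:
            failures.append((c.sha, "Signed-off-by does not match commit author"))
    return failures


# Constructed sample commits (hypothetical, not real php-src history).
SAMPLE = [
    Commit("a1", "nightowl", "nightowl@example.org",
           "Fix parser\n\nSigned-off-by: nightowl <nightowl@example.org>\n"),
    Commit("b2", "Jane Doe", "jane@example.com", "Add test\n"),
    Commit("c3", "Jane Doe", "jane@example.com",
           "Tweak\n\nSigned-off-by: Someone Else <other@example.com>\n"),
    Commit("d4", "Maintainer", "m@example.net", "Merge branch 'feature'\n", parents=2),
]

if __name__ == "__main__":
    for sha, reason in check_dco(SAMPLE):
        print(f"{sha}: {reason}")
```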

Hi

I have a strong suspicion of why this comes up now, but would still like to have more openness on why this is suddenly needed.
This just seems like an extra barrier and extra work.
Since this is a policy change, doesn't this need an RFC as well?

Kind regards
Niels

Marco Deleu

On 18 Apr 2025, at 14:54, Niels Dossche dossche.niels@gmail.com wrote:

Hi

Since this is a policy change, doesn’t this need an RFC as well?

Kind regards
Niels

One can argue that this isn’t a policy change but rather just tooling to help enforce a policy already in place: https://www.php.net/license/contrib-guidelines-code.php

On 18/04/2025 20:10, Marco Aurélio Deleu wrote:

One can argue that this isn't a policy change but rather just tooling to help enforce a policy already in place: https://www.php.net/license/contrib-guidelines-code.php

Hi

Are you referring to the following text?

If you contribute code that isn't entirely your own (for example it may be partially derived from other Open Source software) you are asked to add a comment into the source code to indicate the origin and the license of the original code.

Because yes if you contribute code that isn't your own you should cite the source, I agree with that.
However, I don't see how this is related to a DCO.

Kind regards
Niels

Jakub Zelenka bukka@php.net hat am 18.04.2025 18:37 CEST geschrieben:

Hi,

We just had some private discussions about the implications of contributing under a pseudonym. This is in general fine and we should not have a problem with it, and we actually never verified the contributors, so this is possibly happening already.

The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it’s their personal choice and we should respect it.

That said, we also need to think about the project and the possible risks that this can bring. One of those is potentially hiding the identity because the author does not have the rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.

The implication of that is that all commits (except the merge ones) in the PR will need to have a Signed-off-by header with the author of the commit. It is still fine for this to be signed off by the pseudonym. This also applies to users with a legal name because the same issue potentially applies to them too.

Please let me know if you have any concerns or thoughts about this!

Kind regards,

Jakub

According to the license (see https://github.com/php/php-src/blob/master/LICENSE): IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE

From my understanding there is no liability for the project if people who are not allowed to contribute do so, or contribute code without proper IP rights.
If there are valid complaints from any third party, the project can remove the code that is questioned.

Regards
Thomas

On Fri, Apr 18, 2025 at 7:53 PM Niels Dossche <dossche.niels@gmail.com> wrote:

Hi

I have a strong suspicion of why this comes up now, but would still like to have more openness on why this is suddenly needed.
This just seems like an extra barrier and extra work.
Since this is a policy change, doesn’t this need an RFC as well?

Yeah, I think an RFC makes sense. I will try to put something together including some reasoning why I think it's a good thing to have.

Regards

Jakub

Hi

On Fri, Apr 18, 2025 at 9:04 PM Sai Liu <mails@thomasbley.de> wrote:

Jakub Zelenka <bukka@php.net> hat am 18.04.2025 18:37 CEST geschrieben:

Hi,

We just had some private discussions about the implications of contributing under a pseudonym. This is in general fine and we should not have a problem with it, and we actually never verified the contributors, so this is possibly happening already.

The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it’s their personal choice and we should respect it.

That said, we also need to think about the project and the possible risks that this can bring. One of those is potentially hiding the identity because the author does not have the rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.

The implication of that is that all commits (except the merge ones) in the PR will need to have a Signed-off-by header with the author of the commit. It is still fine for this to be signed off by the pseudonym. This also applies to users with a legal name because the same issue potentially applies to them too.

Please let me know if you have any concerns or thoughts about this!

Kind regards,

Jakub

According to the license (see https://github.com/php/php-src/blob/master/LICENSE): IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE

From my understanding there is no liability for the project if people who are not allowed to contribute do so, or contribute code without proper IP rights.
If there are valid complaints from any third party, the project can remove the code that is questioned.

The problem is that if the author does not have the rights to contribute the code under that license, it might be problematic: the owner might request removal of the code, or there might potentially be other implications.

Kind regards,

Jakub

On Fri, Apr 18, 2025 at 11:41 PM Jakub Zelenka <bukka@php.net> wrote:

Hi,

We just had some private discussions about the implications of contributing under a pseudonym. This is in general fine and we should not have a problem with it, and we actually never verified the contributors, so this is possibly happening already.

I fully agree with these two points.

The only thing about it is that it might raise questions why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it's their personal choice and we should respect it.

I fully agree here too.

That said, we also need to think about the project and the possible risks that this can bring. One of those is potentially hiding the identity because the author does not have the rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.

I wonder where these new names come from for many things existing since long under clear, widespread and understood names. In this specific case, and please correct me if that's not the reason for this initiative, it is called a Common License Agreement (CLA). Which we always opposed to have, and I still do, strongly :).

best,
--
Pierre

@pierrejoye | http://www.libgd.org

On Sat, Apr 19, 2025 at 6:02 AM Pierre Joye <pierre.php@gmail.com> wrote:

On Fri, Apr 18, 2025 at 11:41 PM Jakub Zelenka <bukka@php.net> wrote:

That said, we also need to think about the project and the possible risks that this can bring. One of those is potentially hiding the identity because the author does not have the rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.

I wonder where these new names come from for many things existing since long under clear, widespread and understood names. In this specific case, and please correct me if that's not the reason for this initiative, it is called a Common License Agreement (CLA). Which we always opposed to have, and I still do, strongly :).

I think the name is different because it does not require an explicitly signed document but just adds a personal hint to the commits, providing some sort of personal attestation of that particular commit. You can probably google it to get more details - it's a Linux Foundation thing that is used by many projects.

Anyway, after getting some feedback I decided not to proceed with this and am just proposing a much lighter variant which is purely updating the CONTRIBUTING.md: https://github.com/php/php-src/pull/18356. I don't think this update really needs an RFC as it's not really a policy change, so if there are no objections, I will merge it in the next few weeks.

Kind regards

Jakub