Re: Requiring DCO (Developer Certificate of Origin)

From: Date: Fri, 18 Apr 2025 19:04:04 +0000
Subject: Re: Requiring DCO (Developer Certificate of Origin)
References: 1  Groups: php.internals 
   
    Jakub Zelenka <[email protected]> wrote on 18.04.2025 18:37 CEST:
   
     Hi,
    
     We just had some private discussions about the implication of contributing under a pseudonym. This is in general fine and we should not have a problem with it, and we actually never verified the contributors, so this is possibly happening already.
    
     The only thing about it is that it might raise questions about why the pseudonym is used. This is quite likely completely fine and it might be just that the author does not want to share their personal details. We should not be asking those authors to provide their identity because it's their personal choice and we should respect it.
    
     That said, we also need to think about the project and the possible risk that this can also bring. One of those is potentially hiding the identity because the author does not have rights to contribute (e.g. their employer has that right). Even though this is unlikely, it's a problem that we should consider. There is quite an easy solution for such a problem though - it's a Developer Certificate of Origin. It's pretty easy to integrate and I put together a quick PR to add it: https://github.com/php/php-src/pull/18350.
    
     The implication of that is that it means that all commits (except the merge ones) in the PR will need to have a signed-off-by header with the author of the commit. This is still fine to be signed off by the pseudonym. This also applies to users with a legal name because the same issue applies to them too potentially.
    
     Please let me know if you have any concerns or thoughts about this!
    
     Kind regards,
     Jakub
  
   According to the license (see https://github.com/php/php-src/blob/master/LICENSE):

   IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE
  
   From my understanding there is no liability for the project if people contribute that are not allowed to contribute, or contribute code without proper IP rights.
  
   If there are valid complaints from any third party, the project can remove the code that is questioned.
  
   Regards
   Thomas