The PHP License, Simplified
I’ve been fascinated with copyright since high school and with open source licensing for most of my career. Yes, I’m a nerd, but I really do find it compelling to think about how humans communicate ideas—through words, songs, photographs, videos, and even code—and claim ownership over these products of the mind. Copyright is how we do that, and licensing is one of the tools we use to share what we create. So, when Matthew Sheahan posted a question to the php-general mailing list in early 2020, just as COVID-19 lockdowns were taking hold, it caught my attention.
Matthew’s team needed to use phpdbg, but their organization required OSI-approved licenses, and “the fact that 3.0 and 3.01 are substantively identical is no use to us at all.” While the PHP website said the PHP License 3.01 was OSI-approved, the OSI’s own said otherwise. Only version 3.0 had been formally approved. 3.01 was a minor version bump, nearly identical to 3.0, but that didn’t matter when company policy required it be listed on the OSI website. Since copyright and licensing is an interest of mine, I figured this was a way I could contribute to the PHP project, so I volunteered. I contacted the OSI to request legacy approval for 3.01, and the OSI Board voted to approve it in May 2020. Problem solved.
I figured this was a way I could contribute to the PHP project, so I volunteered.
But that planted a seed. Looking closely at the PHP License and the Zend Engine License, I saw two well-intentioned licenses that included increasingly awkward provisions; they were showing their age. The PHP project had been using its own custom license since PHP 3, when Rasmus Lerdorf adapted it from the Apache License, version 1.0, with modifications. The Zend Engine License came along with PHP 4, covering sources in the Zend/ directory. Each license contained conditions specific to their respective custodians—restrictions on using the names “PHP” and “Zend,” an advertising acknowledgment clause, and provisions granting only the PHP Group and Zend Technologies the authority to change the licenses.
After 25 years of cohabitation within the same source code repository, [PHP and the Zend Engine] are intertwined in ways in which the Zend Engine can no longer be separated and used as a standalone product. Together, they form the PHP programming language reference implementation.
These weren’t bad licenses. Most developers, distributors, and companies accepted their intent and moved on. But gaps between intent and substance have a way of accumulating. The Zend Engine, once imagined as a separable product, had been inextricably bound to PHP for 25 years; the notion that it required its own license had become a historical artifact. Condition 4 of the PHP License—restricting derived products from calling themselves “PHP”—created real ambiguity for Linux distributions like Debian, which patch and redistribute PHP. Neither license was GPL-compatible, and the Zend Engine License had never been OSI-approved. Yet strip away the PHP Group-specific and Zend-specific conditions from both licenses, and what remains is effectively the Modified BSD License, otherwise known as BSD-3-Clause.
So, that is now the PHP License, version 4, and the Zend Engine License, version 3. Not a custom adaptation. Not a derivative. The actual BSD-3-Clause license, with its SPDX identifier, recognized by the OSI, the FSF, and every major piece of licensing tooling in use today. It’s compatible with the GPL. There are no advertising requirements, no restrictions that only a single organization can invoke, no ambiguity for distributors.
The rights granted by contributors have not changed. The rights granted to users have not changed. The new licenses are fully compatible with the old ones. This is a simplification and nothing more.
Getting here required more than writing an RFC. The PHP License gives the PHP Group the authority to change it, which meant tracking down each of the original PHP Group members and getting their written consent. Each approved the proposal. Perforce Software, the successor to Zend Technologies, needed to sign off on the Zend Engine side, as well. They provided a formal letter confirming their full authority and support for the change. I hired an attorney to review the proposal and provide advice on any legal questions that might surface during the discussion period. Speaking of which, I allowed for a six-month community discussion period preceding the vote, which passed unanimously.
Now, if you’re using software licensed under the PHP License 3.01, clause 5 of that license allows you to use the same software under the new version. If you maintain a PECL extension or any other project licensed under PHP License 3.01, clause 5 of that license allows you to adopt the new version. The same permissive spirit that covered your project before still covers it.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group.
If your organization has a policy requiring use of OSI-approved licensed open source software, or if you’ve had to explain away the Zend Engine License’s non-approved status to a compliance review, those conversations are over. And if you’ve simply never thought about this because it didn’t affect you, that’s fine too. It’s worth knowing the licenses exist, they’ve been updated, and PHP’s legal foundations now match the spirit of the language and community.
There are many people to thank for seeing this through: the members of the PHP internals community who engaged with the RFC over a long discussion period, the members of the PHP Group—Thies, Stig, Shane, Andi, Rasmus, Sam, Sascha, Zeev, Jim, and Andrei—who each took the time to respond to my messages, Perforce Software—and especially Matthew Weier O’Phinney and Sara Kilian—for their support and cooperation, Zak Greant, the debian-legal and OSI license-discuss mailing lists, the FSF Licensing & Compliance Team, and Pamela Chestek of Chestek Legal. Open source licensing is unglamorous, but it matters, and I’m glad to have had a part in this.
![](data:image/svg+xml,<svg width="48" height="48" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect x="0" y="0" width="48" height="48" style="fill: %23f09f42" /><text x="50%" y="50%" dy=".1em" fill="%23000000" font-size="24" text-anchor="middle" dominant-baseline="middle" style="font-family: system-ui, sans-serif; line-height: 1">NV</text></svg>){kind=small}
![](data:image/svg+xml,<svg width="48" height="48" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect x="0" y="0" width="48" height="48" style="fill: %2342f068" /><text x="50%" y="50%" dy=".1em" fill="%23000000" font-size="24" text-anchor="middle" dominant-baseline="middle" style="font-family: system-ui, sans-serif; line-height: 1">CO</text></svg>){kind=small}
![](data:image/svg+xml,<svg width="48" height="48" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect x="0" y="0" width="48" height="48" style="fill: %2342f045" /><text x="50%" y="50%" dy=".1em" fill="%23000000" font-size="24" text-anchor="middle" dominant-baseline="middle" style="font-family: system-ui, sans-serif; line-height: 1">GL</text></svg>){kind=small}
![](data:image/svg+xml,<svg width="48" height="48" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect x="0" y="0" width="48" height="48" style="fill: %2342f0b9" /><text x="50%" y="50%" dy=".1em" fill="%23000000" font-size="24" text-anchor="middle" dominant-baseline="middle" style="font-family: system-ui, sans-serif; line-height: 1">CB</text></svg>){kind=small}
4 Comments
Does this include things like php-perl, which I’ve been wanting to be packaging for Debian for ages?
https://github.com/swthemathwiz/php-perl/blob/main/php_perl.c
This is code where it was unclear whether the licence grant even applies, as it is clearly not PHP itself. The named author is also unreachable.
I’m honestly not sure what’s going on with that extension. There’s no license file, and when I look at the source files, they say they’re “subject to version 3.0 of the PHP license.” The original author, according to the source files is Dmitry Stogov, but the repo owner is definitely not Dmitry.
If the source files are correct, then Dmitry is the original author, and his contributions are licensed under the PHP License version 3.0. swthemathwiz has made a number of changes to the source, but they didn’t specify a license for their contributions. We could assume they consider their modifications to be licensed under the same terms, but I’m not a lawyer, and I have no idea if that would hold.
Since Dmitry’s contributions are licensed under the PHP License v3.0, then clause 5 of that license is in effect, and you can probably use the source under the terms of the BSD-3-Clause, but it would be best to get in touch with swthemathwiz to find out what license they consider their modifications to be under.
If this was Dmitry’s repo, then it wouldn’t matter who else had contributed. Based on the reasoning I argued in the RFC, everyone’s contributions are implied as being under the same terms as the source unless 1) they have signed a CLA that states exactly what the terms are, or 2) they have identified other license terms they contributed their modifications under. But that argument only holds (I think) if these were contributions to the upstream project, and the upstream project accepted them. Since this is not the upstream project, and the modifications are not clearly licensed, the terms are a little muddy.
Yes, it’s a forked repo, I couldn’t find the original one quickly enough.
The problem is: the PHP licence 3.x only applies to PHP itself, not to PHP extensions that are not part of PHP, so the upgrade clause in the licence would not apply either.
Dmitry would need to relicence, but I’ve not had any luck contacting him back when I first wanted to package the extension.
I’m assuming that, when relicenced, swthemathwiz would rebase their changes on top of that and follow the licence change.
This is one of the reasons the PHP License has been problematic for distros, etc. For historical reasons, many if not most PECL extensions were licensed under the PHP License, with the assumption the license could also be applied to things other than the PHP source.
In the RFC, I argued that:
Folks on the debian-legal mailing list encouraged this interpretation. See this post and following responses in the thread.
Granted, IANAL, and neither were those who suggested this on debian-legal. As with anything like this, consult with your own lawyer.