[nycphp-talk] somewhat OT: open source code auditing
Tom Melendez
tom at supertom.com
Fri Aug 12 16:55:44 EDT 2005
Hey Folks,
This is slightly off-topic, but I've just had the "higher-ups" come to
me asking about open source and coding audits. I'm not speaking about
collaborative tools or auditing from a security perspective, but rather
from a legal perspective. Simply put, how do you know where a piece of
code really came from?
I'm hoping that others on the list have gone through this (or are
actually going through it now) and can provide some insight.
Some general questions:
1. When you decide to use a piece of open source software, what do you
document? (package name, authors, download location, website, license,
date/time, etc)
2. Do you feel the need to actually verify that they wrote it? Or is
it enough to say, "This is a popular package, and it is generally
accepted that this person wrote it."
As this could relate to PHP:
1. The PEAR and PECL repositories - is there anything built into the
package approval process that looks for this? I didn't see anything on
the website. I would imagine that some Google searches probably occur
just to make sure this package
2. Code posted on the PHP site by users? Is that "free" to use?
I realize that most of us aren't lawyers, and we're getting help from
our legal team, but any help you can provide is greatly appreciated.
Thanks,
Tom
http://www.liphp.org
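One way to keep the kind of record the first general question asks about, as an added example that is not part of the original post and not any PEAR/PECL or liphp.org tooling: a small Python script that, given the downloaded tarball, writes down the package name, version, download URL, retrieval time, claimed authors, declared license and a SHA-256 of the exact bytes, and also looks inside the archive for a LICENSE/COPYING file to flag a mismatch between what the website said and what the tarball ships. The package name, URL, author and tarball contents are constructed for the example (nothing is fetched from the network), and the license detection by text marker is a simple heuristic assumed here, not an authoritative license scanner.

```python
"""Provenance record for a downloaded open-source package.

Added example, not code from the original post. The tarball, URL, authors
and package name are constructed sample input; license detection is a
marker heuristic assumed for illustration.
"""
import hashlib
import io
import json
import tarfile
from datetime import datetime, timezone

# Text markers mapped to a short license label (assumed heuristic).
LICENSE_MARKERS = {
    "MIT License": "MIT",
    "GNU GENERAL PUBLIC LICENSE": "GPL",
    "GNU LESSER GENERAL PUBLIC LICENSE": "LGPL",
    "Apache License": "Apache-2.0",
    "BSD": "BSD",
}

# Constructed sample package contents (path -> text).
SAMPLE_FILES = {
    "foolib-1.0/foolib.php": "<?php function foo() { return 1; }\n",
    "foolib-1.0/LICENSE": "MIT License\n\nCopyright (c) 2005 A. Author\n",
}


def build_tarball(files):
    """Construct an in-memory .tar.gz from {path: text} (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def detect_license(tar_bytes):
    """Return (label, member_path) for the first LICENSE/COPYING file found."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            base = member.name.rsplit("/", 1)[-1].upper()
            if member.isfile() and base.startswith(("LICENSE", "COPYING")):
                text = tar.extractfile(member).read().decode(errors="replace")
                for marker, label in LICENSE_MARKERS.items():
                    if marker.upper() in text.upper():
                        return label, member.name
                return "UNKNOWN", member.name
    return "NONE-FOUND", None


def provenance_record(package, version, source_url, tar_bytes, authors, declared_license):
    """Build the record to keep alongside the package: what, from where, when, which bytes."""
    detected, license_path = detect_license(tar_bytes)
    known = detected not in ("UNKNOWN", "NONE-FOUND")
    return {
        "package": package,
        "version": version,
        "source_url": source_url,
        "retrieved_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(tar_bytes).hexdigest(),
        "size_bytes": len(tar_bytes),
        "authors_claimed": list(authors),
        "license_declared": declared_license,
        "license_detected": detected,
        "license_file": license_path,
        # True when the tarball's own license text disagrees with what was declared.
        "license_mismatch": known and detected != declared_license,
    }


def to_json(record):
    """Serialize the record for the audit file."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    tar_bytes = build_tarball(SAMPLE_FILES)
    rec = provenance_record(
        "foolib", "1.0", "https://example.com/foolib-1.0.tar.gz",  # constructed URL
        tar_bytes, ["A. Author"], "MIT",
    )
    print(to_json(rec))
```

The hash is what makes the record useful later: it ties the legal paperwork to the exact bytes that went into the product, so a re-download from the same URL can be compared rather than trusted. The mismatch flag is only a prompt for a human to look; it does not establish who wrote the code.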