Transitioning from the Contributor License Agreement (CLA) to the Developer Certificate of Origin (DCO)

[Geenz]

Hey everyone! Here are the details of our upcoming transition from the CLA to the DCO. We’re doing this to streamline the contribution process and remove friction for our community.

This change aims to make contributing easier, faster, and more transparent for everyone. I’m providing this to everyone today so that we can collect feedback as we determine next steps in its implementation.

The Current Challenges with the CLA

While the CLA served its purpose, it presented several ongoing difficulties for contributors:

• Clunky Contributor Experience: The process of reading, signing, and managing the CLA often added an extra, non-coding step that many found cumbersome.
• CLA Bot Issues: Our CLA bot has occasionally misidentified or mis-tagged people on GitHub, leading to unnecessary delays and confusion in PR reviews.
• Rights Assignment Mechanism: The CLA primarily functions as a rights assignment mechanism. Given that our projects are licensed under the LGPL, we can already pull code from compatible sources while respecting copyright. The CLA added an unnecessary layer of ownership transfer, which some found off-putting due to the nature of the LGPL.

Introducing the Developer Certificate of Origin (DCO)

The DCO is a simple, lightweight statement that asserts you have the right to submit the contribution under the project's license.

Benefits of the DCO:

• Simplified Contribution: There is no separate legal agreement (CLA) required.
• Clear Attestation: Developers attest that they have the rights to contribute the code they submit.
• License Protection Remains: While we no longer own the rights to the contributed code (the contributor retains copyright), the existing LGPL license continues to protect us in terms of distribution and use of that code.

The DCO Agreement

We will be utilizing the standard DCO text provided by the Linux Foundation. By signing your commit, you are agreeing to the following terms:

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

You can find the Linux Foundation’s current DCO terms here: https://developercertificate.org/

DCO Process: Signing Off Your Commits

The DCO is enforced by requiring a "Signed-off-by" line in the commit message of every commit. This is done using a simple command-line flag when making your commit.

How to Sign Your Commits:

1. The Standard Commit Command:

This is how you commit today:

git commit -m "This is my commit"

2. The DCO-Compliant Commit Command:

This is how you will be committing once the DCO is in place. I encourage everyone to start doing this today:

git commit -s -m "This is my commit"

When you use the -s flag (which is a shortcut for --signoff), Git automatically appends the following line to your commit message using the name and email configured in your git config:

Signed-off-by: Your Name <[email protected]>

Important: Every commit in a Pull Request must be signed by the original author of that commit for the PR to be merged. We will have overrides for this in the beginning to help ease the migration - however we intend to use that increasingly sparingly as time goes on.

Enforcement

We will be using the dcoapp to automatically check for the required "Signed-off-by" line on all incoming commits and PRs: https://github.com/dcoapp/app

We appreciate your cooperation and feedback as we transition to this new model. The goal here is to make contributions easy and auditable, while improving our overall legal risk mitigation and compliance. I look forward to everyone’s feedback!

[DarlCat]

This is a welcome change to me, but a couple of people in the Discord and I have voiced there's not an apparent / simple way to automate this for all of our commits. It may become a pinch point for first-time contributors to have to handle adding it to all of their commits, especially if they have a multi-commit branch they're hoping to contribute.

Support automatic signoff in git guis seems hit-or-miss, too. My preferred Sublime Merge has no zero support for it, and the Github Desktop app seems to be in a spot as well.

I did find this article discussing a few ways to accomplish it, but it still may be burdensome for some.

[DarlCat]

Okay so this is a non-issue as I've discovered, you can git rebase --signoff HEAD~3 or similar to quickly sign wips. Big two thumbs-up from me! 😸

[Dzonatas]

[Geenz]

Please remain on topic. Create another discussion thread.