Require Developer Certificate of Origin to All Commits #10322
Replies: 4 comments
-
@thibaudcolas Please give your input on this.
-
Thanks for bringing this up. We did discuss it at the most recent Core Team meeting and came to the conclusion that it would be beneficial to put similar language into our contributing guide — but we do not plan to enforce DCO in commits or pull requests, following the precedent set by Python and Django.
-
Alright. Should we close this discussion? Btw, the whole Linux Open Source World uses it. Maybe they enforce stricter rules.
-
Thanks for bringing this up! If we ever were to go for something like this, my preference would be for a contributor license agreement to be signed upfront rather than automated verification of every commit – which feels very heavyweight. Ultimately for a CMS I don’t see it as very likely that we would receive submissions of code that could be valuable enough to be covered under patents (valid and enforceable ones), in a way that would make anyone come after "Wagtail". So the biggest risk would be someone submitting GPL code without realising.
-
In open source projects, a lot of contributors tend to add lines of code from outside sources. This makes the project subject to legal rules.
The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the DCO, reformatted for readability:
Describe the solution you'd like
Contributors sign off that they adhere to these requirements by adding a Signed-off-by line to commit messages.
Git even has a -s command line option to append this automatically to your commit message:
For this to be enforced among all commits, a DCO bot can be added.
Once installed, this integration will create a check indicating whether or not commits in a Pull Request do not contain a valid Signed-off-by line.
Approach to be followed (optional)
Add to GitHub
Additional context
This feature is used by many open source projects since maintaining legal contracts is a good practice.
Example project which uses this:
Example Check: https://github.com/meshery/meshery/pull/7259/checks?check_run_id=11720541887
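The Signed-off-by check described in the post above, sketched in Python as an added example; it is not part of the original discussion and is not the DCO bot's own code. It assumes a sign-off only counts when it sits in the trailer block (the last paragraph, where `git commit -s` puts it) and its email matches the commit author; `Commit`, `check_commit` and the sample pull request are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Trailer form appended by `git commit -s`: "Signed-off-by: Name <email>"
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>[^<>]+?)\s*<(?P<email>[^<>\s]+)>\s*$")


@dataclass
class Commit:
    sha: str            # constructed placeholder ids, not real commits
    author_name: str
    author_email: str
    message: str


def signoffs(message):
    """Return (name, email) pairs found in the trailer block (last paragraph)."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:  # subject line only: there is no trailer block
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = SIGNOFF_RE.match(line.strip())
        if m:
            found.append((m["name"], m["email"].lower()))
    return found


def check_commit(c):
    """'ok', 'missing' (no sign-off) or 'mismatch' (sign-off is not the author's)."""
    found = signoffs(c.message)
    if not found:
        return "missing"
    if any(email == c.author_email.lower() for _, email in found):
        return "ok"
    return "mismatch"


def failing_commits(commits):
    """Map sha -> failure reason for a pull request; an empty dict means pass."""
    return {c.sha: r for c in commits if (r := check_commit(c)) != "ok"}


# Constructed sample pull request: one valid, one unsigned, one signed by someone else.
SAMPLE_PR = [
    Commit("aaa1111", "Ada Dev", "ada@example.org",
           "Fix page preview\n\nSigned-off-by: Ada Dev <ada@example.org>\n"),
    Commit("bbb2222", "Ada Dev", "ada@example.org", "Tweak docs\n"),
    Commit("ccc3333", "Ada Dev", "ada@example.org",
           "Add hook\n\nMentions Signed-off-by: in the body.\n\n"
           "Signed-off-by: Bob <bob@example.org>\n"),
]
```
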