Use of DCO

Dave Neary dneary at redhat.com
Thu Jan 3 13:25:36 UTC 2013


Hi Anthony,

For the uninitiated is DCO = Developer Certificate of Origin?

I am not sure whether oVirt has a formal process similar to the kernel's 
for this. Signed-off-by in oVirt probably doesn't carry the same baggage 
for maintainers as it does for the kernel.

For everyone else: this involved developers being asked, and at least 
verbally affirming, that they have written the patch themselves and have 
the rights required to publish their work under the relevant license.

A CLA gets around this by having an explicit Contributor Licensing 
Agreement where developers explicitly grant a license to some entity 
(usually the project's sponsoring entity or a non-profit supporting the 
project).

Both Mozilla and the Kernel, and several other projects, have avoided a 
CLA for a number of reasons - if you're aiming for a diverse developer 
base (as we are in oVirt) this can slow down adoption and participation 
by 3rd parties. For that reason, I would not encourage the adoption of a 
CLA for oVirt. On the other hand, ensuring we have the right to ship the 
code which is submitted to us is a good idea - and pushing the 
responsibility for asking to the maintainers integrating the code 
upstream is reasonable. How we do that is an implementation detail - we 
could of course "hack" SOB as the kernel has done to mean "I've checked 
and this is fine". It is important to realise that using SOB for this 
purpose is convention - a process hack, rather than something inate in 
SOB: http://elinux.org/Developer_Certificate_Of_Origin

Cheers,
Dave.

On 01/02/2013 05:27 PM, Anthony Liguori wrote:
>
> Hi,
>
> I've noticed that the various oVirt projects are not using the DCO
> process correctly.  While contributors are adding Signed-off-by's
> (Good), there's no Signed-off-by being added by maintainers (Bad).
>
> http://lwn.net/Articles/139918/
>
> It may seem like a minor thing, but SOB is meant to provide a chain of
> custody and it's less effective if the certification isn't also done by
> maintainers.
>
> For VDSM, I see examples like:
>
> commit 53c6801658a8c5e05ceb518ffd9ebfefa805fda9
> Author: Antoni S. Puimedon <asegurap at redhat.com>
> Date:   Tue Dec 18 22:33:39 2012 +0100
>
>      Fix blockSD pep8.
>
>      Change-Id: I2ed4ce2a5748a911f76da02f762e5bda9352b905
>      Signed-off-by: Antoni S. Puimedon <asegurap at redhat.com>
>      Reviewed-on: http://gerrit.ovirt.org/10213
>      Reviewed-by: Dan Kenigsberg <danken at redhat.com>
>
> The last 'Reviewed-by' ought to be a 'Signed-off-by'.
>
> OTOH, ovirt-engine lacks any Reviewed-by tags.  For example:
>
> Author: Sharad Mishra <snmishra at linux.vnet.ibm.com>
> Date:   Wed Dec 26 11:10:32 2012 -0800
>
>      core: removed obsolete classes vm_template_image_map_id and vm_template_imag
>
>      These clasees are not used anymore.
>
>      Change-Id: I82f0861644f155f7b6c27ba5acb3a069b6f1a8f6
>      Signed-off-by: Sharad Mishra <snmishra at linux.vnet.ibm.com>
>
> I'm not sure if this is a limitation in gerrit.  I know the question has
> come up regarding what OpenStack does.  OpenStack doesn't use DCO.  They
> have an explicit CLA that everyone must sign before participating[1].
> DCO eliminates the need for such an agreement (when used properly).
>
> [1] http://wiki.openstack.org/CLA
>
> Regards,
>
> Anthony Liguori
>
> _______________________________________________
> Board mailing list
> Board at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/board
>

-- 
Dave Neary - Community Action and Impact
Open Source and Standards, Red Hat - http://community.redhat.com
Ph: +33 9 50 71 55 62 / Cell: +33 6 77 01 92 13



More information about the Board mailing list