Add DCO and commit-message.md #1338
@@ -0,0 +1,36 @@ | ||
# Guidelines to create great commit messages | ||
|
||
|
||
We use [GitCop](https://gitcop.com) to check that commit messages are | ||
properly written. The rules are the following: | ||
|
||
* The first line of a commit message, called the subject line should | ||
not be more than 80 characters long. | ||
|
||
* The commit message should end with the following trailers: | ||
|
||
``` | ||
Licence: MIT | ||
Signed-off-by: User Name <email@address> | ||
``` | ||
|
||
where "User Name" is the author's real name and email@address one of | ||
the author's valid email addresses. | ||
|
||
These trailers mean that the author agrees with the following | ||
document (which comes from http://developercertificate.org/): | ||
|
||
[developer-certificate-of-origin](./developer-certificate-of-origin) | ||
|
||
and with licensing the work under the MIT license available in the | ||
following file: | ||
|
||
[LICENSE](./LICENSE) | ||
|
||
To help you automatically add these trailers, you can run the | ||
following script: | ||
|
||
[setup_commit_msg_hook.sh](./setup_commit_msg_hook.sh) | ||
|
||
which will setup a Git commit-msg hook that will add the above | ||
trailers to all the commit messages you write. |
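Review bot: the trailer shown in the fenced example is spelled `Licence: MIT`, while the hook added in setup_commit_msg_hook.sh in this same PR greps for and writes `License: MIT`; whichever spelling GitCop is configured to require, commits produced by the hook will fail the check if the two files disagree, so pick one spelling and use it in both. A smaller wording point in the first bullet: "called the subject line should" needs a comma after "subject line".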
@@ -0,0 +1,35 @@ | ||
Developer Certificate of Origin | ||
Version 1.1 | ||
|
||
Copyright (C) 2004, 2006 The Linux Foundation and its contributors. | ||
660 York Street, Suite 102, | ||
San Francisco, CA 94110 USA | ||
|
||
Everyone is permitted to copy and distribute verbatim copies of this | ||
license document, but changing it is not allowed. | ||
|
||
Developer's Certificate of Origin 1.1 | ||
|
||
By making a contribution to this project, I certify that: | ||
|
||
(a) The contribution was created in whole or in part by me and I | ||
have the right to submit it under the open source license | ||
indicated in the file; or | ||
|
||
(b) The contribution is based upon previous work that, to the best | ||
of my knowledge, is covered under an appropriate open source | ||
license and I have the right under that license to submit that | ||
work with modifications, whether created in whole or in part | ||
by me, under the same open source license (unless I am | ||
permitted to submit under a different license), as indicated | ||
in the file; or | ||
|
||
(c) The contribution was provided directly to me by some other | ||
person who certified (a), (b) or (c) and I have not modified | ||
it. | ||
|
||
(d) I understand and agree that this project and the contribution | ||
are public and that a record of the contribution (including all | ||
personal information I submit with it, including my sign-off) is | ||
maintained indefinitely and may be redistributed consistent with | ||
this project or the open source license(s) involved. |
@@ -0,0 +1,13 @@ | ||
#!/bin/sh | ||
|
||
cat >.git/hooks/commit-msg <<'EOF' | ||
#!/bin/sh | ||
|
||
grep "^License:" "$1" || { | ||
echo >>"$1" | ||
echo "License: MIT" >>"$1" | ||
echo "Signed-off-by: $(git config user.name) <$(git config user.email)>" >>"$1" | ||
} | ||
EOF | ||
chmod +x .git/hooks/commit-msg | ||
|
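Review bot: `grep "^License:" "$1" || { ... }` only tests for the License trailer, so a message that already carries `License: MIT` but no `Signed-off-by:` line is committed without a sign-off, and the bare `grep` also echoes the matching line to the terminal on every commit; use `grep -q` and check the two trailers separately (appending whichever is missing). Two smaller points: `cat >.git/hooks/commit-msg` assumes the script is run from the top of the work tree and that `.git` is a directory rather than a worktree gitfile, which `"$(git rev-parse --git-dir)/hooks/commit-msg"` avoids; and when `user.name` or `user.email` is unset the hook silently writes `Signed-off-by:  <>`, which defeats the DCO purpose, so the hook should exit non-zero with a message when either value is empty.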
What is "real name"? What if the author is a vermin without a legal name?
On Sat, Jun 06, 2015 at 03:19:37PM -0700, rht wrote:
Presumably it's how you'd identify yourself to a court considering a
copyright- or licence-infringement case. I'm not sure how that breaks
down in edge cases, but I imagine most contributors will have a
government-issued ID that has a name on it, and that would probably be
a good choice ;).
The DCO and copyright licenses are for ensuring protections + rights to use / modify code are respected. These only matter in various nation's legal courts, and these names are only relevant in that context. I am not sure how other projects handle identity, but pseudonyms/personas should be fine according to most legal codes (it's fine in US code and lots of other copyright systems are based on or compatible with the US one).
However, the linux kernel contribution guidelines say:
I presume this is for both security + legal concerns (It may be tricky to deal with pseudonymous contribution in other countries. And it certainly is easier to trust contributions if you know who wrote them, and why.) I'm sure some pseudonymous contribution case has come up though-- I'd be curious how they handled it.
For our purposes, until further notice, I'm fine accepting pseudonymous contributions that bear the
License: MIT
trailer, so that it is known -- beyond shadow of a doubt -- that the license has been properly signed off to. On the internet nobody knows I'm a cat :)
A quick search gives non-promising results: https://www.google.com/webhp#q=pseudonymous+contribution+open+source -- seems like everyone's scared. But this isn't right. I think the right of using pseudonyms is an important part of a free society. (e.g. http://en.wikipedia.org/wiki/The_Federalist_Papers) I will look into this, because I think the copyright concerns aren't real. Hopefully we can find some legal precedent to point to.
While I don't have an issue using my real name anywhere, I prefer to use whyrusleeping as often as possible.
On Sun, Jun 07, 2015 at 01:30:40PM -0700, Juan Batiz-Benet wrote:
Right, I was just suggesting that as an option for people who were
wondering “how do I convince a court that I am the pseudonymous author
of this commit”.
@wking Contribution signing (any of commit/tag/pr) is much preferred even in the non-pseudonymous case. It just happens that it is still not practical nowadays (for large scale projects). When it becomes practical it will enable pseudonymous contributor to verify itself. From your viewpoint, I wonder if this is an unnecessary side effect, or should be prevented by any means? For the latter, e.g. every key has to be tied to a gov id.
On Mon, Jun 08, 2015 at 01:28:01AM -0700, rht wrote:
I don't understand why it's not practical. I think Gerwitz explains
things well in 1, but the main issues he points out include:
a. What good are signatures by a one-off key?
b. How do you handle signatures in the context of rebases or
additional commit-message trailers?
c. How do you aggregate signatures as commits trickle up a lieutenant
tree? Or equivalently, as external auditors review the changes.
and I don't see those being addressed in the near future. In any
case, those features would be nice, but don't seem to be major
adoption blockers. I expect the major issue with adoption is just
lack of motivation, just like it is for the majority of email users
not using OpenPGP.
For this purpose, I think it's practical now.
I haven't looked up any previous case history (and I don't even know
if previous cases exist), but I expect tying the signing key to a
government ID isn't necessary. For proving ownership of a commit,
I'd expect a court to accept either:
a. The commit is written by Trevor King, and here's my passport
proving that that's me, and here's a bit of background
differentiating me from other Trevor Kings who may be claiming that
commit.
b. The commit is written by foobar, and here's the signature by
foobar's key, and here's the foobar-signed copy of that challenge
text you gave me yesterday, proving that I have access to foobar's
secret key and am therefore likely foobar.
I personally prefer (a), but I think (b) is a valid choice for folks
who prefer a pseudonym and expect to only address courts that
recognize pseudonyms.
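The challenge-response proof sketched in option (b) above, as an added example in Go that is not part of this PR or of the discussion: the Pseudonym type, the commit bytes and the challenge are constructed for illustration, and Ed25519 stands in for whatever key the pseudonymous contributor actually signs commits with. The verifier accepts the claim only when one public key validates both the historical commit signature and the signature on a challenge the verifier itself just issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Pseudonym is a hypothetical stand-in for a contributor's signing identity:
// a key pair that is deliberately not tied to any government ID.
type Pseudonym struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPseudonym() (*Pseudonym, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Pseudonym{pub: pub, priv: priv}, nil
}

func (p *Pseudonym) PublicKey() ed25519.PublicKey { return p.pub }

// Sign covers either the commit content (standing in for a signed commit)
// or, later, a challenge text handed to whoever claims the pseudonym.
func (p *Pseudonym) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// NewChallenge returns fresh random bytes so an old signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ProveOwnership is the verifier's check: the key that validates the historical
// commit signature must also validate the signature on the verifier's fresh challenge.
func ProveOwnership(pub ed25519.PublicKey, commit, commitSig, challenge, challengeSig []byte) bool {
	return ed25519.Verify(pub, commit, commitSig) && ed25519.Verify(pub, challenge, challengeSig)
}

func main() {
	foobar, _ := NewPseudonym()
	commit := []byte("Fix typo\n\nLicense: MIT\nSigned-off-by: foobar <foobar@example.invalid>\n") // constructed
	commitSig := foobar.Sign(commit)
	challenge, _ := NewChallenge()
	impostor, _ := NewPseudonym() // claims the same pseudonym, holds a different key
	fmt.Println("owner:", ProveOwnership(foobar.PublicKey(), commit, commitSig, challenge, foobar.Sign(challenge)))
	fmt.Println("impostor:", ProveOwnership(foobar.PublicKey(), commit, commitSig, challenge, impostor.Sign(challenge)))
}
```

Replaying the commit signature as the challenge response fails too, because the challenge bytes differ from the commit bytes; that is what the freshly generated challenge buys the verifier.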
If it were practical today then you would have already seen contribution/review signing in linux kernel / any high stake project DCO (as one of the sufficient conditions of being practical).
(b), (c) are among the real obstacles to contribution/review signing, which has nothing to do with the lack of motivation (neither is this the reason for the state of email+pgp).
I think you are referring to 1. pseudonymous contributor/reviewer for sign-off or commit author field + pgp-signed emails / fake real name, but those are not signed commits, 2. one/few author(s) case where merges are unneeded/manageable, then sure this is practical and has been done for a very long time.
For the second (a) case, so given the choice, you are substituting a permanent pki gov id with a pki + one-off 2nd factor auth. Why?
For the second (b) case, this is what US law http://www.copyright.gov/fls/fl101.html says
So it is up to the lawyers.
On Tue, Jun 09, 2015 at 05:04:11AM -0700, rht wrote:
No, I meant author-signed commits that are merged without having the
signature blown away (at least most of the time, see 1).
Pseudonymous commits signed by a pseudonymous key allow you to
decouple your government ID from the contributions. Folks might want
that for all the usual reasons they choose to use pseudonyms. The PKI
bit just gives you a tool to demonstrate your ownership of the
pseudonym if/when you decide to claim the association.
I'm pretty sure this is going to be true for copyright issues however
you dice it ;). And I'm not a lawyer, and I haven't read any previous
case history 2. But I'd put good odds on a court accepting the
“signed by a pseudonymous key for which I've just demonstrated
secret-key access” argument.