One of the few requirements that Commonhaus puts on its projects is that they use either a Developer Certificate of Origin or some kind of Contributor License Agreement system. This is a reasonable requirement and I believe some projects associated with WildFly are already using a DCO.
If you're impatient, skip to #3 below...
A CLA isn't really practical to administer for an organization of our scope; a DCO is far simpler.
There are three things we need to do for a good DCO system.
1) Add a dco.txt file in each repository. Commonhaus has a jbang script "policy-panda"[1] that checks for this when run against a GitHub org.
You may have noticed that a few days ago I spammed 88 repos in the wildfly and wildfly-extras GH org with PRs to add this file. In case it is helpful for other orgs, the script is at [2].
2) Add a reference to the DCO in the CONTRIBUTING.md in each repo. This is also checked by the Commonhaus policy-panda script.
Narayana has nice text in [3] that I think is appropriate most anywhere. (Note that the requested license/copyright header says "The Narayana Authors". For repos in the wildfly and wildfly-extras orgs it would be "The WildFly Authors".)
I don't think we should take immediate action on this, i.e. don't everyone go off and start editing existing files separately. We can make a plan. FWIW, my jbang script at [2] can also send up modification PRs, so if we determine that big sets of repos should all use the same file it may be helpful.
3) DCOs involve an attestation from the person submitting that code that they agree with the DCO. This is typically done via a 'Signed-off-by' line in the git commit message. This can be done via the -s flag (lower case) to the git commit command.
I expect there will be lots of discussion around the logistics of adding these signoffs! There already are in the brand new zulip thread around this. Chatters -- please post a summary of the discussion to this thread as many WF developers are not actively following zulip!
Note that the git commit flag for a signoff is "-s" NOT "-S" which is a different thing that triggers gpg signing of your commit. GPG signing is not an attestation of a DCO etc.
Rado has kindly created a WFLY issue[5] to track adding of software enforcement of the signoff requirement. The details of that are another topic to discuss.