[wildfly-dev] Re: Developer Certificate of Origin for WildFly projects

I think that using `Signed-off-by` for this purpose is really oblique, and in most or all cases it's just going to be the same as the person who made the commit in the first place, which makes it more or less useless informationally speaking. Could there not instead be a clause which indicates that the mere act of submitting the commit is an attestation of its origin and/or agreement with the DCO? On Thu, Jul 17, 2025 at 9:55 AM Brian Stansberry via wildfly-dev < wildfly-dev(a)lists.jboss.org&gt; wrote: > One of the few requirements that Commonhaus puts on its projects is that > they use either a Developer Certificate of Origin or some kind of > Contributor License Agreement system. This is a reasonable requirement and > I believe some projects associated with WildFly are already using a DCO. > > If you're impatient, skip to #3 below... > > A CLA isn't really practical to administer for an organization of our > scope; a DCO is far simpler. > > There are three things we need to do for a good DCO system. > > 1) Add a dco.txt file in each repository. Commonhaus has a jbang script > "policy-panda"[1] that checks for this when run against a GitHub org. > > You may have noticed that a few days ago I spammed 88 repos in the > wildfly and wildfly-extras GH org with PRs to add this file. In case it is > helpful for other orgs, the script is at [2]. > > 2) Add a reference to the DCO in the CONTRIBUTING.md in each repo. This > is also checked by the Commonhaus policy-panda script. > > Narayana has nice text in [3] that I think is appropriate most anywhere. > (Note that the requested license/copyright header says "The Narayana > Authors". For repos in the wildfly and wildfly-extras orgs it would be "The > WildFly Authors".) > > I don't think we should take immediate action on this, i.e. don't > everyone go off and start editing existing files separately. We can make a > plan. FWIW, my jbang script at [2] can also send up modification PRs, so if > we determine that big sets of repos should all use the same file it may be > helpful. > > 3) DCOs involve an attestation from the person submitting that code that > they agree with the DCO. This is typically done via a 'Signed-off-by' > line in the git commit message. This can be done via the -s flag (lower > case) to the git commit command. > > I expect there will be lots of discussion around the logistics of adding > these signoffs! There already are in the brand new zulip thread around > this. Chatters -- please post a summary of the discussion to this thread as > many WF developers are not actively following zulip! > > Note that the git commit flag for a signoff is "-s" NOT "-S" which is a > different thing that triggers gpg signing of your commit. GPG signing is > not an attestation of a DCO etc. > > Rado has kindly created a WFLY issue[5] to track adding of software > enforcement of the signoff requirement. The details of that are another > topic to discuss. > > [1] https://github.com/commonhaus/foundation/tree/main/templates/panda > [2] https://github.com/bstansberry/git-file-adder > [3] https://github.com/jbosstm/narayana/blob/main/CONTRIBUTING.md > [4] > https://wildfly.zulipchat.com/#narrow/channel/174184-wildfly-developers/t... > [5] https://issues.redhat.com/browse/WFLY-20791 > > Best regards, > > -- > Brian Stansberry > Architect, JBoss EAP > WildFly Project Lead > He/Him/His > _______________________________________________ > wildfly-dev mailing list -- wildfly-dev(a)lists.jboss.org > To unsubscribe send an email to wildfly-dev-leave(a)lists.jboss.org > Privacy Statement: https://www.redhat.com/en/about/privacy-policy > List Archives: > https://lists.jboss.org/archives/list/wildfly-dev@lists.jboss.org/message... > -- - DML • he/him