Using DCO (Developer Certificate of Origin)

Overview

The recommended best practice for all code submitted through a project hosted by the Linux Foundation AI&Data Foundation is to include a Developer Certificate of Origin (DCO) sign-off.  

This certifies that you are able to submit your contribution to our repository under the license of the repository, and for the contribution to be redistributed under that same license.

You can "sign" this certificate by including a line in the git commit of "Signed-off-by: Legal Name <email-address>", using the email address associated with your GitHub account.

Why DCO

The DCO is a per-commit sign-off made by a contributor stating that they agree to the terms published at https://developercertificate.org/ for that particular contribution.  DCO sign-offs differ from contributor agreements (CLAs):

  • While contributor agreements are usually made once and automatically cover all future contributions, DCO sign-offs must be present on every single commit, or else the contribution will not be accepted.

  • A contributor agreement may be signed by a third party, like a company, on behalf of its employees, whereas the DCO is always an attestation by the author of the contribution.

There are several good articles on DCO in the References section below for more details.  

How to work with DCO

When Committing

You need to ensure that every commit message has a line "Signed-off-by: Your Legal Name <your-email@address>", and while you could add that manually every time, here are the steps to follow so the computer can add it for you:

  1. Set your legal name in the git configuration:
    git config user.name "Legal Name" 
  2. Set your email in the git configuration:
    git config user.email "email@address" 
  3. Add the -s  or --signoff  to all git commit  invocations.
    1. Add a git alias:
      git config --global alias.c 'commit --signoff'
      and then run "git c" instead of "git commit"
    2. In IntelliJ

When Merging

The merge or a PR must also have a DCO so we can know the entire repository is under the associated license.

Squashed Merges

When Merging a Pull Request through "squash and merge", include the Signed-off-by lines from every contributor, and add one for you as the person merging.  This might require you to edit the comments as a part of the merge.  Note:  If you use the GitHub client, it should handle cleaning up any extraneous messages for you.  

Handling Failures

When you have a DCO failure on your PR from DCO Bot

'

Click on that "Details" link and follow the instructions.

When you have a DCO failure on your PR from CI

On Circle CI you will see:

In the full Console Output you will see DCO is checked on ALL branches:

Checking commits in branch origin/main for commits missing DCO...
Checking commits in branch origin/merge for commits missing DCO...
11b5f95dd5ef51af398f8b343b266debadd6f0b9 is missing Signed-off-by line.
Checking commits in branch origin/pull/2497 for commits missing DCO...
Checking commits in branch origin/release-21.10.x for commits missing DCO...
Checking commits in branch origin/release-22.1.0 for commits missing DCO...

Exited with code exit status 1

If the commit missing the signoff is on main branch, you will need to contact a Maintainer Admin for the project you are trying to commit to (main rebase required).

If the commit missing the signoff is on a non-main branch (eg merge in the example above), and you are a maintainer, you should be able to force-push to that branch (eg rollback the most recent commit). 



References