drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

DCO.md (4979B)


---
title: The Developer Certificate of Origin is a great alternative to a CLA
date: 2021-04-12
outputs: [html, gemtext]
---

Today Amazon released their fork of ElasticSearch, [OpenSearch][0], and I want
to take a moment to draw your attention to one good decision in particular: its
use of the [Developer Certificate of Origin][1] (or "DCO").

[0]: https://github.com/opensearch-project/OpenSearch
[1]: https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin

---

Previously:

- [ElasticSearch does not belong to Elastic](https://drewdevault.com/2021/01/19/Elasticsearch-does-not-belong-to-Elastic.html)
- [Open source means surrendering your monopoly over commercial exploitation](https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your-monopoly.html)
- [Don't sign a CLA](https://drewdevault.com/2018/10/05/Dont-sign-a-CLA.html)

---

Elastic betrayed its community when they changed to a proprietary license. We
could have seen it coming because of a particular trait of their contribution
process: the use of a Contributor License Agreement, or CLA. In principle, a CLA
aims to address legitimate concerns of ownership and copyright, but in practice,
they are a promise that one day the stewards of the codebase will take your work
and relicense it under a nonfree license. And, ultimately, this is exactly what
Elastic did, and exactly what most other projects which ask you to sign a CLA
are *planning* to do. If you ask me, that's a crappy deal, and I refrain from
contributing to those projects as a result.

However, there are some legitimate questions of ownership which a project owner
might rightfully wish to address before accepting a contribution. As is often
the case, we can look to git itself for an answer to this problem. Git was
designed for the Linux kernel, and patch ownership is a problem they faced and
solved a long time ago. Their answer is the [Developer Certificate of
Origin](https://developercertificate.org/), or DCO, and tools for working with
it are already built into git.

git provides the -s flag for git commit, which adds the following text to your
commit message:

```
Signed-off-by: Drew DeVault <sir@cmpwn.com>
```

The specific meaning varies from project to project, but it is usually used to
indicate that you have read and agreed to the DCO, which reads as follows:

> By making a contribution to this project, I certify that:
>
> 1. The contribution was created in whole or in part by me and I have the right
> to submit it under the open source license indicated in the file; or
> 2. The contribution is based upon previous work that, to the best of my
> knowledge, is covered under an appropriate open source license and I have
> the right under that license to submit that work with modifications,
> whether created in whole or in part by me, under the same open source
> license (unless I am permitted to submit under a different license), as
> indicated in the file; or
> 3. The contribution was provided directly to me by some other person who
> certified (1), (2) or (3) and I have not modified it.
> 4. I understand and agree that this project and the contribution are public
> and that a record of the contribution (including all personal information I
> submit with it, including my sign-off) is maintained indefinitely and may
> be redistributed consistent with this project or the open source license(s)
> involved.

This neatly answers all concerns of copyright. You license your contribution
under the original license (Apache 2.0 in the case of OpenSearch), and attest
that you have sufficient ownership over your changes to do so. You retain your
copyright and you don't leave the door open for the maintainers to relicense
your work under some other terms in the future. This offers the maintainers the
same rights that they extended to the community themselves.

This is the strategy that Amazon chose for OpenSearch, and it's a good thing
they did, because it strongly signals to the community that it will not fall to
the same fate that ElasticSearch has. By doing this, they have imposed on
themselves a great deal of difficulty to any future attempt to change their
copyright obligations. I applaud Amazon for this move, and I'm optimistic about
the future of OpenSearch under their stewardship.

If you have a project of your own that is concerned about the copyright of
third-party contributions, then please consider adopting the DCO instead of a
CLA. And, as a contributor, if someone asks you to sign a CLA, consider
withholding your contribution: a CLA is a promise to the contributors that
someday their work will be taken from them and monetized to the exclusive
benefit of the project's lords. This affects my personal contributions, too
&mdash; for example, I avoid contributing to Golang as a result of their CLA
requirement. Your work is important, and the projects you offer it to should
respect that.
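
For a project that adopts the DCO, the `Signed-off-by` line that `git commit -s` appends can be checked mechanically before a patch is merged. The following is an added example, not code from the original post or from git: the function names, the sample identities and the policy that the commit author must be among the signers are assumptions, and trailer detection is simplified to the last paragraph of the message.

```python
import re

# One "Signed-off-by: Name <email>" line, the form that `git commit -s` appends.
SIGNOFF = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^<>\s]+)>\s*$", re.IGNORECASE)


def signoffs(message):
    """Return (name, email) pairs found in the last paragraph of a commit message.

    Simplification: the final paragraph is treated as the trailer block, which is
    where `git commit -s` puts the line; a sign-off quoted in the body is ignored.
    """
    paragraphs = [p for p in re.split(r"\n[ \t]*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:  # subject line only, so no trailer block
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = SIGNOFF.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2).lower()))
    return found


def dco_status(author_email, message):
    """Classify a commit as 'ok', 'missing' or 'mismatch' (assumed policy:
    the commit author must be among the people who signed off)."""
    signed = signoffs(message)
    if not signed:
        return "missing"
    if author_email.lower() in {email for _, email in signed}:
        return "ok"
    return "mismatch"


# Constructed sample commits: (author email, commit message).
SAMPLE_COMMITS = [
    ("alice@example.org",
     "parser: reject empty keys\n\nSigned-off-by: Alice Example <alice@example.org>\n"),
    ("bob@example.org", "docs: fix typo\n"),
    ("carol@example.org",
     "net: add retry\n\nSigned-off-by: Dave Example <dave@example.org>\n"),
    ("erin@example.org",
     "log: tidy output\n\nSigned-off-by: Erin <erin@example.org> was requested.\n\nNo trailer here.\n"),
]


def audit(commits):
    """Return the DCO status of each commit, in order."""
    return [dco_status(author, msg) for author, msg in commits]
```

A `mismatch` is not necessarily a rejection: under clause 3 of the DCO a maintainer may pass on someone else's certified patch, so a project can choose to flag these for review rather than block them.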