Require Developer Certificate of Origin (DCO) #18350

Closed

Conversation

@bukka (Member) commented Apr 18, 2025

This adds a requirement to confirm that the contributor has the rights to contribute to the project.

@bwoebi (Member) commented Apr 18, 2025

Why would we start enforcing this now? Is there any point in this, doing this on a 30 year old project?

@bukka bukka force-pushed the dco branch 3 times, most recently from 329f614 to a2a48d6 Compare April 18, 2025 15:51
Signed-off-by: Jakub Zelenka <bukka@php.net>
@bukka (Member, Author) commented Apr 18, 2025

@bwoebi This is meant just for future commits, and it should protect the project in cases where the contributed code is from an unknown source, to make sure that the project won't be liable for those contributions if the author does not have the rights to contribute it. This is probably the primary risk, especially in cases where the code is contributed under a pseudonym and the code origin is not known. It doesn't mean that we do not trust such an author; it's purely a protection for the project.

@bukka (Member, Author) commented Apr 18, 2025

I will post it to internals about it.

@kocoten1992

project won't be liable, code is contributed under pseudonym and the code origin is not known, protection for the project.

For those who are confused (like myself), this is probably about sanctions between countries.

@smalyshev (Contributor)

I'm not sure I understand how this helps. If somebody contributes code they don't own, we still have a problem, and a "signed-off" line is not going to absolve us. Moreover, since it's added automatically, it has absolutely no information about the content of a particular commit, nor does it represent the informed consent of the committer to whatever we ask them to agree to; it only means the committer, at some time in the past, enabled an option in their git client. If you want CLA-type protection, you need a CLA gateway and to make people explicitly sign it (not that this absolves us either, but at least there's an explicit gateway that requires human acknowledgement). If you want to accept drive-by commits without a CLA, then I don't see how a signed-off line adds anything meaningful here.

By signing off, you confirm that you have the right to submit your code under the PHP License.

How is this better than "by submitting a pull request to the PHP repository, you confirm that you have the right to submit your code under the PHP License."? It is equally strong protection-wise, but without extra steps.

@bukka (Member, Author) commented Apr 19, 2025

Moreover, since it's added automatically, it has absolutely no information about the content of a particular commit, nor does it represent the informed consent of the committer to whatever we ask them to agree to; it only means the committer, at some time in the past, enabled an option in their git client. If you want CLA-type protection, you need a CLA gateway and to make people explicitly sign it (not that this absolves us either, but at least there's an explicit gateway that requires human acknowledgement). If you want to accept drive-by commits without a CLA, then I don't see how a signed-off line adds anything meaningful here.

I'm pretty sure that this has been analysed by various lawyers and what you are saying is most likely incorrect. It was created by the Linux Foundation (it's used for the Linux kernel) and you will find it also in various RedHat projects (e.g. I recently contributed to pkcs11-provider, which has this rule), so that shows on its own that there was for sure some legal analysis and it was most likely deemed sufficient. In fact this is becoming more popular than a CLA because it doesn't require so much hassle for contributors but still gives enough legal assurance for the project.

How is this better than "by submitting a pull request to the PHP repository, you confirm that you have the right to submit your code under the PHP License."? It is equally strong protection-wise, but without extra steps.

I think an explicit commit Signed-off-by would more likely be considered a personal attestation, so it's a bit stronger. However, considering the GitHub ToS, it might be OK. So I went for a much lighter variant and just updated the contributing notes in #18356.

I can already see that this PR would be difficult to introduce to this project, so I'm going to close this as I don't think it would pass an RFC.

@bukka bukka closed this Apr 19, 2025
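For reference, this is what a DCO requirement like the one proposed here is checked against mechanically: a small Python checker (an added example, not the PR's own workflow and not anything php-src uses) that applies the usual DCO rule that every commit in a pull request must carry a `Signed-off-by:` trailer whose email matches the commit author. The `Commit` type and the sample commits are constructed for the example; as the thread notes, the check only ever sees the trailer, not anything about the code's provenance.

```python
import re
from dataclasses import dataclass

# Git stores the trailer as "Signed-off-by: Name <email>"; git commit -s appends it
# from user.name/user.email. Trailers live in the final paragraph, but git's own
# interpret-trailers also tolerates them elsewhere, so this scans the whole message.
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.M)


@dataclass
class Commit:  # hypothetical shape; a real checker would read `git log --format=...`
    sha: str
    author_name: str
    author_email: str
    message: str


def signoffs(message: str) -> list[tuple[str, str]]:
    """Return (name, email) pairs from every Signed-off-by trailer in the message."""
    return [(m.group("name"), m.group("email").lower()) for m in SIGNOFF_RE.finditer(message)]


def check_dco(commit: Commit) -> tuple[bool, str]:
    """DCO rule as typically enforced: some Signed-off-by trailer must match the author's email."""
    found = signoffs(commit.message)
    if not found:
        return False, f"{commit.sha[:7]}: no Signed-off-by trailer"
    if commit.author_email.lower() in {email for _, email in found}:
        return True, f"{commit.sha[:7]}: ok"
    return False, f"{commit.sha[:7]}: sign-off does not match author <{commit.author_email}>"


def check_range(commits: list[Commit]) -> tuple[bool, list[str]]:
    """Evaluate every commit in a PR; a single failing commit fails the whole check."""
    results = [check_dco(c) for c in commits]
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed sample commits: one signed off correctly, one unsigned, one signed off by someone else.
SAMPLE = [
    Commit("a1b2c3d4", "Example Dev", "dev@example.com",
           "Fix parser\n\nSigned-off-by: Example Dev <dev@example.com>\n"),
    Commit("e5f6a7b8", "Example Dev", "dev@example.com", "Tweak docs\n"),
    Commit("c9d0e1f2", "Other Person", "other@example.com",
           "Refactor\n\nSigned-off-by: Example Dev <dev@example.com>\n"),
]

if __name__ == "__main__":
    passed, messages = check_range(SAMPLE)
    print("\n".join(messages))
    print("PASS" if passed else "FAIL")
```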

4 participants