Do we really need the DCO signing? #79
-
|
@billimek (you're the only other maintainer I'm aware of) Is there an upstream requirement to sign off on git commits that I may be unaware of? There are times when people have submitted code that would be nice to merge, but the wait on signing off the DCO means the fix doesn't happen, and it feels wrong to re-submit the same fix as myself and sign off on the code I just submitted. Thoughts? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 4 replies
-
|
Hi @tvories, I agree that we face a number of PRs from folks who have not signed the DCO. This is probably a better question for someone from the broader Nextcloud org. I believe they require DCO for all contributions across all of the repos here. @skjnldsv can you confirm? |
Beta Was this translation helpful? Give feedback.
-
That's exactly what I was wondering. I'll wait to hear back from Nextcloud about that. |
Beta Was this translation helpful? Give feedback.
-
That is also totally against the purpose of a sign-off and the CTO. Don't do this. See nextcloud/server#1481 and the discussion around it. The sign-off is a bit of an insurance that people contribute only code that is compatible with the project's license. IMO it's a good thing. |
Beta Was this translation helpful? Give feedback.
-
|
So the thing is in theory people could copy code from other sources and would make you (or more like "us as Nextcloud") with your app violate 3rdpartys licenses. With the DCO they basically confirm they either wrote the code themselves or that the license is compatible with your license. if you give a 💩 about it (being charged thousands to millions of dollars because of copyright infrigment) go ahead without it and ask for the repository to be moved to your user so it's not Nextcloud being charged. |
Beta Was this translation helpful? Give feedback.
-
This makes the most sense to me. Thank you all for the clarification about the DCO. Makes a lot of sense that it's a licensing concern, though I would say that I do believe there's a difference between someone correcting grammar on the README or a single line typo that someone submitted a PR for and then abandoned, vs someone contributing a large amount of code change. In the case where someone submits a PR for a typo and doesn't sign off, do you just not fix it if the person abandons their PR? This is my first exposure with a DCO, so I appreciate the replies. |
Beta Was this translation helpful? Give feedback.
-
|
Well fixing a typo has no "threshold of originality" and can therefore be accepted without a problem |
Beta Was this translation helpful? Give feedback.
-
|
Is there a way to set the "threshold of originality" at the DCO plugin level, or would a maintainer just know that under 7 lines it is OK to "Set DCO to pass"?
|
Beta Was this translation helpful? Give feedback.
-
|
We set this manually |
Beta Was this translation helpful? Give feedback.
So the thing is in theory people could copy code from other sources and would make you (or more like "us as Nextcloud") with your app violate 3rdpartys licenses. With the DCO they basically confirm they either wrote the code themselves or that the license is compatible with your license.
In theory otherwise you are in charge for code they put into your app.
if you give a 💩 about it (being charged thousands to millions of dollars because of copyright infrigment) go ahead without it and ask for the repository to be moved to your user so it's not Nextcloud being charged.
I would only accept patches < 7 lines without a DCO ( https://en.wikipedia.org/wiki/Threshold_of_originality )