Developer Certificate of Origin (DCO)

Background

The DCO is a per-commit sign-off made by a contributor stating that they agree to the terms published at https://developercertificate.org/ for that particular contribution.

When creating a commit with the Git CLI, a sign-off can be added with the -s (--signoff) option: https://git-scm.com/docs/git-commit#git-commit--s. Git fills the line in from the committer's configured user.name and user.email. The sign-off is stored as part of the commit message itself, as a trailer line of the format:

Signed-off-by: Full Name <email>

DCO sign-offs differ from contributor agreements (CLAs):

  • While contributor agreements are usually made once and automatically cover all future contributions, DCO sign-offs must be present on every single commit, or else the contribution will not be accepted.
  • A contributor agreement may be signed by a third party, like a company, on behalf of its employees, whereas the DCO is always an attestation by the author of the contribution.
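As an added example (not part of this wiki page, and not the code of the hosted DCO app or of Git), the following Python script applies the sign-off rule described above to the output of git log. It parses a NUL-separated log produced with git log --format='%H%n%an%n%ae%n%B%x00', extracts every Signed-off-by trailer, and reports commits that carry no trailer or whose trailer does not name the commit author. The policy it enforces (name must match exactly, e-mail compared case-insensitively) and the sample log at the bottom are assumptions of this example; the sample commits are constructed and not real.

```python
import re
from dataclasses import dataclass

# Trailer format described above: "Signed-off-by: Full Name <email>".
# One sign-off per line; MULTILINE anchors the pattern to each line.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^<>\s]+)>\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str


def signoffs(message: str) -> list[tuple[str, str]]:
    """All (name, email) pairs from Signed-off-by trailers in a commit message."""
    return [(m.group("name"), m.group("email")) for m in SIGNOFF_RE.finditer(message)]


def check_dco(commit: Commit) -> list[str]:
    """Return the problems with one commit; an empty list means it passes.

    Policy (an assumption of this example): at least one Signed-off-by line
    must name the commit author exactly, with the e-mail compared
    case-insensitively. A sign-off by someone other than the author is
    rejected, since the DCO is an attestation by the author.
    """
    found = signoffs(commit.message)
    short = commit.sha[:7]
    if not found:
        return [f"{short}: no Signed-off-by line in commit message"]
    for name, email in found:
        if name == commit.author_name and email.lower() == commit.author_email.lower():
            return []
    return [
        f"{short}: Signed-off-by does not match author "
        f"{commit.author_name} <{commit.author_email}>"
    ]


def parse_git_log(text: str) -> list[Commit]:
    """Parse the output of: git log --format='%H%n%an%n%ae%n%B%x00'

    Each record is SHA, author name, author e-mail, then the raw message,
    terminated by a NUL so multi-line messages parse unambiguously.
    """
    commits = []
    for record in text.split("\x00"):
        record = record.strip("\n")
        if not record:
            continue
        parts = record.split("\n", 3)
        parts += [""] * (4 - len(parts))  # tolerate an empty commit message
        sha, name, email, message = parts
        commits.append(Commit(sha, name, email, message))
    return commits


def audit(log_text: str) -> dict[str, list[str]]:
    """Map each failing SHA to its problems; commits that pass are omitted."""
    result: dict[str, list[str]] = {}
    for commit in parse_git_log(log_text):
        problems = check_dco(commit)
        if problems:
            result[commit.sha] = problems
    return result


# Constructed sample input (not real commits) in the format parse_git_log expects:
# one signed-off commit, one with no trailer, one signed off by someone else.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\n"
    "Alice Example\nalice@example.com\n"
    "Fix off-by-one in parser\n\n"
    "Signed-off-by: Alice Example <Alice@Example.com>\n\x00\n"
    "2222222222222222222222222222222222222222\n"
    "Bob Example\nbob@example.com\n"
    "Add feature flag\n\x00\n"
    "3333333333333333333333333333333333333333\n"
    "Carol Example\ncarol@example.com\n"
    "Refactor build\n\n"
    "Signed-off-by: Someone Else <someone@example.com>\n\x00\n"
)

if __name__ == "__main__":
    failures = audit(SAMPLE_LOG)
    for problems in failures.values():
        for problem in problems:
            print(problem)
    raise SystemExit(1 if failures else 0)
```

To run it against a real branch, pipe the log in instead of using SAMPLE_LOG, for example git log --format='%H%n%an%n%ae%n%B%x00' origin/master..HEAD; a non-zero exit marks the range as failing, which is the same pass/fail signal the status check on the hosting platform exposes.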

Enabling DCO enforcement

GitHub

GitHub uses status checks (similar to CI pass/fail) against new Pull Requests to ensure that contributions which fail DCO validation will not be merged into a DCO-protected branch (usually “master”).

Log in as a user with Owner rights to the GitHub organization. Browse to the URL https://github.com/apps/dco and hit the “Install” (or “Configure”) button. Select the organization to install it to. Select “All repositories”.

Browse to the settings for each repository in that organization. Choose “Branches” from the menu. If “master” does not show up under Protected Branches, select it from the “Choose a branch” drop-down. Enable “Protect this branch”, “Require status checks to pass before merging” (and check the “DCO” status check if it is available). Repeat for the remaining repositories.

The “DCO” check is only listed among the available status checks once GitHub has seen it reported. To complete the configuration, return to the master branch protection screen on each repository and check “DCO” after this status check has been seen by GitHub.

GitLab

TBD

Gerrit

Unlike GitHub, which allows a contributor to create a Pull Request but marks it as failing checks, Gerrit will not even accept a changeset unless the commit(s) in that changeset pass DCO.

The project.config file must have the following configuration set, or inherited from a parent repository:

[receive]
    requireSignedOffBy = true

dco.txt · Last modified: 2019/12/26 18:20 by emsearcy