The Developer Certificate of Origin is a great alternative to a CLA

April 12, 2021 on Drew DeVault's blog

Today Amazon released their fork of ElasticSearch, OpenSearch, and I want to take a moment to draw your attention to one good decision in particular: its use of the Developer Certificate of Origin (or “DCO”).

Elastic betrayed its community when it changed to a proprietary license. We could have seen it coming because of a particular trait of their contribution process: the use of a Contributor License Agreement, or CLA. In principle, a CLA aims to address legitimate concerns of ownership and copyright, but in practice it is a promise that one day the stewards of the codebase will take your work and relicense it under a nonfree license. And, ultimately, this is exactly what Elastic did, and exactly what most other projects which ask you to sign a CLA are planning to do. If you ask me, that’s a crappy deal, and I refrain from contributing to those projects as a result.

However, there are some legitimate questions of ownership which a project owner might rightfully wish to address before accepting a contribution. As is often the case, we can look to git itself for an answer to this problem. Git was designed for the Linux kernel, and patch ownership is a problem they faced and solved a long time ago. Their answer is the Developer Certificate of Origin, or DCO, and tools for working with it are already built into git.

git provides the -s (or --signoff) flag for git commit, which appends the following trailer line to your commit message:

Signed-off-by: Drew DeVault <sir@cmpwn.com>

The specific meaning varies from project to project, but it is usually used to indicate that you have read and agreed to the DCO, which reads as follows:

By making a contribution to this project, I certify that:

  1. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
  2. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
  3. The contribution was provided directly to me by some other person who certified (1), (2) or (3) and I have not modified it.
  4. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

This neatly answers all concerns of copyright. You license your contribution under the original license (Apache 2.0 in the case of OpenSearch), and attest that you have sufficient ownership over your changes to do so. You retain your copyright and you don’t leave the door open for the maintainers to relicense your work under some other terms in the future. This offers the maintainers the same rights that they extended to the community themselves.
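A project that adopts the DCO usually enforces the sign-off mechanically, rejecting any commit that lacks a Signed-off-by trailer (and, by common convention, one naming the commit author's e-mail address). The script below is an added example of such a check; it is not the blog's, OpenSearch's or any existing DCO bot's code. The sample commits are constructed, the author-email match is a convention rather than something the DCO text itself requires, and commits_in_range assumes a git binary on the PATH so the same check can be run against real history.

```python
"""DCO sign-off check for a range of commits.

Added example (not the blog's, OpenSearch's or any existing DCO bot's code).
Each commit must carry a Signed-off-by trailer, and by the usual convention
one of those trailers must name the commit author's e-mail address.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# One trailer line as written by `git commit -s`:
#   Signed-off-by: Drew DeVault <sir@cmpwn.com>
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str  # full commit message: subject, body and trailers


def signoffs(message: str) -> list[tuple[str, str]]:
    """Return (name, email) for every Signed-off-by trailer in the message.

    Only the final paragraph is searched, mirroring how git treats the
    trailer block; a sign-off buried in the middle of the body does not
    count."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if not paragraphs:
        return []
    block = paragraphs[-1]
    return [
        (m.group("name").strip(), m.group("email").strip().lower())
        for m in SIGNOFF_RE.finditer(block)
    ]


def check_commit(commit: Commit) -> str | None:
    """Return None when the commit passes, otherwise a short reason."""
    found = signoffs(commit.message)
    short = commit.sha[:7]
    if not found:
        return f"{short}: missing Signed-off-by trailer"
    if commit.author_email.lower() not in {email for _, email in found}:
        return f"{short}: no Signed-off-by matches author <{commit.author_email}>"
    return None


def check_commits(commits: list[Commit]) -> list[str]:
    """Collect the failure reasons for every commit that does not pass."""
    return [reason for c in commits if (reason := check_commit(c)) is not None]


def commits_in_range(rev_range: str, repo: str = ".") -> list[Commit]:
    """Read commits from a real repository (assumes git is on the PATH).

    Fields are separated by the unit separator and records by NUL so that
    multi-line messages split unambiguously."""
    fmt = "%H%x1f%an%x1f%ae%x1f%B%x00"
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={fmt}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    commits = []
    for record in out.split("\x00"):
        if not record.strip():
            continue
        sha, name, email, body = record.split("\x1f", 3)
        commits.append(Commit(sha.strip(), name, email, body))
    return commits


# Constructed sample commits (not real history): one correct sign-off, one
# missing entirely, one signed off by somebody other than the author.
SAMPLE_COMMITS = [
    Commit("a1b2c3d4e5f6", "Alice Example", "alice@example.org",
           "Add DCO check to CI\n\nSigned-off-by: Alice Example <alice@example.org>\n"),
    Commit("f6e5d4c3b2a1", "Bob Example", "bob@example.org",
           "Fix typo in README\n"),
    Commit("001122334455", "Carol Example", "carol@example.org",
           "Refactor parser\n\nSigned-off-by: Someone Else <other@example.org>\n"),
]


if __name__ == "__main__":
    # Usage in CI: python dco_check.py origin/main..HEAD
    target = commits_in_range(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COMMITS
    failures = check_commits(target)
    for reason in failures:
        print(reason)
    sys.exit(1 if failures else 0)
```

Run with no arguments to exercise the constructed samples, or pass a revision range such as origin/main..HEAD to check the commits of a pull request; a non-zero exit status is what a CI job keys on. Restricting the search to the last paragraph matters: a sign-off pasted into the middle of a message would be ignored by git's own trailer handling, so the check should not count it either.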

This is the strategy that Amazon chose for OpenSearch, and it’s a good thing they did, because it strongly signals to the community that it will not suffer the same fate that ElasticSearch has. By doing this, they have made any future attempt to change their copyright obligations a great deal more difficult for themselves. I applaud Amazon for this move, and I’m optimistic about the future of OpenSearch under their stewardship.

If you have a project of your own that is concerned about the copyright of third-party contributions, then please consider adopting the DCO instead of a CLA. And, as a contributor, if someone asks you to sign a CLA, consider withholding your contribution: a CLA is a promise to the contributors that someday their work will be taken from them and monetized to the exclusive benefit of the project’s lords. This affects my personal contributions, too — for example, I avoid contributing to Golang as a result of their CLA requirement. Your work is important, and the projects you offer it to should respect that.
