On 23/05/2025 15:11, Jay Faulkner wrote:
On 5/23/25 12:57 AM, Sean Mooney wrote:
I actually think it would be incorrect too.
In item "c", it addresses this kind of signoff.
"The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it."
https://developercertificate.org/
While I agree a rebase doesn't *need* a signoff, I should not say it's incorrect to add one. In fact, in other communities that use DCO (like Gentoo), I am required to add a signoff for any patch passing through my hands, even if I don't directly modify it.
By that logic, as a core reviewer I would be required to add my Signed-off-by whenever I approve a patch to merge.

My understanding is that the DCO is a commitment from the author that they are allowed to contribute the review content under the terms of the license of the project, and an affirmation that they agree to do so. So the received content will in our case be contributed under the Apache2 license, with no stipulation with regards to Signed-off-by etc.

If adopting the DCO would require us to update the commit message like that just to rebase it, or worse, merge it, I think that would be an excessive burden to put on maintainers who are already overtaxed with reviews.

If we are modifying the code content, even if just resolving a trivial merge conflict, adding Signed-off-by is more reasonable, but even in that case that is tracked by the committer field and the authorship is still that of the original author.

In the case of resolving a merge conflict it really falls under b, but clicking the rebase button with no change is closest to C, assuming the patch contains a Signed-off-by or was contributed under the current ICLA, which would make the contribution APACHE 2 licensed.

I often use the rebase button instead of a recheck when a patch fails due to a flaky test or an unrelated infra issue and it has not been updated in a few days. That results in a cleaner history, as we hopefully avoid a merge commit, and is otherwise a nice alternative to a bare recheck or "recheck DCO", which honestly would be preferable to having to pull the patch to add my "Signed-off-by".

I also would not want to set a precedent of editing the commit in the UI to add my "Signed-off-by" to trigger a job run as a side effect either. I really think we should only be doing that if we make a material change to the code, similar to a Co-authored-by.

For backports we are adding the "cherry picked from" line anyway, so adding Signed-off-by when doing that is not really much extra effort.
I really hope we are not trading a one-time, relatively minor step of reading and accepting the ICLA for a continuous burden for every contribution going forward.

By the way, on a related note, where we receive patches for security bugs as attachments to Launchpad and the original author is not the one to actually submit the patch, I assume we will be using clause B to make that submission on their behalf.

"""
The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file
"""

Normally the reporter of a security bug is not the person that actually fixes the issue, and that person has signed the ICLA. If I was writing such a patch I would sign it off going forward, but are we going to ask all those that submit a patch as an attachment like that to also include the Signed-off-by too? I assume yes.

I bring that up as we have discussed enforcing this in Gerrit, and while that is the primary way we get contributions, it's not the only one.

We also get contributions for translations submitted via Zanata. Those are submitted to the project by a bot after the changes are exported from the Zanata server, but how are we going to enforce that those contributions are submitted under the project license? Is there a way for translators to also add a "Signed-off-by" or otherwise agree to the DCO?

I think that may have been overlooked in the governance resolution currently being proposed and should be reviewed before it is implemented.
-JayF