Contributor licensing #308

Closed
znewman01 opened this issue Jun 8, 2022 · 8 comments · Fixed by #319

@znewman01
Contributor

#190 adds a DCO requirement. This was somewhat controversial.

We should:

  1. Make a decision on contributor licensing.
  2. Document and enforce it.

Summary of available options.

Developer Certificate of Origin (DCO)

Pros:

  • It's what python-tuf does.
  • Lighter-weight, legally speaking, than a CLA: many developers are able to sign a DCO but not a CLA
  • Easy to enforce: there's an off-the-shelf GitHub action.

Cons:

  • Can be annoying to type -s all the time.
  • Makes GitHub web UI changes difficult (you can manually add the Signed-off-by: line).

Contributor License Agreement (CLA)

Pros:

  • Set-and-forget: you just have to sign it once.

Cons:

  • Some contributors are unable (often due to their employer) or unwilling (due to the legal requirements) to sign a CLA.
  • Enforcement is more of a pain. We also have to pick a CLA.

Do nothing

Pros:

  • Status quo; don't have to do anything. Seems to be working so far.
  • Other TUF projects seem to be okay with this.
  • Nobody has ever convinced me that these things matter.

Cons:

  • Legal risks (???)
znewman01 added a commit to znewman01/go-tuf that referenced this issue Jun 8, 2022
Follow-up from theupdateframework#190 (thanks @asraa!).

I did not add a DCO requirement at this point, as that was controversial
in theupdateframework#190. I filed theupdateframework#308 to track that.

I tried to address all *other* feedback in theupdateframework#190.

Fixes theupdateframework#212.

Fixes theupdateframework#306.
@joshuagl
Member

joshuagl commented Jun 8, 2022

DCO is now easier to manage through the GitHub web UI; admins can mark it as required and the UI will fill it in automagically: https://github.blog/changelog/2022-06-08-admins-can-require-sign-off-on-web-based-commits/

I should add that python-tuf requires DCO: https://github.com/theupdateframework/python-tuf/blob/develop/docs/CONTRIBUTING.rst#dco

@mnm678
Collaborator

mnm678 commented Jun 9, 2022

I think DCO is easier for most people. It looks like the CNCF wants projects to have some kind of contributor licence.

asraa added a commit that referenced this issue Jun 9, 2022
* add contributing guidelines

Signed-off-by: Asra Ali <asraa@google.com>

* Update CONTRIBUTING.md, add MAINTAINERS.md

Follow-up from #190 (thanks @asraa!).

I did not add a DCO requirement at this point, as that was controversial
in #190. I filed #308 to track that.

I tried to address all *other* feedback in #190.

Fixes #212.

Fixes #306.

* Move docs into a "docs" folder.

Fixes #303.

* Whitespace fixes

* Address PR comments

- TODO for testing instructions
- Remove obsolete TODO

* Full URL in testing

* Fix @joshuagl suggestions

Co-authored-by: Asra Ali <asraa@google.com>
@trishankatdatadog
Member

> Pros:
>
>   • Nobody has ever convinced me that these things matter.
>
> Cons:
>
>   • Legal risks (???)

Exactly. So let's just go with the simplest thing. DCO is fine by me considering recent changes.

@znewman01 znewman01 self-assigned this Jun 9, 2022
@znewman01
Contributor Author

It appears that I don't have the permissions to set this up: https://github.com/dcoapp/app#usage

Someone with "write access" to the go-tuf repo needs to configure the repo in Settings > Branches > Branch protection for master > Require status checks to pass before merging > DCO (check it!).

You may also need to "install" the DCO bot: https://github.com/apps/dco > Configure.

@znewman01 znewman01 removed their assignment Jun 10, 2022
@rdimitrov
Contributor

@joshuagl - I think you may have the necessary rights 👍

@joshuagl
Member

I've installed the app, but we need a PR to be opened after it has been installed to trigger the check before we can enable the branch protection

@znewman01
Contributor Author

> I've installed the app, but we need a PR to be opened after it has been installed to trigger the check before we can enable the branch protection

Does #319 work?

@joshuagl
Member

It does, all set up :-)
