Reviewing our use DCO for usability, personal safety, validity #289

Closed
Nebrethar opened this issue Oct 7, 2021 · 5 comments
Labels
community culture Topics around communication, values, etc

Comments

@Nebrethar
Contributor

I appreciate that we want a contributor license agreement in our process. It's a valuable part of a growing organization to take it up. I want to go over some reasons I think DCO isn't helping us with that, hopefully concisely:

  • We are having issues with contributors knowing about the DCO, using the DCO, and patching mistakes with DCO. We have some really good examples in DEI. I've also personally had issues when I use the GitHub UI.
    • I've experienced issues where I have to completely remake a PR because my DCO commit locks up and I don't know enough Git to resolve it. This could be bad for new contributors.
  • Using DCO introduces ethics issues around real names. For the validity of the DCO, you must use your real name. Neither pseudonyms nor anonymization will work. I think this is a really big ask.
    • Some good questions around this topic of DCO & naming are well described in this issue.
  • I've seen a few spots where good arguments are made that DCO is not a valid CLA. Here is one argument for that case.
    • The validity becomes a bigger problem if we ask the submitter during the review of their PR.
    • I've also seen maintainers "just set it to pass" for other maintainers, including me, because of the difficulty.

With these arguments in mind, I propose we, as an organization:

  • Remove our integration of the DCO in CHAOSS repositories
  • Search for an alternative that provides an explicit opportunity for agreement
@Nebrethar Nebrethar changed the title Reviewing DCO for usability, personal safety, validity Reviewing our use DCO for usability, personal safety, validity Oct 7, 2021
@GeorgLink
Member

Great arguments.

The DCO requirement comes from the Linux Foundation. If we want to change it, we need to involve the Linux Foundation.

@germonprez
Collaborator

I have to agree as the DCO does make things additionally burdensome and does remove anonymity. I can chat with folks at the LF if we really do have to have this if you'd like.

@ElizabethN
Member

I would +1 removing this requirement, especially in light of @Nebrethar's comments above. If removing the requirement isn't something we can implement, maybe there can be a provision for those who would like to opt-out.

@ElizabethN ElizabethN added the community culture Topics around communication, values, etc label Oct 11, 2021
@rpaik
Member

rpaik commented Oct 26, 2021

I'm supportive of streamlining the DCO process. Perhaps our language can be modified so that an explicit sign-off on the DCO isn't required. Here are examples from a couple of communities that I have been involved with that say "by making a contribution, you agree to the DCO terms"

@germonprez
Collaborator

Hi all.

After talking with folks at the LF, I really think this is something we need to keep. The primary reasons are around ensuring that contributions are

"The DCO indicates that contributors are responsible for the code that they contribute and that they understand that the contribution is under the terms of the [..] project licenses."

Not having the DCO also contributes to a pattern that may result in malicious code being contributed because of anonymity. I think our only other option is a CLA which is much more involved and even higher overhead.
