NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0
50.9k stars 5.8k forks source link

Getting clarity around the DCO usage #63

Closed jmertic closed 5 years ago

jmertic commented 5 years ago

Hi!

Looking at the contributing guidelines at https://github.com/NationalSecurityAgency/ghidra/blob/master/CONTRIBUTING.md#developer-certificate-of-origin-dco-process, I saw you are using the DCO ( which is great! ). That said, looking at the approach, it seems a bit kludgy:

This project implements a Lite version of the DCO process. When you submit a pull request to this repository for the first time, you need to sign the DCO. To indicate you have read and agree to the DCO, you need to add the following information to the contributors file

Typically when DCO agreements are done, it's a signoff on the commit. Here's an example from a project I work on ( https://github.com/AcademySoftwareFoundation/tac/blob/master/process/contributing.md ):

Ensuring a clean code pedigree and lineage is critical to downstream adoption of open source code in industry.

ASWF requires the use of the Developer’s Certificate of Origin 1.1 (DCO), which is the same mechanism that the Linux® Kernel and many other communities use to manage code contributions. The DCO is considered one of the simplest tools for sign offs from contributors as the representations are meant to be easy to read and indicating signoff is done as a part of the commit message.

Here is an example Signed-off-by line, which indicates that the submitter accepts the DCO:

Signed-off-by: John Doe <john.doe@hisdomain.com>

You can include this automatically when you commit a change to your local git repository using git commit -s. You might also want to leverage this command line tool for automatically adding the signoff message on commits.

Then there are nice tools like DCO bot and a local integration that makes the process super easy.

Happy to discuss further online or offline if you like!

nsadeveloper789 commented 5 years ago

Thanks for this advice! This was supposed to implement the Lite version, which upon further consideration seems more difficult than the one you describe. Until we better understand the DCO -- and decide whether or not we actually want it -- we've switched to the basic inbound=outbound model.

jmertic commented 5 years ago

I'm happy to help you understand the DCO more if you'd like - ping me at jmertic at linuxfoundation dot org.

nsadeveloper789 commented 5 years ago

Thank you again for your willingness to help, and sorry for the delayed response. I've brought this to the attention of one of our open-source coordination folks.

jmertic commented 5 years ago

No worries @nsadeveloper789 - keep me posted on any way I could help.