dcoapp / app

GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests
https://github.com/apps/dco
ISC License

Allow signed off via comment #83

Closed caniszczyk closed 5 years ago

caniszczyk commented 6 years ago

There are many times when a new contributor submits a PR and forgets to do the signed off by.

It would be great if the bot could allow commits associated with the PR to be rewritten by allowing the contributor to comment: "please sign off my commits" or something to that nature.

philips commented 6 years ago

Yes please!!

hiimbex commented 6 years ago

Theoretically this can be solved by the button in https://github.com/probot/dco/pull/79; however, this does require action by someone with write access, so it's up to maintainers to determine if the contributor has sufficiently commented that they want this.

However, having the actual bot re-write the commits would not work as intended. DCO is a GitHub App, not OAuth, so it can not act as a user to re-write git history. If the DCO re-wrote commits, they would be attributed to the bot, not the original author.

philips commented 6 years ago

Why can't it rewrite on behalf of the user? What is the technical issue? I can make a commit look like it comes from anyone.

hiimbex commented 6 years ago

Well the whole point of the DCO is to ensure valid commits by users not bots, so this feels like a bad thing for the app to do to me at least.

Additionally, the DCO's current permissions are very minimal. It currently has:

[Image: screenshot of the app's current permissions, 2018-07-27]

I can see a lot of reasons why folks wouldn't want to give a GitHub App write access to their repo contents.

I'm opposed to implementing this in a way where the bot actually rewrites the commits. I'm fine with a button that says 'set status to passing' or something like that which could be pressed by maintainers or users, or adding instructions with the exact commands for users to run to fix their commits. All of this is implemented in #79.

mattfarina commented 6 years ago

Here is how Chef handles that....

Every commit, that does not meet the criteria for an obvious fix, must have a Signed-off-by line. Chef maintainers, listed in the project’s MAINTAINERS.md file, may ask you to attest to the DCO by way of a comment on your PR. After you have done so, a maintainer will rebase your branch adding an appropriate attestation to each commit. The resulting commit message would include something along the lines of:

Signed-off-by: Jane Doe <jane@example.com> on behalf of Joe Smith <joe.smith@email.com>

@caniszczyk what does the linux foundation / CNCF think of this?
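
Added example, not part of the thread and not the DCO app's own code: a Python check for the two sign-off forms discussed above, the author's own `Signed-off-by` trailer and the Chef-style `on behalf of` attestation by a maintainer. The function names, the `maintainers` allow-list and the sample commits are assumptions constructed for illustration.

```python
import re

# "Signed-off-by: Name <email>", optionally followed by the Chef-style
# " on behalf of Name <email>" form quoted in the thread.
SIGNOFF = re.compile(
    r"^Signed-off-by:[ \t]*[^<>\n]+?[ \t]*<(?P<signer>[^<>\s]+)>"
    r"(?:[ \t]+on behalf of[ \t]+[^<>\n]+?[ \t]*<(?P<behalf>[^<>\s]+)>)?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def check_signoff(author_email, message, maintainers=frozenset()):
    """Return (ok, reason) for one commit message.

    maintainers is a hypothetical allow-list of e-mail addresses permitted
    to attest on behalf of an author (Chef keeps its list in MAINTAINERS.md).
    """
    author = author_email.lower()
    allowed = {m.lower() for m in maintainers}
    trailers = list(SIGNOFF.finditer(message))
    if not trailers:
        return False, "no Signed-off-by trailer"
    for t in trailers:
        signer, behalf = t.group("signer").lower(), t.group("behalf")
        if behalf is None and signer == author:
            return True, "signed off by author"
        if behalf is not None and behalf.lower() == author and signer in allowed:
            return True, "attested by maintainer on behalf of author"
    return False, "no sign-off covers the commit author"

def failing_commits(commits, maintainers=frozenset()):
    """Return the ids of commits in a PR whose sign-off check fails."""
    return [c["id"] for c in commits
            if not check_signoff(c["author_email"], c["message"], maintainers)[0]]

# Constructed sample PR: ids and messages are made up for illustration.
SAMPLE = [
    {"id": "c1", "author_email": "joe.smith@email.com",
     "message": "Fix typo\n\nSigned-off-by: Joe Smith <joe.smith@email.com>\n"},
    {"id": "c2", "author_email": "joe.smith@email.com",
     "message": "Add test\n"},
    {"id": "c3", "author_email": "joe.smith@email.com",
     "message": "Update docs\n\nSigned-off-by: Jane Doe <jane@example.com>"
                " on behalf of Joe Smith <joe.smith@email.com>\n"},
    {"id": "c4", "author_email": "joe.smith@email.com",
     "message": "Refactor\n\nSigned-off-by: Jane Doe <jane@example.com>\n"},
]

if __name__ == "__main__":
    print(failing_commits(SAMPLE, maintainers={"jane@example.com"}))
```

A sign-off by someone other than the author passes only in the `on behalf of` form and only when the signer is on the allow-list, so commit `c4` fails even though it carries a trailer.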

philips commented 6 years ago

I don't understand the hair splitting on the DCO coming from the user via the -s flag on git commit or a comment on GitHub which authorizes a bot to rebase and add the -s flag.

If the Chef workaround is acceptable, that is fine though.

mattfarina commented 6 years ago

@philips I'm most interested in the easiest solution that the lawyers will accept.

One issue is that a bot changing the repo means the local user's commits are different from the ones on the PR. This is going to create a different experience to force pull (will that work?) to replace your local commits with the bot-altered commits on the same branch GitHub is tracking against the PR.

philips commented 6 years ago

Who talked to a lawyer about the bot? Which lawyer? And what was their response?

mattfarina commented 6 years ago

@philips For these cases my concern is with the CNCF. That's why I asked @caniszczyk what the CNCF thinks of this. They can consult with the lawyers there. I tend to let Chris and Dan handle communicating with the CNCF lawyers.

hiimbex commented 6 years ago

Just popping in from the perspective of the maintainers of this app. We just want it to work in a way that solves all of these use cases and would be super excited to make it easier for new folks to sign-off; however, we do want a +1 from the biggest users of the app before making such changes that perhaps lawyers might not like. 🙂

philips commented 6 years ago

Thanks @mattfarina and @hiimbex. I guess it is back in @caniszczyk's court to ask a Dolan or someone else.

gundalow commented 5 years ago

How do people currently deal with people editing files directly via the github.com web interface?

caniszczyk commented 5 years ago

@gundalow some people have hacked things using a Chrome extension: https://chrome.google.com/webstore/detail/dco-github-ui/onhgmjhnaeipfgacbglaphlmllkpoijo?hl=en-US

stale[bot] commented 5 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

itayd commented 5 years ago

@caniszczyk, for the record - https://github.com/probot/dco/issues/105. I'm not sure if you're still open for that idea.

stale[bot] commented 5 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?