github / github-ospo

Helping open source program offices get started
https://github.blog/2023-03-13-an-open-source-project-to-empower-ospos-everywhere/
MIT License
663 stars 59 forks source link

Developer certificate of origin (DCO) app and PR check #94

Closed jmeridth closed 7 months ago

jmeridth commented 7 months ago

Is your feature request related to a problem?

I'm a fan of having PRs use the DCO GitHub App to enforce the Developer Certificate of Origin aka commit signing on all commits (contribution confirmation and ownership).

The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that
they wrote or otherwise have the right to submit the code they are contributing to the 
project.

It's better than CLAs (in my opinion) and easier to ensure.

Related OSPO Tool

automatic-contrib-prs GitHub Action, cleanowners GitHub Action, contributors GitHub Action, evergreen GitHub Action, issues-metrics GitHub Action, stale-repos GitHub Action, internal-contribution-forks GitHub App

Describe the solution you'd like

Add the app to each of the OSPO tools. Before we do that we'd update the pull request template and CONTRIBUTING.md mentioning the change and requirement.

Describe alternatives you've considered

Certificate License Agreement (CLA) is an older way to do the same thing, confirm ownership and who is contributing.

Additional context

Currently we mention Legal Notice in our CONTRIBUTING.md but don't confirm it in any way.

jmeridth commented 7 months ago

Am now aware of GitHub's ToS (inbound=outbound) (thank you @zkoppert) and also after reading Ben Balter's blog post on this topic, I'm torn. If the ToS is sufficient, I don't think additional overhead is warranted. I'm still a fan of authors signing their commits 😄 🤔

jmeridth commented 7 months ago

Closing in favor of (inbound = outbound) aka Contribution under Repository License