Implement Developer Certificate of Origin policy for contributions

[tonygermano]

Related to #1

This appears to be a fairly widespread mechanism as an alternative to requiring contributors to sign a CLA. It is published by the Linux Foundation and used by several prominent projects, such as the Linux Kernel and git. Its text is found here: https://developercertificate.org/

Github has an app which enforces the policy on PR's so that they cannot merge until appropriately signed off.
https://github.com/apps/dco

This page looks to be a great reference to get new contributors familiar with the requirements. It also describes how to correct commits which had not been signed off correctly.
https://www.secondstate.io/articles/dco/

[kpalang]

@tonygermano Do you have a workflow in mind on how to execute this for the engine repository, both from the organizational and technical aspect?

[tonygermano]

The github app I linked provides enforcement.

The last link provides a how-to for contributors, though we can write up our own basic instructions, as well.

[kpalang]

Do I understand correctly that the GPG-based signing does not really apply here anymore then?

[tonygermano]

That is correct. It is encouraged, but optional.

[kpalang]

I installed the DCO app to the org. All repositories are monitored by it.

[tonygermano]

I installed the DCO app to the org. All repositories are monitored by it.

I just noticed that in the engine repo a few minutes ago. Thanks for doing that. I was going to ask when/if we wanted to move forward with that.

[kpalang]

So to formalize the process:

1. All commits must be signed off according to instructions given here
2. Signing off is enforced by a ruleset. PRs cannot be merged if DCO check fails
   • The ruleset will be enforced once the repository is public
3. GPG signing the commits is encouraged, but not required

Have I got that correct?

[tonygermano]

So to formalize the process:

1. All commits must be signed off according to instructions given here

2. Signing off is enforced by a ruleset. PRs cannot be merged if DCO check fails

   • The ruleset will be enforced once the repository is public

3. GPG signing the commits is encouraged, but not required

Have I got that correct?

Looks good to me unless someone else has objections.

[kpalang]

@OpenIntegrationEngine/steering-committee Need everyone's opinion here.

[pacmano1]

voting on your post with thumbs up / thumbs down

[kpalang]

@OpenIntegrationEngine/steering-committee Everyone please add a comment under this issue with your agreement or disagreement. The emoji reactions are not a reliable method as the reactions can be changed, but a comment leaves behind a trail.

@tonygermano could you take it upon yourself to implement the fast-forward method you described in another thread in engine repo?

[kayyagari]

I approve the proposed workflow.

[ssrowe]

I approve.

[tonygermano]

@tonygermano could you take it upon yourself to implement the fast-forward method you described in another thread in engine repo?

My time is limited for the next week, but I can try to work on it if no one else gets to it first.