
Implementing Developer Certificate of Origin (DCO)

This page is about implementing a DCO or CLA for CERN projects.

If you are asked to sign a CLA or DCO while contributing to other projects, please see Signing a CLA or DCO.

DCO for projects on GitHub

GitHub’s Terms of Service include the following paragraph:

Whenever you make a contribution to a repository containing notice of a license, you license your contribution under the same terms, and you agree that you have the right to license your contribution under those terms.

As a result, all contributions made through the normal Pull Request workflow are implicitly licensed in the same way as the project they're submitted to. Note that contributions accepted outside the GitHub platform (e.g. patch files sent via email) do not fall under these terms, and must be handled specifically.

It is possible to include a reminder of this in the repository, but such a reminder serves no formal legal purpose. For example, a pull request template could be added at .github/pull_request_template.md in your repository, containing the following content:

Reminder: By using GitHub you have agreed to GitHub’s Terms of Service,
including that 1) you license your contribution under the same terms as
the current repository’s license, and 2) that you agree that you have
the right to license your contribution under those terms.

DCO for any other platform (CERN GitLab...)

Git includes functionality to "sign off" a commit (with the --signoff option). A developer can use this to mark individual commits as being contributed in agreement with a project's DCO. This mechanism can be a bit clunky (as compared to the GitHub DCO agreement), but could be handled with the following steps:

  1. Add a note on your project documentation or repository (e.g. in CONTRIBUTING.md):

    This project requires contributors to agree to Developer Certificate of
    Origin (DCO) by adding a dedicated `Signed-off-by:` line to all commits.
    Please use `git commit --signoff` in order to automate this.
    
  2. Require that all merge request commits must include a signature of the form:

    Signed-off-by: Firstname Lastname <email.address@domain.org>
    

This can easily be enforced, for example on GitLab, with the dedicated push rule in the project settings:

```
[ ] Reject commits that aren't DCO certified.
```
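
The same requirement can also be checked in a CI job or review script. The following is an added example, not part of the original page and not GitLab's implementation: it checks that each commit carries a `Signed-off-by:` line in its final paragraph and, as a policy assumption of this example, that the signed-off e-mail matches the commit author. The function names and the sample commits are hypothetical.

```python
import re
import subprocess

# Matches "Signed-off-by: Firstname Lastname <email.address@domain.org>"
SIGNOFF = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^<>\s]+@[^<>\s]+)>\s*$", re.I)


def signoff_emails(message):
    """Return the lower-cased e-mail addresses signed off in a commit message.

    Simplification: only the last paragraph is treated as the trailer block,
    so a Signed-off-by line quoted earlier in the body does not count.
    """
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:  # subject line only, no trailer block
        return set()
    matches = (SIGNOFF.match(line.strip()) for line in paragraphs[-1].splitlines())
    return {m.group(2).lower() for m in matches if m}


def uncertified(commits):
    """Return the ids of (sha, author_email, message) commits lacking the
    author's own sign-off (matching on author e-mail is this example's policy)."""
    return [sha for sha, author, message in commits
            if author.lower() not in signoff_emails(message)]


def read_commits(rev_range):
    """Read (sha, author_email, message) tuples for a range such as 'main..HEAD'."""
    out = subprocess.run(
        ["git", "log", "--format=%H%x00%ae%x00%B%x1e", rev_range],
        check=True, capture_output=True, text=True).stdout
    return [tuple(rec.strip("\n").split("\x00", 2))
            for rec in out.split("\x1e") if rec.strip()]


# Constructed sample commits, not taken from any real repository.
SAMPLE = [
    ("a1", "ada@example.org",
     "Fix parser\n\nSigned-off-by: Ada Example <ada@example.org>\n"),
    ("b2", "bob@example.org", "Add test\n\nNo trailer here.\n"),
    ("c3", "eve@example.org",  # signed off by someone other than the author
     "Tweak\n\nSigned-off-by: Ada Example <ada@example.org>\n"),
    ("d4", "dan@example.org",  # sign-off is not in the final paragraph
     "Quote\n\nSigned-off-by: Dan Example <dan@example.org>\n\nSee docs.\n"),
]

if __name__ == "__main__":
    print(uncertified(SAMPLE))
```

In a pipeline, a non-empty result from `uncertified(read_commits("main..HEAD"))` would fail the job; the target branch name `main` is an assumption.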

Defining a Contributor License Agreement (CLA)

Please get in touch with the OSPO should you need to define a CLA for your project, as the definition requires review by legal advisers.