bmarwell, 11 months ago

@anderseknert None of the projects I contribute to require me to sign off my commits. What is it for for?

anderseknert, 11 months ago

@bmarwell DCO, most often https://en.m.wikipedia.org/wiki/Developer_Certificate_of_Origin

bmarwell, 11 months ago

@anderseknert yeah okay. IBM and the Apache foundation do have CLAs. That's why.

castarco, 11 months ago

@anderseknert Better yet, it can be configured in our .gitconfig file to do it always automatically :) .

https://gist.github.com/lisawolderiksen/a7b99d94c92c6671181611be1641c733

And if possible, sign it as well with PGP (which actually makes much more sense from a legal point of view)!

https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

anderseknert, 11 months ago

@castarco not necessarily better :) See the comment from @klausman earlier in this thread:

> as the git-config manpage rightly points out -- signing off should be a conscious act

There are many ways to automate a sign-off, but it’s arguably no longer a signoff then. I mean, not like anyone would know, just saying it wouldn’t be considered better by many, but worse.

The whole DCO thing being silly seems to me like the most rational take to me 😅

johanneskastl, 11 months ago

@anderseknert There is also a way to do this for multiple commits using rebase...

anderseknert, 11 months ago

@johanneskastl good point! We almost always want squashed commits in PRs in #OPA, but that’s certainly applicable to a lot of other projects 👍

johanneskastl, 11 months ago

@anderseknert It even works without squashed commits...

anderseknert, 11 months ago

@johanneskastl Sure! My point was mainly that most often one PR == one commit, in our project. So there's only really one commit to sign off on at the end of the day :) Other projects do things differently of course.

linux_mclinuxface, 11 months ago

@anderseknert I worked for a long time on a sign off required project. I like what it does but the workflow is terrible, especially for new contributors.

anderseknert, 11 months ago

@linux_mclinuxface totally! Just curious, what is it that it does that you like? 🙂 I work for such a project, and it just seems to cause more harm than good. But I could be missing some benefit.

linux_mclinuxface, 11 months ago

@anderseknert IANAL but sign offs connected with DCOs are non-controversial from a legal standpoint.

CLAs, on the other hand can be monstrous and should probably have counsel review before an organization starts having devs contribute.

Any time a legal review can be avoided, it's a win.

anderseknert, 11 months ago

@linux_mclinuxface uncontroversial, I’m sure, but what value do they add from a law POV? A sign off on a commit is just repeating information that was already there, and it’s not like donald@duck.com signing off on a commit helps assert an actual person is connected to that action, no?

linux_mclinuxface, 11 months ago

@anderseknert Well, the sign off by itself doesn't do anything much, but paired with item D in the DCO and the conscious act of signing gives it legs (again, IANAL)

kevinteljeur, 11 months ago

@anderseknert This is useful generally!

anderseknert, 11 months ago

@kevinteljeur true! Also, the --no-edit option is great when amending code but don’t need to edit the commit message.

klausman, 11 months ago

@anderseknert One of the problems is that -- asthe git-config manpage righlty points out -- signing off should be a conscious act, but there is no (current) mechanism that tells the user upon opening the PR (BEFORE creating the PR visibly to others) that says "Hey, if this is gonna be merged, it needs signoff, add that now?"

I suspect someone somewhere already has a hook mechanism for that :)

anderseknert, 11 months ago

@klausman for sure! I suppose any commit without a sign-off could be rejected at push, but people often work on a bunch of commits and then squash into a final one for the PR which is signed, so damned if you do, damned if you don’t 😄