Jesús VázquezOct 16, 2023
Miro Hrončok  

So many open source projects enforce the Signed-off-by line in commit messages without assigning any menaing to it. I am not a laywer, but I believe such line bares no meaning unless otherwise specified (and even then it is questionable, at least).

Requring a magical incantation in commit messages is an artificial obstacle for contributing, especially for beginners. If your project does that, try to figure out if you can drop the requrement. Thanks

Oct 16, 2023 at 9:45amWeb
Show threadAksOct 16, 2023
@hroncok i gpg sign my commits but only really because it gives funny green signed symbol in codeberg and that gives me dopamine
Show threadmfOct 17, 2023

@aks @hroncok fun fact, there’s no real relation between GPG signing and «Signed-off-by»…

GPG only confirms it’s been you who “signed off” whereas the “signing off” comes from a court case about contributing licensed code.

Show threadAriadne Conill 🐰Oct 16, 2023

@hroncok this is absolutely bad advice. instead, projects should explicitly adopt the DCO, so the sign-off has meaning.

git commit --signoff automatically adds the line anyway.

Show threadJulian Andres Klode 🏳️‍🌈Oct 16, 2023

@ariadne @hroncok I'd argue that the line is stupid and needs to go away. What you need to have is an explicit statement of what policy was signed off by. Because people just add it all the time by default, and don't actually know what the policy is of projects they submit to.

Then you can argue that any surprising policy is void for German contributors since they can't be considered to read them (that's the rule for ToS, and arguably those are ToS).

Worst
Design
Ever.

Show threaddango🍡Oct 16, 2023
@juliank @ariadne @hroncok aside the legalities, if A authored, B proposed on list, C picked into staging and sent the final merge request... Signed-off-by has a clear chain where otherwise that info would be lost
Show threadJulian Andres Klode 🏳️‍🌈Oct 16, 2023
@dango_ @ariadne @hroncok That's true sure. Some chain needs to be there, but it's hard to argue that people actually read the policy they signed off by.
Show threadMiro Hrončok  Oct 16, 2023
@ariadne That's impossible to use when the contribution is done via the web interface and very hard to amend to the commit message manually once the commit is already complete.
Show threadAriadne Conill 🐰Oct 16, 2023
@hroncok the various web interfaces can ask if you want to add the line or not. this isn't hard.
Show threadMiro Hrončok  Oct 16, 2023
@ariadne neither necessary
Show threadLaurent BercotOct 16, 2023

@hroncok @ariadne From an individual contributor's pov, a Signed-Off-By: line is a minor annoyance. From the pov of a corporation's legal department, it is necessary if the company's going to use your contribution to an open source product.

Either that, or the company will require you to sign a CLA. Which goes directly against the spirit of free software and is a *real* impediment to developers.

I like to be paid when I write software, and I like to avoid signing anything that restricts my rights or my creative control. When a company is okay using a DCO rather than a CLA to protect itself, I'm *happy*.

And if you have the smallest modicum of interest in community-driven free software and people getting paid writing and maintaining it, you will be happy too, and make it as easy as possible for organizations to use a DCO, and ignore the negligible cost of sign-off lines.

Show threadMiro Hrončok  Oct 17, 2023
@ska @ariadne This all started by me saying a lot of projects demand the line without assigning meaning. If a project actually knows why they are doing that and clearly document that, I wouldn't criticize (despite the inconvenience).
Show threadNetworkManagerOct 16, 2023

@hroncok the meaning we assigned to those tags is basically that the contributor is passing the ownership of their soul to us

we don't require them, but oddly enough some contributors choose to include them anyway

Show threadMartin BukatovičOct 16, 2023

@hroncok Exactly.

Moreover if a project has automatic check rejecting a commit without it, not pointing out to it's meaning for this very project makes this whole exercise bit pointless.

Show threadmfOct 17, 2023
@hroncok Yup, for example i don’t understand why would someone enable requirement for this in Fedora dist-git; if you have Fedora account you’ve already agreed to the terms, there’s nothing more, just a meaningless checkbox 🙃