One-off Signed-off-by on older commits (OSS Hygiene)

[jbenet]

Now that we enforce "signed-off-bys", we'll need to collect them for older commits.

• enable GitCop on all org repos. (oof, can we have a script do this?)
• draft email to contributors
• make list of (commit, author, email, commit gh link) for commits needing signed-off-bys
• make google form
• send out email (only send out after it's been enabled all over)

i'll do most of this but could use help with the enabling GitCop everywhere. if we can script that, it would be awesome.

[jbenet]

this is just a draft for prep.

---

---

TL;DR: we need explicit "Signed-off-by" sigs for some git commits. You can just sign this google doc form, and done!

<google-form-link>

Long Version:

Greetings Everyone,

Thank you very much for your past, present, and future contributions to the IPFS Project. Sorry to bother you with this silly Open Source hygiene thing.

As you may remember, the various code repositories of the IPFS Project are MIT Licensed. All contributions carry the same MIT license, except for "vendored" or "linked" code, which carries compatible licenses (BSD, Apache 2, etc).

You're getting this email beacuse you contributed code to an IPFS Repository, before we began enforcing the "License commit trailers required" policy. A "License trailer" is a small signoff in the bottom of a commit message, that looks like this:

License: MIT
Signed-off-by: Juan Batiz-Benet <[email protected]>

The "Signed-off-by" part is the sign-off typical to the linux kernel, git, docker, and other projects. The "Sign-off" agrees to the Developer Certificate of Origin (1.1), which is a document that certifies the contribution. You can find out more about the DCO here: http://elinux.org/Developer_Certificate_Of_Origin and see our own hosted copy here: https://github.com/ipfs/community/blob/master/docs/developer-certificate-of-origin

The reason these projects ask for the explicit "Signed-off-by" trailer in commits is that a conscious step must be taken by the contributor to formally sign the work to the license, even if only done once. As far as lawyers are concerned, it is really not enough to make a pull-request on a repo with a given License file (as of 2015-06). Rather than hope law practice catches up to common open-source practice, we want to make absolutely sure that all users can use and contribute to IPFS without any worry. Thus (advised by our lawyers) we are making sure all the commits have a "Signed-off-by" clause. And we now have a bot that checks Pull Requests for us: GitCop (many thanks to the author gazler and chriscool for setting it all up). GitCop verifies the trailers, and otherwise asks the author to add them, pointing to guidelines, instructions, and even a helpful git commit hook.

The "License: MIT" part is a section added to make it clear, beyond shadow of a doubt, that all the code in the the commit at hand has been Licensed MIT, as the rest of the project, regardless of where that commit lands. Note that it is understood that if non-MIT vendored code is included and clearly labeled with its own LICENSE file in its own directory and/or with License headers on the files then that code carries that License. (We do not have an automated check today for verifying the LICENSE files added are all compatible with the MIT License, but we may in the future).

So, there's a few commits you made that we need to get explicit "Signed-off-bys" from you. The commits are technically already covered by the License file in the root of the repo, as is common practice and our contribution documentation states, but it is important that we make sure we apply the same level of OSS hygiene to them.

To make this easy for you, we've made a google doc form for everyone. You just need to fill out your name and email, as it would appear on the commit sign-off, for example:

Juan Batiz-Benet <[email protected]>

We'll then make one commit to the repository noting all the relevant commit hashes, with all the "Signed-off-by" lines. The google form takes only a few seconds, and is over at:

<google-form-link>

Again, thank you so much for your contribution, thank you for your prompt reply, and sorry to bother you with this silly thing!

Thanks,
Juan Benet

[daviddias]

We should get this for the JS repos as well. @RichardLitt could you lead this?

[RichardLitt]

Talked to @flyingzumwalt a bit about this today. I can certainly help, but not sure I'd be the best DRI for this particular effort.

Are we still going with gitcop? I haven't seen it in a while - have I just not been watching go-ipfs enough? That's the only repo we use it for, currently, correct?

[RichardLitt]

Just had some fun: It would be possible to ask users to add a global git commit hook without too much hassle. We could have them add this:

#!/bin/sh

if [[ $(git remote get-url origin | grep "[ipfs|libp2p|ipld|orbit|multiformats]") ]]; then
  grep "^License:" "$1" || {
  	echo >>"$1"
  	echo "License: MIT" >>"$1"
  	echo "Signed-off-by: $(git config user.name) <$(git config user.email)>" >>"$1"
}
fi

If you're working on any of our repos, you would automatically add the same things we currently add only to go-ipfs.

[ghost]

Oh, I didn't know global commit hooks. Where would you put that script?

About GitCop, I've seen it just the other day -- we're eager to switch away from it. It's just very blunt and unfriendly.

[ribasushi]

Oh, I didn't know global commit hooks. Where would you put that script?

It's a relatively new thing that has not yet trickled down to dists: git/git@867ad08a

You still need to distribute a config somehow, this is the closest to "safe" I was able to come up with some time ago (read the commit message carefully): Perl5/DBIx-Class@1f99022a59

[RichardLitt]

It's pretty easy to implement: https://coderwall.com/p/jp7d5q/create-a-global-git-commit-hook.

@ribasushi I'm not sure about that config setup. The solution I just l pointed to seems to work for me. Maybe I am missing something?

[ribasushi]

@RichardLitt you mentioning global commit hook made me think of the git 2.11 feature, not of init templates.

The extra faffing I show in the second paragraph is a workflow to both allow updates from upstream ( the scripts are hosted in-repo, instead of some one-off comment on github ) while at the same time highlighting the concern that a malicious committer might drop unsavory code into the hook/config areas.

[RichardLitt]

@dignifiedquire Pointed out that github added a default contributor license. We could potentially use that. However, as @Kubuxu mentioned in the All Hands call, this means it is a bit more removed from git.