1 |
On Fri, Jun 15, 2018 at 12:03 PM kuzetsa <kuzetsa@×××××.com> wrote: |
2 |
> |
3 |
> from: "$ man git-commit" : [...] The meaning of a |
4 |
> signoff depends on the project, but it typically |
5 |
> certifies that committer has the rights to submit |
6 |
> this work [...] |
7 |
> |
8 |
> this is frustratingly vague (to me), but I suppose |
9 |
> the extra metadata included in the same paragraph |
10 |
> has a link to: https://developercertificate.org/ |
11 |
|
12 |
Well, we aren't using that as-is, but a modified version of this. |
13 |
Gentoo policies aren't contained in manpages. |
14 |
|
15 |
The Gentoo policy is in draft GLEP 76: |
16 |
https://gitweb.gentoo.org/data/glep.git/tree/glep-0076.rst |
17 |
|
18 |
(It was posted a few days ago on this list, and discussed here in |
19 |
various forms over the last few years.) |
20 |
|
21 |
> ^ took me a few minutes to figure out what you meant, |
22 |
> or where that particular quote came from: |
23 |
|
24 |
It came from GLEP 76 (still in draft). It is of course based on the |
25 |
Linux DCO (which I believe is attributed in the GLEP). |
26 |
|
27 |
> I had never considered this, because historically, |
28 |
> gentoo developers who use their PGP key to commit |
29 |
> rarely use the --signoff feature when committing the |
30 |
> submissions of a contributor, and even if they had, |
31 |
> there's not a stable definition. |
32 |
|
33 |
Today they shouldn't be using --signoff, because there IS no official |
34 |
policy. They will be required to do so once GLEP 76 is approved (this |
35 |
will be enforced with a commit hook). |
36 |
|
37 |
> "some other person who certified" - does this mean the |
38 |
> contributor needs to use their PGP key to sign or...? |
39 |
> |
40 |
> it would be good for gentoo to have clarity on this. |
41 |
|
42 |
IMO it is up to the certifier to decide what constitutes a |
43 |
certification made by somebody else. This is necessarily outside of |
44 |
Gentoo so to try to impose a particular mechanism would make it harder |
45 |
to use outside code. For example, all Linux commits have a DCO |
46 |
signoff, but these have no GPG signoffs to go with them. We wouldn't |
47 |
want to block people from using GPL2 Linux code just because they use |
48 |
a different mechanism to track such things. |
49 |
|
50 |
The Gentoo DCO is an agreement between the Gentoo committer (a Gentoo |
51 |
dev) and Gentoo. |
52 |
|
53 |
That is roughly how I see it at least. |
54 |
|
55 |
-- |
56 |
Rich |