Linus Torvalds and Linux 2.6 kernel maintainer Andrew Morton have announced a new way of tracking contributions to Linux: the Developers Certificate of Origin.
Under the new kernel submission process, contributions to the Linux kernel may only be made by individuals who acknowledge their right to make the contribution under an appropriate open-source license. This acknowledgment, the DCO, is used to track contributions and contributors to Linux. The DCO ensures that appropriate attribution is given to developers of original contributions and derivative works, as well to those contributors who receive submissions and pass them, unchanged, up the kernel tree. All contributors are called upon to “sign off” on a submission before it can be considered for inclusion in the kernel.
The Open Source Development Labs, a consortium dedicated to accelerating the adoption of Linux in the enterprise, and which employs both leaders of Linux, announced its support for these enhancements to the Linux kernel submission process. The point of this move is to improve the accurate tracking of contributions to the kernel and ensure developers receive credit for their contributions. Torvalds and Morton said they adopted the revised process only after obtaining input and broad support from key kernel subsystem maintainers and others in the open-source community.
In a statement, Torvalds said: “This process improvement makes Linux even stronger. Weve always had transparency, peer review, pride and personal responsibility behind our open source development method. With the DCO, were trying to document the process. We want to make it simpler to link submitted code to its contributors. Its like signing your own work.”
This move is being made in part to combat claims from The SCO Group Inc. that Linux contains code from what it claims is its proprietary Unix intellectual property. “The Linux development process has worked well for more than 10 years but with its success has come new challenges,” said Stuart Cohen, CEO of OSDL in a prepared statement. “The measure we announce today goes a long way toward eliminating doubt surrounding the origin of Linux code, and does so without placing any undue burden on the development community.”
In addition, this move addresses concerns that stolen proprietary code from Microsoft Corp., Cisco Systems Inc. or some other company might somehow make its way into Linux.
While many have declared that there simply is no chance that proprietary code could be in Linux or other major open-source projects, concerns over these issues have led to the creation of companies to address these issues. Such businesses include New York-based Open Source Risk Management, which offers a vendor-neutral open-source indemnification insurance program, and Black Duck Software, which offers a system for checking source code for unauthorized use of open source code.
The OSDL has committed to providing resources to ensure that contributions made to the kernel adhere to the DCO and the process improvements. The Lab will review the content of the contributions to confirm that submissions to the kernel have been signed off by contributors in accordance with the DCO. In addition, the OSDL plans to launch an educational campaign for developers and end users on the DCO and the process improvements.
The DCO itself is extremely simple. In its entity, it reads :
“By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.”
The DCOs full text can be found at the OSDLs Linux Developers Certificate of Origin Webpage.