Merge pull request #1481 from nextcloud/signed-off-by

Add Developer Certificate of Origin (DCO)

.drone.yml

@@ -26,6 +26,13 @@ pipeline:
     when:
       matrix:
         TESTS: app-check-code
+  signed-off-check:
+    image: nextcloudci/php7.0:php7.0-2
+    commands:
+      - php ./build/signed-off-checker.php
+    when:
+      matrix:
+        TESTS: signed-off-check
   syntax-php5.6:
     image: nextcloudci/php5.6:php5.6-2
     commands:
@@ -153,6 +160,7 @@ pipeline:
 
 matrix:
   include:
+    - TESTS: signed-off-check
     - TESTS: integration
     - TESTS: jsunit
     - TESTS: check-autoloader

CONTRIBUTING.md

@@ -29,11 +29,36 @@ Thanks for wanting to contribute source code to Nextcloud. That's great!
 
 Please read the [Developer Manuals][devmanual] to learn how to create your first application or how to test the Nextcloud code with PHPUnit.
 
+### Tests
+
 In order to constantly increase the quality of our software we can no longer accept pull request which submit un-tested code.
 It is a must have that changed and added code segments are unit tested.
 In some areas unit testing is hard (aka almost impossible) as of today - in these areas refactoring WHILE fixing a bug is encouraged to enable unit testing.
 
+### Sign your work
+
+We use the Developer Certificate of Origin (DCO) as a additional safeguard
+for the Nextcloud project. This is a well established and widely used 
+mechanism to assure contributors have confirmed their right to license 
+their contribution under the project's license. 
+Please read [contribute/developer-certificate-of-origin][dcofile]. 
+If you can certify it, then just add a line to every git commit message:
+
+````
+  Signed-off-by: Random J Developer <random@developer.example.org>
+````
+
+Use your real name (sorry, no pseudonyms or anonymous contributions).
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### Apply a license
+
+In case you are not sure how to add or update the license header correctly please have a look at [contribute/HowToApplyALicense.md][applyalicense]
+
 [devmanual]: https://docs.nextcloud.org/server/10/developer_manual/
+[dcofile]: https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin
+[applyalicense]: https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md
 
 ## Translations
 Please submit translations via [Transifex][transifex].

build/signed-off-checker.php

@@ -0,0 +1,120 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @author Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/**
+ * Script to verify that all commits have been signed-off, if a commit doesn't end
+ * with a signed-off message the script is failing.
+ */
+$baseDir = __DIR__ . '/../';
+
+$pullRequestNumber = getenv('DRONE_PULL_REQUEST');
+
+if(!is_string($pullRequestNumber) || $pullRequestNumber === '') {
+	echo("The environment variable DRONE_PULL_REQUEST has no proper value.\n");
+	exit(1);
+}
+
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_URL, 'https://api.github.com/repos/nextcloud/server/pulls/'.$pullRequestNumber.'/commits');
+curl_setopt($ch, CURLOPT_USERAGENT, 'CI for Nextcloud (https://github.com/nextcloud/server)');
+$response = curl_exec($ch);
+curl_close($ch);
+
+shell_exec(
+	sprintf(
+		'cd %s && git fetch',
+		escapeshellarg($baseDir),
+		escapeshellarg($pullRequestNumber)
+	)
+);
+
+$decodedResponse = json_decode($response, true);
+if(!is_array($decodedResponse) || count($decodedResponse) === 0) {
+	echo("Could not decode JSON response from GitHub API.\n");
+	exit(1);
+}
+
+// Get all commits SHAs
+$commits = [];
+
+foreach($decodedResponse as $commit) {
+	if(!isset($commit['sha'])) {
+		echo("No SHA specified in $commit\n");
+		exit(1);
+	}
+	$commits[] = $commit['sha'];
+}
+
+
+if(count($commits) < 1) {
+	echo("Could not read commits.\n");
+	exit(1);
+}
+
+$notSignedCommits = [];
+foreach($commits as $commit) {
+	if($commit === '') {
+		continue;
+	}
+
+	$signOffMessage = false;
+	$commitMessageLines =
+		explode(
+			"\n",
+			shell_exec(
+				sprintf(
+					'cd %s && git rev-list --format=%%B --max-count=1 %s',
+					$baseDir,
+					$commit
+				)
+			)
+		);
+
+	foreach($commitMessageLines as $line) {
+		if(preg_match('/^Signed-off-by: .* <.*@.*>$/', $line)) {
+			echo "$commit is signed-off with \"$line\"\n";
+			$signOffMessage = true;
+			continue;
+		}
+	}
+	if($signOffMessage === true) {
+		continue;
+	}
+
+	$notSignedCommits[] = $commit;
+}
+
+if($notSignedCommits !== []) {
+	echo("\n");
+	echo("Some commits were not signed off!\n");
+	echo("Missing signatures on:\n");
+	foreach ($notSignedCommits as $commit) {
+		echo("- " . $commit . "\n");
+	}
+	echo("Build has failed\n");
+	exit(1);
+} else {
+	exit(0);
+}
+

contribute/HowToApplyALicense.md

@@ -0,0 +1,46 @@
+# How to apply a license
+
+Originally Nextcloud was licensed under the GNU AGPLv3 only. From
+June, 16 2016 on we switched to "GNU AGPLv3 or any later version" for
+better long-term maintainability and to make it more secure from a
+legal point of view.
+
+Additionally Nextcloud doesn't require a CLA (Contributor License
+Agreement). The copyright belongs to all the individual
+contributors.
+
+If you modify an existing file, please keep the existing license header as
+it is and just add your copyright notice:
+
+````
+@copyright Copyright (c) <year>, <your name> (<your email address>)
+````
+
+If you create a new file please use this license header:
+
+````
+/**
+ * @copyright Copyright (c) <year>, <your name> (<your email address>)
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+````
+
+Additionally we require a Developer Certificate of Origin (DCO), look
+at [CONTRIBUTING.md][contributing] to learn more how to sign your commits.
+
+[contributing]: https://github.com/nextcloud/server/blob/master/CONTRIBUTING.md#sign-your-work

contribute/developer-certificate-of-origin

@@ -0,0 +1,35 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.