Hello DCO, Goodbye CLA: Simplifying Contributions to Spring

Engineering | Rob Winch | January 06, 2025 | ...

The Spring team will be rolling out a simplified contribution process that replaces the requirement to sign a Contributor License Agreement (CLA) with a Developer Certificate of Origin (DCO). The process will start this week with Spring Framework, Spring Security, & Spring Boot and then roll out to the entire Spring portfolio.

History

Spring has long used a permissive Contributor License Agreement (CLA) in order to provide legal protections to the Spring project, users, and the Spring team. Longtime contributors may remember that signing the CLA originally involved emailing a signed PDF of the CLA. The Spring team was then required to manually verify that the CLA was signed before accepting contributions. Without integrations like GitHub Apps, this manual process was somewhat necessary then.

In order to streamline that process, we created an electronic version of the CLA which automatically verified that the authors of pull requests had signed the CLA. This was a large improvement over the manual process, but it still had its disadvantages.

While the electronic CLA simplified contributions, contributors were still faced with obstacles when contributing to Spring. CLAs are lengthy legal documents that can be difficult to understand. What’s more, CLAs tend to be custom, so the effort to understand them must be repeated on a per-project basis. Due to legal requirements between employees and their employers, developers would often need to work with their employer to get approval to sign the CLA. All of these factors added additional layers of complexity when contributing to Spring.

Simplifying Contributions to Spring

In order to further simplify contributing to Spring, we have decided to move to using a Developer Certificate of Origin (DCO). This still provides the same protections to the Spring project, users, and Spring team.

The benefit is that the Developer Certificate of Origin (DCO) is easy to read and a standard across many projects including the Linux Kernel. The entire DCO can be summarized as:

  1. I certify that the submitted code can be submitted under the open source license of the project (for Spring this is Apache 2.0)
  2. I understand that what I am contributing is public and will be redistributed indefinitely

How to Use Developer Certificate of Origin

In order to contribute to the project, you must agree to the Developer Certificate of Origin. To confirm that you agree, your commit message must include a Signed-off-by trailer at the bottom of the commit message. For example, it might look like the following:

A commit message

Closes gh-123

Signed-off-by: Rob Winch <[email protected]>

The Signed-off-by trailer can be added automatically by using the -s or --signoff command line option when specifying your commit message:

git commit -s -m "A commit message"

If you have chosen the Keep my email address private option within GitHub, the Signed-off-by trailer might look something like:

A commit message

Closes gh-123

Signed-off-by: Rob Winch <[email protected]>

FAQ

What about existing Pull Requests?

Existing pull requests which are already passing the CLA check do not need to sign the DCO. If the pull request is not already passing the CLA, then the DCO process should be used.

When will the migration to using a DCO start?

The Spring Framework, Spring Security, and Spring Boot projects will transition to this process this week (January 6, 2025). After a successful trial period, we will migrate all Spring projects to use this process.

What checks are performed to ensure the process is followed?

Spring uses the DCO GitHub App to add a check that enforces that all commits in a pull request contain a Signed-off-by trailer with a value of the email and name found in the user’s GitHub profile.

If you would like to see what the process looks like, the DCO app describes how the process works along with screenshots of what to expect.
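
An added example (not Spring's or the DCO app's code) that approximates the check described above locally: it lists the commits in a range whose Signed-off-by trailers do not include the commit author's identity. The function names, the exact-match rule against the git author, and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a local pre-push approximation of a DCO check.
# Assumption: a commit passes when one Signed-off-by value equals its
# author identity "Name <email>" exactly (the DCO app may compare differently).
# Note: the trailer is plain text added by -s; it is not a -S signature.

# Reads "<sha>\t<author>\t<signoff>\037<signoff>..." records on stdin,
# prints the sha of each commit lacking a matching sign-off,
# and returns 1 if any were printed.
dco_missing() {
    awk -F'\t' '
        $1 == "" { next }
        {
            ok = 0
            n = split($3, signoffs, "\037")
            for (i = 1; i <= n; i++) {
                s = signoffs[i]
                gsub(/^[ \t]+|[ \t]+$/, "", s)
                if (s == $2) ok = 1
            }
            if (!ok) { print $1; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# dco_check_range <base> [<tip>]: check every commit in base..tip.
# Returns 2 if git itself fails (for example, an unknown base).
dco_check_range() {
    fmt='%H%x09%an <%ae>%x09%(trailers:key=Signed-off-by,valueonly,unfold,separator=%x1F)'
    commits=$(git log --format="$fmt" "$1..${2:-HEAD}") || return 2
    printf '%s\n' "$commits" | dco_missing
}

# Constructed sample records (example.com identities are placeholders).
dco_sample() {
    printf 'aaa\tRob Winch <rob@example.com>\tRob Winch <rob@example.com>\n'
    printf 'bbb\tPR Developer <pr@example.com>\t\n'
    printf 'ccc\tPR Developer <pr@example.com>\tCommitter Developer <c@example.com>\037PR Developer <pr@example.com>\n'
}
```

After sourcing the file, `dco_check_range <base-branch>` prints the hashes of commits that would need a sign-off and returns non-zero, so it can gate a pre-push hook.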

What do I do if the DCO check fails?

If the DCO check fails, you can click on the “Details” link next to the failed check which will explain why the check failed and how to fix it. If you forgot to add the Signed-off-by trailer for a single commit, then you can do so by using:

git rebase HEAD~1 --signoff
git push --force-with-lease origin

What if there is more than one author for the commit?

Clause c of the Developer Certificate of Origin allows a commit containing code from multiple origins to include a single Signed-off-by trailer. In this instance, inclusion of the Signed-off-by trailer indicates that the commit author certifies that they have the right to submit the commit under the project’s license.

Can I use GitHub’s Suggest a Change Feature?

You may apply suggested changes on a pull request.

  1. The person suggesting the change should include the Signed-off-by in their comment that suggests the change.
  2. Then, the person applying the change (committing the suggestion) will include their Signed-off-by trailer (compulsory commit signoffs are enabled) when they click the “Sign off and commit suggestion” button which indicates that they agree to the Developer Certificate of Origin.

Can I modify someone else's commit?

Clause b of the Developer Certificate of Origin allows modifying the code, but it can be considered impolite to attribute your changes (bugs) to another person. For that reason, it is considered polite to insert a description with your email and name enclosed in square brackets followed by a Signed-off-by at the end of the commit message. For example:

Signed-off-by: PR Developer <[email protected]>
[[email protected]: apply code conventions]
Signed-off-by: Committer Developer <[email protected]>

Happy Contributing!

We are looking forward to seeing more & simplified contributions from you! If you have any questions, don’t hesitate to reach out to us in our issue trackers.
