[OpenSSF] Use Developer Certificate of Origin (DCO)

[Zeitsperre]

Addressing a Problem?

When it comes to contributions, we currently use the Apache v2.0 software license, which all contributors are expected to have read and agreed to when they push code to the repository. The wording of the license is such that we probably don't need to manage Contributor Licensing Agreements (CLA, which is convenient for us).

There is however an issue that we don't currently ensure that the following information is available on every commit:

• The full name and email of the contributor
• Verification that the contribution is legally permitted

There is broad industry-wide adoption of the Developer Certificate of Origin (DCO), which is an assurance that the contributions/commits are being made with both the information of the contributor and with their informed agreement to the principles of the contributor guidelines and license.

This also helps contributors track ownership of their commits without relying on GitHub's history, if ever we decide to migrate the codebase in the future.

Potential Solution

Adoption is incredibly simple. The contributing documentation needs to add a mention that going forward, users agree to the Developer Certificate of Origin (DCO):
https://developercertificate.org/

Enabling DCO for all commits is very simple to enable

• shell

  $ git config --global format.signoff true

• PyCharm:
  

If we want to enable a check for this:

• Existing App https://github.com/apps/dco
• DIY example using dco-check: https://github.com/WasmEdge/WasmEdge/pull/3451/files

Additional context

https://medium.com/@michaelyuan_88928/a-complete-guide-to-dco-for-open-source-developers-fa063c17d9e7

https://wiki.linuxfoundation.org/dco

Contribution

• I would be willing/able to open a Pull Request to contribute this feature.

Code of Conduct

• I agree to follow this project's Code of Conduct