>>>>> On Sat, 08 Sep 2018, Michael Orlitzky wrote:

> The Gentoo Certificate of origin says,

>> By making a contribution to this project, I certify that:
>>
>> 1 The contribution was created in whole or in part by me...
>>
>> 2 The contribution is based upon previous work that, to the best of
>> my knowledge, is covered...
>>
>> 3 The contribution is a license text (or a file of similar nature)...
>>
>> 4 The contribution was provided directly to me by some other person
>> who certified (1), (2), (3), or (4), and I have not modified it.

> Do we really want to allow (4)s all the way down?

> That issue aside, I have some doubts about the usefulness of asserting
> (4), which to me sounds like the opposite of what is intended: "someone
> gave it to me and he said it was fine" is a weird defense. Especially if
> the name of the person doesn't appear in the sign-off.

If you certify 4., the commit should already carry a Signed-off-by line
with that other person's name. If not, you must certify it with one of
the other clauses (presumably, 2.).

> I realize we might not be able to do much better in the case of e.g.
> patches from outside contributors, but shouldn't we at least record the
> person's name in that case?

Yes, the idea is that either there is a chain of Signed-off-by lines,
or (if not) that the committer has the responsibility that the
contribution is under a free software license. Realistically, I won't
expect our certification chains to have normally more than two S-o-b
lines (like proxied committer and proxy committer).

> If there's ever a dispute, we might need to track the guy down.

We can also see it more positively, the name should be there to give
credit to the right person. :)

> I also realize that (4) was taken directly from the DCO which presumably
> has had actual lawyers look at it, so take this with a grain of salt.

Ulrich