OSDL Implements Contributor Tracking System for Linux

by Timothy Prickett Morgan

With all the nonsense floating around about the origin of the code going into the Linux operating system, Linus Torvalds, the creator of the operating system, and Open Source Development Labs, the nonprofit that now shepherds its development, do not want new enhancements to Linux to be subject to doubt. To that end, OSDL has announced that it supports a new kernel submission process for Linux, suggested by Torvalds and the maintainer of the Linux 2.6 kernel, Andrew Morton.

Under a new scheme called the Developer's Certificate of Origin (DCO), Linux contributors can only contribute code if they state that they have the right to make that contribution of new code or a derivative work of other open source code. By tracking the system of DCOs from here on out, the Linux maintainers will be able to show the interrelations of the source that comprises Linux. If you don't sign a DCO, your code does not go into Linux.

The change may come as something of a shock to Linux contributors, but the reasoning behind it is clear enough. "This process improvement makes Linux even stronger," said Torvalds in a statement on the OSDL site. "We've always had transparency, peer review, pride and personal responsibility behind our open source development method. With the DCO, we're trying to document the process. We want to make it simpler to link submitted code to its contributors. It's like signing your own work."

It is also (although Torvalds did not say it) a means of catching people in a lie if they sign off on work that is not their own. Such a thing would have come in handy in the last year in The SCO Group's lawsuits with IBM, Red Hat, and Novell over Unix intellectual property that SCO claims it owns and has been illegally moved into the Linux operating system. The implication is that IBM did this, perhaps by taking bits of AIX and Dynix/ptx and introducing it into Linux. The word "perhaps" is appropriate, since SCO has yet to fully document the pieces of code that it says were moved into Linux.

Torvalds, in a message to the Linux kernel maintainer list, said that the real intent of the DCO was to document the "chain of trust" that has always characterized Linux in particular and open source software in general. As code comes in and is passed up the developer tree to Torvalds and Morton (with Linxu 2.6), everybody knows who to trust before and after themselves in the tree. But no one knows everyone who contributes to Linux, not even Torvalds.

The DCO obviously does not address past contributions to the Linux kernel. Building such a web of contributions and getting people to sign off on contributions that may be at least a decade old would be a monumental task.

Torvalds and Morton say that they implemented the DCO after getting input from key Linux kernel subsystem contributors and other open source luminaries. The DCO 1.0 document is dirt simple. It reads as follows:

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or

(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

People will simply add this statement to their submissions, as well as the chain leading back from them, with their e-mail after that.

OSDL says that it will provide the personnel and the money to make sure that the DCO process works and that it will audit the submissions to Linux to ensure that they are compliant with the DCO. It will also start an educational campaign to explain the DCO to companies using Linux, as well as to code contributors. But, as always, Linux is more or less relying on honesty being the best policy, since the DCO is not going to actually run code analysis against the vast amount of open- and closed-source programs in the marketplace. However, with the DCO, OSDL will know who added what to Linux and when they did it. If it finds itself in a bind, perhaps sued as part of an intellectual property or copyright lawsuit, for instance, the key contributors to Linux and OSDL itself will have some sort of legal protection, as well as a way to show the courts that it dealt with a potential problem (unauthorized submission of work from other people or companies), even if the allegations by SCO turn out to be true. This move goes a long way toward preventing the next SCO case from happening. Unfortunately, it will not have much of an effect on the SCO and related cases.