You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Part of: #12156
Phase 5 is post-switch governance (begins after Phase 4 #12160). Exception: the DCO setup/enforcement task is pulled forward and tracked as a pre-switch gate item in #12183, so no post-switch Apache-licensed commit lands without inbound sign-off.
Goal
Prevent the need for another relicensing effort. Establish lightweight, automated processes to protect the Apache 2.0 license going forward.
Tasks
Developer Certificate of Origin (DCO) — enforce at or before the switch: Add a DCO check as a required branch-protection status checkbefore merging the Switch Commit, or before accepting any further Apache-licensed contributions. Otherwise post-switch Apache-licensed commits can land without inbound sign-off. (Tracked as a gate item in RFC 86 Pre-Switch Sign-off Gate (blocks Phase 4) #12183.)
Document sign-off flows for: command line, GitHub web edits, squash/rebase merges, and maintainer-applied patches.
Automated license scanning — define the policy, not just the tool: Integrate FOSSA or Snyk into CI, and specify: scopes, allowed/denied licenses, transitive-dependency handling, exception-approval process, the responsible owner, and failure severity.
Per-file SPDX / REUSE metadata + CI validation so mixed-license / vendored / generated files stay auditable over time.
Update CONTRIBUTING.md: Document the DCO requirement and explain how to sign commits (git commit -s).
Update PR template: Add a checklist item reminding contributors about DCO sign-off.
Announce governance changes to the community.
Definition of Done
DCO check is live in CI and blocking merges without sign-off (in place by the Switch Commit, per #12183). License scanning is active with a documented policy. Per-file SPDX/REUSE metadata is validated in CI. CONTRIBUTING.md and PR template are updated.
Phase 5: Future Governance & Sustainability
Part of: #12156
Phase 5 is post-switch governance (begins after Phase 4 #12160). Exception: the DCO setup/enforcement task is pulled forward and tracked as a pre-switch gate item in #12183, so no post-switch Apache-licensed commit lands without inbound sign-off.
Goal
Prevent the need for another relicensing effort. Establish lightweight, automated processes to protect the Apache 2.0 license going forward.
Tasks
git commit -s).Definition of Done
DCO check is live in CI and blocking merges without sign-off (in place by the Switch Commit, per #12183). License scanning is active with a documented policy. Per-file SPDX/REUSE metadata is validated in CI. CONTRIBUTING.md and PR template are updated.