Skip to content

RFC 86 Phase 5: Future Governance (DCO + License Scanning) #12161

Description

@jjgao

Phase 5: Future Governance & Sustainability

Part of: #12156
Phase 5 is post-switch governance (begins after Phase 4 #12160). Exception: the DCO setup/enforcement task is pulled forward and tracked as a pre-switch gate item in #12183, so no post-switch Apache-licensed commit lands without inbound sign-off.

Goal

Prevent the need for another relicensing effort. Establish lightweight, automated processes to protect the Apache 2.0 license going forward.

Tasks

  • Developer Certificate of Origin (DCO) — enforce at or before the switch: Add a DCO check as a required branch-protection status check before merging the Switch Commit, or before accepting any further Apache-licensed contributions. Otherwise post-switch Apache-licensed commits can land without inbound sign-off. (Tracked as a gate item in RFC 86 Pre-Switch Sign-off Gate (blocks Phase 4) #12183.)
    • Recommended tool: DCO GitHub App
    • Document sign-off flows for: command line, GitHub web edits, squash/rebase merges, and maintainer-applied patches.
  • Automated license scanning — define the policy, not just the tool: Integrate FOSSA or Snyk into CI, and specify: scopes, allowed/denied licenses, transitive-dependency handling, exception-approval process, the responsible owner, and failure severity.
  • Per-file SPDX / REUSE metadata + CI validation so mixed-license / vendored / generated files stay auditable over time.
  • Update CONTRIBUTING.md: Document the DCO requirement and explain how to sign commits (git commit -s).
  • Update PR template: Add a checklist item reminding contributors about DCO sign-off.
  • Announce governance changes to the community.

Definition of Done

DCO check is live in CI and blocking merges without sign-off (in place by the Switch Commit, per #12183). License scanning is active with a documented policy. Per-file SPDX/REUSE metadata is validated in CI. CONTRIBUTING.md and PR template are updated.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions