UPDATED: In an effort to respond to recent questions about the authorship and sources of the Linux kernel, Open Source Development Labs (OSDL) said Monday it would support a new contributor documentation step in the Linux kernel submission process.
Called the new Developer’s Certificate of Origin (DCO), the effort tracks contributions and contributors to make sure that contributors are given their due credit for their work. Moreover, contributors will be asked to “sign off” on a submission before it may be considered for inclusion in the kernel.
The current DCO is quite brief. Its full text is available now on the OSDL site. Essentially, the contributor vouches that “the contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file” or is based on previous work that is covered under an appropriate open source license and the contributor has the right under that license to submit that work with modifications.
“It’s partly just an evolution in a 10-year process,” OSDL CEO Stuart Cohen told internetnews.com. “Part of enhancing the process is having an easy to implement solution where the development community could sign, who submitted what code and when they delivered it. It’s part of a maturing process of Linux as Linux goes more mainstream.”
The move comes after The Alexis de Tocqueville Institute recently came out with a research report in which it questioned Linus Torvalds’ authorship of the kernel, which set off a wave of denunciations about the report in the open source community. SCO Group’s ongoing lawsuit against IBM, in which it claims parts of select Linux kernels contained copyrighted Unix code, is still wending its way through the legal system.
In the meantime, Linux supporters such as HP and Novell have offered indemnification policies to customers in order to shield them from any potential litigation or license fees that might arise from the SCO/IBM dispute.
OSDL’s Cohen said the latest kernel controversy had nothing to do with today’s announcement. “Timing is coincidental,” he said. “It’s not because of the SCO lawsuit, it’s not because of that research report. Those are PR exercises. One has nothing to do with the other,” he added.
“Linux has gone mainstream. It’s about a $6 billion dollar market today and it’s supposed to double in less than five years. And there are just things that small, medium large, government and education [sectors] expect. This is something that Linus and the development community are going to do and OSDL is going to take an active role in.”
Torvalds, however, did appear to make a connection between recent events and the move for greater documentation of the kernel development process. In a public post early yesterday, Torvalds began a request for discussion among kernel developers with a very specific reference to SCO.
“Some of you may have heard of this crazy company called SCO … who seem to have a hard time believing that open source works better than their five engineers do,” he wrote. “They’ve apparently made a couple of outlandish claims about where our source code comes from, including claiming to own code that was clearly written by me over a decade ago.
“So, to avoid these kinds of issues ten years from now, I’m suggesting that we put in more of a process to explicitly document not only where a patch comes from (which we do actually already document pretty well in the
changelogs), but the path it came through,” Torvalds wrote.
Officials from SCO were not immediately available to comment.
Stacey Quandt principal of Quandt Analytics, and a former lead analyst with OSDL, said the move is of more significance to companies developing Linux rather than Linus and the kernel maintainers, since there is already an informal Web of trust in place for kernel developers.
“There is a benefit to this but oddly enough Linux is reaching late maturity and this is equivalent to buying a bottle of Bordeaux and assuming the origin of all the grapes, when only the wine maker actually knows where all the grapes came from,” Quandt told internetnews.com.
“Linux is a moving target and while this will placate some CEOs, CIOs and CTOs waiting for the outcome of SCO’s legal claims against IBM, the question is what about all the patches that are already part of the Linux kernel? Is there a process to go through every line of code and document the path from the originator? This announcement is clearly targeted at Linux end users in an attempt to erode any concerns about the development process,” she said.
OSDL’s Cohen said he doesn’t think it’s necessary to go backwards with the DCO. “We’re 100 percent confident that we can go back and determine where every line of code came from and who submitted it,” he added. “But there has been no need to do that work, there has been a level of trust and confidence with the users that that’s not necessary. We’re not going to do that, if we have to do it we will, but right now that is not anybody desire to do that, it’s terribly unproductive work.”
According to Torvalds, the generally acknowledged creator of Linux, the new exercise is all about documenting the process.
“This is not about proving authorship it’s about documenting the process,” Torvalds wrote in a public post. “This does not replace or preclude things like PGP-signed emails, this is _documenting_ how we work, so that we can show people who don’t understand the open source process.”