Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

For the best experience please use the latest Chrome, Safari or Firefox browser.

Who's Afraid of the DCO
Helping Adopt the DCO for your Project

James Bottomley
About Me


Long time Kernel Developer

  • SCSI Subsystem Maintainer
  • PA-RISC architecture Maintainer

Open Source Business Evangelist and Advocate

Agitating on legal issues for a while now


Project Best Practises

Need Licence and a way to contribute

Old Days had Licence + entity + CLA

Equity problem: CLAs usually privilege the intermediate entity

But have to analyse carefully Licence+CLA to see this

Example: OpenStack

corporation can completely subvert the licence

Also need something to record and keep track of signed CLAs

This model is bad (even if you trust the entity)

New Way   Inbound = Outbound

But still can't pick any patch off the street.

Need a Contribution Agreement (CA)

CA doesn't have to be a licence, just an attestation

Solve filing problem by storing CA attestation in source control

Essentially this is what the DCO is

Attestation is
Signed-off-by: J R Dev <>


By making a contribution to this project, I certify that:
  1. The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
  2. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
  3. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
  4. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Must be coupled to strong source control

DCO+Licence is still the entire agreement

Don't create project specific DCOs

avoids proliferation

Plus it's easy to get wrong

The Legal basis of the DCO

Signoff is a personal attestation from Author and Transmitter

But in US, contribution is likely owned by Employer

So how are the rights transferred?

Happens by common law principles of Agency

Good employer

 ⇒ Proper Authorization

 ⇒ Explicit Agency

Everyone Else

 ⇒ Ostensible Agency

Ostensible Agency only Requires:

External expectation of Authority

Employer Awareness

So rights transfer without Explicit Employer Authority

Everyone has been relying on this for years

So now it becomes standard practise

New Problem: Patents

Newer licences have explicit patent grants (GPLv3; Apache-2)

How does the DCO grant patent rights?

Obvious answer: the same way it grants copyrights, via agency

but the lawyers don't like this

Copyright agency is required

Patent agency is not.

And they've pushed back on OpenStack to prove it

Politically, here's why

Corporate Lawyers Guard Intellectual Property

Problem: OpenStack becomes de-facto Practise

Renders DCO unusable for patent encumbering licences

Questions legitimacy of current projects (Docker, Samba)

But they still want to encumber corporate patents

Effectively empowering engineers to decide which patents to encumber

So can we move them to using the DCO for this?

The Patent Pledge

Instead of signing a CLA with each project foundation

could issue a general pledge on patents in open source

Avaliable at


It is our expectation that any DCO signoff from a corporate email address binds that corporation to grant all necessary copyright and, where required, patent rights to satisfy the terms of the licence. Accordingly, we are publishing this pledge to illustrate how, as a matter of best practice, we implement this expectation.

For the purposes of this pledge, our corporate email domain is and its subdomains.


  1. Our corporation trains its Open Source contributors carefully to understand when they may and may not post patches from our corporate email domain and to obtain all necessary internal clearances according to our processes before making such a posting.
  2. When one of our developers posts a patch to a project under an OSI approved licence with a DCO Signed-off-by: from our corporate email domain, we authorise that developer to be our agent in the minimum set of patent and copyright grants that are required to satisfy the terms of the OSI approved licence for the contribution.

Pledge would bind corporate patents for DCO signoffs

Pledge also moves the bar on the DCO

Creates expectation that DCO works for Patent binding licences with corporate signoff

Presented using impress.js by Bartek Szopka

Thank You!