Relaxing the need for copyright assignments

Werner Koch wk at
Thu Apr 12 11:49:04 CEST 2012


Nowadays we have wealth of crypto libraries available.  It is often
easier to contribute to them than to Libgcrypt.  The copyright
assignments required for Libgcrypt turned out to be a major hassle and
thus I plan to relax the rules.

What do you think of this:

  Libgcrypt is currently licensed under the LGPLv2+ with tools and
  the manual being under the GPLv2+.  We may eventually update to a
  newer version of the license or a combination of them.  It is thus
  important, that all contributed code allows for an update of the
  license; thus we can't accept any code under the LGPLv2(only).

  We used to have a strict policy of requiring copyright assignments
  to the FSF.  To avoid this major organizational overhead and to
  allow inclusion of code, not copyrighted by the FSF, this policy has
  been relaxed.  It is now also possible to contribute code by
  asserting that the contribution is in accordance to the "Libgcrypt
  Developer's Certificate of Origin" as found in the file "doc/DCO".
  (Except for a slight wording change, this DCO is identical to the
  one used by the Linux kernel.)

  If your want to contribute code (or documentation) to Libgcrypt and
  you didn't signed a copyright assignment with the FSF in the past,
  you need to take these simple steps:

  - Decide which mail address you want to use.  Please have your real
    name in the address and not a pseudonym.  Anonymous contributions
    can only be done if you find a proxy who certifies for you.

  - If your employer or school might claim ownership of code written
    by you; you need to talk to them to make sure that you have the
    right to contribute under the DCO.

  - Send a mail to the gcrypt-devel at mailing list from that
    mail address.  Include a copy of the DCO as found in the official
    master branch.  Insert your name and email address into the DCO in
    the same way you want to use it later.  For example:

      Signed-off-by: Joe R. Hacker <joe at>

    If you really need it, you may perform simple transformations of
    the mail address: Replacing "@" by " at ", "." by " dot ".

  - That's it.  From now on you only need to add a "Signed-off-by:"
    line with your name and mail address to the commit message.

The DCO is

  Libgcrypt Developer's Certificate of Origin.  Version 1.0
  By making a contribution to the Libgcrypt project, I certify that:
  (a) The contribution was created in whole or in part by me and I
      have the right to submit it under the free software license
      indicated in the file; or
  (b) The contribution is based upon previous work that, to the
      best of my knowledge, is covered under an appropriate free
      software license and I have the right under that license to
      submit that work with modifications, whether created in whole
      or in part by me, under the same free software license
      (unless I am permitted to submit under a different license),
      as indicated in the file; or
  (c) The contribution was provided directly to me by some other
      person who certified (a), (b) or (c) and I have not modified
  (d) I understand and agree that this project and the contribution
      are public and that a record of the contribution (including
      all personal information I submit with it, including my
      sign-off) is maintained indefinitely and may be redistributed
      consistent with this project or the free software license(s)
  Signed-off-by: [Your name and mail address]

I pondered with the idea of requiring OpenPGP signed statements but
rejected it.  They don't gain much unless we want to establish another
complicated procedure to check the trustworthiness of the key.  Even if
we would do so, we will have no way to check the provenience of the
submitted code.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list