CLA vs. DCO: What's the difference?

CLA vs. DCO: What's the difference?

Both show that a contributor is allowed to make a contribution and that the project has the right to distribute it. But which one is better?

CLA vs. DCO: What's the difference?
Image by :

Get the newsletter

Join the 85,000 open source advocates who receive our giveaway alerts and article roundups.

In your open source adventures, you may have heard the acronyms CLA and DCO, and you may have said "LOL WTF BBQ?!?" These letters stand for Contributor License Agreement and Developer Certificate of Origin, respectively. Both have a similar intent: To say that the contributor is allowed to make the contribution and that the project has the right to distribute it under its license. With some significant projects moving from CLAs to DCOs (like Chef in late 2016 and GitLab in late 2017), the matter has received more attention lately.

So what are they? The Contributor License Agreement is the older of the two mechanisms and is often used by projects with large institutional backing (either corporate or nonprofit). Unlike software licenses, CLAs are not standardized. CLAs can vary from project to project. In some cases, they simply assert that you're submitting work that you're authorized to submit, and you permit the project to use it. Other CLAs (for example the Apache Software Foundation's) may grant copyright and/or patent licenses.

The Developer Certificate of Origin was introduced by the Linux Foundation in 2004. Instead of a legal contract that must be submitted to the project, it's a lightweight mechanism to say, "Yes, I have the right to submit this, and I understand that you will use it." Using it merely requires the contributor to sign the git commit. Advocates for this approach cite the lower barrier to entry as the main feature of the DCO. It does not require a contributor to read and understand a lengthier legal document.

Advocates for CLAs say that the presence of a CLA shows that the project is being governed with long-term stability in mind. If nothing else, it implies that it is well-resourced enough to have a lawyer draft the CLA and to have someone responsible for making sure that CLAs are on file for all contributors. CLAs may also give the project the right to relicense the work later. This can be a benefit if the current license is found to be inadequate and you can't contact the hundreds of people who have contributed over the years. Of course, it's also a risk that, at some point in the future, a project would take a direction that the contributors find unacceptable.

So which should you use? As with many questions (licenses, text editors, etc.), the answer is "it depends." If you're a juicy target for litigation and you want some cover, a CLA might be the right approach. If you want to minimize the barriers for contribution while still requiring your contributors to pinky swear that they're submitting their own work, then look at using a DCO. The important thing is to consider the needs of your project and your community, then decide accordingly.


About the author

Ben Cotton - Ben Cotton is a meteorologist by training and a high-performance computing engineer by trade. Ben works as a product marketing manger at Microsoft Azure focused on high performance computing. He is a Fedora user and contributor, co-founded a local open source meetup group, and is a member of the Open Source Initiative and a supporter of Software Freedom Conservancy. Find him on Twitter (@FunnelFiasco) or at... more about Ben Cotton