Open source is, by its nature, an organic, unpredictable, and opportunistic world, which can make managing a wide-reaching open source community at a large company like VMware especially challenging.
GitHub forms the organizational foundation for many companies, both internally and externally. Many companies with their own GitHub organization eventually face a common problem: how to create consistency and ensure a positive experience for all the teams working with GitHub. Manual operations are just too slow, clumsy and error-prone. At VMware, we realized that we needed to automate and streamline many of the back-office operational aspects of our open source efforts.
I’ll reveal some of the challenges we faced, walk you through our journey automating GitHub, and introduce the tools we built to help.
Building a Contributor License Agreement (CLA) Portal
The first problem we tackled when it came to automating our open source management was improving the contributor license agreement (CLA) workflow. The purpose of a CLA is to provide a record that the copyright holder grants the necessary rights to contribute code to be redistributed as part of an open source project. For more details on the purpose of a CLA, see our FAQ here: vmware.com/faq.
The old process involved the developer downloading the CLA in PDF format, reviewing the agreement, printing, signing, scanning and emailing it back to the VMware legal team before contributions could be accepted for the project. You can imagine the frustration this caused our community contributors, along with the possibility of mistakes in this manual workflow.
We set out with the goal that making contributions to a VMware open source project should be as frictionless as possible while still meeting the requirements defined by our legal team.
In 2016, we built and released the internal CLA portal, which enables a workflow for community contributors to review and digitally sign the CLA for our projects on GitHub. When a contributor opens a pull request, they will be prompted to sign the agreement if they have not already. Once signed, the VMware legal team is notified to review the agreement. If approved, the project maintainers have the necessary legal clearance to merge the change. In the rare case the agreement is rejected, the contributor has the ability to re-sign.
When an agreement has been signed and approved, an indication is made within the pull request, and in future pull requests, that the contribution(s) can be accepted right away. The portal also provides an administrator interface used for agreement authoring, project mapping and reviews.
The portal also supports a workflow for the developer certificate of origin (DCO). When this is enabled on a GitHub project, all commits within a pull request are checked for a signature that matches the commit author. The first VMware open source project to use the DCO workflow is Clarity, which is licensed under the MIT license. We are also using the widely accepted Linux Foundation DCO, which can be found here.
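A minimal version of the per-commit check described above, as an added example (not code from the CLA portal). It assumes the DCO signature is the `Signed-off-by: Name <email>` trailer that `git commit -s` appends, and that a match means the same name and the same email ignoring case; the `Commit` class, function names and sample commits are constructed for illustration.

```python
import re
from dataclasses import dataclass

# DCO sign-off trailer as written by `git commit -s`: "Signed-off-by: Name <email>"
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>[^<>]+?)\s*<(?P<email>[^<>\s]+)>\s*$")

@dataclass(frozen=True)
class Commit:
    sha: str            # constructed placeholder ids below, not real hashes
    author_name: str
    author_email: str
    message: str

def signoffs(message: str) -> list[tuple[str, str]]:
    """Return (name, email) pairs from sign-off lines in the last paragraph only,
    so a sign-off merely quoted in the body text is not counted."""
    paragraphs = [p for p in re.split(r"\n[ \t]*\n", message.strip()) if p.strip()]
    if not paragraphs:
        return []
    matches = (SIGNOFF_RE.match(line.strip()) for line in paragraphs[-1].splitlines())
    return [(m["name"], m["email"]) for m in matches if m]

def check_pull_request(commits: list[Commit]) -> dict[str, str]:
    """Map each failing commit to a reason; an empty dict means every commit passes."""
    failures = {}
    for c in commits:
        found = signoffs(c.message)
        if not found:
            failures[c.sha] = "missing Signed-off-by trailer"
        # Assumed matching rule: same name, same email ignoring case.
        elif not any(n == c.author_name and e.lower() == c.author_email.lower()
                     for n, e in found):
            failures[c.sha] = "sign-off does not match commit author"
    return failures

# Constructed sample pull request (names, addresses and ids are made up).
SAMPLE = [
    Commit("c1", "Ada Dev", "ada@example.com", "Fix parser\n\nSigned-off-by: Ada Dev <ada@example.com>"),
    Commit("c2", "Ada Dev", "ada@example.com", "Add tests"),
    Commit("c3", "Ada Dev", "ada@example.com", "Bump deps\n\nSigned-off-by: Bob Ops <bob@example.com>"),
    Commit("c4", "Ada Dev", "ada@example.com",
           "Revert change\n\nSigned-off-by: Ada Dev <ada@example.com>\n\nThe line above was in the reverted commit."),
    Commit("c5", "Ada Dev", "Ada@Example.com", "Docs\n\nSigned-off-by: Ada Dev <ada@example.com>"),
]

if __name__ == "__main__":
    for sha, reason in check_pull_request(SAMPLE).items():
        print(f"{sha}: {reason}")
```

A single failing commit is enough to block the pull request, which is why the function reports per commit rather than returning one boolean.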
Since enabling this open source management workflow, over 150 developers across more than 20 projects have signed our CLA or DCO. We have also released the CLA Portal as open source on GitHub: github.com/vmware/claportal. We did this in the hope that it will help others efficiently navigate the legal hurdles involved in properly accepting contributions from the community.