I.e., if I review and then commit, should I sign off or ack?
Sign off.
I would say ack, but not necessarily sign off.
I guess Segher's point is that committing a patch sent to the mailing list falls under (c) in the DCO, so I should sign off. Is the mailing list really "directly to me"?
Yes. You got the code, you passed it on. You better make sure that you know what you're signing for though -- i.e., you should make reasonably sure that the person who sent you the patch had the right to do so (whether something is sent via a mailing list makes no difference at all btw -- conducting your business in the open doesn't change the business).
So should I actually first ack and then sign off?
Or do we just agree to roll the two into one for LinuxBIOS? That would make whichever one we choose more ambiguous though. :\
Well it would be really weird to sign-off on a patch that you don't agree with, so acked-by is quite redundant if you already signed off on a patch.
Segher