Yeah, 'malicious' was probably the wrong word choice there. What I meant was somebody acting in such a way as to fully take advantage of / exploit the code without regard to the wishes of the owners, which you would ordinarily think of as 'malicious' except that pretty much the whole point of the MIT license is that the owners wish for you to do just that, so it's not ethically wrong in the sense that 'malicious' is.
> Not being required to sign anything.
Is a DCO even legally binding then, if this is the point? Makes it sound very "gentleman's agreement"-ish, in that a contributor who later regrets licensing his contribution could sue the maintainers for copyright infringement for not abiding by a cease and desist to immediately purge the relevant commits from the project, which the maintainers won't be able to do of course because it would leave the project in an unusable state.
You can sell GPLed software too. Allowing commercial use is part of the definition of free software and open source. People sell phones with Android in them; Red Hat sells lots more.
That's… literally not malicious at all (except if the original copyright notice is removed).
> what, exactly, does a DCO give a contributor compared to a CLA?
Not being required to sign anything. CLAs are just annoying, especially when the signing form requires personal information (hi Google).