<div dir="ltr"><div>Hi all,</div><div><br></div><div>On behalf of the SciPy Steering
Council I'm happy to announce that we (the SciPy project) now have signed up to the agreement between
Tidelift and NumFOCUS. The summary of the agreement is:
Tidelift will pay SciPy a minimum of $2500/month until Oct 2020, and SciPy will do the following:</div><div>- provide a documented way to disclose security vulnerabilities, and respond to disclosures in a timely manner</div><div>- deal with any licensing issues in a timely manner</div><div>- write good release notes, and clarify our advice to users on what releases to use</div><div>-
some one-time things like getting our metadata into the Tidelift
system, and acknowledging Tidelift as one of our funders on the website<br></div><div><br></div><div>This blog gives a nice overview: <a href="https://blog.tidelift.com/how-to-start-earning-money-for-your-open-source-project-with-tidelift" target="_blank">https://blog.tidelift.com/how-to-start-earning-money-for-your-open-source-project-with-tidelift</a>.</div><div><br></div><div>Note
that it seems to us that this is a quite modest amount of work that we
will be able to do with volunteer resources. A lot of it we do anyway -
this is a nice feature of Tidelift's business model, in a way they
promise their customers that we will keep doing what we're doing, add
some valuable things like unified dependency reporting around it, and
pass on some of the benefits to the projects (or to individual
maintainers for other projects).</div><div><br></div><div>We haven't
determined what to do with the funds yet, but there's lots of things
that could be done (organize in-person dev meetings, perhaps fund some work on hairy problems that no one seems to
want to solve for free, etc.) - to be determined in the future.</div><div><br></div><div>The Tidelift model was discussed on the numpy-discussion list back in September (<a href="https://mail.python.org/pipermail/numpy-discussion/2018-September/078736.html" target="_blank">https://mail.python.org/pipermail/numpy-discussion/2018-September/078736.html</a>)
but at that point there was no "project wide" solution and the "pay
some individuals" model had some issues. Letting all the funding flow
into the SciPy account at NumFOCUS nicely solves this.</div><div><br></div><div>Some PRs that address licensing and vulnerability disclosure issues will follow shortly.</div><div><br></div><div>Cheers,<br></div><div>Ralf</div><div><br></div></div>