Fair warning: this email contains “informed speculation”, that might be all wrong.

(I still need to check with my employer on whether this affects my involvement with pip/PyPA)

I have one kinda-major concern with how Tidelift tracks and counts dependencies. Unless they’ve changed something in their pipeline recently, basically all of our projects are significantly underreported by their pipelines.

They don’t account for the fact that projects using requirements.txt/setup.py/setup.cfg are using pip/setuptools and pyproject.toml build requirements aren’t considered either (at least, last I checked). Similarly, twine and virtualenv aren’t things folks specify in requirements.txt files usually, but are obviously used by basically every package on PyPI (and with anything that looks like PyPI, like Artifactory).

IIRC a broken pip release had increased the number of folks who pinned pip in requirements.txt, which increased the $$$ amount for pip. Clearly, that’s not the incentive structure design we wanna go for. :)

All this is to say: a _very significant_ portion of PyPA projects’ users are not counted toward those projects by Tidelift. That’s despite the underlying assumptions in most of Tidelift’s dependency tracking tooling (they process requirements.txt files for example). I’m pretty sure whatever numbers they have for PyPA projects right now, would increase significantly if they start accounting for these things.

FWIW, they’ve acknowledged this in public Twitter replies to me but I haven’t followed up on this eagerly because there was no good reason to ask them to do development work so that we would hypothetically have a good enough reason to hop on board. Things might’ve changed on their end, but I doubt that given that the numbers aren’t significantly different.

For context, the same thing happened when GitHub rolled out their used-by metrics as well (their CEO also acknowledged this in public Twitter replies) so it’s not like Tidelift are the only ones who missed this nuance. It’s just that we now have a good reason to care about their number. :)

FWIW, Tidelift’s support is still better than nothing, so I’m not complaining or whatever. That said, it’s definitely worthwhile for us to push them on these things, because PyPA projects joining Tidelift is less of a hypothetical now than it was in the past and this might represent a significant chunk of $$$ for us.


PS: yes, I tried looking but Twitter doesn’t make it easy to find old tweets.

On Wed, 17 Mar 2021 at 23:47, Sviatoslav Sydorenko <webknjaz@redhat.com> wrote:
On Wed, Mar 17, 2021 at 10:09 PM Paul Moore <p.f.moore@gmail.com> wrote:
> Personally, I'd have to understand better what this meant in terms of
> what the pip project might be committing to if we were under tidelift.
> [...]
> being "asked to do stuff" by Tidelift is something I need to consider
> quite carefully.

IIRC the agreement is that you keep maintaining the project as you did
before. They won't demand any features. But they will want you to keep
the metadata up-to-date (like confirming that they parsed the license
properly, publishing the security policy, enabling 2FA for all the
maintainer accounts, and so on).

Warm regards,
Sviatoslav Sydorenko

Software Hacker @ Ansible Core

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

PyPA-Committers mailing list -- pypa-committers@python.org
To unsubscribe send an email to pypa-committers-leave@python.org
Member address: pradyunsg@gmail.com