On Thu, Mar 18, 2021 at 10:07 AM Pradyun Gedam firstname.lastname@example.org wrote:
I have one kinda-major concern with how Tidelift tracks and counts dependencies. Unless they’ve changed something in their pipeline recently, basically all of our projects are significantly underreported by their pipelines.
They don’t account for the fact that projects using requirements.txt/setup.py/setup.cfg are using pip/setuptools and pyproject.toml build requirements aren’t considered either (at least, last I checked). Similarly, twine and virtualenv aren’t things folks specify in requirements.txt files usually, but are obviously used by basically every package on PyPI (and with anything that looks like PyPI, like Artifactory).
IIRC a broken pip release had increased the number of folks who pinned pip in requirements.txt, which increased the $$$ amount for pip. Clearly, that’s not the incentive structure design we wanna go for. :)
All this is to say: a _very significant_ portion of PyPA projects’ users are not counted toward those projects by Tidelift. That’s despite the underlying assumptions in most of Tidelift’s dependency tracking tooling (they process requirements.txt files for example). I’m pretty sure whatever numbers they have for PyPA projects right now, would increase significantly if they start accounting for these things.
Yep, the projection is not $50 anymore: https://tidelift.com/lifter/package/pypi/pip/.
Although, I must add that the "dependents on GitHub" numbers aren't directly taken into account. They account their direct customers' requirements only AFAIK (and maybe the transitive deps of those).
For context, the same thing happened when GitHub rolled out their used-by metrics as well (their CEO also acknowledged this in public Twitter replies) so it’s not like Tidelift are the only ones who missed this nuance. It’s just that we now have a good reason to care about their number. :)
[...] it’s definitely worthwhile for us to push them on these things, because PyPA projects joining Tidelift is less of a hypothetical now than it was in the past and this might represent a significant chunk of $$$ for us.
Agreed. It's a good idea to negotiate with them fixing their tooling before we hop on this train. I think we may be in a good position to inspire the change.
FWIW, they’ve acknowledged this in public Twitter replies to me but I haven’t followed up on this eagerly because there was no good reason to ask them to do development work so that we would hypothetically have a good enough reason to hop on board. [...] PS: yes, I tried looking but Twitter doesn’t make it easy to find old tweets.
Here you go https://twitter.com/katzj/status/1216842962895802373.