On Thu, 18 Mar 2021, 09:41 Sviatoslav Sydorenko, email@example.com wrote:
On Thu, Mar 18, 2021 at 10:07 AM Pradyun Gedam firstname.lastname@example.org wrote:
I have one kinda-major concern with how Tidelift tracks and counts dependencies. Unless they’ve changed something in their pipeline recently, basically all of our projects are significantly underreported by their pipelines.
They don’t account for the fact that projects using requirements.txt/setup.py/setup.cfg are using pip/setuptools and pyproject.toml build requirements aren’t considered either (at least, last I checked). Similarly, twine and virtualenv aren’t things folks specify in requirements.txt files usually, but are obviously used by basically every package on PyPI (and with anything that looks like PyPI, like Artifactory).
IIRC a broken pip release had increased the number of folks who pinned pip in requirements.txt, which increased the $$$ amount for pip. Clearly, that’s not the incentive structure design we wanna go for. :)
All this is to say: a _very significant_ portion of PyPA projects’ users are not counted toward those projects by Tidelift. That’s despite the underlying assumptions in most of Tidelift’s dependency tracking tooling (they process requirements.txt files, for example). I’m pretty sure whatever numbers they have for PyPA projects right now would increase significantly if they start accounting for these things.
Yep, the projection is not $50 anymore: https://tidelift.com/lifter/package/pypi/pip/.
I'm pretty sure it was at 50 USD quite a while back. pip 20.0 is the broken release I'm talking about here. And even at ~500 USD, it's also nowhere close to what other reasonably major projects in the ecosystem have.
Although, I must add that the "dependents on GitHub" numbers aren't directly taken into account. They account their direct customers' requirements only AFAIK (and maybe the transitive deps of those).
Yea, IIUC, it's only for the businesses that have subscribed and the transitive dependencies of their codebase.
Tidelift's model is kinda perfect for us, as long as they count our users (which happens to be basically everyone in the Python ecosystem 😅).
For context, the same thing happened when GitHub rolled out their used-by metrics as well (their CEO also acknowledged this in public Twitter replies) so it’s not like Tidelift are the only ones who missed this nuance. It’s just that we now have a good reason to care about their number. :)
[...] it’s definitely worthwhile for us to push them on these things, because PyPA projects joining Tidelift is less of a hypothetical now than it was in the past and this might represent a significant chunk of $$$ for us.
Agreed. It's a good idea to negotiate with them fixing their tooling before we hop on this train. I think we may be in a good position to inspire the change.
FWIW, they’ve acknowledged this in public Twitter replies to me but I haven’t followed up on this eagerly because there was no good reason to ask them to do development work so that we would hypothetically have a good enough reason to hop on board. [...] PS: yes, I tried looking but Twitter doesn’t make it easy to find old
Here you go https://twitter.com/katzj/status/1216842962895802373.
For anyone wondering what the $$$ numbers look like for some of the major projects in the ecosystem, this thread is a worthwhile read.
--
Warm regards,
Sviatoslav Sydorenko
Software Hacker @ Ansible Core
https://useplaintext.email/
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments