On Thu, 18 Mar 2021, 09:41 Sviatoslav Sydorenko, <webknjaz@redhat.com> wrote:
> On Thu, Mar 18, 2021 at 10:07 AM Pradyun Gedam <pradyunsg@gmail.com> wrote:
> > I have one kinda-major concern with how Tidelift tracks and counts
> > dependencies. Unless they’ve changed something in their pipeline
> > recently, basically all of our projects are significantly underreported
> > by their pipelines.
> >
> > They don’t account for the fact that projects using
> > requirements.txt/setup.py/setup.cfg are using pip/setuptools and
> > pyproject.toml build requirements aren’t considered either (at least,
> > last I checked). Similarly, twine and virtualenv aren’t things folks
> > specify in requirements.txt files usually, but are obviously used by
> > basically every package on PyPI (and with anything that looks like
> > PyPI, like Artifactory).
> >
> > IIRC a broken pip release had increased the number of folks who
> > pinned pip in requirements.txt, which increased the $$$ amount for
> > pip. Clearly, that’s not the incentive structure design we wanna go
> > for. :)
> >
> > All this is to say: a _very significant_ portion of PyPA projects’ users
> > are not counted toward those projects by Tidelift. That’s despite the
> > underlying assumptions in most of Tidelift’s dependency tracking
> > tooling (they process requirements.txt files for example). I’m pretty
> > sure whatever numbers they have for PyPA projects right now, would
> > increase significantly if they start accounting for these things.
>
> Yep, the projection is not $50 anymore:
> https://tidelift.com/lifter/package/pypi/pip/.

I'm pretty sure it was at 50 USD quite a while back. pip 20.0 is the broken release I'm talking about here. And even at ~500 USD, it's also nowhere close to what other reasonably major projects in the ecosystem have.

> Although, I must add that the "dependents on GitHub" numbers aren't
> directly taken into account. They account their direct customers'
> requirements only AFAIK (and maybe the transitive deps of those).

Yea, IIUC, it's only for the businesses that have subscribed and the transitive dependencies of their codebase.

Tidelift's model is kinda perfect for us, as long as they count our users (which happens to be basically everyone in the Python ecosystem 😅).

> > For context, the same thing happened when GitHub rolled out their used-by metrics as well (their CEO also acknowledged this in public Twitter replies) so it’s not like Tidelift are the only ones who missed this nuance. It’s just that we now have a good reason to care about their number. :)
> >
> > [...] it’s definitely worthwhile for us to push them on these things,
> > because PyPA projects joining Tidelift is less of a hypothetical now
> > than it was in the past and this might represent a significant chunk
> > of $$$ for us.
>
> Agreed. It's a good idea to negotiate with them fixing their tooling before
> we hop on this train. I think we may be in a good position to inspire the
> change.
>
> > FWIW, they’ve acknowledged this in public Twitter replies to me but I
> > haven’t followed up on this eagerly because there was no good
> > reason to ask them to do development work so that we would
> > hypothetically have a good enough reason to hop on board.
> > [...]
> > PS: yes, I tried looking but Twitter doesn’t make it easy to find old tweets.
>
> Here you go https://twitter.com/katzj/status/1216842962895802373.

Thanks! <3

For anyone wondering what the $$$ numbers look like for some of the major projects in the ecosystem, this thread is a worthwhile read.

> --
> Warm regards,
> Sviatoslav Sydorenko
>
> Software Hacker @ Ansible Core
>
> ---
> https://useplaintext.email/
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
> ---