[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Mon Dec 7 20:51:39 CET 2009

Noah Kantrowitz wrote:
>> VanL wrote:
>>> Doug Hellmann wrote:
>>>> We have to grant the PSF the rights to distribute the files if we're
>>>> uploading them to be hosted on PyPI.  Does the new wording imply
>> that
>>>> we're licensing the use of that code under those terms, or just
>>>> granting distribution rights the file containing the code?  It feels
>>>> like the latter, but I don't know how the word "perform" is
>>>> interpreted in this context.
>>> Doug is essentially right here. By this agreement, the PSF gets the
>>> particular rights to:
>>> - reproduce: We can copy it (in memory, or in preparation to send a
>> copy)
>>> - distribute: We can cause other people to receive it.
>>> - transmit: We can send it out on a signal.
>>> - display: We can show the content to other people.
>>> - perform: A term of art for showing some sorts of works (think
>>> audio-visual or theater works)
>>> - publish: We can offer and provide copies to other people.
>>> ... including in digital form: And do all that stuff using computer
>>> representations of whatever you upload.
>>> You will find that all of these are very closely related, if not
>>> synonyms. Basically, we can receive your work, copy it, and provide
>> it
>>> to other people in a variety of ways. This does not give the PSF the
>>> right to relicense your work, nor to create derivative works -- just
>> to
>>> pass it on to anybody who happens to wander by the PyPI web page.
>> Right, but why does the clause also give this permission
>> to "all other users of the web site" and why does the license
>> need to be "irrevocable" ?
> PyPI has user-run mirrors, some internal and some public.

Those are likely only a handful of users who'd need the
added permissions and it doesn't explain the need for
an irrevocable license.

If you replace "all other users of the web site" with "users
granted permission by the PSF to use the PyPI data", the mirror
requirement would be dealt with in a way that doesn't require
giving redistribution rights to the general public.

The "irrevocable" appears to be unnecessary, since developers
can already revoke the permission by simply deleting the uploaded

Note that the two paragraphs were added after I asked the board
on their views of having crypto code on PyPI.

The conclusion was that pypi.python.org would only be seen as
platform for distribution, without the PSF actually redistributing
the uploaded code and the uploader would be the one to determine
whether it's ok to upload the code or not. That's a convenient
understanding for the PSF, since it doesn't have to control
the uploaded code.

However, the current wording makes it look a lot like the PSF is
in fact regarding itself as a redistributor of the PyPI hosted
code, so the PSF would have to follow export regulations of the
Netherlands (where the servers are hosted) w/r to redistribution
and reexport of crypto code. This again, is not really convenient
for the PSF, since export rules are complicated.

IMHO, it would be better to clearly state that PyPI is only
providing a hosting service for the uploaded files, with the
uploading user controlling the content and only imposing some
limits of what can be uploaded rather than creating
a licensing relationship between the uploader and the PSF,
ie. the PSF provides the web space, the user the content -
thereby avoiding all these issues.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Dec 07 2009)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Catalog-SIG mailing list