[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement
van at python.org
Mon Dec 7 21:12:51 CET 2009
M.-A. Lemburg wrote:
> Those are likely only a handful of users who'd need the
> added permissions and it doesn't explain the need for
> an irrevocable license.
The irrevocability is there to protect the PSF. It is so that no one can
claim later that they got mad at the PSF and revoked the PSF's ability
to redistribute something that they previously uploaded.
> If you replace "all other users of the web site" with "users
> granted permission by the PSF to use the PyPI data", the mirror
> requirement would be dealt with in a way that doesn't require
> giving redistribution rights to the general public.
This also makes it easier for people to pass along PyPI packages to
their friends. As I have explained before, this doesn't give anybody the
right to relicense the content. What is provided to the PSF (and those
who get the package from the PSF) is the right to pass on to others
exactly what was received.
> The "irrevocable" appears to be unnecessary, since developers
> can already revoke the permission by simply deleting the uploaded
You are thinking like an engineer, not like a lawyer. It doesn't have to
make sense, it just is.
> Note that the two paragraphs were added after I asked the board
> on their views of having crypto code on PyPI.
> The conclusion was that pypi.python.org would only be seen as
> platform for distribution, without the PSF actually redistributing
> the uploaded code and the uploader would be the one to determine
> whether it's ok to upload the code or not. That's a convenient
> understanding for the PSF, since it doesn't have to control
> the uploaded code.
Not quite right. From the point of view of the United States, export
takes place when US-sourced code is uploaded to the server in the
Netherlands. This is done by the person uploading, so that is the person
that we require to have previously complied with any export
restrictions. You are incorrect about your assertion that the PSF does
not redistribute the code. It does.
> However, the current wording makes it look a lot like the PSF is
> in fact regarding itself as a redistributor of the PyPI hosted
> code, so the PSF would have to follow export regulations of the
> Netherlands (where the servers are hosted) w/r to redistribution
> and reexport of crypto code. This again, is not really convenient
> for the PSF, since export rules are complicated.
See above. I have rendered no opinion on Netherlands export laws, as I
am not qualified to do so. The question asked of me was with regard to
possible PSF complications relative to PyPI and crypto code. As the PSF
is a United States corporation, the advice was rendered relative to US law.
> IMHO, it would be better to clearly state that PyPI is only
> providing a hosting service for the uploaded files, with the
> uploading user controlling the content and only imposing some
> limits of what can be uploaded rather than creating
> a licensing relationship between the uploader and the PSF,
> ie. the PSF provides the web space, the user the content -
> thereby avoiding all these issues.
This is incorrect on several counts. The PSF is not a licensor under the
PyPI text, and therefore the text does not create a licensing
relationship between the PSF and anyone else. Besides, your proposed
solution would not solve the problem.
More information about the Catalog-SIG