[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

VanL van at python.org
Mon Dec 7 21:12:51 CET 2009

M.-A. Lemburg wrote:
> Those are likely only a handful of users who'd need the
> added permissions and it doesn't explain the need for
> an irrevocable license.
The irrevocability is there to protect the PSF. It is so that no one can 
claim later that they got mad at the PSF and revoked the PSF's ability 
to redistribute something that they previously uploaded.

> If you replace "all other users of the web site" with "users
> granted permission by the PSF to use the PyPI data", the mirror
> requirement would be dealt with in a way that doesn't require
> giving redistribution rights to the general public.
This also makes it easier for people to pass along PyPI packages to 
their friends. As I have explained before, this doesn't give anybody the 
right to relicense the content. What is provided to the PSF (and those 
who get the package from the PSF) is the right to pass on to others 
exactly what was received.

> The "irrevocable" appears to be unnecessary, since developers
> can already revoke the permission by simply deleting the uploaded
> files.
You are thinking like an engineer, not like a lawyer. It doesn't have to 
make sense, it just is.

> Note that the two paragraphs were added after I asked the board
> on their views of having crypto code on PyPI.
> The conclusion was that pypi.python.org would only be seen as
> platform for distribution, without the PSF actually redistributing
> the uploaded code and the uploader would be the one to determine
> whether it's ok to upload the code or not. That's a convenient
> understanding for the PSF, since it doesn't have to control
> the uploaded code.
Not quite right. From the point of view of the United States, export 
takes place when US-sourced code is uploaded to the server in the 
Netherlands. This is done by the person uploading, so that is the person 
that we require to have previously complied with any export 
restrictions. You are incorrect about your assertion that the PSF does 
not redistribute the code. It does.

> However, the current wording makes it look a lot like the PSF is
> in fact regarding itself as a redistributor of the PyPI hosted
> code, so the PSF would have to follow export regulations of the
> Netherlands (where the servers are hosted) w/r to redistribution
> and reexport of crypto code. This again, is not really convenient
> for the PSF, since export rules are complicated.
See above. I have rendered no opinion on Netherlands export laws, as I 
am not qualified to do so. The question asked of me was with regard to 
possible PSF complications relative to PyPI and crypto code. As the PSF 
is a United States corporation, the advice was rendered relative to US law.

> IMHO, it would be better to clearly state that PyPI is only
> providing a hosting service for the uploaded files, with the
> uploading user controlling the content and only imposing some
> limits of what can be uploaded rather than creating
> a licensing relationship between the uploader and the PSF,
> ie. the PSF provides the web space, the user the content -
> thereby avoiding all these issues.
This is incorrect on several counts. The PSF is not a licensor under the 
PyPI text, and therefore the text does not create a licensing 
relationship between the PSF and anyone else. Besides, your proposed 
solution would not solve the problem.



