[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Fri Dec 11 01:45:10 CET 2009


Terry Reedy wrote:
> M.-A. Lemburg wrote:
>> Steve Holden, Chairman, PSF wrote:
>>> Adding a Google-like clause might make us seem less Draconian.
>>
>> Here's a proposal for a less controversial text based on the Google
>> terms:
> 
> I like the third part better.

Thanks.

>> """
>> PyPI is a service provided by the PSF. In order to be able to
>> distribute the content you upload to PyPI to web site users, the
>> PSF asks you to agree to and affirmatively acknowledge the following:
>>
>> 1. Content is restricted to Python packages and related information only.
>>
>> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
>>
>> 3. The PSF is granted an irrevocable, worldwide, royalty-free,
>> nonexclusive license to reproduce, distribute, transmit, display,
>> perform, and publish the content, including in digital form. This
>> licence is for the sole purpose of enabling the PSF to display,
>> distribute and promote the content on PyPI.
>>
>> 4. I represent and warrant that I have complied with all government
>> regulations concerning the transfer or export of any content I upload
>> to the PyPI servers in The Netherlands. In particular, if I am subject
>> to United States law, I represent and warrant that I have obtained the
>> proper governmental authorization for the export of the content I
>> upload. I further affirm that any content I provide is not intended
>> for use by a government end-user as defined in part 772 of the United
>> States Export Administration Regulations.
>> """
> 
> The fourth section might scare people off without further explanation
> somewhere, as it could be taken to imply that people have to get a US
> gov permit to upload, which almost no one has done. If this is only
> about crypto software, it should say so. I do not understand the last
> sentence at all as open-source licenses do not usually exclude specific
> users. I cannot affirm something that is complete gobble talk to me.

The clause has three parts:

 a) "I represent and warrant that I have complied with all government
regulations concerning the transfer or export of any content I upload
to the PyPI servers in The Netherlands."

This part is written in a general way and is needed to
cover export regulations which may be imposed by the country
of the uploader when uploading (exporting) applications to
a server in The Netherlands.

For many countries these export regulations are variants
of the things laid out in the Wassenaar Arrangement which
covers crypto code, but also other software technologies
that may be considered dual-use:

http://www.wassenaar.org/
in particular:
http://www.wassenaar.org/controllists/2009/WA-LIST%20%2809%29%201/WA-LIST%20%2809%29%201.pdf

Most software will fall under the "GENERAL SOFTWARE NOTE"
(with some special rules for crypto software), but countries
may still implement additional rules such as the ones currently
imposed by the US (you have to send them an email with the link
to the download location - see
http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html).

Since the exact regulations depend on the country from where
the code is uploaded, the clause can't be more specific.

I added the location of the servers to the original clause to
make the export nature of the upload more specific.

 b) "In particular, if I am subject to United States law, I represent
and warrant that I have obtained the proper governmental authorization
for the export of the content I upload."

This part only applies to US uploaders.

Note that the US regulations have a subtle detail: they apply to
all US-origin content. E.g. if you export some dual-use system software
written in the US from Germany to Cuba, the US can put you on their
embargo list.

 c) "I further affirm that any content I provide is not intended for use
by a government end-user as defined in part 772 of the United States
Export Administration Regulations."

This part applies to all uploaders. The restriction appears to be
a super-set of the embargo restrictions for various individuals -
most of those are government end-users.

I find that clause too broad as well, since it prevents government
users in general from using PyPI packages.

Furthermore, the embargo lists also include companies and, of course,
whole countries, which this clause does not cover. See e.g.
EU: http://ec.europa.eu/external_relations/cfsp/sanctions/docs/measures_en.pdf
US: http://www.bis.doc.gov/news/2009/2009-fpr.pdf
(note how e.g. Cuba is on the US list, but not on the EU list)

I'm not sure why the clause is needed. Perhaps Van could clarify
this.

IMHO, part a) already covers everything that is needed w/r to
export restrictions.

All this with the usual IANAL disclaimer. I've read a lot on these
things when we started shipping a pyOpenSSL distribution. Some of the
things I found are listed above.

-- 
Marc-Andre Lemburg
eGenix.com
