[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

Steve Holden steve at holdenweb.com
Tue Jan 19 05:21:58 CET 2010


None that I am aware of, but Martin is the one who's been making changes
most recently. I don't think there's been any input from Van on this
yet, but I've been busy and may have forgotten or missed something.

regards
 Steve

M.-A. Lemburg wrote:
> Hi Steve,
> 
> Has there been any progress on this?
> 
> M.-A. Lemburg wrote:
>> Steve Holden, Chairman, PSF wrote:
>>> Adding a Google-like clause might make us seem less Draconian.
>> Here's a proposal for a less controversial text based on the Google
>> terms:
>>
>> """
>> PyPI is a service provided by the PSF. In order to be able to distribute the content you upload to
>> PyPI to web site users, the PSF asks you to agree to and affirmatively acknowledge the following:
>>
>> 1. Content is restricted to Python packages and related information only.
>>
>> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
>>
>> 3. The PSF is granted an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce,
>> distribute, transmit, display, perform, and publish the content, including in digital form. This
>> licence is for the sole purpose of enabling the PSF to display, distribute and promote the content
>> on PyPI.
>>
>> 4. I represent and warrant that I have complied with all government regulations concerning the
>> transfer or export of any content I upload to the PyPI servers in The Netherlands. In particular, if
>> I am subject to United States law, I represent and warrant that I have obtained the proper
>> governmental authorization for the export of the content I upload. I further affirm that any content
>> I provide is not intended for use by a government end-user as defined in part 772 of the United
>> States Export Administration Regulations.
>> """
>>
>> The general terms on the python.org legal page would have to be
>> changed in the same way.
> 
> I've attached a message explaining some of the reasons for part 4.
> 
> Thanks,
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Re: [Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement
> From:
> "M.-A. Lemburg" <mal at egenix.com>
> Date:
> Fri, 11 Dec 2009 01:45:10 +0100
> To:
> Terry Reedy <tjreedy at udel.edu>
> CC:
> catalog-sig at python.org, VanL <van at python.org>
> 
> 
> Terry Reedy wrote:
>> M.-A. Lemburg wrote:
>>> Steve Holden, Chairman, PSF wrote:
>>>> Adding a Google-like clause might make us seem less Draconian.
>>> Here's a proposal for a less controversial text based on the Google
>>> terms:
>> I like the third part better.
> 
> Thanks.
> 
>>> """
>>> PyPI is a service provided by the PSF. In order to be able to
>>> distribute the content you upload to
>>> PyPI to web site users, the PSF asks you to agree to and affirmatively
>>> acknowledge the following:
>>>
>>> 1. Content is restricted to Python packages and related information only.
>>>
>>> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
>>>
>>> 3. The PSF is granted an irrevocable, worldwide, royalty-free,
>>> nonexclusive license to reproduce,
>>> distribute, transmit, display, perform, and publish the content,
>>> including in digital form. This
>>> licence is for the sole purpose of enabling the PSF to display,
>>> distribute and promote the content
>>> on PyPI.
>>>
>>> 4. I represent and warrant that I have complied with all government
>>> regulations concerning the
>>> transfer or export of any content I upload to the PyPI servers in The
>>> Netherlands. In particular, if
>>> I am subject to United States law, I represent and warrant that I have
>>> obtained the proper
>>> governmental authorization for the export of the content I upload. I
>>> further affirm that any content
>>> I provide is not intended for use by a government end-user as defined
>>> in part 772 of the United
>>> States Export Administration Regulations.
>>> """
>> The fourth section might scare people off without further explanation
>> somewhere, as it could be taken to imply that people have to get a US
>> gov permit to upload, which almost no one has done. If this is only
>> about crypto software, it should say so. I do not understand the last
>> sentence at all as open-source licenses do not usually exclude specific
>> users. I cannot affirm something that is complete gobble talk to me.
> 
> The clause has three parts:
> 
>  a) "I represent and warrant that I have complied with all government regulations concerning the
> transfer or export of any content I upload to the PyPI servers in The Netherlands."
> 
> This part is written in a general way and is needed to
> cover export regulations which may be imposed by the country
> of the uploader when uploading (exporting) applications to
> a server in The Netherlands.
> 
> For many countries these export regulations are variants
> of the things laid out in the Wassenaar Arrangement which
> covers crypto code, but also other software technologies
> that may be considered dual-use:
> 
> http://www.wassenaar.org/
> in particular:
> http://www.wassenaar.org/controllists/2009/WA-LIST%20%2809%29%201/WA-LIST%20%2809%29%201.pdf
> 
> Most software will fall under the "GENERAL SOFTWARE NOTE"
> (with some special rules for crypto software), but countries
> may still implement additional rules such as the ones currently
> imposed by the US (you have to send them an email with the link
> to the download location - see
> http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html).
> 
> Since the exact regulations depend on the country from where
> the code is uploaded, the clause can't be more specific.
> 
> I added the location of the servers to the original clause to
> make the export nature of the upload more specific.
> 
>  b) "In particular, if I am subject to United States law, I represent and warrant that I have
> obtained the proper governmental authorization for the export of the content I upload."
> 
> This part only applies to US uploaders.
> 
> Note that the US regulations have a subtle detail: they apply to
> all US-origin content. E.g. if you export some dual-use system software
> written in the US from Germany to Cuba, the US can put you on their
> embargo list.
> 
>  c)  "I further affirm that any content I provide is not intended for use by a government end-user
> as defined in part 772 of the United States Export Administration Regulations."
> 
> This part applies to all uploaders. The restriction appears to be
> a super-set of the embargo restrictions for various individuals -
> most of those are government end-users.
> 
> I find that clause too broad as well, since it prevents government
> users in general from using PyPI packages.
> 
> Furthermore, the embargo lists also include companies and, of course,
> whole countries, which this clause does not cover. See e.g.
> EU: http://ec.europa.eu/external_relations/cfsp/sanctions/docs/measures_en.pdf
> US: http://www.bis.doc.gov/news/2009/2009-fpr.pdf
> (note how e.g. Cuba is on the US list, but not on the EU list)
> 
> I'm not sure why the clause is needed. Perhaps Van could clarify
> this.
> 
> IMHO, part a) already covers everything that is needed w/r to
> export restrictions.
> 
> All this with the usual IANAL disclaimer. I've read a lot on these
> things when we started shipping a pyOpenSSL distribution. Some of the
> things I found are listed above.
> 


-- 
Steve Holden           +1 571 484 6266   +1 800 494 3119
PyCon is coming! Atlanta, Feb 2010  http://us.pycon.org/
Holden Web LLC                 http://www.holdenweb.com/
UPCOMING EVENTS:        http://holdenweb.eventbrite.com/

