[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Wed Jan 20 10:45:36 CET 2010


Steve Holden wrote:
> None that I am aware of, but Martin is the one who's been making changes
> most recently. I don't think there's been any input from Van on this
> yet, but I've been busy and may have forgotten or missed something.

Thanks.

As far as I can tell, the text on the PyPI registration page hasn't
changed since we last discussed the problem.

Since there is currently discussion going on about setting up
PyPI mirrors that are not maintained by the PSF, I think that
we need to do something about the licensing terms soonish, esp.
since most package authors who have uploaded things to PyPI
will not be aware of any changes to the terms and conditions of
using PyPI.

Any such change will have to be made more visible on the site
and the Python announcement list than is currently done (you only
see the text if you click on "register" on PyPI - which, of course,
already registered users are unlikely to do on a regular basis :-).

Regards,
-- 
Marc-Andre Lemburg
eGenix.com



> regards
>  Steve
> 
> M.-A. Lemburg wrote:
>> Hi Steve,
>>
>> has there been any progress on this ?
>>
>> M.-A. Lemburg wrote:
>>> Steve Holden, Chairman, PSF wrote:
>>>> Adding a Google-like clause might make us seem less Draconian.
>>> Here's a proposal for a less controversial text based on the Google
>>> terms:
>>>
>>> """
>>> PyPI is a service provided by the PSF. In order to be able to distribute the content you upload to
>>> PyPI to web site users, the PSF asks you to agree to and affirmatively acknowledge the following:
>>>
>>> 1. Content is restricted to Python packages and related information only.
>>>
>>> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
>>>
>>> 3. The PSF is granted an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce,
>>> distribute, transmit, display, perform, and publish the content, including in digital form. This
>>> licence is for the sole purpose of enabling the PSF to display, distribute and promote the content
>>> on PyPI.
>>>
>>> 4. I represent and warrant that I have complied with all government regulations concerning the
>>> transfer or export of any content I upload to the PyPI servers in The Netherlands. In particular, if
>>> I am subject to United States law, I represent and warrant that I have obtained the proper
>>> governmental authorization for the export of the content I upload. I further affirm that any content
>>> I provide is not intended for use by a government end-user as defined in part 772 of the United
>>> States Export Administration Regulations.
>>> """
>>>
>>> The general terms on the python.org legal page would have to be
>>> changed in the same way.
>>
>> I've attached a message explaining some of the reasons for part 4.
>>
>> Thanks,
>>
>>
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Re: [Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement
>> From:
>> "M.-A. Lemburg" <mal at egenix.com>
>> Date:
>> Fri, 11 Dec 2009 01:45:10 +0100
>> To:
>> Terry Reedy <tjreedy at udel.edu>
>> CC:
>> catalog-sig at python.org, VanL <van at python.org>
>>
>>
>> Terry Reedy wrote:
>>> M.-A. Lemburg wrote:
>>>> Steve Holden, Chairman, PSF wrote:
>>>>> Adding a Google-like clause might make us seem less Draconian.
>>>> Here's a proposal for a less controversial text based on the Google
>>>> terms:
>>> I like the third part better.
>>
>> Thanks.
>>
>>>> """
>>>> PyPI is a service provided by the PSF. In order to be able to
>>>> distribute the content you upload to
>>>> PyPI to web site users, the PSF asks you to agree to and affirmatively
>>>> acknowledge the following:
>>>>
>>>> 1. Content is restricted to Python packages and related information only.
>>>>
>>>> 2. Any content uploaded to PyPI is provided on a non-confidential basis.
>>>>
>>>> 3. The PSF is granted an irrevocable, worldwide, royalty-free,
>>>> nonexclusive license to reproduce,
>>>> distribute, transmit, display, perform, and publish the content,
>>>> including in digital form. This
>>>> licence is for the sole purpose of enabling the PSF to display,
>>>> distribute and promote the content
>>>> on PyPI.
>>>>
>>>> 4. I represent and warrant that I have complied with all government
>>>> regulations concerning the
>>>> transfer or export of any content I upload to the PyPI servers in The
>>>> Netherlands. In particular, if
>>>> I am subject to United States law, I represent and warrant that I have
>>>> obtained the proper
>>>> governmental authorization for the export of the content I upload. I
>>>> further affirm that any content
>>>> I provide is not intended for use by a government end-user as defined
>>>> in part 772 of the United
>>>> States Export Administration Regulations.
>>>> """
>>> The fourth section might scare people off without further explanation
>>> somewhere, as it could be taken to imply that people have to get a US
>>> gov permit to upload, which almost no one has done. If this is only
>>> about crypto software, it should say so. I do not understand the last
>>> sentence at all as open-source licenses do not usually exclude specific
>>> users. I cannot affirm something that is complete gobble talk to me.
>>
>> The clause has three parts:
>>
>>  a) "I represent and warrant that I have complied with all government regulations concerning the
>> transfer or export of any content I upload to the PyPI servers in The Netherlands."
>>
>> This part is written in a general way and is needed to
>> cover export regulations which may be imposed by the country
>> of the uploader when uploading (exporting) applications to
>> a server in The Netherlands.
>>
>> For many countries these export regulations are variants
>> of the things laid out in the Wassenaar Arrangement which
>> covers crypto code, but also other software technologies
>> that may be considered dual-use:
>>
>> http://www.wassenaar.org/
>> in particular:
>> http://www.wassenaar.org/controllists/2009/WA-LIST%20%2809%29%201/WA-LIST%20%2809%29%201.pdf
>>
>> Most software will fall under the "GENERAL SOFTWARE NOTE"
>> (with some special rules for crypto software), but countries
>> may still implement additional rules such as the ones currently
>> imposed by the US (you have to send them an email with the link
>> to the download location - see
>> http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html).
>>
>> Since the exact regulations depend on the country from where
>> the code is uploaded, the clause can't be more specific.
>>
>> I added the location of the servers to the original clause to
>> make the export nature of the upload more specific.
>>
>>  b) "In particular, if I am subject to United States law, I represent and warrant that I have
>> obtained the proper governmental authorization for the export of the content I upload."
>>
>> This part only applies to US uploaders.
>>
>> Note that the US regulations have a subtle detail: they apply to
>> all US-origin content. E.g. if you export some dual-use system software
>> written in the US from Germany to Cuba, the US can put you on their
>> embargo list.
>>
>>  c)  "I further affirm that any content I provide is not intended for use by a government end-user
>> as defined in part 772 of the United States Export Administration Regulations."
>>
>> This part applies to all uploaders. The restriction appears to be
>> a super-set of the embargo restrictions for various individuals -
>> most of those are government end-users.
>>
>> I find that clause too broad as well, since it prevents government
>> users in general from using PyPI packages.
>>
>> Furthermore, the embargo lists also include companies and, of course,
>> whole countries, which this clause does not cover. See e.g.
>> EU: http://ec.europa.eu/external_relations/cfsp/sanctions/docs/measures_en.pdf
>> US: http://www.bis.doc.gov/news/2009/2009-fpr.pdf
>> (note how e.g. Cuba is on the US list, but not on the EU list)
>>
>> I'm not sure why the clause is needed. Perhaps Van could clarify
>> this.
>>
>> IMHO, part a) already covers everything that is needed w/r to
>> export restrictions.
>>
>> All this with the usual IANAL disclaimer. I've read a lot on these
>> things when we started shipping a pyOpenSSL distribution. Some of the
>> things I found are listed above.
>>
> 
> 


