[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Mon Jan 25 16:57:35 CET 2010

VanL wrote:
> On 1/23/2010 7:46 AM, M.-A. Lemburg wrote:
>> That's a tricky one: That extra sentence "I further affirm..."
>> introduces a restriction that goes beyond what US developers
>> normally have to follow. And the way it is written, it also
>> applies to developers not affected by US law.
>> However, that restriction basically says that PyPI package
>> may never be intended for use by government end-users, which
>> IMHO goes way too far - we have quite a few government users...
>> I'd just drop that extra limitation, since the first sentence
>> already covers all restrictions that a government may have
>> imposed on such uploads.
> There are specific restrictions that mandate the additional language
> about foreign government end-users. Sorry :) 

Here's the complete definition of "government end-user" as defined
in part 772 of the United States Export Administration Regulations
(taken from http://www.access.gpo.gov/bis/ear/txt/772.txt):

"Government end-user" (as applied to encryption
items). A government end-user is any foreign
central, regional or local government department,
agency, or other entity performing governmental
functions; including governmental research
institutions,  governmental corporations or their
separate business units (as defined in part 772 of
the EAR) which are engaged in the manufacture
or distribution of items or services controlled on
the Wassenaar Munitions List, and international
governmental organizations.  This term does not
include: utilities (including telecommunications
companies and Internet service providers); banks
and financial institutions; transportation;
broadcast or entertainment; educational
organizations; civil health and medical
organizations; retail or wholesale firms; and
manufacturing or industrial entities not engaged in
the manufacture or distribution of items or
services controlled on the Wassenaar Munitions

AFAICT, the above term is only used for crypto items, not any
code in general.

However, the current form of the PyPI terms clause 4 applies
to any code that could be used by e.g. parts of the military
of some foreign country (with foreign meaning non-US, I suppose).

PyPI packages will usually not have any extra use restrictions
for the above "government end-users", so requesting from a package
author to "affirm that any content I provide is not intended for
use by a government end-user" basically requires that:

a) the author adds a special restriction to the content (even if
   the code doesn't contain any crypto items), or

b) doesn't upload the content.

OTOH, by removing that extra sentence, only the first sentence of clause
4 applies, which does allow such uploads for non-crypto code and
only mandates the restrictions related to foreign government
end-users as defined by the US EAR (with all its complex rules).

If we then add new PyPI user terms which disallow use of PyPI
in ways that are prohibited by the US EAR and whatever is
mandated by The Netherlands, we'd create a much cleaner situation
for everyone.

> Also see MvL for the thought that went into the current wording. As I
> have stated before, the wording doesn't grant the PSF the authority to
> relicense or make derivative works of the content. Rather, it allows the
> PSF (and mirrors, and people who use PyPI) to reproduce exactly the
> content that was uploaded to PyPI.

Giving the PSF those redistribution right is not the problem.

It's giving all web site users those same redistribution rights
that's causing trouble.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Jan 25 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Catalog-SIG mailing list