[Catalog-sig] Flag to tell pip to only install uploaded files

Tres Seaver tseaver at palladion.com
Fri Jul 6 16:19:54 CEST 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/05/2012 10:49 PM, Terry Reedy wrote:
> On 7/5/2012 6:48 PM, Donald Stufft wrote:
>> On Thursday, July 5, 2012 at 6:38 PM, Terry Reedy wrote:
>>> Last I knew, uploading a file required licensing it to the PSF. On
>>> the other hand, I can find no mention of that on 
>>> http://pypi.python.org/pypi?%3Aaction=submit_form 
>>> http://wiki.python.org/moin/CheeseShopTutorial nor a link to the
>>> license anywhere. So I don't know what the current situation is.
>>> 
>> http://www.python.org/about/legal/
>> 
>> IANAL but I think it pretty much it just says the things you upload
>> to the site, the site is allowed to let others download it and you
>> don't get to charge the PSF for it.
> 
> That is pretty much what the first version says. The current version
> is much more expansive and seems to deny any license restrictions.
> 
> "The Python Software Foundation ... has no obligation of any kind with
>  respect to such third party content."
> 
> not even to respect its license?
> 
> ... "The PSF is free to use or disseminate such content on an 
> unrestricted basis for any purpose,"
> 
> The purpose of any license to to restrict use or dissemination.y would
> do so is

FWIW, the purpose of a copyright license is to *allow* copying which
would otherwise be prohibited by copyright.

> "and third party content providers grant the PSF and all other users
> of the web site an irrevocable, worldwide, royalty-free, nonexclusive
>  license to reproduce, distribute, transmit, display, perform, and 
> publish such content, including in digital form."
> 
> That says to me that the PSF *and* its users are pretty much free of
> any license restrictions on uploaded software, which negates the
> point of having a license.

Assuming your reading is correct, it implies that software uploaded to
PyPI itself is licensed *separately* under those terms, just as MySQL is
/ was available under both the terms of the GPL *and* a commercial
license (for those who didn't wish to abide by the GPL's terms).  Only
the copyright holder can offer such a dual license, of course.

> For instance, without a declaration otherwise from the FSF, I would
> not think it legal to upload a derivative of a GPL-licenced work

Note that the FSF's opinion is not more weighty than the author's here,
should the issue come to court:  the controlling intent would be that of
the author of the GPL'ed package from which the uploaded-to-PyPI
distribution derived.  E.g., assume that Sally releases a GPL'ed
distribution, 'foo-0.1.tar.gz', but does *not* upload to PyPI.  If Beth
creates another distribution, 'bar-0.1.zip', derived from
'foo-0.1.zip'[1], and uploads it to PyPI, then users of PyPI would have
additional permissions w.r.t. 'bar-0.1.zip', but *only to the extent that
Beth has the right under copyright law to grant them*.

[1] The example presumes that 'bar-0.1.zip' is determined under law to be
a derived work of Sally's 'foo-0.1.tar.gz'.  Whether uses which merely
import from modules in 'foo' (rather than copying) make 'bar-0.1.zip' a
derived work of 'foo-0.1.tar.gz' is a question which courts would have to
decide (the issue can reasonably be argued both ways).

That '/about/legal' language is likely drafted to cover non-software
content as well.  Perhaps it needs a clarification that uploaded software
distributions remain licensed to the site's users under the terms of any
license included in the distribution, and that permission to disstribute
it freely from PyPI is granted to the PSF as a separate license.


Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/29AUACgkQ+gerLs4ltQ5w+QCfU0M6q5RDmErvNd9ZY1fIq1EJ
3poAnjmLtapWGz7Tj7G18kqy1RCFRBwr
=12p6
-----END PGP SIGNATURE-----

More information about the Catalog-SIG mailing list