[Python-legal-sig] PyPI terms (moved here from the catalog-sig)

Jesse Noller jnoller at gmail.com
Fri Mar 1 15:18:11 CET 2013


On Friday, March 1, 2013 at 8:42 AM, M.-A. Lemburg wrote:
> I've wanted to have this discussion for a long time, so here goes
> (this is long...):
> 
> There's an issue with the terms we use on the Python website and
> in particular the PyPI site. The issue is related to the license
> we ask users uploading content to the site to sign up to.
> 
> I'm focusing here specifically on the PyPI side of things, where
> package authors want to upload package distribution files to the
> PyPI hosts.
> 
> The terms we currently have are overly broad, in fact much broader
> than needed for providing and maintaining the PyPI service.
> 
> There may be other areas where we need such broad terms, e.g.
> comments on blog posts, postings to mailing lists (which are
> archived and displayed on the website) or content in the wiki,
> but those can be subject of a different discussion.
> 
> These are the current terms (taken from http://www.python.org/about/legal/):
> 
> """
> Third-Party Content
> 
> The Python Software Foundation (PSF) does not claim ownership of
> any third-party code or content (third party content) placed on
> the web site and has no obligation of any kind with respect to
> such third party content. Any third party content provided in
> connection with this web site is provided on a non-confidential
> basis. The PSF is free to use or disseminate such content on an
> unrestricted basis for any purpose, and third party content
> providers grant the PSF and all other users of the web site an
> irrevocable, worldwide, royalty-free, nonexclusive license to
> reproduce, distribute, transmit, display, perform, and publish
> such content, including in digital form.
> 
> Third party content providers represent and warrant that they
> have obtained the proper governmental authorizations for the
> export and reexport of any software or other content contributed
> to this web site by the third-party content provider, and further
> affirm that any United States-sourced cryptographic software is
> not intended for use by a foreign government end-user.
> 
> Individuals and organizations are advised that the PyPI website
> is hosted in the US, with mirrors in several countries outside
> the US (see http://www.pypi-mirrors.org/). Any uploads of
> packages must comply with United States export controls under the
> Export Administration Regulations.
> """
> 
> Let's look at this sentence by sentence:
> 
> > The Python Software Foundation (PSF) does not claim ownership of
> > any third-party code or content (third party content) placed on
> > the web site and has no obligation of any kind with respect to
> > such third party content. Any third party content provided in
> > connection with this web site is provided on a non-confidential
> > basis.
> 
> This part is obviously necessary and makes it clear that the PSF
> is not claiming ownership (we'd be foolish to take ownership
> without review, anyway).
> 
> > The PSF is free to use or disseminate such content on an
> > unrestricted basis for any purpose, and third party content
> > providers grant the PSF and all other users of the web site an
> > irrevocable, worldwide, royalty-free, nonexclusive license to
> > reproduce, distribute, transmit, display, perform, and publish
> > such content, including in digital form.
> 
> This part would be mostly fine as well, except for an important
> detail:
> 
> "...the PSF and all other users of the web site..."
> 
> The small addition "and all other users of the web site" implies
> a license agreement between the content providers and all other
> users of the web site.
> 
> I'm sure that most package authors wouldn't have a problem
> with granting the PSF the above license rights, but do have
> a problem with extending those same rights irrevocably to
> all users of the web site.
> 
> By agreeing to the above term, the authors are giving up
> control of the distribution of their distribution files
> completely.
> 
> Note that the above does not include a use license and it
> just refers to the distribution files, not their content,
> so that does not override the terms of the licenses which
> control the distribution file contents - this appears to be
> a misunderstanding that has sometimes cropped up on
> the catalog-sig.
> 
> Now, I can see where the terms originated. They were added
> when I requested the addition of the export rule clauses
> further below in 2011.
> 
> At the time, there was a big discussion about a PyPI mirror
> framework and the above terms make it easily possible for any
> user of the website to set up such a mirror, so I guess
> that motivated the addition of "all other users of the web site".
> 
> However, the number of public PyPI mirrors is small and may
> get even smaller once we have a CDN setup to feed distribution
> files directly to all users of our website, so it's easy
> to narrow down those "other users of the web site" that
> would actually need such distribution rights.
> 
> I'd suggest to do what many other hosting sites do: make the
> terms only apply to the provided service and only include
> those parts which are absolutely necessary to be able to
> provide the service:
> 
> * restrict the redistribution rights to just the PSF and
> allow the PSF to sublicense these rights to public PyPI mirror
> providers (which also gives the PSF more control over who
> is allowed to host such mirrors)
> 
Ubuntu does this with the PPA agreement - the only way they allow UGC uploads - notice, however, that they restrict what licenses users can use:

https://help.launchpad.net/PPATermsofUse

See also:

http://fedoraproject.org/wiki/Infrastructure/Mirroring

Also:

http://help.rubygems.org/discussions/problems/411-rubygemsorg-toseula
https://raw.github.com/isaacs/npm/master/LICENSE
https://code.google.com/projecthosting/terms.html
https://help.github.com/articles/github-terms-of-service

Specifically on the last one:

"We claim no intellectual property rights over the material you provide to the Service. Your profile and materials uploaded remain yours. However, by setting your pages to be viewed publicly, you agree to allow others to view your Content. By setting your repositories to be viewed publicly, you agree to allow others to view and fork your repositories."

In short: making it available means people can take it.

> 
> * only allow the redistribution rights for the purpose
> of providing the PyPI service
> 
> * allow users of the website to maintain non-public mirrors
> of the PyPI service
> 
> Next, I don't see a need for the license between the PSF and the
> content provider to be irrevocable, but perhaps there's some
> IP law requirement for this. I don't think anyone would have
> an issue with giving the PSF irrevocable rights to the above
> rights.
> 
> However, I also don't think the license should be irrevocable between
> the content provider and all other users of the web site.
> Simply because a content provider may actually need to revoke
> those rights due to e.g. trademark, patent, copyright issues,
> or conflicts with restrictions such as export restrictions, or
> conflicts with local laws in certain countries, or for non-legal
> issues such as preventing users from losing data or to resolve a
> naming issue.
> 
> The PSF would always play nice with content providers, but
> it is not at all clear that all other web site users would.
> 
> Now, on to the next clauses:
> 
> > Third party content providers represent and warrant that they
> > have obtained the proper governmental authorizations for the
> > export and reexport of any software or other content contributed
> > to this web site by the third-party content provider, and further
> > affirm that any United States-sourced cryptographic software is
> > not intended for use by a foreign government end-user.
> > 
> > Individuals and organizations are advised that the PyPI website
> > is hosted in the US, with mirrors in several countries outside
> > the US (see http://www.pypi-mirrors.org/). Any uploads of
> > packages must comply with United States export controls under the
> > Export Administration Regulations.
> 
> These are export rules the PSF has to implement as a US organization,
> so there's nothing much we can do about this.
> 
> The part "affirm that any United States-sourced cryptographic software is
> not intended for use by a foreign government end-user" goes a bit
> too far as well, AFAIR, since the EAR only applies to certain government
> end-users. Then again, keeping up with the constant changes in
> export regulation is probably not what we want to spend our time on
> as PSF.
> 
> -- 
> Marc-Andre Lemburg
> eGenix.com (http://eGenix.com)
> 




