[SciPy-Dev] Tidelift agreement for SciPy
ralf.gommers at gmail.com
Wed May 29 06:20:26 EDT 2019
On behalf of the SciPy Steering Council I'm happy to announce that we (the
SciPy project) now have signed up to the agreement between Tidelift and
NumFOCUS. The summary of the agreement is: Tidelift will pay SciPy a
minimum of $2500/month until Oct 2020, and SciPy will do the following:
- provide a documented way to disclose security vulnerabilities, and
respond to disclosures in a timely manner
- deal with any licensing issues in a timely manner
- write good release notes, and clarify our advice to users on what
releases to use
- some one-time things like getting our metadata into the Tidelift system,
and acknowledging Tidelift as one of our funders on the website
This blog gives a nice overview:
Note that it seems to us that this is a quite modest amount of work that we
will be able to do with volunteer resources. A lot of it we do anyway -
this is a nice feature of Tidelift's business model, in a way they promise
their customers that we will keep doing what we're doing, add some valuable
things like unified dependency reporting around it, and pass on some of the
benefits to the projects (or to individual maintainers for other projects).
We haven't determined what to do with the funds yet, but there's lots of
things that could be done (organize in-person dev meetings, perhaps fund
some work on hairy problems that no one seems to want to solve for free,
etc.) - to be determined in the future.
The Tidelift model was discussed on the numpy-discussion list back in
but at that point there was no "project wide" solution and the "pay some
individuals" model had some issues. Letting all the funding flow into the
SciPy account at NumFOCUS nicely solves this.
Some PRs that address licensing and vulnerability disclosure issues will