The Python Software Foundation, responsible for overseeing the development of the Python programming language, has declined a $1.5 million grant offered by the US National Science Foundation as part of the “Safety, Security and Privacy of Open Source Ecosystems” program. The grant application was submitted in January and, after a thorough review and approval process, was approved for funding. The grant would have provided $1.5 million over a period of two years, a significant sum considering the Python Software Foundation’s annual budget of approximately $5 million and its 14 staff members.
The reason behind the refusal of the grant stems from the conditions that would have had to be accepted upon receiving the funds. The grant stipulated that participants could not engage in activities promoting or supporting the principles of diversity, equity, and inclusion (DEI) or any other discriminatory ideology that conflicts with US federal anti-discrimination laws. This condition not only applied to the work directly funded by the grant but extended to all activities of the recipient organization.
This condition posed financial risks as the National Science Foundation reserved the right to reclaim any funds already disbursed if the terms of the grant were violated. Furthermore, this requirement contradicted the Python Project’s mission, which upholds diversity, equity, and inclusion as fundamental values. In the eyes of the Python Software Foundation representatives, accepting the terms while refusing to endorse DEI would constitute a betrayal of the community and its stated mission.
The funds that were earmarked for the grant were intended to be utilized for the development of new tools aimed at automating the review process for packages uploaded to the PyPI (Python Package Index). Rather than the existing “reactive” approach of checking packages after they are already available in the catalog, the foundation planned to implement a “proactive” scheme where screening would take place before packages were released to users. The tools would employ functionality analysis to identify potential malicious packages based on typical elements of known malware. These tools were envisioned to extend beyond PyPI protection and could potentially be adapted for use with other open source project repositories such as NPM and Crates.io.
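To make the "proactive" screening idea concrete, here is an added example (not the foundation's code, and not a description of any tool it planned) of a static pre-publication check over a package's `setup.py`. It parses the install script with Python's `ast` module and flags patterns that typical install-time malware exhibits: decode-then-`exec` obfuscation, shell commands, network modules imported into the install script, and a `cmdclass` override that runs custom code on `pip install`. The heuristic labels, the severity split in `decide`, and both sample scripts are assumptions constructed for this example.

```python
"""Static heuristic screen for a Python package install script (added example).

The rule set below is an illustrative assumption for this example; a real
pre-publication gate would pair such rules with reviewer feedback and
allow-listing, since legitimate packages also use cmdclass and subprocess.
"""
import ast

# Heuristic tables (assumed for this example): dotted call names and module roots.
DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"base64.b64decode", "codecs.decode", "bytes.fromhex"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "ftplib"}
HIGH_SEVERITY = {"exec-of-decoded-payload", "shell-command-at-install",
                 "network-module-in-install-script"}


def dotted_name(node):
    """Return 'pkg.attr.func' for a Name/Attribute chain, or '' if not static."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def imported_roots(tree):
    """Top-level module names imported anywhere in the script."""
    roots = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            roots.add(node.module.split(".")[0])
    return roots


def screen_install_script(source):
    """Return a sorted list of finding labels for one setup.py source string."""
    tree = ast.parse(source)
    findings = set()
    if imported_roots(tree) & NETWORK_MODULES:
        findings.add("network-module-in-install-script")
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in DYNAMIC_EXEC:
            # exec/eval whose argument subtree contains a decoder call is the
            # classic "decode then run" shape of install-time droppers
            inner = {dotted_name(c.func) for c in ast.walk(node)
                     if isinstance(c, ast.Call)}
            if inner & DECODERS:
                findings.add("exec-of-decoded-payload")
            else:
                findings.add("dynamic-code-execution")
        elif name in SHELL_CALLS:
            findings.add("shell-command-at-install")
        elif name == "setup":
            # a cmdclass override executes package-supplied code during install
            if any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.add("custom-install-command")
    return sorted(findings)


def decide(findings):
    """Gate decision: hold for human review on any high-severity finding."""
    return "hold" if set(findings) & HIGH_SEVERITY else "allow"


# Constructed sample inputs for this example (not real packages).
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo", version="1.0", packages=find_packages())
'''

SUSPICIOUS_SETUP = '''
import base64, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed placeholder: the literal decodes to the text "constructed"
        exec(base64.b64decode("Y29uc3RydWN0ZWQ="))

setup(name="demo", version="1.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        found = screen_install_script(src)
        print(label, decide(found), found)
```

The screen is deliberately conservative in what it automates: it never executes the package, and its output is a hold/allow decision plus labelled findings, so a reviewer can see why an upload was held before it reaches users, which is the difference from reacting after a package is already in the index.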