The company Anthropic, which promotes the Claude family of large language models, has awarded the Python Software Foundation (PSF) a grant of $1.5 million. The funds will be disbursed gradually over two years and are intended to finance work to improve CPython and to strengthen protection against supply-chain attacks carried out through dependencies in the PyPI package repository (Python Package Index).
The allocated funds are planned to be used to develop new tools for automated review of packages uploaded to PyPI. Instead of the current “reactive” scheme, in which a package is checked after it is already available in the catalog, the intention is to implement a “proactive” scheme, in which checking is performed before the package becomes available to users. To identify malicious packages, the tools will use functionality analysis that takes into account typical elements of known malware. The developed tools can be used not only in PyPI but also in other open repositories.
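The proactive scheme described above, as an added illustration that is not code from the PSF, PyPI or the planned tool: a small pre-publication gate that parses a package's setup.py and refuses publication when install-time code contains elements typical of known malicious uploads (dynamic code execution, decoding of embedded payloads, process spawning or network access during installation). The list of flagged calls, the package names and both sample setup.py texts are constructed for this example and are assumptions, not anything from the article.

```python
"""Pre-publication package gate (added illustration, not PSF/PyPI code).

Assumption (hypothetical): the gate receives the source text of a package's
setup.py before the package is admitted to the index, and rejects it when
install-time code shows patterns characteristic of known malicious uploads.
"""
import ast
from dataclasses import dataclass, field

# Call targets that are rarely legitimate inside setup.py at install time.
# Constructed heuristic list for this example; a real scanner would be broader.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile",
    "base64.b64decode", "base64.b85decode",
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "os.system", "os.popen",
    "urllib.request.urlopen", "socket.socket",
}


@dataclass
class Verdict:
    """Result of checking one package: empty findings means it may be published."""
    package: str
    findings: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.findings


def _call_name(node: ast.Call) -> str:
    """Render the dotted name of a call target, e.g. 'subprocess.Popen'."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if not isinstance(target, ast.Name):
        return ""  # call on an expression we cannot name statically
    parts.append(target.id)
    return ".".join(reversed(parts))


def check_setup_source(package: str, source: str) -> Verdict:
    """Statically inspect setup.py; nothing in the source is ever executed."""
    verdict = Verdict(package)
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable install code is itself a reason not to admit the package.
        verdict.findings.append(f"setup.py does not parse: {exc.msg}")
        return verdict
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                verdict.findings.append(
                    f"line {node.lineno}: install-time call to {name}()"
                )
    return verdict


def gate_upload(package: str, setup_source: str) -> bool:
    """Proactive gate: True only if the package may be published."""
    return check_setup_source(package, setup_source).allowed


# Constructed sample inputs for the example (not real packages).
BENIGN_SETUP = """
from setuptools import setup, find_packages
setup(name="example-lib", version="1.0.0", packages=find_packages())
"""

SUSPICIOUS_SETUP = """
import base64
from setuptools import setup
exec(base64.b64decode("PAYLOAD_PLACEHOLDER"))  # decoded blob run at install time
setup(name="example-lib", version="1.0.1")
"""

if __name__ == "__main__":
    for pkg, src in (("example-lib-1.0.0", BENIGN_SETUP),
                     ("example-lib-1.0.1", SUSPICIOUS_SETUP)):
        v = check_setup_source(pkg, src)
        print(pkg, "ALLOWED" if v.allowed else "REJECTED", v.findings)
```

The check is deliberately static: the gate reasons about what the install step would do without running it, which is what makes a pre-publication (proactive) check safe to apply to every upload, whereas the reactive model only learns about such behaviour after users have already installed the package.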
Previously, a grant from the US National Science Foundation had been approved for implementing this plan, but the Python Software Foundation declined it because its conditions were inconsistent with the mission of the Python project and carried financial risk (funds already transferred could be reclaimed if the conditions were violated).
Part of the funds is also planned to be spent on financing the core work of the Python Software Foundation, maintaining the PyPI infrastructure, the Developers in Residence initiative (financial support for CPython developers), and grants to community representatives.