Comment by bbor
2 days ago
For anyone who isn’t aware/remembering, this is certainly made with the security of PyPI in mind, Python’s main package repository.
NPM is the other major source of issues (congrats for now, `cargo`!), and TIL that NPM is A) a for-profit startup (??) and B) acquired by Microsoft (????). In that light, this gift seems even more important, as it may help ensure that relative funding differences going forward don’t make PyPI an outsized target!
(Also makes me wonder if they still have a Microsoft employee running the PSF… always thought that was odd.)
AFAIU the actual PSF development team is pretty small and focused on CPython (aka language internals), so I’m curious how $750,000/year changes that in the short term…
EDIT: there’s a link below with a ton more info. This gift augments existing gifts from Amazon, Google, Microsoft, and Citi, and they soft-commit to a cause:
> Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review. We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis.
> (Also makes me wonder if they still have a Microsoft employee running the PSF… always thought that was odd.)
You might be confusing the Python Steering Council - responsible for leadership of Python language development - with the PSF non-profit there.
The PSF is led by a full-time executive director who has no other affiliation, plus an elected board of unpaid volunteer directors (I'm one of them).
Microsoft employees occasionally get voted into the board, but there is a rule to make sure a single company doesn't have more than 2 representatives on the board at any one time.
The board also elects a chair/president - previously that was Dawn Wages who worked at Microsoft for part of that time (until March 2025 - Dawn was chair up to October), today it's Jannis Leidel from Anaconda.
Meanwhile the Python steering council is entirely separate from the PSF leadership, with their own election mechanism voted on by Python core contributors. They have five members, none of whom currently work for Microsoft (but there have been Microsoft employees in the past.)
Wow, I didn't know you got a spot on the board, that's a great choice on their part! Thanks for giving your time.
Yes, I was talking about Wages -- the day-to-day is surely complex, but I'm sure you'd agree that the president of the board is ultimately "above" the chief executive if push ever came to shove, at least on paper. I will grant that I used "running", which is quite unclear in hindsight! "Responsible for" or "leading" seems more accurate.
She seemed great as policymaker and person, but when I last checked her job was literally to be Microsoft's Python community liaison, and that just struck me as... dangerous? On the nose? Giving the reins to someone from a for-profit, $1.5B corporation whose entire business depends directly upon the PSF's work also seems like an odd choice. Again, I'm sure they're great as an individual, and during normal operations there's no competing interests so it's fine. It's just...
I guess I just have a vision for the non-profit org guiding the world's most popular programming language that doesn't really mesh with the reality of open source funding as it exists today, at the end of the day; the "no 2 representatives from the same company" rule seems like a comforting sign that they(/y'all!) share that general philosophy despite the circumstances.
We board members voted to put Dawn in that position.
The position doesn't have much additional power at all - the chair spends a little more time with the executive director and gets to set the agenda for the board meetings, but board actions still require a vote from the board.
If we felt like an employee of a specific company was abusing their position on the PSF board we would take steps to address that. Thankfully I've seen no evidence of that from anyone during my time on the board.
If anything it's the opposite: board members are very good about abstaining from votes that their employer might have an interest in.
> I'm sure you'd agree that the president of the board is ultimately "above" the chief executive if push ever came to shove, at least on paper.
That is not true of the PSF, nor of many (most?) other US nonprofits. Not on paper, and not practically speaking. The director reports to the board, but officers have little to no unitary power. You can go read the PSF’s bylaws if you like, and if you do you’ll see that officers, including the president, can do very little without a board vote. And because of aforementioned policy, that’s a max of two votes from people employed by a single company.
Also, like, do you know anything about Dawn? She’s been serving the Python community waaaay longer than she’s worked for Microsoft. Questioning her ethics based on absolutely nothing is unfounded and, honestly, pretty fucked up.
There’s this pernicious lie that Microsoft is somehow controlling the PSF. It’s based on about as much evidence as there is for Flat Earth, yet here it is again. At best, repeating this lie reflects profound ignorance about how the PSF actually functions; at worst it seems like some kind of weird disinfo campaign against one of the most important nonprofits in open source.
Microsoft was serious about supporting Python as far back as 2006, because IronPython was a real effort in Redmond. (I'm wondering how they think of it now.)