[Python-legal-sig] PyPI terms (moved here from the catalog-sig)

M.-A. Lemburg mal at egenix.com
Fri Mar 1 14:42:22 CET 2013


I've wanted to have this discussion for a long time, so here goes
(this is long...):

There's an issue with the terms we use on the Python website and
in particular the PyPI site. The issue is related to the license
we ask users uploading content to the site to sign up to.

I'm focusing here specifically on the PyPI side of things, where
package authors want to upload package distribution files to the
PyPI hosts.

The terms we currently have are overly broad, in fact much broader
than needed for providing and maintaining the PyPI service.

There may be other areas where we need such broad terms, e.g.
comments on blog posts, postings to mailing lists (which are
archived and displayed on the website) or content in the wiki,
but those can be subject of a different discussion.

These are the current terms (taken from http://www.python.org/about/legal/):

"""
Third-Party Content

The Python Software Foundation (PSF) does not claim ownership of
any third-party code or content (third party content) placed on
the web site and has no obligation of any kind with respect to
such third party content. Any third party content provided in
connection with this web site is provided on a non-confidential
basis. The PSF is free to use or disseminate such content on an
unrestricted basis for any purpose, and third party content
providers grant the PSF and all other users of the web site an
irrevocable, worldwide, royalty-free, nonexclusive license to
reproduce, distribute, transmit, display, perform, and publish
such content, including in digital form.

Third party content providers represent and warrant that they
have obtained the proper governmental authorizations for the
export and reexport of any software or other content contributed
to this web site by the third-party content provider, and further
affirm that any United States-sourced cryptographic software is
not intended for use by a foreign government end-user.

Individuals and organizations are advised that the PyPI website
is hosted in the US, with mirrors in several countries outside
the US (see http://www.pypi-mirrors.org/). Any uploads of
packages must comply with United States export controls under the
Export Administration Regulations.
"""

Let's look at this sentence by sentence:

> The Python Software Foundation (PSF) does not claim ownership of
> any third-party code or content (third party content) placed on
> the web site and has no obligation of any kind with respect to
> such third party content. Any third party content provided in
> connection with this web site is provided on a non-confidential
> basis.

This part is obviously necessary and makes it clear that the PSF
is not claiming ownership (we'd be foolish to take ownership
without review, anyway).

> The PSF is free to use or disseminate such content on an
> unrestricted basis for any purpose, and third party content
> providers grant the PSF and all other users of the web site an
> irrevocable, worldwide, royalty-free, nonexclusive license to
> reproduce, distribute, transmit, display, perform, and publish
> such content, including in digital form.

This part would be mostly fine as well, except for an important
detail:

"...the PSF and all other users of the web site..."

The small addition "and all other users of the web site" implies
a license agreement between the content providers and all other
users of the web site.

I'm sure that most package authors wouldn't have a problem
with granting the PSF the above license rights, but do have
a problem with extending those same rights irrevocably to
all users of the web site.

By agreeing to the above term, the authors are giving up
control of the distribution of their distribution files
completely.

Note that the above does not include a use license and it
just refers to the distribution files, not their content,
so that does not override the terms of the licenses which
control the distribution file contents - this appears to be
a misunderstanding that has sometimes cropped up on
the catalog-sig.

Now, I can see where the terms originated. They were added
when I requested the addition of the export rule clauses
further below in 2011.

At the time, there was a big discussion about a PyPI mirror
framework and the above terms make it easily possible for any
user of the website to set up such a mirror, so I guess
that motivated the addition of "all other users of the web site".

However, the number of public PyPI mirrors is small and may
get even smaller once we have a CDN setup to feed distribution
files directly to all users of our website, so it's easy
to narrow down those "other users of the web site" that
would actually need such distribution rights.

I'd suggest to do what many other hosting sites do: make the
terms only apply to the provided service and only include
those parts which are absolutely necessary to be able to
provide the service:

* restrict the redistribution rights to just the PSF and
  allow the PSF to sublicense these rights to public PyPI mirror
  providers (which also gives the PSF more control over who
  is allowed to host such mirrors)

* only allow the redistribution rights for the purpose
  of providing the PyPI service

* allow users of the website to maintain non-public mirrors
  of the PyPI service

Next, I don't see a need for the license between the PSF and the
content provider to be irrevocable, but perhaps there's some
IP law requirement for this. I don't think anyone would have
an issue with giving the PSF irrevocable rights to the above
rights.

However, I also don't think the license should be irrevocable between
the content provider and all other users of the web site,
simply because a content provider may actually need to revoke
those rights due to e.g. trademark, patent or copyright issues,
or conflicts with restrictions such as export restrictions, or
conflicts with local laws in certain countries, or for non-legal
issues such as preventing users from losing data or to resolve a
naming issue.

The PSF would always play nice with content providers, but
it is not at all clear that all other web site users would.

Now, on to the next clauses:

> Third party content providers represent and warrant that they
> have obtained the proper governmental authorizations for the
> export and reexport of any software or other content contributed
> to this web site by the third-party content provider, and further
> affirm that any United States-sourced cryptographic software is
> not intended for use by a foreign government end-user.
> 
> Individuals and organizations are advised that the PyPI website
> is hosted in the US, with mirrors in several countries outside
> the US (see http://www.pypi-mirrors.org/). Any uploads of
> packages must comply with United States export controls under the
> Export Administration Regulations.

These are export rules the PSF has to implement as a US organization,
so there's not much we can do about this.

The part "affirm that any United States-sourced cryptographic software is
not intended for use by a foreign government end-user" goes a bit
too far as well, AFAIR, since the EAR only applies to certain government
end-users. Then again, keeping up with the constant changes in
export regulation is probably not what we want to spend our time on
as PSF.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 01 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/