[Catalog-sig] PyPI terms (was: Deprecate External Links)

M.-A. Lemburg mal at egenix.com
Thu Feb 28 11:22:33 CET 2013 

On 27.02.2013 19:11, Noah Kantrowitz wrote:
> 
> On Feb 27, 2013, at 9:28 AM, M.-A. Lemburg wrote:
>> [reasons for not hosting distribution files on PyPI]
>> * giving up control
> 
> This is the point of running a package server, the author gives up control over distribution in order to reap the benefits of solid infrastructure and discoverability. This is a feature.

Please see below.

>>
>>> The legal restrictions on code on pypi itself is nothing more than needed to let people actually install things, which is kind of the point of listing on pypi. If someone really wants their own universe, run a package server yourself. What other reasons are there? Agreeing to an extra license would block pip anyway, so no loss there. Huge package files maybe? 
>>
>> That's not quite true:
>>
>> http://www.python.org/about/legal/
>>
>> """
>> ... third party content providers grant the PSF and all other users of the web site an irrevocable,
>> worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform,
>> and publish such content, including in digital form.
>> """
>>
>> Once you upload the files to PyPI, you completely give up control,
>> because that license is irrevocable. This goes far beyond what the
>> Python license does:
>>
>> http://docs.python.org/2/license.html
>>
>> Changing the PyPI terms to be more author-friendly is on my agenda,
>> but I haven't found the time for that particular discussion yet ;-)
> 
> You are comparing an artifact distribution requirement with a source code license. PyPI's terms don't say a thing about source code or anything else, just that if you want a package file to be installable, we need to be able to send it to people. There is nothing even remotely author unfriendly here, it is just common sense. Again, PyPI is _not_ the only way to publish packages, we are allowed to expect interoperability from people that choose to participate in our community.

The distributions files are the "content" the license is talking about,
just as the Python distribution files are distributed under the
Python license, so those two are really addressing the same thing.

Unlike the PyPI terms, the Python license does not grant an irrevocable
license on the content. It even comes with a termination clause, which
explicitly says that the license is revoked in case breached.

The PyPI terms, OTOH, do not allow revoking the license to distribute
the files. This wouldn't be a problem for the PyPI itself, since we'd,
of course, help the author to get the files removed.

However, the PyPI terms go beyond this in giving "all other users of the
website" those same irrevocable rights... which is a pretty large
crowd to ping in case of problems and ask nicely to take down the
files. What makes this worse for the author is that they are not
required to comply per the current PyPI terms.

This is what I meant with giving up control.

Removing the "irrevocable" in the PyPI terms would already go a long
way to make the terms more author-friendly, but this will have to
be hashed out with our legal counsel.

One of the reasons I had started the CloudPyPI project was to
address this aspect: having the whole mirror infrastructure
under PSF control would resolve the above issues, since we could
then remove the "all other users..." part of the terms altogether.

BTW: I've never seen a hosting website require agreeing to
giving users of the website the same distribution rights
as the owner of the website.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 26 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

More information about the Catalog-SIG mailing list