New T&C: is pypi moving towards a paid subscription model and/or abandoning package neutrality?

I reviewed the new Terms of Service of Feb 25 which will come into effect on Mar 27, 2025
https://policies.python.org/pypi.org/Terms-of-Service/

They supersede the old terms of use.

Some paragraphs seem very concerning to me. I am hence wondering:

is PSF moving pypi to a paid subscription model?

Is PSF looking to abolish package neutrality on pypi?

There are substantial passages indicating pay-for-service products (references below)

Re package neutrality, after the change, packages and accounts can be removed by PSF without any reason given or process necessary. Secondary damages caused by such an act - e.g., deleting a popular package - are also explicitly ruled out from liability on the side of PSF.
(references below)

Taken together, the terms of services could be seen as indicating a move towards a commercial, competitive package hosting model. It is of course hard to predict how far this move will go, but the changes may be seen as clearly indicative of this direction.

I also do think that this change in terms of services should be discussed by the community as a whole, as they seem to alter substantially the de-facto character of pypi and PSF.

It would be appreciated if PSF leadership could comment on whether such a discussion has taken place, and if yes, explain where and how the decision has been taken, and link to public minutes.

References - paid service model, package neutrality

paid service model:

new, extensive “paid services” section in Terms of Service - Python Software Foundation Policies

abandoning package neutrality:

“PSF has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. PSF reserves the right to refuse service to anyone for any reason at any time.”

“You understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data, or for any incidental, indirect, special, consequential or exemplary damages, however arising, that result from […]”

Briefly to maybe keep this from spiraling from FUD to chaos over the weekend.

Bottom line: these Terms of Service are fundamentally to formalize protections for maintainers, PyPI volunteers, and the PSF as we finally begin moving forward with PyPI Organizations for paid corporate users. Embarrassingly, nearly two entire years since we hoped to start.

Yes. For corporate usage, (edit: who choose to opt in to the paid features) in order to provide Organization features which will continue be provided to Community projects at no cost, forever. We also intend to add additional paid features that will help offset sustainability concerns such as bandwidth and staffing costs to support PyPI.

No.

The summary is here: Introducing our new Terms of Service - The Python Package Index Blog.

We are adopting this TOS to formalize the relationship and protections for maintainers, the pypi admins, and PSF in order to move forward with paid Organization accounts for corporate users.

And one other clarifying remarks: No one will be forced into adopting Organization features paid or free.

This doesn’t seem to answer the question about the “PSF May Terminate” paragraph below:
https://policies.python.org/pypi.org/Terms-of-Service/#3-psf-may-terminate

PSF has the right to suspend or terminate your access to all or any part of the Website at any time, with or without cause, with or without notice, effective immediately. PSF reserves the right to refuse service to anyone for any reason at any time.

This paragraph applies to all accounts, not only organization accounts, right? What does it have to do with “moving forward with paid Organization accounts”?

Yes, exactly my thoughts.

In response to Ee Durbin’s claim that this is to “formalize protections for maintainers” - the paragraph in fact seems to strip maintainers (as well as users) of any and all protections.

Comparing this to the current status quo, where protections arise not necessarily through the T&C, but the lack of the “reserves right to terminate for any cause” paragraph and baseline legal protections in applicable jurisdictions.

I had the same question as @pitrou regarding the specific paragraph. I can completely understand the need for termination in case of abuse similarly to the intent of the following paragraph:

2. PSF May Remove Content

We have the right to refuse or remove any User-Generated Content that, in our sole discretion, violates any laws or PSF terms or policies.

While this paragraph is about content, I would expect the PSF to also have the rights to terminate services when violations of laws or PSF terms or policies occur. However, the current paragraph is much more permissive regarding terminations. So I was seeking clarification.

Do realize we are talking about legal terms of service for a US non-profit. Don’t be surprised if the answer is, “the lawyers require it to be this broad to protect the PSF from lawsuits”. I also don’t think it changes what PyPI could do previously since the only formal terms were the terms of use which didn’t formally outline any of this and thus didn’t have any restrictions for what PyPI could do (i.e. why worry now if you didn’t worry before?).

Also note that the ToS at the bottom says, “Questions about the Terms of Service? Contact us at legal@python.org”, so there is a place to go for a more formal response.

To “protect PSF” may be, but such is not the concern - the issue at hand is, that users and maintainers do not seem to be protected at all, and that pre-existing protections are removed from them, by the change.

I would vehemently contest that claim, this is, in my opinion, clearly wrong.

If a termination clause is not present, it defaults to norms of the jurisdiction and/or precendent in case of common law systems like the US one. So, some protections will be afforded to users and developers under the old T&C, compared to the total absence of such barriers in the new T&C.

I do also have some further questions, including “who decided” (which was not answered so far), let me concretize:

1. when was this change of T&C decided and by whom?
2. are there minutes or other documents of the decision?
3. is there a clear legal assessment on whether moving to a paid service model jeopardizes the 501(c) US non-profit status?
4. does or did the aforementioned decision require a vote by the meeting of members?

I am not a US lawyer, so unless you happen to be I think we are both speculating here based on our knowledge of the US legal system As such, I’m going to stop guessing and suggest you reach out to legal@python.org as the ToC suggests for answers to your questions.

I do think these questions need to be answered in public and not in a private email thread - as a form of accountability of PSF towards its members.

Also, the PSF lawyers will likely be unable to answer questions about decision making rationale, e.g., who decided or why.

To me, it seems that is something only the current board of directors or officers of the PSF can answer.

Either way, I have sent an email as you suggested - not a bad idea! With the intention to direct useful replies to this thread.

Maybe the first question to the lawyers should be one about facts:

Is it true or false that the new terms, compared to the old terms, predominantly remove protections, specifically against termination of service, from “users” and “maintainers” of pypi packages (where they use pypi services such as upload, download, pypi package/project maintenance)?

Hoping to see a public answer from the aforementioned PSF lawyers here.

Just sent this email to legal at python.org and psf at python org:

Subject: Questions regarding new T&C

To whom it may concern,

I would like to direct your attention towards this forum thread regarding the new T&C applicable to the python package index:

https://discuss.python.org/t/new-t-c-is-pypi-moving-towards-a-paid-subscription-model-and-or-abandoning-package-neutrality/82566/9

It would be great if you could reply to some of the questions asked therein by members of the community.

I suggest to start with the simple question about whether, according to your expert legal opinion, the new terms remove protections from users with regards to termination of service, when compared to the old terms.

Best Regards

On the topic of paid subscription models, @brettcannon, @EWDurbin - since you have officially and unambiguously confirmed that paid subscription models and related services or products are indeed planned in the not-to-far future:

do you know whether there is a planned collaboration with one or more corporations on this, possibly hyperscalers?

Hi Franz, I’ll allow PSF board to respond to your inquiry as you state that they are best suited.

great! Hoping that they have the time to engage in discussion with the community on this topic and related topics of policy!

For convenience, I am collecting some of the questions from above, by me and others:

0. when was this change of T&C decided and by whom?
1. are there minutes or other documents of the decision?
2. what is the key rationale behind the paragraph “… PSF reserves the right to refuse service to anyone for any reason at any time.”?
3. is there a clear legal assessment on whether moving to a paid service model jeopardizes the 501(c) US non-profit status?
4. does or did the aforementioned decision require a vote by the meeting of members?
5. on the confirmed paid services or products, are there planned collaborations with one or more corporations, possibly hyperscalers?

Being a PSF member, I can answer that no vote or consultation of the members occurred.

(yes, Discourse renumbers a numbered list when only part of if is displayed - funny)

Update 2025-03-03 15:45 UTC - email from Deb Nicholson (Executive Director PSF) in response to mine above.

"
Hi Franz,

I wanted to acknowledge that we’ve received your note and will respond as soon as we can.

Deb
"

(I am not a lawyer, this is my personal opinion, etc.)

This didn’t sound right to me, so I checked: the AUP going back at least to June 2024 (archive.org link) includes the following language:

PyPI retains full discretion to take action in response to a violation of these policies, including account suspension, account termination, or removal of content.

While the majority of interactions between individuals in PyPI’s community fall within our Acceptable Use Policies and Community Guidelines, violations of those policies do occur at times. When they do, PyPI staff may need to take enforcement action to address the violations. In all cases, these actions are permanent and there is no basis to reverse a moderation action taken by PyPI Staff.

My interpretation of the new T&C is that they’re a more idiomatic (in terms of legalese) way of saying the same thing the old AUP said. So I think it’s incorrect to describe a change in policy around neutrality here: you might disagree with the old policy too, but I would argue that it’s morally identical to the new one in terms of powers granted to PSF/PyPI.

All told, I don’t agree that the character of PyPI has been meaningfully altered by these terms. PyPI continues to be an uncurated index, but that doesn’t mean (and has never meant) that the index is “fair game” for spam, malware, or personal file hosting (or just about anything else that would pose a risk to PyPI’s role in the ecosystem).

@woodruffw, disagreed with your reading of the terms.

In my understanding, very high-level summary:

Terms up until now: PSF can terminate in case of wrongdoing (“policy violation”) or for other clearly stated “good reason”. E.g., if you upload a virus package, violate someone’s trademark, typosquat, etc.

Terms from March: PSF can terminate for any reason, including what most people might consider “bad reasons”. E.g., for the purpose of illustration and without implying any intent here: selling a coveted project name on pypi to the highest bidder. Or, resolving name conflicts always in favour of a US entity. Or shutting down projects from a country the US is in a trade war with.

Again, repeating, not implying intent, just illustrating examples of what the new terms would enable vs where the protections of the old terms for users and maintainers would extend, and no longer do.

So, the new terms are not an idiomatic way to say the same. The old terms said “PSF can act if you violate policies” (and here are various policies like “do not upload virus”). The new terms say “PSF can act as it wants, no matter whether you have violated policies or not, and it is the sole decision maker, without recourse or appeal”.

The strict condition under which PSF is empowered to act is removed, in the sense of removing the condition in the legalese, and excluding legal liability from the get-go.