Things I've learned serving on the board of the Python Software Foundation (simonwillison.net)
170 points by rednafi 3 months ago | 102 comments



The elephant in the room here is the ideological capture of the PSF via its CoC working group. It seems, at best, the power of an unaccountable body to arbitrarily enforce membership conditions (and the like), has not been properly thought through (though, of course, attempts were made). The absence of due process and accountability to the community means the members of this group have arbitrary power to shape the PSF+community however they wish.

They have thus far, explicitly equivocated community criticism of the PSF with "attacking" it; equivocated mentioning the difficulties some communities face with defending these difficulties; and equivocated mentioning the identities of victims of this enforcement with the converse bigotry that people of other identities ought be harmed.

Thus at this point there is no open question about whether the CoC group is enforcing the CoC or abusing their juridical power to humiliate, defame and exclude members of the community which are critical of the PSF.

This is so repulsive to any reasonable person, the behaviour here is so public and so clearly abusive. Left to their own devices, a PSF operating under this capture will alienate significant numbers of the invested members of the python community -- who are aware-of, and concerned-by, such actions.

I think those of us merely observing this, with some stake in python as a language and community, ought make our repulsion clear. Since this is having, and will have, a serious deleterious impact on those most inclined to participate and invest time in projects of this kind.


Suspending Tim Peters for 3 months on bogus claims of misbehavior was harmful for the whole Python community. He's the guy who wrote the Zen of Python. If nothing is changed I fear that the Python community will continue to suffer.

This is also another data point that confirms my dislike of Code of Conducts. At first glance they seem like a good idea, but in practice they are often used as a tool to oust people disliked by the ones with the power to enforce them. Afterwards they are used as a shield from criticism.


The issue isn't Tim, and I'd imagine that was his intention. The issue is what Tim's reasonable criticism (of PSF policy changes) provoked, ie., a list of accusations from the CoC group that were obscenely defamatory (grounds for a civil suit) and nakedly self-serving. A list of accusations with no references, no quotes, no examples to evidence them -- just a list of the most extreme kind of bigotry that no reasonable person would tolerate.

Tim, and others, I'd say have given pitch-perfect good faith criticisms of the PSF carefully given with unfaltering good-faith to perform the truth of these criticisms. Namely, he induced a group of bullies in the middle of defining their own power to abuse others, to bully and abuse him. It is in these actions that we see, immediately, that his criticisms are accurate.

The PSF may presently believe they can conduct themselves this way, and the powergrab will eventually be permitted and so on -- but they've severely underestimated the relevant power dynamic: which is not between the PSF and powerless former critics, but between the community and the PSF itself.


What I cannot seem to find is a comprehensive list of similar events, Code of Conduct takeovers. Otherwise, concerns can be dismissed with "Well, that was a one-off situation," whereas a long history of such things would be more convincing to those in the middle.

Perhaps one could even honeypot the code to find out if the CoC types might be looking at you next. Include terms like blacklist and master and whatever else triggers them, see if you get some requests to change them, and there you go.


The Drupal Association's maltreatment of Larry Garfield seems to rhyme with the maltreatment of Tim Peters.


I kind of think we've arrived in this moment to be honest. I think it's fairly mainstream (in discursive environments) that the most recent moral panic has been hijacked by mostly WASPish elites to capture positions of power across communities seen to have some cultural influence (hence, esp., tech).

What I imagine is also now clear is: how little these people really understand about the politics they profess (eg., in this case, saying emojis are some sort of communicative violence); how little they care about the communities they've tried to hijack; and how mistaken they are about the nature of the power that exists within them.

A bit like a dog chasing a car that finally bites it, I doubt any of them are very happy. Consider how many WASPish elite journalist types have flooded into various media journalism and criticism, and how repulsed their own audiences are at them, and likewise. It's pretty obvious that many critics in these areas despise their audiences, and the environments they are in.

One imagines a similar wave of realisation is hitting these groups who've tried to take over technical organisations. In the end, these are incredibly meritocratic communities whose advancement is just "someone does something". You can't really argue with volunteers of this sort, you might as well argue with the sea. If you defame them, humiliate them, marginalise them, the people left won't be the ones who do any work. You cannot browbeat people into volunteering, only out of it.

This is the asymmetry at work that these obnoxious power-chasing elites are starting to realise: their obnoxiousness and abusiveness can only alienate, it cannot include. And so, no one watches their movies, tv programs, plays their games, reads their articles, or.. volunteers for their open source projects.

But we have to be very clear here: this has nothing to do with injustice. The people who are active fighting to reduce sexism, working in domestic violence shelters; fighting racism, working with police to reduce community violence; and so on -- these people are not out there on twitter posting slurs against perceived enemies.

This group had found out that you could use these issues to defame people online, worm your way into positions of power, and somehow gain some status and credibility. Now they are discovering how self-destructive and pointless such a strategy has been.


I've seen a lot of groups unfairly tarred, but I'll be honest: you've thrown me with "Python is being ruined by WASPs."


It's not exclusively WASPs, but these do form the basic core of this elite capture project. Ivy leaguers don't wear tweed and calfskins anymore, they're in doc martens protesting at someone's oppressive use of an emoji.


What exactly do you think WASP is short for? By almost every metric, the period of political and cultural ascendancy for American WASPs ended at least a generation ago. Consider the backgrounds of our last 3 presidents, as well as our next one (regardless of who it is).

(What’s so bewildering about this is that your framing suggests that it wasn’t the WASPs who were in tweed before, but some other demographic from whom the WASPs wrested the elite status. But the exact opposite is - rightfully - the case.)


I'm not sure why you think I'm talking about presidents.

Go and have a look at who the sorts of people I'm talking about are, you'll find a lot of rich white people dressing-down. Who do you think their parents are?

> your framing suggests that it wasn’t the WASPs who

I don't see where I said this.

WASPs have fallen from the presidency to bitching in newspapers, sure; and in random social organisations. That's my point. Their children are now bleeding-heart vipers going around, as their parents did, inserting themselves in positions of power as best they are able: "Representing" the interests of other groups who they've almost no experience or understanding of.

If you haven't noticed yet, have a look. When you see this kind of intra-elite warfare taking place, go look at the pictures of who's involved. Have a look at their bios. It's often a lot of upper-middle class white children playing games.

Go walk into one of the top universities in the world.


> I'm not sure why you think I'm talking about presidents.

Because you’re also talking about universities and social organizations as if Python broadly resembles either :-)

The point was that, in relative terms, WASPs today have less political and cultural capital than they’ve ever had at any previous point before in the US’s history. Which is a good thing.

(This is why I wanted you to spell out what you think WASP stands for. It isn’t “rich and annoying white person with social capital,” despite the fact that many WASPs are that.)


Father Ted opined on the concept quite extensively. It's hard to say whether the python "leaders" responsible for this are sociopaths or well-intentioned. If well intentioned the concept is to mold the community into an image of what is good and pure and right, to clip out impurities. Totally from the line of road to hell paved with good intentions. We see how this type of thinking goes - Pol Pot, Germany in the 1940s, and so on - the lesson is that it is wrong to try to mold a person or a society so forcefully, no matter how sweet the ideal. Secondly along the lines of Father Ted, it's increased likelihood at higher levels of seniorities that these are simply sociopaths who use the veil of "good" and cudgel of white guilt to leverage as much power as possible for themselves. Knocking out a scapegoat or two helps establish their power to grant or deny the future of absolutely anyone, basically a low key reign of terror. Sad to see any organization go that way but especially sad in an organization thinking itself to be for the common good.


There are a lot of strong assertions here, but no references for those who aren't already following along. Care to share any?


It is hard to follow along, because any time someone does mention the elephant in the room the entire submission gets flagged and sinks rapidly.



I don't like to nitpick word choices on HN comments, but since you used the word three times in this one: I believe you meant "equated" (to imply that two ideas are equal), and not "equivocated" (to show uncertainty, or to waffle).


I'm using equivocation in the fallacy sense: https://en.wikipedia.org/wiki/Equivocation

In most of my uses, the popular sense also applies, "the use of ambiguous language to conceal the truth or to avoid committing oneself; prevarication."

If you read the briefs put out by the WG against Tim and others, they are engaged in equivocation which has the effect of equating, say, mentioning the difficulties experienced in sexist work organisations with advocacy of sexism (the converse position).


I was surprised that there was no mention of the latest drama in "the kinds of things the board talks about" section. I would have assumed it was something that was a topic at the board retreat. But, maybe Simon was deliberately trying to avoid mentioning specifics to today and make this a more general post?

I would like to see an independent investigation into the recent events of the CoC WG, because it really appears to be indefensible.


If I were Tim, or any others who've been bullied-out, I'd sue for defamation. Members of the WG have issued briefs, on behalf of the PSF, which list the supposed infractions that read as the worst sort of libellous yellow journalism.

Eg., To equivocate discussing the past difficulties faced by victims of sexual harassment in corps with defending sexual harassment is sickening.

Perhaps this group of people have grown up in twitter space where the game is obnoxiously strawmanning and rephrasing another person in order to farm outrage against them (eg., "oh so when you mentioned sexism, that means you're a sexist!"). However this conduct is now on behalf of an organisation formed in law, with legal duties and responsibilities, and now has liability for this conduct that is practically absent on twitter.

This is a very serious problem for the PSF. You cannot have a working group releasing a dozen accusations of the worst kinds of bigotry, entirely false and unevidenced (etc.), on your behalf. Punishing your members, and the like. The legal liability here is incredible.


That's an interesting idea, but for a variety of reasons I'm fairly sure that Tim won't do that. Particularly not without a legal defense fund or some pro bono legal services secured to back it, but also because his vibe on it largely is "I've been called worse by better".

edit: Probably also hard to do since the CoC WG post with all the allegations on it were against an unnamed developer, making it at least an uphill battle.


Defamation doesn't require you to name the person, only for it to be obvious to a relevant reader who it is. The fact we're all talking about Tim kinda resolves that problem on the face of it.

Whether he sues or not is less important than the PSF needing to realise what crazy liability they face for their WG posting defamation this extreme against a person.


>Probably also hard to do since the CoC WG post with all the allegations on it were against an unnamed developer,

That didn't stop them in my case (https://discuss.python.org/t/im-leaving-too/58408/10; contrast https://zahlman.github.io/dpo_archive/).


Same thing happened to the Linux kernel via the same kind of self appointed CoC group. It's absolutely disgusting.


What situation are you referring to?


It is sad that open source is all about foundations and positions now, not about software development.

Periodically you see "I am awesome and served on the Steering Council" posts on Stack Overflow.

Some of it from people who have never been on the bug tracker, who don't know or ignore the significant social and abuse of power issues in Python.

The PSF marketing completely ignores reality: Free developers have been crowded out, chased away, humiliated and libeled and replaced by a clique of true believers.

I would not advise anyone to spend significant resources to donate free work to Python. I'd also warn Microsoft employees who are potentially lured in to work on a JIT that they are up against ruthless politicians and should probably better work on C# and F# for their careers.


> It is sad that open source is all about foundations and positions now, not about software development.

Actually it isn't. There's plenty of new open source being developed. When a project gets big enough, some kind of formal support structure has to emerge. I can't think of a single time I looked at someone's profile on Stack Overflow and allowed credentials to override working, well-written code.

> I would not advise anyone to spend significant resources to donate free work to Python.

I'm not part of Python governance, but after over 25 years of writing Python code, it makes me sad that you feel that way. On the whole, the Python community has been awesome online and in person. It sounds like you had a really bad experience. I've had a few bad experiences with other open-source projects, and every time, it was really just a case of I had what I thought was a great idea, and the project owners thought differently. Looking back on it, I probably didn't have as great of an idea as I thought I had at the time.


"I would not advise anyone to spend significant resources to donate free work to Python."

The Python Software Foundation (PSF) is a 501(c)(3) which means it is for the benefit of the community as a whole. What better form of organization would you suggest?

This is already much better than most other open source organizations[1], which are 501(c)(6) and are explicitly for the benefit of their members only, which are usually comprised of the silicon valley behemoths.


The Cato Institute is also a 501(c)(3). Foundations can 100% benefit the paid staff even if they do not make a profit.


I think the issue is less their legal form, but their behavior and the resulting drama. If they are driving away the good developers, some kind of collapse might be imminent. You shouldn't invest anything in that.


An alternative approach is to get involved and drive out the bullies, or better, drive out the bullying practices.


That is the ideal but the above comment "...are up against ruthless politicians ..." applies.

It's my observation that there are people involved who are: very interested in promoting a point of view; only secondarily interested in Python.

They have time and motivation to protect their bridgehead. Many others who look at what's going on and hold their nose have other things they would rather be doing ... like developing software.


could you please elaborate on those views? also maybe speculate on why this is?


Interesting, I always wondered how pip was funded. It works too quickly and seamlessly for a free service, interesting to see a company just sort of bankrolls it. I suppose if Fastly will stop bankrolling it then some of the big tech like Microsoft or Amazon should. It is the world’s most popular language now after all, and a lot of ML codebases are exclusively in Python.


> It works too quickly and seamlessly for a free service

In what sense? Linux distribution package managers work just as well, if not better.


The Linux foundation is one of the few open-source organizations that actually has significant money behind it (Mozilla is the only other one I can think of). PyPI moves hundreds of petabytes of data per year and a lot of orgs are simply not prepared to scale to that size. Without Fastly's support, the PSF wouldn't be prepared, either.

So it's more than a little annoying to see that resource wasted. Setuptools is one of the most downloaded packages, largely due to issues with the design of Pip. Numpy by my estimate accounts for over 10% of download volume by itself (it's both very popular and very large), and ships basically an entire development environment (including multiple test suites and patches for Setuptools) for both C and FORTRAN extensions, along with many megabytes of advanced math libraries, to clients who mostly don't need any of that. Most packages could be considerably smaller if the standards supported LZMA compression (which is already in the Python standard library). The metadata formats are awkward, both wasting space and failing to prevent downloads of package versions doomed to fail installation.


Foundations seem critical for the health and longevity of ecosystems. It is interesting to compare the various foundations in other ecosystems, their tax/entity status, and who comprises the board.

Many boards are structured to purely benefit the company “sponsoring” and this is wrong. I’ve always looked at PSF as a means of doing it right in all regards.

I wonder how much other ecosystems can grow if they gave up the control and allowed their communities to drive progress. One of the greatest parts of python and rust is the ability to still innovate the needs of the community and not just corporate interests


Free-threading goes in because Facebook wants it. Microsoft wants more control, too.

The current PSF is doing nothing right. Up to 2014 it was a somewhat reasonable organization that marketed Python to academics, which is part of Python's success.

Now it rests on its laurels, gives money to administrators and friends, stifles free speech and locks down the infrastructure.

No innovation has ever come from the PSF. It takes the credit for the blood, sweat and tears of individual contributors.


I enjoyed reading this perspective, but I think it left out some crucial information. My thesis here is that the PSF - already woefully underfunded, with PyPI kept afloat by a massive in-kind donation that gets to stay off the books - grossly misallocates the funding it does receive. Further, there are obvious and serious gaps in the consideration they pay to the moral values they profess to hold most dear.

> The PSF currently employs 12 full-time staff members. Members of the board do not directly manage the activities of the staff—in fact board members telling staff what to do is highly inappropriate. Instead, the board is responsible for hiring an Executive Director—currently Deb Nicholson...

Ms. Nicholson is listed as both a board member and a staff member, and also an officer. Another staff member, Olivia Sauls, is also listed as an officer. Between officers, the board and staff, I count 25 unique individuals, who are presumably all paid.

> Many PSF activities are carried out by these volunteers, in particular via Work Groups.

The membership of these Work Groups also has heavy overlap. For example, four members of the Code of Conduct Work Group are on the Board as well - including Ms. Nicholson.

It's also worth noting that members of Work Groups are not necessarily elected. For example, the cited charter for the new "User Success" Work Group doesn't provide for the addition or removal of members at all, even though it's intended to operate perpetually. The Code of Conduct Work Group appoints its members, who may apply by private contact.

> You can see how that money has been spent in the 2023 Annual Impact Report.... The most significant categories of expenditure in 2023 were PyCon US ($1,800,000), our Grants program ($677,000), Infrastructure (including PyPI) ($286,000) and our Fiscal Sponsorees ($204,000)—I’ll describe these in more detail below.

I can't readily find these numbers in the report, but I can find that staffing for 2023 cost a total of about 1.3 million.

(The report for this year is, for some reason, only available in PDF format. Others pointed out that this was not great for accessibility - supposedly a core value of the PSF and several Work Groups - and this was agreed about, and then as far as I can tell nothing was done.)

> More recently, the PSF has started employing Developers in Residence to directly support the work of both the core Python team and initiatives such as the Python Package Index.

To my understanding, there are currently three of these: Łukasz Langa - the individual who implemented my ban from the Python Discourse forum - since 2021, and Petr Viktorin and Serhiy Storchaka since January.

That makes 28 likely people on the payroll by my count. Other core developers - dozens of them - operate purely on a volunteer basis. (In talks at PyCon, Raymond Hettinger used to joke about Guido van Rossum offering to double his $0 salary.)

> PyPI’s numbers are staggering. Today there are 570,000 projects consisting of 12,035,133 files, serving 1.9 billion downloads a day (that number from PyPI Stats). Bandwidth for these downloads is donated by Fastly, a PSF Visionary Sponsor who recently signed a five year agreement to continue this service.

Per the report, this amounts to over 600 petabytes of network traffic from PyPI per year. This would cost about 12 million dollars a year - nearly triple the operating budget - at market rates (https://aws.amazon.com/cloudfront/pricing/).

My experiments suggest that about a quarter of this could be eliminated simply by enabling and then mandating the use of LZMA (XZ) compression for sdists and wheels (which currently must both use ordinary Gzip compression). There is support for LZMA in the Python standard library. (The one-time cost of recompressing existing archives should be minuscule in comparison - granted that LZMA is computationally expensive, but currently the daily download volume is on the order of dozens of times the entire repository size.)

> The annual US Python Conference—PyCon US—is a big part of the PSF’s annual activities and operations. With over 3,000 attendees each year (and a $1.8m budget for 2023) running that conference represents a full-time job for several PSF staff members.... the importance of PyCon US to the Python community is such that the PSF is happy to lose money running the event if necessary.

For a sense of scale, this is 200 times the grant that made DjangoCon Africa possible - though it ran into serious issues due to underfunding (https://pythonafrica.blogspot.com/2023/12/an-open-letter-to-...).

Also for a sense of scale: the PyCon US Youtube channel (https://www.youtube.com/@PyConUS) has about 29k subscribers and a total of 1.35 million views across all videos. For comparison, that's not many more people than those taking the JetBrains Python developer survey each year (e.g. https://lp.jetbrains.com/python-developers-survey-2023/ claims 25k), and less than a sixth as many views as for the question "How do I list all files of a directory [in Python]?" on Stack Overflow (https://stackoverflow.com/questions/3207219/). But perhaps "the Python community" (with inclusivity as a core value) is meant to represent a much smaller group than Python developers in general.


Board members of the PSF are not paid. We get to claim expenses on travel to PyCon and to the annual board retreat, but we're asked to see if our employer can foot the bill for those first (several do).

Officers who are also PSF staff members are paid because they're staff members - officers who are not staff members aren't paid.

Two of the current developers in residence are paid as PSF staff. One is paid as a contractor which I believe is because they don't live in the USA.

The Fastly sponsorship is indeed crucial to continuing to offer PyPI as a free resource. Having an infrastructure company sponsor that kind of thing makes a lot of sense, because their underlying costs are significantly less than if the PSF were to pay market prices for that bandwidth.

The only direct PSF elections are for the board - different work groups have different governance structures, none of which involve elections as far as I know.

Python core / steering council members are also elected but that's entirely separate from the PSF, see https://peps.python.org/pep-0013/

$1.8m for a multi-day conference that supports 3,000+ attendees is pretty standard for North America.

We made some significant changes to how grants work based on the feedback from DjangoCon Africa - details of those changes are here: https://pyfound.blogspot.com/2024/07/psf-board-update-on-imp...


>Officers who are also PSF staff members are paid because they're staff members - officers who are not staff members aren't paid. Two of the current developers in residence are paid as PSF staff. One is paid as a contractor which I believe is because they don't live in the USA.

Thanks for the clarification.

>Having an infrastructure company sponsor that kind of thing makes a lot of sense, because their underlying costs are significantly less than if the PSF were to pay market prices for that bandwidth.

Absolutely. But if I worked at Fastly I would not be particularly happy about seeing that good will squandered to such an extent.

>The only direct PSF elections are for the board - different work groups have different governance structures, none of which involve elections as far as I know.

Yes, and this is a clear problem if you expect work groups to have any actual power or influence. Especially the one making decisions about banning people.

>$1.8m for a multi-day conference that supports 3,000+ attendees is pretty standard for North America.

So I hear. At that rate you'd be looking at about $600 US in admission per attendee to break even. I've certainly heard of conferences charging more than that (certainly for the ones that have tiered admission).

But I'm accustomed to fandom conventions (still multi-day with tens of thousands of attendees) that charge about a tenth of that and still manage to raise money for charity. Why is it that much more expensive to run an event for computer programmers?


> $1.8m for a multi-day conference that supports 3,000+ attendees is pretty standard for North America.

Can you please elaborate (as was also asked in a sibling comment) about how comes that the costs are not covered by tickets / sponsors?


To clarify: the PSF did not lose $1.8m on PyCon. It spent $1.8m and made most of that money back in revenue from the event.

Most years the cost is fully covered by tickets and sponsors and the event makes a profit.

When PyCon runs at a loss it’s generally a sponsorship problem. The tech industry has seen a lot of layoffs recently, and companies that sponsor large conferences are often doing so for recruiting. If a company is laying people off they are likely to drop their sponsorship budget.


It's not unusual for board members to also be officers and staff and it's generally understood that being on the board by itself does not denote authority over staff, however, a staff member on the board would still be able to fulfill their staff responsibilities.

That said, it would be best to clarify if the board/officers are getting paid.

> My experiments suggest that about a quarter of this could be eliminated simply by enabling and then mandating the use of LZMA (XZ) compression for sdists and wheels (which currently must both use ordinary Gzip compression)

At this point, I wonder if jumping to zstd would be a much larger savings and require about the same amount of organizational effort, even if the technical work would be larger.


>To my understanding, there are currently three of these: Łukasz Langa - the individual who implemented my ban from the Python Discourse forum

Go on...


What is this intended to say? "Oh, you got banned there, so there surely is a justified reason for that"?

Because the lack of justified reason for bans was a big thing in the Python Forum some weeks ago.


I think it is just asking for the gossip around the ban. It doesn't read as "the ban was justified" or not.


Oh, I should have included the links that time I guess, I just don't want to appear overly self-promotional.

https://zahlman.github.io/politics/the-psf/2024/07/31/an-ope...

https://zahlman.github.io/dpo_archive/


> I can't readily find these numbers in the report...

The disaggregation you couldn't readily find is on p. 25 of the 2023 PSF Annual Impact Report[1].

[1] https://s3.dualstack.us-east-2.amazonaws.com/pythondotorg-as...


Thanks, that was a simple oversight on my part.


I remember being pretty perturbed a few years ago learning PSF pulled in $5M a year and spent most of the profit on “outreach.” Which is a nice to have at the end of a budget but not as the primary item.

Meanwhile the packaging group has been complaining for a decade+ that they are unpaid volunteers and don’t have the resources to maintain existing features in pip, i.e. why they have broken compatibility several times in the last few years.


The developer in residence program is quite new but is a big improvement in terms of supporting key pieces of the Python ecosystem with paid contributors.


The work they are doing is not important and would have been done for free, had the inner circle not chased away most free contributors and staffed these positions with their friends.


Yes, please continue, and don’t forget packaging. Thankfully astral is stepping up to potentially take that off their hands, de facto if not officially.

Oh, and less outreach for one of the most popular programming langs in the world. :-D


The fact that Python is one of the most popular programming languages in the world and the fact that the PSF puts a lot of its effort into community and outreach may well be connected.

> The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.


I don't think so. It has been a learning language for two+ decades, very easy to pick up yet still powerful, and growing. Add the recent decade+ boom in data to machine learning to AI (see other comment).

I'd be surprised if outreach activities reached a fraction of that impact. In the other direction, the poor packaging story has definitely hurt its reputation. Not a single python post goes by without someone complaining about it.


Also protect is near the front of that statement. While a mission can be anything, it doesn’t make long term sense to look for new roommates when your foundation is crumbling.


> The fact that Python is one of the most popular programming languages in the world and the fact that the PSF puts a lot of its effort into community and outreach may well be connected.

They may be, as any correlation might imply causation, but it would surprise me. Stack Overflow, great libraries (and their communities), all the data science/scientific computing open source work, the work to date on pypi, the lower barrier-to-entry syntax, as well as actual (C)Python improvements are the main things.

As an analogy, I've seen in previous companies that the HR believes they set the culture of the company, and they do things that attempt to improve the culture, but I'd still say that 99%+ of company culture is not coming from HR, except if it were extremely negative (e.g. Microsoft and stack ranking). Thankfully my more recent companies have understood this much more, which is wonderful.


Python is popular, because it's simple, and it's great as a glue language. The simplicity made it the language of choice for beginner's computer science courses at universities and schools. The glue language qualities led to numpy/scipy/et al., and that led to Python's popularity when AI/ML/data science became popular.

How much of the PSF's 2023 outreach budget was spent on those? How many universities were given money or otherwise convinced to redesign their curriculum using Python? Did it go to numpy?


Hilarious when considering Python is the glue holding together how many billions of AI/ML in industry?


They should just turn it off for 24 hours (with plenty of warning so that people who pay attention can be prepared). It might remind that industry that they exist at all.


Very unlikely board is getting paid.

5 million is a rounding error in terms of spend on python programming - Facebook alone between their website and ML likely does orders of magnitude more.

Often a thankless job - for whatever reason these small budget groups attract lots of criticism.

Nothing stops anyone from using or improving python


> My experiments suggest that about a quarter of this could be eliminated simply by enabling and then mandating the use of LZMA (XZ) compression for sdists and wheels (which currently must both use ordinary Gzip compression).

That won't happen as there is a slow effort behind the scenes to get Zstandard in the standard library, which is far better.


Why is the effort "slow"? As far as I can tell, LZMA is still better than ZSTD at compression. ZSTD is just faster. So LZMA seems to be a better solution to the bandwidth cost problem.


While I agree with your conclusion, the correct analysis needs to look at both the expected transfer rate and the decompression speed because otherwise you might end up picking a very slow algorithm (like, literally 10 KB/s). LZMA is thankfully reasonably fast to decompress (> 10 MB/s) so it is indeed a valid candidate, though the exact choice would heavily depend on what is being compressed and who would actually do the expensive compression.


Currently the model is that compression is done by the package uploaders, but I don't see a reason why uploaded files couldn't be (re)compressed on the server. Again, there would be vastly fewer compression events than decompression (after download) events. Aside from that, it's better if the standards allowed for multiple compression formats. Any effort to start using a new one for existing files in a different format, could then be phased in (prioritizing the packages where the biggest savings are possible).


> I don't see a reason why uploaded files couldn't be (re)compressed on the server.

The reason why would be of course the computational expense and latency in the package availability, which will vastly limit the algorithm choice. LZMA is probably still okay under this constraint (its compression speed is in the order of 1 MB/s for the slowest setting), but the gain from using LZMA instead of Zstandard is not that big anyway.

I presume that the vast majority of big wheel files are for compiled and bundled shared libraries. (Plain Python source files are much easier to compress.) You can estimate the potential gain from looking at various compression benchmarks, such as the `ooffice` file for the Silesia benchmark [1], and the difference is not that big: 2426 KB for 7zip (which uses LZMA2 with BCJ filter) and 2618 KB for zstd 0.6.0---less than 10% difference. And I believe, from my experience, that BCJ is responsible for most of that difference because x86 is fairly difficult to compress without some rearrangement. The filter is much faster than compression and at least as fast as decompression (>100 MB/s), so there is not much reason to use LZMA when you can instead do the filtering yourself.

[1] https://mattmahoney.net/dc/silesia.html
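The BCJ point in the comment above can be reproduced with Python's standard `lzma` module. This is an added example, not code from the thread: the input is a constructed stand-in for x86 code (`CALL rel32` instructions aimed at 16 made-up targets, each followed by one of 8 made-up instruction runs), so the sizes show the mechanism and say nothing about real wheels.

```python
import gzip
import lzma
import random
import struct


def build_constructed_code(n_calls=20000, seed=0):
    """Constructed stand-in for x86 code: E8 <rel32> followed by an 11-byte body."""
    rng = random.Random(seed)
    targets = [0x1000 + 0x40 * i for i in range(16)]  # made-up function addresses
    # Keep E8/E9 out of the bodies so the only branch opcodes are the CALLs.
    safe = [b for b in range(256) if b not in (0xE8, 0xE9)]
    bodies = [bytes(rng.choice(safe) for _ in range(11)) for _ in range(8)]
    out = bytearray()
    for _ in range(n_calls):
        target = rng.choice(targets)
        # rel32 is relative to the address of the next instruction, so two
        # calls to the same function encode to different bytes.
        rel = (target - (len(out) + 5)) & 0xFFFFFFFF
        out += b"\xE8" + struct.pack("<I", rel) + rng.choice(bodies)
    return bytes(out)


def compare(data):
    """Compress with gzip, plain LZMA2 and BCJ(x86)+LZMA2; return sizes in bytes."""
    plain = lzma.compress(data, format=lzma.FORMAT_XZ, preset=6)
    # The x86 BCJ filter rewrites rel32 operands as absolute addresses before
    # LZMA2 runs, so repeated calls to one target become identical byte runs.
    bcj = lzma.compress(
        data,
        format=lzma.FORMAT_XZ,
        filters=[
            {"id": lzma.FILTER_X86},
            {"id": lzma.FILTER_LZMA2, "preset": 6},
        ],
    )
    # The filter chain is recorded in the .xz header, so decoding needs no hints.
    if lzma.decompress(plain) != data or lzma.decompress(bcj) != data:
        raise ValueError("round trip failed")
    return {
        "raw": len(data),
        "gzip": len(gzip.compress(data, 9)),
        "xz": len(plain),
        "xz+bcj": len(bcj),
    }


if __name__ == "__main__":
    for name, size in compare(build_constructed_code()).items():
        print(f"{name:7} {size:>8}")
```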


The effort is slower than what one would desire because we are all volunteers.


I am not a member of the Python community, and I know from here and elsewhere that there is a lot of drama (e.g. "the individual who implemented my ban from the Python Discourse forum"), so I know there is a lot of underlying context here I may not be aware of.

That said, as someone who does sit on a (non-software related) non-profit board, I got so frustrated by your comment because it included so many uninformed and flat out false assumptions, the same ones I have to roll my eyes over when I hear them directed at my non-profit.

First, it is rare (like extremely rare) for non-profit board members to get paid. For most non-profits, the expectation is that board members donate a considerable amount. The author of the post already commented that board members are not paid, making the underlying thesis of your post ("28 people on payroll") invalid.

The other thing that's frustrating about your post is the basic assumption that "number of paid people on staff = bloat", and it's something that drives me crazy. Sure, on one hand, there can be a lot of bloat (especially with larger nonprofits), and of course there are some nonprofits that are borderline frauds, only existing to funnel money to friends and family.

But getting good people to get a lot of shit done costs money. The vast, vast majority of people who work for non-profits could probably get a larger salary elsewhere - they're not doing it "for the money". And there are a lot of jobs where doing it with volunteers is basically impossible. Most volunteers don't want to do the boring yet critical grunt work of event planning, accounting, etc., and those tasks need to be done.


I think you have fundamentally misunderstood my argument.

"28 people on payroll" is not at all important to my point. The financial report says how much money is spent on salary. The important part is that most of it doesn't go to developers.

I don't see bloat because of how many staffers there are. I think funding is misallocated because developers don't get it (rather, they aren't hiring more people that can actually work on Python full time - my understanding is that most core devs have a day job) and because international events apparently run on a shoestring compared to PyCon, which in turn doesn't seem remotely important enough to justify its expenditures.

This results, among other things, in an ecosystem where basic PyPI support requests (see e.g. https://github.com/pypi/support/issues/2771) go unanswered for months, and Pip has embarrassing flaws (asking it to download a package without installing it can cause it to run arbitrary code from setup.py - https://github.com/pypa/pip/issues/1884 and many others) that have persisted for almost the entire history of Pip.

That said, I do see "bloat" in the social overhead of Python governance, given the proliferation of (volunteer) Work Groups that don't seem to be accomplishing very much.

And just to emphasize, I did already describe the PSF as "woefully underfunded", because it is - just like most other open source orgs.
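A static way to look at an sdist without triggering the behaviour described in the comment above, as an added example that is not part of the thread or pip's own code: it reads `PKG-INFO` straight from the archive with `tarfile` and never imports or runs `setup.py`. The package name, file contents and helper names are constructed for illustration.

```python
import io
import tarfile
from email.parser import HeaderParser


def build_constructed_sdist(metadata_version="2.1", with_setup_py=True):
    """Return a tiny .tar.gz sdist built in memory (constructed sample data)."""
    files = {
        "demo_pkg-1.0/PKG-INFO": (
            f"Metadata-Version: {metadata_version}\n"
            "Name: demo-pkg\n"
            "Version: 1.0\n"
            "Requires-Dist: requests\n"
        ),
        "demo_pkg-1.0/pyproject.toml": "[build-system]\nrequires = ['setuptools']\n",
        "demo_pkg-1.0/demo_pkg/__init__.py": "",
    }
    if with_setup_py:
        # Stand-in for code that would run if a tool executed the build step.
        files["demo_pkg-1.0/setup.py"] = "raise SystemExit('setup.py was executed')\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _version_tuple(value):
    try:
        return tuple(int(part) for part in (value or "0").split("."))
    except ValueError:
        return (0,)


def inspect_sdist(blob):
    """Read an sdist's declared metadata without executing any of its code."""
    report = {
        "name": None, "version": None, "requires": [],
        "has_setup_py": False, "has_pyproject": False,
        "deps_declared_static": False, "unsafe_members": [],
    }
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Record path-traversal and link entries; never open them.
            if (member.name.startswith("/") or ".." in parts
                    or member.issym() or member.islnk()):
                report["unsafe_members"].append(member.name)
                continue
            if not member.isfile() or len(parts) != 2:
                continue  # only files directly under <name>-<version>/ matter here
            if parts[1] == "setup.py":
                report["has_setup_py"] = True
            elif parts[1] == "pyproject.toml":
                report["has_pyproject"] = True
            elif parts[1] == "PKG-INFO":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                meta = HeaderParser().parsestr(text)
                report["name"] = meta["Name"]
                report["version"] = meta["Version"]
                report["requires"] = meta.get_all("Requires-Dist") or []
                # Core metadata 2.2 (PEP 643): fields not listed as Dynamic are
                # reliable in the sdist, so no build is needed to learn them.
                dynamic = {d.lower() for d in (meta.get_all("Dynamic") or [])}
                report["deps_declared_static"] = (
                    _version_tuple(meta["Metadata-Version"]) >= (2, 2)
                    and "requires-dist" not in dynamic
                )
    return report


if __name__ == "__main__":
    print(inspect_sdist(build_constructed_sdist()))
```

Separately, `pip download --only-binary=:all:` restricts pip to wheels, which are unpacked rather than built, so no `setup.py` runs.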


> The PSF had $4,356,000 revenue

In some ways, this makes me even more impressed with Zig. And possibly a signal others believe Zig will have an outsized impact.

Zig foundation raised ~$500k last year, which is 1/9th PSF.

Yet if I had to guess Zig is way smaller than 1/9th the ecosystem Python is today.

https://ziglang.org/news/2024-financials/


While Zig foundation is impressive, a large portion of their income comes from Uber for the Zig toolchain for C/C++, not Zig the language proper. This shows both a good strategy picked by the foundation and the difficulty of funding based on the language proper.


> a large portion of their income comes from Uber for the Zig toolchain

Nah, that was a sizeable chunk of money (200k) that we received last year, but it was meant to last 2 years and we don't know if it will be renewed or not (Zig seems to be working well enough, "unfortunately").

We're getting more constant financial support from startups who have adopted Zig (Bun, TigerBeetle, ZML, to name the main ones) alongside some extremely generous private sponsors.

We're not rushing commercial adoption of Zig because we want to take our time to grow the project as we see fit. Open the changelog of every Zig release and you will see at the very top that we don't recommend usage in production yet (unless you really know what you're doing).

Corporate sponsors from wider adoption will come at the right time.


Ah, that's good news to hear. I felt that Zig is already quite useful at least for some uses and meant to say that merit alone doesn't imply a financial success (whatever it means), it'd be another story if the financial success is not yet aimed.


This is how most non-profits work. TBH, for something as widely-used as Python, everything from headcount to expenditures are extremely modest.


Just a nit - no one serving the estimated 150 gbits/s of 600PB/year would use AWS to serve it; a more realistic amount would be about 1 million per year.


Well they _might_. But not at full "retail" AWS bandwidth costs. They are very open to negotiation once you get anywhere near a million bucks a month in spending.

But yeah, they'd have to be discounting very very seriously for you to not take your 600PB/year elsewhere.


> could be eliminated simply by enabling and then mandating

It seems like the PSF choosing an option that costs a little more while preserving the current UX of contributions on PyPI is a reasonable choice for a healthy ecosystem. Most of the ecosystem doesn't care about a few thousand dollars of funding, and most do care about the ecosystem of libraries on PyPI thriving. Given the state of Python packaging being what it is this seems like absolutely the right choice, to reduce complexity.


> PyCon US ($1,800,000)

They spend 1.8 million to mess up the sound recordings? I thought the cons were paid for by visitors and private sponsors.


That $1.8m figure is money spent, not profit made.

PyCon US usually takes in more than it costs to run - from sponsors and ticket sales.

This year the event ran at a loss, as noted in the post. In the past this has been rare - the PSF’s other activities used to be funded mostly from PyCon profits.


> 600PB per year, this costs around $12 million USD..

This value is off by at least a factor of 10. I pay around $600/yr for a 1Gbit fiber line which transfers more than 3PB/year. PSF is paying $6,000/yr to transfer the same amount, i.e. 10x more. Where is the 10x inefficiency compared to AT&T retail coming from?


I have no idea how AWS's retail prices compare to their infrastructure costs. I just used the numbers available to me and linked in GP.


Are you sure that you actually transfer 3PB/year? I think if you were maxing out your retail line, AT&T would give you a call.


Put 600 PB into the AWS S3 transfer cost calculator and you get $30M.


> But perhaps "the Python community" (with inclusivity as a core value) is meant to represent a much smaller group than Python developers in general.

I’m not really sure what you are trying to insinuate here. That pycon should be more racist and chauvinistic to increase its reach?


Inclusivity is preached, but if you are from some social background where gender identity is not valued, and you do not hide that, you are not welcome in the project.


As per the Paradox of Tolerance:

> (…) if a society's practice of tolerance is inclusive of the intolerant, intolerance will ultimately dominate, eliminating the tolerant and the practice of tolerance with them. Karl Popper describes the paradox as arising from the fact that, in order to maintain a tolerant society, the society must retain the right to be intolerant of intolerance.

https://en.wikipedia.org/wiki/Paradox_of_tolerance


Lest we forget that Popper was describing a specific type of "intolerance" that existed in the 1940s.

> "In this formulation, I do not imply, for instance, that we should always suppress the utterance of intolerant philosophies; as long as we can counter them by rational argument and keep them in check by public opinion, suppression would certainly be unwise."


Who is the intolerant in your line of thinking?


I realised my previous comment lacked some context and was adding to it but then saw you replied, so I’ll address it here instead.

There is a large difference between not valuing something and devaluing it. The former is neutral, it does not care what people engage in within the boundaries of not causing harm; the latter is actively against something and tries to stop people from doing it (we can say it is intolerant to it).

I’m not aware of an example of someone having been neutral on gender identity in the “the project”¹ and having been made unwelcome. But I’m not a Pythonista myself, so I’m not intimately aware of the internals. Could you share a concrete example? Preferably one that includes some degree of community support, not just the ramblings of a single individual, as the latter would not be representative.

¹ It’s unclear what you’re referring to. The PSF? The Python language core? The Python community?


I see where you are going there, not affirming people's gender identity can be seen as intolerance.

Let me ask you a question. Would you argue the same for national identity? Would you feel safe in a community where user profiles feature the flag of the country they identify with? Where it's normal to name your country with your name? You probably wouldn't want to affirm that, either. It gives "bogus criteria" vibes like from the hacker ethics.

You might now understand how I and some others feel about gender identity. Some people want to have a social life without dealing with that. And this isn't accepted by people who want affirmation for their gender expression, regardless of cis or trans.

For ¹, I meant it in a generic fashion, as python is not the only project where this happens.


> I see where you are going there, not affirming people's gender identity can be seen as intolerance.

It seems that what you understood from my comment is that not being actively positive about something is being intolerant. That is not what I said, I only touched on neutrality and negativity, not positivity. “Tolerance”, after all, does not mean “active support” but “acceptance”.

https://en.wikipedia.org/wiki/Toleration

Again, there is a large difference between being neutral on something and being against it.

> Would you feel safe in a community where user profiles feature the flag of the country they identify with? Where it's normal to name your country with your name?

Yes? People do that all the time on social media, putting a flag near their name. Sometimes they even do it to support other countries (such as Ukraine).

> You might now understand how I and some others feel about gender identity.

Not at all. If anything, I’m even more confused. I’m curious why you wouldn’t feel safe in such a community, and why “safe” is the word you chose. What’s the danger? I mean, in the country case I could see a point: there’s tribalism and rivalries amongst countries which can lead to war, but never have I felt unsafe around someone who expressed their gender identity.

> Some people want to have a social life without dealing with that.

Just recently I spent several days in a group where one person used pronouns fluidly. They were incredibly sweet, positive, good natured, and open-minded. I’m not sure what is there to “deal with”.

Perhaps this is related to different countries and cultures.

One thing I want to make very clear, especially considering how you stated the previous comment, is that I’m not calling you intolerant, or a bigot, or any other insult. I don’t know you, and it wouldn’t be right to judge you as a human from a single random comment. I am trying to understand your point and what to you is (apparently) scary or wrong about gender identity.


> I’m curious why you wouldn’t feel safe in such a community, and why “safe” is the word you chose.

I hate being judged by whatever gender idea people "assign" me. Bogus criteria. So being around people who are natural at doing it is annoying. Expressing your gender identity signals that you consider it to be significant. Not causation, but correlation.

> Just recently I spent several days in a group where one person used pronouns fluidly.

Pronouns and names are easy. It's not easy dealing with whatever weird ideas of masculinity and femininity some people come with. Especially if your world is not as pink/blue split as theirs. Some people are chill but more aren't.

I think this would be a non-issue if gendered people had more awareness that gender is a) culturally local and b) not everyone does it.


> Bogus criteria. So being around people who are natural at doing it is annoying.

Annoyance is a far cry from fear, and you used the word “safe”. While there are people who have good reason to fear those who misgender them (those who do so on purpose and are threatening to them because of it) I haven’t quite seen the case for the reverse.

Every group has annoying extremist people and it’s understandable to want to avoid those, but judging a whole community on account of some outliers on a bad day does not seem fair.

> Expressing your gender identity signals that you consider it to be significant.

Not necessarily. It seems to be more common to see people doing so in solidarity, basically to signal “if you’re the type of person to whom this is important but are afraid to say so, this is somewhere where you can be safe from aggression”.

Worth noting that “gender identity can correlate with a person's assigned sex or can differ from it” so most people express their gender identity.

https://en.wikipedia.org/wiki/Gender_identity

> Pronouns and names are easy. It's not easy dealing with whatever weird ideas of masculinity and femininity some people come with.

This person was non-binary, which is why they used the pronouns fluidly.

I don’t see why considering masculinity and femininity to exist on a spectrum is weirder than thinking there’s a hard line. And why do you have to “deal with” it? I’m struggling to understand that part. Every person is different anyway, there are women who do not wear makeup and men who do not like sports, it’s much simpler to not ascribe any behaviour to a gender.

> Especially if your world is not as pink/blue split as theirs.

While they were good natured, I wouldn’t classify their world in those colours. At the time I met them they were in fact quite fearful for the results of an election in their country. The kind of election where some people would treat them as subhuman.

> I think this would be a non-issue if gendered people had more awareness that gender is a) culturally local and b) not everyone does it.

Now I’m curious again. Since you’re presumably talking about other people, are you saying that you don’t consider yourself to be gendered or have a gender yourself? That is interesting to me. I invite you to share more on it, I’m not sure what question to ask yet and wouldn’t want to make you uncomfortable.


My complaint is not directed at trans people, but the people who care much about gender identity, and trans people are more likely of this kind because it's a common reason for transitioning. Cis people can and will do the exact same stuff.

> I don’t see why considering masculinity and femininity to exist on a spectrum is weirder than thinking there’s a hard line

This stab goes into the wrong direction. I consider both fiction. What people do seems like role play to me. It is okay when people commit themselves to it, but they need to know the limits to it. Or ask for consent beforehand.

The pink/blue was not a reference to US politics, it was a reference to the gender binary as displayed on the transgender flag. People who classify every other thing as masculine or feminine are difficult.

And to me, I don't have a gender identity, just like every other newborn human, beyond what other people attribute to me, against my wishes. I reject the "marginalized minority" approach to it as I consider it patronizing, I'm a self-responsible adult.


> My complaint is not directed at trans people, but the people who care much about gender identity

That’s what I understood.

> The pink/blue was not a reference to US politics, it was a reference to the gender binary

Again, that’s what I took it as. Especially since I’m not American and neither was the non-binary person I mentioned. I didn’t take your comment as political.

Unfortunately, I think the medium of asynchronous text comments may be working against us here. I feel it would’ve been beneficial to have this conversation in person. Your take seems nuanced and not outright dismissive so I think it would be worth exploring further and attempt a consensus. But it’s getting late and I still have stuff to do.

Still, thank you for a civil conversation and indulging in my questions in good faith. Have a nice <insert your time of day> and week.


But you can’t avoid gender identities as long as you are speaking English.

There are 3 ways about this:

You codify that you remove them from communication. It’s pretty common on HN to say “author”, “op” or “parent” instead of he or she. Many parliaments have similar ways of talking, where you don’t use 3rd person pronouns.

Gender identities are assigned to people and they just have to accept it (this could be by a central authority like a government or on-the-fly by whoever is communicating or a mix), and communication can use 3rd person pronouns naturally.

Or, people assign their own identities, in which case, other people might have to be told which pronouns to use. Older systems, often still in use by airlines and hotels, ask for salutations, but they are problematic as they are both too specific and not specific enough. They tend to require some sort of job or educational background in order to be gender neutral and they are often interpreted as containing marital status information for female salutations (miss vs Mrs).

I think it’s weird to say the Python community is excluding you because they went with option 3 and not 1.

And lastly I think that saying that a community that asks you to voluntarily add a country sticker to your profile is exclusionary is more than a stretch.


So who manages Pypi? This document seemed vague on that. Maybe that's the problem with Pypi's progress in life.

Most packages on Pypi are complete crap. It's also heavily burdened with domain-specific applications and one-off student projects. They have no standards for what makes a useful package, and no ranking system aside from the number-of-downloads. I think package maintainers should be required to push an update every other year or have their package get dropped. I think frameworks should be separate from applications. I think packages without a lot of downloads should utilize endorsements and code-cleanliness metrics.


PyPI’s policies are here: https://policies.python.org/pypi.org/Acceptable-Use-Policy/

Outside of abuse, PyPI does not impose editorial standards on packages. That would take an incredible amount of additional work, and it’s not clear to me that it would be “better”. How much does it really matter if there’s a university student project on there with virtually no downloads?

“I think package maintainers should be required to push an update every other year or have their package get dropped.”

Sometimes libraries really are “finished” - if you go through your dependency stack you may find a surprising number of packages with no new releases in the past 12 months, because they didn’t need a release.

I tried that myself just now, here are some of the packages I found that haven't had a release in a few years:

    decorator               2022-01-07
    rfc3986                 2022-01-10
    aiosignal               2022-11-08
    colorama                2022-10-25
    h11                     2022-09-25
    jmespath                2022-06-17
    mdurl                   2022-08-14
    rsa                     2022-07-20
    mergedeep               2021-02-05
    dictdiffer              2021-07-22
    janus                   2021-12-17
    conda-content-trust     2021-05-12
    six                     2021-05-05
    uritemplate             2021-10-13
    pytest-clarity          2021-06-11
    ptyprocess              2020-12-28
    backcall                2020-06-09
    text-unidecode          2019-08-30
    PySocks                 2019-09-20
    sphinxcontrib-jsmath    2019-01-21
    pprintpp                2018-07-01
    homebrew-pypi-poet      2018-02-23
    pickleshare             2018-09-25
    webencodings            2017-04-05

Script here: https://gist.github.com/simonw/6165948ce595d74c767ce2bce8465...


Should there be an expectation of a package being particularly useful to be in a package repository?

You see the same in other places like npm or docker repositories and it is not a problem.

Manually checking things is very much out of scope for a service for open source like this. Limiting it by arbitrary metrics like code cleanliness would also just give a false sense of quality. One thing that'd make sense to me would just be asking for confirmation that the upload is not more suited to test pypi instead of the main one. Not sure whether the tools aren't already doing that or not.

The major problem that's being somewhat worked on now is typo squatting, names taken up by old packages, and other security considerations around pypi. Random packages being useless (or malware) doesn't fall under that in my mind as you just won't or shouldn't be downloading completely random things.

Admittedly there isn't as much man power dedicated to it as I think there should be, more so after I saw how much admin there is in PSF with the recent coc debacle.


I think you’re confusing two things: PyPI has maintainers and administrators, but that doesn’t mean that it’s a curated index. Like RubyGems, NPM, Cargo, etc., PyPI explicitly does not present a curated view of the packaging ecosystem. Doing so would require orders of magnitude more staffing than the index already has.

Python as a community prefers standards over implementations, which is why you could easily stand up your own curated alternative to PyPI if you wanted to. But I think you’ll discover that the overwhelming majority of users don’t want their resolutions breaking just because a particular package hasn’t needed an update in the last 6 months.


> This auditability is an interesting aspect of how 501(c)(3) organizations work, because it means you can donate funds to them and know that the IRS will ostensibly be ensuring that the money is spent in a way that supports their stated mission.

Come on. IRS is woefully understaffed. This might be a good talking point but short of some sort of egregious financial crime (like actual fraud) it seems unlikely the IRS gives a shit about how PSF spends its money.


That’s what I was trying to hint at with the word “ostensibly”.



