
The Python Software Foundation (PSF) made a principled stand this week by rejecting a $1.5 million grant from the National Science Foundation (NSF), calling acceptance a "betrayal of our mission" because the award forbade Diversity, Equity, and Inclusion (DEI) programs. The grant, the largest ever offered to the PSF, was earmarked for securing Python's package ecosystem but came with restrictive terms reflecting the Trump administration's anti-DEI policy.

The Security Initiative at Stake

The proposed NSF funding targeted malicious packages on PyPI (the Python Package Index), the central repository for Python libraries used by millions of developers. After a rigorous multi-round proposal process, the PSF planned to:
- Develop automated tools for proactive malware scanning of all PyPI uploads (replacing reactive-only reviews)
- Build capability analysis systems using known malware datasets
- Create frameworks transferable to other OSS registries like npm and Crates.io
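To make concrete what "capability analysis" of an upload means, here is an added example: a small static scanner that walks the abstract syntax tree of every .py file in a source distribution and maps calls to coarse capabilities (decoding of obfuscated data, dynamic code execution, process spawning, network access, and install-time hooks registered through `setup(cmdclass=...)`). This is illustrative code written for this article, not PSF or PyPI tooling and not the planned system; the `CAPABILITY_CALLS` table, the `verdict()` triage rule and the sample sdist are all constructed for the example, where a real pipeline would derive its signals from a labelled corpus of known malware.

```python
"""Static capability analysis of a Python sdist (added example, not PSF/PyPI code)."""
import ast
import io
import tarfile
from collections import defaultdict

# Constructed for this example: fully-qualified call -> capability label.
CAPABILITY_CALLS = {
    "exec": "code_exec", "eval": "code_exec", "compile": "code_exec",
    "base64.b64decode": "decode_obfuscated", "zlib.decompress": "decode_obfuscated",
    "codecs.decode": "decode_obfuscated",
    "subprocess.Popen": "process_spawn", "subprocess.run": "process_spawn",
    "subprocess.call": "process_spawn", "os.system": "process_spawn", "os.popen": "process_spawn",
    "socket.socket": "network", "urllib.request.urlopen": "network",
    "requests.get": "network", "requests.post": "network",
}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for any other callee."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

class _CapabilityVisitor(ast.NodeVisitor):
    def __init__(self, path, found):
        self.path, self.found = path, found
        self.aliases = {}  # local binding -> fully-qualified name, so `from os import system as run` still resolves

    def visit_Import(self, node):
        for a in node.names:
            top = a.name.split(".")[0]
            self.aliases[a.asname or top] = a.name if a.asname else top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module and node.level == 0:  # absolute imports only; relative ones are package-internal
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def _record(self, cap, node, what):
        self.found[cap].append(f"{self.path}:{node.lineno} {what}")

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name:
            head, _, rest = name.partition(".")
            fq = self.aliases.get(head, head) + (f".{rest}" if rest else "")
            cap = CAPABILITY_CALLS.get(fq)
            if cap:
                self._record(cap, node, fq)
            # setup(..., cmdclass={...}) overrides install/develop: that code runs at `pip install` time.
            if fq.endswith("setup") and any(k.arg == "cmdclass" for k in node.keywords):
                self._record("install_hook", node, "setup(cmdclass=...)")
        self.generic_visit(node)

def analyze_sources(sources):
    """sources: {path: python_source}. Returns {capability: [path:line callee, ...]}."""
    found = defaultdict(list)
    for path, src in sorted(sources.items()):
        try:
            tree = ast.parse(src, filename=path)
        except SyntaxError as e:  # unparseable files are a signal too, not something to skip silently
            found["unparseable"].append(f"{path}:{e.lineno}")
            continue
        _CapabilityVisitor(path, found).visit(tree)
    return dict(found)

def analyze_sdist(data):
    """Scan every .py member of a .tar.gz sdist given as bytes, without extracting to disk."""
    sources = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.endswith(".py"):
                sources[m.name] = tar.extractfile(m).read().decode("utf-8", "replace")
    return analyze_sources(sources)

def verdict(caps):
    """Constructed triage rule: capability combinations that rarely co-occur in benign packages."""
    caps = set(caps)
    if {"decode_obfuscated", "code_exec"} <= caps:
        return "quarantine"
    if "install_hook" in caps and caps & {"network", "process_spawn"}:
        return "quarantine"
    if caps & {"code_exec", "install_hook"}:
        return "review"
    return "pass"

# Constructed sample sdist: a setup.py that runs a base64-decoded shell command on install.
MALICIOUS_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("ZWNobyBwd25lZA==")  # "echo pwned"
        subprocess.Popen(payload, shell=True)

setup(name="totally-benign", version="0.1", cmdclass={"install": PostInstall})
'''
BENIGN_MODULE = "import json\n\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"

def build_sdist(files):
    """Build an in-memory .tar.gz from {path: text} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    sdist = build_sdist({"pkg-0.1/setup.py": MALICIOUS_SETUP, "pkg-0.1/pkg/__init__.py": BENIGN_MODULE})
    caps = analyze_sdist(sdist)
    for cap, hits in sorted(caps.items()):
        print(f"{cap}: {', '.join(hits)}")
    print("verdict:", verdict(caps))
```

The point of resolving import aliases before the table lookup is that trivial renaming (`from os import system as run`) must not evade the scan; the point of flagging `cmdclass` is that an sdist executes attacker code at install time, before any of the package's modules are imported. A production scanner would also look at wheels, at string and entropy features, and at behaviour in a sandbox, but the AST pass above is the cheap first filter such a pipeline runs on every upload.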

"This work would protect millions of PyPI users from supply-chain attacks," the PSF stated, emphasizing its potential to fortify open-source infrastructure globally.

The DEI Clause Conflict

NSF stipulations demanded recipients affirm they "do not, and will not... operate any programs that advance or promote DEI." Crucially, this restriction applied to all PSF activities—not just grant-funded work—with "claw back" provisions allowing NSF to reclaim spent funds for violations. For the PSF, whose mission explicitly supports a "diverse and international community," compliance was impossible:

"We can’t agree to a statement that we won’t operate any programs that ‘advance or promote’ diversity, equity, and inclusion," the foundation declared.

The PSF joins organizations like The Carpentries, which withdrew a similar NSF grant application in June over identical DEI restrictions. Both cases highlight how anti-DEI policies are impacting critical technical funding.

Implications and Next Steps

With a modest $5 million annual budget and 14 staffers, forfeiting $1.5 million represents a significant sacrifice. The PSF Board voted unanimously to withdraw, prioritizing community values over financial gain. While the security enhancements are now delayed, the foundation is calling for corporate and individual donations to revive the initiative. This decision sets a precedent for open-source organizations navigating ethical boundaries in funding partnerships.

Source: Ars Technica