The Python Software Foundation (PSF), a prominent advocate of secure open-source development, announced its decision to withdraw from a substantial federal funding opportunity, surprising many in the tech community. The PSF cited newly introduced contractual limitations around diversity, equity, and inclusion (DEI) as the main obstacle, raising concerns about balancing organizational values with government compliance. Observers see this development as a reflection of broader national debates that now directly impact technological innovation and community structures.
There have been previous instances where the open-source software sector and government funding requirements were misaligned, but these typically focused on security protocols, intellectual property, or data privacy, rather than on social policies such as DEI. In earlier years, major funding announcements for organizations like the PSF drew attention for their potential to drive security improvements and community engagement across open-source platforms. The current situation sets itself apart as the dispute centers on values and organizational autonomy, rather than technical or operational terms.
What Led to the PSF Grant Withdrawal?
The PSF was selected for a $1.5 million research grant from the National Science Foundation (NSF) aimed at strengthening the safety and security of open-source software ecosystems. While the project intended to address vulnerabilities in both Python and its package repository, PyPI, contract conditions required all funded organizations to reject any programming supporting DEI or similar initiatives. The PSF found these stipulations, which reached beyond the funded work, incompatible with its mission.
How Did PSF Respond to the New Restrictions?
Loren Crary, Deputy Executive Director of PSF, detailed the organization’s position, highlighting concerns not just about limiting its work, but also about financial unpredictability from potential clawbacks of funds.
“These [contract] terms included affirming the statement that we ‘do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws,’”
she stated, adding that the provision extended to all PSF operations, not just the work funded by the grant.
What Was at Stake for Python and the Open-Source Community?
The proposed NSF grant would have provided “easily” the largest single donation in the PSF’s history, potentially accelerating development of automated security tools for reviewing code packages uploaded to PyPI. Currently, this process is largely reactive. The tools envisioned would have used capability analysis informed by known malware to proactively screen submissions, providing a security framework that could benefit other platforms such as NPM and Crates.io.
“We’re disappointed to have been put in the position where we had to make this decision, because we believe our proposed project would offer invaluable advances to the Python and greater open source community, protecting millions of PyPI users from attempted supply-chain attacks,”
Crary emphasized.
The NSF grant, identified as NSF-24-608, was specifically designed to “catalyze meaningful improvements in the safety, security, and privacy of the targeted [open source ecosystem] that the [ecosystem] does not currently have the resources to undertake.” The expectations for this funding had been that organizations like PSF would direct resources towards securing the open-source software supply chain, bolstering protections for the rapidly growing user base of community-developed code.
The PSF’s decision to withdraw illustrates the increasingly complex landscape where technical advancement and organizational values intersect. For professionals and advocates in the open-source field, this situation provides a cautionary tale about the potential risks of relying solely on government funding when contract terms may conflict with established community commitments, such as DEI. Organizations with similar social commitments can explore alternative funding sources and partnerships that allow them to maintain both operational focus and core values. It also signals to federal agencies the importance of aligning grant requirements with the practices and principles of the open-source communities they seek to support, or risk sidelining projects vital to broader cybersecurity resilience.
- The PSF declined a $1.5M NSF grant over DEI-related contract language.
- Automated code security tools for PyPI were central to the proposed project.
- Conflicting values between funding terms and PSF’s mission prompted the withdrawal.
