[personal profile] thewayne
The PSF isn't a huge organization, but they do a lot of work. They have an annual budget of about $5 million and had applied for, and were close to receiving, a $1.5 million grant from the National Science Foundation to “address structural vulnerabilities in Python and PyPI.” PyPI is the package repository that TONS of Python projects install their libraries from, and it has been the target of what are known as supply-chain attacks.

So what's a supply-chain attack? In brief, you take a library that's commonly used. Let's say it lets you send output to a PDF from within your Python program, a fairly common task, and something most programmers don't want to reinvent and won't bother inspecting for vulnerabilities. The attack happens when a bad guy changes the code of that PDF library and uploads the change upstream, and now, in addition to generating the PDF, it sniffs around your computer and does... stuff. Infects it with malware, perhaps. Gains admin access and strolls around the network. Looks for crypto wallets and steals them. It can do all sorts of stuff. That, in very simplified form, is a supply-chain attack. And if the program you are writing is released as open source and lots of people download it, THEY can all be subverted too!

The PSF was going to use the money to implement automatic code inspection systems, so that any change uploaded to PyPI would be inspected automatically, reducing the threat of supply-chain attacks. Lots of good stuff.
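The mitigation a consumer of a library controls is to pin each reviewed release by its hash and refuse anything that differs, so a later change to a release, or a release nobody has looked at yet, is rejected instead of executed. The script below is an added example written for this post, not PSF or PyPI code; the artifact names, their contents and the "tampered" copy are all constructed, and the only real format it produces is pip's hash-checking requirements syntax used with `pip install --require-hashes`.

```python
"""Hash-pinned dependency verification (added example, not PSF/PyPI code).

A lockfile records the SHA-256 of each release artifact at the time it was
reviewed.  Later downloads are re-hashed and anything that does not match,
or was never pinned, is refused.  All artifacts and bytes below are
constructed for the example, not real PyPI data.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for release files a maintainer reviewed before pinning.
# Real sdists/wheels are archives; a few bytes are enough to show the mechanism.
REVIEWED_ARTIFACTS = {
    "pdfgen-1.2.0.tar.gz": b"def render_pdf(doc):\n    return doc.encode()\n",
    "imgtools-0.9.1-py3-none-any.whl": b"PK\x03\x04 constructed wheel bytes",
}


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str  # hex digest recorded at review time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_version(filename: str) -> tuple[str, str]:
    """Split 'pkg-1.2.0.tar.gz' or 'pkg-0.9.1-py3-none-any.whl' into (name, version)."""
    stem = filename[:-7] if filename.endswith(".tar.gz") else filename[:-4]
    parts = stem.split("-")
    return parts[0], parts[1]


def build_lockfile(artifacts: dict) -> dict:
    """Record the digest of each reviewed artifact, keyed by filename."""
    lock = {}
    for filename, data in artifacts.items():
        name, version = name_version(filename)
        lock[filename] = Pin(name, version, sha256_hex(data))
    return lock


def verify_download(filename: str, data: bytes, lock: dict) -> str:
    """Return 'ok', 'unpinned' (never reviewed) or 'mismatch' (changed since review)."""
    pin = lock.get(filename)
    if pin is None:
        return "unpinned"
    return "ok" if sha256_hex(data) == pin.sha256 else "mismatch"


def verify_all(downloads: dict, lock: dict) -> dict:
    """Check every downloaded artifact against the lockfile."""
    return {fn: verify_download(fn, data, lock) for fn, data in downloads.items()}


def to_requirements(lock: dict) -> str:
    """Render pip's hash-checking requirements format (pip install --require-hashes)."""
    return "\n".join(
        f"{p.name}=={p.version} --hash=sha256:{p.sha256}" for p in lock.values()
    )


if __name__ == "__main__":
    lock = build_lockfile(REVIEWED_ARTIFACTS)
    downloads = dict(REVIEWED_ARTIFACTS)
    # Constructed cases: a reviewed file with extra bytes appended, and a
    # package nobody on the team has reviewed at all.
    downloads["pdfgen-1.2.0.tar.gz"] += b"# extra code appended after review\n"
    downloads["leftpad-9.9.9.tar.gz"] = b"never reviewed"
    for fn, status in verify_all(downloads, lock).items():
        print(f"{status:9} {fn}")
    print(to_requirements(lock))
```

One caveat worth knowing: PyPI does not let a publisher replace a file once it is uploaded, so a modified library normally arrives as a new version rather than as changed bytes under the old filename. That is why the `unpinned` result matters as much as `mismatch`: a new version stays unpinned, and therefore uninstallable under `--require-hashes`, until someone reviews it and updates the lockfile.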

But there was a problem...

The grant application was close to being approved when the board that reviews such applications noticed that the "...foundation’s mission statement includes a goal “to support and facilitate the growth of a diverse and international community of Python programmers,” which conflicted with the grant requirements."

And there was another problem. If you accepted the grant, you also accepted that the NSF could claw back the funds whenever it wanted! Basically, you take the $1.5 mil, spend it, and a few years later they decide you're too woke and take it all back, directly out of your bank account. And if your cash flow was a little tight at that time, well, sorry! Your foundation just went negative and is no longer solvent!

The board of the PSF decided to withdraw its grant application to the NSF and pursue other avenues to complete its mission.

https://arstechnica.com/tech-policy/2025/10/python-foundation-rejects-1-5-million-grant-over-trump-admins-anti-dei-rules/

Date: 2025-10-28 08:08 pm (UTC)
From: [personal profile] dewline
Good on PSF for turning away from this.

Horrific.

Date: 2025-10-28 08:54 pm (UTC)
From: [personal profile] richardf8
Money is control. One day it's to close a supply chain hack, the next day you hear "but we want a back door because of the reasons." Glad they're staying independent.

Date: 2025-10-29 01:02 am (UTC)
From: [personal profile] disneydream06
Smart on them for not playing with the Regime. :o
Hugs, Jon

Date: 2025-10-29 09:59 am (UTC)
From: [personal profile] moxie_man
Glad they're refusing to raise an arm and call out Heil Trump!

Date: 2025-10-29 05:17 pm (UTC)
From: [personal profile] arlie
Good for them. I wish them lots of luck finding other funding.

Date: 2025-10-29 11:11 pm (UTC)
From: [personal profile] kaishin108
Thank goodness they read the fine print. No wonder grants are so complicated.

Date: 2025-11-02 05:14 pm (UTC)
From: [personal profile] kaishin108
What a great thing to get a grant for. That does sound very useful. How sad they are now gone.

Date: 2025-11-02 07:30 pm (UTC)
From: [personal profile] kaishin108
Oh wow. I guess a lot can happen in 20 years!

Date: 2025-11-01 03:44 am (UTC)
From: [personal profile] silveradept
We all know that the administration's rules about "no DEI!" are about making sure that they only do things that will benefit the wealthy white people that profit from the government, or make sure the white men who want a racist, sexist country where they control all the resources will vote for them, but this is one of those situations where the policies of the chucklefucks in charge actively hurt them. I wonder how much Python code the government uses, and how much they rely on things like PyPI to make sure it works properly. Not that anyone high up wants to admit it.

Date: 2025-11-01 06:16 am (UTC)
From: [personal profile] silveradept
You can probably count them on one hand.
