The Python Software Foundation (PSF) rejects U.S. government grant to increase software security
Oct. 28th, 2025 01:35 pm
The PSF isn't a huge organization, but they do a lot of work. They have an annual budget of about $5 million and had applied for, and were close to receiving, a $1.5 million grant from the National Science Foundation to "address structural vulnerabilities in Python and PyPI." PyPI, the Python Package Index, is the repository TONS of Python projects pull their libraries from, and it has been the target of what's known as supply-chain attacks.
So what's a supply-chain attack? In brief, you take a library that's commonly used. Let's say it lets you send output to a PDF from within your Python program, a fairly common task, and something most programmers don't want to reinvent and won't bother inspecting for vulnerabilities. The attack happens when a bad guy changes the code of that PDF library and uploads the changed version as the new release, and now, in addition to generating the PDF, it sniffs around your computer and does... stuff. Infects it with malware, perhaps. Gains admin access and strolls around the network. Looks for crypto wallets and steals them. It can do all sorts of stuff. That, in very simplified form, is a supply-chain attack. And if the program you are writing is released as open source and lots of people download it, THEY can all be subverted too!
The PSF was going to use the money to build automated code inspection systems, so that any changes uploaded to PyPI would be inspected automatically, etc., to reduce the threat of supply-chain attacks. Lots of good stuff.
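The inspection the PSF planned would happen on the index side. On the consumer side, the usual defence against a swapped-out release is to pin each dependency to the hash of the artifact you actually reviewed, so a changed upload simply refuses to install. As an added illustration (not code from the PSF, PyPI or this post), here is a minimal checker in the spirit of pip's `--require-hashes` mode; the package name `pdf-maker`, its version and the "wheel" bytes are constructed stand-ins.

```python
import hashlib
import re

# Parser for pip's hash-pinned requirement lines (no line continuations):
#   name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=\w+:[0-9a-fA-F]+)*)\s*$")
_HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


def parse_hashed_requirements(text):
    """Return {name: [(algorithm, hexdigest), ...]}; refuse anything unpinned."""
    pinned = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable or unpinned requirement: {line!r}")
        name, _version, hashes = m.groups()
        pairs = _HASH_RE.findall(hashes)
        if not pairs:
            raise ValueError(f"no --hash given for {name}")
        pinned[name.lower()] = [(alg.lower(), hexd.lower()) for alg, hexd in pairs]
    return pinned


def verify_artifact(name, data, pinned):
    """True only if the downloaded bytes match one of the pinned digests."""
    expected = pinned.get(name.lower())
    if not expected:
        return False  # unpinned packages are refused, not waved through
    return any(hashlib.new(alg, data).hexdigest() == hexd for alg, hexd in expected)


# Constructed stand-ins: the "wheel" as reviewed, and the same wheel after a
# malicious re-upload appended code nobody reviewed.
GOOD_WHEEL = b"PK\x03\x04 pdf_maker/__init__.py: def to_pdf(doc): ...\n"
TAMPERED_WHEEL = GOOD_WHEEL + b"# injected: code that was never reviewed\n"
REQUIREMENTS = (
    "# pinned at review time\n"
    "pdf-maker==1.4.0 --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n"
)
PINNED = parse_hashed_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print("reviewed wheel accepted:", verify_artifact("pdf-maker", GOOD_WHEEL, PINNED))
    print("tampered wheel accepted:", verify_artifact("pdf-maker", TAMPERED_WHEEL, PINNED))
```

The pinned digest only protects you if it was recorded from an artifact someone actually looked at; pinning whatever the index serves today just freezes the current upload, good or bad.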
But there was a problem...
The grant application was close to being approved when the board that reviews such applications noticed that the "...foundation’s mission statement includes a goal “to support and facilitate the growth of a diverse and international community of Python programmers,” which conflicted with the grant requirements."
And there was another problem. By accepting the grant, you also accepted that the NSF could claw back the funds whenever they wanted to! Basically, you take the $1.5 million, spend it, and a few years later they decide you're too woke and take it all back, directly out of your bank account. And if your cash flow was a little tight at that time, well, sorry! Your foundation just went negative and is no longer solvent!
The board of the PSF decided to withdraw their grant application with the NSF and pursue other avenues to complete their mission.
https://arstechnica.com/tech-policy/2025/10/python-foundation-rejects-1-5-million-grant-over-trump-admins-anti-dei-rules/