> On Jul 23, 2016, at 12:11 PM, Donald Stufft <don...@stufft.io> wrote:
> 
> 
>> On Jul 23, 2016, at 2:40 PM, Nicholas Chammas <nicholas.cham...@gmail.com> wrote:
>> 
>> I know a more concrete proposal would have to address a lot of details (e.g. 
>> like how to split contributions across multiple maintainers), and perhaps 
>> there is no way to find the resources to build or maintain such a thing in 
>> the first place. But just for now I’d like to separate the essence of the idea 
>> from the practical concerns of implementing it.
> 
> 
> I’m mulling over the idea in my head, but one other thing we’d need to figure 
> out is the *legality* of doing this and if it’s something the PSF is willing 
> to do at all.

This was my initial reaction as well.

It would be awesome if it worked!  It would potentially go a long way to 
addressing the now much-discussed problem of funding open source infrastructure 
<https://medium.com/@nayafia/how-i-stumbled-upon-the-internet-s-biggest-blind-spot-b9aa23618c58#.tvr6exin9>.
But it is also a legal and financial minefield.  Even if a lawyer says it's 
OK and it's possible to comply with the law, you still generate a lot of work 
for an accountant to actually do the complying.

https://gratipay.com is a good, recent example of an 
apparently simple idea like this running into severe legal consequences and 
nearly imploding as a result.  Another potential problem that may not be 
initially obvious: due to the somewhat ambiguous nature of the funding 
structure, they also became a popular payment processor for nazis and white 
supremacists, since it's hard to get paid for producing nazi propaganda on 
other platforms.  Of course, PyPI might always be used as an update platform 
for malware or a C&C control point too, so it's not like there are no risks in 
operating it as it currently stands, but money always has the potential to make 
things worse.

I don't want to be doom-and-gloom here, in fact I would _very_ much like to see 
this project happen.  I just think that in order to do it in a way which 
doesn't backfire horribly, it has to be responsibly staffed at the outset so 
that problems like these, that we know about, can be addressed up front, and 
the inevitable ones that don't seem obvious at the moment have a clearly 
responsible person to go fix them as they arise, in a timely way.

-glyph
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
