Python Software Foundation Withdraws from $1.5M NSF Grant Over DEI Terms

The Python Software Foundation (PSF) has unexpectedly withdrawn from a significant federal grant opportunity from the National Science Foundation (NSF) due to newly imposed restrictions regarding diversity, equity, and inclusion (DEI). The funding, which amounted to $1.5 million, was intended to enhance the safety and security of open-source software ecosystems. The PSF’s decision reflects an ongoing tension between organizational values and government funding requirements, a situation that has drawn attention within the tech community.

DEI Restrictions Prompt Grant Withdrawal
The PSF was selected for a grant aimed at addressing vulnerabilities in both Python and its package repository, PyPI. However, the NSF’s contract conditions mandated that all funded organizations refrain from any programming that advances DEI or similar initiatives. This stipulation was viewed by the PSF as incompatible with its mission, which emphasizes inclusivity and community engagement.

Loren Crary, Deputy Executive Director of the PSF, articulated the organization’s concerns regarding the implications of these restrictions. She emphasized that the terms not only hindered the PSF’s planned work but also introduced financial uncertainties, including potential clawbacks of funds. Crary stated, “These [contract] terms included affirming the statement that we ‘do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws.’” This provision extended beyond the grant-funded project, affecting all PSF operations.

Impact on Security Initiatives
The NSF grant represented a landmark opportunity for the PSF, potentially being the largest single donation in its history. The funding was expected to expedite the development of automated security tools designed to proactively screen code packages uploaded to PyPI. Currently, this security process remains largely reactive, and the envisioned tools would utilize capability analysis informed by known malware to enhance overall security measures.

Crary expressed disappointment over the necessity of this decision, stating, “We believe our proposed project would offer invaluable advances to the Python and greater open-source community, protecting millions of PyPI users from attempted supply-chain attacks.” The NSF grant, known as NSF-24-608, aimed to catalyze significant improvements in safety and security for open-source ecosystems that currently lack the resources to undertake such enhancements.

The PSF’s withdrawal highlights the growing complexity at the intersection of technical advancement and organizational principles. As professionals and advocates within the open-source sector reflect on this situation, it serves as a cautionary tale regarding the risks of relying solely on government funding when terms may conflict with established community commitments, such as DEI.

Organizations that prioritize social commitments should consider alternative funding sources and partnerships that allow them to uphold their core values while pursuing operational goals. This incident sends a clear message to federal agencies about the necessity of aligning grant requirements with the practices and principles of the open-source communities they aim to support. Failure to do so could result in sidelining vital projects that contribute to broader cybersecurity resilience.