Anthropic invests $1.5M in the Python Software Foundation
discuss.python.org | 339 points by ayhanfuat 7 hours ago
https://pyfound.blogspot.com/2025/12/anthropic-invests-in-py...
This makes sense given how much of the current AI ecosystem is built on top of Python. I hope this helps the foundation improve security for everyone who relies on these libraries.

For anyone who isn’t aware/remembering, this is certainly made with the security of PyPI in mind, Python’s main package repository. NPM is the other major source of issues (congrats for now, `cargo`!), and TIL that NPM is A) a for-profit startup (??) and B) acquired by Microsoft (????). In that light, this gift seems even more important, as it may help ensure that relative funding differences going forward don’t make PyPI an outsized target!

(Also makes me wonder if they still have a Microsoft employee running the PSF… always thought that was odd.)

AFAIU the actual PSF development team is pretty small and focused on CPython (aka language internals), so I’m curious how $750,000/year changes that in the short term…

EDIT: there’s a link below with a ton more info. This gift augments existing gifts from Amazon, Google, Microsoft, and Citi, and they soft-commit to a cause:

> (Also makes me wonder if they still have a Microsoft employee running the PSF… always thought that was odd.)

You might be confusing the Python Steering Council - responsible for leadership of Python language development - with the PSF non-profit there.

The PSF is led by a full-time executive director who has no other affiliation, plus an elected board of unpaid volunteer directors (I'm one of them). Microsoft employees occasionally get voted into the board, but there is a rule to make sure a single company doesn't have more than 2 representatives on the board at any one time.

The board also elects a chair/president - previously that was Dawn Wages who worked at Microsoft for part of that time (until March 2025 - Dawn was chair up to October), today it's Jannis Leidel from Anaconda.
Meanwhile the Python steering council is entirely separate from the PSF leadership, with their own election mechanism voted on by Python core contributors. They have five members, none of whom currently work for Microsoft (but there have been Microsoft employees in the past.)

Wow, I didn't know you got a spot on the board, that's a great choice on their part! Thanks for giving your time.

Yes, I was talking about Wages -- the day-to-day is surely complex, but I'm sure you'd agree that the president of the board is ultimately "above" the chief executive if push ever came to shove, at least on paper. I will grant that I used "running", which is quite unclear in hindsight! "Responsible for" or "leading" seems more accurate.

She seemed great as policymaker and person, but when I last checked her job was literally to be Microsoft's Python community liaison, and that just struck me as... dangerous? On the nose? Giving the reins to someone from a for-profit, $1.5B corporation whose entire business depends directly upon the PSF's work also seems like an odd choice. Again, I'm sure they're great as an individual, and during normal operations there are no competing interests so it's fine. It's just...

I guess I just have a vision for the non-profit org guiding the world's most popular programming language that doesn't really mesh with the reality of open source funding as it exists today, at the end of the day; the "no 2 representatives from the same company" rule seems like a comforting sign that they(/y'all!) share that general philosophy despite the circumstances.

Us board members voted to put Dawn in that position. The position doesn't have much additional power at all - the chair spends a little more time with the executive director and gets to set the agenda for the board meetings, but board actions still require a vote from the board.

If we felt like an employee of a specific company was abusing their position on the PSF board we would take steps to address that.
Thankfully I've seen no evidence of that from anyone during my time on the board. If anything it's the opposite: board members are very good about abstaining from votes that their employer might have an interest in.

> I'm sure you'd agree that the president of the board is ultimately "above" the chief executive if push ever came to shove, at least on paper.

That is not true of the PSF, nor of many (most?) other US nonprofits. Not on paper, and not practically speaking. The director reports to the board, but officers have little to no unitary power. You can go read the PSF’s bylaws if you like, and if you do you’ll see that officers, including the president, can do very little without a board vote. And because of aforementioned policy, that’s a max of two votes from people employed by a single company.

Also, like, do you know anything about Dawn? She’s been serving the Python community waaaay longer than she’s worked for Microsoft. Questioning her ethics based on absolutely nothing is unfounded and, honestly, pretty fucked up.

There’s this pernicious lie that Microsoft is somehow controlling the PSF. It’s based on about as much evidence as there is for Flat Earth, yet here it is again. At best, repeating this lie reflects profound ignorance about how the PSF actually functions; at worst it seems like some kind of weird disinfo campaign against one of the most important nonprofits in open source.

Nodding along with everything you wrote here, but one minor point for anyone who might read the bylaws and get confused.

https://www.python.org/psf/bylaws/

> Section 5.15. Limits on Co-affiliation of Board Members. No more than one quarter (1/4) of the members of the Board of Directors may share a common affiliation as defined in Section 5.14.

The PSF allows three board members to share an affiliation, 13 seats * 0.25 ~= 3.25. TBH, that's one too many, and I helped write/recommend the original language.
When I was on the board, three felt like too many, even though everyone was wonderful, and it was Google, not Microsoft, that hit the limit. The DSF (Django Software Foundation) recently adopted a two-person limit, which I recommend more boards consider.

Microsoft was serious about supporting Python as far back as 2006, because IronPython was a real effort in Redmond. (I'm wondering how they think of it now.)

They are probably trying to build influence. Why is a startup that is burning cash donating money?

Businesses should definitely support the open source projects that they use. I'm still astounded that professional developers seem so averse to paying for the tools and libraries that they use to make their own money.

They are heavily focused on code. Claude Code likely generates 100s of millions of lines of Python a day; making the language a little bit better with $1.5M is extremely high leverage.

And if this money improves PyPI security (part of the focus), that reduces the chance of Claude Code adding malicious packages to a code base (a well publicized case of this could be a big PR headache for Anthropic). This donation is likely much better leverage than trying to somehow add mitigation at the Claude Code level.

Care to elaborate on how $1.5M makes Python better?

The donation is earmarked for security concerns, i.e. improving PyPI from a security perspective to prevent/mitigate supply chain attacks, etc. This means a more healthy Python ecosystem, which also benefits their products which are utilizing said ecosystem likely more than any other.

Is it so hard to imagine that they do it because the PSF's work is important and they want to support them? All the AI labs depend hugely on the Python ecosystem and infrastructure. Startups burning cash spend on many things that are important to them.

Of course they are. These donations usually come out of the marketing budget. And it's working, we're talking about them.
But also they rely heavily on Python and want to support the ecosystem.

really find a negative in it ey - what type of donation and from who would be acceptable to you to fund the python foundation?

I must be the only one in here who thinks $1.5M is a small sum compared to Anthropic's size and the amount of value they have gotten out of Python. Good press is cheaper than I thought.

You are right, it is. But it would be a mistake for us to use this opportunity to attack them for it. We should applaud their donation today, and at another time assess the meager contributions of many companies that should be shamed. Every single financial institution on Wall Street, the City of London, Amsterdam, Tokyo, Dubai and so on, uses Python. Very few contribute. I've worked at a few that use the 'mold' linker to dramatically reduce their build times. Again, very few contribute. In this particular case, I managed to get one former employer to make a donation. But the list goes on. Short arms, deep pockets, as the saying goes.

It’s interesting to see everyone advocate for open source software with permissive licenses, then get mad when companies use them. If python wants to require money for updates or for customers over $X in revenue, they can! If companies don’t want to donate, they don’t have to just as python contributors don’t have to if they’re annoyed at how it’s used. All people do here is complain.

We can both applaud the effort and indicate it’s not enough. Two things can be true simultaneously.

It may not be enough, but I think it'd be more appropriate/constructive to point to other companies benefiting from Python that have never contributed, rather than saying one that contributed didn't do enough.

that was my first thought too, $1.5M is peanuts for Anthropic, however $1.5M is better than nothing, so it is worth some PR too. Good they do, I think we have to encourage companies to do it, shaming will not help.
Still crazy how little investment goes to Python given how critical it is to the ecosystem.

Poor management has played a role. They refused to invest in packaging to the extent that a separate company (astral) had to do it for them. Bugs closed for years with the excuse “we’re only volunteers.” Meanwhile, “outreach” was funded for several million a year. Not confidence inspiring. Maybe would have improved if the funds had been spent more appropriately. Similar story with Mozilla.

> They refused to invest in packaging to the extent that a separate company (astral) had to do it for them

uv didn't just happen in a vacuum, there has been lots of investment in the Python packaging ecosystem that has enabled it (and other tools) to try and improve the shortcomings of Python and packaging. There's PEP 518 [1] for build requirements, PEP 600 [2] for manylinux wheels, PEP 621 [3] for pyproject.toml, PEP 656 [4] for musl wheels platform identifiers, PEP 723 [5] for inline script metadata. Without all this uv wouldn't be a thing and we would be stuck with pip and setuptools or a bunch of more bandaid hacks on top making the whole thing brittle.

[1] https://peps.python.org/pep-0518/
[2] https://peps.python.org/pep-0600/
[3] https://peps.python.org/pep-0621/
[4] https://peps.python.org/pep-0654/
[5] https://peps.python.org/pep-0723/

It seemed pipenv is more than sufficient, why should I use uv?

Anecdata, but uv served as a very good packaging mechanism for a Python library I had to throw on an in extremis box, one that is not connected to the Internet in any way, and one where messing with the system Python was verboten and Docker was a four-letter word.

That's the thing, you don't have to :) While I think uv is a great tool and highly recommend it, you are more than welcome to use any of the other build backends or package management tools that fit your workstyle. By having these packaging PEPs (amongst others), the ecosystem has been able to try out different approaches and most likely over time will consolidate on specific ones that work better than the others.

Where are you getting these numbers? Looking at the PSF's Report for 2024 [0], 50% of their expenses went to pycon. Would you consider that outreach? I believe conferences are very important as part of the health of a language, and reading the definition of outreach[1], I would not classify the conference as that. The second highest amount of expenses (27.1%) went to (surprise!) "Packaging Work Group/Infrastructure/Other", i.e. pypi, pip etc... "Outreach & Education" was only 2.8% of 12.9% of expenses, i.e. 0.3612%, which is $17846 (actual dollars, not thousands like in the report.)

[0] https://www.python.org/psf/annual-report/2024/
[1] https://en.wikipedia.org/wiki/Outreach

The assertions above are my memory from pre-covid, I’d look at 2019 and before perhaps. Many things changed after that (and council too) but it takes a while to change perception.

In 2019 [0] they only had 2.5 million of total expenses, of which 75% was pycon. So even if everything else was on "outreach" (it was not), that would only be $642,500, which is not "several million a year". In 2020 [1] 48.1% went to "Packaging Work Group/Infrastructure/Other" (I assume because in person pycon was canceled). I also checked 2021 [2], which was 32.7% pycon and 31.2% pip etc... Also 2022 [3], 57.8% pycon, 26.6% Packaging Work Group... In 2023 [4], 60.5% pycon, and Packaging Work Group expenses decreased to 9.6% because Fastly now provides the bandwidth/hosting: "We are grateful to Fastly for making the online services that the PSF provides possible, so that we can invest time and resources into advancing our infrastructure to better meet community wants and needs." So your assertion seems to have never been true.

[0] https://www.python.org/psf/annual-report/2019/
[1] https://www.python.org/psf/annual-report/2020/
[2] https://www.python.org/psf/annual-report/2021/

As mentioned covid changed everything, so please stop pulling figures from that once in a lifetime event.

I have looked at 2018-2016, where the expenses are almost completely the main pycon and more local pycons. Also sponsorships like "Pallets group, which maintains projects such as Flask and Jinja" (2018). Everything other than the main pycon is less than 1 million dollars combined in expenses. I feel it is important to look at the facts, not just vibes.

> Also sponsorships like "Pallets group ...

Those are "fiscal sponsorships" meaning the PSF holds money for other organizations. The PSF is not funding Pallets (or Boston Python or North Bay Python, etc, etc). They accept money earmarked for those organizations and provide administrative support. Details: https://www.python.org/psf/fiscal-sponsorees/

A portion of pycon expenses are spent on outreach and teaching during the event. Arguably all of pycon is outreach. There are dedicated grants, aid, support as well. The 2019 PDF breakdown doesn't seem to be available any longer. During the 2010s, the packaging group was begging for help. "We're only volunteers," a common refrain: https://news.ycombinator.com/item?id=46605018 During the 2020s, funding for packaging was provided by Mozilla and Chan-Zuck, as PSF wasn't doing enough.
https://www.python.org/psf/annual-report/2019/

As we all know, Astral stepped in and solved the problem for them. I moved to their tools as soon as was possible. And not simply because they were fast, but because they work. For example, here's one that pypa broke for my package a couple of years ago in pip, and never fixed: https://github.com/pypa/packaging/issues/774

I don't know much about the Linux Foundation if I'm being honest, even though I've been a 24/7 Linux user for decades, but they seemingly don't have the same image in the ecosystem, at least not close to how people see Mozilla today. Why is that? Are there lessons to be learned from the Linux Foundation on how to actually effectively and responsibly manage that sort of money, in those types of projects?

The Linux foundation is not a nonprofit. It is registered as a 501c6, basically a business consortium, unlike the Python software foundation which is a nonprofit (501c3). The Linux foundation also stewards way more foundations and projects than just "Linux". They are, among other things, in the business of creating foundations and making money that way. For every organization under the Linux foundation, say the CNCF, to be a part of those subprojects, you need to pay a Linux foundation tax. The Python Software foundation I don't know much about but their scope seems to be only stewarding python. They seem to have far less corporate outreach than the Linux foundation.

Linux Foundation 990 - note page 16-17 with the salaries - these are for-profit entity salaries, not nonprofit salaries. https://apps.irs.gov/pub/epostcard/cor/460503801_201812_990O...

A foundation should invest in its technology first and resist the strong temptation to fund pet projects (of leadership) with donated money.

I'm not sure what you are labeling as pet projects of leadership? Is there something the PSF is doing that you consider a pet project rather than part of their core mission?

Yes, outreach before investing in packaging.
It’s not that outreach is bad but that packaging was crumbling.

I'm not sure how you got to "before" here. The PSF runs PyPI, organizes the Python Packaging Authority, supports sprints and standardization efforts, funds developers in residence and so on. Packaging is improving, partly because of those efforts. It's not an either/or.

https://devclass.com/2025/03/10/pypi-repository-takes-steps-...

Yes, it could use more funding. Glad to see that Anthropic is helping. It's still not an either/or situation. The PSF would not be fulfilling their mission if they only funded packaging until packaging was "solved" (whatever that might mean) and only then did they fund outreach.
hdjdndndba - 6 hours ago
bbor - 6 hours ago
Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review. We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis.
simonw - 4 hours ago
bbor - 2 hours ago
simonw - an hour ago
jacobian - an hour ago
webology - 10 minutes ago
jjtheblunt - 4 hours ago
returnInfinity - 5 hours ago
amykhar - an hour ago
red2awn - 3 hours ago
rented_mule - an hour ago
johnisgood - 2 hours ago
skeledrew - 2 hours ago
nedbat - 5 hours ago
jedberg - 5 hours ago
nikcub - 33 minutes ago
hamandcheese - 5 hours ago
tomComb - 5 hours ago
DrBazza - 5 hours ago
tyre - 5 hours ago
1stranger - 5 hours ago
notyourwork - 5 hours ago
skeledrew - an hour ago
defraudbah - 5 hours ago
qaq - 5 hours ago
mixmastamyk - 5 hours ago
jborean93 - 2 hours ago
iwontberude - an hour ago
hiAndrewQuinn - an hour ago
jborean93 - an hour ago
teh64 - 5 hours ago
mixmastamyk - 4 hours ago
teh64 - 4 hours ago
mixmastamyk - 4 hours ago
teh64 - 4 hours ago
nedbat - 4 hours ago
mixmastamyk - 3 hours ago
embedding-shape - 5 hours ago
upboundspiral - 2 hours ago
mixmastamyk - 4 hours ago
nedbat - 4 hours ago
mixmastamyk - 4 hours ago
nedbat - 4 hours ago
mixmastamyk - 4 hours ago
> CPython core developer Paul Moore described his involvement in the
> packaging community and said: “it’s struggling under the weight of its own
> popularity … the individuals involved are doing their best under what are
> frankly near-impossible conditions.”
> Moore questioned whether the fact that so many businesses now depend on
> Python and PyPI meant that “maybe a purely volunteer basis simply can’t
> work any more,” though he hoped this is not the case.
nedbat - 4 hours ago