Full Report
The Python Software Foundation (PSF) has withdrawn its $1.5 million grant proposal to the U.S. National Science Foundation (NSF) due to funding terms forcing a compromise on its commitment to diversity, equity, and inclusion.. [...]
Analysis Summary
# Industry News: Open Source Foundation Rejects Major US Grant Over DEI Mandate
## Summary
The Python Software Foundation (PSF) has withdrawn a $1.5 million grant proposal intended for enhancing Python and PyPI security after the U.S. National Science Foundation (NSF) imposed funding terms requiring the PSF to abandon its commitment to Diversity, Equity, and Inclusion (DEI) initiatives. This refusal highlights a growing conflict between U.S. federal funding priorities and the operational values of key open-source maintainers, potentially impacting security development pipelines.
## Key Details
- **Date:** Around October 28, 2025 (based on article publication)
- **Companies Involved:** Python Software Foundation (PSF), U.S. National Science Foundation (NSF)
- **Category:** Funding/Policy Rejection impacting R&D
## The Story
The PSF sought $1.5 million through the NSF’s Safety, Security, and Privacy of Open Source Ecosystems (POSE) program to develop automated malware detection tools for PyPI (and potentially port them to NPM and Crate.io), directly addressing critical open-source supply chain risks. After initial approval, the NSF attached restrictive clauses demanding that recipients affirm they would not operate programs that "advance or promote diversity, equity, and inclusion (DEI)." Because these restrictions applied to all PSF activities—not just the grant-funded work—and included the risk of clawbacks, the PSF board unanimously voted to reject the money, citing that DEI work is central to its mission. This mirrors a similar rejection by The Carpentries organization earlier in 2025 over the same funding stipulations.
## Business Impact
### For the Companies Involved
- **Python Software Foundation (PSF):** Faces an immediate $1.5 million funding gap for crucial security hardening projects (like PyPI malware detection). This forces the PSF to pivot immediately to alternative funding mechanisms (membership drives, sponsorships) while delaying important security initiatives.
- **NSF:** Fails to secure collaboration from a vital open-source project for its stated goal of improving open-source resilience, suggesting its current policy mechanisms are counterproductive to industry trust and security outcomes.
### For Competitors
- **Other Open Source Ecosystems (NPM, Crate.io):** While the malware detection tools were meant to benefit other platforms, the rejection signals that security improvements dependent on this specific federal funding stream may be delayed across the board if the underlying policy issue remains unresolved.
### For Customers
- **Python End Users/Enterprises:** Face continued, potentially unmitigated, risk associated with existing PyPI upload vulnerabilities until alternative funding is secured for the planned automated detection tools. The security posture of a foundational language ecosystem is temporarily stagnant regarding this specific defense layer.
### For the Market
- **Open Source Security Funding Landscape:** This incident acts as a significant negative signal to the broader open-source community regarding federal funding engagement, suggesting that non-security related mandates can derail mission-critical infrastructure support. It forces foundations to prioritize between critical funding and core organizational values.
## Technical Implications
The primary technical implication is the **stalling of next-generation, automated supply chain security tools** specifically designed for Python package repositories. The delay means reliance will continue on manual reviews or less robust, existing defense mechanisms for monitoring new package uploads for malware on PyPI.
## Strategic Analysis
- **Market Positioning:** Python and its ecosystem are signaling a strong commitment to non-financial drivers (organizational values) over immediate funding, reinforcing its independence but creating fiscal strain.
- **Competitive Advantage:** The PSF loses a competitive advantage in rapidly implementing high-level security upgrades that the grant money would have provided.
- **Challenges:** The PSF now faces a substantial challenge in replacing $1.5 million in immediate operational revenue required to maintain its development trajectory, putting pressure on community fundraising efforts.
## Industry Reactions
- **Analyst Opinions:** Cybersecurity and FOSS analysts likely view this as a significant setback for supply chain security, illustrating how bureaucratic or political policies can unintentionally degrade technical infrastructure resilience.
- **Expert Commentary:** Expect strong commentary supporting the PSF’s stance on organizational values. However, there will also be concern from security leaders about the resulting security vacuum.
- **Market Response:** The market reaction may involve increased calls for private industry support or direct corporate sponsorship of the PSF to fill the funding gap, potentially shifting influence from governmental to corporate backers.
## Future Outlook
- **Predictions and Expectations:** Expect the PSF to launch an accelerated, high-profile fundraising campaign targeting corporate users of Python who benefit directly from PyPI security.
- **What to watch for:** Watch whether the NSF revisits or modifies its POSE funding terms for future cycles, or if other open-source foundations follow the PSF’s lead in rejecting similar proposals.
## For Security Professionals
Security professionals relying on Python and PyPI for development must recognize that a planned security enhancement (automated malware detection) has been substantially delayed. They should proactively review their internal Software Composition Analysis (SCA tools) and dependency verification policies, anticipating a temporary higher risk vector on PyPI releases until the PSF secures replacement funding for the intended security tooling.