eesmith 5 hours ago

This is an inference based on a change in legal terms. No resolution yet on whether it reflects any deeper intent. (I suspect it's made by lawyers who default to 'make sure we control everything' when they write their terms, like every other corporate ToS we all supposedly agree to willingly.)

Still, I've seen that PyPI costs a lot to run, and just like ReadTheDocs I expect that a future PyPI will need a bigger income stream somehow.

I also well remember that PyPI mandated 2FA even for those who didn't want to switch, which is an ever-present reminder that they control distribution.

I stopped distributing on PyPI years ago, in favor of my own "simple index" package distribution.

I wish pip etc. had a good mechanism already for mitigating dependency confusion. I can see that people who download my package also try downloading other packages, like pybind11, from my index, even though it isn't even a dependency of mine.
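The behaviour the comment above describes (a self-hosted "simple index" being asked for packages it never published) follows from how pip treats `--extra-index-url`: it queries every configured index for every requirement and takes the highest version it finds, wherever it came from. The script below is an added illustration, not code from the commenter or from pip; it models that merge step over two constructed PEP 503 project pages (placeholder filenames and hashes, not real servers) and contrasts it with hash-pinned resolution, which is what pip's `--require-hashes` mode enforces.

```python
"""Model of pip's candidate selection across multiple indexes, to show why
--extra-index-url invites dependency confusion and why hash pinning closes it.
Constructed example: the index pages and digests below are made up."""
import re
from html.parser import HTMLParser

# Constructed PEP 503 "simple" project pages, as a private index and PyPI
# would serve them. The sha256 fragments are placeholders, not real digests.
PRIVATE_INDEX = {
    "mypkg": '<a href="mypkg-1.2.0-py3-none-any.whl#sha256=aa11">mypkg-1.2.0</a>',
    # A squatted copy of a public project with an inflated version number,
    # which a private index should never be offering.
    "pybind11": '<a href="pybind11-99.0.0-py3-none-any.whl#sha256=ee55">pybind11-99.0.0</a>',
}
PUBLIC_INDEX = {
    "pybind11": '<a href="pybind11-2.11.1-py3-none-any.whl#sha256=cc33">pybind11-2.11.1</a>'
                '<a href="pybind11-2.12.0-py3-none-any.whl#sha256=dd44">pybind11-2.12.0</a>',
}


class _LinkCollector(HTMLParser):
    """Collects href attributes from a simple-index project page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


# name-version-<tags>.whl; only wheels are modelled here (pip also considers sdists)
_WHEEL_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)-(?P<version>[0-9][0-9.]*)-.*\.whl$")


def parse_project_page(html_page, source):
    """Return (version_key, version, sha256, source) for every wheel link on the page."""
    collector = _LinkCollector()
    collector.feed(html_page)
    candidates = []
    for href in collector.hrefs:
        path, _, fragment = href.partition("#")
        m = _WHEEL_RE.match(path)
        if not m:
            continue
        sha = fragment[len("sha256="):] if fragment.startswith("sha256=") else None
        version = m.group("version")
        key = tuple(int(part) for part in version.split("."))
        candidates.append((key, version, sha, source))
    return candidates


def resolve(name, indexes):
    """Mimic --extra-index-url: every index is asked, all candidates are pooled,
    and the highest version wins regardless of which index served it."""
    candidates = []
    for source, pages in indexes:
        page = pages.get(name.lower())  # each index gets asked, even for foreign packages
        if page is not None:
            candidates.extend(parse_project_page(page, source))
    if not candidates:
        return None
    _key, version, sha, source = max(candidates, key=lambda c: c[0])
    return version, source, sha


def resolve_pinned(name, pinned_version, pinned_sha256, indexes):
    """Mimic --require-hashes: only the exact pinned version whose digest
    matches is acceptable; a squatted higher version cannot be chosen."""
    for source, pages in indexes:
        page = pages.get(name.lower())
        if page is None:
            continue
        for _key, version, sha, src in parse_project_page(page, source):
            if version == pinned_version and sha == pinned_sha256:
                return version, src, sha
    return None  # pip would abort the install here


if __name__ == "__main__":
    both = [("private", PRIVATE_INDEX), ("pypi", PUBLIC_INDEX)]
    print("unpinned, two indexes:", resolve("pybind11", both))
    print("unpinned, PyPI only:  ", resolve("pybind11", [("pypi", PUBLIC_INDEX)]))
    print("pinned with hash:     ", resolve_pinned("pybind11", "2.12.0", "dd44", both))
```

The unpinned run with both indexes selects `99.0.0` from the private index, which is the dependency-confusion outcome; the same request with a `==2.12.0 --hash=sha256:...` pin accepts only the PyPI artefact. In practice that means generating hashes for every requirement (for example with `pip-compile --generate-hashes`) and installing with `pip install --require-hashes -r requirements.txt`, or avoiding `--extra-index-url` altogether by fronting both the private packages and PyPI with a single proxy index passed as `--index-url`.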