On behalf of the NumPy Steering Council I'm happy to announce that we now have an agreement between Tidelift and NumFOCUS for NumPy. The summary of the agreement is: Tidelift will pay NumPy a minimum of $1000/month until Oct 2020, and NumPy will do the following:
- provide a documented way to disclose security vulnerabilities, and respond to disclosures in a timely manner
- deal with any licensing issues in a timely manner
- write good release notes, and clarify our advice to users on what releases to use
- some one-time things like getting our metadata into the Tidelift system, and acknowledging Tidelift as one of our funders on the website
Note that it seems to us that this is a quite modest amount of work that we will be able to do with volunteer resources. A lot of it we do anyway - this is a nice feature of Tidelift's business model: in a way, they promise their customers that we will keep doing what we're doing, add some valuable things like unified dependency reporting around it, and pass on some of the benefits to the projects (or to individual maintainers for other projects).
We haven't determined what to do with the funds yet, but there are lots of things that could be done (enable dev meetings, pay for a numpy.org redesign, perhaps fund some work on hairy problems that no one seems to want to solve for free, etc.) - to be determined in the future.