enthought / comtypes

A pure Python, lightweight COM client and server framework, based on the ctypes Python FFI package.

Maintenance support available on Tidelift #499

Open jaraco opened 7 months ago

jaraco commented 7 months ago

I learned that this project is funded on Tidelift, meaning it's popular enough that it's getting sponsorship money from enterprise customers.

This means that the maintainers of the package have an option to claim the funds in exchange for an agreement to keep the project maintained. I'm an active lifter of 28 packages and am excited about what Tidelift is doing to help make open source sustainable.

Given that funding is available, we have a few options (in my order of preference):

Let's discuss and decide what you all want to do. @cfarrow may have an opinion too. I'll be happy to help get anyone enrolled with Tidelift.

cfarrow commented 7 months ago

This is exciting news for the project. I can see this being used in many ways, from directly funding the developers, funding bounties, paying interns, ... It depends on the funding amount and willingness to commit.

You've called out @junkmd and @vasily-v-ryabov, and I agree they should get first dibs on deciding what to do with the funds, if anything. I would advocate to use the funds in a way that makes the biggest impact, but since I have not had skin in the game for a long time, I'll defer to @junkmd and @vasily-v-ryabov on what that is. If they want to split the funds, I support that.

junkmd commented 7 months ago

Thank you for mentioning me with this exciting news, @jaraco and @cfarrow.

I'm delighted to know that many people and companies are recognizing the importance of comtypes through this news and the recent lightning talk I had at the interactive commemorative lecture event for Guido van Rossum held in Japan.

I also would like to ask @vasily-v-ryabov for his opinion on whether to receive the reward in the first place, and if so, how to distribute it.

I maintain this project because comtypes is a key component that my main job depends on. I am also interested in funding a bounty for further development of this project (such as bringing back tests using TestComServer.tlb or TestDispServer.tlb which do not work on the CI currently).

If the main maintainers are to receive the rewards, I believe that two people receiving the rewards will make the community more involved rather than one person receiving the rewards.

Furthermore, apart from the discussion of receiving or not receiving funds, I would like to have admin rights to PyPI to release new versions in the future.

Thank you. Any opinions would be appreciated.

vasily-v-ryabov commented 6 months ago

Thank you guys for thinking about supporting us. I think @junkmd has more time for maintenance and more opportunities to attract new team members using part of this money. Also, I think this service is not supported in my country, and I get a 403 Forbidden error. So I'd suggest delegating Tidelift funding control fully to @junkmd, and @jaraco could be a backup admin there. Maybe in the future, when the situation is improved, I will be able to join Tidelift as well.

@junkmd is it your PyPI profile https://pypi.org/user/junkmd/ ? I'd suggest you make the 1.3.0 release with dropped Py 2.7 support so I can add you as a PyPI maintainer if there are no objections.

cfarrow commented 6 months ago

No objections.

junkmd commented 6 months ago

> @junkmd is it your PyPI profile https://pypi.org/user/junkmd/ ?

Yes, https://pypi.org/user/junkmd/ is my PyPI profile.

jaraco commented 6 months ago

> I would like to have admin rights to PyPI to release new versions in the future.

I've added junkmd as another owner on the project. Be sure to accept the invite.

> So I'd suggest to delegate Tidelift funding control fully to @junkmd

Sounds like a plan. I think next time Tidelift crawls PyPI, it'll pick up junkmd as a co-owner and they will be able to claim the project. I think the next step is for junkmd to sign up with Tidelift as a maintainer. Maybe start here, get signed up, and see what shows for you. If you have the opportunity to claim the funds, feel encouraged to do so.

If you get stuck, feel free to reach out to Tidelift support or ask questions here. If 'comtypes' doesn't appear as a funded, liftable project for you, maybe wait 24 hours to see if they crawl it overnight.

junkmd commented 6 months ago

> > I would like to have admin rights to PyPI to release new versions in the future.
>
> I've added junkmd as another owner on the project. Be sure to accept the invite.

I accepted the invite. Thank you.

junkmd commented 6 months ago

I have signed up with Tidelift and have completed the required paperwork. My Tidelift dashboard shows that I am a lifter of comtypes. @jaraco, thank you for your assistance with my Tidelift registration process.

My remaining lifter task is "Create a discoverable security policy". I recognize that this means creating a SECURITY.md with the following wording, is this correct?

```markdown
## Security contact information

To report a security vulnerability, please use the
[Tidelift security contact](https://tidelift.com/security).
Tidelift will coordinate the fix and disclosure.
```

Since this project is now getting support from Tidelift, I would like to let the community know about it. Would it be effective to add the Tidelift badge to README.md?

jaraco commented 6 months ago

Sounds good to me. Have a look at jaraco/tidelift for the settings I merge into my Tidelift-sponsored projects.

junkmd commented 6 months ago

After merging #506, I registered https://github.com/enthought/comtypes/security/policy with Tidelift. With this, I have completed all the tasks requested by Tidelift.

To everyone involved, thank you.