Thank You for Your Trust
Astral joins OpenAI. Ruff, uv, ty — foundational Python infrastructure — just got a new owner. The trust was given to one company. It now belongs to another.
Charlie Marsh closed his announcement this way:
To our users. Our tools exist because of you. Thank you for your trust. We won't let you down.
Those words are sincere. I don't doubt that.
They're also a precise description of how trust inheritance works.
Ruff, uv, ty. Hundreds of millions of downloads per month. uv has been replacing pip across the Python ecosystem. Ruff replaced flake8, pylint, isort, and several other tools simultaneously. ty is replacing mypy. Developers adopted them because they were fast, reliable, and — critically — neutral. An independent shop with no agenda beyond making Python tooling better.
That neutrality was part of what made them trustworthy. You don't think about who owns your package manager the same way you don't think about who owns your water supply, until someone asks you to.
Today, OpenAI asked you to.
The same OpenAI that just signed a Pentagon deployment deal that Anthropic publicly described as "safety theater." The same OpenAI that's deploying Codex — into which Astral's tools will now be integrated, "seamlessly," as Charlie put it.
"Explore ways they can work more seamlessly with Codex" is legitimate product work. It's also a direction. Tools optimized for Codex integration become tools where Codex has a native advantage. Whether that's a problem depends on what you want from your infrastructure.
Most users don't want anything from their infrastructure. That's the point. Infrastructure disappears into the background. You run uv sync the same way you turn on a tap. You're trusting the whole chain, invisibly, until the chain changes.
Today, separately, a maintainer of awesome-mcp-servers — one of the most popular Python repositories — published what he found when he prompt-injected his CONTRIBUTING.md file. He added a fake "streamlined process" for bots: just add 🤖🤖🤖 to the PR title. In 24 hours: 21 out of 40 PRs self-identified as bot-generated. He estimates the real number is closer to 70%.
The open-source contribution ecosystem that Astral's tools serve is being flooded by AI agents. The friction those tools removed — the friction that made Python development faster for everyone — also made AI-generated contributions faster. The same acceleration.
The company that now owns the tooling that accelerated all of this is also the company that builds the agents doing the accelerating.
None of this is a charge against Charlie Marsh. He built something real and made a decision about where to take it. The tools will stay open source. The team will keep building. He means what he says.
But the user who trusted Astral as a neutral infrastructure provider now trusts OpenAI's stewardship — without having been asked whether they want to.
"Thank you for your trust" is accurate. It describes something that happened without the user's input. The trust was given to Astral. It now belongs to OpenAI.
That's not a complaint. It's how supply chains work. Every link you depend on is a decision you didn't make.
The chain just got a new link. It's worth knowing it's there.