David Brooks
I've seen this movie before. A major tech company acquires critical developer infrastructure, issues a carefully worded announcement, and the omissions are more revealing than anything that actually made it into print.
On March 19, 2026, OpenAI announced the acquisition of Astral Software Inc. β the team behind uv, Ruff, ty, and, though neither official press release mentions it, pyx. Both announcements are two pages of deliberate language. In those two pages, pyx β the enterprise product Astral quietly launched in beta in August 2025, with real paying clients including Ramp, Intercom, and fal.ai β does not appear once. That's not a footnote. That's the story.
The Acquisition OpenAI Didn't Fully Announce
Charlie Marsh, Astral's sole founder and CEO, wrote that the team joins OpenAI's Codex group "to explore how they can work more closely together." The announcement lists uv, Ruff, and ty. Period.
The elephant in the room is what's absent. pyx was a GPU-aware Python package registry β capable of automatically resolving and installing the correct PyTorch and CUDA variants based on the target environment's hardware. For ML engineering teams, that's a genuinely painful problem without a good solution in 2026. Three enterprise clients in beta is not a lab experiment. It's a validated business thesis that someone actively chose to leave out of the press release.
When a company omits its only revenue-generating product from its own acquisition announcement, there are exactly two explanations: they don't know yet what they're doing with it, or they know exactly what they're doing and prefer not to say so while the regulatory process is still open β which, as of this writing, it is.
I haven't had access to the financial terms of the deal, which haven't been made public. But the deliberate silence in both communications is more informative than anything that was actually written.
Offensive vs. Defensive: Why This Isn't the Same as Anthropic's Bun Deal
The tech press has covered both acquisitions as variations of the same pattern. Let's be real: they aren't.
Anthropic bought Bun in December 2025 after Claude Code was already running on it β 7M monthly downloads, 82K GitHub stars at acquisition time. That was defensive positioning: lock down infrastructure you're already dependent on. The same logic applies to M12's investment in Entire β you buy what you already use or what threatens what you have.
OpenAI is doing the opposite. There's no evidence OpenAI was heavily relying on uv in its internal workflows before this deal. What they're doing is acquiring the package manager so that developers who adopt Codex end up depending on infrastructure under OpenAI's control. That's an offensive move β building dependency rather than securing an existing one. The distinction matters enormously for any engineering team evaluating toolchain governance risk.
"One bad version of this deal would be if OpenAI start using their ownership of uv as leverage in their competition with Anthropic." β Simon Willison, March 19, 2026
The irony is sharper than most coverage acknowledges: Anthropic ships Claude Code as a Bun binary and relies heavily on Python across its internal stacks. OpenAI now has a vantage point into Python dependencies at global scale β including those of its most direct competitor.
uv: The Numbers Behind the Deal
The download stats are more eloquent than any press release:
| Metric | Value (March 2026) |
|---|---|
| Monthly downloads | 127.5 million |
| Daily downloads | 4.53 million |
| Time since launch | 25 months (Feb 2024) |
| Current version | 0.10.12 (pre-1.0) |
| Nearest competitor | Poetry (~66M/mo) |
Source: PyPI Stats, March 21, 2026. Actual numbers, not a fundraising deck.
uv went from zero to outpacing Poetry in under two years by writing the package manager in Rust rather than Python: dependency resolution 10β100x faster than direct competitors, zero compatibility sacrifices. When Armin Ronacher β creator of Flask β actively redirected Rye toward uv in 2024, that was as close to a community coronation as the Python ecosystem produces.
I've been tracking enterprise tooling for over a decade, and the funding history here is unusually revealing. The $4M seed round in April 2023 included Guillermo Rauch (Vercel CEO) and Solomon Hykes (Docker creator) as angels β exactly the people who understand what it means to control a software distribution layer. Subsequent Series A (Accel) and Series B (a16z) rounds were never publicly announced. That deliberate quiet wasn't accidental: Astral actively managed a "community project" narrative while closing VC rounds in the background.
One confirmed detail from the Hacker News thread matters here: a current Astral employee noted that "the company did not burn through its VC money." Astral didn't need to sell. Investors aren't converting Astral equity into cash β they're converting it into OpenAI equity ahead of an IPO. The timing isn't coincidental.
What pyx Actually Was β And What Its Absence Means for Enterprise Teams
Enterprise artifact management alternatives β JFrog Artifactory, Sonatype Nexus β run $15Kβ$100K annually and are built primarily around Java, npm, and Docker ecosystems. Neither has native GPU environment support. pyx filled that gap with three paying enterprise clients already in beta.
In a 2024 Hacker News thread titled "So how does Astral plan to make money?", Marsh stated he didn't want to charge people for using his tools. The acquisition makes pyx exactly the exit he said he didn't want to pursue. If OpenAI integrates pyx into Codex Pro as a paid tier feature, it converts a registry designed to be open infrastructure into an enterprise upsell. If they abandon it, they eliminate the only GPU-native alternative to JFrog for Python ML teams.
For US enterprise shops running AI/ML workloads, this isn't an abstract governance concern. It will surface in vendor security reviews, SOC 2 audits, and software supply chain assessments β the kind of procurement checkpoint where "our package registry is now owned by the same company building our AI coding assistant" is a question that procurement and InfoSec will ask. The LocalStack precedent is instructive: a beloved open-source AWS emulator that introduced mandatory registration and API limits within months of a business model change. Infrastructure vendors change terms when ownership changes β the IBM/CDKTF deprecation follows the same pattern. That's not cynicism; it's documented history.
If uv Is in Your Stack, Read This Before You Decide Anything
uv 0.10.12 is pre-1.0. The API is not stable, and the roadmap now reports to Codex and OpenAI enterprise priorities before it reports to the Python community. That's the reality β not alarmism, just the ownership structure.
There is, however, a real guarantee. The MIT license means the codebase is forkeable. If OpenAI deprioritizes ecosystem compatibility in favor of Codex-specific requirements β as we saw with IBM and CDKTF, in a different context β the community has everything it needs to continue the project. The accumulated work doesn't disappear.
If you ask me directly: don't change anything today. Activate repository notifications, read release notes with more scrutiny than usual, and document Poetry or pip as a formal fallback in your team's runbook. Not because a forced migration is imminent, but because critical infrastructure under the control of a pre-IPO company β with real financial incentives to monetize β warrants that basic diligence.
Here's my take: the deal hasn't closed yet. Regulatory review is still ongoing. The questions worth asking now β specifically, what happens to pyx contractually and what governance commitments actually back the open-source pledge β are still on the table. Ask them while there's still time to get real answers.
