Normal police work doesn't go fishing for the IP addresses (potentially millions of users) of everyone who downloaded a package.

> "IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames

Do you feel the same way if the cops are receiving the IPs of everyone who downloaded yt-dlp? IP addresses and timestamps resolve to physical locations and oftentimes street addresses.



That doesn't make any sense though. What benefit would DOJ get from getting the IP address of everyone who downloaded yt-dlp? They aren't the enforcement arm of Google's terms of service, which is a civil matter.

Even if they were, and the DOJ was going for a dragnet operation to go after tools that could potentially infringe terms of service of big corporations, they would go after every tool and every fork. Not just 1 package. But again, what court would allow such action and why?

If I was in the DOJ and was investigating a malicious package uploaded to PyPI, I would ask for the IPs of the downloaders to see if the uploaders dun goofed and downloaded their package shortly after uploading off VPN. Or to find out if any major corporations were impacted by downloading the malicious package and to inform them.


In the US at least, it has been ruled that an IP address is not sufficient evidence to link activity to any particular person. You could have been hacked for example.


In the US they don't need evidence or a warrant to put certain people they deem surveillance-worthy under 24/7 surveillance.


Exactly. This is like the police going to a store with a list of suppliers and demanding personal data of everyone who bought any of those suppliers' products. That's well beyond "normal", but somehow for digital data it's OK?


(Deleted comment as it was wrongly assuming bias)


I think you're reading it wrong too - it says "IP download logs of any Python Package Index (PyPI) packages uploaded by the given usernames". So that's anyone who downloaded those packages, not just the specific users' download activity.


No. They wanted the downloads by randoms. We don't store those with IPs.

