I have a lot of sympathy for some of the frustration being expressed here: I do a lot of open source maintenance, and any amount of change to my workflows drives me up the wall!
That being said: the PyPI maintainers are also in this community, also doing largely thankless work to keep one of the world’s biggest package indices healthy (and secure). Their motives are good, and (IMO) the rollout here walks the right line between imposition and changes that are necessary to match the prevailing winds in supply chain security.
Thanks for the kind words. Just to clarify (and avoid stolen valor): I worked on the 2FA implementation, but not the current critical project scheme or free key giveaway. That was all done by PyPI’s maintainers (I’m just a contributor), and they’re absolutely incredible and tireless in their commitment.