The article touches on an important point: the set of open-source developers includes PyPI maintainers. A related distinction is that yes, the development effort required matters, but so does the operational effort required. By enforcing 2FA, PyPI reduces its support burden a bit by not having to deal with account takeovers, worry about account takeovers, and respond to account takeovers. Yes, mandating 2FA increases the developer's effort, but refusing to use 2FA increases the operational effort of PyPI. There's probably a discussion to be had about how much PyPI can lower its level of effort by large amounts by imposing small increases in effort on developers, and whether those effort values are large or small or whatever, but in this particular case I'm inclined to support the small amount of developer effort required to massively reduce the operational effort of both PyPI and everyone responsible for vetting packages for use.
That's a very good point regarding operational cost of handling account takeovers.
I'm not sure I have much useful commentary to add, but it does occur to me that a sufficiently-sized pool of software users could inspect changes (either at individual-commit-time and/or at tagged-release-time) regardless of whether each changeset is by the same author or in fact a different person every time.