Not a storm in a teacup. Being forced to accept unvetted electronic devices from a 'Foundation' instead of using TOTP rings a whole lot of alarm bells.
* How do we know that these ain't fitted with GPS trackers?
* Why are maintainers forced to give up their snail mail addresses?
* How will the keys be re-issued? Who's going to pay for this?
* Oh, and there's still the silly geo-fencing issue: 'Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, United Kingdom, and the United States'
You are assuming that the contributors are required to use these specific devices. This is incorrect. PyPI is offering free U2F devices to a subset of the affected developers, but they are free to use their own U2F devices (or a TOTP client) instead.
> Oh, and there's still the silly geo-fencing issue
The list of countries makes this sound like an export control issue. It's a legal restriction, not a deliberate choice PyPI made.