We can say the same thing about maintainers of PyPI. They host your libraries and serve them to anyone who wants them, free of charge. The only thing they ask in return is to maintain a minimum level of security so that they have fewer headaches in the future.
I think both parties are within their rights, but I also think this is a stupid move on PyPI's part. Maintainers are already working for free; start making them jump through hoops and some will decide it's all too much work and leave.
I think it would be much better to throw up a warning (potentially a loud one) when a dependency is maintained by someone without 2FA.
Packages being taken over because of stolen credentials creates a maintenance nightmare, and bad publicity, for PyPI itself. As such, they have every right, and a reasonable need, to require 2FA. In contrast, the maintainers of PyPI don't lose too much if a few projects choose not to use the platform anymore. Remember, you're not paying PyPI anything either, so the fact that it may inconvenience your own projects, whether free or proprietary, is not their problem.
That isn't necessarily a bad thing. I would be happy to lose every developer who is unwilling to enable 2FA. I am glad to see that that's what happened here. The developer has no responsibility to maintain their code, and PyPI has no responsibility to let them publish their code. Both sides discussed this and an agreement was reached - the developer will no longer publish their code to PyPI.
That's fair, he owes us nothing[1]; I agree with that. But it's not unreasonable to protect the larger community with basic security practices, either.
I am not objecting to the 2FA deployment - it's a good idea. I am objecting to the attitude towards maintainers who disagree - they have the right to disagree. They owe us nothing.
I think they also deserve some respect.