His right

I dunno, I think if you publish a copy of your code to a registry then it would be both desirable and reasonable for that copy to be immutable. Allowing the deletion of published libraries can have huge downstream impacts and ultimately makes the registry less trustworthy.

Edit: to be clear, not trying to shame the author here - it sounds like they tried to avoid this situation: "what i didn't consider is that this would delete old versions. those are apparently now gone and yet it's apparently not possible for me to re-upload them. i don't think that's sensible behavior by pypi, but either way i'm sorry about that."

I think this is a bad design on PyPI's part though.

If you want immutable, use a blockchain.

Life is not immutable. There could be a claim about IP, malware, whatever.

Versions should be immutable, but possible to delete

I agree. The logic is similar to why you can't delete an HN comment once someone replies.

Well sure. But what happens if your post contained some confidential data? It gets redacted

Yes, but you have to email the HN mods, so there's a form of review built into the process. It can't be done unilaterally.

Apparently when the 2fa requirement is actually implemented (this was just an announcement which triggered this) deleting a package would require 2fa as well.

Other registries go further and make it harder or impossible to delete once certain criteria are met (pretty sure this was put in place after leftpad broke the whole ecosystem): https://docs.npmjs.com/unpublishing-packages-from-the-regist...