
I think largely because the prerogative is on the code author to reveal as little or as much about themselves, and the prerogative of library users is to sufficiently vet a package. If folks want to publish code pseudonymously, and folks want to use that code, as long as it's not abusive, what's to stop them? You can achieve basically the same effect with GitHub, GitLab, or even plain self-hosted HTTP packages (pip just uses a convention for listing packages in a dir, any HTTP file host can be a package server), without PyPI.

I actually think the larger problem is Python's reliance on imperative code that executes at install time. Yeah, you can use pip --download and extract it yourself, but folks rarely do that.
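Added example, not part of the comment above and not code from pip or PyPI: one way to vet what an sdist's `setup.py` would do at install time without running it, by reading the file straight out of the archive and walking its AST. The sample package, the watch lists and all function names are constructed for illustration, and a static pass like this is a heuristic that obfuscated code can evade.

```python
import ast, io, tarfile

# Constructed sample: a setup.py whose code runs when the package is installed.
SAMPLE_SETUP = b'''\
import os, subprocess
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        subprocess.call(["sh", "-c", "echo hello"])
        install.run(self)
os.system("echo at import time")
setup(name="demo", version="0.1", cmdclass={"install": PostInstall})
'''

# Assumed watch lists for this example; tune them to your own policy.
RISKY_MODULES = {"os", "subprocess", "socket", "urllib", "requests", "ctypes"}
RISKY_BUILTINS = {"exec", "eval", "compile", "__import__"}

def make_sdist(setup_src):
    # Build a constructed demo-0.1.tar.gz in memory so the example runs offline.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("demo-0.1/setup.py")
        info.size = len(setup_src)
        tar.addfile(info, io.BytesIO(setup_src))
    return buf.getvalue()

def read_setup_py(sdist_bytes):
    # Read <name>-<version>/setup.py out of the archive; nothing is extracted or run.
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.count("/") == 1 and m.name.endswith("/setup.py"):
                return tar.extractfile(m).read().decode("utf-8")
    return None

def audit_setup(source):
    # Parse only (ast never executes the code) and flag install-time behaviour.
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in RISKY_BUILTINS:
            findings.add((node.lineno, f"call:{f.id}"))
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                and f.value.id in RISKY_MODULES:
            findings.add((node.lineno, f"call:{f.value.id}.{f.attr}"))
        if any(kw.arg == "cmdclass" for kw in node.keywords):
            findings.add((node.lineno, "setup:cmdclass"))
    return sorted(findings)
```

Each finding is a `(line, label)` pair; a `setup:cmdclass` hit means the package overrides a build or install command, which is where custom install-time code usually hooks in.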


