They are revealing to the public if a package maintainer used Tor or 2FA. I do not think that information should be made public.