I do think this is a bit of a billion-dollar question. The way Linux distributions mostly do it is some form of long-term support release which gets fewer updates but still security updates, burdening the maintainers more than the developers. However, the amount of complexity of everyone trying to do that at the same time is not only crazy but also a real limit on progress.
Still, something like that could be somewhat of a solution. You don't need to use, for example, 2FA, but then you also don't get to publish to everyone today. Then you have to do a security update which would require it.