Todo-list

Todo

Some of these are good candidates for upstream contribution to click.extra.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/output.py:docstring of meta_package_manager.output, line 3.)

Todo

Reuse the mapping that is proposed upstream to the package-url Python project.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/specifier.py:docstring of meta_package_manager.specifier.PURL_MAP, line 16.)

Todo

Use the removed variable to detect removed packages (which are reported with a (!) flag). See: https://github.com/caskroom/homebrew-cask/blob/master/doc/reporting_bugs/uninstall_wrongly_reports_cask_as_not_installed.md and https://github.com/kdeldycke/meta-package-manager/issues/17 .

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/homebrew.py:docstring of meta_package_manager.managers.homebrew.Homebrew.installed, line 31.)

Todo

Evaluate pythonfinder to replace our custom search logic.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/pip.py:docstring of meta_package_manager.managers.pip.Pip.search_all_cli, line 3.)

Todo

Mimics Pip.outdated() operation. There probably is a way to factorize it.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/pipx.py:docstring of meta_package_manager.managers.pipx.Pipx.outdated, line 3.)

Todo

Evaluate steam-cli as an alternative.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/steamcmd.py:docstring of meta_package_manager.managers.steamcmd.SteamCMD, line 11.)

Todo

Automatically uninstall the package if the technology is different:

PS C:\Users\kev> winget upgrade --id Microsoft.Edge
A newer version was found, but the install technology is different from the current version installed. Please uninstall the package and install the newer version.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/meta_package_manager/managers/winget.py:docstring of meta_package_manager.managers.winget.WinGet.upgrade_one_cli, line 16.)

Todo

Add arguments to the installed command, or an --installed boolean flag to search, so we can reduce the searched packages to those installed.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 173.)

Todo

Implement a best matching strategy, across package managers of different kinds.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 331.)

Todo

mpm doesn’t identify CVEs yet.

This feature might be solved with an SBOM implementation, as I think there are some tools available that can check an SBOM export and cross-reference it with a CVE database.

Take a look at: https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 438.)

Todo

mpm doesn’t collect dependencies yet. Once it does, these dependencies can augment the SBOM export.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 448.)

Todo

mpm could support a cooldown period before applying updates, letting newly released versions age for a configurable delay (e.g. 7 days) before they are offered by mpm upgrade or mpm outdated.

This would mitigate supply chain attacks by giving the community time to identify and yank compromised releases before they land on your machine. The xz backdoor and VS Code extension marketplace incidents are recent examples of this threat.

Some package managers have no built-in delay mechanism at all (e.g. VS Code extensions only offer auto-update on/off, with no update.delayDays option — see microsoft/vscode#24823). mpm is in a unique position to add a uniform cooldown layer across all managers it wraps.

Prior art:

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 463.)
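
A minimal sketch of the cooldown filter described in the entry above, as an added example that is not mpm's code. The Release structure, the eligible_upgrade function and the sample data are hypothetical, and it assumes each wrapped manager can report a publication date and a yanked status per version.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Release:
    """One published version of a package (hypothetical structure, not mpm's)."""

    version: tuple
    published: Optional[datetime]  # timezone-aware; None if the registry gives no date
    yanked: bool = False


def eligible_upgrade(installed, releases, now, cooldown=timedelta(days=7)):
    """Return the newest release that has aged past the cooldown, or None.

    A release qualifies only if it is newer than the installed version, was
    not yanked, and was published at least `cooldown` before `now`. The check
    fails closed: a release with no publication date, or with a date in the
    future (clock skew, bad metadata), is never offered.
    """
    cutoff = now - cooldown
    candidates = [
        r for r in releases
        if r.version > installed
        and not r.yanked
        and r.published is not None
        and r.published <= cutoff
    ]
    return max(candidates, key=lambda r: r.version, default=None)


# Constructed sample data for a fictional package; not real registry output.
UTC = timezone.utc
NOW = datetime(2024, 4, 10, tzinfo=UTC)
SAMPLE = [
    Release((1, 4, 0), datetime(2024, 3, 1, tzinfo=UTC)),
    Release((1, 5, 0), datetime(2024, 3, 20, tzinfo=UTC), yanked=True),
    Release((1, 5, 1), datetime(2024, 4, 8, tzinfo=UTC)),  # only 2 days old
    Release((1, 6, 0), None),  # unknown publication date
]

if __name__ == "__main__":
    choice = eligible_upgrade((1, 3, 0), SAMPLE, NOW)
    print("offer:", choice.version if choice else "nothing yet")
```

With a 7-day cooldown the filter skips the 2-day-old 1.5.1 and offers 1.4.0, so a release yanked within its first week never reaches the machine.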

Todo

One future development direction might be to add a way to inventory all components you're using on your system and track down their preferred funding platform like GitHub Sponsors, Liberapay or Patreon. Then have a way to fund all those.

Homebrew is already featuring some commands in that direction.

And also see this article in which someone algorithmically donated $5000+ to Open Source via GitHub Sponsors and PyPI data.

This is being discussed at #501.

(The original entry is located in /home/runner/work/meta-package-manager/meta-package-manager/docs/usecase.md, line 478.)