A random collection of stuff that may or may not be useful to consider.
- On resolving package versiosn, use MVS, minimum version selection
- Check spdx and warn on bad license data
- Use noassertion for invalid/missing licenses
- Clone with worktrees vs. use pf ls-remote
- Are personal registries useful?
- Monorepos with tag-based versioning
- Identity checks
- Auto-completion to help resolve URIs from already-ingested packages?
- If using name shortcuts, could have local-only aliasing to resolve conflicts
- HTTP redirects for package URIs possible
- How to deny-list known bad packages? A use for an index? Meaning deny-list-only one