While you may be right, package management systems don't work that way (and probably shouldn't, because aside from being slightly inefficient, you've got an information leakage!)

Right now, when upgrading, your friendly package management system says: "please give me a list of all packages and their versions". Then it determines which versions are newer, of the packages you have installed, and it updates them appropriately.

This is the point that didn't scale: with extras, this meant downloading metadata for every third party package anyone had ever uploaded, no matter if you had it installed or not.

With this system, it says "please tell me what my private virtual repository contains", and it is sent metadata only for packages that have been installed over the store.

As far as I understand it, your proposal is: "I have these packages installed locally, please send me metadata for them". This is inefficient, at least on the Jolla device, because packages are split across multiple different repositories: you would be uploading metadata for every package on your device for n different repositories, and only a tiny subset of those would apply to each seperate repository.

The "information leakage" I mentioned is that you're now implicitly saying "hey, I have this installed, and it's at this version". This sounds harmless, except it now lets an adversary know more about your systems and how to attack you. This isn't much of a problem if you only ever install things from the store, but if you ever had software you wanted to keep to yourself (self-developed, or whatever), this leaks that information.