Roadmap

About this roadmap

This roadmap should serve as a reference point for Trusty users to understand where the product is heading. The roadmap is where you can learn about what features we're working on, what stage they're in, and when we expect to bring them to you. Priorities and requirements may change based on community feedback, roadblocks encountered, community contributions, and other factors.

How to contribute

Have any questions or comments about items on the Trusty roadmap? Share your feedback via GitHub discussions.

Last updated: November 2023

In progress

  • New scoring dimension: Security: Introduce a new scoring dimension that incorporates factors such as SLSA provenance and package behavior.
  • Add more features to repo and author Activity score: Bolster the depth of the Activity score by adding more features, e.g. information on package maintainers.
  • Improve package-to-repo link verification: Add statistical verification, e.g. of release timestamps, to improve the confidence of the mapping from a repo to a package.
  • Show additional context on each score component for each package: Provide key indicators to explain why a package received a particular score, based on the underlying features of the score.
  • Provenance for Python and Rust packages: Enable provenance data from Sigstore for Python and Rust packages, based on Sigstore community efforts.

Next

  • Include additional metadata on packages: Provide more information on packages including known vulnerabilities from OSV, license information, and additional information from Sigstore.
  • New scoring dimension: Transitive dependencies: Introduce a new scoring dimension that incorporates factors such as the quality of a package’s dependencies and which other packages use the package as a dependency.
  • New scoring dimension: Risk flags: Introduce a new scoring dimension that incorporates factors such as the depth of the package description and the frequency of releases.
  • Show dependencies and dependents of package: List the dependencies included in a package, and which other packages use the package as a dependency (with links to Trusty detailed pages).
  • Show trend graph of scores over time: Enable users to understand how a package’s score has changed over time.
  • Expand support to additional languages: Add additional packages based on an expanded set of languages (e.g., Java, Go, Homebrew).
  • Show Minder badge in UI: Show a package’s Minder 'badge/certification' that shows what practices the project followed.

Future considerations

  • New scoring dimension: Popularity/community: Introduce a new scoring dimension that incorporates factors such as community ratings, social media sentiment, and number of stars.
  • Score package versions separately: Create separate Trusty scores for each version of a package.
  • Receive emails when favorite package scores change: Users are able to set up email alerts based on Trusty score trends for favorite packages.
  • Additional package form factors: Expand Trusty to support additional package form factors such as machine learning models and container images.
  • Refine search parameters and package recommendations: Enable users to refine search criteria based on package metadata, such as number of GitHub stars.
  • User profile page and preferences: Enable users to create their own Trusty profile page and set user preferences.