
How To Improve a Package's Score

Trusty's score is made up of several components, as described in scoring. The summary score is what Trusty uses to sort packages in several places. It is essentially the minimum of the component scores, so if you want to improve your summary score, start with the lowest component.

If you feel a component score is inappropriate, then you can request that Stacklok ignore that component in the aggregate scoring. To do this, you need to submit feedback to Stacklok, described here.

Read on to learn how to improve scores based on Trusty's scoring methodology.

Repository and People Activity

We measure the amount of activity around the repository and its contributors. If you have many contributors and many people watching or following the repo, it will score highly. If the project has a single contributor with no followers and no stars, the score will be low. More information is in activity scores.

The way to improve this is to have a large community supporting an active repository. This is not an easy thing to achieve, but it is what we want to measure. Trying to 'game' this value amounts to asking for a small project to appear big.

That said, there are other reasons the score might be low. It may be that we can't find the link to your repository from the source, or that the repo is private and we can't reach it (unfortunately, we still can't measure a private repo). It might well be a bug, perhaps an unsupported repository type, in which case feedback is the solution: we can annotate your package to say why the score is low.

Shared Repositories (Starjacking)

Producing multiple packages from the same repo is a perfectly legitimate thing to do. If this is the case, send feedback saying so. Alternatively, if you have discovered that another package is starjacking your repo, feedback will again allow us to mark the other package as malicious.

Similarly Named Packages (Typosquatting)

This means that your package has a name that is a couple of errant keystrokes away from a higher-scoring package. You can make your package score higher in 'natural' ways: it is possible to rename your package to something less similar to the other one. The most practical approach is probably to send feedback saying that your package is not a typosquat. You will still show up as a similar name, but the summary score will not be affected by it.
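To make the "couple of errant keystrokes" idea concrete, here is an added example of a similar-name check based on Levenshtein edit distance. This is not Trusty's own code, and the page does not describe the rule Trusty actually applies; the distance threshold of 2, the `similar_names` function and the `POPULAR_PACKAGES` list are all assumptions constructed for illustration.

```python
"""Edit-distance check for similarly named packages (typosquat candidates).

Added example, not Trusty's code. It assumes a Levenshtein-distance threshold
of 2 ("a couple of errant keystrokes") measured against a list of
higher-scoring package names, which here are constructed sample values.
"""

from typing import Iterable

# Constructed sample of higher-scoring package names (not real Trusty data).
POPULAR_PACKAGES = ["requests", "numpy", "lodash", "express"]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (Wagner-Fischer, two rows)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(
                previous[j] + 1,        # deletion from a
                current[j - 1] + 1,     # insertion into a
                previous[j - 1] + cost  # substitution (free if equal)
            ))
        previous = current
    return previous[-1]


def similar_names(candidate: str, known: Iterable[str],
                  max_distance: int = 2) -> list[tuple[str, int]]:
    """Return (name, distance) pairs for known names within max_distance of
    candidate, closest first. Exact matches (distance 0) are excluded, since
    the same name is not a similar name; comparison is case-insensitive."""
    name = candidate.lower()
    hits = []
    for other in known:
        d = levenshtein(name, other.lower())
        if 0 < d <= max_distance:
            hits.append((other, d))
    return sorted(hits, key=lambda pair: pair[1])


if __name__ == "__main__":
    for name in ["reqeusts", "numpi", "flask"]:
        print(f"{name}: {similar_names(name, POPULAR_PACKAGES)}")
```

A package whose name lands in the returned list would be flagged as similar; an empty list (as for `flask` above) means no higher-scoring name is within reach of a typo, which is the "natural" way to avoid the penalty. A real scorer would also want to normalise separators such as `-` and `_` before comparing, which this example deliberately leaves out.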