Context
Several bomdrift defaults are calibration-tunable knobs: --typosquat-similarity-threshold (0.92), --young-maintainer-days (90), --recently-published-days (14), --multi-major-delta (2). The defaults were picked from intuition + small-corpus testing. To pick them rigorously, we need data: what's the false-positive rate across a representative corpus of historical npm / PyPI releases?
This is the data-collection prerequisite for a v1.0+ defaults review.
Scope
A reproducible offline pipeline that:
- […] syft).
- […] bomdrift diff between consecutive releases (Nx → N+1x).
- […] --debug-calibration jsonl output to a file.
Not a CI job — this is offline tooling, probably runs once per month and produces a static report.
The output is a markdown page: docs/src/calibration-report.md showing:
Acceptance criteria
- scripts/calibration/ directory with the data-collection scripts (any language; bash + jq + gh is fine).
- docs/src/calibration-report.md with the first run's findings.
Constraints
- No telemetry from production. This is an offline corpus; users running bomdrift in their own CI don't send data anywhere.
- Reproducible. Anyone should be able to re-run with cargo run + a corpus list. Pin the corpus to a snapshot date (e.g. data/calibration-corpus-2026-04.txt).
- Honest about caveats. Top-N-by-downloads is biased toward established packages; FPR may underestimate noisy categories like newly-published-and-quickly-churned scopes.
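As an added example of the kind of script that could live under scripts/calibration/ (example code written for this issue, not bomdrift's own; the --debug-calibration jsonl record schema, its field names, and the direction each knob compares in are assumptions): a threshold sweep that reads the raw per-release-pair measurements once and scores every candidate threshold offline, producing the tables a calibration report needs. Every release pair in the pinned corpus is a known-good historical release, so every rule that fires is a false positive. The script also handles a rule with no records without dividing by zero.

```python
"""Offline threshold sweep over bomdrift --debug-calibration jsonl output.

Assumed record schema (an assumption, not bomdrift's documented format): one JSON
object per line, one per (release pair, rule), carrying the raw value the rule
thresholds on whether or not the rule fired:

  {"rule": "typosquat", "package": "alpha", "from": "1.3.0", "to": "1.3.1", "value": 0.97}

Recording the raw value rather than the verdict is what makes the sweep possible:
the corpus is run once, and any candidate threshold can be scored afterwards.
"""
import json
from collections import defaultdict

# Per knob: comparison direction, the shipped default, and candidate thresholds to sweep.
# "ge" fires when value >= threshold, "lt" when value < threshold. The defaults are the
# ones listed in the issue; the direction of each comparison is an assumption.
KNOBS = {
    "typosquat":          ("ge", 0.92, [0.85, 0.88, 0.90, 0.92, 0.95]),
    "young-maintainer":   ("lt", 90,   [30, 60, 90, 180]),
    "recently-published": ("lt", 14,   [3, 7, 14, 30]),
    "multi-major-delta":  ("ge", 2,    [2, 3, 4]),
}

# Constructed sample standing in for a real jsonl file (package names and values are made up).
SAMPLE_JSONL = """\
{"rule": "typosquat", "package": "alpha", "from": "1.3.0", "to": "1.3.1", "value": 0.97}
{"rule": "typosquat", "package": "bravo", "from": "4.17.20", "to": "4.17.21", "value": 0.89}
{"rule": "typosquat", "package": "charlie", "from": "4.18.1", "to": "4.18.2", "value": 0.93}
{"rule": "typosquat", "package": "delta", "from": "5.2.0", "to": "5.3.0", "value": 0.80}
{"rule": "typosquat", "package": "echo", "from": "4.3.3", "to": "4.3.4", "value": 0.91}
{"rule": "young-maintainer", "package": "alpha", "from": "1.3.0", "to": "1.3.1", "value": 400}
{"rule": "young-maintainer", "package": "bravo", "from": "4.17.20", "to": "4.17.21", "value": 45}
{"rule": "young-maintainer", "package": "charlie", "from": "4.18.1", "to": "4.18.2", "value": 120}
{"rule": "young-maintainer", "package": "delta", "from": "5.2.0", "to": "5.3.0", "value": 20}
{"rule": "recently-published", "package": "alpha", "from": "1.3.0", "to": "1.3.1", "value": 1}
{"rule": "recently-published", "package": "bravo", "from": "4.17.20", "to": "4.17.21", "value": 20}
{"rule": "recently-published", "package": "charlie", "from": "4.18.1", "to": "4.18.2", "value": 5}
{"rule": "recently-published", "package": "delta", "from": "5.2.0", "to": "5.3.0", "value": 60}
{"rule": "multi-major-delta", "package": "alpha", "from": "1.3.0", "to": "1.3.1", "value": 0}
{"rule": "multi-major-delta", "package": "bravo", "from": "4.17.20", "to": "4.17.21", "value": 0}
{"rule": "multi-major-delta", "package": "charlie", "from": "4.18.1", "to": "6.0.0", "value": 2}
{"rule": "multi-major-delta", "package": "delta", "from": "2.4.2", "to": "5.3.0", "value": 3}
"""


def load_records(text):
    """Parse jsonl, skipping blank lines and records for rules we do not sweep."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed jsonl record") from exc
        if rec.get("rule") in KNOBS and isinstance(rec.get("value"), (int, float)):
            records.append(rec)
    return records


def fires(direction, value, threshold):
    """Would the rule flag this value at this threshold?"""
    return value >= threshold if direction == "ge" else value < threshold


def sweep(records, knobs=KNOBS):
    """Return {rule: {threshold: (flagged, evaluated, fpr)}}; fpr is None when nothing was evaluated."""
    by_rule = defaultdict(list)
    for rec in records:
        by_rule[rec["rule"]].append(rec["value"])
    result = {}
    for rule, (direction, default, candidates) in knobs.items():
        values = by_rule.get(rule, [])
        result[rule] = {}
        for t in sorted(set(candidates) | {default}):   # always score the shipped default too
            flagged = sum(1 for v in values if fires(direction, v, t))
            fpr = flagged / len(values) if values else None
            result[rule][t] = (flagged, len(values), fpr)
    return result


def fpr_at_default(result, knobs=KNOBS):
    """{rule: fpr} at the shipped defaults, the headline number for the report."""
    return {rule: result[rule][default][2] for rule, (_d, default, _c) in knobs.items()}


def render_markdown(result, knobs=KNOBS):
    """One markdown table per knob, suitable for pasting into calibration-report.md."""
    lines = []
    for rule, (direction, default, _c) in knobs.items():
        cmp = ">=" if direction == "ge" else "<"
        lines += [f"### {rule} (fires when value {cmp} threshold; default {default})", "",
                  "| threshold | flagged | evaluated | FPR |", "|---|---|---|---|"]
        for t, (flagged, n, fpr) in result[rule].items():
            mark = " (default)" if t == default else ""
            fpr_s = "n/a" if fpr is None else f"{fpr:.1%}"
            lines.append(f"| {t}{mark} | {flagged} | {n} | {fpr_s} |")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    print(render_markdown(sweep(load_records(text))))
```

Run it as `python sweep.py data/<pinned-corpus>.jsonl`; with no argument it uses the constructed sample. Because the corpus snapshot is pinned, the jsonl file is the reproducible artifact: trying a new candidate threshold only re-reads the file and never repeats the bomdrift diff runs.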
A note on commit signing
main requires verified signatures (the repo ships cosign-signed releases — we hold our own commits to the same bar).
You usually don't need to set up signing as a contributor — when a maintainer merges via "Merge" or "Squash", GitHub auto-signs the resulting commit and your unsigned PR-branch commits are fine. The friendlier path for everyone.
If you'd like your individual commits to land verbatim on main (so your name shows up in git blame), set up local signing once and your PR can be rebase-merged:
```sh
# Sign commits with an SSH key instead of a GPG key (supported since git 2.34)
git config --global gpg.format ssh
# The *public* half of the key you want to sign with
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Sign every commit by default so nothing lands unsigned by accident
git config --global commit.gpgsign true
# Note: GitHub's "Verified" badge only needs the key registered as a signing key in your
# account; verifying locally (git verify-commit, git log --show-signature) additionally
# needs gpg.ssh.allowedSignersFile pointing at an allowed_signers file that lists the key.
```
Then add the same SSH public key under GitHub → Settings → SSH and GPG keys → Signing keys.
See CONTRIBUTING.md → Commit signing on main for the full picture. Either way, please don't sweat it — if your PR is otherwise great, the maintainer will pick a merge mode that works.