This is a great suggestion! Yes, there are definitely more things that we could and should add to determine the 'liveness' of a repository (combining signals like release recency, CI test runs, dependency updates (#2458), number of graph dependents, stars/watchers). All of these signals would help end-users find the authoritative fork of a library.

How many additional API calls would this require? API-heaviness is a major constraint for the scorecard cron infrastructure as well as overall performance. We should try to measure this.

Another pitfall is that such changes would put some amount of pressure on maintainers to game the liveness metric, which is tricky for projects that are stable, or that don't have many dependencies, or simply don't require frequent updates. This characteristic makes it hard to score such a check. But I do agree that we should try to surface this in Raw Results.

A separate idea entirely from determining whether a repository is the 'authoritative' fork is to determine whether it is a fork at all. On GitHub, it's possible to create and view forks through the Dependency Graph, or by searching commit SHAs shared between repos across GitHub. Other methods could analyze the content of a repo. But the same Qs are still open: how is this scored? And how many API calls does it cost scorecard?

I propose to consider metrics defined in https://www.researchgate.net/publication/260552929_May_the_Fork_Be_with_You_Novel_Metrics_to_Analyze_Collaboration_on_GitHub

Stale issue message - this issue will be closed in 7 days

This issue is stale because it has been open for 60 days with no activity.