Sandwich Bill of Materials
3 days ago
- #sandwich
- #SBOM
- #supply-chain
- SBOM 1.0 provides a machine-readable format for declaring the full dependency tree of a sandwich, including sub-components, licensing, and vulnerabilities.
- Motivation includes the complexity of sandwich supply chains, illustrated by the 2025 egg price crisis, emphasizing the need for standardized ingredient tracking.
- Specification requires JSON format, with mandatory fields like surl, name, version, supplier, integrity, and license for each ingredient.
- Dependency resolution must be depth-first, with version negotiation for conflicts and warnings for circular dependencies.
- Vulnerability scanning against the National Sandwich Vulnerability Database (NSVD) is recommended to identify risks like CVE-2024-MAYO or CVE-2023-GLUTEN.
- Provenance attestation is required for each ingredient, extending to the origin for farm-sourced items, with challenges like chicken-or-egg provenance deferred to version 2.0.
- Reproducible builds are aspirational, with documentation of non-deterministic factors like ambient temperature or knife sharpness in a sandwich.lock file.
- Transitive dependency auditing flags outdated ingredients, single-maintainer risks, or those from insecure registries.
- Adoption is mixed, with artisanal resistance and fast food trade secrets, while regulatory moves like the EU Sandwich Resilience Act mandate SBOMs by 2027.
- The Sandwich Heritage Foundation archives sandwiches by integrity hash, facing preservation challenges and funding hurdles.
- Acknowledgments highlight the specification's dedication to a closed sandwich shop, underscoring the importance of machine-readable recipes.
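The following is an added example, not code from the original post or from the SBOM 1.0 specification it summarizes. It processes a constructed sandwich SBOM the way the summary describes: validating the mandatory fields, resolving dependencies depth-first with a warning on the chicken-or-egg cycle, checking each ingredient's integrity hash, flagging an ingredient pulled from an insecure registry, and matching versions against a constructed stand-in for the NSVD. The JSON layout (a flat "ingredients" array with "dependencies" and "registry" fields), the "sha256-" integrity encoding, the semantic-version ranges and the sandwich root entry are all assumptions; the two CVE ids are the ones the summary quotes, but their affected version ranges are invented. Version negotiation and provenance attestation are not covered.

```python
"""Minimal SBOM-style processor: field validation, depth-first resolution with
circular-dependency warnings, integrity verification and a vulnerability lookup.
All data below is constructed for the example; layout is an assumption."""
import hashlib
import json

REQUIRED = ("surl", "name", "version", "supplier", "integrity", "license")


def sha256_sri(data: bytes) -> str:
    """Integrity string as assumed here: 'sha256-' + hex digest of the artifact."""
    return "sha256-" + hashlib.sha256(data).hexdigest()


# Constructed artifact bytes standing in for the delivered ingredients.
ARTIFACTS = {
    "surl:sandwich/chicken-mayo": b"assembled sandwich",
    "surl:bakery/sourdough": b"sourdough loaf, sliced",
    "surl:dairy/mayo": b"mayonnaise, 250ml",
    "surl:farm/egg": b"free-range egg",
    "surl:farm/chicken": b"roast chicken breast",
}

# Constructed SBOM. The egg <-> chicken edge is the circular dependency the
# summary mentions; the mayo's "http://" registry is the insecure one; the egg
# carries a hash that does not match its artifact.
SBOM_JSON = json.dumps({
    "sbom_version": "1.0",
    "ingredients": [
        {"surl": "surl:sandwich/chicken-mayo", "name": "chicken-mayo", "version": "1.0.0",
         "supplier": "Corner Deli", "registry": "https://registry.example",
         "integrity": sha256_sri(ARTIFACTS["surl:sandwich/chicken-mayo"]), "license": "MIT",
         "dependencies": ["surl:bakery/sourdough", "surl:dairy/mayo", "surl:farm/chicken"]},
        {"surl": "surl:bakery/sourdough", "name": "sourdough", "version": "3.1.0",
         "supplier": "Corner Bakery", "registry": "https://registry.example",
         "integrity": sha256_sri(ARTIFACTS["surl:bakery/sourdough"]), "license": "CC-BY-4.0",
         "dependencies": []},
        {"surl": "surl:dairy/mayo", "name": "mayo", "version": "1.4.2",
         "supplier": "Single Dev Dairy", "registry": "http://mirror.example",
         "integrity": sha256_sri(ARTIFACTS["surl:dairy/mayo"]), "license": "Proprietary",
         "dependencies": ["surl:farm/egg"]},
        {"surl": "surl:farm/egg", "name": "egg", "version": "2.0.0",
         "supplier": "Hillside Farm", "registry": "https://registry.example",
         "integrity": sha256_sri(b"tampered egg"), "license": "MIT",  # wrong hash
         "dependencies": ["surl:farm/chicken"]},
        {"surl": "surl:farm/chicken", "name": "chicken", "version": "5.2.1",
         "supplier": "Hillside Farm", "registry": "https://registry.example",
         "integrity": sha256_sri(ARTIFACTS["surl:farm/chicken"]), "license": "MIT",
         "dependencies": ["surl:farm/egg"]},
    ],
})

# Constructed NSVD stand-in: (surl, first affected, first fixed, advisory id).
NSVD = [
    ("surl:dairy/mayo", "1.0.0", "1.5.0", "CVE-2024-MAYO"),
    ("surl:bakery/sourdough", "1.0.0", "3.0.0", "CVE-2023-GLUTEN"),
]


def vtuple(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text: str) -> dict:
    """Parse the JSON and reject any ingredient lacking a mandatory field."""
    items = {}
    for ing in json.loads(text)["ingredients"]:
        missing = [f for f in REQUIRED if f not in ing]
        if missing:
            raise ValueError(f"{ing.get('surl', '?')} missing {missing}")
        items[ing["surl"]] = ing
    return items


def resolve(items: dict, root: str):
    """Depth-first walk from root; returns (assembly order, warnings).
    An ingredient still on the recursion stack is a circular dependency."""
    order, warnings, state = [], [], {}  # state: 1 = on stack, 2 = finished
    def visit(surl, path):
        if state.get(surl) == 2:
            return
        if state.get(surl) == 1:
            warnings.append("circular: " + " -> ".join(path + [surl]))
            return
        if surl not in items:
            warnings.append(f"unresolved: {surl}")
            return
        state[surl] = 1
        for dep in items[surl].get("dependencies", []):
            visit(dep, path + [surl])
        state[surl] = 2
        order.append(surl)
    visit(root, [])
    return order, warnings


def audit(items: dict, order: list, artifacts=ARTIFACTS, nsvd=NSVD) -> list:
    """Transitive audit: integrity mismatch, insecure registry, known advisories."""
    findings = []
    for surl in order:
        ing = items[surl]
        if surl in artifacts and sha256_sri(artifacts[surl]) != ing["integrity"]:
            findings.append((surl, "integrity mismatch"))
        if not ing.get("registry", "").startswith("https://"):
            findings.append((surl, "insecure registry"))
        v = vtuple(ing["version"])
        for vuln_surl, lo, hi, advisory in nsvd:
            if vuln_surl == surl and vtuple(lo) <= v < vtuple(hi):
                findings.append((surl, advisory))
    return findings


def run(text: str = SBOM_JSON, root: str = "surl:sandwich/chicken-mayo"):
    items = load_sbom(text)
    order, warnings = resolve(items, root)
    return order, warnings, audit(items, order)


if __name__ == "__main__":
    for label, rows in zip(("order", "warnings", "findings"), run()):
        print(label, rows)
```

Running it lists the assembly order (leaves first), one circular-dependency warning for the egg/chicken loop, and three findings: the tampered egg hash, the mayo's insecure registry, and the mayo version falling inside the constructed CVE-2024-MAYO range. The sourdough at 3.1.0 is above the invented fixed version for CVE-2023-GLUTEN and is not flagged.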