Why you want labels for software, just like for food

(Paywall-free popularization like this is what I do for a living. To support me, see the end of this post)

Even more, possibly.


Do you know what an SBOM is? No? You should! To help you, here is my own synthesis, as simple as possible, of a much geekier post about a very geeky concept that, in an age where so much depends on how software is used AROUND you, becomes every year more important for everybody.

What Exactly Is an SBOM?

An SBOM is the digital equivalent for software of a food label, or of the packing slips attached to the sides of parcels.

Those labels and slips tell where the food or parcel came from, who packaged it and when, together with serial numbers and other tracking data, and of course a list of what is inside.

SBOMs let consumers and developers do the same with software components, plus a lot more.

An SBOM, for example, informs all the “consumers” of some software about what they can legally do with it (modify, resell and so on). Even more important is the fact that an SBOM allows automatic verification of all the information it contains, as well as checking whether some software has known security vulnerabilities in any of its components.

The Two SBOM Standards

Most projects that produce and/or process SBOMs today will do so in one of two standards: CycloneDX and SPDX. Their differences, and how they interoperate, are a matter for software students and professionals, so I won’t cover them here. The only concept I want to share, and that every responsible citizen should know, is that:

  • SBOM standards “give the world a better introspection into software releases”
  • that “introspection” is absolutely vital for the correct operation of every service that uses software
  • and since the definition above includes pretty much the whole human society, we all better demand wide, complete adoption of SBOMs for all software, with both our wallets and our votes
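To make that “automatic verification” concrete, here is a small Python example I am adding to this post (it is not code from the geekier post above, nor from any SBOM tool): it reads a tiny, made-up CycloneDX document, notes what each component is licensed under, and compares component versions against a made-up advisory list. The package names, versions and advisory id are all constructed placeholders.

```python
import json

# Constructed minimal CycloneDX 1.5 document (sample data, not a real release).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "weblib", "version": "2.3.1",
     "purl": "pkg:pypi/weblib@2.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "oldlib", "version": "1.0.2",
     "purl": "pkg:pypi/oldlib@1.0.2",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed advisory feed: purl (without version) -> [(affected version, advisory id)].
# The id is a placeholder; a real check would query a vulnerability database.
ADVISORIES = {"pkg:pypi/oldlib": [("1.0.2", "ADV-PLACEHOLDER-0001")]}


def load_components(sbom_text):
    """Parse a CycloneDX JSON SBOM into (purl without version, version, license ids)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for comp in doc.get("components", []):
        base = comp.get("purl", "").split("@", 1)[0]
        ids = [e["license"]["id"] for e in comp.get("licenses", [])
               if "id" in e.get("license", {})]
        out.append((base, comp.get("version"), ids))
    return out


def find_vulnerable(components, advisories):
    """Return (purl, version, advisory id) for every component an advisory covers."""
    return [(base, ver, adv) for base, ver, _ in components
            for affected, adv in advisories.get(base, []) if ver == affected]


def find_license_conflicts(components, disallowed):
    """Return purls whose declared license is on the disallowed list (a policy check)."""
    return [base for base, _, ids in components if any(i in disallowed for i in ids)]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print(find_vulnerable(comps, ADVISORIES), find_license_conflicts(comps, {"GPL-3.0-only"}))
```

Run it and the second component is flagged both for the placeholder advisory and for the license policy; swap in a real SBOM and a real advisory feed and the same logic does the job the post describes.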

Who writes this, why, and how to help

I am Marco Fioretti, tech writer and aspiring polymath doing human-digital research and popularization.
I do it because YOUR civil rights and the quality of YOUR life depend every year more on how software is used AROUND you.

To this end, I have already shared more than a million words on this blog, without any paywall or user tracking, and am sharing the next million through a newsletter, also without any paywall.

The more direct support I get, the more I can continue to inform for free parents, teachers, decision makers, and everybody else who should know more stuff like this. You can support me with paid subscriptions to my newsletter, donations via PayPal (mfioretti@nexaima.net) or LiberaPay, or in any of the other ways listed here. THANKS for your support!