Folio I · MMXXVI
sbom.wiki
A quiet catalog of what is inside the software you trust.
Card II
The Manifest
Each component a specimen. Each version a date of collection. Each dependency a lineage to be understood.
Below is an excerpted entry from the registry, rendered in the manner of a bill of materials. Every field is observable, auditable, and traceable to its origin. Nothing is hidden behind abstractions; everything is named.
- Artifact: libcurl
- Version: 8.6.0
- License: curl (MIT/X derivative)
- Supplier: Haxx AB, Göteborg
- Released: 2024 · 03 · 27
- SHA-256: 9fab2…c7e1
- Dependencies: 14 direct · 63 transitive
- Classification: Network · Primary
- Attestation: in-toto SLSA-3
An SBOM is not a list. It is an assertion: this is what I am made of, and here is how you may verify it. To maintain one is an act of scholarship — a refusal to forget.
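The assertion can be checked mechanically. The following is an added example, not an entry or tool from the registry: a constructed SBOM, loosely following the CycloneDX JSON layout (components carrying hashes, and a dependency graph keyed by bom-ref), with the two checks an auditor runs first. Does the recorded SHA-256 match the artefact actually on disk, and how many components sit behind the one named? The component names, bom-refs and artefact bytes are all invented; the digest field is computed from the constructed bytes so that the verification has something real to compare against, and the dependency graph deliberately contains a cycle so the traversal has to handle one.

```python
"""Check an SBOM entry against its artefact and count what it pulls in."""
import hashlib
import json
from collections import deque
from typing import Tuple

# Constructed bytes standing in for a built library; not any real release.
ARTIFACT = b"constructed placeholder for a compiled library\n"
TAMPERED = ARTIFACT + b"one extra byte\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artefact, the same form an SBOM records it in."""
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM document (CycloneDX-like). Refs and names are hypothetical.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:example/netlib@1.0.0", "name": "netlib", "version": "1.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACT)}]},
        {"bom-ref": "pkg:example/tls@2.3.0", "name": "tls", "version": "2.3.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"constructed tls")}]},
        {"bom-ref": "pkg:example/asn1@0.9.1", "name": "asn1", "version": "0.9.1",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"constructed asn1")}]},
        # Deliberately recorded without a digest: present in the list, unverifiable.
        {"bom-ref": "pkg:example/zlib@1.3.0", "name": "zlib", "version": "1.3.0"},
    ],
    # Edges: netlib -> tls, zlib; tls -> asn1; asn1 -> tls (a cycle, on purpose).
    "dependencies": [
        {"ref": "pkg:example/netlib@1.0.0",
         "dependsOn": ["pkg:example/tls@2.3.0", "pkg:example/zlib@1.3.0"]},
        {"ref": "pkg:example/tls@2.3.0", "dependsOn": ["pkg:example/asn1@0.9.1"]},
        {"ref": "pkg:example/asn1@0.9.1", "dependsOn": ["pkg:example/tls@2.3.0"]},
        {"ref": "pkg:example/zlib@1.3.0", "dependsOn": []},
    ],
})
SBOM = json.loads(SBOM_JSON)


def find_component(sbom: dict, ref: str) -> dict:
    for comp in sbom["components"]:
        if comp["bom-ref"] == ref:
            return comp
    raise KeyError(f"no component with bom-ref {ref}")


def verify_digest(sbom: dict, ref: str, artifact: bytes) -> bool:
    """True only if the SBOM records a SHA-256 for ref and it matches artifact.

    An entry with no digest returns False: it can be trusted, not verified."""
    comp = find_component(sbom, ref)
    recorded = {h["content"].lower() for h in comp.get("hashes", [])
                if h.get("alg") == "SHA-256"}
    if not recorded:
        return False
    return sha256_hex(artifact) in recorded


def dependency_counts(sbom: dict, ref: str) -> Tuple[int, int]:
    """Return (direct, transitive) for ref.

    direct = components ref depends on immediately;
    transitive = every distinct component reachable from ref (direct included),
    ref itself excluded even when the graph cycles back to it."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = graph.get(ref, [])
    seen = set()
    queue = deque(direct)
    while queue:
        cur = queue.popleft()
        if cur == ref or cur in seen:
            continue          # the cycle guard: visit each node once
        seen.add(cur)
        queue.extend(graph.get(cur, []))
    return len(direct), len(seen)


if __name__ == "__main__":
    root = "pkg:example/netlib@1.0.0"
    print("digest matches:", verify_digest(SBOM, root, ARTIFACT))
    print("digest matches (tampered):", verify_digest(SBOM, root, TAMPERED))
    print("direct, transitive:", dependency_counts(SBOM, root))
```

The zlib entry shows why a bill of materials is only as good as its fields: a component listed without a digest is still catalogued, but nothing about it can be checked, and the verifier refuses to call it verified.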
Card III
On Provenance & Trust
To know a thing is to know where it came from. The mediaeval pharmacopoeia named the mountain, the month, and the hand that harvested each herb — not because the author was fastidious, but because efficacy and safety depended upon it. Software is no different. A dependency of unknown origin is a remedy from an unmarked bottle.
Provenance is the chain of custody from source to artefact: who wrote it, who reviewed it, who built it, who signed it, and who holds the keys. A software bill of materials records the components; a provenance record records the journey each component took to arrive at your system.
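What a provenance record looks like when it is checked rather than merely read, as an added example that is not part of the registry: a statement loosely modelled on the in-toto Statement and SLSA provenance layout (a subject digest, the builder that produced it, and the source material it was built from), wrapped in an envelope with a signature. The builder identity, key id, source URI and artefact bytes are all hypothetical. One substitution is labelled in the code: the signature is an HMAC over the payload so the example runs with the standard library alone; a real deployment would use an asymmetric signature (for instance a DSSE envelope verified against a public key), and the verification order, signature first and contents only afterwards, is the point being shown.

```python
"""Verify a provenance statement: who signed, who built, from what, producing what."""
import hashlib
import hmac
import json
from typing import List

# Stand-in keyring. In practice these would be public keys; HMAC secrets are used
# here only so the example verifies offline with the standard library.
TRUSTED_KEYS = {"builder-key-1": b"constructed-verification-secret"}
TRUSTED_BUILDERS = {"https://ci.example.invalid/builder"}

ARTIFACT = b"constructed artefact bytes\n"
SOURCE_DIGEST = hashlib.sha256(b"constructed source tree at one commit").hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, source_digest: str, builder_id: str) -> dict:
    """Provenance statement: subject (what), builder (who), materials (from what)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "netlib-1.0.0.tar.gz",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"resolvedDependencies": [
                {"uri": "git+https://example.invalid/netlib",
                 "digest": {"sha256": source_digest}}]},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign(statement: dict, keyid: str) -> dict:
    """Envelope: canonical JSON payload plus signatures over it (HMAC stand-in)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(TRUSTED_KEYS[keyid], payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signatures": [{"keyid": keyid, "sig": sig}]}


def verify_provenance(envelope: dict, artifact: bytes,
                      expected_source_digest: str) -> List[str]:
    """Return the list of failed checks; an empty list means the chain holds."""
    failures = []
    payload = envelope["payload"].encode()

    # 1. Signature from a key we trust, checked before the payload is parsed.
    signed = False
    for s in envelope.get("signatures", []):
        key = TRUSTED_KEYS.get(s.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, s.get("sig", "")):
            signed = True
    if not signed:
        failures.append("no signature from a trusted key")
        return failures  # unsigned claims are not worth reading further

    statement = json.loads(payload)

    # 2. The builder that claims to have produced it is one we accept.
    builder = statement["predicate"]["runDetails"]["builder"]["id"]
    if builder not in TRUSTED_BUILDERS:
        failures.append(f"untrusted builder {builder}")

    # 3. The statement is about the artefact actually in hand.
    digest = sha256_hex(artifact)
    if not any(sub["digest"].get("sha256") == digest for sub in statement["subject"]):
        failures.append("subject digest does not match artifact")

    # 4. The source it was built from is the source we expected.
    materials = statement["predicate"]["buildDefinition"]["resolvedDependencies"]
    if not any(m["digest"].get("sha256") == expected_source_digest for m in materials):
        failures.append("expected source digest not among build materials")
    return failures


if __name__ == "__main__":
    env = sign(make_statement(ARTIFACT, SOURCE_DIGEST,
                              "https://ci.example.invalid/builder"), "builder-key-1")
    print("failures:", verify_provenance(env, ARTIFACT, SOURCE_DIGEST))
```

Each check answers one of the questions in the paragraph above: who signed (the keyring), who built (the builder id), from what (the resolved source digest) and what came out (the subject digest). Failing any one of them breaks the chain of custody, which is why the function reports every failure rather than stopping at the first, except when the signature itself does not hold.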
There is something peaceful about this kind of work. It is not glamorous. It does not announce itself. It is the quiet discipline of a librarian who knows every volume on every shelf — not to impress visitors, but because the library must remain navigable after the lights are dimmed and the reading rooms closed.
“We are, in the end, what our footnotes say we are.”
The registry does not promise safety. It promises visibility. And visibility, in matters of software as in matters of scholarship, is the precondition of trust.