HN Today

Sandwich Bill of Materials

This satirical specification introduces the 'Sandwich Bill of Materials' (SBOM), meticulously applying software supply chain, dependency management, and security concepts to the humble sandwich. It envisions a world where sandwiches have licenses, CVEs, and reproducible builds, all to humorous and surprisingly insightful effect. The story resonates with the HN audience by taking complex technical problems and recontextualizing them through an absurdly detailed, yet familiar, lens.

Score: 4 · Comments: 0 · Highest Rank: #4 · 6h on Front Page
First Seen: Feb 13, 5:00 PM · Last Seen: Feb 13, 10:00 PM

The Lowdown

The "Sandwich Bill of Materials" (SBOM) is a proposed draft specification aiming to standardize the enumeration, provenance, and verification of ingredients in modern sandwich construction. Framed as a response to the complex, transitive dependencies within sandwiches (like bacon depending on a pig, which depends on feed corn) and past crises (e.g., the 2025 egg price crisis, likened to a 'left-pad incident'), the SBOM seeks to bring order to culinary chaos.

  • Specification Details: An SBOM document is a JSON file (.sbom) detailing each component with a Sandwich URL (surl:), name, version (using food-specific schemes like calendar dates for tomatoes, age for cheese, and semver for bread), supplier (e.g., farm://, back-of-the-fridge://), integrity hash, and license.
  • Humorous Licensing: It defines licenses such as MIT (Mustard Is Transferable), GPL (General Pickle License, making the entire sandwich open-source), AGPL (for delivery apps), BSD, SSPL (requiring open-sourcing the kitchen for sandwich-as-a-service), and proprietary for 'secret sauces'.
  • Dependency Management: Describes depth-first dependency resolution, version negotiation, and warnings for circular dependencies like 'co-dependent sourdough'.
  • Vulnerability Scanning: Proposes a National Sandwich Vulnerability Database (NSVD) with examples like CVE-2024-MAYO (mayonnaise at room temperature), CVE-2023-GLUTEN (bread contains gluten as a feature), CVE-2025-AVO (avocado ripeness window), and CVE-2019-SPROUT (arbitrary bacteria execution).
  • Provenance and Reproducibility: Requires signed provenance attestations from suppliers, aiming for hermetic build environments and extending attestation chains to the seed or animal of origin. It acknowledges the aspirational nature of 'reproducible builds' for sandwiches, listing non-deterministic factors like knife sharpness and the gravitational constant.
  • Auditing and Compliance: An sbom audit command flags issues like outdated ingredients or components from untrustworthy registries. It notes mixed adoption, with artisanal shops objecting and fast food shipping 'compiled binaries'. The EU Sandwich Resilience Act (SRA) and US Executive Order 14028.5 (potentially confused with Software BOM) are mentioned as drivers for adoption.
  • Sandwich Heritage Foundation: Inspired by Software Heritage, this foundation attempts to archive all SBOMs, struggling with the practicalities of hashing and long-term preservation of perishable items, and facing skepticism regarding whether sandwiches can be 'digital artifacts'.

Ultimately, this 'specification' is a testament to the author's ability to blend deep technical understanding with sharp wit, creating a document that is both entertaining and a pointed commentary on the complexities and occasional absurdities of modern software development practices. It is dedicated to a now-closed sandwich shop, a poignant nod to the ephemeral nature of even the most perfectly constructed creations.