
Could lockfiles just be SBOMs?

https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html
18•zdw•2h ago

Comments

firloop•2h ago
Another drawback could be that package manager lockfile schemas are optimized for performance[0]. I wouldn't appreciate seeing slower install times by default - especially if the lockfile could be converted with other tooling.

[0]: https://bun.com/blog/behind-the-scenes-of-bun-install#optimi...

zingar•1h ago
I'm hearing the SBOM term for the first time from that article and the linked Wikipedia page. For the ignorant like me: what is it that SBOM is used for that lockfiles aren't? Everything in the article is something that I'm used to seeing automated scanners using lockfiles for.

Is it just that the two are used by different communities? What is the SBOM community?

edoceo•1h ago
In many cases the lock files are for one part of the stack. Like npm and composer and $other_lang thing. SBOM is when all are together and version-pinned. (I've oversimplified.)

Edit: for my domain we have Alpine, Debian, PHP, JS, Go in the stack. So our BOM has all that (and dependencies). It's a big list. Some is just necessary base (Alpine, Debian) but some are core stack and others are edge (dependency on a Python lib when we're mostly Rust (or something)).

Mirror/Vendor all these things for supply-chain integrity (it's what they tell me)

LoganDark•1h ago
> what is it that SBOM is used for that lockfiles aren’t?

Compliance. The article mentions "the EU’s Cyber Resilience Act will push vendors toward providing SBOMs", and having package managers generate SBOMs directly would certainly be convenient for that.

woodruffw•1h ago
This is a great summary, although I think I'm more bearish on SBOMs than Andrew is: my experience integrating them so far (in both pip-audit and uv) has been that there's much more malleability at the representation level than the presence of a standard might imply, and that consumers have adapted (a la Postel) to this reality by being very permissive with the kinds of broken stuff they permit when ingesting third-party SBOMs.

(Case in point: pip-audit's CycloneDX emission was subtly incorrect for years, and nobody noticed[1].)

[1]: https://github.com/pypa/pip-audit/pull/981

endorphine•35m ago
From https://en.wikipedia.org/wiki/Software_supply_chain:

> A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.

phendrenad2•23m ago
> the security world has been pushing CycloneDX and SPDX

> CycloneDX supports JSON, XML, and YAML

And SPDX is JSON.

Are there any other examples of government-mandated non-human-readable file formats? I feel like bureaucracies have a natural tendency to water down requirements such as this and instead focus on getting wet signatures on pen-and-paper.

Lvl999Noob•1m ago
Personally, I would prefer that the package managers keep their own lockfiles with all their metadata. A CI process (using the package managers themselves) can create the SBOM for every commit in a standardized environment. We get all the same benefits without losing anything (the package managers can keep their own formats and metadata and remove anything unneeded for the SBOM from it).
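As an added example (editor's code, not from the article, npm, pip-audit or uv), here is the CI step Lvl999Noob describes above, sketched for npm: read a `package-lock.json` (lockfileVersion 3) and emit a minimal CycloneDX JSON document, then run the kind of consistency check that woodruffw's comment suggests permissive consumers tend to skip (purl agreeing with name/version, unique `bom-ref`s, hashes actually hex of the right length). The lockfile content is constructed; the CycloneDX fields used are a small subset and specVersion 1.5 is assumed.

```python
"""Convert a constructed npm package-lock.json (lockfileVersion 3) into a
minimal CycloneDX 1.5 JSON SBOM, then sanity-check the result.

Added example: not code from the article, npm, pip-audit or uv.
The lockfile below is constructed for illustration only.
"""
import base64
import json
import urllib.parse

# Constructed sample lockfile: a scoped package and a nested duplicate name.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"left-pad": "^1.3.0", "@scope/util": "2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-" + base64.b64encode(b"\x01" * 64).decode(),
        },
        "node_modules/@scope/util": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/util/-/util-2.0.0.tgz",
            "integrity": "sha512-" + base64.b64encode(b"\x02" * 64).decode(),
        },
        # Same name, different version, nested under another package.
        "node_modules/@scope/util/node_modules/left-pad": {
            "version": "1.1.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.1.0.tgz",
            "integrity": "sha512-" + base64.b64encode(b"\x03" * 64).decode(),
        },
    },
})

# SRI algorithm prefix -> CycloneDX hash algorithm name and expected hex length.
INTEGRITY_ALGS = {"sha512": ("SHA-512", 128), "sha384": ("SHA-384", 96),
                  "sha256": ("SHA-256", 64), "sha1": ("SHA-1", 40)}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[1]


def npm_purl(name, version):
    """Package URL for npm; the '@' of a scope is percent-encoded as %40."""
    return "pkg:npm/%s@%s" % (urllib.parse.quote(name, safe="/"), version)


def integrity_to_hash(integrity):
    """SRI 'sha512-<base64>' -> {'alg': 'SHA-512', 'content': <hex>}."""
    alg, b64 = integrity.split("-", 1)
    return {"alg": INTEGRITY_ALGS[alg][0], "content": base64.b64decode(b64).hex()}


def lockfile_to_cyclonedx(lock_text):
    """Build a minimal CycloneDX 1.5 document from lockfile text (assumed subset)."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("only lockfileVersion 3 is handled here")
    components, seen = [], set()
    for path, entry in lock["packages"].items():
        if path == "":            # root project, described under metadata
            continue
        name, version = package_name(path), entry["version"]
        purl = npm_purl(name, version)
        if purl in seen:          # same name+version installed at several paths
            continue
        seen.add(purl)
        comp = {"type": "library", "name": name, "version": version,
                "purl": purl, "bom-ref": purl}
        if "integrity" in entry:
            comp["hashes"] = [integrity_to_hash(entry["integrity"])]
        components.append(comp)
    components.sort(key=lambda c: c["purl"])   # deterministic output per commit
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application",
                                       "name": lock["name"], "version": lock["version"]}},
            "components": components}


def check_sbom(bom):
    """Return a list of internal inconsistencies a strict consumer would reject."""
    problems, refs = [], set()
    for c in bom["components"]:
        if c["purl"] != npm_purl(c["name"], c["version"]):
            problems.append("purl does not match name/version: " + c["purl"])
        if c["bom-ref"] in refs:
            problems.append("duplicate bom-ref: " + c["bom-ref"])
        refs.add(c["bom-ref"])
        for h in c.get("hashes", []):
            expected = {v[0]: v[1] for v in INTEGRITY_ALGS.values()}[h["alg"]]
            if len(h["content"]) != expected or set(h["content"]) - set("0123456789abcdef"):
                problems.append("malformed %s digest for %s" % (h["alg"], c["purl"]))
    return problems


if __name__ == "__main__":
    bom = lockfile_to_cyclonedx(SAMPLE_LOCKFILE)
    print(json.dumps(bom, indent=2))
    print("problems:", check_sbom(bom))
```

The lockfile keeps its install-path layout and SRI strings; the SBOM flattens that to one component per name+version with hex digests, which is where a converter can silently go wrong (wrong encoding, scope not percent-encoded, duplicate refs) without any consumer complaining, so the check runs in the same CI job before the document is published.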
