SBOM Mandate vs. Trust Model: Why Crate Volume Metrics Are Obsolete for Supply Chain Security
Formal supply chain tracking is viewed as a necessity; the specific requirement named is a Software Bill of Materials (SBOM) following CISA guidelines.
The discourse splits on the required depth of assurance. Some users argue that quantitative metrics such as download counts are garbage: 'MoSal' and 'FizzyOrange' both criticize reliance on default versions or mere volume stats. 'FizzyOrange' forcefully pivots the argument away from volume, insisting the real stat to track is 'how many authors are being trusted typically for each crate.' Meanwhile, 'blazebra' attacks the tooling itself, stating that even pinning a version via tools like binstall doesn't stop outdated binaries.
The weight of the analysis points away from simple tooling adoption. While mandating an SBOM (as noted by 'collimated_thought') is a clear consensus point, the underlying fight is over trust modeling. The core issue isn't just *knowing* what you have; it's validating *who* provided it, suggesting provenance and author trust supersede raw package counts.
Key Points
Formal tracking mechanisms like SBOM are required for supply chain integrity.
Consensus demands SBOM implementation, explicitly referencing CISA guidelines, with 'collimated_thought' cited as the main voice for it.
Relying on raw download counts or basic version pinning is insufficient.
'MoSal' and 'blazebra' both argued current metrics fail because they ignore build complexity (e.g., binstall issues) or only check default states.
Security focus must shift from package volume to author reputation.
'FizzyOrange' staked this point: the valuable metric is measuring 'how many authors are being trusted typically for each crate.'
Current security tooling cannot account for modern build system complexities.
'blazebra' noted that simply specifying version '1' is useless against advanced build toolchains.
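The metric 'FizzyOrange' proposes, the number of publishing accounts you end up trusting per crate, is easy to compute once you have the dependency graph and each crate's owner list, which is exactly the information an SBOM plus registry owner data gives you. The following is an added example, not code from the discussion or from any project mentioned in it: it walks a small constructed registry (crate names, owner accounts and download counts are all made up) and ranks each direct dependency by how many distinct owners its whole subtree pulls in, next to its download count, to show that the two orderings need not agree.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

/// One crate in a constructed (not real) registry snapshot: its direct
/// dependencies, the accounts allowed to publish it, and a download count.
#[derive(Debug, Clone)]
pub struct CrateInfo {
    pub deps: Vec<&'static str>,
    pub owners: Vec<&'static str>,
    pub downloads: u64,
}

pub type Registry = BTreeMap<&'static str, CrateInfo>;

/// Constructed sample data; crate and account names are illustrative only.
pub fn sample_registry() -> Registry {
    let rows: &[(&str, &[&str], &[&str], u64)] = &[
        ("app",         &["http-client", "ini-parse"], &["ourteam"],        0),
        ("http-client", &["tls", "url"],               &["alice"],          1_000_000),
        ("tls",         &["ring-like"],                &["alice", "bob"],   900_000),
        ("ring-like",   &[],                           &["carol"],          5_000_000),
        ("url",         &[],                           &["dave"],           8_000_000),
        ("ini-parse",   &["tiny-util"],                &["erin"],           2_000_000),
        ("tiny-util",   &[],                           &["frank", "grace"], 3_000_000),
    ];
    rows.iter()
        .map(|&(name, deps, owners, downloads)| {
            (name, CrateInfo { deps: deps.to_vec(), owners: owners.to_vec(), downloads })
        })
        .collect()
}

/// Every crate reachable from `root`, including `root`. Breadth-first with a
/// visited set, so dependency cycles terminate.
pub fn closure(reg: &Registry, root: &'static str) -> BTreeSet<&'static str> {
    let mut seen = BTreeSet::from([root]);
    let mut queue = VecDeque::from([root]);
    while let Some(name) = queue.pop_front() {
        if let Some(info) = reg.get(name) {
            for &dep in &info.deps {
                if seen.insert(dep) {
                    queue.push_back(dep);
                }
            }
        }
    }
    seen
}

/// Distinct publishing accounts you implicitly trust by depending on `root`:
/// the union of owners over the whole subtree (the per-crate number the
/// discussion argues for, computed here over the constructed registry).
pub fn trusted_authors(reg: &Registry, root: &'static str) -> BTreeSet<&'static str> {
    closure(reg, root)
        .into_iter()
        .filter_map(|c| reg.get(c))
        .flat_map(|info| info.owners.iter().copied())
        .collect()
}

/// For each direct dependency of `root`: (crate, downloads, trusted-author
/// count), sorted by author count descending so the dependency that widens
/// the trust surface most comes first, whatever its download volume.
pub fn rank_direct_deps(reg: &Registry, root: &'static str) -> Vec<(&'static str, u64, usize)> {
    let mut rows: Vec<_> = reg[root]
        .deps
        .iter()
        .map(|&d| (d, reg[d].downloads, trusted_authors(reg, d).len()))
        .collect();
    rows.sort_by(|a, b| b.2.cmp(&a.2).then(a.0.cmp(b.0)));
    rows
}

fn main() {
    let reg = sample_registry();
    let all = trusted_authors(&reg, "app");
    println!("app transitively trusts {} accounts: {:?}", all.len(), all);
    for (name, downloads, authors) in rank_direct_deps(&reg, "app") {
        println!("{name:<12} downloads={downloads:>9} trusted_authors={authors}");
    }
}
```

In the sample, `ini-parse` has twice the downloads of `http-client`, yet `http-client` is the one that makes the project trust four separate accounts through its subtree, which is the kind of inversion the volume-versus-authors argument turns on. On a real project the `deps` column would come from the lockfile or SBOM and `owners` from the registry's owner listing; the traversal and the set union stay the same.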
Source Discussions (3)
This report was synthesized from the following Lemmy discussions, ranked by community score.