by PaulDavisThe1st
1652 days ago
This seems to represent a rather limited concept of what an actual SBOM would need to be, rather impacted by someone working (primarily?) with non-compiled languages. If your app depends on compiled libraries, then the build-time options used to construct the library are as important as version and checksum information. I see this a lot on HN and the links here - lots of developers for whom a "dependency" is literally a file of non-compiled code, and thus not subject to changes in behavior unless edited. This is not true for compiled languages (and, for all I know, might not even be true for some non-compiled languages).
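As an added example (not code from the comment above, and not from any SBOM tool or standard), here is a small Python model of the point being made: a compiled dependency's identity has to include the build configuration, because two builds of the same version from the same source can behave differently while a source-only record (name, version, source checksum) cannot tell them apart. The library name `libfoo`, the flags, the `LIBFOO_LEGACY_PARSER` macro and all checksums are constructed for illustration; the purl `build` qualifier and the `build:*` property names are this example's own convention, not part of the purl or CycloneDX specifications.

```python
"""Build-aware identity for a compiled dependency in an SBOM.

Added example, not code from the thread or from any SBOM tool. It models the
point made in the comment: a compiled library's behaviour is determined by its
source *and* by the options it was built with, so an SBOM entry that records
only name, version and a source checksum cannot distinguish two such builds.
Component names, flags, macros and hashes below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class BuildConfig:
    """Inputs to a compile that change the artifact without changing the source."""
    compiler: str                                # toolchain identity, e.g. "gcc 13.2.0"
    flags: tuple = ()                            # kept in order: "-O0 -O2" != "-O2 -O0"
    defines: dict = field(default_factory=dict)  # -D macros; order does not matter
    env: dict = field(default_factory=dict)      # build-affecting env vars (CFLAGS, ...)

    def digest(self) -> str:
        """SHA-256 over a canonical JSON form; stable across macro/env ordering,
        sensitive to flag ordering and to every flag and macro value."""
        canon = {
            "compiler": self.compiler,
            "flags": list(self.flags),
            "defines": dict(sorted(self.defines.items())),
            "env": dict(sorted(self.env.items())),
        }
        raw = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()


def naive_identity(name: str, version: str, source_sha256: str) -> str:
    """What a source-centric SBOM records: a purl with a source checksum qualifier.
    Sufficient when the 'dependency' is a file of interpreted code."""
    return f"pkg:generic/{name}@{version}?checksum=sha256:{source_sha256}"


def build_identity(name: str, version: str, source_sha256: str, cfg: BuildConfig) -> str:
    """Same purl plus a 'build' qualifier (this example's own, not a standard
    purl qualifier) carrying the build-configuration digest."""
    return naive_identity(name, version, source_sha256) + "&build=" + cfg.digest()[:16]


def sbom_component(name, version, source_sha256, artifact_sha256, cfg):
    """A CycloneDX-style component dict. The 'properties' names are this example's
    own convention; CycloneDX only fixes that properties are name/value pairs."""
    return {
        "type": "library",
        "name": name,
        "version": version,
        "purl": naive_identity(name, version, source_sha256),
        "bom-ref": build_identity(name, version, source_sha256, cfg),
        "hashes": [{"alg": "SHA-256", "content": artifact_sha256}],
        "properties": [
            {"name": "build:compiler", "value": cfg.compiler},
            {"name": "build:flags", "value": " ".join(cfg.flags)},
            {"name": "build:defines", "value": json.dumps(dict(sorted(cfg.defines.items())))},
            {"name": "build:config-digest", "value": cfg.digest()},
        ],
    }


def compare(a: dict, b: dict) -> dict:
    """Report whether two component entries collide under each identity scheme."""
    return {
        "same_by_purl": a["purl"] == b["purl"],          # source-only view
        "same_by_build": a["bom-ref"] == b["bom-ref"],   # build-aware view
        "same_artifact": a["hashes"] == b["hashes"],     # what actually shipped
    }


# Constructed sample: one library version, one source tree, two builds.
SRC_SHA = "3f1a" * 16                        # fake source-tarball checksum
BIN_SHA_A = "aa11" * 16                      # fake artifact checksums, one per build
BIN_SHA_B = "bb22" * 16
CFG_A = BuildConfig("gcc 13.2.0", ("-O2", "-fstack-protector-strong"), {"NDEBUG": "1"})
CFG_B = BuildConfig("gcc 13.2.0", ("-O2", "-fstack-protector-strong"),
                    {"NDEBUG": "1", "LIBFOO_LEGACY_PARSER": "1"})  # hypothetical macro
COMP_A = sbom_component("libfoo", "1.2.3", SRC_SHA, BIN_SHA_A, CFG_A)
COMP_B = sbom_component("libfoo", "1.2.3", SRC_SHA, BIN_SHA_B, CFG_B)

if __name__ == "__main__":
    print(json.dumps(compare(COMP_A, COMP_B), indent=2))
    print(json.dumps(COMP_B, indent=2))
```

Run as a script it shows the two entries agreeing on purl (same name, version and source) but differing on `bom-ref` and artifact hash, which is the gap a source-only SBOM leaves. To populate the `build:*` fields from an actual binary rather than from the build system's memory, GCC's `-frecord-gcc-switches` records the compiler command line in a `.GCC.command.line` section of each object, readable with `readelf -p .GCC.command.line`; that gives an auditor a way to check the recorded flags against what was really compiled.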