by whacker 1349 days ago
> That also means that unless you build a project on two identical hosts then it is unlikely you will get the same SBOMs.

I don't understand why the author thinks this is such an insurmountable issue.

Reproducible builds are possible with a little care: large parts of Debian are built reproducibly. There are tools at https://reproducible-builds.org/

Bazel and similar build systems support reproducible builds, and thus identical SBOMs.
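
As an added example (not code from this thread, from Debian, Bazel or reproducible-builds.org), the Python below shows what "identical SBOMs" means in practice and why a naive byte comparison of two SBOMs from two hosts usually fails even when the builds are reproducible. A CycloneDX JSON SBOM carries a per-document `serialNumber` and a `metadata.timestamp`, and generators emit `components` in traversal order; none of those reflect the software that was built. The code strips those volatile fields, sorts components by purl, and hashes the canonical encoding, so two SBOMs of the same inputs hash identically while a real dependency change still shows up. The three SBOMs, their package names, versions, UUIDs and timestamps are constructed inline for the example.

```python
import hashlib
import json
from copy import deepcopy

# CycloneDX fields that legitimately differ between two builds of the same
# inputs (per-document identity, generation time). They are not properties of
# the software, so they are dropped before comparison.
VOLATILE_TOP_LEVEL = ("serialNumber",)
VOLATILE_METADATA = ("timestamp",)


def canonicalize(sbom: dict) -> dict:
    """Copy of the SBOM with volatile fields removed and components sorted,
    so two logically identical SBOMs serialize to identical bytes."""
    doc = deepcopy(sbom)
    for key in VOLATILE_TOP_LEVEL:
        doc.pop(key, None)
    meta = doc.get("metadata", {})
    for key in VOLATILE_METADATA:
        meta.pop(key, None)
    # Component order is an artefact of the generator's walk of the dependency
    # graph, not of the build; sort by purl (then name/version) to neutralise it.
    doc["components"] = sorted(
        doc.get("components", []),
        key=lambda c: (c.get("purl", ""), c.get("name", ""), c.get("version", "")),
    )
    return doc


def raw_digest(sbom: dict) -> str:
    """SHA-256 of the SBOM as emitted (key-sorted, whitespace-free), i.e. the
    naive comparison that differs between hosts because of volatile fields."""
    blob = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def sbom_digest(sbom: dict) -> str:
    """SHA-256 of the canonical form: equal for reproducible builds."""
    return raw_digest(canonicalize(sbom))


def sbom_diff(a: dict, b: dict) -> dict:
    """Components (by purl) present in only one of the two SBOMs; this is the
    signal you want when canonical digests differ."""
    pa = {c["purl"] for c in a.get("components", []) if "purl" in c}
    pb = {c["purl"] for c in b.get("components", []) if "purl" in c}
    return {"only_in_a": sorted(pa - pb), "only_in_b": sorted(pb - pa)}


def make_sbom(serial: str, timestamp: str, components: list) -> dict:
    """Minimal CycloneDX 1.4 JSON document (constructed example data)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "timestamp": timestamp,
            "component": {"type": "application", "name": "shop-api", "version": "2.3.0"},
        },
        "components": components,
    }


# Constructed sample data: two npm libraries, one of them at two versions.
LODASH = {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
LODASH_OLD = {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"}
EXPRESS = {"type": "library", "name": "express", "version": "4.17.1", "purl": "pkg:npm/express@4.17.1"}

# Hosts A and B built the same lockfile; only generation-time fields and the
# component order differ. Host C resolved a different lodash (lockfile drift).
HOST_A = make_sbom("urn:uuid:1b4e28ba-2fa1-11d2-883f-0016d3cca427", "2021-07-15T09:12:03Z", [LODASH, EXPRESS])
HOST_B = make_sbom("urn:uuid:6ba7b810-9dad-11d1-80b4-00c04fd430c8", "2021-07-15T09:14:41Z", [EXPRESS, LODASH])
HOST_C = make_sbom("urn:uuid:9e107d9d-372b-4b8d-a1f4-5b4d0b4e8a21", "2021-07-15T09:15:02Z", [LODASH_OLD, EXPRESS])


if __name__ == "__main__":
    print("raw A==B:      ", raw_digest(HOST_A) == raw_digest(HOST_B))   # False
    print("canonical A==B:", sbom_digest(HOST_A) == sbom_digest(HOST_B))  # True
    print("canonical A==C:", sbom_digest(HOST_A) == sbom_digest(HOST_C))  # False
    print("diff A vs C:   ", sbom_diff(HOST_A, HOST_C))
```

The point of the canonical digest is that it is the thing worth signing or pinning in CI: a reproducible build should make `sbom_digest` stable across hosts, and when it is not, `sbom_diff` tells you whether the cause is a real dependency change or just another generator-specific field that belongs in the volatile list.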


I was referring to things like Maven, WebPack and NPM. I should have made that clearer. What I have seen is that, in general, the supply chain in more mature tech, and certainly OS tool chains, doesn't have that issue, or is certainly more aware of it. Bazel is great and all that, but dev teams building business apps that are all DevOps-y use plug and play, and any friction to the velocity is rarely a trade-off they even discuss.
If you use Nix on the host OS you can probably make the OS as reproducible as the application layer as well, which is interesting.