by feldrim 395 days ago
An SBOM-like approach to EOL/EOS issues is on the way.
1 comment

I think the only large projects that presently take SBOMs seriously are Nix, Guix, and Go (non-cgo). Bootstrapping is non-trivial, but at least builds are reproducible and can be compared against existing binaries.

"Oh, just write plain C". Which compiler do you mean? GCC? LLVM/clang? On top of what OS/kernel? What firmware? Etc.

Some distros packaging Rust software (openSUSE at least) also transparently set up CARGO=cargo-audit to get embedded SBOMs.
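The embedded dependency record the comment credits Go with is readable from any module-mode binary. What follows is an added example (mine, not feldrim's and not code from the Go project) that turns that record into a component list and diffs two records, which is what comparing a reproduced build against a shipped binary amounts to. It assumes Go 1.18 or later, where the debug/buildinfo package exists; the two build infos returned by SampleBinaries are constructed sample data, and example.com/app, github.com/old/lib and github.com/fork/lib are made-up module paths.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"sort"
)

// Component is one line of the SBOM-like listing recovered from the build
// information the Go toolchain embeds in every module-mode binary.
type Component struct {
	Path     string // module path after any replace directive
	Version  string // resolved version or pseudo-version; "(devel)" for the main module
	Sum      string // go.sum hash (h1:...) when the toolchain recorded one
	Replaced bool   // true when a replace directive redirected the module
}

// Components flattens a BuildInfo into a sorted component list, resolving
// replace directives the way `go version -m` displays them.
func Components(bi *debug.BuildInfo) []Component {
	out := []Component{{Path: bi.Main.Path, Version: bi.Main.Version, Sum: bi.Main.Sum}}
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		out = append(out, Component{Path: m.Path, Version: m.Version, Sum: m.Sum, Replaced: d.Replace != nil})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Diff lists modules whose presence, version or hash differs between two
// binaries, e.g. a locally reproduced build against the one actually deployed.
// An empty result means both were linked from the same module graph.
func Diff(a, b *debug.BuildInfo) []string {
	index := func(bi *debug.BuildInfo) map[string]Component {
		m := make(map[string]Component)
		for _, c := range Components(bi) {
			m[c.Path] = c
		}
		return m
	}
	ma, mb := index(a), index(b)
	var findings []string
	for path, ca := range ma {
		cb, ok := mb[path]
		switch {
		case !ok:
			findings = append(findings, path+": only in first")
		case ca.Version != cb.Version || ca.Sum != cb.Sum:
			findings = append(findings, fmt.Sprintf("%s: %s %s != %s %s",
				path, ca.Version, ca.Sum, cb.Version, cb.Sum))
		}
	}
	for path := range mb {
		if _, ok := ma[path]; !ok {
			findings = append(findings, path+": only in second")
		}
	}
	sort.Strings(findings)
	return findings
}

// Setting returns one recorded build setting. "-trimpath", "CGO_ENABLED" and
// "vcs.modified" are the first ones to check when a rebuild does not match.
func Setting(bi *debug.BuildInfo, key string) (string, bool) {
	for _, s := range bi.Settings {
		if s.Key == key {
			return s.Value, true
		}
	}
	return "", false
}

// SampleBinaries returns two hand-constructed build infos (sample data, not
// read from real binaries; all module paths are made up): the same app once
// with a replaced module, and once with a dependency whose go.sum hash differs.
func SampleBinaries() (deployed, rebuilt *debug.BuildInfo) {
	deployed = &debug.BuildInfo{
		Main: debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/crypto", Version: "v0.17.0", Sum: "h1:aaa"},
			{Path: "github.com/old/lib", Version: "v1.0.0", Sum: "h1:bbb",
				Replace: &debug.Module{Path: "github.com/fork/lib", Version: "v1.0.1", Sum: "h1:ccc"}},
		},
		Settings: []debug.BuildSetting{{Key: "-trimpath", Value: "true"}, {Key: "CGO_ENABLED", Value: "0"}},
	}
	rebuilt = &debug.BuildInfo{
		Main: debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{{Path: "golang.org/x/crypto", Version: "v0.17.0", Sum: "h1:zzz"}},
	}
	return deployed, rebuilt
}

func main() {
	path, err := os.Executable() // default: inspect this very executable
	if len(os.Args) > 1 {
		path, err = os.Args[1], nil
	}
	var bi *debug.BuildInfo
	if err == nil {
		bi, err = buildinfo.ReadFile(path)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "build info:", err)
		os.Exit(1)
	}
	for _, c := range Components(bi) {
		fmt.Printf("%s %s %s replaced=%v\n", c.Path, c.Version, c.Sum, c.Replaced)
	}
	for _, f := range Diff(SampleBinaries()) {
		fmt.Println("sample diff:", f)
	}
}
```

Run it with no argument and it lists the modules linked into itself, the same data `go version -m` prints; pass a path to inspect another binary. The record only covers Go modules: anything linked through cgo is not in it, so for a cgo binary this listing is incomplete by construction.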