[elcritch]

Safety critical fields like aviation already have strict requirements. Usually there's very few software dependencies used in those projects.

Expanding that to more fields would be interesting, but difficult and expensive across the board. Particularly any sort of requirements like that generally incur significant regulatory and certification overhead.

However, if it was done similar to PCISS as an industry forum it might work better. Especially if certain fields like anything connecting with the electric grid we're required to use certified software.

[0xbadcafebee]

Pretty much all construction uses materials which follow a specification. The least we could do is start requiring all commercial software do the following:

  1. Declare an SBOM
  2. Each software component must have a listed specification

We'd then need to make software specifications. Start with the most basic specification possible; "has performed linting", "has full integration test coverage", "has passed QA testing", "has an active maintainer", "lists its license", "does not have a hidden back door", "is free of known vulnerabilities", etc. Make more detailed specifications as-needed (for a particular industry, use case, requirements).

Once we have all that, you can glance at a company's SBOM and find out if they've done the bare minimum due-diligence. We could also make or modify regulations that require these same materials standards, like privacy regulations, financial regulations.

And yes, meeting minimum material standards is more expensive. We already accept that cost in the physical world, why not in the software world? If there's a TDS, SDS, MSDS, etc for physical products, we should have them for software too. I want to know your materials are safe before I use your products. I'm sick of being exposed by companies who are completely irresponsible.