December 23, 2025
Paperwork Panic vs. Performance
Could lockfiles just be SBOMs?
Devs clap back: It’s the same ingredients list—stop adding paperwork
TLDR: A new post asks if lockfiles can double as the “ingredients list” (SBOM) regulators want. Commenters split: some fear slower installs, others think lockfiles already cover it, and skeptics poke fun at government formats—turning it into a practical vs. paperwork showdown.
Today’s hot take: lockfiles—the files that list every package your app uses—are basically SBOMs, a “software bill of materials” that regulators want vendors to ship. With the EU’s Cyber Resilience Act nudging everyone, folks often run tools like Syft or Trivy to convert lockfiles into SBOMs, sometimes losing details. The proposal: skip the conversion and have package managers write SBOMs directly.
Comments lit up. Performance hawks sounded alarms: firloop warned they don’t want installs slowed down just to please auditors. Newcomers chimed in: zingar asked what SBOMs do that lockfiles don’t; in other words, plenty of people see this as paperwork vs. reality. Standards skeptics piled on; woodruffw said SBOM formats are “malleable,” and tools accept all kinds of broken input, so the standards aren’t that standard. Endorphine dropped the textbook definition. Then phendrenad2 went full meme, roasting government-required machine formats and joking about “wet signatures,” and the thread turned into a bureaucracy roast.
By the end, three camps emerged: the speed-first crowd, the keep-it-simple crowd, and the compliance cynics. Some cheer on CycloneDX and SPDX; others say keep lockfiles fast and generate SBOMs only when needed. The mood: cautiously curious, snarky as ever, and very allergic to extra paperwork.
Key Points
- The article asserts that package manager lockfiles already capture SBOM-like data, including packages, versions, checksums, and sources.
- Standard SBOM formats (CycloneDX, SPDX) are promoted for component description and are expected to see greater adoption due to EU regulation.
- Current practice often converts lockfiles to SBOMs using tools like Syft or Trivy, but this conversion can be lossy.
- The author asks whether package managers could output SBOMs directly as lockfiles, concluding it’s mostly feasible but with gaps.
- A cross-ecosystem comparison shows all major lockfiles record core data, with differences in metadata such as dependency representation, dev/prod scope, platform variants, and tool/runtime versions.
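To make the “lossy conversion” point concrete, here is an added example (not code from the article or from Syft/Trivy) that maps a constructed npm lockfile into a CycloneDX 1.5 document. Name, version, checksum and source translate cleanly; the lockfile’s `dev` flag has no exact CycloneDX field, so the converter parks it in a tool-specific property and reports it as unmapped. The package names, URLs and checksums are constructed, not real.

```python
import base64
import hashlib
import json

def _integrity(seed: bytes) -> str:
    # npm stores checksums as SRI strings: "<alg>-<base64 digest>"; seed is constructed
    return "sha512-" + base64.b64encode(hashlib.sha512(seed).digest()).decode()

# Constructed stand-in for a lockfileVersion 3 package-lock.json (not a real project's)
SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.example/lodash/-/lodash-4.17.21.tgz",
            "integrity": _integrity(b"constructed-lodash-tarball")},
        "node_modules/jest": {
            "version": "29.7.0",
            "resolved": "https://registry.example/jest/-/jest-29.7.0.tgz",
            "integrity": _integrity(b"constructed-jest-tarball"),
            "dev": True},  # install-time scope flag with no exact CycloneDX counterpart
    },
}

SRI_TO_CDX = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}
MAPPED_KEYS = {"version", "resolved", "integrity"}  # lockfile keys with a standard home

def lock_to_cyclonedx(lock: dict) -> tuple[dict, dict]:
    """Return (CycloneDX 1.5 BOM dict, {lockfile path: keys that had no standard mapping})."""
    components, unmapped = [], {}
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root package is the BOM subject, not a component
        name = path.rsplit("node_modules/", 1)[1]
        version = entry["version"]
        comp = {"type": "library", "name": name, "version": version,
                "purl": f"pkg:npm/{name.replace('@', '%40')}@{version}"}  # purl encodes scope '@'
        if "integrity" in entry:  # SRI base64 digest -> CycloneDX hex hash
            alg, digest = entry["integrity"].split("-", 1)
            comp["hashes"] = [{"alg": SRI_TO_CDX[alg], "content": base64.b64decode(digest).hex()}]
        if "resolved" in entry:  # download source -> distribution reference
            comp["externalReferences"] = [{"type": "distribution", "url": entry["resolved"]}]
        lost = sorted(set(entry) - MAPPED_KEYS)
        if lost:  # keep the data, but only as non-standard properties, and flag it
            comp["properties"] = [{"name": f"lockfile:{k}", "value": json.dumps(entry[k])} for k in lost]
            unmapped[path] = lost
        components.append(comp)
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "metadata": {"component": {"type": "application", **lock["packages"][""]}},
           "components": components}
    return bom, unmapped

if __name__ == "__main__":
    bom, unmapped = lock_to_cyclonedx(SAMPLE_LOCK)
    print(json.dumps(bom, indent=2))
    print("lockfile fields with no standard SBOM mapping:", unmapped)
```

Running it against a real package-lock.json (after `json.load`) shows the same split: the core fields the article says every lockfile records survive, while the ecosystem-specific metadata is exactly what a generic SBOM drops or hides in vendor properties.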