February 13, 2026
BOM appetit!
Sandwich Bill of Materials
Open-source pickles, SAP lettuce labels, and a ‘mystery sauce’ showdown
TLDR: A playful spec proposes a JSON “Sandwich Bill of Materials” to track every ingredient, source, and license. Commenters cracked jokes about loading it into SAP, debated how to label “mystery sauce” installs like Claude Code, and adored the AGPL pickle gag, seeing humor and post-egg-crisis practicality.
Today in tech-meets-lunch, SBOM 1.0 declares a machine-readable ingredient list for sandwiches — every tomato, slice of bread, and yes, pickle comes with a source, version, and license. It even rejects YAML (the spacing-sensitive format) for JSON so your lunch doesn’t break over whitespace. Some scream “Do we really need a spec to eat a BLT?” while others remember the 2025 egg meltdown and nod like, “Yeah… maybe we do.” The licenses are comedy gold — MIT (Mustard Is Transferable) and AGPL (Affero General Pickle License) — but the supply-chain point hits: no more mystery meats sneaking in from back-of-the-fridge://.
Comments lit up. owlninja threw an enterprise grenade: “load it in SAP,” sparking corporate vs indie sandwich-maker banter. benatkin kicked off the mystery sauce fight, asking how to label script-only installs like Claude Code and linking the docs. Spec lovers swooned — TZubiri’s “Mmmmmh, specifications” got meme’d — while delivery driver McGlockenshire cheered the AGPL pickle joke because delivery counts as “over a network.” Pedants debated tomato calendar versions; jokers hashed the “best-before” integrity. Some, like ThrowawayTestr, called it the most delightful spec all year; skeptics rolled eyes at JSONifying lunch, but couldn’t resist the laughs.
Key Points
- The draft defines a Sandwich Bill of Materials (SBOM) to enumerate sandwich components, provenance, licensing, and vulnerabilities.
- SBOM files must be JSON (.sbom) and include fields: surl, name, version, supplier, integrity (SHA-256), and license.
- surl identifiers follow a PURL-like convention: surl:type/name@version, with examples provided.
- Versioning rules differ by ingredient: tomatoes use harvest dates, cheese uses age, and bread uses semantic versioning.
- Supplier registries include trusted and untrusted sources; untrusted sources require a best-before integrity check, and licensing conditions can affect the entire sandwich.
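To make the field list and the surl convention concrete, here is a small validator for ingredient entries. It is an added example, not code from the spec or its author. The top-level `components` array, the lowercase-hex digest encoding, the rule that the `version` field must match the surl, and every sample value are assumptions constructed for illustration.

```python
import hashlib, json, re

REQUIRED = ("surl", "name", "version", "supplier", "integrity", "license")
SURL_RE = re.compile(r"surl:([a-z0-9-]+)/([a-z0-9._-]+)@(\S+)")
SHA256_RE = re.compile(r"[0-9a-f]{64}")  # assumption: lowercase hex digest

def parse_surl(surl):
    """Split surl:type/name@version into its three parts."""
    m = SURL_RE.fullmatch(surl)
    if m is None:
        raise ValueError(f"malformed surl: {surl!r}")
    return dict(zip(("type", "name", "version"), m.groups()))

def validate_component(comp):
    """Return a list of problems for one ingredient entry (empty means OK)."""
    errors = [f"missing or empty field: {f}" for f in REQUIRED
              if not isinstance(comp.get(f), str) or not comp[f]]
    if errors:
        return errors
    try:
        parts = parse_surl(comp["surl"])
    except ValueError as exc:
        return [str(exc)]
    # Assumption: the standalone version field must agree with the surl.
    if parts["version"] != comp["version"]:
        errors.append("version field disagrees with surl")
    if SHA256_RE.fullmatch(comp["integrity"]) is None:
        errors.append("integrity is not a SHA-256 hex digest")
    return errors

def validate_sbom(text):
    """Validate every entry of a .sbom JSON document, in order."""
    return [validate_component(c) for c in json.loads(text)["components"]]

def _digest(label):
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed sample: one clean entry, one with a stale version and a
# truncated digest, one with no license declared.
SAMPLE = json.dumps({"components": [
    {"surl": "surl:bread/sourdough@2.1.0", "name": "sourdough", "version": "2.1.0",
     "supplier": "corner-bakery", "integrity": _digest("sourdough"), "license": "MIT"},
    {"surl": "surl:vegetable/tomato@2026-02-01", "name": "tomato", "version": "2026-01-15",
     "supplier": "back-of-the-fridge", "integrity": _digest("tomato")[:40], "license": "MIT"},
    {"surl": "surl:condiment/pickle@1.0.0", "name": "pickle", "version": "1.0.0",
     "supplier": "corner-deli", "integrity": _digest("pickle")},
]})

if __name__ == "__main__":
    for i, errs in enumerate(validate_sbom(SAMPLE)):
        print(i, errs or "ok")
```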