Bill of Delivery, OCM and NixOS: Whose Problem Is It Anyway?
An article appeared on appetizers.io positioning “Software Bills of Delivery” as the next SBOM generation. Ole engaged with it in detail on his personal blog — on the Open Component Model, NixOS+Podman, and why the composition gap is primarily a K8s phenomenon. Here's a short version with a link to the original.
Whose problem is composition, really?
An article appeared recently on appetizers.io positioning “Software Bills of Delivery” as the next evolutionary step after classic SBOMs — and the Open Component Model (OCM) as the central tool for it. The composition gap is real: SBOMs describe individual containers but not which containers in which versions make up a release.
Ole commented on the article in detail on his personal blog. Short version: the problem is real, and OCM solves it cleanly — but mostly as a consequence of Kubernetes design decisions. In a NixOS/Podman setup like the one we run at Moselwal ourselves, composition is a side effect of the configuration, not a separate bundle format.
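To make that concrete, here is an added illustration (not from Ole's post and not Moselwal's actual configuration) of what "composition as a side effect of the configuration" looks like on NixOS with the Podman backend: the declared set of containers, with images pinned by digest, is the release composition, and it is versioned together with the rest of the system. Registry names, container names and digests are placeholders.

```nix
# Added example; registry, image names and digests are placeholders.
# The evaluated configuration lists exactly which images, in which
# versions, make up this release, so no separate bundle format is
# needed to answer "what was delivered".
{ config, ... }:
{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers = {
    # Weak form (commented out): a mutable tag. What "web" resolves to
    # can change between deploys, so the configuration no longer pins
    # the delivered artifact and the composition is not reproducible.
    # web.image = "registry.example.com/web:latest";

    # Pinned by digest: the configuration names the exact artifact,
    # which is also what Cosign signatures and SLSA provenance refer to.
    web = {
      image = "registry.example.com/web@sha256:<placeholder-digest-web>";
      ports = [ "127.0.0.1:8080:8080" ];
      dependsOn = [ "db" ];
    };

    db = {
      image = "registry.example.com/postgres@sha256:<placeholder-digest-db>";
      volumes = [ "db-data:/var/lib/postgresql/data" ];
      environment = {
        POSTGRES_DB = "app";
      };
    };
  };
}
```

Because the digests live in the configuration, a diff of the configuration between two deployments is itself the "bill of delivery" diff: which images changed, and to what.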
What stays relevant in both worlds, and what auditors actually ask for in an ISO 27001 or TISAX context, is the established toolset: SLSA provenance per image, OpenVEX for vulnerability hygiene, and images signed with Cosign and verified on deploy.
Read the full post
The detailed analysis of Bill-of-Delivery, OCM and NixOS — with concrete building blocks, an honest assessment of when OCM is worth it, and a discussion of the limits of each approach — lives on Ole's personal blog.
If you have a concrete pipeline question, get in touch directly via our contact page.