Where are post assembly instructions stored?
Panini and croque monsieur sandwiches are left out of this spec.
Author didn't post the repo so I don't know where to submit an issue.
Also it doesn't address mold: harmful on bread, wonderful when intentionally added to cheese
Edit: Claude Code has a homebrew cask, and homebrew supports Linux (I haven't been using it on Linux so it didn't occur to me when reading this). It can be specified in purl using pkg:brew.
I love a good APGL joke, and this one especially tickles me because I'm currently a delivery driver instead of a dev.
I put mayonnaise on my RAM but I don't know how to hash it.
Also it is now hot topic because of CRA in EU.
Specification: SBOM 1.0 (Sandwich Bill of Materials)
Status: Draft
Maintainer: The SBOM Working Group
License: MIT (Mustard Is Transferable)
Modern sandwich construction relies on a complex graph of transitive ingredients sourced from multiple registries (farms, distributors, markets). Consumers have no standardized way to enumerate the components of their lunch, assess ingredient provenance, or verify that their sandwich was assembled from known-good sources. SBOM addresses this by providing a machine-readable format for declaring the full dependency tree of a sandwich, including sub-components, licensing information, and known vulnerabilities.
A typical sandwich contains between 6 and 47 direct dependencies, each pulling in its own transitive ingredients. A “simple” BLT depends on bacon, which depends on pork, which depends on a pig, which depends on feed corn, water, antibiotics, and a farmer whose field hasn’t flooded yet. The consumer sees three letters, but the supply chain sees a directed acyclic graph with cycle detection issues (the pig eats the corn that grows in the field that was fertilized by the pig).
The 2025 egg price crisis was a cascading failure equivalent to a left-pad incident, except it affected breakfast. A single avian flu outbreak took down the entire egg ecosystem for months. Post-incident analysis revealed that 94% of affected sandwiches had no lockfile and were resolving eggs to latest at assembly time.
An SBOM document MUST be a JSON file with the .sbom extension, after YAML was considered and rejected on the grounds that the sandwich industry has enough problems without adding whitespace sensitivity.
Each sandwich component MUST include the following fields:
surl (required): A Sandwich URL uniquely identifying the ingredient. Format: surl:type/name@version. Follows the same convention as PURL but for food. Examples:
name (required): The canonical name of the ingredient as registered in a recognized food registry. Unregistered ingredients (e.g., “that sauce from the place”) MUST be declared as unverified-source and will trigger a warning during sandwich linting.
version (required): The specific version of the ingredient. Tomatoes MUST use calendar versioning (harvest date). Cheese MUST use age-based versioning (e.g., cheddar@18m). Bread follows semver, where a MAJOR version bump indicates a change in grain type, MINOR indicates a change in hydration percentage, and PATCH indicates someone left it out overnight and it’s a bit stale but probably fine.
supplier (required): The origin registry. Valid registries include farm://, supermarket://, farmers-market://, and back-of-the-fridge://. The latter is considered an untrusted source and components resolved from it MUST include a best-before integrity check.
integrity (required): A SHA-256 hash of the ingredient at time of acquisition.
license (required): The license under which the ingredient is distributed. Common licenses include:
Sandwich assembly MUST resolve dependencies depth-first. If two ingredients declare conflicting sub-dependencies (e.g., sourdough requires starter-culture@wild but the prosciutto’s curing process pins salt@himalayan-pink), the assembler SHOULD attempt version negotiation. If negotiation fails, the sandwich enters a conflict state and MUST NOT be consumed until a human reviews the dependency tree and makes a judgement call.
Circular dependencies are permitted but discouraged. A sandwich that contains bread made with beer made with grain from the same field as the bread is technically valid but will cause the resolver to emit a warning about “co-dependent sourdough.”
All SBOM documents SHOULD be scanned against the National Sandwich Vulnerability Database (NSVD). Known vulnerabilities include:
Each ingredient MUST include a signed provenance attestation from the supplier. The attestation MUST be generated in a hermetic build environment and MUST NOT be generated in a build environment where other food is being prepared simultaneously, as this introduces the risk of cross-contamination of provenance claims.
For farm-sourced ingredients, the attestation chain SHOULD extend to the seed or animal of origin. A tomato’s provenance chain includes the seed, the soil, the water, the sunlight, the farmer, the truck, the distributor, and the shelf it sat on for a period the supermarket would prefer not to disclose.
Eggs are worse, because an egg’s provenance attestation is generated by a chicken that may itself lack a valid attestation chain. The working group has deferred the question of chicken-or-egg provenance ordering to version 2.0.
A sandwich MUST be reproducible. Given identical inputs, two independent assemblers MUST produce bit-for-bit identical sandwiches, which in practice is impossible. The specification handles this by requiring assemblers to document all sources of non-determinism in a sandwich.lock file, including:
Reproducible sandwich builds remain aspirational. A compliance level of “close enough” is acceptable for non-safety-critical sandwiches. Safety-critical sandwiches SHOULD target full reproducibility.
Consumers SHOULD audit their full dependency tree before consumption. A sbom audit command will flag any ingredient that:
left-lettuce incident)Early adoption has been mixed. The artisanal sandwich community objects to machine-readable formats on philosophical grounds, arguing that a sandwich’s ingredients should be discoverable through the act of eating it. The fast food industry has expressed support in principle but notes that their sandwiches’ dependency trees are trade secrets and will be shipped as compiled binaries.
The EU Sandwich Resilience Act (SRA) requires all sandwiches sold or distributed within the European Union to include a machine-readable SBOM by Q3 2027. Sandwiches without a valid SBOM will be denied entry at the border. The European Commission has endorsed the specification as part of its broader lunch sovereignty agenda, arguing that member states cannot depend on foreign sandwich infrastructure without visibility into the ingredient graph. A working paper on “strategic autonomy in condiment supply chains” is expected Q2 2027.
The US has issued Executive Order 14028.5, which requires all sandwiches served in federal buildings to include an SBOM. The order does not specify whether it means Sandwich or Software Bill of Materials. Several federal agencies have begun submitting both.
The Software Heritage foundation archives all publicly available source code as a reference for future generations, and the Sandwich Heritage Foundation has adopted the same mission for sandwiches, with less success.
Every sandwich assembled under SBOM 1.0 is archived in a content-addressable store keyed by its integrity hash. The archive currently holds 14 sandwiches because most contributors cannot figure out how to hash a sandwich without eating it first. A BLT submitted in March was rejected because the tomato’s checksum changed during transit. The Foundation suspects condensation.
Long-term preservation remains an open problem. Software can be archived indefinitely on disk, but sandwiches introduce material constraints the specification was not designed for. The Foundation has explored freeze-drying, vacuum sealing, and “just taking a really detailed photo,” but none of these produce a bit-for-bit reproducible sandwich from the archive. The working group considers this a storage layer concern and out of scope for the specification.
Funding comes from individual donations and a pending grant application to the EU’s Horizon programme under the call for “digital preservation of cultural food heritage.” The application was rejected once already on the grounds that sandwiches are not digital, a characterization the Foundation disputes given that every sandwich under SBOM 1.0 is, by definition, a digital artifact with a hash.
This specification is dedicated to a small sandwich shop on Folsom Street in SoMA that made the best BLT the author has ever eaten, and which closed in 2019 without producing an SBOM or publishing its recipe in any machine-readable format.
This specification is provided “AS IS” without warranty of any kind, including but not limited to the warranties of edibility, fitness for a particular meal, and non-contamination. The SBOM Working Group is not responsible for any sandwich constructed in accordance with this specification that nonetheless tastes bad.