Confession time: until today, I had the concept of the software supply chain conflated in my head with the related but, as it turns out, separate notion of a Software Bill of Materials (SBOM). Both reflect the desire to understand and manage risks associated with your code. But whereas an SBOM stops at cataloguing the provenance of the bits in your codebase, the software supply chain is a much broader idea: it also includes the people and processes associated with delivering code from source to production, just as a physical supply chain covers the logistics as well as the components needed to bring goods to market.

(I think that’s right, tell me if it’s not.)

Either way, it’s weird out there: