First, what is a SBoM? A SBoM, or a Software Bill of Materials, can be seen as a list of ingredients of a software. Generating such a SBoM from an open source software is easier than from a proprietary software, due to the availability of the source code and the openness of the architecture. Does using a SBoM contribute to controlling our information and/or software, like open source does?

Data autonomy can be seen as a process of gaining control of collected and processed information. To increase transparency and control of our information and software, open source is one of the solutions. In the Open Source Program Office (OSPO) at the Center for Information Technology at the University of Groningen (UG), over the past months there has been a lot of collaboration with the data autonomy project. We have been working together on the Data Autonomy Index (DAIX), and gave presentations on events relating to data autonomy and open source. On 12 June 2024 there was the first open source event at the UG, called Open Source Meetup, which was a success. Besides this event, there was a survey prepared about open source used within the UG. The main question addressed was: “What are currently the open source questions within the UG? And is an OSPO a solution to it?”. 

Besides this, part of the open source project was about creating some policy around SBoM. Combining the discussions, literature, events, and the survey here are some results of this project. What is very important at the moment according to some people at the UG, is an Open Source Community, established either in the form of meetings, events, or a mailing list. The setup of a dedicated platform is also one of the needs, but that is difficult to arrange since the group of people actively promoting and working on open source is still relatively small. Furthermore, more thinking is needed about the policy and vision relating to the use and promotion of open source, as well as training and support measures.

Generally, the survey has shown that the main advantage of using open source is to “prevent vendor lock-in”, while the main disadvantage seems to be that using open source results in “more unsure” circumstances. Of course, what is more unsure about open source software is for example the support of a software/platform. 

This also plays a role when it comes to SBoM. Most respondents who filled in the survey did not know what a SBoM is. This is problematic, as a SBoM provides insight into important information, such as the risks and vulnerabilities of a software. Moreover, SBoM gives the users the power to put pressure on a supplier to fix critical vulnerabilities of the software. Eventually, a supplier might also feel more pressure to address such issues just because there is more transparency due to the SBoM. Hence, using a SBoM gives more control about the software to the users and gives insight into what the software contains, resolving concerns about safety.

Now back to the first question mentioned in this blog post: does a SBoM contribute to data autonomy, just as the use of open source does? In my opinion, we can answer this with yes and no. Indeed, a SBoM gives some control over important information of a software product, such as revealing the vulnerabilities and the risks. However, an individual user cannot directly inspect the source code and must therefore rely on the reliability of the full information provided through the SBoM. Nevertheless, the use of the SBoM as a mechanism highlights the issue and has the potential to ultimately provide greater insight and control.