Hacker News

tptacek, yesterday at 9:36 PM (3 replies)

Reads kind of sales-pitchy. Every day we see another actively exploited Linux LPE; have you thought about your SBOM today?


Replies

ohnei, yesterday at 10:25 PM

I like nix and its approach, but if I'm being honest, I think it's also getting easier to be sloppy about dependencies and ask AI to find any dependencies that might be missing from the cleanly installed packaging metadata. There's maybe a paradox for developers in that we can try to drop structure and brute-force scan first, intensively enough to catch anything likely to get caught, or we can ask AI to finally apply all the rigorous methods we decided were too expensive for routine software and probably have minimally more things to run with each release.

ronef, yesterday at 9:52 PM

I feel we should definitely be digging way beyond the SBOM... but also wondering if the forecasting in the general ecosystem is on point or not.

tremon, yesterday at 10:27 PM

Are you offering an easy fix for that "Linux" line on your SBOM?
