2025-05-29
SBOM diffs as a release artifact, not an audit checkbox
By Otávio Lemos
Supply chain courses often obsess over signing while humans still ask plain-language questions about dependency shifts. We teach students to attach an SPDX diff summary beside the promotion ticket, highlighting only the packages that touched runtime code paths.
Second, we compare two builds with identical semantic versions but different transitive trees. The exercise is intentionally tedious because release managers reward clarity over brevity.
Third, we discuss waivers: sometimes a CVE advisory does not map to an exposed surface. Students must document the waiver with explicit risk owners rather than hiding behind green pipelines.
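As an added example (not code from the course or the post), the script below diffs the runtime packages of two SPDX 2.3 JSON documents that both describe the same semantic version, drops dev-only churn from the summary, and refuses to render a waiver that has no named risk owner. Every package name, version, build name, the advisory id and the waiver record are constructed placeholders; the dev/build/test relationship types are the standard SPDX 2.3 vocabulary.

```python
"""Added example: diff the runtime packages of two SPDX 2.3 JSON SBOMs and
print the promotion-ticket summary described in the post. All package names,
versions and the waiver record below are constructed for illustration."""

# SPDX 2.3 relationship types that mark the subject package as non-runtime.
NON_RUNTIME_REL = {"DEV_DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "TEST_DEPENDENCY_OF"}


def _pkg(spdx_id, name, version):
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version}


def _rel(subject, rel_type, obj):
    return {"spdxElementId": subject, "relationshipType": rel_type, "relatedSpdxElement": obj}


# Constructed build 101: shop-api 1.4.2 with its transitive tree.
OLD_SBOM = {
    "spdxVersion": "SPDX-2.3", "name": "shop-api-build-101", "documentDescribes": ["SPDXRef-app"],
    "packages": [_pkg("SPDXRef-app", "shop-api", "1.4.2"), _pkg("SPDXRef-http", "fast-http", "2.1.0"),
                 _pkg("SPDXRef-yaml", "yaml-parse", "5.0.1"), _pkg("SPDXRef-lint", "stylecheck", "0.9.0")],
    "relationships": [_rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-http"),
                      _rel("SPDXRef-http", "DEPENDS_ON", "SPDXRef-yaml"),
                      _rel("SPDXRef-lint", "DEV_DEPENDENCY_OF", "SPDXRef-app")],
}

# Constructed build 102: same semantic version, different transitive tree.
NEW_SBOM = {
    "spdxVersion": "SPDX-2.3", "name": "shop-api-build-102", "documentDescribes": ["SPDXRef-app"],
    "packages": [_pkg("SPDXRef-app", "shop-api", "1.4.2"), _pkg("SPDXRef-http", "fast-http", "2.2.0"),
                 _pkg("SPDXRef-json", "tiny-json", "1.0.3"), _pkg("SPDXRef-lint", "stylecheck", "1.0.0")],
    "relationships": [_rel("SPDXRef-app", "DEPENDS_ON", "SPDXRef-http"),
                      _rel("SPDXRef-http", "DEPENDS_ON", "SPDXRef-json"),
                      _rel("SPDXRef-lint", "DEV_DEPENDENCY_OF", "SPDXRef-app")],
}

# Constructed waiver: the advisory id is a placeholder, not a real identifier.
WAIVERS = [{"package": "tiny-json", "advisory": "ADVISORY-ID-PLACEHOLDER",
            "risk_owner": "platform-security@example.com", "expires": "2025-08-31",
            "reason": "the affected parser entry point is never called with external input"}]


def runtime_packages(doc):
    """Return {name: version} for packages not marked dev/build/test-only.
    The described root package is excluded; it is the artifact being promoted."""
    roots = set(doc.get("documentDescribes", []))
    non_runtime = {r["spdxElementId"] for r in doc["relationships"]
                   if r["relationshipType"] in NON_RUNTIME_REL}
    return {p["name"]: p.get("versionInfo", "") for p in doc["packages"]
            if p["SPDXID"] not in roots and p["SPDXID"] not in non_runtime}


def diff_runtime(old_doc, new_doc):
    """Classify runtime packages as added, removed or version-changed between two SBOMs."""
    old, new = runtime_packages(old_doc), runtime_packages(new_doc)
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }


def validate_waivers(waivers, new_doc):
    """Reject waivers with no explicit risk owner, no reason, or a package absent from the runtime tree."""
    present = runtime_packages(new_doc)
    problems = []
    for w in waivers:
        if not w.get("risk_owner"):
            problems.append(f"{w['package']}: waiver has no risk owner")
        if not w.get("reason"):
            problems.append(f"{w['package']}: waiver has no documented reason")
        if w["package"] not in present:
            problems.append(f"{w['package']}: waived package is not in the runtime tree")
    return problems


def render_summary(old_doc, new_doc, waivers):
    """Plain-language summary for the promotion ticket; dev-only churn is deliberately omitted."""
    problems = validate_waivers(waivers, new_doc)
    if problems:
        raise ValueError("; ".join(problems))
    d = diff_runtime(old_doc, new_doc)
    lines = [f"Runtime dependency changes, {old_doc['name']} -> {new_doc['name']}:"]
    lines += [f"  + {n} {v} (new runtime dependency)" for n, v in sorted(d["added"].items())]
    lines += [f"  - {n} {v} (no longer shipped)" for n, v in sorted(d["removed"].items())]
    lines += [f"  ~ {n} {a} -> {b}" for n, (a, b) in sorted(d["changed"].items())]
    for w in waivers:
        lines.append(f"  waiver: {w['package']} / {w['advisory']} accepted by {w['risk_owner']} "
                     f"until {w['expires']} because {w['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(OLD_SBOM, NEW_SBOM, WAIVERS))
```

The bump of stylecheck from 0.9.0 to 1.0.0 never reaches the summary because it is only a DEV_DEPENDENCY_OF the root, which is the filtering the post asks for; a waiver with an empty risk owner makes render_summary raise instead of silently producing a green-looking ticket.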
The fourth paragraph links SBOM diffs to customer comms templates so support teams inherit the same language engineering used during promotion.