To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.
The software supply chain is affected most at trust boundaries, for example, bringing in dependencies. By definition, every dependency is outside the trust boundary. The now-famous XKCD comic 2347 motivates a discussion of how to establish trust with the people developing your dependencies. Can you trust the maintainers of a library over time? What about the integrity of the library’s build environment or the compiler? Will an organization sell or turn over their library to someone malicious? What if a library is deleted and someone takes the name? Can the accuracy of the SBOM be trusted?