Skip to content

[FR] Implement PEP 770 #4821

New issue
New issue
Open
Open
[FR] Implement PEP 770#4821
Labels
Needs TriageIssues that need to be evaluated for severity and status.enhancement
@sethmlarson

Description

@sethmlarson
sethmlarson
opened on Feb 3, 2025

What's the problem this feature will solve?

Add support for project-specified (with project.sbom-files in pyproject.toml) SBOM files.

Describe the solution you'd like

https://peps.python.org/pep-0770, once the PEP is provisionally accepted I intend to contribute the necessary changes to adopt the PEP. setuptools already supports Metadata Version 2.4 (from PEP 639) and this PEP upgrades the Metadata Version to 2.5. The mechanics of PEP 770 are very similar to PEP 639, so there may be some code reuse.

  • Implement initial support for PEP 770.
  • Begin generating an SBOM document for setuptools (due to vendored packages)
  • Specify the generated SBOM document with project.sbom-files.

This pull request depends on implementing Metadata version 2.4 (PEP 639)

Alternative Solutions

No response

Additional context

No response

Code of Conduct

  • I agree to follow the PSF Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    Needs TriageIssues that need to be evaluated for severity and status.enhancement

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions