Add sections for Users, Projects, and SCA tools in 'How to Teach'

sethmlarson · sethmlarson · commit cff1956c31e4 · 2025-01-22T13:04:15.000-06:00
diff --git a/peps/pep-0770.rst b/peps/pep-0770.rst
@@ -371,6 +371,9 @@ of this standard. The details of this standard are most important to either
 maintainers of Python packages and developers of SCA tools such as
 SBOM generation tools and vulnerability scanners.
 
+What do Python package maintainers need to know?
+------------------------------------------------
+
 Most Python packages don't contain code from other software components and thus
 are already measurable by SCA tools without the need of this standard or
 additional SBOM documents. Pure-Python packages are about `~90% <pypi-data_>`__
@@ -380,9 +383,68 @@ For projects that do contain other software components, documentation will be
 added to the Python Packaging User Guide for how to specify and maintain
 SBOM documents for Python packages in source code.
 
+There are two "camps" of projects that contain other software, those from
+a "packaging ecosystem" (PyPI, Linux distros, Rust, NPM, etc) and those from
+outside a packaging ecosystem (vendored C, C++, Fortran). Software that is
+a part of a packaging ecosystem is much easier to identify meaning
+that package maintainers may have their package SBOM data annotated
+automatically by common build tools (auditwheel, cibuildwheel, multibuild, etc).
+
+For projects that cannot be automatically annotated, the approach will be to
+generate SBOM files by some means and then include those files manually using
+``pyproject.toml``:
+
+ .. code-block:: toml
+
+    [project]
+    ...
+    sbom-files = [
+        "sboms/bom.cdx.json"
+    ]
+
+For projects manually specifying an SBOM document the challenge will be
+keeping the document up-to-date. The CPython project has some
+`customized tooling <https://github.com/python/cpython/blob/main/Tools/build/generate_sbom.py>`__
+for this task, but it can likely be generalized into a tool reusable by other
+projects.
+
+What do SBOM tool authors need to know?
+---------------------------------------
+
+Developers of SBOM generation tooling will need to know about the existence
+of this PEP and that Python packages may begin publishing SBOM documents
+within package archives. This information needs to be included as a part of
+generating an SBOM document for a particular Python package or Python
+environment.
+
 A follow-up informational PEP will be authored to describe how to transform
 Python packaging metadata, including the mechanism described in this PEP,
-into an SBOM document describing Python packages.
+into an SBOM document describing Python packages. Once the informational PEP is
+complete, tracking issues will be opened specifically linking to the
+informational PEP to spur the adoption of PEP 770 by SBOM tools.
+
+A `benchmark is being created <https://github.com/psf/sboms-for-python-packages/tree/main/benchmark>`__
+to compare the outputs of different SBOM tools when run with various Python
+packaging inputs (package archive, installed package, environment, container
+image) is being created to track the progress of different SBOM generation
+tools. This benchmark will inform where tools have gaps in support
+of this PEP and Python packages.
+
+What do users of SBOM documents need to know?
+---------------------------------------------
+
+Many users of this PEP won't know of its existence, instead their software
+composition analysis tools, SBOM tools, or vulnerability scanners will simply
+begin giving more comprehensive information after an upgrade. For users that are
+interested in the sources of this new information, the "tool" field of SBOM
+metadata already provides linkages to the projects generating their SBOMs.
+
+For users who need SBOM documents describing their open source dependencies the
+first step should always be "create them yourself". Using the benchmarks above
+a list of tools that are known to be accurate for Python packages can be
+documented and recommended to users. For projects which require
+additional manual SBOM annotation: tips for contributing this data and tools for
+maintaining the data can be recommended.
 
 Reference Implementation
 ========================
