diff --git a/peps/pep-0770.rst b/peps/pep-0770.rst index 580022df01a..46b390e3c21 100644 --- a/peps/pep-0770.rst +++ b/peps/pep-0770.rst @@ -105,8 +105,7 @@ including the need to keep up-to-date as SBOM standards continue to evolve to suit new needs in that space. Instead, this proposal delegates SBOM-specific metadata to SBOM documents that -are included in Python packages and adds a new Core Metadata field for -discoverability of included SBOM documents. +are included in Python packages into a named directory under dist-info. This standard also doesn't aim to replace Core Metadata with SBOMs, instead focusing on the SBOM information being supplemental to Core Metadata. 
@@ -463,29 +462,16 @@ Syft and Grype SBOM and vulnerability scanners. Rejected Ideas ============== -Why not require a single SBOM standard? ---------------------------------------- - -Most discussion and development around SBOMs today focuses on two SBOM -standards: `CycloneDX `_ and `SPDX `_. There is no clear -"winner" between these two standards, both standards are frequently used by -projects and software ecosystems. - -Because both standards are frequently used, tools for consuming and processing -SBOM documents commonly need to support both standards. This means that this PEP -is not constrained to select a single SBOM standard by its consumers and thus -can allow tools creating SBOM documents for inclusion in Python packages to -choose which SBOM standard works best for their use-case. - -Rejected Ideas -============== - -Selecting a single SBOM standard +Requiring a single SBOM standard -------------------------------- There is no universally accepted SBOM standard and this area is still rapidly evolving (for example, SPDX released a new major version of their -standard in April 2024). To avoid locking the Python ecosystem into a specific +standard in April 2024). Most discussion and development around SBOMs today +focuses on two SBOM standards: `CycloneDX `_ and +`SPDX `_. + +To avoid locking the Python ecosystem into a specific standard ahead of when a clear winner emerges this PEP treats SBOM documents as opaque and only makes recommendations to promote compatibility with downstream consumers of SBOM document data.
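Review bot: In the first hunk (the ``@@ -105,8 +105,7 @@`` change to the Overview), the rewritten sentence no longer parses: it now reads "delegates SBOM-specific metadata to SBOM documents that are included in Python packages into a named directory under dist-info", so "included ... into" is ungrammatical and the reader cannot tell whether the directory is where the documents live or where the metadata is delegated to. Suggest "are included in Python packages in a named directory under the ``.dist-info`` directory." Since the removed text was the only mention here of how included SBOM documents are discovered (the dropped Core Metadata field), consider also naming the directory or pointing at the section that specifies it, so the Overview still tells the reader where discoverability now comes from.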
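Review bot: In the second hunk, merging the two duplicate "Rejected Ideas" sections drops the strongest part of the argument: the removed paragraph stating that both standards are frequently used, so consumers of SBOM documents commonly need to support both, and therefore this PEP is not constrained to pick one. The surviving text only says that discussion "focuses on two SBOM standards" and then jumps to "ahead of when a clear winner emerges", but the sentence that set up the "winner" framing ("There is no clear 'winner' between these two standards") was also removed. Suggest keeping one sentence after the CycloneDX/SPDX line, e.g. "There is no clear winner between the two, and tools consuming SBOM documents commonly need to support both, so this PEP is not constrained to select one." The retitle to "Requiring a single SBOM standard" and its underline length are fine.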