28 changes: 7 additions & 21 deletions peps/pep-0770.rst
Expand Up @@ -105,8 +105,7 @@ including the need to keep up-to-date as SBOM standards continue to evolve
to suit new needs in that space.

Instead, this proposal delegates SBOM-specific metadata to SBOM documents that
are included in Python packages and adds a new Core Metadata field for
discoverability of included SBOM documents.
are included in Python packages into a named directory under dist-info.

This standard also doesn't aim to replace Core Metadata with SBOMs,
instead focusing on the SBOM information being supplemental to Core Metadata.
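Review bot: the rewritten sentence at the top of this hunk no longer parses: "delegates SBOM-specific metadata to SBOM documents that are included in Python packages into a named directory under dist-info" leaves "into a named directory" attached to nothing. Suggest "to SBOM documents that are included in Python packages in a named directory under dist-info" (or "shipped inside the package's dist-info directory"). Because this hunk also drops the sentence about a new Core Metadata field for discoverability, any remaining mention of that field elsewhere in the PEP needs to be updated in the same change, otherwise the abstract and the specification will disagree on how installed SBOM documents are located.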
Expand Down Expand Up @@ -463,29 +462,16 @@ Syft and Grype SBOM and vulnerability scanners.
Rejected Ideas
==============

Why not require a single SBOM standard?
---------------------------------------

Most discussion and development around SBOMs today focuses on two SBOM
standards: `CycloneDX <cyclonedxspec_>`_ and `SPDX <spdxspec_>`_. There is no clear
"winner" between these two standards, both standards are frequently used by
projects and software ecosystems.

Because both standards are frequently used, tools for consuming and processing
SBOM documents commonly need to support both standards. This means that this PEP
is not constrained to select a single SBOM standard by its consumers and thus
can allow tools creating SBOM documents for inclusion in Python packages to
choose which SBOM standard works best for their use-case.

Rejected Ideas
==============

Selecting a single SBOM standard
Requiring a single SBOM standard
--------------------------------

There is no universally accepted SBOM standard and this area is still
rapidly evolving (for example, SPDX released a new major version of their
standard in April 2024). To avoid locking the Python ecosystem into a specific
standard in April 2024). Most discussion and development around SBOMs today
focuses on two SBOM standards: `CycloneDX <cyclonedxspec_>`_ and
`SPDX <spdxspec_>`_.

To avoid locking the Python ecosystem into a specific
standard ahead of when a clear winner emerges this PEP treats SBOM documents
as opaque and only makes recommendations to promote compatibility with
downstream consumers of SBOM document data.
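Review bot: removing the duplicated "Rejected Ideas" header is correct, but the merge loses the consumer-side argument from the deleted subsection: that tools consuming and processing SBOM documents already need to support both CycloneDX and SPDX, so permitting either standard adds no burden for consumers. The surviving paragraph only says the area is evolving and no clear winner has emerged; suggest carrying that sentence into the new "Requiring a single SBOM standard" paragraph, since it is the strongest part of the rejection rationale. The `cyclonedxspec_` and `spdxspec_` link targets are still referenced by the kept text, so their definitions must stay in the file. The new heading has the same length as the old one, so the RST underline still matches.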