PEP 710: Mention pip-sbom prototype (#3245)

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@gmail.com>
2023-08-02 17:11:28 +02:00 · 2023-08-02 17:11:28 +02:00 · de225b4e09
parent de468dbe57
commit de225b4e09
1 changed files with 9 additions and 0 deletions
--- a/pep-0710.rst
+++ b/pep-0710.rst
@ -372,6 +372,10 @@ and ``provenance_url.json`` metadata files.  This tool mimics the ``pip
 freeze`` functionality, but the listing of installed packages also includes
 the hashes of the Python distribution artifacts.

+To further support this proposal, `pip-sbom <pip_sbom_>`_ demonstrates creation
+of SBOM in the SPDX format. The tool uses information stored in the ``provenance_url.json``
+file.
+
 Rejected Ideas
 ==============

@ -573,6 +577,8 @@ References

 .. _pip_preserve: https://pypi.org/project/pip-preserve/

+.. _pip_sbom: https://github.com/sethmlarson/pip-sbom
+
 .. _thoth-station/micropipenv#206: https://github.com/thoth-station/micropipenv/issues/206

 .. _pypa/pip-audit#170: https://github.com/pypa/pip-audit/issues/170
@ -609,6 +615,9 @@ and support to work on this PEP.
 Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
 reviewing this PEP and providing valuable suggestions.

+Thanks to Seth Michael Larson for providing valuable suggestions and for
+the proposed pip-sbom prototype.
+
 Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.

 Last, but not least, thanks to Donald Stufft for sponsoring this PEP.