Detailed installation reports

[di]

Per the discussion at https://discuss.python.org/t/pip-installation-reports/12316, there seems to be an interest in generating detailed reports on the artifacts installed into an environment, with per-artifact data including:

• index URL used
• artifact URL used
• artifact hash
• etc

We already have some related functionality here with our SBOM support, and given the availability of such metadata, I think that this should generally be considered in-scope as a feature for pip-audit

[CAM-Gerlach]

NB, this issue and project was mentioned as potentially supporting the proposal in the draft PEP 710 (under final review in PR python/pep#3076):

A community project pip-audit raised their possible interest in pypa/pip-audit#170.

Also, just to confirm, are you okay with being mentioned as such (and implied to be supportive of it)? Also, any additional feedback you may have on the PEP before initial submission is of course welcome. Thanks!

[woodruffw]

I think @di has the final say, but I'm okay with you mentioning us! It sounds like this PEP would give us the information we've asked for with this issue, so support for it (at least in a behavioral/outputs sense) seems appropriate 🙂

[di]

Yep, fine with me, thanks for checking.

[CAM-Gerlach]

Thanks for confirming!

I think @di has the final say, but I'm okay with you mentioning us!

(N.B. it's not me mentioning you, I'm just a PEP editor reviewing it—it's @fridex who was the author of the PEP and did all the hard work on it).

[fridex]

It sounds like this PEP would give us the information we've asked for with this issue, so support for it (at least in a behavioral/outputs sense) seems appropriate 🙂

See PEP-710, now online. Please feel free to participate in the discussion if you find this feature valuable. Thank you!

it's @fridex who was the author of the PEP and did all the hard work on it

(The PEP is a result of great collaboration! @CAM-Gerlach did tremendous editing work.)