Closes https://github.com/python/release-tools/issues/91

This moves the pip SBOM discovery machinery from the CPython repository to this repository to not require pip maintainers to update the SBOM every time, saving difficulties with backporting and a bunch of manual effort.
There will be a follow-up PR to the CPython repository removing the machinery there once this PR lands.
The SBOM diff between running this script on Python-3.12.2.tgz:
Notice this removes all the direct relationships between CPython and pip's subpackages; this is a good thing IMO since CPython doesn't directly depend on these packages. This still lets tools like scanners discover vulnerabilities because CPython still has a dependency relationship with pip.
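To make the relationship change concrete, here is an added example (not code from release-tools or CPython) that models an SBOM as SPDX-style `DEPENDS_ON` triples, prunes the direct CPython-to-subpackage edges that are already implied through pip, and then checks that a scanner walking the graph from CPython still reaches every subpackage. The package names `pip:vendored-a` and `pip:vendored-b` are constructed placeholders, not real SBOM identifiers.

```python
"""Constructed example: pruning redundant direct SBOM relationships while
keeping transitive reachability intact. Not release-tools/CPython code."""
from collections import deque

# Constructed "before" SBOM: CPython is recorded as depending directly on pip
# AND on pip's vendored subpackages, which pip itself already depends on.
BEFORE = [
    ("CPython", "DEPENDS_ON", "pip"),
    ("CPython", "DEPENDS_ON", "pip:vendored-a"),  # placeholder name
    ("CPython", "DEPENDS_ON", "pip:vendored-b"),  # placeholder name
    ("pip", "DEPENDS_ON", "pip:vendored-a"),
    ("pip", "DEPENDS_ON", "pip:vendored-b"),
]


def direct_deps(rels, pkg):
    """Packages that `pkg` DEPENDS_ON directly."""
    return {to for frm, rtype, to in rels if frm == pkg and rtype == "DEPENDS_ON"}


def transitive_deps(rels, pkg):
    """Everything reachable from `pkg` over DEPENDS_ON edges; this is the
    walk a vulnerability scanner performs, so it must not shrink."""
    seen, queue = set(), deque([pkg])
    while queue:
        cur = queue.popleft()
        for dep in direct_deps(rels, cur):
            if dep not in seen:  # guards against cycles in the graph
                seen.add(dep)
                queue.append(dep)
    return seen


def prune_redundant_direct(rels, root):
    """Drop root->X edges when X is already reachable through another direct
    dependency of root. All other edges are kept in their original order."""
    direct = direct_deps(rels, root)
    redundant = set()
    for x in direct:
        for y in direct - {x}:
            if x in transitive_deps(rels, y):
                redundant.add(x)
                break
    return [
        r for r in rels
        if not (r[0] == root and r[1] == "DEPENDS_ON" and r[2] in redundant)
    ]


def reachability_preserved(before, after, root):
    """Check that pruning did not hide any package from a scanner."""
    return transitive_deps(before, root) == transitive_deps(after, root)


if __name__ == "__main__":
    after = prune_redundant_direct(BEFORE, "CPython")
    print("direct CPython deps before:", sorted(direct_deps(BEFORE, "CPython")))
    print("direct CPython deps after: ", sorted(direct_deps(after, "CPython")))
    print("transitive deps unchanged: ", reachability_preserved(BEFORE, after, "CPython"))
```

The pruning step is what the PR's SBOM diff amounts to: CPython keeps its single edge to pip, pip keeps its edges to the vendored packages, and `reachability_preserved` is the property a reviewer should verify before accepting such a diff.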