cryptography
Figure out how to use PEP770 (SBOM)
Goal:
- Nothing in our sdists (we don't vendor anything)
- Our wheels contain:
  - SBOM for all used cargo deps
  - SBOM for OpenSSL, if linked statically
Does any tooling exist yet or is it all just metadata definition?
The PEP was approved like yesterday, so I don't think anything exists for it.
I guess there's a feature request here for maturin to include an SBOM for all cargo packages?
Filed https://github.com/PyO3/maturin/issues/2554
Should we be looking at pep725 as well?
It's not standardized yet.
On Sun, Apr 13, 2025 at 1:06 PM Paul Kehrer wrote:
Should we be looking at pep725 as well?
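As an added illustration (not code from this thread, from maturin, or from cryptography's build) of what the goal list asks a build backend to do: turn `cargo metadata` output into a CycloneDX SBOM of the third-party crates, append a statically linked OpenSSL as an extra component, and compute where the file and its metadata reference go. The `cargo metadata` input is a constructed sample with only the fields used here, and the `sboms/` directory plus `Sbom-File` field are my reading of PEP 770, stated as an assumption.

```python
import json
from pathlib import PurePosixPath

# Constructed sample shaped like `cargo metadata --format-version 1` output
# (only the fields this example reads; versions are illustrative).
CARGO_METADATA = {
    "packages": [
        {"name": "cryptography-rust", "version": "0.1.0", "source": None,
         "license": None},
        {"name": "pyo3", "version": "0.24.1",
         "source": "registry+https://github.com/rust-lang/crates.io-index",
         "license": "MIT OR Apache-2.0"},
        {"name": "openssl-sys", "version": "0.9.107",
         "source": "registry+https://github.com/rust-lang/crates.io-index",
         "license": "MIT"},
    ],
}

def cargo_to_cyclonedx(metadata, openssl_version=None):
    """CycloneDX 1.5 document listing every third-party crate in the build.

    Workspace/path crates (source is None) are the wheel's own code and are
    skipped. Each crate gets a pkg:cargo purl so scanners can match it against
    advisories. A statically linked OpenSSL is not a crate, so it is added as
    an explicit extra component when a version is given.
    """
    components = []
    for pkg in metadata["packages"]:
        if pkg.get("source") is None:
            continue  # not a dependency pulled from a registry
        comp = {"type": "library", "name": pkg["name"],
                "version": pkg["version"],
                "purl": f"pkg:cargo/{pkg['name']}@{pkg['version']}"}
        if pkg.get("license"):  # SPDX expression as cargo reports it
            comp["licenses"] = [{"expression": pkg["license"]}]
        components.append(comp)
    if openssl_version:
        components.append({"type": "library", "name": "openssl",
                           "version": openssl_version,
                           "purl": f"pkg:generic/openssl@{openssl_version}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}

def pep770_placement(dist_name, dist_version, sbom_filename):
    """(path inside the wheel, METADATA line) for one SBOM document.

    Assumption: PEP 770 keeps SBOMs under <dist>.dist-info/sboms/ and points
    at each one with a multiple-use Sbom-File core metadata field.
    """
    rel = PurePosixPath("sboms") / sbom_filename
    info_dir = PurePosixPath(f"{dist_name}-{dist_version}.dist-info")
    return str(info_dir / rel), f"Sbom-File: {rel}"

if __name__ == "__main__":
    print(json.dumps(cargo_to_cyclonedx(CARGO_METADATA, "3.4.1"), indent=2))
```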