Add Software Bill-of-Materials for Windows source dependencies #112844

@sethmlarson

Description

Proposal:

Part of #112302

An SBOM document has been added for dependencies within CPython itself. This document is kept up-to-date using tooling and CI within the CPython repository. For building on Windows, there exists a repository, cpython-source-deps, which "mirrors" the source code of projects not in the CPython git repo.

These dependencies are pulled in optionally. I still need to investigate what combinations are possible, but I know the possible projects and versions for each CPython branch are currently captured in PCBuild/get_externals.bat.

I will be investigating the best method for creating an SBOM for these dependencies such that release-tools can stitch it into the final SBOMs that are distributed with release artifacts. There's a chance that no work needs to be done on this repository; in that case this issue will be migrated.

cc @zooba @ned-deily @ambv

Has this already been discussed elsewhere?

See the Discourse topic
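The description above sketches the pipeline: read the project/version list that PCBuild/get_externals.bat carries, turn it into an SBOM, and have release tooling stitch that into the SBOM shipped with release artifacts. The following Python is an added example, not code from the issue or from CPython's own tooling. It assumes SPDX 2.3 JSON as the SBOM format, uses a constructed get_externals.bat-style snippet rather than the real file (the names, versions and `Include*Src` flags are illustrative), and uses `example.invalid` placeholder namespace URLs. It parses such lines, emits an SBOM fragment that records which dependencies are optional, and merges the fragment into an existing document while refusing a silent version conflict.

```python
import json
import re

# Constructed lines in the style of PCBuild/get_externals.bat (not the real file):
# each "set libraries=%libraries% name-version" appends one source dependency, and
# an "if NOT ..." prefix marks one that the build can leave out.
SAMPLE_GET_EXTERNALS = r"""
@echo off
set libraries=
set libraries=%libraries%                                    bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%  openssl-3.0.13
set libraries=%libraries%                                    sqlite-3.45.1.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.13.1
set libraries=%libraries%                                    xz-5.2.5
set libraries=%libraries%                                    zlib-1.3.1
"""

# Non-greedy name so that "tcl-core-8.6.13.1" splits at the last dash before a digit.
_DEP_RE = re.compile(
    r'^\s*(?:if\s+NOT\s+"%(?P<flag>\w+)%"=="false"\s+)?'
    r'set\s+libraries=%libraries%\s+'
    r'(?P<name>[A-Za-z][A-Za-z0-9_-]*?)-(?P<version>\d[\w.]*)\s*$',
    re.MULTILINE,
)

def parse_get_externals(text):
    """One record per dependency: name, version, and the flag that makes it
    optional (None when it is always fetched)."""
    return [{"name": m["name"], "version": m["version"], "optional_flag": m["flag"]}
            for m in _DEP_RE.finditer(text)]

def build_spdx_fragment(deps, namespace):
    """Minimal SPDX 2.3 JSON document for the parsed dependencies; `namespace`
    is caller-supplied (placeholder URLs are used below)."""
    packages, relationships = [], []
    for d in deps:
        spdx_id = f"SPDXRef-PACKAGE-{d['name']}"  # SPDX IDs allow letters, digits, '.', '-'
        pkg = {"SPDXID": spdx_id, "name": d["name"], "versionInfo": d["version"],
               "downloadLocation": "NOASSERTION",  # not recoverable from the .bat alone
               "filesAnalyzed": False, "primaryPackagePurpose": "SOURCE"}
        if d["optional_flag"]:
            pkg["comment"] = f"Optional; omitted when {d['optional_flag']} is false"
        packages.append(pkg)
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relatedSpdxElement": spdx_id, "relationshipType": "DESCRIBES"})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": "cpython-source-deps", "documentNamespace": namespace,
            "packages": packages, "relationships": relationships}

def stitch_into(base, fragment):
    """Merge the fragment into a copy of `base`. A package already present with
    the same version is kept once; a differing version is an error, never a
    silent overwrite, so the shipped SBOM cannot disagree with the build."""
    merged = json.loads(json.dumps(base))  # deep copy; caller's document untouched
    by_id = {p["SPDXID"]: p for p in merged.setdefault("packages", [])}
    for pkg in fragment["packages"]:
        existing = by_id.get(pkg["SPDXID"])
        if existing is None:
            merged["packages"].append(pkg)
            by_id[pkg["SPDXID"]] = pkg
        elif existing.get("versionInfo") != pkg["versionInfo"]:
            raise ValueError(f"{pkg['SPDXID']}: {existing.get('versionInfo')} "
                             f"in base SBOM vs {pkg['versionInfo']} in externals")
    rels = merged.setdefault("relationships", [])
    seen = {(r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]) for r in rels}
    for rel in fragment["relationships"]:
        key = (rel["spdxElementId"], rel["relatedSpdxElement"], rel["relationshipType"])
        if key not in seen:
            rels.append(rel)
            seen.add(key)
    return merged

# Constructed stand-in for the SBOM release tooling already holds for CPython itself;
# it already lists zlib at the same version, so stitching must not duplicate it.
BASE_SBOM = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "CPython-SBOM", "documentNamespace": "https://example.invalid/cpython/sbom",
    "packages": [{"SPDXID": "SPDXRef-PACKAGE-zlib", "name": "zlib", "versionInfo": "1.3.1",
                  "downloadLocation": "NOASSERTION", "filesAnalyzed": False}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relatedSpdxElement": "SPDXRef-PACKAGE-zlib",
                       "relationshipType": "DESCRIBES"}],
}

if __name__ == "__main__":
    deps = parse_get_externals(SAMPLE_GET_EXTERNALS)
    fragment = build_spdx_fragment(deps, "https://example.invalid/cpython-source-deps/sbom")
    print(json.dumps(stitch_into(BASE_SBOM, fragment), indent=2))
```

The conflict check in `stitch_into` is the part worth keeping in any real stitching step: the per-branch list in get_externals.bat is the build's source of truth, and a version that differs from what the base SBOM already claims should fail the release job rather than be papered over.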
