Merged
33 changes: 33 additions & 0 deletions peps/pep-0770.rst
Expand Up @@ -139,6 +139,39 @@ These decisions mean this PEP is capable of supporting any SBOM standard
and does not favor one over the other, instead deferring the decision to
producing projects and tools and consuming user tooling.

What are the differences between PEP 770 and PEP 725?
-----------------------------------------------------

:pep:`725`
("Specifying external dependencies in pyproject.toml") is a different
PEP with some similarities to PEP 770, such as attempting to describe non-Python
software within Python packaging metadata. This section aims to show how these
two PEPs are tracking different information and serving different use-cases:

* PEP 725 describes **abstract dependencies**, such as requiring "a C compiler"
as a build-time dependency (``virtual:compiler/c``). PEP 770 describes
**concrete dependencies**, such as an exact name, version, architecture, and
hash of a software library distributed through AlmaLinux distribution
(``pkg:rpm/almalinux/libssl3@3.2.0``). For cases like build dependencies this
might result in a dependency being requested via PEP 725 and then recorded
concretely in an SBOM post-build with PEP 770.
* PEP 725 is for describing **external dependencies**, provided by the system
being used to either build or run the software. PEP 770 is for describing
**bundled software inside Python package archives**, the SBOM documents
don't describe software on the system.
* **PEP 725 is primarily about identification**, using a list of software
identifiers. PEP 770 provides the **complete functionality of SBOM standards**
to describe various software attributes such as license, checksum, download
location, etc.
* **PEP 725 and PEP 770 have different users and use-cases**. PEP 725 is
primarily for humans writing dependencies in ``pyproject.toml`` by hand.
The users of the information are build backends and users who want to build
software from source.
PEP 770 is primarily for tools which are capable of generating SBOM documents
to be included in a Python package archive and SBOM/SCA tools which want to
SBOM documents about installed software to do some other task such as
vulnerability scanning or software analysis.

.. _770-spec:

Specification
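Review bot: the last bullet of the new section is missing a verb in "SBOM/SCA tools which want to SBOM documents about installed software"; suggest "SBOM/SCA tools which want to consume SBOM documents about installed software to do some other task". Two smaller wording points in the same hunk: the second bullet's "PEP 770 is for describing **bundled software inside Python package archives**, the SBOM documents don't describe software on the system" is a comma splice and reads better as "...Python package archives**; the SBOM documents do not describe software on the system", and the first bullet's "distributed through AlmaLinux distribution" needs an article ("distributed through the AlmaLinux distribution"). The distinction the section draws (abstract vs. concrete, external vs. bundled, identification vs. full SBOM attributes) is clear and worth keeping as written.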