From b1108afed940ef171220724b1c000c8cbc5ae391 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 14 Feb 2025 17:11:39 -0600 Subject: [PATCH] PEP 770: Add build environment and reproducibility to motivation --- peps/pep-0770.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/peps/pep-0770.rst b/peps/pep-0770.rst index 7c25d862e7b..e94b8366d41 100644 --- a/peps/pep-0770.rst +++ b/peps/pep-0770.rst @@ -65,6 +65,18 @@ libraries are detected when using common SCA tools like Syft and Grype. If an SBOM document is included annotating all the included shared libraries then SCA tools can identify the included software reliably. +Build Tools, Environment, and Reproducibility +--------------------------------------------- + +Going beyond the runtime dependencies of a package: SBOMs can also record the +tools and environments used to build a package. Recording the exact tools +and versions used to build a package is often required to establish +`build reproducibility `__. +Build reproducibility is a property of software that can be used to detect +incorrectly or maliciously modified software components when compared to their +upstream sources. Without a recorded list of build tools and versions it can +become difficult to impossible for a third-party to verify build reproducibility. + Regulations -----------
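Review bot: in the new "Build Tools, Environment, and Reproducibility" section the link ``build reproducibility `__`` has no hyperlink target between the link text and the closing ``__``, so the reference renders empty; please add the intended URL before merging. Two wording points in the same hunk: "difficult to impossible" should read "difficult or impossible", and the opening "Going beyond the runtime dependencies of a package: SBOMs can also record..." would read more cleanly without the colon, e.g. "Beyond the runtime dependencies of a package, SBOMs can also record the tools and environments used to build it." Finally, the paragraph says recorded build tools and versions are "often required" for reproducibility but does not say how a consumer would tell build-time entries apart from the runtime dependencies described in the preceding paragraphs; one sentence stating that build tools are recorded with a distinct relationship to the package (rather than as ordinary dependencies) would make the motivation self-contained and avoid SCA tools treating build tools as shipped components.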