PEP 770: Add build environment and reproducibility to motivation #4271

Merged
merged 1 commit into from
Feb 18, 2025
12 changes: 12 additions & 0 deletions peps/pep-0770.rst
Expand Up @@ -65,6 +65,18 @@ libraries are detected when using common SCA tools like Syft and Grype.
If an SBOM document is included annotating all the included shared libraries
then SCA tools can identify the included software reliably.

Build Tools, Environment, and Reproducibility
---------------------------------------------

Going beyond the runtime dependencies of a package: SBOMs can also record the
tools and environments used to build a package. Recording the exact tools
and versions used to build a package is often required to establish
`build reproducibility <https://reproducible-builds.org>`__.
Build reproducibility is a property of software that can be used to detect
incorrectly or maliciously modified software components when compared to their
upstream sources. Without a recorded list of build tools and versions it can
become difficult to impossible for a third-party to verify build reproducibility.

Regulations
-----------

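Review bot: The sentence "Build reproducibility is a property of software that can be used to detect incorrectly or maliciously modified software components when compared to their upstream sources" describes the comparison imprecisely: a reproducible build is verified by rebuilding the component from its upstream sources with the recorded tools and comparing the rebuilt output to the distributed artifact, not by comparing the component to the sources directly. Suggest rewording along the lines of "Build reproducibility allows a third party to rebuild a component from its upstream sources and, by comparing the result to the distributed artifact, detect incorrectly or maliciously modified components." Two smaller points in the same paragraph: the colon in "Going beyond the runtime dependencies of a package: SBOMs can also record" should be a comma, and "third-party" as a noun ("for a third-party to verify") should be "third party".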