Generate and add an SBOM to wheels (PEP 770)

[StanFromIreland]

@sethmlarson, could you please review?

[StanFromIreland]

Ah, pathlib isn't in Python 2.7 🙃

[sethmlarson]

In general this looks good to me, do you have the "built" SBOM available so I can poke around with it with some validators?

[sethmlarson]

Funnily enough, many scanners don't recognize later SBOM versions. If you're not using new features it's better to use a lower version (like 1.4).

[StanFromIreland]

Oh, that's not ideal, IIRC since it has been a few days I think there was something only in the newer ones.

[StanFromIreland]

Here are the extracted contents:

Details

tzdata-2026.1.dist-info/sboms$ cat sbom.cdx.json 
{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "version": 1,
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "metadata": {
    "component": {
      "bom-ref": "pkg:pypi/tzdata@2026.1",
      "name": "tzdata",
      "version": "2026.1",
      "purl": "pkg:pypi/tzdata@2026.1",
      "type": "library",
      "components": [
        {
          "bom-ref": "https://www.iana.org/time-zones",
          "name": "tz",
          "version": "2026a",
          "type": "data",
          "data": [
            {
              "type": "dataset",
              "name": "IANA Time Zone Database",
              "description": "zic-compiled TZif timezone files"
            }
          ],
          "licenses": [
            {
              "license": {
                "name": "tz database license",
                "url": "https://data.iana.org/time-zones/tz-link.html"
              }
            }
          ]
        }
      ]
    }
  }
}

[pganssle]

Sorry I could have sworn I left this comment already, but is there a way to do this without adding a setup.py? This is a very simple package, surely there is an existing backend that can handle packaging up a data-only package and including a SBOM automatically, or a plugin for setuptools for this?

[StanFromIreland]

Not yet it seems per pypa/setuptools#4821.

Would you prefer we run generate_sbom during the update instead?

[pganssle]

Not yet it seems per pypa/setuptools#4821.

Would you prefer we run generate_sbom during the update instead?

Yeah I looked into this a bit and it seems to me like the best ways forward are one of:

• Use hatchling or maturin or something that supports this as a backend natively.
• Use auditwheel repair to add this to the wheel after the fact
• Wait until this is natively supported by setuptools or someone writes a plugin we can just use (I'm not sure we have a super strong impetus to do this right away, right?)

Also, I'm guessing based on the commit history that the setup.py seemed to need to maintain backwards compatibility with 2.7, but while I do think our completely data-only package should be able to maintain compatibility with all versions of Python ~indefinitely, we only really need an installed wheel to work, we don't need to be able to build the wheel with the older versions, so if it makes things easier, we can refactor the testing so that we have one job that builds a wheel using Python 3.13 or whatever, and all the other jobs just install that wheel, or maybe all non-EoL Python versions building from an sdist and all EoL versions just take the wheel built from Python 3.13 or 3.14 and use that for their testing.

[StanFromIreland]

Yeah I looked into this a bit and it seems to me like the best ways forward are one of:

They would still require a script to generate the SBOM at build time, I think storing the template and a copy made during the update is a little duplicative.

[pganssle]

They would still require a script to generate the SBOM at build time, I think storing the template and a copy made during the update is a little duplicative.

I am not sure I fully understand why the build-time script to generate the SBOM is necessary? Looked to me like if we generate the SBOM at update time and check it in, hatchling will just include it for us in the wheel build and auditwheel will just patch it in for us as part of our wheel building pipeline.

If we used auditwheel repair wheels built from sdists wouldn't have SBOM included unless the end user did their own auditwheel repair pass, but I think the intersection of "builds own wheels from source", "cares about SBOM inclusion in a wheel" and "would have trouble including auditwheel repair in the pipeline" is pretty slim, and presumably setuptools and other backends will grow native support for this over time, so the period of time where auditwheel repair may not even be that long (famous last words).