For projects which vendor dependencies into their source tree, having a simple way to keep those SBOMs up-to-date in CI seems important. CPython already has this in the form of a custom tool which regenerates hashes and checks them against a known SBOM file. If there are differences, CI fails and points the contributor at documentation asking questions like:
- Are you updating a bundled project?
- If so, please update other SBOM metadata.
- If not: maybe that file isn't /actually/ a part of the project?
For projects which vendor dependencies into their source tree, having a simple way to keep those SBOMs up-to-date in CI seems important. CPython already has this in the form of a custom tool which regenerates hashes and checks them against a known SBOM file. If there are differences, CI fails and points the contributor at documentation asking questions like: