Document packages bundled inside wheels #9811

Open
stefan6419846 opened this issue Nov 1, 2023 · 1 comment

@stefan6419846

The binary wheels on PyPI currently ship with a shared object compiled using Rust which seems to have some external dependencies: https://github.com/pyca/cryptography/blob/main/src/rust/Cargo.lock

For now, the corresponding packages including their version and licenses are not documented inside the cryptography package itself, thus requiring additional documentation/modification work to ensure license compliance. As I am not a Rust developer, it is not really obvious to me whether, for example, the windows-sys dependencies are actually included in the regular manylinux wheels or not.

It would be great to have the cryptography packages/wheels provide this information for the official builds.

(Note: There has already been a short discussion about this on pyca/bcrypt#656. While it is part of the same GitHub group, the package is different.)

@alex
Member

alex commented Nov 1, 2023

Our answer here is the same as on bcrypt: once there is a standard for SBOM or some similar mechanism for wheels, we're happy to provide it.
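
Added example, not part of the thread or of the cryptography project: the `Cargo.lock` linked in the issue can be read directly to list every recorded crate, its version and where it comes from. The lock text below is constructed; `example-ext`, `libfoo`, `gitdep` and all version numbers are made up.

```python
try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed lock file; names other than windows-sys and all versions are made up.
SAMPLE_LOCK = '''
version = 3

[[package]]
name = "example-ext"
version = "0.1.0"
dependencies = ["gitdep", "libfoo"]

[[package]]
name = "gitdep"
version = "0.2.0"
source = "git+https://example.invalid/gitdep#0000000"

[[package]]
name = "libfoo"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = ["windows-sys"]

[[package]]
name = "windows-sys"
version = "0.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''

def inventory(lock_text):
    """Return (name, version, origin) for every package the lock file records."""
    rows = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        source = pkg.get("source")          # absent for workspace/path crates
        origin = source.split("+", 1)[0] if source else "local"
        rows.append((pkg["name"], pkg["version"], origin))
    return sorted(rows)

def third_party(lock_text):
    """Crates fetched from outside the repository: an upper bound for a license inventory."""
    return [row for row in inventory(lock_text) if row[2] != "local"]

if __name__ == "__main__":
    for name, version, origin in inventory(SAMPLE_LOCK):
        print(f"{name:12} {version:8} {origin}")
```

`Cargo.lock` is resolved for all targets at once and carries no license field, so `windows-sys` is listed here regardless of platform. `cargo tree --target <triple>` narrows the list to what one target actually builds.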
