Description
Bug report
Bug description:
In Fedora Linux, when building the Python RPM, we remove the bundled pip wheel. We use the RPM build available in the system instead.
In the past, a new option was added to Python to define a custom location for that wheel: --with-wheel-pkg-dir (#87022).
generate_sbom.py doesn't account for this possibility; it looks for pip in a hardcoded location and errors out if it is not found.
Even if there was an option to skip the search for pip wheel, would it mean that sbom.spdx.json is shipped in the built Python with incorrect data?
Also, please note that pip bundles a lot of other libraries, and the actual project license, if it were to reflect that reality, would be a tad more complicated, see: Fedora's pip license tag. In https://github.com/python/cpython/blob/main/Misc/sbom.spdx.json#L1719 only MIT is declared.
(Additionally, we also use the system expat and _decimal/libmpdec libraries instead of the Python copies, which are hardcoded the same way in the script, so there will surely be more issues with the generated metadata if we were trying to create an SBOM as downstream repackagers.)
CPython versions tested on:
3.13
Operating systems tested on:
Linux
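As an added illustration (not the reporter's code and not CPython's Tools/build/generate_sbom.py), the following shows how an SBOM generator could honor a custom wheel directory instead of a single hardcoded path: it checks the WHEEL_PKG_DIR config variable that --with-wheel-pkg-dir sets (the value ensurepip itself reads via sysconfig) before falling back to the in-tree Lib/ensurepip/_bundled directory, and when no pip wheel exists at all it omits the pip package from the SBOM rather than aborting or emitting an entry with a checksum that cannot be verified. The helper names, the temporary-directory demo and the constructed fake wheel are assumptions made for this example.

```python
"""Locate the pip wheel ensurepip will use, honoring --with-wheel-pkg-dir,
and build an SPDX-style package entry for it (or omit it when absent).

Added example; not CPython's generate_sbom.py. Helper names are assumed.
"""
import hashlib
import os
import re
import sysconfig
import tempfile

# Wheel filename per PEP 427: name-version(-build)?-pytag-abitag-plattag.whl
_PIP_WHEEL_RE = re.compile(r"^pip-(?P<version>[^-]+)-[^-]+-[^-]+-[^-]+\.whl$")


def candidate_wheel_dirs(source_root):
    """Directories to search, in order: the configured WHEEL_PKG_DIR
    (set by ./configure --with-wheel-pkg-dir; None when unset) and the
    in-tree Lib/ensurepip/_bundled directory that is otherwise hardcoded."""
    dirs = []
    custom = sysconfig.get_config_var("WHEEL_PKG_DIR")
    if custom:
        dirs.append(custom)
    dirs.append(os.path.join(source_root, "Lib", "ensurepip", "_bundled"))
    return dirs


def find_pip_wheel(dirs):
    """Return (path, version) of the first pip wheel found in dirs, or None
    when no wheel is present (e.g. a distro build that removed it)."""
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            m = _PIP_WHEEL_RE.match(name)
            if m:
                return os.path.join(d, name), m.group("version")
    return None


def pip_sbom_package(found):
    """Build an SPDX-style package dict for the wheel, with a SHA256
    checksum of the actual file shipped. None means 'omit pip from the
    SBOM' instead of recording data that does not match the build."""
    if found is None:
        return None
    path, version = found
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "SPDXID": "SPDXRef-PACKAGE-pip",
        "name": "pip",
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",  # filled from project metadata in a real generator
        "checksums": [{"algorithm": "SHA256", "checksumValue": digest}],
    }


def demo():
    """Exercise both paths on a constructed layout: a directory holding a
    fake pip wheel (not a real wheel, just bytes) and an empty tree."""
    root = tempfile.mkdtemp()
    custom_dir = os.path.join(root, "wheels")
    os.makedirs(custom_dir)
    fake = os.path.join(custom_dir, "pip-24.0-py3-none-any.whl")
    with open(fake, "wb") as f:
        f.write(b"constructed fake wheel contents")
    expected = hashlib.sha256(b"constructed fake wheel contents").hexdigest()

    # Custom dir listed first, hardcoded location missing: wheel is found.
    found = find_pip_wheel([custom_dir, os.path.join(root, "Lib", "ensurepip", "_bundled")])
    # Only the (absent) hardcoded location: generator should skip pip.
    missing = find_pip_wheel([os.path.join(root, "Lib", "ensurepip", "_bundled")])
    return {
        "found": found,
        "package": pip_sbom_package(found),
        "expected_sha256": expected,
        "missing_package": pip_sbom_package(missing),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script against a real source tree would replace the constructed layout in demo() with candidate_wheel_dirs(source_root); the point for a downstream repackager is that a None result is a legitimate outcome, and the generator must then drop the pip entry (and likewise any expat or libmpdec entry) rather than describe components the distribution did not ship.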