Document packages bundled inside wheels

[stefan6419846]

The binary wheels on PyPI currently ship with a shared object compiled using Rust which seems to have some external dependencies: https://github.com/pyca/bcrypt/blob/4.0.1/src/_bcrypt/Cargo.lock

For now, the corresponding packages including their version and licenses are not documented inside the bcrypt package itself, thus requiring additional documentation/modification work to ensure license compliance. For me not being a Rust developer, it is not really obvious whether the wasi and winapi dependencies actually are being included in the regular manylinux wheels or not for example.

It would be great to have the bcrypt packages/wheels to provide these information for the official builds.

[alex]

What you're asking for is really an SBOM for wheels. Unfortunately there's no current specification or standard for these.

If and when there's an SBOM standard for wheels, we'll generate them. But we're not going to create our own ad-hoc thing for them.

[stefan6419846]

Thanks for the answer. The usual situation I have seen with packages like matplotlib, scipy, opencv-python or Pillow is to have corresponding license files inside the source code and either integrate them into the main license file during the wheel build or to just ship secondary license files.

Relying on a SBOM standard for wheels might be a valid approach, but this will probably take some time until published, supported and included in the relevant packages.