That doesn’t really change what I said. An earlier version of PEP 770 actually included what you asked about. If you read the PEP 770 discussion thread, there’s a lot of discussion about many SBOM use cases being inherently dynamic, or a mix between static and dynamic. So introducing a standardized static-only [project]-level key that will therefore not be usable by most of the packages that need SBOMs most isn’t the best idea (or at least, that was the outcome of that whole discussion). PEP 808 addresses that key concern.