I am also interested in this PEP. Thanks for creating this PEP @fridex, it goes hand-in-hand with a PEP on SBOMs that I would like to put together (reach out if you are interested in participating in this effort as well).
From my perspective, it would be great to be able to say that an installer that implements both PEP 610 and 710 would always have a corresponding `direct_url.json` or `provenance_url.json` file for each installed package depending on how it was installed. Towards that end:
- What are your thoughts on changing the SHOULD to a MUST when it comes to installers which implement caching?
- Is there any other situation where an installer could install a distribution without resulting in `direct_url.json` or `provenance_url.json`? If not, that may be worth calling out in one or both PEPs to weed out any edge-cases that aren't thought of (if any) and provide more confidence for tools building on the outputs of these two standards.
Another thing I thought of was potentially recording the index where the final installable URL was sourced from, for example "https://pypi.org/simple", since it's possible for indices to mirror PyPI's hosted files via redirects. I'm unsure how much that matters from an SBOM POV since a package installed directly versus indirectly from PyPI would result in the same thing getting installed and referenced in an SBOM (i.e. `pkg:pypi/urllib3@2.0.3`) but captures the installer intent which may prove useful for other tooling (i.e. audit that all installed packages are from the internal mirror).
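The two checks raised in this post (every installed distribution carries one of the two files, and the recorded URL points at the approved mirror) can be scripted against a site-packages directory. The following is an added example, not code from the PEP or from any installer; it assumes both files carry a top-level `"url"` key (PEP 610 defines one; PEP 710 is assumed to match), and the sample dist-info directories it scans are constructed in a temporary directory.

```python
"""Audit installed distributions for PEP 610 / PEP 710 provenance metadata."""
import json
import os
import tempfile
from importlib.metadata import distributions
from urllib.parse import urlparse

PROVENANCE_FILES = ("direct_url.json", "provenance_url.json")


def audit(site_dir, allowed_hosts):
    """Return {name: status} for every dist-info found in ``site_dir``.

    status is "missing" (neither file present, e.g. a cached install),
    "ok" (recorded URL host is in ``allowed_hosts``), or "external:<host>".
    Assumption: both files expose the origin under a top-level "url" key.
    """
    report = {}
    for dist in distributions(path=[site_dir]):
        name = dist.metadata["Name"]
        for fname in PROVENANCE_FILES:
            raw = dist.read_text(fname)  # None when the file is absent
            if raw is not None:
                host = urlparse(json.loads(raw)["url"]).netloc
                report[name] = "ok" if host in allowed_hosts else f"external:{host}"
                break
        else:
            report[name] = "missing"
    return report


def build_sample_site():
    """Construct a throw-away site-packages with three dist-info dirs (sample data)."""
    site = tempfile.mkdtemp()
    mirror_whl = "https://mirror.internal/packages/urllib3-2.0.3-py3-none-any.whl"
    samples = {  # name: (version, provenance file, its JSON body)
        "urllib3": ("2.0.3", "provenance_url.json",
                    {"url": mirror_whl, "archive_info": {"hashes": {"sha256": "00"}}}),
        "requests": ("2.31.0", "direct_url.json",
                     {"url": "https://github.com/psf/requests", "vcs_info": {"vcs": "git"}}),
        "cached-pkg": ("1.0", None, None),  # installed with no provenance record
    }
    for name, (version, fname, body) in samples.items():
        d = os.path.join(site, f"{name.replace('-', '_')}-{version}.dist-info")
        os.mkdir(d)
        with open(os.path.join(d, "METADATA"), "w") as f:
            f.write(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
        if fname:
            with open(os.path.join(d, fname), "w") as f:
                json.dump(body, f)
    return site
```

Running `audit(build_sample_site(), {"mirror.internal"})` flags `requests` as external and `cached-pkg` as missing, which is exactly the gap the SHOULD-to-MUST question is about.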