So it looks like the discussion is continuing on how best to handle files outside of the project root and some other clarification work needs to be done, too. My time to work on this PEP likely to minimal until post-PyCon US (due to other time-sensitive projects coming up and vacation) and I’d like to have the portions of this PEP that seem to have solidifed be actionable (I’ve had draft pull requests ready for a bit).
I’m going to refactor the statically defined SBOM mechanism out of the PEP and will submit that as a separate PEP after PyCon US, then we can completely handle all situations including making a private-use reservation of subdirectories under .dist-info.