PEP 770: Add list of differences between PEP 725 and PEP 770 (#4278)

sethmlarson · web-flow · commit 93e9cc38fcf6 · 2025-02-20T10:13:09.000-08:00
diff --git a/peps/pep-0770.rst b/peps/pep-0770.rst
@@ -139,6 +139,39 @@ These decisions mean this PEP is capable of supporting any SBOM standard
 and does not favor one over the other, instead deferring the decision to
 producing projects and tools and consuming user tooling.
 
+What are the differences between PEP 770 and PEP 725?
+-----------------------------------------------------
+
+:pep:`725`
+("Specifying external dependencies in pyproject.toml") is a different
+PEP with some similarities to PEP 770, such as attempting to describe non-Python
+software within Python packaging metadata. This section aims to show how these
+two PEPs are tracking different information and serving different use-cases:
+
+* PEP 725 describes **abstract dependencies**, such as requiring "a C compiler"
+  as a build-time dependency (``virtual:compiler/c``). PEP 770 describes
+  **concrete dependencies**, such as an exact name, version, architecture, and
+  hash of a software library distributed through AlmaLinux distribution
+  (``pkg:rpm/almalinux/libssl3@3.2.0``). For cases like build dependencies this
+  might result in a dependency being requested via PEP 725 and then recorded
+  concretely in an SBOM post-build with PEP 770.
+* PEP 725 is for describing **external dependencies**, provided by the system
+  being used to either build or run the software. PEP 770 is for describing
+  **bundled software inside Python package archives**, the SBOM documents
+  don't describe software on the system.
+* **PEP 725 is primarily about identification**, using a list of software
+  identifiers. PEP 770 provides the **complete functionality of SBOM standards**
+  to describe various software attributes such as license, checksum, download
+  location, etc.
+* **PEP 725 and PEP 770 have different users and use-cases**. PEP 725 is
+  primarily for humans writing dependencies in ``pyproject.toml`` by hand.
+  The users of the information are build backends and users who want to build
+  software from source.
+  PEP 770 is primarily for tools which are capable of generating SBOM documents
+  to be included in a Python package archive and SBOM/SCA tools which want to
+  SBOM documents about installed software to do some other task such as
+  vulnerability scanning or software analysis.
+
 .. _770-spec:
 
 Specification
