PEP 770: Add build environment and reproducibility to motivation (#4271)

sethmlarson · web-flow · commit ae4010a2d578 · 2025-02-18T11:05:40.000-08:00
diff --git a/peps/pep-0770.rst b/peps/pep-0770.rst
@@ -65,6 +65,18 @@ libraries are detected when using common SCA tools like Syft and Grype.
 If an SBOM document is included annotating all the included shared libraries
 then SCA tools can identify the included software reliably.
 
+Build Tools, Environment, and Reproducibility
+---------------------------------------------
+
+Going beyond the runtime dependencies of a package: SBOMs can also record the
+tools and environments used to build a package. Recording the exact tools
+and versions used to build a package is often required to establish
+`build reproducibility <https://reproducible-builds.org>`__.
+Build reproducibility is a property of software that can be used to detect
+incorrectly or maliciously modified software components when compared to their
+upstream sources. Without a recorded list of build tools and versions it can
+become difficult to impossible for a third-party to verify build reproducibility.
+
 Regulations
 -----------
 
