PEP 770 – Improving measurability of Python packages with Software Bill-of-Materials was accepted earlier this year, making it possible to ship SBOMs in Python packages. See gh-29178 for more context.

This issue is for tracking the implementation. We need two different types of SBOMs:

1. One or more SBOMs for code that is vendored inside the NumPy repository.
2. Dynamically generated SBOMs that reflect software components that were vendored as part of the wheel build process, if any (e.g., libscipy_openblas.so).

To implement this, we need tooling support. Relevant upstream issues:

• meson-python: Support for PEP 770 (SBOMs) mesonbuild/meson-python#763
• auditwheel: Generate SBOMs for repaired libraries pypa/auditwheel#577
• delocate: no issue yet
• delvewheel: no issue yet

Other relevant activity:

• `scikit-learn: RFC: Towards reproducible builds for our PyPI release wheels scikit-learn/scikit-learn#28151, Automatically generate a SBOM file when vendoring array-api-compat and array-api-extra scikit-learn/scikit-learn#31343
• https://github.com/psf/sboms-for-python-packages