PEP 770: Support ``.dist-info/sboms`` directory in wheels
@sethmlarson's PEP 770 was recently approved, which provides for a .dist-info/sboms directory in built distributions.
In keeping with Flit's general ethos, I wouldn't suggest that we generate an SBOM, but instead just copy an existing one that the user specifies. Perhaps this could be similar to [flit.external-data], e.g. [flit.sboms], with an array of relative paths?
There are a few light-touch verification steps we could add that the PEP suggests, cc @sethmlarson for thoughts if any.
I'd be happy to work on a PR if there's interest here, cc @takluyver @cdce8p.
If Flit isn't the one creating the SBOM files then I think it's fine to treat the files as opaque and forward them along to the package without any verification. Of course, if you're willing to do some verification via warnings or the like I think it'd be a positive improvement to the ecosystem :) Thanks for opening this issue @AA-Turner!
Thanks! I'm not familiar with SBOM, but I'm open to what you describe, having a way to include existing SBOM files into a package. It could also follow the pattern of the recently added license-files key, allowing glob patterns - I don't know how many of these files projects will typically have. I guess for Flit maybe not that many, since you wouldn't use Flit if you're building compiled code which will need bundled libraries. 🤷
I think it makes sense to do at least a bit of verification - skimming the PEP, we could at least check that files are UTF-8 JSON. I'm open to doing a bit more as well, at least if it's practical without new dependencies. If verification is the goal, let's try to get it in the first version with SBOM support, to minimise the risk that a working package under one version of Flit is rejected by a later version with stricter verification.
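The verification discussed in this thread (resolve user-specified relative paths, confirm each file is UTF-8 JSON as PEP 770 requires, then hand the files to the wheel builder as opaque content) sketched as an added Python example. This is illustrative code written for this page, not Flit's implementation and not part of the PEP; the `[flit.sboms]` key, the flat `sboms/<basename>` layout under the `.dist-info` directory, and the helper names `check_sbom_file`, `collect_sboms` and `demo` are assumptions, and `demo` builds its own throwaway project with constructed SBOM files so it runs offline.

```python
import json
import tempfile
from pathlib import Path


def check_sbom_file(path: Path) -> list[str]:
    """Return the problems found with one SBOM file (an empty list means OK).

    PEP 770 requires the files to be UTF-8 encoded JSON. Nothing beyond that is
    checked here: the document content itself is treated as opaque.
    """
    raw = path.read_bytes()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"{path.name}: not valid UTF-8 ({exc})"]
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"{path.name}: not valid JSON ({exc})"]
    return []


def collect_sboms(project_dir: Path, patterns: list[str]) -> dict[str, Path]:
    """Resolve glob patterns relative to project_dir and verify each match.

    Returns {"sboms/<basename>": <source path>}, i.e. the destination inside
    the .dist-info directory mapped to the file to copy (hypothetical layout).
    Raises on missing matches, files outside the project tree, duplicate
    basenames, or files that fail the UTF-8/JSON check, so a bad SBOM fails
    the build rather than shipping silently.
    """
    project_dir = project_dir.resolve()
    found: dict[str, Path] = {}
    for pattern in patterns:
        matches = sorted(p for p in project_dir.glob(pattern) if p.is_file())
        if not matches:
            raise FileNotFoundError(f"no SBOM files match {pattern!r}")
        for src in matches:
            # Refuse anything (e.g. a symlink) that resolves outside the project.
            if not src.resolve().is_relative_to(project_dir):
                raise ValueError(f"{src} resolves outside the project directory")
            problems = check_sbom_file(src)
            if problems:
                raise ValueError("; ".join(problems))
            dest = f"sboms/{src.name}"
            if dest in found:
                raise ValueError(f"duplicate SBOM basename {src.name!r}")
            found[dest] = src
    return found


def demo() -> tuple[list[str], str]:
    """Exercise the checks on constructed files in a temporary project.

    Returns (accepted destination paths, error message for the rejected file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbom").mkdir()
        # Constructed minimal CycloneDX-style document: valid UTF-8 JSON.
        (root / "sbom" / "app.cdx.json").write_text(
            json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}),
            encoding="utf-8",
        )
        # Constructed file whose bytes are Latin-1, not UTF-8 (0xE9 = "é").
        (root / "sbom" / "legacy.cdx.json").write_bytes(b'{"name": "caf\xe9"}')

        accepted = collect_sboms(root, ["sbom/app.cdx.json"])
        try:
            collect_sboms(root, ["sbom/legacy.cdx.json"])
            rejected = ""
        except ValueError as exc:
            rejected = str(exc)
    return sorted(accepted), rejected


if __name__ == "__main__":
    ok, err = demo()
    print("accepted:", ok)
    print("rejected:", err)
```

Failing the build on a non-UTF-8 or non-JSON file, rather than warning, matches the point made above about getting strictness into the first release: a package that builds today keeps building under the same rules later.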