@sethmlarson's PEP 770 was recently approved, which provides for a .dist-info/sboms directory in built distributions.

In keeping with Flit's general ethos, I wouldn't suggest that we generate an SBOM, but instead just copy an existing one that the user specifies. Perhaps this could be similar to [flit.external-data], e.g. [flit.sboms], with an array of relative paths?

There are a few light-touch verification steps we could add that the PEP suggests, cc @sethmlarson for thoughts if any.

I'd be happy to work on a PR if there's interest here, cc @takluyver @cdce8p.

A