
Python Foundation Adopts SPDX for Software Bill of Materials

October 30, 2025
The Python Software Foundation has taken a significant step forward in software supply chain transparency by including SPDX-format Software Bills of Materials (SBOMs) with their official Python releases.
Starting with Python 3.14, released earlier this week, every distribution package available on the official download page now ships with an accompanying SPDX SBOM. These machine-readable documents provide a detailed inventory of the software components, including cryptographic checksums that can be used to verify the integrity of the downloaded artifacts.
While the current implementation uses SPDX v2.3 format and focuses primarily on component identification and integrity verification through checksums, this represents an important milestone for both the Python ecosystem and the broader adoption of SPDX standards.
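To show what "integrity verification through checksums" looks like in practice, here is an added example (not code from this announcement, from the SPDX project, or from the Python Software Foundation): a small Python script that parses an SPDX 2.3 JSON document, locates a named package, and compares a downloaded artifact against the strong checksums recorded for it. The SBOM document, the package name and the artifact bytes below are constructed for the example; the field names (`packages`, `checksums`, `algorithm`, `checksumValue`) are those of the SPDX 2.3 JSON schema.

```python
"""Verify a downloaded artifact against the checksums in an SPDX 2.3 JSON SBOM.

Added example. The SBOM and artifact below are constructed for illustration
and are not the Python Software Foundation's real documents.
"""
import hashlib
import hmac
import json
import sys

# Constructed artifact and package name (not a real Python release).
SAMPLE_ARTIFACT = b"not a real release tarball, just constructed sample bytes\n"
SAMPLE_PACKAGE = "example-artifact.tar.gz"

# Constructed SPDX 2.3 document describing that artifact. It records a strong
# (SHA256) and a weak (SHA1) checksum so the verifier's policy is visible.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-sbom",
    "creationInfo": {"created": "2025-10-30T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [{
        "SPDXID": "SPDXRef-Package-example",
        "name": SAMPLE_PACKAGE,
        "versionInfo": "1.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "checksums": [
            {"algorithm": "SHA256",
             "checksumValue": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
            {"algorithm": "SHA1",
             "checksumValue": hashlib.sha1(SAMPLE_ARTIFACT).hexdigest()},
        ],
    }],
})

# SPDX 2.3 also permits MD5, SHA1 and others; only these are accepted as
# evidence of integrity. Anything else in the SBOM is ignored, not trusted.
STRONG_ALGORITHMS = {
    "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512,
}


def load_sbom(text):
    """Parse an SPDX JSON document and insist on the 2.3 version tag."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.3":
        raise ValueError(f"unexpected spdxVersion: {doc.get('spdxVersion')!r}")
    return doc


def find_package(doc, name):
    """Return the package entry whose name matches, or raise KeyError."""
    for pkg in doc.get("packages", []):
        if pkg.get("name") == name:
            return pkg
    raise KeyError(f"package {name!r} not found in SBOM")


def verify_package(doc, name, data):
    """Check `data` against every strong checksum recorded for package `name`.

    Returns the list of algorithms that matched. Raises ValueError on any
    mismatch, or when the SBOM records no strong checksum at all (a missing
    checksum must never be treated as a pass).
    """
    pkg = find_package(doc, name)
    matched = []
    for entry in pkg.get("checksums", []):
        algo = entry.get("algorithm")
        ctor = STRONG_ALGORITHMS.get(algo)
        if ctor is None:
            continue  # weak or unknown algorithm: skip, do not rely on it
        expected = entry["checksumValue"].lower()
        actual = ctor(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"{algo} mismatch for {name}: {actual} != {expected}")
        matched.append(algo)
    if not matched:
        raise ValueError(f"no strong checksum recorded for {name}")
    return matched


def is_intact(doc, name, data):
    """Boolean convenience wrapper around verify_package."""
    try:
        verify_package(doc, name, data)
        return True
    except (KeyError, ValueError):
        return False


def main(argv):
    # Usage: python verify_spdx.py <sbom.spdx.json> <artifact> <package name>
    # With no arguments the constructed sample is verified instead.
    if len(argv) == 4:
        with open(argv[1], encoding="utf-8") as f:
            doc = load_sbom(f.read())
        with open(argv[2], "rb") as f:
            data = f.read()
        name = argv[3]
    else:
        doc, data, name = load_sbom(SAMPLE_SBOM), SAMPLE_ARTIFACT, SAMPLE_PACKAGE
    print(f"verified {name} via {verify_package(doc, name, data)}")


if __name__ == "__main__":
    main(sys.argv)
```

The deliberate choices are the policy ones: an SBOM entry using a weak algorithm is skipped rather than accepted, a package with no strong checksum fails closed, and the comparison uses `hmac.compare_digest` so the verifier does not leak timing. A checksum in the SBOM only proves the download matches what the publisher recorded; it says nothing about who published the SBOM, so in a real pipeline the SBOM itself should be fetched over TLS from the official download page and, where a signature is offered, checked before its checksums are trusted.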
“This is a huge win for supply chain security and transparency,” said SPDX Steering Committee Chair Rose Judge. “By providing standardized SBOMs in SPDX format, Python is making it easier for organizations to understand and verify what’s included in their software dependencies.”
The inclusion of SPDX SBOMs with one of the world’s most popular programming languages demonstrates the growing industry recognition of SPDX as the standard format for software bill of materials. This move will likely encourage other major open source projects to follow suit.
The SPDX SBOMs are published alongside each software distribution format, including the source archives (.tar.gz and .tar.xz) and the platform-specific installers for Windows, macOS, and Android.