
Software Bill of Materials (SBOM) output #6012

@chrisrodrigue

Description


uv is in a prime position to be able to emit an SBOM that reflects the state of the current uv-managed virtual environment, or ingest an SBOM to produce a managed virtual environment.

SBOM requirements supersede any existing PEP. Executive Order 14028 demands SBOM documentation from all vendors to the US government by September 2023. It is reasonable to assume that uv may indirectly fall under this executive order if there are downstream users of uv that provide software to the US government.

It would be awesome if uv could emit an SBOM in one of the industry standard formats. CycloneDX is one such SBOM standard. I think uv may already have all the metadata necessary to output one.

SBOM support would greatly improve the security posture of uv and uv-managed projects.
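To make the request concrete, the following is an added example (not uv's code, and not the issue author's) of the two directions the issue describes: emitting a CycloneDX 1.5 JSON document from the distributions visible to the running interpreter, and ingesting such a document back into pinned requirement lines. It uses only the standard library; the root component name `example-project`, the version `0.1.0`, and the package list used in the usage call at the bottom are constructed sample values, not anything taken from uv or the issue.

```python
"""Minimal CycloneDX 1.5 emitter and ingester for a Python environment.

Added example for the uv SBOM feature request; assumes only the standard
library. Package names and versions in __main__ are constructed samples.
"""
from __future__ import annotations

import json
import re
import uuid
from datetime import datetime, timezone
from importlib.metadata import distributions


def normalize_name(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'.

    Both purl and the environment must agree on this form, otherwise the same
    package can appear twice under different spellings in the BOM.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def purl_for(name: str, version: str) -> str:
    """Package URL for a PyPI distribution (pkg:pypi/<name>@<version>)."""
    return f"pkg:pypi/{normalize_name(name)}@{version}"


def collect_installed() -> list[tuple[str, str]]:
    """Read (name, version) pairs from the interpreter's installed distributions.

    Deduplicates by normalized name so a package shadowed twice on sys.path
    is listed once; the first distribution found wins.
    """
    found: dict[str, tuple[str, str]] = {}
    for dist in distributions():
        name = dist.metadata["Name"]
        if not name:
            continue  # damaged METADATA file; skip rather than emit a nameless component
        found.setdefault(normalize_name(name), (name, dist.version))
    return sorted(found.values(), key=lambda nv: normalize_name(nv[0]))


def build_cyclonedx(packages, root_name="example-project", root_version="0.1.0",
                    serial=None, timestamp=None) -> dict:
    """Build a CycloneDX 1.5 JSON document describing `packages` as libraries.

    `serial` and `timestamp` are injectable so a test can produce a stable BOM;
    in normal use a fresh urn:uuid and the current UTC time are used.
    """
    components = [
        {
            "type": "library",
            "bom-ref": purl_for(name, version),
            "name": normalize_name(name),
            "version": version,
            "purl": purl_for(name, version),
        }
        for name, version in packages
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp
            or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": root_name, "version": root_version},
        },
        "components": components,
    }


def requirements_from_cyclonedx(bom: dict) -> list[str]:
    """Ingest side: turn a BOM's PyPI components into pinned `name==version` lines.

    Components without a pkg:pypi purl (OS packages, containers, files) are
    skipped, since a Python environment cannot be built from them.
    """
    lines = []
    for comp in bom.get("components", []):
        m = re.fullmatch(r"pkg:pypi/([A-Za-z0-9._-]+)@([^?#]+)", comp.get("purl", ""))
        if not m:
            continue
        lines.append(f"{m.group(1)}=={m.group(2)}")
    return sorted(lines)


if __name__ == "__main__":
    # Constructed sample input; swap in collect_installed() to describe the live environment.
    sample = [("Requests", "2.31.0"), ("urllib3", "2.2.1")]
    print(json.dumps(build_cyclonedx(sample), indent=2))
```

The `bom-ref` is set to the purl so that a later `dependencies` section (which uv's resolver could populate from its lockfile) can reference components unambiguously; the round-trip through `requirements_from_cyclonedx` shows that the purl alone carries enough information to rebuild a pinned environment.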

Metadata

Assignees: none

Labels: wish (Not on the immediate roadmap)

Type: none

Projects: none

Milestone: none

Relationships: none yet

Development: no branches or pull requests
