I have examined cpython/Misc/sbom.spdx.json at v3.13.0a3 in python/cpython on GitHub.
What worries me is that it claims the bundled pip wheel is licensed as: MIT.
In fact, due to the vendored packages in pip, the SPDX license expression is much more complex than that. For example, in Fedora, we believe the license for pip 23.3.1 is MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)[1].
(I understand that perfect is the enemy of good, but perhaps when we try to enumerate everything, this is important.)
[1] Breakdown at Tree - rpms/python-pip - src.fedoraproject.org
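The mismatch described above can be caught mechanically. The following is an added example (not code from the post, from CPython or from Fedora): it parses SPDX license expressions into a tree, collects the license identifiers they contain, and reports SBOM packages whose declared expression omits identifiers that a distributor's expected expression has. The SBOM fragment is constructed to mimic the "packages" list and "licenseConcluded" field of an SPDX 2.3 JSON document; the expected expression for pip 23.3.1 is the one quoted in the post, and the package layout and the "expat" entry are illustrative assumptions.

```python
import json
import re

# Constructed SPDX JSON fragment shaped like an SPDX 2.3 "packages" list.
# The pip entry reproduces the complaint in the post: a bare "MIT".
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "pip", "versionInfo": "23.3.1", "licenseConcluded": "MIT"},
        {"name": "expat", "versionInfo": "2.5.0", "licenseConcluded": "MIT"},
    ],
})

# Expected expression per package, here the Fedora breakdown quoted in the post.
EXPECTED = {
    "pip": ("MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause "
            "AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)"),
}

KEYWORDS = ("AND", "OR", "WITH", "(", ")")


def tokenize(expression):
    """Split an SPDX expression into ids, operators and parentheses; reject stray characters."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):
        raise ValueError(f"unexpected characters in expression: {expression!r}")
    return tokens


def parse(expression):
    """Parse into ('AND', [...]), ('OR', [...]), ('WITH', [id, exception]) or a bare id.

    SPDX precedence: WITH binds tightest, then AND, then OR.
    """
    tokens = tokenize(expression)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while peek() == "OR":
            take()
            left = ("OR", [left, parse_and()])
        return left

    def parse_and():
        left = parse_primary()
        while peek() == "AND":
            take()
            left = ("AND", [left, parse_primary()])
        return left

    def parse_primary():
        if peek() is None:
            raise ValueError("unexpected end of expression")
        tok = take()
        if tok == "(":
            inner = parse_or()
            if peek() != ")":
                raise ValueError("missing ')'")
            take()
            return inner
        if tok in KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        if peek() == "WITH":                      # license WITH exception
            take()
            if peek() is None or peek() in KEYWORDS:
                raise ValueError("WITH requires an exception id")
            return ("WITH", [tok, take()])
        return tok

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return tree


def license_ids(tree):
    """Set of license identifiers in a parsed tree (exception names are not licenses)."""
    if isinstance(tree, str):
        return {tree}
    op, parts = tree
    if op == "WITH":
        return {parts[0]}
    return set().union(*(license_ids(p) for p in parts))


def check_sbom(sbom_json, expected):
    """Map package name -> sorted license ids present in the expected expression
    but absent from the SBOM's licenseConcluded; empty dict means no gaps."""
    findings = {}
    for pkg in json.loads(sbom_json).get("packages", []):
        name = pkg.get("name")
        if name not in expected:
            continue
        declared = license_ids(parse(pkg.get("licenseConcluded", "NOASSERTION")))
        wanted = license_ids(parse(expected[name]))
        missing = sorted(wanted - declared)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in check_sbom(SAMPLE_SBOM, EXPECTED).items():
        print(f"{name}: SBOM expression omits {', '.join(missing)}")
```

The check only compares identifier sets, which is enough to flag an SBOM entry that understates a package's licensing; it deliberately does not try to decide whether two expressions are logically equivalent. Running it against a real sbom.spdx.json only requires replacing SAMPLE_SBOM with the file contents and EXPECTED with the distributor's own breakdown.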