From d56537881bf0d40cf13de8e7cea3c1239c36f67c Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Tue, 8 Apr 2025 15:20:07 +0300
Subject: [PATCH 1/2] Skip symlinks when creating SBOM for source tarball
---
 sbom.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbom.py b/sbom.py
index 9d972fac..f5ed2ced 100644
--- a/sbom.py
+++ b/sbom.py
@@ -608,12 +608,12 @@ def create_sbom_for_source_tarball(tarball_path: str) -> SBOM:
 # Now we walk the tarball and compare known files to our expected checksums in the SBOM.
 # All files that aren't already in the SBOM can be added as "CPython" files.
 for member in tarball.getmembers():
- if member.isdir(): # Skip directories!
+ if member.isdir() or not member.isfile(): # Skip directories and symlinks!
 continue
 # Get the member from the tarball. CPython prefixes all of its
 # source code with 'Python-{version}/...'.
- assert member.isfile() and member.name.startswith(f"Python-{cpython_version}/")
+ assert member.name.startswith(f"Python-{cpython_version}/")
 # Calculate the hashes, either for comparison with a known value
 # or to embed in the SBOM as a new file. SHA1 is only used because
From 6fcd3d316212697ae17536e1dc4732b9285f5020 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson
Date: Tue, 8 Apr 2025 08:28:05 -0500
Subject: [PATCH 2/2] Update sbom.py
Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
---
 sbom.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sbom.py b/sbom.py
index f5ed2ced..55c427e4 100644
--- a/sbom.py
+++ b/sbom.py
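Review bot: The widened guard on the changed `if` line silently drops every member that is not a regular file, not only symlinks: `TarInfo.isfile()` is also false for hard links, character/block devices and FIFOs, so an unexpected member type no longer trips the `assert member.isfile()` that the second changed line removes and is simply absent from the generated SBOM. If the intent is only to tolerate symlinks, keep the failure loud for anything else: `if member.isdir() or member.issym():  # Skip directories and symlinks!` and leave the original `assert member.isfile() and member.name.startswith(f"Python-{cpython_version}/")` in place. If dropping all non-regular members is intended, the comment should say so, e.g. `# Skip anything that is not a regular file (directories, symlinks, hard links, ...)`, so a reader does not assume the SBOM accounts for every tarball entry. The body of create_sbom_for_source_tarball starts and ends outside the hunk, and the same guard line is rewritten again in the second patch.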
@@ -608,7 +608,7 @@ def create_sbom_for_source_tarball(tarball_path: str) -> SBOM:
 # Now we walk the tarball and compare known files to our expected checksums in the SBOM.
 # All files that aren't already in the SBOM can be added as "CPython" files.
 for member in tarball.getmembers():
- if member.isdir() or not member.isfile(): # Skip directories and symlinks!
+ if not member.isfile(): # Only keep files (no symlinks)
 continue
 # Get the member from the tarball. CPython prefixes all of its