Document packages bundled inside wheels

[stefan6419846]

The binary wheels on PyPI currently ship with a shared object compiled using Rust which seems to have some external dependencies: https://github.com/pyca/cryptography/blob/main/src/rust/Cargo.lock

For now, the corresponding packages including their version and licenses are not documented inside the cryptography package itself, thus requiring additional documentation/modification work to ensure license compliance. For me not being a Rust developer, it is not really obvious whether the windows-sys dependencies actually are being included in the regular manylinux wheels or not for example.

It would be great to have the cryptography packages/wheels to provide these information for the official builds.

(Note: There already has been a short discussion about this on pyca/bcrypt#656. While it is part of the same GitHub group, the package is different.)

[alex]

Our answer here is the same as on bcrypt: once there is a standard for SBOM or some similar mechanism for wheels, we're happy to provide it.

[reaperhulk]

Since this is a long term action item contingent on standards and specs we're going to close this for now while we wait for those things to catch up.