python · sethmlarson · Feb 27, 2024 · Feb 29, 2024 · Feb 29, 2024 · Mar 4, 2024
diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst
@@ -66,7 +66,7 @@ After gathering this information:
 
    * ``name`` for the project name.
    * ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``.
-   * ``licenseConcluded`` for the SPDX license identifier of the project license.
+   * ``licenseConcluded`` must be ``NOASSERTION``.
    * ``versionInfo`` for the version of the project.
    * ``downloadLocation`` should be an HTTPS URL for the project download as an archive.
    * ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256
@@ -107,3 +107,19 @@ When removing a dependency:
    that correct package is removed from the SBOM.
 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and
    :cpy-file:`Tools/build/generate_sbom.py`.
+
+Updating external dependencies (cpython-source-deps)
+----------------------------------------------------
+
+Dependencies for Windows CPython builds are `stored in a separate repository <https://github.com/python/cpython-source-deps>`_
+and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`.
+
+In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable.
+SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json`
+SBOM file. When updating external dependencies for a CPython branch:
+
+1. Push the update to the ``cpython-source-deps`` repository and create a new git tag.
+2. Update the entry for the project in ``get_externals.bat``.
+3. Run ``make regen-sbom`` in the CPython source repository.
+4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``
+5. Commit the changes and have them merged together.