
gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' #115038

Merged
merged 2 commits into from
Feb 6, 2024

Conversation

sethmlarson
Contributor

@sethmlarson sethmlarson commented Feb 5, 2024

Changes the licenseConcluded field to NOASSERTION to signal that we are deliberately omitting licensing information from the SBOM for the following reasons:

  • CPython's licensing situation is complex and difficult to represent in absolute terms in an SBOM.
  • The CPython SBOM is primarily for security use-cases, and licensing information isn't necessary to fulfill this use-case (for example, licensing information isn't required by NTIA minimum elements).
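The two points above (no licence claim in the SBOM, but the NTIA minimum elements still satisfied) can be checked mechanically. The script below is an added example, not CPython's SBOM tooling or any code from this PR: it loads a constructed SPDX 2.3 JSON document of the shape CPython's SBOM uses, reports every package whose licenseConcluded is not literally NOASSERTION, and separately reports any NTIA minimum-element field that is missing. Package names, versions, supplier strings and the purl are constructed values.

```python
"""Added example: audit an SPDX 2.3 JSON SBOM for the licenseConcluded=NOASSERTION
convention and for the NTIA minimum elements. Not CPython's own tooling."""
import json

# Constructed sample in the SPDX 2.3 JSON shape (assumption: top-level "packages",
# "creationInfo" and "relationships" lists, as SPDX JSON defines them).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {
        "created": "2024-02-05T00:00:00Z",
        "creators": ["Tool: example-generator"],
    },
    "packages": [
        {   # follows the convention: deliberately makes no licensing claim
            "SPDXID": "SPDXRef-PACKAGE-libfoo",
            "name": "libfoo",
            "versionInfo": "1.2.3",
            "supplier": "Organization: Example Org",
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:generic/[email protected]",
            }],
        },
        {   # violates the convention (asserts a licence) and lacks a supplier
            "SPDXID": "SPDXRef-PACKAGE-libbar",
            "name": "libbar",
            "versionInfo": "0.9",
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "MIT",
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT",
         "relatedSpdxElement": "SPDXRef-PACKAGE-libfoo",
         "relationshipType": "DESCRIBES"},
    ],
})

# Per-component NTIA minimum elements: supplier name, component name, version
# (plus a unique identifier, checked separately via externalRefs).
NTIA_PACKAGE_FIELDS = ("supplier", "name", "versionInfo")


def check_license_convention(doc: dict) -> list[str]:
    """Report packages whose licenseConcluded is absent or not NOASSERTION."""
    findings = []
    for pkg in doc.get("packages", []):
        value = pkg.get("licenseConcluded")
        if value != "NOASSERTION":
            findings.append(f"{pkg.get('SPDXID', '?')}: licenseConcluded={value!r}")
    return findings


def check_ntia_minimum(doc: dict) -> list[str]:
    """Report missing NTIA minimum-element data at document and package level."""
    findings = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        findings.append("document: no creators (author of SBOM data)")
    if not info.get("created"):
        findings.append("document: no created timestamp")
    if not doc.get("relationships"):
        findings.append("document: no relationships (dependency relationship)")
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "?")
        for field in NTIA_PACKAGE_FIELDS:
            if not pkg.get(field):
                findings.append(f"{spdx_id}: missing {field}")
        # SPDXID is an identifier, but a purl or CPE is what downstream
        # vulnerability matching actually keys on, so flag its absence.
        refs = pkg.get("externalRefs", [])
        if not any(r.get("referenceType") in ("purl", "cpe23Type", "cpe22Type")
                   for r in refs):
            findings.append(f"{spdx_id}: no purl/CPE external reference")
    return findings


def audit(sbom_json: str) -> dict[str, list[str]]:
    """Run both checks on a JSON string and return findings per category."""
    doc = json.loads(sbom_json)
    return {
        "license": check_license_convention(doc),
        "ntia": check_ntia_minimum(doc),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_SBOM).items():
        print(category, findings or "ok")
```

The licence check deliberately treats a missing field the same as a stated licence, because SPDX distinguishes NOASSERTION (the producer makes no claim) from NONE (no licence found) and from an absent field; an SBOM that intends to make no claim should say so explicitly. The NTIA check passes for libfoo even though it asserts nothing about licensing, which is the point of the PR description.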

@hugovk
Member

hugovk commented Feb 5, 2024

Does the SBOM generation tool need updating to emit this?

@sethmlarson
Contributor Author

@hugovk, yes it does for pip specifically, thank you.

@sethmlarson
Contributor Author

@hugovk Fixed that in d451a50

Member

@hugovk hugovk left a comment


Thanks!

@hugovk hugovk merged commit 4bf4187 into python:main Feb 6, 2024
40 checks passed
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 FreeBSD14 3.x has failed when building commit 4bf4187.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/1232/builds/1261) and take a look at the build logs.
  4. Check if the failure is related to this commit (4bf4187) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/1232/builds/1261

Failed tests:

  • test.test_multiprocessing_spawn.test_processes

Summary of the results of the build (if available):

==

Traceback logs:
remote: Enumerating objects: 13, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 7 (delta 6), reused 0 (delta 0), pack-reused 0
From https://github.com/python/cpython
 * branch                  main       -> FETCH_HEAD
Note: switching to '4bf41879d03b1da3c6d38c39a04331e3ae2e7545'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 4bf41879d0 gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (#115038)
Switched to and reset branch 'main'

configure: WARNING: pkg-config is missing. Some dependencies may not be detected correctly.

@sethmlarson sethmlarson deleted the sbom-license-concluded branch February 6, 2024 13:50
@sethmlarson sethmlarson added the needs backport to 3.12 bug and security fixes label Feb 6, 2024
@miss-islington-app

Thanks @sethmlarson for the PR, and @hugovk for merging it 🌮🎉. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Feb 6, 2024
@bedevere-app

bedevere-app bot commented Feb 6, 2024

GH-115088 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 bug and security fixes label Feb 6, 2024
Yhg1s pushed a commit that referenced this pull request Feb 6, 2024
…H-115038) (#115088)

* gh-112302: Change 'licenseConcluded' field to 'NOASSERTION' (GH-115038)
(cherry picked from commit 4bf4187)

Co-authored-by: Seth Michael Larson <[email protected]>

* Update pip SBOM package to version in source

---------

Co-authored-by: Seth Michael Larson <[email protected]>
3 participants