[3.12] gh-112302: Backport SBOM generation tooling

[sethmlarson]

This PR backports the following PRs to the 3.12 branch which has an identical SBOM to the main branch. 3.11 and earlier all have substantial differences (by including setuptools which has multiple layers of dependency vendoring). I proposed backporting to previous branches on discuss.python.org.

• gh-112302: Add Software Bill-of-Materials (SBOM) tracking for dependencies #112303
• gh-112302: Annotate SBOM file as generated in .gitattributes #112854
• gh-112302: Point core developers to SBOM devguide on errors #113490
• gh-114250: Fetch metadata for pip and its vendored dependencies from PyPI #114450

As a data point to limit fear of breaking builds of downstream distributors, we received feedback from @befeleme in #114240 and #114244 which appear to have been resolved in #114450.

• Issue: Add Software Bill of Materials (SBOM) for Python releases #112302

[hugovk]

Does this need updating following #115038?

I'm fine with this going in 3.12, do you think it needs RM approval?

[sethmlarson]

@hugovk Yes this will need that update applied to this branch, and I indeed want to get approval from release managers, I'll send this again to Thomas today.