notes added to setup.py - absolute paranoia is needed on

what dependencies the HDL has.  dropping USD 16 million on 7nm Mask Charges
you absolutely cannot have arbitrary software downloaded off the internet
from external sources.

diff --git a/setup.py b/setup.py
index f8f65cc137c74bb7f07091f06e7a0bb3ec2a5e46..ddbdf8b4402fc7316616bf30bdad22b4386d4a88 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -8,23 +8,45 @@ NEWS = open(os.path.join(here, 'NEWS.txt')).read()
 
 version = '0.0.1'
 
+# the only reason this is added is because it's become a part of python 3.9.
+# the project standard is python 3.7 however in future that will be updated.
+# for now, cached_property is RELUCTANTLY added but a *copy* is added so
+# that the generation of HDL is not critically dependent on random crap
+# off the internet. you're spending USD 16 *MILLION* on masks, you better
+# be absolutely paranoid-level certain you know where every piece of the
+# chain creating the HDL comes from.
+cprop = "git+https://git.libre-soc.org/git/cached-property.git@1.5.2" \
+        "#egg=cached-property-1.5.2"
+
 # using pip3 for ongoing development is a royal pain.  seriously not
 # recommended.  therefore a number of these dependencies have been
 # commented out.  *they are still required* - they will need installing
 # manually.
 
+# XXX UNDER NO CIRCUMSTANCES ADD ARBITRARY DEPENDENCIES HERE. XXX
+# as this is HDL, not software, every dependency added is
+# a serious maintenance and reproducible-build problem.
+# dropping USD 16 million on 7nm Mask Charges when the
+# HDL can be compromised - accidentally or deliberately -
+# by pip3 going out and randomly downloading complete
+# shite is not going to do anyone any favours.
+
+# TODO: make *all* of these be from libre-soc git repo only
+# (which means updating the nmigen-soc one to mirror gitlab)
+
 install_requires = [
     #    'sfpy',    # needs manual patching
     'libresoc-ieee754fpu',   # uploaded (successfully, whew) to pip
     'libresoc-openpower-isa',  # uploaded (successfully, whew) to pip
     # 'nmigen-soc', # install manually from git.libre-soc.org
-    # git url needed for having `pip3 install -e .` install from libre-soc's git repo
-    "cached-property@git+https://git.libre-soc.org/git/cached-property.git@1.5.2#egg=cached-property-1.5.2",
+
+    # git url needed for having `pip3 install -e .` install from libre-soc git
+    "cached-property@"+cprop,
 ]
 
-# git url needed for having `setup.py develop` install from libre-soc's git repo
+# git url needed for having `setup.py develop` install from libre-soc git
 dependency_links = [
-    "git+https://git.libre-soc.org/git/cached-property.git@1.5.2#egg=cached-property-1.5.2",
+    cprop,
 ]
 
 test_requires = [
@@ -41,7 +63,8 @@ setup(
     long_description_content_type='text/markdown',
     classifiers=[
         "Topic :: Software Development",
-        "License :: OSI Approved :: GNU Lesser General Public License v3 or later (LGPLv3+)",
+        "License :: OSI Approved :: " \
+            "GNU Lesser General Public License v3 or later (LGPLv3+)",
         "Programming Language :: Python :: 3",
         "Operating System :: OS Independent",
     ],