Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
We are trying to lock down the `python-requirements.txt` file in the lowRISC/opentitan repository by adding hashes for all dependencies (including transitive dependencies), to satify OpenTitan partner organization-level requirements. To do so, we would like to generate a python-requirements.txt file with the required hashes using the `pip-compile` command from the `pip-tools` package. The way the version is detected in the `setup.py` configuration in this package is using the `use_scm_version` feature which attempts to extract the version from VCS (i.e., git) metadata. However, this requires installing the package with `pip install git+https://github.com/lowRISC/fusesoc.git@<tag>`. However, to use the `pip-compile` command to generate secure `python-requirements.txt` file (i.e., one with pinned hashes), requires installing packages directly using the HTTPS URL syntax, i.e., `pip install https://github.com/lowRISC/fusesoc/archive/refs/tags/ot-0.3.zip`, i.e., bypassing git. Unfortunately, this fails to find the version, since there is no git metadata to parse. Therefore, I updated the `setup.py` configuration to use a "fallback_version". Signed-off-by: Tim Trippel <ttrippel@google.com>
- Loading branch information