Make selection of checksum algorithms mandatory
Instead of using a default list, the user has to choose
what checksums to generate when bootstrapping the dependency.
This is done because it will have an impact when checking
the dependencies: all checksums will be verified.
21 Nov 19 9ae58528c7a82295e0e6b49e2b801b3a30609ea7
Add dependency checksum verification
This commit introduces dependency checksum verification.
If, and only if, a dependency verification metadata file
is present, then Gradle will load this metadata and use
it as the "source of truth" for dependency checksums.
Verification occurs whenever a file is accessed, so it
doesn't matter if the file comes from the local cache
or if it was downloaded in the current build.
Gradle performs all verifications during the build and
fails at the end of the build, similarly to the behavior
for "write dependency verification metadata".
This allows collecting as much information as possible
regarding, typically, the missing checksums, which can
be painful during dependency upgrades.
If a dependency verification file contains multiple
checksums, then _all_ checksums are verified. This is to
avoid the case where one of the checksums is wrong but
not the other, and can be used to further secure verification:
often we only see MD5 and SHA1 checksums. While both can be
baked, it's much harder to bake a dependency which will have
both the same MD5 and SHA1 checksums.
20 Nov 19 7631a9e1d7d77849731b610868ac40a1f758a0b0
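The verification behaviour the two commit messages describe, as an added Python example (not Gradle's code, and not its metadata file format): algorithms must be chosen explicitly when bootstrapping, every recorded checksum is checked for every artifact, and all failures are collected before the build fails. The coordinates, byte strings and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for files resolved from cache or download.
ARTIFACTS = {
    "org.example:lib:1.0": b"constructed jar bytes for lib 1.0",
    "org.example:util:2.3": b"constructed jar bytes for util 2.3",
    "org.example:new:0.1": b"constructed jar bytes for new 0.1",
}

def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()

def bootstrap(artifacts, algorithms):
    """Generate metadata; there is no default algorithm list."""
    if not algorithms:
        raise ValueError("select at least one checksum algorithm")
    return {coord: {a: digest(a, data) for a in algorithms}
            for coord, data in artifacts.items()}

def verify_all(metadata, artifacts):
    """Check every artifact against ALL recorded checksums, collecting failures."""
    failures = []
    for coord, data in artifacts.items():
        expected = metadata.get(coord)
        if not expected:
            # No entry recorded: reported rather than silently accepted.
            failures.append((coord, "missing", None))
            continue
        for algo, want in expected.items():
            if digest(algo, data) != want:
                failures.append((coord, "mismatch", algo))
    return failures

def run_build(metadata, artifacts):
    """Verify only if metadata exists; fail once, at the end, with every problem."""
    if metadata is None:
        return []  # no metadata file present: verification is not enabled
    failures = verify_all(metadata, artifacts)
    if failures:
        raise RuntimeError(f"dependency verification failed: {failures}")
    return failures
```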