Always serialize module sources
Module sources were only serialized in the cache metadata entry.
In practice, they belong to the module metadata, so they are now
properly serialized as part of it. This fixes the "force realize"
02 Dec 19 e1ebdea3359ebede816c8d4fb82b114d5da3ab60
Add dependency checksum verification
This commit introduces dependency checksum verification.
If, and only if, a dependency verification metadata file
is present, then Gradle will load this metadata and use
it as the "source of truth" for dependency checksums.
Verification occurs whenever a file is accessed, so it
doesn't matter if the file comes from the local cache
or if it was downloaded in the current build.
Gradle performs all verifications during the build and
fails at the end of the build, similarly to the behavior
for "write dependency verification metadata".
This allows collecting as much information as possible
regarding, typically, the missing checksums, which can
be painful during dependency upgrades.
If a dependency verification file contains multiple
checksums, then _all_ checksums are verified. This is to
avoid the case where one of the checksums is wrong but
not the other, and can be used to further secure verification:
often we only see MD5 and SHA1 checksums. While both can be
baked, it's much harder to bake a dependency which will have
both the same MD5 and SHA1 checksums.
20 Nov 19 7631a9e1d7d77849731b610868ac40a1f758a0b0