Document current behavior of writing parent POM file verification
The current implementation of dependency verification metadata
generation computes POM metadata verification checksums for parent
POMs, _only when they are downloaded during the same build_.
This behavior is an artifact of how parent POM resolution is
implemented. Eventually, all metadata should be considered equal
and have metadata written in the verification file.
27 Nov 19 d3a65329a4f8d390dde24aa8e80a847d2e353266
Add dependency checksum verification
This commit introduces dependency checksum verification.
If, and only if, a dependency verification metadata file
is present, then Gradle will load this metadata and use
it as the "source of truth" for dependency checksums.
Verification occurs whenever a file is accessed, so it
doesn't matter if the file comes from the local cache
or if it was downloaded in the current build.
Gradle performs all verifications during the build and
fails at the end of the build, similarly to the behavior
for "write dependency verification metadata".
This allows collecting as much information as possible
regarding, typically, the missing checksums, which can
be painful during dependency upgrades.
If a dependency verification file contains multiple
checksums, then _all_ checksums are verified. This is to
avoid the case where one of the checksums is wrong but
not the other, and can be used to further secure verification:
often we only see MD5 and SHA1 checksums. While both can be
faked, it's much harder to fake a dependency which will have
both the same MD5 and SHA1 checksums.
20 Nov 19 7631a9e1d7d77849731b610868ac40a1f758a0b0
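The verification semantics described in the commit above (verify on every access whether cached or freshly downloaded, require every recorded checksum to match, collect all failures and report them together at the end) are illustrated here as an added Python example; it is not Gradle's code, and the `TRUSTED` dict, the `ARTIFACTS` sample bytes and the function names `checksums`, `verify_artifact` and `verify_all` are constructed for this illustration rather than Gradle's verification-metadata format or API.

```python
"""Simplified model of the dependency checksum verification described above.

Added illustration, not Gradle's implementation. The metadata below is a
constructed dict, not Gradle's verification-metadata.xml format; only the
semantics from the commit message are modelled:
  * every artifact that is accessed is verified, cached or freshly downloaded;
  * all checksums listed for an artifact must match (MD5 and SHA1 alike);
  * failures are collected and reported together at the end, not one at a time.
"""
import hashlib

# Constructed sample artifacts (name -> bytes) standing in for jar/pom files.
ARTIFACTS = {
    "libA-1.0.jar": b"contents of libA",
    "libB-2.1.pom": b"<project>libB</project>",
    "libC-0.3.jar": b"contents of libC",
}


def checksums(data: bytes) -> dict:
    """Compute the digests we compare against, keyed by algorithm name."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed "source of truth": trusted checksums per artifact (hypothetical data).
TRUSTED = {
    # libA: both recorded checksums are correct.
    "libA-1.0.jar": {"md5": checksums(b"contents of libA")["md5"],
                     "sha1": checksums(b"contents of libA")["sha1"]},
    # libB: md5 is right but the sha1 was recorded for different content,
    # so verification must fail even though one of the two checksums matches.
    "libB-2.1.pom": {"md5": checksums(b"<project>libB</project>")["md5"],
                     "sha1": checksums(b"<project>libB-tampered</project>")["sha1"]},
    # libC: intentionally absent from the metadata (missing entry).
}


def verify_artifact(name: str, data: bytes, trusted: dict) -> list:
    """Return a list of problems for one artifact; an empty list means verified."""
    problems = []
    expected = trusted.get(name)
    if expected is None:
        problems.append(f"{name}: no checksums recorded in verification metadata")
        return problems
    actual = checksums(data)
    # Every recorded checksum must match; one correct digest is not enough.
    for algo, value in expected.items():
        if algo not in actual:
            problems.append(f"{name}: unsupported checksum algorithm {algo}")
        elif actual[algo] != value:
            problems.append(f"{name}: {algo} mismatch (expected {value}, got {actual[algo]})")
    return problems


def verify_all(artifacts: dict, trusted: dict) -> list:
    """Verify every accessed artifact and collect all failures before reporting."""
    failures = []
    for name, data in artifacts.items():
        failures.extend(verify_artifact(name, data, trusted))
    return failures


if __name__ == "__main__":
    report = verify_all(ARTIFACTS, TRUSTED)
    if report:
        print("Dependency verification failed:")
        for line in report:
            print("  -", line)
    else:
        print("All dependencies verified")
```

Running the block reports two problems at once, the SHA1 mismatch on `libB` and the missing entry for `libC`, which is the "collect everything, fail at the end" behaviour the commit describes; `libA` passes because both of its recorded digests match.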