Make verification model more resilient to real world projects

Dogfooding the Gradle build with dependency verification proved to be helpful. There are quite a few cases where we discover dependencies which come from different repositories. Repositories can also be mirrored and sometimes the mirror doesn't mirror what it was supposed to.
The problem is that working around, for example by fixing the mirrors or figuring out how to fetch a dependency from the right place can be tricky. It's often easier to go and check the dependency and/or metadata and approve it.
For this purpose, the verification metadata file now includes the ability to have "alternate", trusted checksums. It also adds the ability to tell where a checksum comes from, as an indication to the reader. Checksums generated by Gradle will be marked as such, and therefore a reader can see that they are less "trustworthy" than checksums fetched by a human.
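As an added illustration (not code from this commit or from Gradle), a small Python reader for a file shaped like the verification metadata described above: it accepts an artifact whose bytes match either the recorded checksum or a human-approved alternate, and lists the entries whose only checksum Gradle generated itself. The element and attribute names `also-trust` and `origin` are assumed here (they match Gradle's released verification-metadata.xml format); the sample file, its coordinates and its checksum values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed bytes standing in for a jar served by a mirror; a human checked it
# and approved its checksum as an alternate (also-trust) value.
LIB_A_MIRROR = b"constructed lib-a-1.0.jar bytes as served by the mirror"

# Constructed sample in the shape of Gradle's verification-metadata.xml (simplified:
# no XML namespace). The 'a'/'c' runs are placeholder checksums, not real digests.
SAMPLE_METADATA = f"""<verification-metadata>
  <components>
    <component group="org.example" name="lib-a" version="1.0">
      <artifact name="lib-a-1.0.jar">
        <sha256 value="{'a' * 64}" origin="Generated by Gradle">
          <also-trust value="{hashlib.sha256(LIB_A_MIRROR).hexdigest()}"/>
        </sha256>
      </artifact>
    </component>
    <component group="org.example" name="lib-b" version="2.0">
      <artifact name="lib-b-2.0.jar">
        <sha256 value="{'c' * 64}" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""


def load_trusted(xml_text):
    """Map artifact file name -> (origin, set of every trusted sha256 value)."""
    trusted = {}
    for artifact in ET.fromstring(xml_text).iter("artifact"):
        for checksum in artifact.findall("sha256"):
            values = {checksum.get("value")}
            values |= {alt.get("value") for alt in checksum.findall("also-trust")}
            trusted[artifact.get("name")] = (checksum.get("origin", ""), values)
    return trusted


def verify_artifact(name, data, trusted):
    """True if the bytes hash to the primary or to any alternate trusted checksum."""
    if name not in trusted:
        return False  # unknown artifact: fail closed
    return hashlib.sha256(data).hexdigest() in trusted[name][1]


def needs_human_review(trusted):
    """Artifacts whose only checksum Gradle generated and nobody confirmed."""
    return sorted(name for name, (origin, values) in trusted.items()
                  if origin.startswith("Generated by Gradle") and len(values) == 1)
```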