- changed 40 files
Introduce module metadata verificationThis commit introduces verification of metadata files.For this, another refactoring of the `ModuleSource` conceptwas required. Ironically, before this commit, `ModuleSource`used to be available for serialization in the module metadataserializer. However, they weren't used in practice, becauseall the required data could be reconstructed from the caches.In particular, there was this "contentHash" which, becausenot properly serialized, was actually set as a field on thecomponent resolve metadata itself, instead of being partof the module source.Now, this commit reintroduces serialization of module sourcesbut takes a different approach by splitting the module sourcesin two distinct categories:- module sources which can be reconstructed from known data,such as the repository name and repository url- module sources which have to be serialized alongside componentmetadata, because they can't be reconstructed from sourcesThe latter category includes this "contentHash", serialized withthe descriptor hash module source. It also includes the informationabout _which_ actual descriptor file was used to generate thebinary module descriptor (e.g, the source POM, Ivy or modulemetadata file). This information does _not_ belong to the modulecomponent resolve metadata itself, so it belongs to its sources.For this purpose, serialization of module sources has been updatedso that instead of using Java serialization, module sources needto provide a custom serializer, called a Codec. Those codecs areuniquely identified by an id which is just an integer. This isdone for performance optimization, in order to avoid to serializethe name of the codec and have to load it dynamically. Instead,Gradle knows about the full set of serializers (and there's noway for a user to add more because in any case it would requirean update of the module metadata store format).This makes it much more efficient to serialize module sources(because we can now have an optimized encoder), but it alsopermits reconstructing module sources from incomplete information.In particular, the module source which describes the file fromwhich a component resolve metadata was sourced contains a linkto the actual file in the local artifact store. However, in orderto be relocatable, we _don't_ want this file path to be storedin the metadata cache. This means that instead of storing thepath, we actually store the artifact identifier and the hashof the descriptor so that we can, when loaded from cache, findits location back.Currently, metadata verification is enabled for all components.It's not possible to disable verification of metadata.
- … 39 more files in changeset.