Clone Tools
  • last updated a few seconds ago
Constraints: committers
Constraints: files
Constraints: dates
Fix use of schema location

The code was using `xmlns` instead of `xsi`

  1. … 4 more files in changeset.
Replace remaining uses of nagUserOfDeprecatedBehaviour with the builder

  1. … 3 more files in changeset.
Move DeprecationLogger to internal.deprecation package

  1. … 79 more files in changeset.
Optimize duplicated projects detection

Because project names cannot be changed, we can detect

duplicated project names much earlier and once for all.

This makes it redundant to recompute everytime.

  1. … 4 more files in changeset.
Fix circular dependencies when project have the same name

Before this commit, during dependency resolution, a synthetic

module version identifier was generated by project, using the

group and name of the project. However, it's possible for a

project in gradle to have the same name as another in the

same build, leading to duplicates. In this case the projects

were mixed together and lead to a circular dependency.

This commit fixes the problem by making sure we generate

distinct module version identifiers for such projects, by

using the full project path as the name instead of the short


This also makes it possible to publish valid publications

when using the maven or ivy publish plugins. However, we detect

this problem early and warn the user that they should overwrite

the project identity in this case.

  1. … 14 more files in changeset.
Move BuildCacheCommandFactory to :build-cache

And its implementation to :core (though it should end up in some build-cache-related subproject eventually).

  1. … 16 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file


  1. … 3 more files in changeset.
Revert some changes to artifact transform execution, as these changes introduce a performance regression.

  1. … 23 more files in changeset.
Push parallel execution of transforms down to the transformation step, so that this happens independently of whether the tranform is executed for a scheduled node or when visiting an `ArtifactCollection` or `FileCollection` contents.

  1. … 12 more files in changeset.
Merge some logic used for executing a chained scheduled artifact transform node and the other places artifact transforms are executed.

An implication of this change is that when a scheduled transform produces multiple output files, then a consuming scheduled transform will transform those output files in parallel.

  1. … 15 more files in changeset.
Merge some logic used for executing an initial scheduled artifact transform node and for visiting transform outputs included in the contents of an `ArtifactCollection` or `FileCollection`.

  1. … 9 more files in changeset.
Add a way to declare exclusive content for each repository

Before this change, if a repository declared contents using

`repository.content { include "...." }`, it was required to

also declare that the _other_ repositories excluded it in

order to be mutually exclusive.

There's now an API which allows to declare exclusive content:


repositories {

exclusiveContent {

forRepository {

maven { url "" }


filter { includeGroup("com.mycompany") }





  1. … 6 more files in changeset.
Treat single version ranges as "required"

This commit changes the way Gradle handles single version

ranges to treat them like Maven does: they are effectively

"exact" version selectors (not strictly).

Fixes #11185

  1. … 5 more files in changeset.
Add API to disable dependency verification

This commit adds an API to disable verification on a specific

configuration (using `resolutionStrategy.disableDependencyVerification`.

This would let tasks which perform special dependency resolution (like

checking newer versions of dependencies) to pass even if dependency

verification is enabled.

  1. … 11 more files in changeset.
Allow various Gradle services to be injected into artifact transform actions.

  1. … 14 more files in changeset.
Update the error message to link to the docs

  1. … 5 more files in changeset.
Add an XML schema for the verification file

  1. … 3 more files in changeset.
Regroup trusted keys for readability

If a single key is trusted multiple times for different artifacts, we

now regroup the artifact coordinates under the `trusted-key` tag.

  1. … 3 more files in changeset.
Improve grouper

in order to even reduce the size of verification files

  1. … 2 more files in changeset.
Allow signature verification file generation

This commit adds the ability to generate a verification file which relies

on PGP signature verification. With this mode, Gradle will download the

signatures and verify them. Depending on the result of verification,

Gradle will either:

- automatically add trusted keys if verification passed

- automatically ignore keys if they couldn't be downloaded

- automatically ignore keys if verification failed

If verification failed or that a key couldn't be downloaded, a

WARNING will be issued to encourage the user to verify what


In order to reduce the size of the verification file, Gradle will

also automatically perform "normalization" of verifications by

configuring globally trusted keys for artifacts which share the same

group or a common super group.

  1. … 22 more files in changeset.
Add ability to ignore keys for a specific artifact

The use case for this is whenever signature for an artifact fails, but

for some reason the user still trusts the artifact. For example, a POM

file is different between different repositories because it happened

to be published twice with different timestamps.

In this case it is recommended to ignore the signature, however we

_will_ fallback on checksum verification.

  1. … 12 more files in changeset.
Sort entries when building the verification map

This is from user feedback: it seems to be easier to read/update the

contents of the verification file if entries are sorted. If it's done

correctly, then a new version of a module would be written close to

the existing one, making it easier to do manual cleanup of the file.

  1. … 2 more files in changeset.
Add support for globally trusted keys

A globally trusted key can be used to trust a number of

modules and greatly simplifies configuration: instead of

having to specify checksums for all modules, a user can

declare the keys they trust and use a similar syntax to

trusted artifacts to say to what group/name/version the

key applies.

It's often the case that the same keys are used for

several artifacts of the same group or same company, so

this makes it possible to avoid a lot of boilerplate as

long as the artifacts are signed by the same keys.

  1. … 8 more files in changeset.
Add support for ignored keys

Ignored keys can be used in case verification of a signature isn't

possible because a key isn't available anymore (lost, not published

to a key server, ...).

It's worth noting that if a component cannot be verified by at least

one public key, then verification will fallback to checksum verification.

  1. … 16 more files in changeset.
Remove version constrain constructor without 'branch'

Although technically the 'branch' is special as it is not (yet)

published and thus not used/needed in many places, we keep

things consistent to avoid weird issues as the one fixed in the

previous commit.

  1. … 5 more files in changeset.
Serialize the 'branch' detail of a version constraint

  1. … 3 more files in changeset.
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification

is stronger than checksum verification and must be enabled explicitly,

by adding `<signature-verification>true</signature-verification>` to the

dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify

the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact

- if it's present, it will automatically download the public keys

of the signature and verify that the file matches the signatures

- if _any_ of the signature verification fails, fails the build

- if a public key is not trusted explicitly, fails the build

- if signature verification succeeds, no checksum verification is


Currently it's not possible to perform checksum verification for some

modules and signature verification for others. All modules must declare

all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible

to ignore a key for now. It's not possible to fallback to checksum


  1. … 58 more files in changeset.
Allow a capability request without version to be published (#11691)

If a capability is required by a dependency, the request can be made

without specifying a version. This was not fully supported:

- At publishing time, we published 'version: null' (instead of nothing)

- At consuming time, we failed for a missing version (although this is fine)

Both cases are fixed in this commit and test coverage was added.

The test fixtures are extended to work with dependencies published

with a capability requests.

Fixes #11616

  1. … 11 more files in changeset.
Make sure group can also be null when writing

  1. … 1 more file in changeset.
Remove arbitrary limitation of trusted artifacts

This will let users filter by whatever they need. Typically at

Gradle we won't care about checking javadocs or sources so we

only need the "artifact" part.

  1. … 3 more files in changeset.