You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just like gradle wrapper can be configured to verify checksum, fetching JVM should have a similar mechanism to verify that what is installed, is what is expected to be installed.
This would have to take into account different checksums for different operating systems and architectures.
A more convenient version of this would be to at least verify release signatures using the local keychain already used for dependency verification, to not get in the way of minor-version bumps.
The text was updated successfully, but these errors were encountered:
Just like gradle wrapper can be configured to verify checksum, fetching JVM should have a similar mechanism to verify that what is installed, is what is expected to be installed.
tasks { wrapper { gradleVersion = "8.5" distributionUrl = "https://services.gradle.org/distributions/gradle-${gradleVersion}-bin.zip" distributionSha256Sum = "9d926787066a081739e8200858338b4a69e837c3a821a33aca9db09dd4a41026" } }This would have to take into account different checksums for different operating systems and architectures.
A more convenient version of this would be to at least verify release signatures using the local keychain already used for dependency verification, to not get in the way of minor-version bumps.
The text was updated successfully, but these errors were encountered: