Gradle makes it quite easy to start a new project with a Gradle wrapper and the gradle-wrapper.properties file that points to a Gradle distribution zip:
distributionUrl=https\://services.gradle.org/distributions/gradle-7.5.1-bin.zip
Most people only interact with this part of their build when they bump the Gradle version, but have you ever peeked inside this zip to see what you are downloading?
In Gradle Security Considerations I called out that you likely want to set distributionSha256Sum to make sure you are getting the same zip every time. Gradle is an open-source project, so we can go one step further: we can validate that the zip is reproducible.
To do that, we follow these steps:
- Clone the Gradle git repository.
- Check out the release tag for the version we care about (in this case 7.5.1).
- Set your JAVA_HOME to a distribution of JDK 11 (in my case Zulu 11.0.13).
- Run ./gradlew :distributions-full:binDistributionZip -PfinalRelease
- Compare the Gradle published zip and subprojects/distributions-full/build/distributions/gradle-7.5.1-bin.zip
When doing the comparison I found that everything inside was identical except for 2 jars: lib/fastutil-8.5.2.min.jar and lib/gradle-base-services-7.5.1.jar.
The fastutil jar difference is due to keeping the timestamps in the Minify transform. The gradle-base-services difference is due to the org/gradle/build-receipt.properties file including a build timestamp. If both of these issues get fixed, future versions of Gradle should result in identical zips when comparing the Gradle published binary and a local build of the release commit.
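The comparison step above, as an added example that is not part of the original post or of Gradle's own tooling: a small Python script that diffs two distribution zips entry by entry, descends one level into jars that differ, and separates timestamp-only differences (the fastutil case) from content differences (the build-receipt.properties case). The archive pair produced by build_sample_pair() is constructed sample data standing in for the published zip and the local build, not the real distribution.

```python
# Compare a published Gradle distribution zip with a local build entry by entry,
# descending one level into jars that differ so the offending file gets named.
import hashlib, io, os, tempfile, zipfile

def fingerprints(zf):
    # name -> (sha256 of bytes, entry timestamp); entry mtimes change jar bytes too
    return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
            for i in zf.infolist() if not i.is_dir()}
def diff_archives(a, b, depth=1):
    fa, fb, diffs = fingerprints(a), fingerprints(b), {}
    for name in sorted(set(fa) | set(fb)):
        if name not in fa or name not in fb:
            diffs[name] = "only in first" if name in fa else "only in second"
        elif fa[name] == fb[name]:
            continue
        elif fa[name][0] == fb[name][0]:
            diffs[name] = "timestamp differs"
        elif depth > 0 and name.endswith((".jar", ".zip")):
            with zipfile.ZipFile(io.BytesIO(a.read(name))) as na, \
                 zipfile.ZipFile(io.BytesIO(b.read(name))) as nb:
                diffs[name] = diff_archives(na, nb, depth - 1) or "archive metadata differs"
        else:
            diffs[name] = "content differs"
    return diffs
def compare_distributions(published_zip, local_zip):
    # {} means identical bytes and timestamps at every level inspected
    with zipfile.ZipFile(published_zip) as a, zipfile.ZipFile(local_zip) as b:
        return diff_archives(a, b)
def _jar(entries):
    # constructed in-memory jar from [(name, bytes, date_time)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data, dt in entries:
            z.writestr(zipfile.ZipInfo(name, date_time=dt), data)
    return buf.getvalue()

def build_sample_pair():
    # constructed stand-ins for published zip and local build, with the two differences found above
    t1, t2, d, paths = (2022, 8, 5, 0, 0, 0), (2022, 8, 6, 12, 30, 0), tempfile.mkdtemp(), []
    for stamp, receipt in ((t1, b"buildTimestamp=20220805"), (t2, b"buildTimestamp=20220806")):
        p = os.path.join(d, "gradle-7.5.1-bin-%d.zip" % len(paths))
        with zipfile.ZipFile(p, "w") as z:
            z.writestr(zipfile.ZipInfo("gradle-7.5.1/bin/gradle", date_time=t1), b"#!/bin/sh\n")
            z.writestr(zipfile.ZipInfo("gradle-7.5.1/lib/fastutil-8.5.2.min.jar", date_time=t1),
                       _jar([("it/unimi/dsi/fastutil/X.class", b"\xca\xfe", stamp)]))
            z.writestr(zipfile.ZipInfo("gradle-7.5.1/lib/gradle-base-services-7.5.1.jar", date_time=t1),
                       _jar([("org/gradle/build-receipt.properties", receipt, t1)]))
        paths.append(p)
    return paths[0], paths[1]
```

Running compare_distributions on the real published zip and the local build reports the two jars named above with their entry-level cause; an empty result means the two archives are identical.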
Note, this distribution zip contains more than just the 94 jars that are built from sources in the Gradle GitHub repository. The zip also has 139 jars that the Gradle build grabs off of Maven repositories, and the reproducibility of these is trickier to verify.