Gradle makes it quite easy to start a new project with a Gradle wrapper, which includes a gradle-wrapper.properties file that points to a Gradle distribution zip.
Most people only ever interact with this part of their build when they bump the Gradle version, but have you ever peeked inside that zip to see what you are actually downloading?
In Gradle Security Considerations I called out that you likely want to set distributionSha256Sum to make sure you are getting the same zip every time. Gradle is an open-source project, so we can go one step further: we can verify that the zip is reproducible.
To do that, we follow these steps:
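Before checking reproducibility it is worth confirming that the pin in gradle-wrapper.properties actually matches the zip you have. The script below is an added example, not code from the post or from Gradle itself: it parses the properties file (undoing the `https\://` escape the wrapper task writes), fails closed when distributionSha256Sum is missing or malformed, and compares the pinned digest against the SHA-256 of the zip bytes. EXAMPLE_ZIP is a constructed placeholder, not a real distribution.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded distribution zip (not a real Gradle zip).
EXAMPLE_ZIP = b"PK\x03\x04 constructed stand-in for gradle-7.5.1-bin.zip"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_wrapper_properties(text: str) -> dict:
    """Minimal parser for gradle-wrapper.properties.

    The wrapper writes the URL with an escaped colon (https\\://...), so the
    escape is undone here; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def verify_distribution(properties_text: str, zip_bytes: bytes) -> bool:
    """Return True only if zip_bytes matches the pinned distributionSha256Sum.

    A missing or malformed pin fails closed: an unpinned wrapper accepts
    whatever distributionUrl happens to serve, which is exactly what the pin
    exists to prevent."""
    pin = parse_wrapper_properties(properties_text).get("distributionSha256Sum", "").lower()
    if len(pin) != 64 or any(c not in "0123456789abcdef" for c in pin):
        return False
    return hmac.compare_digest(pin, sha256_hex(zip_bytes))


def example_properties(pin: str) -> str:
    """gradle-wrapper.properties as the wrapper task writes it, with the given
    pin (or no distributionSha256Sum line at all when pin is empty)."""
    lines = [
        "distributionBase=GRADLE_USER_HOME",
        "distributionPath=wrapper/dists",
        "distributionUrl=https\\://services.gradle.org/distributions/gradle-7.5.1-bin.zip",
        "zipStoreBase=GRADLE_USER_HOME",
        "zipStorePath=wrapper/dists",
    ]
    if pin:
        lines.insert(3, "distributionSha256Sum=" + pin)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pinned = example_properties(sha256_hex(EXAMPLE_ZIP))
    print("pinned zip verifies:", verify_distribution(pinned, EXAMPLE_ZIP))
    print("tampered zip verifies:", verify_distribution(pinned, EXAMPLE_ZIP + b"\x00"))
    print("no pin verifies:", verify_distribution(example_properties(""), EXAMPLE_ZIP))
```

The wrapper itself checks the pin when it downloads the distribution; a script like this is for auditing what is already cached under distributionPath inside GRADLE_USER_HOME (wrapper/dists by default), or a zip served from an internal mirror, without re-running the wrapper.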
- Clone the Gradle git repository.
- Check out the release tag for the version you care about (in this case 7.5.1).
- Set your JAVA_HOME to a distribution of JDK 11 (in my case
- Run ./gradlew :distributions-full:binDistributionZip -PfinalRelease
- Compare the Gradle published zip and your local build.
When doing the comparison I found that everything inside was identical except for the following:
- The fastutil jar difference is due to keeping the timestamps in the
- The gradle-base-services difference is due to a file including a build timestamp.
If both of these issues get fixed, future versions of Gradle should produce identical zips when comparing the Gradle published binary with a local build of the release commit.
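The comparison step above, and the two kinds of difference it turned up, can be automated. The script below is an added example, not code from the post or from the Gradle project: it walks both distribution zips entry by entry, and for any nested jar whose bytes differ it hashes the members' contents so that a jar differing only in zip metadata (entry timestamps) is reported separately from one whose member content changed. The demo builds constructed stand-ins for the published and local zips; the jar and file names in it (including release-info.properties standing in for the timestamped file) are hypothetical.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class EntryDiff:
    """Result for one entry of the outer distribution zip."""
    status: str                 # identical | metadata-only | content | only-in-published | only-in-local
    inner: list = field(default_factory=list)   # differing members of a nested jar, when status == "content"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _member_digests(jar_bytes: bytes) -> dict:
    """sha256 of every member's content, ignoring zip metadata such as timestamps."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: _sha256(zf.read(i)) for i in zf.infolist() if not i.is_dir()}


def compare_distributions(published: bytes, local: bytes) -> dict:
    """Compare two distribution zips entry by entry.

    Byte-identical entries are "identical". For a nested jar whose bytes differ
    we look inside: if every member's content still matches, only zip metadata
    (entry timestamps, ordering, compression) differs -> "metadata-only";
    otherwise -> "content", with the differing members listed in `inner`.
    Non-jar entries that differ are reported as "content" without further detail.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(published)) as pub, zipfile.ZipFile(io.BytesIO(local)) as loc:
        pub_names = {i.filename for i in pub.infolist() if not i.is_dir()}
        loc_names = {i.filename for i in loc.infolist() if not i.is_dir()}
        for name in pub_names - loc_names:
            result[name] = EntryDiff("only-in-published")
        for name in loc_names - pub_names:
            result[name] = EntryDiff("only-in-local")
        for name in pub_names & loc_names:
            a, b = pub.read(name), loc.read(name)
            if a == b:
                result[name] = EntryDiff("identical")
            elif not name.endswith(".jar"):
                result[name] = EntryDiff("content")
            else:
                da, db = _member_digests(a), _member_digests(b)
                changed = {m for m in da.keys() & db.keys() if da[m] != db[m]}
                inner = sorted((da.keys() ^ db.keys()) | changed)
                result[name] = EntryDiff("content" if inner else "metadata-only", inner)
    return result


def _jar(members: dict, date_time=(1980, 1, 1, 0, 0, 0)) -> bytes:
    """Build a small zip/jar in memory with a fixed timestamp on every member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time), data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed stand-ins for the published zip and a local build; names are hypothetical."""
    core = _jar({"org/gradle/Core.class": b"\xca\xfe\xba\xbe identical bytes"})
    fastutil_members = {"it/unimi/dsi/fastutil/X.class": b"same content"}
    published = _jar({
        "gradle-7.5.1/LICENSE": b"Apache-2.0",
        "gradle-7.5.1/lib/gradle-core.jar": core,
        # same member content, different entry timestamps -> metadata-only
        "gradle-7.5.1/lib/fastutil.jar": _jar(fastutil_members, (2022, 8, 5, 12, 0, 0)),
        # one member carries a build timestamp -> content difference
        "gradle-7.5.1/lib/gradle-base-services.jar": _jar({
            "org/gradle/Base.class": b"same content",
            "release-info.properties": b"buildTimestamp=20220805120000+0000\n",
        }),
    })
    local = _jar({
        "gradle-7.5.1/LICENSE": b"Apache-2.0",
        "gradle-7.5.1/lib/gradle-core.jar": core,
        "gradle-7.5.1/lib/fastutil.jar": _jar(fastutil_members, (2022, 9, 1, 8, 30, 0)),
        "gradle-7.5.1/lib/gradle-base-services.jar": _jar({
            "org/gradle/Base.class": b"same content",
            "release-info.properties": b"buildTimestamp=20220901083000+0000\n",
        }),
    })
    return compare_distributions(published, local)


if __name__ == "__main__":
    for name, d in sorted(demo().items()):
        print(f"{d.status:18} {name}" + (f"  {d.inner}" if d.inner else ""))
```

To run it against real artifacts, read the published zip and the zip produced by the binDistributionZip task into bytes and pass them to compare_distributions; a "metadata-only" verdict means the jar would be reproducible once the timestamps are normalised, while "content" points at the exact member to inspect.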
Note that this distribution zip contains more than just the 94 jars built from sources in the Gradle GitHub repository. It also has 139 jars that the Gradle build pulls from Maven repositories, and the reproducibility of those is trickier to verify.