What's inside that Gradle zip?
Gradle makes it quite easy to start a new project with a Gradle wrapper
and the gradle-wrapper.properties file that points to a Gradle distribution
zip:
distributionUrl=https\://services.gradle.org/distributions/gradle-7.5.1-bin.zip
Most people ever interact with this part of their build when they bump a Gradle version, but have you ever peeked inside this zip to see what you are downloading?

In Gradle Security Considerations
I called out that you likely want to set distributionSha256Sum to make sure
you are getting the same zip every time. Gradle is an open-source project,
so we can go one step further - we can validate that the zip is reproducible.
To do that, we follow the following steps:
- Clone Gradle git repository
- Check out the release tag for the version we care about (in this case 7.5.1).
- Set your
JAVA_HOMEto a distribution of JDK 11 (in my caseZulu 11.0.13) ./gradlew :distributions-full:binDistributionZip -PfinalRelease- Compare Gradle published zip and
subprojects/distributions-full/build/distributions/gradle-7.5.1-bin.zip
When doing the comparison I found that everything inside was identical except for
2 jars: lib/fastutil-8.5.2.min.jar and lib/gradle-base-services-7.5.1.jar.
fastutil jar difference is due to keeping the timestamps in the Minify transform.
gradle-base-services difference is due to org/gradle/build-receipt.properties
file including a build timestamp. If both of these issues get fixed, future
versions of Gradle should result into identical zips when comparing Gradle published binary
and a local build of the release commit.
Note, this distribution zip contains more than just 94 jars that are built from sources in the Gradle GitHub repository. This zip also has 139 jars that Gradle build grabs off of maven repositories and the reproducibility of these is more tricky to verify.