On 5/11/21 5:24 AM, Jeanette Winzenburg wrote:
deleting the caches did work, at last ;)
That's also what I had to do after similar errors. I thought there might be some bumps in the road when I proposed adding the Gradle dependency verification, but I hope we can retain enough of it to make the builds safer than before.
If we notice that the POM files are changing (without updating their versions), Kevin's idea of removing the POM entries should help. Even the Gradle documentation anticipates some problems, saying "It means that you will be tempted to switch it off." [1]
The more I learn Gradle, the less likely I am to choose it for my own projects, but it is far ahead of Maven, for example, in protecting against supply-chain attacks. For Maven, this feature is still just a couple of old bug reports:
Extend the Project Object Model (POM) with trust information (OpenPGP, hash values)
https://issues.apache.org/jira/browse/MNG-6026

Switch the default checksum policy from "warn" to "fail"
https://issues.apache.org/jira/browse/MNG-5728

John

[1] https://docs.gradle.org/current/userguide/dependency_verification.html
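As an added illustration (not from this thread or the project's own build), the two Gradle settings below are the ones that match the "remove the POM entries" idea: the jar checksums stay enforced while a POM that changes under a fixed version no longer fails the build. The group, name, version and checksum values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml (placeholder values, assumed layout) -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
   <configuration>
      <!-- Option A: stop checking POM/module metadata files entirely.
           Jar checksums are still verified. -->
      <verify-metadata>false</verify-metadata>
      <verify-signatures>false</verify-signatures>

      <!-- Option B (narrower): keep verify-metadata=true above and instead
           exempt only the POM files of the one dependency that keeps changing.
           Leave this block out if you chose Option A. -->
      <trusted-artifacts>
         <trust group="com.example" name="unstable-pom-lib"
                file=".*\.pom" regex="true"/>
      </trusted-artifacts>
   </configuration>

   <components>
      <!-- The jar entry stays; Gradle fails the build if its sha256 changes.
           Without a <artifact ...pom> entry and with the exemption above,
           a silently republished POM no longer breaks the build. -->
      <component group="com.example" name="unstable-pom-lib" version="1.2.3">
         <artifact name="unstable-pom-lib-1.2.3.jar">
            <sha256 value="PLACEHOLDER_SHA256_OF_JAR"
                    origin="Generated by Gradle, verified against a trusted mirror"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Regenerate the checksums with `./gradlew --write-verification-metadata sha256` after editing, and diff the result before committing so an unexpected checksum change is reviewed rather than accepted.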