|
@@ -78,17 +78,19 @@ For updated or newly added dependencies you need to add an entry to this verific
|
|
|
</component>
|
|
|
```
|
|
|
|
|
|
+In case of updating a dependency, ensure to remove the unused entry of the outdated dependency manually from the verifcation.xml file.
|
|
|
+
|
|
|
You can also automate the generation of this entry by running your build using the `--write-verification-metadata` commandline option:
|
|
|
```
|
|
|
>./gradlew --write-verification-metadata sha256 precommit
|
|
|
```
|
|
|
|
|
|
-The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations,
|
|
|
+The `--write-verification-metadata` Gradle option is generally able to resolve reachable configurations,
|
|
|
but we use detached configurations for a certain set of plugins and tasks. Therefore, please ensure you run this option with a task that
|
|
|
uses the changed dependencies. In most cases, `precommit` or `check` are good candidates.
|
|
|
|
|
|
-We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry
|
|
|
-will have the `origin` attribute been set to `Generated by Gradle`.
|
|
|
+We prefer sha256 checksums as md5 and sha1 are not considered safe anymore these days. The generated entry
|
|
|
+will have the `origin` attribute been set to `Generated by Gradle`.
|
|
|
|
|
|
>A manual confirmation of the Gradle generated checksums is currently not mandatory.
|
|
|
>If you want to add a level of verification you can manually confirm the checksum (e.g by looking it up on the website of the library)
|
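Review bot: the added sentence misspells the file name as `verifcation.xml`; use the exact name of the verification file this section refers to, so a contributor searching for it lands on the right file. The wording "ensure to remove the unused entry" would also read better as "make sure you manually remove the now-unused entry of the outdated dependency". The sentence sits directly above the paragraph on `--write-verification-metadata`, so it is worth saying whether the manual cleanup is also needed when the entry is generated that way, since a stale checksum entry left in the file keeps an artifact trusted that the build no longer uses. The other three removed/added pairs (the `--write-verification-metadata` line and the two lines of the sha256 paragraph) are textually identical as shown, which suggests whitespace-only changes; consider dropping them so the patch contains only the new sentence.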