How to version control and get reproducible builds incl. exactly the same (transitive) dependencies?

In Welcome to the new Gradle Dependency Cache, Hans Dockter, Gradle Founder says:

A key requirement of an enterprise build system is build reproducibility.

Chapter 52. Dependency Management says:

for example, you could store your jars in an SCM without XML descriptor files and still use transitive dependency management.

So how do I actually do this? In order to be able to reproduce builds in the future, I want to use git to version control all my dependencies (including transitive dependencies), which given the above should be possible. I have this already based on my Stack Overflow question:

repositories {
    if (project.hasProperty("download")) {
        maven {
            url ""
    } else {
        flatDir name: 'localRepository', dirs: 'dependencies'

task copyDependencies(type: Copy) {
   from configurations.compile
   into 'dependencies'

dependencies {
    compile 'junit:junit:4.+'
    compile 'mysql:mysql-connector-java:5.1.6'
    compile 'commons-dbutils:commons-dbutils:1.6'
    // bla bla bla

Then I run:

gradle copyDependencies -Pdownload

Now I have a dependencies folder, but there is no transitive dependency information in it.

Because of that, the classpath generated like this fails, because all the transitive dependency information has been lost:

task writeClasspath {
    println "Creating ${buildDir}/classpath.list"
    new File(buildDir, "classpath.list").text = configurations.runtime.asPath + "\n"

I.e. gradle writeClasspath -Pdownload creates a file containing all dependencies - including transitive dependencies - while gradle writeClasspath (without -Pdownload) only contains the dependencies explicitly listed in build.gradle - excluding transitive dependencies.

So how do I version control my dependencies so that everybody in our team, the build server and the production environment uses exactly the same versions of every single (transitive) dependency? Including e.g. the exact same *-SNAPSHOT versions (same SHA1 sum)? And so that my build system e.g. can create classpaths?

This question that is trying to achieve a similar goal got shot down. How else does one accomplish this?

I’ve heard talk of using Artifactory for something like this… One more single-point-of-failure program to configure, maintain, upgrade, backup. But how does one tag the exact set of dependencies that went into PRODUCT_VERSION_X_Y so it is reproducible a year from now? So I’m not even sure e.g. Artifactory solves our problem.

Doesn’t every enterprise shop need this? How is this commonly accomplished?

We have a goal here to be able to build everything given only a debian CD set and our git repositories.

Are you considering using the Maven plug-in to allow Maven to use the gradle repository instead of reloading and copying?