Publish SHA Checksum for gradle distributions

(Oliver Becker) #1

The Gradle wrapper allows the configuration of a SHA-256 hash for verifying an automatically downloaded Gradle distribution.

However, this hash apparently has to be computed by the user. So if I download an already infected distribution and compute the hash myself, the security checksum would be useless.

I wonder why you don’t publish checksums for your distributions on your releases page.

Thanks, Oliver

(Pepper Lebeck-Jobe) #2

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.
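
As an added example (not part of the thread and not Gradle's own code), here is a check that ties three values together: the `distributionSha256Sum` pinned in `gradle-wrapper.properties`, the checksum copied from the release page, and the hash of the archive actually downloaded. The function names, result strings and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_wrapper_properties(text):
    """Parse key=value lines of gradle-wrapper.properties (simplified: '=' only)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        # .properties files escape ':' as '\:' inside URLs.
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_distribution(props_text, dist_path, published_sum):
    """published_sum must come from the release page, never from hashing the download."""
    pinned = parse_wrapper_properties(props_text).get("distributionSha256Sum", "").lower()
    published = published_sum.strip().lower()
    if not pinned:
        return "unpinned"                      # wrapper would download without verifying
    if not SHA256_RE.match(pinned) or not SHA256_RE.match(published):
        return "malformed"
    if not hmac.compare_digest(pinned, published):
        return "pin-differs-from-published"    # pin was not taken from the release page
    if not hmac.compare_digest(sha256_file(dist_path), published):
        return "download-mismatch"             # archive is not the published one
    return "ok"

if __name__ == "__main__":
    archive = b"constructed stand-in for a distribution zip"   # constructed sample
    published = hashlib.sha256(archive).hexdigest()            # stands in for the release-page value
    props = ("distributionUrl=https\\://example.invalid/gradle-X.Y-bin.zip\n"
             "distributionSha256Sum=" + published + "\n")
    fd, path = tempfile.mkstemp()
    os.write(fd, archive)
    os.close(fd)
    print(check_distribution(props, path, published))
    os.remove(path)
```

A `pin-differs-from-published` result is the case raised in the first post: a pin computed from the user's own download gives no assurance unless it also matches the independently published value.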