To have truly reproducible builds you need to have dependency management for the tools and JDK, not just libraries. That's what the wrapper is about. The wrapper can do hash checks on the downloaded Gradle tool so it should be "safe". Using the Gradle mechanism to run with a specified JDK, and fetch it from a trusted source if it is missing, completes the controlled environment - mostly, I think the JRE running the Gradle daemon is still not properly version controlled.
That said - I always run bleeding-edge Gradle as well ;-)

Scott

On Sun, Aug 7, 2022 at 12:30 AM Laszlo Kishalmi <laszlo.kisha...@gmail.com> wrote:

> Well, really Gradle Wrapper is optional. It seems that the majority of the
> users like that, so we do have Maven Wrapper as well now.
>
> On 8/6/22 19:25, Andreas Reichel wrote:
>
> Thank you for the response.
>
> Looks like I don't need it because I never use Gradle Wrapper and always
> stick with the latest Gradle Version only.
> (I actually wished there was an option to avoid Gradle Wrapper completely,
> there was never a Make or ANT wrapper for good. Downloading random stuff
> from the network outside of the OS' package manager still gives me shivers.)
>
> Cheers
> Andreas
>
> On Sat, 2022-08-06 at 18:52 -0700, Laszlo Kishalmi wrote:
>
> gradle/ folder (not the .gradle) is usually the place to put additional build
> logic, and if nothing else that's where Gradle places its wrapper
> gradle/wrapper/
>
> Make sure you add the gradle/wrapper/gradle-wrapper.jar along with the
> gradle/wrapper/gradle-wrapper.properties file. (Unless some policy
> explicitly states otherwise) Although that is a binary file, that is the Java
> entry point of gradlew and gradlew.bat files. That would download the
> correct Gradle if it is not installed on the system.
>
> On 8/5/22 17:54, Andreas Reichel wrote:
>
> On Fri, 2022-08-05 at 17:52 -0700, Laszlo Kishalmi wrote:
>
> while gradle/ folders
> shall be committed
>
> Laszlo,
>
> thank you for the advice, please care to elaborate. Why should it be there
> when it can be rebuilt on demand? What is the advantage of tracking it and
> the disadvantage of dismissing it?
> Sorry to bother you, I just would like to learn.
>
> Cheers
> Andreas
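
The wrapper hash check mentioned at the top of this message depends on a `distributionSha256Sum` entry in `gradle/wrapper/gradle-wrapper.properties`, next to `distributionUrl`. The Python audit below is an added example, not part of the original thread and not Gradle's own code; the trusted-host list, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the only host this organisation accepts for Gradle distributions.
TRUSTED_HOSTS = {"services.gradle.org"}

def parse_properties(text):
    """Parse the simple key=value subset of .properties used by the wrapper."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        # The wrapper file writes ':' as '\:'; undo that escape.
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def audit_wrapper(text):
    """Return a list of findings for a gradle-wrapper.properties file."""
    props = parse_properties(text)
    findings = []
    url = urlparse(props.get("distributionUrl", ""))
    if url.scheme != "https":
        findings.append("distributionUrl is not https")
    if url.hostname not in TRUSTED_HOSTS:
        findings.append(f"untrusted host: {url.hostname}")
    digest = props.get("distributionSha256Sum", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        findings.append("distributionSha256Sum missing or malformed")
    return findings

def distribution_matches(props_text, archive_bytes):
    """True when the archive's SHA-256 equals the pinned distributionSha256Sum."""
    pinned = parse_properties(props_text).get("distributionSha256Sum", "")
    return hashlib.sha256(archive_bytes).hexdigest() == pinned.lower()

# Constructed sample data: a stand-in "archive" and a properties file pinning it.
FAKE_ARCHIVE = b"constructed stand-in for gradle-x.y-bin.zip"
PINNED = (
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-x.y-bin.zip\n"
    f"distributionSha256Sum={hashlib.sha256(FAKE_ARCHIVE).hexdigest()}\n"
)
UNPINNED = "distributionUrl=http\\://mirror.example/gradle-x.y-bin.zip\n"

if __name__ == "__main__":
    print(audit_wrapper(PINNED))    # no findings
    print(audit_wrapper(UNPINNED))  # scheme, host and missing-hash findings
    print(distribution_matches(PINNED, FAKE_ARCHIVE))
```

Run as a pre-commit or CI step, a check like this fails the build when the committed properties file drops the pinned hash or points at a different download host.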