-
Jacques Le Roux authored
I just read an ASF members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 One member mentioned that the Groovy project is using the Gradle's dependency verification feature[1] in the Apache Groovy build. I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer. [1] https://docs.gradle.org/current/userguide/dependency_verification.html This commit includes: The verification-metadata.xml and verification-keyring.gpg used by the verification task *.gpg as binary in .gitattrubtes for verification-keyring.gpg The documentation about the verification in sy-dependency-verification.adoc with a link and some unrelated changes in security.adoc about security for OFBiz in production An empty line removed in build.gradle
c2c609d8