Closes #40163 (closed)
A pom file of hosted third-party dependencies may be modified at any time after publication. These files contain metadata about a version of a repository. We avoid computing and verifying the hash of downloaded .pom files that are listed in a project's gradle-dependencies-list.txt because they change unpredictably. This should be safe while the .pom file is not modified in such a way that it is rejected by gradle and while we still check the hash of non-.pom files.