Add dependency verification description to ReadMe.md

ReadMe.md

@@ -147,6 +147,27 @@ From this root project there are Run/Debug Configurations for running `IDEA` or
 * Run the `IDEA` run configuration in the project
 * A child IntelliJ IDEA with the Kotlin plugin will then startup
 
+### Dependency verification
+
+We have a [dependencies verification](https://docs.gradle.org/current/userguide/dependency_verification.html) feature enabled in the
+repository for all Gradle builds. Gradle will check hashes (md5 and sha256) of used dependencies and will fail builds with
+`Dependency verification failed` errors when local artifacts are absent or have different hashes listed in the
+[verification-metadata.xml](https://github.com/JetBrains/kotlin/blob/master/gradle/verification-metadata.xml) file.
+
+It's expected that `verification-metadata.xml` should only be updated with the commits that modify the build. There are some tips how
+to perform such updates:
+
+- Use auto-generation for getting an initial list of new hashes (verify updates relate to you changes).
+
+`./gradlew -M sha256,md5 help`
+
+*(any other task may be used instead of `help`)*
+
+- Consider removing old versions from the file if you are updating dependencies.
+- Leave meaningful `origin` attribute (instead of `Generated by Gradle`) if you did some manual verification of the artifact.
+- Always do manual verification if several hashes are needed and a new `also-trust` tag has to be added.
+- If you’re adding a dependency with OS mentioning in an artifact name (`darwin`, `mac`, `osx`, `linux`, `windows`), remember to add 
+  counterparts for other platforms.
 
 # License
 Kotlin is distributed under the terms of the Apache License (Version 2.0). See [license folder](license/README.md) for details.