
[PATCH] 1.10 Release notes and FAQ around SHA-1

From: Jacek Materna <jacek_at_assembla.com>
Date: Mon, 8 May 2017 10:46:39 +0200

Team,

I wanted to start a discussion around the FAQ (and 1.10 rls. notes) as it
pertains to the SHA-1 issue affecting all versions of SVN RE: "Continue the
1.10 alphas?" thread.

1) We should bias towards pro-active mitigation of this issue in docs/code
as we know a real solution will likely NOT come with 1.10 after all.

2) Consider patching 1.10 with de-duplication off by default?

3) Remediation of the issue (if affected) should be a different topic? -
a "how to get out of the weeds" guide, published by the group: authoritative,
trusted, final. A number of providers of SVN hosting have done their own
workarounds and written their own KBs on the topic - I think having a
master guide is important.

4) I am sure there are a number of other items this group can append to
this dialog from previous discussions on the topic.

>>>>>>>>>>>>>>
General Questions:
 - How do I protect my repository against the SHA-1 vulnerability found by
Google?

Subversion's use of SHA-1 in how it processes content is subject to hashing
collisions as identified by Google (https://shattered.io/). Preventing
suspect object commits is the simplest and best way today to protect your
repository. Disabling repository sharing is not enough to solve the issue
alone as Subversion also uses SHA-1 to de-duplicate retransmission of
content to clients for a pristine working copy.

Prevention:

Install a pre-commit hook that will reject new instances against known
collisions. While this will not guarantee protection from new collisions,
we will keep the hook up to date as new collisions are publicly released.

The hook can be found here:
https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh
<<<<<<<<

Best.

-- 
Jacek Materna
CTO
Assembla
210-410-7661
Received on 2017-05-08 10:46:52 CEST
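An added example, not the hook script linked in the mail and not Subversion project code: a minimal POSIX sh pre-commit hook in the same spirit, which hashes every file added or updated in the transaction with SHA-1 and rejects the commit on a match against a local deny-list. The entry in KNOWN_COLLISIONS is a constructed placeholder (the SHA-1 of the string "hello"), not a real collision value, and svnlook is assumed to be on PATH when the script runs as a hook.

```shell
#!/bin/sh
# Added example pre-commit hook (not the project's reject-known-sha1-collisions.sh).
# Subversion invokes pre-commit hooks as: pre-commit REPOS-PATH TXN-NAME
# Assumes svnlook is on PATH when run as a hook.

# Constructed placeholder deny-list: the SHA-1 of the string "hello".
# In a real deployment this holds the hashes of published collision blocks.
KNOWN_COLLISIONS="
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
"

# Print the lowercase hex SHA-1 of stdin (sha1sum on Linux, shasum on macOS).
sha1_of_stream() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi |
        cut -d' ' -f1
}

# Exit status 0 if $1 is on the deny-list, 1 otherwise.
is_known_collision() {
    for known in $KNOWN_COLLISIONS; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# Hash every file added or content-updated in transaction $2 of repository $1.
# Returns non-zero on the first match; the stderr message is shown to the client.
check_txn() {
    repos="$1"; txn="$2"
    svnlook changed -t "$txn" "$repos" | while read -r status path; do
        case "$status" in A|U|UU) ;; *) continue ;; esac   # skip D and _U (prop-only)
        case "$path" in */) continue ;; esac               # skip directories
        h=$(svnlook cat -t "$txn" "$repos" "$path" | sha1_of_stream)
        if is_known_collision "$h"; then
            echo "Commit rejected: $path matches a known SHA-1 collision ($h)" >&2
            exit 1   # leaves the subshell loop; the pipeline then returns 1
        fi
    done
}

# Only act as a hook when Subversion supplies both arguments.
if [ "$#" -eq 2 ]; then
    check_txn "$1" "$2" || exit 1
fi
```

Because the loop runs in a pipeline subshell, the match is reported through the pipeline's exit status rather than a variable set inside the loop.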

This is an archived mail posted to the Subversion Dev mailing list.
