Team, I wanted to start a discussion around the FAQ (and 1.10 rls. notes) as it pertains to the SHA-1 issue affecting all versions of SVN RE: "Continue the 1.10 alphas?" thread.
1) We should bias towards pro-active mitigation of this issue in docs/code as we know a real solution will likely NOT come with 1.10 after all.
2) Consider patching 1.10 with de-duplication off by default?
3) Remediation of the issue (if affected) should be a different topic? - how to get out of the weeds guide. Published by the group - authoritative, trusted, final. A number of providers of SVN hosting have done their own workarounds and written their own KBs on the topic - I think having a master guide is important.
4) I am sure there are a number of other items this group can append to this dialog from previous discussions on the topic.

>>>>>>>>>>>>>>
General Questions:

- How do I protect my repository against the SHA-1 vulnerability found by Google?

Subversion's use of SHA-1 in how it processes content is subject to hashing collisions as identified by Google (https://shattered.io/). Preventing suspect object commits is the simplest and best way today to protect your repository. Disabling repository sharing is not enough to solve the issue alone as Subversion also uses SHA-1 to de-duplicate retransmission of content to clients for a pristine working copy.

Prevention: Install a pre-commit hook that will reject new instances against known collisions. While this will not guarantee protection from new collisions, we will keep the hook up-to-date as new collisions are publicly released. The hook can be found here:
https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh
<<<<<<<<

Best.

--
Jacek Materna
CTO
Assembla
210-410-7661
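
Added example (not part of the original message, and not the project's reject-known-sha1-collisions.sh): a minimal pre-commit hook of the kind the draft FAQ's "Prevention" paragraph describes, hashing every added or modified file in the transaction and rejecting the commit on a deny-list match. The deny-list path, its one-digest-per-line format and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-commit check that rejects files whose SHA-1 is deny-listed.
# Assumptions (not from the message): deny-list at $REPOS/conf/sha1-denylist,
# one hex SHA-1 of a complete file per line; sha1sum is installed.
SVNLOOK=${SVNLOOK:-svnlook}   # overridable so the check can be exercised offline

sha1_of_stdin() { sha1sum | cut -d' ' -f1; }

# check_txn REPOS TXN DENYLIST: returns 0 if clean, 1 on a match or any error.
check_txn() {
    repos=$1; txn=$2; denylist=$3; rc=0
    # Fail closed: without a readable deny-list nothing can be verified.
    [ -r "$denylist" ] || { echo "deny-list not readable: $denylist" >&2; return 1; }
    list=$(mktemp) || return 1
    "$SVNLOOK" changed -t "$txn" "$repos" > "$list" || { rm -f "$list"; return 1; }
    # Each line of 'svnlook changed' is a 4-column status field, then the path.
    while IFS= read -r line; do
        action=$(printf '%s\n' "$line" | cut -c1)
        p=$(printf '%s\n' "$line" | cut -c5-)
        case $action in D) continue ;; esac   # deleted: no content to hash
        case $p in */) continue ;; esac       # directory entry
        digest=$("$SVNLOOK" cat -t "$txn" "$repos" "$p" | sha1_of_stdin)
        [ -n "$digest" ] || { rc=1; continue; }   # hashing failed: fail closed
        if grep -qixF -- "$digest" "$denylist"; then
            echo "Rejected: '$p' has deny-listed SHA-1 $digest" >&2
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Hook entry point: Subversion calls pre-commit with REPOS and TXN-NAME.
if [ "$#" -ge 2 ]; then
    check_txn "$1" "$2" "$1/conf/sha1-denylist"
    exit $?
fi
```

A deny-list of whole-file digests only catches the exact files already published, which is the limitation the draft itself notes for new collisions.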