Tech Echo (科技回声)
A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 Tech Echo. All rights reserved.

Adding a SHA1 collision vulnerability test hoses WebKit's source repository

292 points, posted by raingrove over 8 years ago

10 comments

fanf2, over 8 years ago
OK, this is quite a serious vulnerability in Subversion. SVN depends more on raw file SHA1 hashes than git because git prepends a header which prevents raw SHA1 collisions from translating directly into easy svn-style repository corruption.

The reason svn is broken is its "rep-sharing" feature, i.e. file content deduplication. It uses a SQLite database to share the representation of files based on their raw SHA1 checksum - for details see http://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_fs_fs/structure

You can mitigate this vulnerability by setting enable-rep-sharing = false in fsfs.conf - see documentation in that file or in the source at http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/fs_fs.c?revision=1737356&view=markup#l862

This feature was introduced in svn 1.6 released 2009, and made more aggressive in svn 1.8 released 2013 https://subversion.apache.org/docs/release-notes/

SVN exposes the SHA1 checksum as part of its external API, but its deduplication could easily have been built on a more secure foundation. Their decision to double down on SHA1 in 2013 was foolish.
phaemon, over 8 years ago
As mentioned in a previous comment ( https://news.ycombinator.com/item?id=13722469 ) git doesn't see these the same as it hashes the header+content which breaks the identical SHA trick.

Of course, I first tested this on our main production repository at work because...oh, wait, I didn't because *what were you thinking*?!
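The two comments above describe the mechanism from both sides: svn's rep-sharing keys on the checksum of the bare file bytes, so two files with one SHA-1 get one stored representation, while git hashes a "blob <len>\0" header in front of the content, so the same raw collision does not carry over. The following is an added example written for this page, not code from Subversion, git or anyone in the thread. `RepStore`, `find_collision`, the truncated 16-bit `weak_checksum` (used so a real collision can be found offline instead of embedding the SHAttered PDFs) and the file names are hypothetical; the `enable_rep_sharing` flag mirrors the fsfs.conf option fanf2 names, and `git_blob_id` reproduces git's documented blob hashing.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

def raw_sha1(content: bytes) -> str:
    """Checksum of the bare file bytes: what svn rep-sharing keys on."""
    return hashlib.sha1(content).hexdigest()

def git_blob_id(content: bytes) -> str:
    """Git blob id: SHA-1 over the header 'blob <len>\\0' followed by the bytes."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def weak_checksum(content: bytes) -> str:
    """Deliberately truncated stand-in (16 bits of SHA-1) so a real collision can be
    found in a few hundred tries; it drives the same code path the SHAttered PDFs hit."""
    return raw_sha1(content)[:4]

def weak_git_id(content: bytes) -> str:
    """The header-prefixed git hash under the same truncation, for a fair comparison."""
    return git_blob_id(content)[:4]

class ChecksumCollision(Exception):
    """A dedup hit whose stored bytes differ from the bytes being committed."""

@dataclass
class RepStore:
    """Toy content store modelled on the rep-sharing behaviour described in the
    thread (hypothetical; not Subversion's code)."""
    checksum: Callable[[bytes], str] = raw_sha1
    enable_rep_sharing: bool = True   # mirrors fsfs.conf enable-rep-sharing
    verify_on_hit: bool = False       # compare bytes before reusing a representation
    reps: Dict[str, bytes] = field(default_factory=dict)   # rep key -> stored bytes
    files: Dict[str, str] = field(default_factory=dict)    # path -> rep key

    def commit(self, path: str, content: bytes) -> str:
        digest = self.checksum(content)
        # Sharing on: the checksum alone is the key, so any two files that hash alike
        # are treated as the same bytes. Sharing off: every path keeps its own rep.
        key = digest if self.enable_rep_sharing else f"{path}@{digest}"
        if key in self.reps:
            if self.verify_on_hit and self.reps[key] != content:
                raise ChecksumCollision(f"{path}: {digest} already maps to other bytes")
            # Dedup hit: the new file silently points at whatever was stored first.
        else:
            self.reps[key] = content
        self.files[path] = key
        return key

    def read(self, path: str) -> bytes:
        return self.reps[self.files[path]]

def find_collision(checksum: Callable[[bytes], str]) -> Tuple[bytes, bytes]:
    """Deterministic birthday search over constructed inputs for two distinct byte
    strings with equal checksum (cheap only because the checksum is truncated)."""
    seen: Dict[str, bytes] = {}
    i = 0
    while True:
        candidate = b"constructed file %d\n" % i
        digest = checksum(candidate)
        if digest in seen:
            return seen[digest], candidate
        seen[digest] = candidate
        i += 1

def demo() -> Dict[str, bool]:
    a, b = find_collision(weak_checksum)
    results: Dict[str, bool] = {}
    # 1. Sharing on, no verification: the second file reads back as the first one.
    store = RepStore(checksum=weak_checksum)
    store.commit("shattered-1.pdf", a)
    store.commit("shattered-2.pdf", b)
    results["shared_corrupts"] = store.read("shattered-2.pdf") == a
    # 2. Sharing on, bytes compared on a hit: the collision is refused, not committed.
    store = RepStore(checksum=weak_checksum, verify_on_hit=True)
    store.commit("shattered-1.pdf", a)
    try:
        store.commit("shattered-2.pdf", b)
        results["verified_rejects"] = False
    except ChecksumCollision:
        results["verified_rejects"] = True
    # 3. Sharing off (the fsfs.conf mitigation named above): both files stay intact.
    store = RepStore(checksum=weak_checksum, enable_rep_sharing=False)
    store.commit("shattered-1.pdf", a)
    store.commit("shattered-2.pdf", b)
    results["disabled_intact"] = (store.read("shattered-1.pdf") == a
                                  and store.read("shattered-2.pdf") == b)
    # 4. Git's header changes the hashed input, so the raw-content collision does not
    #    carry over (true of the real SHAttered pair; near-certain for this one).
    results["git_header_separates"] = weak_git_id(a) != weak_git_id(b)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The store is the part worth reading: the only difference between the corrupting path and the safe ones is whether the checksum alone decides that two files are the same bytes. Disabling sharing avoids the problem at the cost of deduplication; comparing the stored bytes on a hit keeps deduplication and turns a collision into a rejected commit rather than a silently rewritten file. The git-style variant shows why the header matters: it changes what is hashed, not the hash function.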
jmount, over 8 years ago
(from the link) "For the record: the commits have been deleted, but the SVN is still hosed." That is pretty much my memory of working with SVN. I remember SVN fouling its database a few times. Sure I've broken git a few times, but I am always able to (as Jenny Bryan says) "burn the whole thing down" and take state from another copy of the repository.

I really tried with SVN (wanted something better than CVS) for quite a long time.
lumisota, over 8 years ago
Isn't it the SVN repo that's "hosed", not the Git repo as suggested by the title?
afandian, over 8 years ago
Reminds me of when I worked at an antivirus company. We had to be careful with the EICAR file in test code because it would set off AV alarms. http://www.eicar.org/86-0-Intended-use.html
isp, over 8 years ago
New SVN attack category: denial-of-service by SHA-1 collision.
raziel2p, over 8 years ago
A bit hard for me to tell what happened here, maybe because I don't know anything about SVN. The two PDFs with equal SHA1 hashes were git committed to the repository, but converting that to an SVN commit failed because... SVN can't handle two separate files with the same SHA1 hash?
fapjacks, over 8 years ago
I have to just say here that WebKit is one of the most over-the-top software projects I've ever tried to dig into, in my twenty years of programming. Building it inside a vanilla container was impossible following their directions exactly and required *so much* research on my part to get working. I'm used to a bit of back-and-forth with just about every project, but WebKit was ridiculous. After two workdays of trying, I'd been able to build a WebKit from the source, but at that point had to concede to the universe the futility of trying to build a golang-based Phantom, as my friend and former coworker originally wanted. And that also gave me *mad* respect for Phantom's author and immediately taught me why they do not often incorporate new WebKit versions into the project instead of just pegging to the first one they can get to build.
paulddraper, over 8 years ago
Site is down.
sigjuice, over 8 years ago
This is why a git clone is not a real backup.