Subversion 1.9.6 — Security and Performance for the Enterprise

Jacek Materna
Jul 6, 2017 · 4 min read


The last stable release of Subversion (1.9.5) was November 29th, 2016. Millions of Subversion users in enterprises, game studios and governments alike have been patiently waiting for the next large release, aka "1.10", which will bring with it a slew of fixes around conflict resolution and the like. That release is still in beta, and now is your chance to get involved by testing it!

A number of smaller issues remain in the queue to be resolved before 1.10 can happen, but there is light at the end of the tunnel! In my opinion the Subversion community benefits greatly from releasing small wins often; the momentum around frequent iterative releases is a staple of the SaaS space, and I believe Subversion may finally adopt this model.

So today brings 1.9.6, an interim release with good incremental features while the larger future improvements are finished. Namely, the release targets:

  • Merging performance
  • SHA-1 collision vulnerability
  • Bug fixes

“Release 1.9.6 brings a substantial reduction in client memory usage when merging with very large amounts of mergeinfo, potentially allowing a merge to complete when it would previously have run out of memory. It’s great to see a release out from the community in less than 12 months, which sets us up nicely for follow-on releases such as 1.10 and beyond!” — Julian Foad (SVN Community Developer)

I agree; the merging code is overly zealous in using a client's RAM when dealing with a “branch-heavy” tree. Merging is already top of mind for users, and this is a great step forward in optimizing the merge process for speed and resource efficiency. Details on the dialog can be found here.

On a related note, in my spare time I have been auditing the security side of the codebase, contributing [extremely lightly] around the SHA-1 collision dialog. Unlike Git, SVN was caught off guard by its reliance on SHA-1 as a hashing algorithm in multiple places in the code. A practical SHA-1 collision (SHAttered) was published by Google and CWI Amsterdam in February 2017. The concrete problem for Subversion is that the FSFS backend's rep-cache deduplicates stored file representations by their SHA-1 checksum: commit two different files with the same SHA-1 and, without a fix, the second one silently reads back as the first. Simply switching to SHA-2 is not really a solution either; rather, the code's underlying assumption that a hash digest uniquely identifies content must be revised at the system level to get a guaranteed future-proof solution.

While we wait, 1.9.6 has back-ported the trunk SHA-1 fix so that the system is collision safe moving forward (1.8.18 has it too and will be GA in the next few days for 1.8 users). This is a great step, and while the full fix is still being discussed, this protects Subversion users moving forward!
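To make the failure mode concrete, here is an added illustrative model of a store that deduplicates representations by digest, the way the FSFS rep-cache does, written for this post; it is my own example, not Subversion's FSFS code. It assumes a truncated 16-bit SHA-1 as a stand-in for a broken hash so that a collision can be brute-forced in milliseconds (the shattered.io collision took enormous compute, but the consequence is identical), and the "compare the bytes before sharing on a digest hit" behaviour is an assumed model of what the r1785737 changelog entry below calls making consistency independent of hash algorithms. All inputs are constructed.

```python
"""Hash-only deduplication under a collision, and the content-verified fix.

Illustrative model only: NOT Subversion's FSFS code.
"""
import hashlib
import itertools


def weak_digest(data: bytes) -> str:
    # Assumption: the first 16 bits of SHA-1 stand in for a broken hash
    # function so a collision is cheap to find. The store below never
    # looks at anything but this digest, exactly like a rep-cache keyed
    # on a checksum.
    return hashlib.sha1(data).hexdigest()[:4]


def find_collision():
    """Brute-force two different byte strings with the same weak_digest."""
    seen = {}
    for n in itertools.count():
        data = b"constructed-file-%d" % n   # constructed sample content
        digest = weak_digest(data)
        if digest in seen:                 # a different string hashed here first
            return seen[digest], data
        seen[digest] = data


class DedupStore:
    """Stores 'representations' and shares one rep for equal content.

    verify_contents=False: share purely on digest match (the pre-fix
                           assumption that the hash uniquely identifies content).
    verify_contents=True : on a digest hit, compare the stored bytes with the
                           new bytes and share only if identical (assumed model
                           of the 1.9.6 approach).
    """

    def __init__(self, verify_contents: bool):
        self.verify_contents = verify_contents
        self.reps = []        # rep_id -> stored bytes
        self.rep_cache = {}   # digest -> rep_id, analogue of rep-cache.db

    def commit(self, data: bytes) -> int:
        digest = weak_digest(data)
        cached = self.rep_cache.get(digest)
        if cached is not None:
            if not self.verify_contents or self.reps[cached] == data:
                return cached   # share the existing representation
            # Digest matches but bytes differ: a collision. Fall through and
            # store the new content as its own representation.
        self.reps.append(data)
        rep_id = len(self.reps) - 1
        self.rep_cache.setdefault(digest, rep_id)  # first rep for a digest wins
        return rep_id

    def read(self, rep_id: int) -> bytes:
        return self.reps[rep_id]


def demo() -> dict:
    a, b = find_collision()

    naive = DedupStore(verify_contents=False)
    naive_a, naive_b = naive.commit(a), naive.commit(b)

    safe = DedupStore(verify_contents=True)
    safe_a, safe_b = safe.commit(a), safe.commit(b)

    return {
        "collide": a != b and weak_digest(a) == weak_digest(b),
        # Naive store hands back a's bytes when b is read: silent corruption.
        "naive_corrupted": naive_a == naive_b and naive.read(naive_b) != b,
        # Hardened store keeps both, and still dedups genuinely identical data.
        "safe_intact": (safe_a != safe_b and safe.read(safe_b) == b
                        and safe.commit(a) == safe_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened variant is that a digest match is treated as a hint that content may be shareable, never as proof; the cost is one full-content comparison per rep-cache hit, which is what buys independence from the strength of the hash.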

All SVN users should upgrade as soon as possible.

The official changelog is below, and the code is publicly available. Assembla is doing final QA on 1.9.6 right now to ensure it's rock-solid for our production servers, so our customers have the latest and greatest Subversion experience. Expect an announcement on it very soon.

So, here is the changelog.

1.9.6 Changelog

User-visible changes:
 - Client-side bugfixes:
   * cp/mv: improve error message when target is an unversioned dir (r1779948)
   * merge: reduce memory usage with large amounts of mergeinfo (issue #4667) <<< Super important feature

 - Server-side bugfixes:
   * 'svnadmin freeze': document the purpose more clearly (r1774109)
   * dump: fix segfault when a revision has no revprops (r1781507)
   * fsfs: improve error message upon failure to open rep-cache (r1781655)
   * fsfs: never attempt to share directory representations (r1785053)
   * fsfs: make consistency independent of hash algorithms (r1785737 et al)
     This change makes Subversion resilient to collision attacks, including
     SHA-1 collision attacks such as <http://shattered.io/>. See also our
     documentation at <https://subversion.apache.org/faq#shattered-sha1> and
     <https://subversion.apache.org/docs/release-notes/1.9#shattered-sha1> <<< Super important feature

 - Client-side and server-side bugfixes:
   * work around an APR bug related to file truncation (r1759116)

 - Bindings bugfixes:
   * javahl: follow redirects when opening a connection (r1667738, r1796720)

Developer-visible changes:
 - General:
   * win_tests.py: make the --bin option work, rather than abort (r1706432)
     (regression introduced in 1.9.2)
   * windows: support building with 'zlibstat.lib' in install-layout (r1783704)

API changes:
   (none)

All users should upgrade, and I can assure you the SVN community is actively working on getting 1.10 out the door.

More future goodies are on the roadmap for SVN as well. Stay tuned for updates on SVN, Assembla and the future of VCS for the enterprise by following me here or on Twitter.

Happy SVN-ing!
