sha1dir
Xoring hashes doesn't seem secure
Acknowledging that nobody has made any claims about this being secure, and that the intended use is implicitly on non-hostile data:
I believe that xor-ing together hashes is not secure. For an n-bit hash, all one needs is to find n documents whose hashes are mutually linearly independent, and then we can choose a subset of those to get any xor we want. I'm not sure how hard such a set is to find, but it seems much easier than finding collisions.
The Crypto StackExchange question "How to calculate the hash of an unordered set" recommends:
Dwaine Clarke, Srinivas Devadas, Marten van Dijk, Blaise Gassend, G. Edward Suh, Incremental Multiset Hash Functions and Their Application to Memory Integrity Checking, in proceedings of AsiaCrypt 2013.
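The linear-algebra argument in this issue can be checked with Gaussian elimination over GF(2). The sketch below is an added example, not part of the original issue and not sha1dir's code: the function names, the sample byte strings and the SHA-256 `sorted_digest` contrast are all assumptions made for illustration. With a few more than 160 unrelated inputs, their SHA-1 values span the whole 160-bit space except with negligible probability, so a subset matching any XOR digest can be solved for.

```python
import hashlib

def h(data: bytes) -> int:
    """SHA-1 digest as a 160-bit integer, i.e. a vector over GF(2)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def xor_digest(items) -> int:
    """Order-independent digest built by XOR-ing per-item hashes."""
    acc = 0
    for item in items:
        acc ^= h(item)
    return acc

def sorted_digest(items) -> str:
    """Contrast (assumed design): hash the sorted per-item digests."""
    parts = sorted(hashlib.sha256(i).digest() for i in items)
    return hashlib.sha256(b"".join(parts)).hexdigest()

def find_subset(candidates, target: int):
    """Indices of candidates whose hashes XOR to target, or None."""
    basis = {}  # leading bit -> (reduced vector, bitmask of contributing indices)
    def reduce(vec, mask):
        while vec:
            top = vec.bit_length() - 1
            if top not in basis:
                return vec, mask, top
            bvec, bmask = basis[top]
            vec, mask = vec ^ bvec, mask ^ bmask
        return 0, mask, None
    for i, c in enumerate(candidates):
        vec, mask, top = reduce(h(c), 1 << i)
        if vec:
            basis[top] = (vec, mask)
    vec, mask, _ = reduce(target, 0)
    if vec:
        return None  # target lies outside the span of the candidate hashes
    return [i for i in range(len(candidates)) if mask >> i & 1]

def demo():
    original = [b"file-a", b"file-b", b"file-c"]          # constructed sample set
    candidates = [b"filler-%d" % i for i in range(224)]   # constructed, unrelated
    chosen = find_subset(candidates, xor_digest(original))
    forged = [candidates[i] for i in chosen]
    return original, forged

if __name__ == "__main__":
    original, forged = demo()
    print(len(forged), xor_digest(forged) == xor_digest(original))
    print(sorted_digest(forged) == sorted_digest(original))
```

The two sets share no element yet have the same XOR digest, while the sorted-digest construction tells them apart; that construction is not incremental, which is the property the multiset hash functions in the cited paper are designed to keep.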