Snort mailing list archives

Sig mismatch - something up?


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 18 Apr 2006 10:49:33 -0500

A poster just reported, on the FreeBSD ports list, that the distinfo file for snort has checksums that don't match what's on snort.org right now.

Here's the distinfo file information:

MD5 (snort-2.4.4.tar.gz) = 9dc9060d1f2e248663eceffadfc45e7e
SHA256 (snort-2.4.4.tar.gz) = b9f3e21467a5f6dd827ddb80dc9ac29ea272e4a5633a6a8a583f523a219e00e9
SIZE (snort-2.4.4.tar.gz) = 2825187

This is an md5 checksum of a download that I just did. As you can see, they don't match:

root@utd59514# md5 /home/pauls/Downloads/snort-2.4.4.tar.gz
MD5 (/home/pauls/Downloads/snort-2.4.4.tar.gz) = 37415bc9db02063ce421e3cd3f59c6c8

Here's the md5 checksum file from snort. It matches the downloaded file but *not* the md5 sum from the FreeBSD ports distro:

root@utd59514# less /home/pauls/Downloads/snort-2.4.4.tar.gz.md5
37415bc9db02063ce421e3cd3f59c6c8  snort-2.4.4.tar.gz

And here's a sha256 checksum of the downloaded tarball. It also doesn't match the checksum in the FreeBSD ports distro.

root@utd59514# sha256 /home/pauls/Downloads/snort-2.4.4.tar.gz
SHA256 (/home/pauls/Downloads/snort-2.4.4.tar.gz) = 1f573e5a7e44c94ec509cea05c4345591a4ba76d0d1b25dcfcb0cdc4d3239c6c

The checksums in the distinfo file are created by downloading the tarball and running "make makesum". Then the port maintainer *should* check those checksums against the checksum file on snort.org.

So why do we have a mismatch? Has the snort 2.4.4 tarball been changed recently?

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
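
Added example, not part of the original post and not FreeBSD ports or Snort project code: a small Python comparison of the three sources of truth the message checks by hand (the ports distinfo entries, the upstream .md5 file, and digests measured from the downloaded bytes). The function names are assumptions, the checksum strings are the ones quoted in the post, and the "tarball" bytes are a constructed stand-in.

```python
import hashlib
import re

# BSD style, as in the ports distinfo file: "MD5 (name) = hex", "SIZE (name) = n"
BSD_LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")
# GNU style, as in the upstream .md5 file: "hex  name"
GNU_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(.+)$")

# Values quoted in the post above.
PAGE_DISTINFO = """\
MD5 (snort-2.4.4.tar.gz) = 9dc9060d1f2e248663eceffadfc45e7e
SHA256 (snort-2.4.4.tar.gz) = b9f3e21467a5f6dd827ddb80dc9ac29ea272e4a5633a6a8a583f523a219e00e9
SIZE (snort-2.4.4.tar.gz) = 2825187
"""
PAGE_UPSTREAM_MD5 = "37415bc9db02063ce421e3cd3f59c6c8  snort-2.4.4.tar.gz\n"

def parse_distinfo(text):
    """Return {filename: {"MD5": hex, "SHA256": hex, "SIZE": "n"}}."""
    out = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            out.setdefault(name, {})[algo.upper()] = value.lower()
    return out

def parse_sumfile(text, algo):
    """Return {filename: {algo: hex}} from a GNU-style checksum file."""
    out = {}
    for line in text.splitlines():
        m = GNU_LINE.match(line.strip())
        if m:
            out[m.group(2)] = {algo: m.group(1).lower()}
    return out

def measure(data):
    """Digest the downloaded bytes the same way distinfo records them."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SIZE": str(len(data))}

def mismatches(a, b):
    """Fields recorded by both sources whose values disagree."""
    return sorted(k for k in a if k in b and a[k] != b[k])

if __name__ == "__main__":
    name = "snort-2.4.4.tar.gz"
    ports = parse_distinfo(PAGE_DISTINFO)[name]
    upstream = parse_sumfile(PAGE_UPSTREAM_MD5, "MD5")[name]
    print("ports vs upstream:", mismatches(ports, upstream))
    local = measure(b"constructed stand-in for the tarball bytes")
    print("ports vs local:", mismatches(ports, local))
```

An empty list from `mismatches` means the two sources agree on every field they both record; it says nothing about fields only one side carries, such as SHA256 when the upstream file publishes MD5 alone.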
