[Snort-sigs] Gripe - Snort "other" downloads not signed/hashed

Joel Esler jesler at ...435...
Thu Aug 23 14:51:43 EDT 2012

On Aug 23, 2012, at 2:36 PM, Nathan <nathan at ...3397...> wrote:

> Respectfully, please consider (strongly consider) signing the downloadable
> packages via GPG or at a minimum providing hashes (MD5/SHA1/SHA256/SHA512?).
> This ensures that the package hasn't been tampered with and is a standard
> practice for just about every piece of code/software out there in the open
> source world.  Not having this, especially from a security provider that is
> hosting downloads "in the cloud", causes concern and doesn't allow one to
> ensure the archive hasn't been tampered with.
> Didn't see any hashes/signatures on
> http://www.snort.org/snort-downloads/additional-downloads/; if I am overlooking
> the obvious, please forgive me and let me know.  Daemonlogger rocks, I just
> want to make sure it's not been tampered with :)

Most of those links are third party, and should link to the project's individual page.  I'll take a look at those that don't do that.

As far as Daemonlogger, we're going to be doing something with that soon.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
