[Snort-sigs] Gripe - Snort "other" downloads not signed/hashed

Joel Esler jesler at ...435...
Thu Aug 23 14:51:43 EDT 2012


On Aug 23, 2012, at 2:36 PM, Nathan <nathan at ...3397...> wrote:

> Respectfully, please consider (strongly consider) signing the downloadable
> packages via GPG or at a minimum providing hashes (MD5/SHA1/SHA256/SHA512?).
> 
> This ensures that the package hasn't been tampered with and is a standard
> practice for just about every piece of code/software out there in the open
> source world.  Not having this, especially from a security provider that is
> hosting downloads "in the cloud" causes concern and doesn't allow one to
> ensure the archive hasn't been tampered with.
> 
> Didn't see any hashes/signatures on
> http://www.snort.org/snort-downloads/additional-downloads/ if I am overlooking
> the obvious please forgive me and let me know.  Daemonlogger rocks, I just
> want to make sure it's not been tampered with :)

Most of those links are third party, and should link to the project's individual page.  I'll take a look at those that don't do that.

As far as Daemonlogger, we're going to be doing something with that soon.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


