From owner-freebsd-security@FreeBSD.ORG  Sun Jan 25 01:48:10 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 4D3CE402
 for <freebsd-security@freebsd.org>; Sun, 25 Jan 2015 01:48:10 +0000 (UTC)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id 0E89DE2B
 for <freebsd-security@freebsd.org>; Sun, 25 Jan 2015 01:48:09 +0000 (UTC)
Received: from nine.des.no (smtp.des.no [194.63.250.102])
 by smtp-int.des.no (Postfix) with ESMTP id 5E7AE466F;
 Sun, 25 Jan 2015 01:48:03 +0000 (UTC)
Received: by nine.des.no (Postfix, from userid 1001)
 id 76ED913C14; Sun, 25 Jan 2015 02:47:12 +0100 (CET)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Garrett Wollman <wollman@csail.mit.edu>
Subject: Re: Strange package checksum report
References: <21698.32224.747971.146491@khavrinen.csail.mit.edu>
Date: Sun, 25 Jan 2015 02:47:12 +0100
In-Reply-To: <21698.32224.747971.146491@khavrinen.csail.mit.edu> (Garrett
 Wollman's message of "Fri, 23 Jan 2015 11:59:12 -0500")
Message-ID: <868ugrr5r3.fsf@nine.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jan 2015 01:48:10 -0000

Garrett Wollman <wollman@csail.mit.edu> writes:
> Checking for packages with mismatched checksums:
> p5-XML-SAX-0.99_2: /usr/local/lib/perl5/site_perl/XML/SAX/ParserDetails.i=
ni

This file is updated whenever you install or remove a SAX parser, so
this is expected.  There are at least half a dozen different Perl SAX
implementations in the ports tree.

> python27-2.7.9: /usr/local/lib/python2.7/UserDict.pyc
> python27-2.7.9: /usr/local/lib/python2.7/_weakrefset.pyc
> python27-2.7.9: /usr/local/lib/python2.7/abc.pyc
> python27-2.7.9: /usr/local/lib/python2.7/codecs.pyc
> python27-2.7.9: /usr/local/lib/python2.7/copy_reg.pyc
> python27-2.7.9: /usr/local/lib/python2.7/encodings/__init__.pyc
> [ a bunch of other .pyc files elided ]

These are Pyhon bytecode files. They are automatically regenerated if
you have write access to them and Python thinks they are stale when it
tries to load them.  Apparently, Python's definition of "stale" is
slightly more complex than just comparing timestamps; they are one of
the reasons why Baptiste gave up reproducible package builds.

Is your clock synchronized with NTP?  Is this a VM?  What is the
underlying filesystem?

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no