I was building 2019.05.1 and found ntp 4.2.8p13 hash didn't match with upstream. I checked 2020.02rc3 and it has the same hash as 2019.05.1. Then checking upstream ntp I found this. [ ] ntp-4.2.8p13.tar.gz 2020-03-03 19:54 6.7M [ ] ntp-4.2.8p13.tar.gz.md5 2020-03-03 19:54 61 [ ] ntp-4.2.8p13.tar.gz.sha1 2019-03-07 06:18 62 [ ] ntp-4.2.8p13.tar.gz.sha256 2020-03-03 19:54 96 [ ] ntp-4.2.8p13.tar.gz.sha512 2019-03-07 06:18 150 [ ] ntp-4.2.8p14.tar.gz 2020-03-03 20:45 6.7M [ ] ntp-4.2.8p14.tar.gz.md5 2020-03-03 20:45 61 [ ] ntp-4.2.8p14.tar.gz.sha256 2020-03-03 20:45 96 It looks like both 4.2.8p13 and 4.2.8p14 were updated the same day, except for the former's sha1. I can also verify that the 4.2.8p13 tar.gz is larger than my local archive. Not sure what to do with this. Might be someone upstream just updated the archives and messed it up. But I wasn't sure how to report that to the upstream.
I just found the ntp email for possible security issues and emailed them about this as well.
2020.02.x is now using ntp 4.2.8p14, and its hash looks good: ntp-4.2.8p14.tar.gz: OK (md5: 783edaf1d68ddf651bde64eda54a579d) ntp-4.2.8p14.tar.gz: OK (sha256: 1960e4f081f6aafd108d721bc3ab15f9e8dfd08dc08339aa95bca9d2545e4eb7) So, the issue is fixed with the bump to 4.2.8p14.