OK, first, the disclaimer: I am sorry if that is not a securuty-related bug, i.e. everything is normal, but it might be.

At present emerge-ing bash-3.1_p11 fails:
...
>>> md5 src_uri ;-) bash31-007
>>> md5 src_uri ;-) bash31-008
>>> md5 src_uri ;-) bash31-009

!!! Digest verification Failed:
!!!    /usr/portage-distfiles/bash31-010
!!! Reason: Failed on MD5 verification

Looking at the URL, there a two files bash31-010 and bash31-010.orig
They seem binary equivalent, but their respected .sig files are different (that is normal, AFAIK).

I checked the siganures from that URL and they seem valid:

gpg --verify bash31-010.sig 
gpg: Signature made Mon Feb 20 22:23:05 2006 JST using DSA key ID 64EA74AB
gpg: Good signature from "Chet Ramey <chet@cwru.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C01 35FB 088A AF6C 66C6  50B9 BB58 69F0 64EA 74AB

So is it just a glitch in out mirrors?
(no idea when is MD5 generated)