On 2025/03/19 22:54, Martin Schröder wrote:
> This is on 7.5:
> 
> > grep + /etc/changelist
> # Files prefixed with a '+' will have their checksums stored,
> +/etc/hostname.*
> +/etc/iked.conf
> +/etc/ipsec.conf
> +/etc/isakmpd/isakmpd.conf
> +/etc/isakmpd/isakmpd.policy
> +/etc/npppd/npppd-users
> +/var/nsd/etc/nsd.conf
> +/etc/radiusd.conf
> +/etc/snmpd.conf

may contain secrets (passwords, PSKs, etc)

> +/etc/iked/private/local.key
> +/etc/isakmpd/private/local.key
> +/etc/soii.key
> +/etc/ssh/ssh_host_ecdsa_key
> +/etc/ssh/ssh_host_ed25519_key
> +/etc/ssh/ssh_host_key
> +/etc/ssh/ssh_host_rsa_key
> +/var/unbound/etc/unbound_control.key
> +/var/unbound/etc/unbound_server.key

do contain secrets, plus although they're text, a diff is not really
meaningful, just knowing that they've changed is usually enough

> +/etc/moduli

not really secret, but again a diff is not that meaningful,
and there's a lot of churn/noise during os version upgrades here

> +/etc/pwd.db
> +/etc/spwd.db

binary

> May I ask why for /etc/hostname.* and several .conf files only checksums
> are stored? The man page of changelist claims this is done for "(generally
> non-text files)". Surely these are normally text files?

commit log for the various entries may give more details - blame
output on https://github.com/openbsd/src/blame/master/etc/changelist
may make it easier to see.

you're free to remove + if you like. I often do for hostname.* at least.