
From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: changlist: add apmd(8) hooks
To: "Kirill A. Korinsky" <kirill@korins.ky>, Klemens Nanni <kn@openbsd.org>
Cc: <tech@openbsd.org>, Tobias Heider <tobhe@openbsd.org>
Date: Sat, 24 May 2025 11:20:58 +0100

Agreed. It would be unusual for these files to be binaries, and if they are 
and the user doesn't like security(8) results when the files change, they 
can always add + themselves.

This is ok sthen if the +s are removed.

-- 
  Sent from a phone, apologies for poor formatting.
On 24 May 2025 10:59:02 Kirill A. Korinsky <kirill@korins.ky> wrote:

> On Sat, 24 May 2025 05:15:24 +0200,
> Klemens Nanni <kn@openbsd.org> wrote:
>>
>> 27.04.2023 14:16, Klemens Nanni wrote:
>>> On Thu, Apr 27, 2023 at 10:53:03AM +0000, Klemens Nanni wrote:
>>>> Would be nice to record changes to critical scripts run on state changes
>>>> and have modifications recorded through security(8).
>>>>
>>>> Feedback? Objection? OK?
>>>
>>> This gets ugly if you use binary files instead of scripts, so we'd either
>>> want their hashes or not handle them at all.
>>
>> Still in my tree, now there's /etc/apm/warnlow, too.
>>
>> These run as root and need no further config, so placing new files in /etc/apm/
>> is all you need;  better track changes.
>>
>> Feedback? OK?
>
> Are you sure that + here is worth it?
>
>> Index: changelist
>> ===================================================================
>> RCS file: /cvs/src/etc/changelist,v
>> diff -u -p -r1.141 changelist
>> --- changelist 13 Apr 2025 20:04:02 -0000 1.141
>> +++ changelist 22 May 2025 05:48:40 -0000
>> @@ -11,6 +11,13 @@
>> /etc/acme-client.conf
>> /etc/adduser.conf
>> /etc/adduser.message
>> ++/etc/apm/hibernate
>> ++/etc/apm/powerdown
>> ++/etc/apm/powerup
>> ++/etc/apm/resume
>> ++/etc/apm/standby
>> ++/etc/apm/suspend
>> ++/etc/apm/warnlow
>> /etc/bgpd.conf
>> /etc/boot.conf
>> /etc/bootparams
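Review bot: the leading + on each of the seven new /etc/apm/ entries (the lines reading ++/etc/apm/...) is the point to settle before commit. The earlier concern in this thread was binary hooks, where only hashes make sense, but these hooks are normally scripts that run as root, so plain entries such as /etc/apm/suspend without the + would let security(8) report the actual content change rather than only a checksum change. Suggest dropping the + from all seven lines; an admin who installs binary hooks can add it locally.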
>
> --
> wbr, Kirill