From: "Theo de Raadt"
Subject: Re: Ignore setuid changes for relinked files in security(8)
To: "Todd C. Miller"
Cc: Andrew Hewus Fresh, tech@openbsd.org
Date: Sun, 09 Jun 2024 10:32:30 -0600

Todd C. Miller wrote:

> On Tue, 04 Jun 2024 18:48:12 -0700, Andrew Hewus Fresh wrote:
>
> > Someone (florian@) noticed that security(8) complains every time about
> > ssh-agent changing any time you reboot.
> >
> > This patch stops complaining about setuid files that have an entry in
> > /usr/share/relink and lets folks know that we're ignoring it when it is
> > removed.
>
> Great.
>
> > Suggestions on wording of the message (or if it should exist) welcome.
>
> Personally, I think it should be silent.

Yes, the script should be completely silent about normal things.

> > Are the setuid changes actually useful to check still? Should we remove
> > that whole feature?
>
> It is probably of limited usefulness these days but I guess we
> should still keep it.

I can't make up my mind either. So probably detecting these special cases,
and being silent, is the way to go.