So our current /etc/mtree/special file says:

./etc/ipsec.conf                type=file mode=0644 optional

If there are actual keys in this file (a bad idea, I know, because you
should be using racoon, but still), there are two problems here:

1. You don't get warned when your keys are world-readable.

2. Your keys are mailed out in cleartext, possibly over the Internet,
depending on where your root mail is forwarded.

(I found it rather ironic that it was a script named /etc/security that
exposed my keys to the world.)

Anyway, if there are no objections, I will change this to:

./etc/ipsec.conf                type=file mode=0600 optional tags=nodiff

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC