Subject: Re: OpenBSD
To: Perry E. Metzger <perry@piermont.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: current-users
Date: 09/22/1998 10:43:25
>We are replacing our tar with pax. We've also done things like
>replacing portions of our r* tools to remove suid bits and such. I
>don't think we're taking a particularly different approach on such
>matters.

so, two things:

(i) I think you're saying, that, (except exportable crypto),
     OpenBSD in fact does not do particularly more about security
     than NetBSD; they just do better marketing of the job they do.
     Is that right?

(ii) why doesn't someone write up the security-related
     changes made to NetBSD, like r* commands and fixes for
     Bugtraq/CERT advisories, and put them on a Web page?

(iii) anyone done any objective tests -- say, systematically running
      crashme or satan or some such, against all three *BSD systems
      and compared the results? (yes I know it's not very good, but
      I can't think of a better metric.)