Subject: Re: veriexec logs
To: Brett Lymn <blymn@baesystems.com.au>
From: None <dlagno@mail.nnov.ru>
List: current-users
Date: 03/10/2004 14:59:42
> > Also note that MAKEDEV currently does not create /dev/veriexec.
> 
> I thought that had been fixed earlier this year.  How recent is your
> -current?

No older than 5-7 days.  I see the CVS logs say that the veriexec entry
was fixed in January.  But there is no mention of veriexec in my
/dev/MAKEDEV, while src/etc/MAKEDEV.tmpl contains some entry about it.
My /dev/MAKEDEV is just from etc.tgz, which was built by
./build.sh -someflags distribution sets.

> >  Only messages about mismatched fingerprints are really always
> > important.  Messages about lacking fingerprint may be not so
> > interesting but they also go as "kern.crit".  Those messages can
> > junk up logs.
> 
> No, I don't think you are correct on that.  Lacking a fingerprint
> *should* not happen once the fingerprints have been loaded into the
> kernel.  If you have securelevel at 3 then those executables would be
> denied execution.  Lacking a fingerprint should be an indication that
> someone is trying to run something that has not been made part of the
> trusted computing base and as such the incident should be investigated
> and acted on.

OK, I see.  But you certainly will have junked up logs if you try to
rebuild the system with tools on a machine with veriexec turned on :)