Subject: re: verified executable kernel modification committed
To: Brett Lymn <blymn@baesystems.com.au>
From: matthew green <mrg@eterna.com.au>
List: current-users
Date: 10/30/2002 01:49:22

> Q: So, how do you stop the list being updated later?
> A: by using securelevel - the fingerprints can only be loaded at
> securelevel == 0. The full effect of the verified exec is in
> effect at securelevel > 2 (i.e. 3 onwards), at this point warnings
> about invalid/missing fingerprints become fatal errors, before this
> they were merely warnings.

i assume that is "securelevel <= 0" ?

> Q: Doesn't chflags(1) do all this already?
> A: Not really. It can be used to do some of the work but there are
> some things it cannot do like prevent a file from being executed
> nor can it give any confidence that what you are executing has not
> been tampered with.

how does it not give you confidence it has not been tampered with?

.mrg.