I ran /etc/security from the command line the other day to check that
a change I had made to a system file was correct. Much to my surprise,
it produced a huge mass of output indicating that all my devices and
suid files had changed.

The culprit turned out to be the time zone; my system default is
US/Eastern, but I happened to have an environment with TZ=Japan.  Thus,
the output of the ls command, which is what is compared for the setuid
files, was different even though the files were unchanged.

To avoid this problem and similar problems, I propose to put

    TZ=UTC; export TZ

at the beginning of /etc/security. I'll do this before reading
security.conf, so that it can be overridden there if an admin really
wants to have this run in another time zone (though I can't think of
any good reason to do this).

Does this seem reasonable? I can't see this even causing much lossage
after an upgrade, since you're likely to be replacing all your setuid
files at the same time anyway.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 3 5778 0123   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC