By default, sys-apps/pciutils installs an entry in cron.monthly called update-pciutils. Monthly, this initiates outside network communication and e-mails the output of the data transfer to root.

This is wrong:

1. Any communication from a host should be approved by the system administrator.
2. Any communication done as root should be approved by the system administrator.
3. This does not scale well. Every host that has this script will on the same day in a synchronized fashion (at 5:30 am localtime) attempt to download: http://pciids.sourceforge.net/v2.2/pci.ids
4. For every host this package is installed on, a monthly message is sent to the system administrator.
5. This can cause a security investigation to be initiated by the system administrator.

1 and 2 are fundamental security principles. 3 is broken and an unintentional DoS attack on http://pciids.sourceforge.net. 4 is annoying. 5 may detract from resources needed to handle real security events, is panic inducing and annoying, and shows badly on Gentoo.

This whole thing is very scary. I received a message from root informing me of the output of a data transfer operation run by cron. Of course, my first thought is my system may have been compromised, leading to a security investigation. This is the type of thing administrators should not have to deal with by default.

Reproducible: Always

Steps to Reproduce:

1. emerge sys-apps/pciutils
2. wait for /etc/cron.monthly/* to run.

Actual Results: By default /usr/sbin/update-pciutils is run monthly and data transfer output is sent to root.

Expected Results: No unapproved data transfer.

Suggestions:

(1) Minimally add a USE flag, that is disabled by default, for this monthly update.
(2) Randomize the monthly time of the download.
(3) Only after (1) and (2), silence the output of this script unless there are problems.

I use sys-process/vixie-cron-4.1-r9; other cron packages may run cron.monthly on a different schedule.
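Suggestions (1) to (3) from the report above, sketched as an added example that is not part of the original report or of the pciutils package. The config path `/etc/conf.d/pciids-update`, the `ENABLE_UPDATE` key, the 6-hour window and all function names are assumptions made for illustration; it uses a run-time opt-in file in place of a USE flag.

```shell
#!/bin/sh
# Hypothetical wrapper around the monthly job named in the report.
# Invoke as "wrapper.sh run" from cron; without "run" it only defines functions.

# opt_in_enabled FILE: succeed only if the administrator has written
# ENABLE_UPDATE=yes into FILE (assumed config format). Default is "off".
opt_in_enabled() {
    [ -r "$1" ] && grep -q '^ENABLE_UPDATE=yes$' "$1"
}

# jitter_seconds HOST MAX: print a delay in [0, MAX) derived from the CRC of
# the host name. Stable for one host, spread out across many hosts, so the
# fleet does not hit the download server at the same minute.
jitter_seconds() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( sum % $2 ))
}

# run_quiet CMD [ARGS...]: run CMD with stdout and stderr captured. Print
# nothing on success (so cron sends no mail); on failure print the command,
# its exit status and its output, and return that status.
run_quiet() {
    status=0
    out=$("$@" 2>&1) || status=$?
    if [ "$status" -ne 0 ]; then
        printf 'failed (exit %s): %s\n' "$status" "$*"
        printf '%s\n' "$out"
    fi
    return "$status"
}

main() {
    # (1) No network traffic unless explicitly approved by the administrator.
    opt_in_enabled /etc/conf.d/pciids-update || return 0
    # (2) Per-host delay inside an assumed 6-hour window (21600 seconds).
    sleep "$(jitter_seconds "$(hostname)" 21600)"
    # (3) Mail root only when the update fails.
    run_quiet /usr/sbin/update-pciutils
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Because `sleep` blocks the caller, a wrapper like this is better given its own crontab entry than placed in `cron.monthly`, where run-parts would wait on it before starting the next script.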
Not security.
*** This bug has been marked as a duplicate of bug 156183 ***
"Not security." sounds like a very quick conclusion. It should be optional and at least use randomized cron times. But even random cron times could produce significantly more unnecessary traffic. Not to mention that it's very ugly to get mail from cron on some kind of transfer without mentioning what is being transferred.
I fail to see how "unnecessary traffic" is a security issue or how randomized cronjobs improve security in any way. Closing; read the other bug and delete the cronjob if you dislike it.