Bug 164875 - Unapproved network communication: update-pciids is in cron.monthly by default
Status: VERIFIED DUPLICATE of bug 156183
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High major
Assignee: Gentoo Linux bug wranglers
Reported: 2007-02-01 17:12 UTC by Arthur Britto
Modified: 2007-02-02 09:31 UTC
Description Arthur Britto 2007-02-01 17:12:41 UTC
By default, sys-apps/pciutils installs an entry in cron.monthly called update-pciutils.  Monthly this initiates outside network communication and e-mails the output of the data transfer to root.

This is wrong:
1. Any communication from a host should be approved by the system administrator.
2. Any communication done as root should be approved by the system administrator.
3. This does not scale well.  Every host that has this script will on the same day in a synchronized fashion (at 5:30 am localtime) attempt to download: http://pciids.sourceforge.net/v2.2/pci.ids
4. For every host this package is installed on a monthly message is sent to the system administrator.
5. This can cause security investigation to be initiated by the system administrator.

1 and 2 are fundamental security principles.
3 is broken and an unintentional DOS attack on http://pciids.sourceforge.net
4 is annoying
5 may detract from resources needed to handle real security events, is panic inducing and annoying, and shows badly on gentoo.

This whole thing is very scary. I received a message from root informing me of the output of a data transfer operation run by cron.  Of course, my first thought is my system may have been compromised, leading to a security investigation.   This is the type of thing administrators should not have to deal with by default.


Reproducible: Always

Steps to Reproduce:
1. emerge sys-apps/pciutils
2. wait for /etc/cron.monthly/* to run.
Actual Results:  
By default /usr/sbin/update-pciutils is run monthly and data transfer output is sent to root.

Expected Results:  
No unapproved data transfer.

Suggestions:
(1) Minimally add a use flag, that is disabled by default, for this monthly update.
(2) Randomize the monthly time of the download.
(3) Only after (1) and (2), silence the output of this script unless there are problems.


I use sys-process/vixie-cron-4.1-r9, other cron packages may run cron.monthly on a different schedule.
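The three suggestions above (opt-in switch, randomized start, quiet on success) can be combined in a single cron.monthly wrapper. The script below is an added illustration, not the file shipped by sys-apps/pciutils or anything proposed in this bug; it assumes a hypothetical switch file /etc/conf.d/update-pciids containing UPDATE_PCIIDS_ENABLED="yes", and that the real updater is /usr/sbin/update-pciids. The CONF, UPDATER and MAX_SPLAY overrides exist only so the functions can be exercised without touching the network.

```shell
#!/bin/sh
# Example cron.monthly wrapper for update-pciids: off unless the admin
# enables it, start time spread over several hours, and cron mail only
# when the update actually fails. Added example; the paths and the
# UPDATE_PCIIDS_* variable names are assumptions, not pciutils' own.

CONF="${UPDATE_PCIIDS_CONF:-/etc/conf.d/update-pciids}"
UPDATER="${UPDATE_PCIIDS_CMD:-/usr/sbin/update-pciids}"
MAX_SPLAY="${UPDATE_PCIIDS_SPLAY:-21600}"   # spread starts over up to 6 hours

# Returns 0 only when the administrator has explicitly switched the job on
# (the hypothetical switch file must exist and set UPDATE_PCIIDS_ENABLED=yes).
update_enabled() {
    [ -r "$CONF" ] || return 1
    # shellcheck disable=SC1090
    . "$CONF"
    [ "${UPDATE_PCIIDS_ENABLED:-no}" = "yes" ]
}

# Prints a pseudo-random integer in [0, $1), seeded from /dev/urandom.
# A 16-bit value is enough to de-synchronise hosts; cryptographic quality
# is not needed here.
random_splay() {
    max="$1"
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 0; }
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( n % max ))
}

# Runs a command and swallows its output on success. On failure the output
# and exit status are printed, so cron mails root about problems only.
run_quietly() {
    out=$("$@" 2>&1) && return 0
    rc=$?
    printf '%s failed with exit status %s:\n%s\n' "$1" "$rc" "$out"
    return "$rc"
}

main() {
    update_enabled || return 0            # default: no unapproved traffic at all
    sleep "$(random_splay "$MAX_SPLAY")"  # do not hit the mirror in lock-step
    run_quietly "$UPDATER"
}

# Run the job only when installed under the expected cron file name, so the
# functions can be sourced and tested without triggering a download.
case "${0##*/}" in
    update-pciids|update-pciids.cron) main ;;
esac
```

Installed as /etc/cron.monthly/update-pciids this does nothing until the switch file says yes, and once enabled it produces mail only when the download or the updater itself fails, which is exactly the case an administrator does want to hear about.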
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-02-01 17:15:13 UTC
Not security.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-02-01 17:16:37 UTC

*** This bug has been marked as a duplicate of bug 156183 ***
Comment 3 Jasmin Buchert 2007-02-02 07:47:03 UTC
"Not security." sounds like a very quick conclusion.
It should be optional and at least use randomized cron times. But even random cron times could produce significantly more unnecessary traffic.
Not to mention that it's very ugly to get mail from cron on some kind of transfer without mentioning what is being transferred.
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-02-02 09:31:13 UTC
I fail to see how "unnecessary traffic" is a security issue or how randomized cronjobs improve security in any way.

Closing, read the other bug and delete the cronjob if you dislike it.