The mode checker is paranoid about suid/sgid, not paranoid enough about files that can be read.
The following patch prevents ports from packaging/installing if they don't have proper annotations for anything that's g-r or o-r... Before it goes in, a number of ports must be properly annotated... (it's also possible the protected files don't really need to be protected, the less special cases the better).

cups-1.7.1:Modes: 700 500 640
imap-uw-2.11v0:Modes: 600
ldapvacation-1.1.3p2:Modes: 640
ntop-1.1p1:Modes: 700
pgworksheet-1.9p4:Modes: 640
py-prettytable-0.7.1p0:Modes: 600
smsmail-1.0.2p3:Modes: 640

(at least, haven't finished my bulk yet).

Index: OpenBSD/ArcCheck.pm =================================================================== RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/ArcCheck.pm,v retrieving revision 1.23 diff -u -p -r1.23 ArcCheck.pm --- OpenBSD/ArcCheck.pm 17 Jan 2014 15:46:16 -0000 1.23 +++ OpenBSD/ArcCheck.pm 18 Jan 2014 16:01:15 -0000 @@ -87,7 +87,8 @@ sub verify_modes } } if (!defined $item->{mode} && $o->isFile) { - if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0) { + if (($o->{mode} & (S_ISUID | S_ISGID | S_IWOTH)) != 0 || + ($o->{mode} & S_IROTH) == 0 || ($o->{mode} & S_IRGRP) == 0) { $o->errsay("Error: weird mode for #1: #2", $item->fullname, sprintf("%4o", $o->{mode} & (S_IRWXU | S_IRWXG | S_IRWXO | S_ISUID | S_ISGID)));
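
Review bot: in the widened `if` condition of verify_modes, a file that merely lacks group or other read permission is reported with the same "Error: weird mode for #1: #2" text as a suid, sgid or world-writable file, so the porter cannot tell which rule was hit. A distinct message for the unreadable case, saying the file needs an explicit mode annotation, would make the listed ports quicker to fix. The two added tests can also be folded into one masked comparison, `($o->{mode} & (S_IRGRP | S_IROTH)) != (S_IRGRP | S_IROTH)`, and it is worth confirming that S_IRGRP and S_IROTH are already imported in ArcCheck.pm, since the visible lines only use S_ISUID, S_ISGID, S_IWOTH and the S_IRWX* masks.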