The net-analyzer/nrpe package has a ./configure flag: --enable-command-args allows clients to specify command arguments. *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option!
Back in nrpe-2.x, it was available via USE=command-args, but I dropped it from nrpe-3.x, and a user just asked about it (bug 628596). There are at least two things we could do with a dangerous flag like that: 1) require EXTRA_ECONF to enable it. 2) hide it behind a masked USE flag. Both options require about the same amount of work from the user, namely editing something under /etc/portage. What do y'all think is the best way to proceed? Are there other examples in the tree I could follow?