Coda File System

Re: [PATCH] coda compiler warning removal

From: Greg Troxel <gdt_at_ir.bbn.com>
Date: 12 Sep 2003 09:20:27 -0400
  The question really comes down to how much do we trust venus. If we
  trust venus to do the right thing, then a lot of checks in the kernel
  are superfluous. If venus is seriously untrusted we probably need even
  more checks.

The kernel should not trust venus.  A general rule in NetBSD at least
is that no user process should be able to crash the kernel.  So full
validation of all pioctl data is in order.  Besides following the
kernel/user rule above, this would mean that we are more likely to
find bugs sooner.  This heads towards the design-by-contract notions
in Eiffel, and I think that's a good thing.  I have never regretted
writing validation code - enough of it trips and shows a bug that it
is faster than debugging without it!

Besides, venus has been known to have a bug or two over the years!

-- 
        Greg Troxel <gdt_at_ir.bbn.com>
Received on 2003-09-12 09:21:27
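As an added example of the "full validation of all pioctl data" the reply argues for (this is illustrative code written for this page, not Coda, venus or NetBSD kernel code, and not from anyone in the thread): a kernel-side handler that checks every field of a pioctl-style request from an untrusted user process before it copies anything in. The request layout, the opcode range, the size cap and the simulated user address space are all assumptions made for illustration.

```c
/* Added example, not Coda or NetBSD code: a kernel-side handler that
 * validates a pioctl-style request from an untrusted user process before
 * acting on it.  Request layout, opcode range, size cap and the simulated
 * user address space are assumptions for illustration only. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PIOCTL_DATA 2048    /* assumed cap on in/out buffer sizes */
#define CODA_CMD_MIN 1ul        /* assumed range of valid opcodes */
#define CODA_CMD_MAX 50ul

struct vice_ioctl {
    const void *in;             /* user pointer: input for the command */
    void *out;                  /* user pointer: where the reply goes */
    uint16_t in_size;
    uint16_t out_size;
};

struct pioctl_req {             /* what the user process hands the kernel */
    unsigned long cmd;
    struct vice_ioctl vi;
};

/* Small simulated user address space so the example runs as a normal
 * process; a real kernel checks against the calling process's map. */
static unsigned char user_mem[4096];
#define USER_BASE ((uintptr_t)user_mem)
#define USER_END  (USER_BASE + sizeof user_mem)

static int user_range_ok(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    if (len == 0)
        return 1;
    if (a < USER_BASE || a >= USER_END)
        return 0;
    return len <= USER_END - a;     /* subtract, so a + len cannot wrap */
}

/* Stand-in for copyin(): refuses addresses outside the user range. */
static int copyin_sim(const void *uaddr, void *kaddr, size_t len)
{
    if (!user_range_ok(uaddr, len))
        return EFAULT;
    if (len)
        memcpy(kaddr, uaddr, len);
    return 0;
}

/* Full validation of the request before the kernel touches anything. */
static int pioctl_validate(const struct pioctl_req *req)
{
    if (req->cmd < CODA_CMD_MIN || req->cmd > CODA_CMD_MAX)
        return EINVAL;                      /* unknown opcode */
    if (req->vi.in_size > MAX_PIOCTL_DATA || req->vi.out_size > MAX_PIOCTL_DATA)
        return EINVAL;                      /* would overrun kernel buffers */
    if ((req->vi.in_size && req->vi.in == NULL) ||
        (req->vi.out_size && req->vi.out == NULL))
        return EFAULT;                      /* a size but no buffer */
    if (!user_range_ok(req->vi.in, req->vi.in_size) ||
        !user_range_ok(req->vi.out, req->vi.out_size))
        return EFAULT;                      /* buffer not in user space */
    return 0;
}

static unsigned char kbuf[MAX_PIOCTL_DATA]; /* kernel-side copy of the input */
static size_t kbuf_len;

/* Entry point: validate, then copy the input in.  Returns 0 or an errno. */
static int pioctl_handle(const struct pioctl_req *req)
{
    int err = pioctl_validate(req);
    if (err)
        return err;
    err = copyin_sim(req->vi.in, kbuf, req->vi.in_size);
    if (err)
        return err;
    kbuf_len = req->vi.in_size;
    return 0;
}

/* Builds a request whose input buffer sits at an offset into user_mem. */
static struct pioctl_req make_req(unsigned long cmd, size_t in_off, uint16_t in_size)
{
    struct pioctl_req r;
    memset(&r, 0, sizeof r);
    r.cmd = cmd;
    r.vi.in = (const void *)(USER_BASE + in_off);
    r.vi.in_size = in_size;
    return r;
}

/* Runs one request and reports the resulting error code. */
static int try_req(unsigned long cmd, size_t in_off, uint16_t in_size)
{
    struct pioctl_req r = make_req(cmd, in_off, in_size);
    return pioctl_handle(&r);
}

/* Same, but with a NULL input pointer and the given size. */
static int try_null_in(uint16_t in_size)
{
    struct pioctl_req r = make_req(3, 0, in_size);
    r.vi.in = NULL;
    return pioctl_handle(&r);
}

int main(void)
{
    memset(user_mem + 16, 0x41, 8);
    printf("good request:     %d\n", try_req(3, 16, 8));
    printf("oversized input:  %d\n", try_req(3, 16, 4000));
    printf("unknown opcode:   %d\n", try_req(99, 16, 8));
    printf("wraps past end:   %d\n", try_req(3, 4000, 200));
    printf("outside user mem: %d\n", try_req(3, 1u << 20, 8));
    printf("NULL with size:   %d\n", try_null_in(8));
    return 0;
}
```

The point of the ordering is that every check runs against the untrusted fields (opcode, sizes, pointers) before any copy, and the range check subtracts rather than adds so a large size cannot wrap the end-of-buffer arithmetic; a trusting handler that passed `in_size` straight to `memcpy` would let a buggy or hostile venus overrun `kbuf`.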