Legend:
SPEC!!  - Not specified
SPEC    - Spec not finalized
        - Not done
        * Top priority
        . Partially done
        o Done
        D Deferred
        X Abandoned


For a list of good beginner projects, check out HACKING.

NEEDS TO BE WRITTEN:

For 0.0.4:
        o UI
                o The error on '-P foo' should be 'path too short',
                  and not mention legs. (neruaL)
                o Better concept of too-short paths.
                o Beautify list-servers output
                o Rename 'server' to server-start; keep 'server', but
                  deprecated.
                o Better error message when path+routinginfo won't fit
                  into header.
                o Ctrl-C should just print "interrupted."
                o Change behavior on binary messages; don't dump 'em
                  to terminals.
                o Client queues should have max-packets-to-send option.
                o DELKEYS should work. (neruaL)
                        o Test
        o Internal statistics
                o Event log module
                o Create and use event log
                o Event log configurability
                o server-stats command
                o Test event log
                o Document log and events
                o Test use of event log
        o Security:
                o Support multiple SURB keys
                        o Better keyrings: implement
                        o Better keyrings: test
                        o Backend support: implement
                        o Backend support: test
                        o CLI support for identities
                        o Test CLI support
                        o Specify behavior
                        o Document in --help and README
                o Increase key length to 2048 bits
                        o Specify
                        o Come up with an upgrade path?
                          (Result: drop backward compatibility.)
                        o Bump up logs
                        o Implement: Packet
                        o Implement: BuildMessage
                        o Implement: PacketHandler
                        o Test
                                o Make old tests work
                                o Tests for BuildMessage with overflow.
                                o Tests for parsing underflow on subheads
        o Make ServerInfo more forward-compatible.
                o Skip sections completely if the version number isn't
                  recognized.
                        o Implement
                        o Test
        o Refactor configuration code.
        o Add new fields to ServerInfo:
                o Stub Secure-Configuration support
                o Stub Contact-Fingerprint support
        o MMTP
                o "IP" belongs in the MMTP part of the server descriptor.
                o self->self packets shouldn't hit the network.
                        o Implement
                        o Test
                o Don't have multiple connections to same server.
                o KEYID should be hash of signing key==hash of
                  identity key.  (Spec may be incorrect.)
                        o Implement
                        o Check expiration date on certificates
                        o Use PeerCertificateCache properly
                        o Test peercertificatecache.
                o Add support for "REJECTED" reply (receive only, with
                  rudimentary send.)
                        o Implement
                        o Test
        o "mixminion ping" command
                o Implement backend
                o Implement frontend
                X Test backend
                o Test frontend
        o Bugfixes
                o "Unexpectedly closed connection" sometimes means
                  "server not there." Log accordingly.
                o The retry scheduling logic is bogus.
                o Attach debugging log calls to DeliveryQueue.
                o "Iffy mode" is iffy message
                o Add more logging code to track fds with MMTPServer.
                o Make sure that deliveryFailed/deliverySucceeded
                  with a nonexistent handle give a warning, and don't
                  simply die.
                o Analyze logic: how can a timeout cause deliveryFailed
                  on a nonexistent handle?
        o Improved path selection
                o Better syntax
                o Improved implementation
                o Tests
        o Key management:
                o Refactor the scheduler code in ServerMain.  We know
                  too many events now.
                        o Implement
                        o Document
                        o Tests
                o Ability to generate new serverdesc with old keys.
                        o Implement
                        o Test backend
                        o Automate
                        o Test
                o Ability to notice discrepancies between SD and
                  server configuration.
                        o Implement
                        o Integrate with frontend
                        o Test in the field
                o Online key rotation
                        o Function to determine time for next rotation event.
                        o Ability to add PK to packethandler
                        o Ability to remove PK from packethandler.
                        o Ability to change TLS context for new connections.
                        o Ability to delete PK.
                        o Trigger all of the above as timed events occur.
                        o Generate new SD's as needed
                        o Publish as needed
                o Rudimentary directory automation (with trivial pinging)
                        o CGI to receive server descriptors:
                                o replace old ones if superseded,
                                  reject them if invalid,
                                  and queue them if unrecognized.
                                o The actual CGI
                        o Ability to move servers from queue to good-list.
                                o Tests
                        o Code to remember whether descriptors are published,
                          and republish as needed
                                o Implement
                                o Add 'publish' option
                                o Add explicit 'republish' command.
                        o Design directory liveness format.  Maybe include
                          all servers in "live" list for now?
                        o Add code to make directory list some servers
                          as 'ungood'
                        o Code to automatically regenerate directories as
                          needed.
        o Make "=== BEGIN" stuff comply with openpgp rfc: why rock
          the boat?
        o Add an 'upgrade to new server format' command.
        o Try out all functionality by hand
                o Start a server
                o Get stats
                o generate directory w/ blacklisted server
                o Rotate stats
                o Failed delivery w/ retry
                o (need delkeys command!)
                o Make sure rotation gets recalculated after keygen.
                o Let users see and specifically request unrecommended servers
                o Does rotation happen?
        o Make sure that stats log isn't truncated, and that it is closed
          and reopened on sighup.
        o Add note to README about decreasing key lifetime.
        o Partially superseded descriptors should get replaced in dir,
          right?
        o Resolve all the memory leaks.
        o resolve all XXXX004s
        o Finish all documentation
        o Add a warning banner.
        o Remaining unit tests
                o Tests for remembering whether keys are published
                o Tests for ServerKeyset.regenerate

For 0.0.5:
        - Background projects:
                - Work on porting clients to cygwin, win32.
                - Twisted port decision
                - Website, FAQ
        - Support for email headers
                - Subject
                - From (limited)
                - In-Reply-To
                - References
        - Support for large messages and K-of-N
        - UI improvements:
                - Audit exceptions: which should be UIError
                - Quiet server startup; should be by default if daemon
                  mode.
                - Notice when out of disk space, die more cleanly
                - 'Iffy mode' messages are confusing
        - Configurability:
                - Ability to disable or relax directory paranoia.
                - Trusted groups, trusted users for directory permissions
        - Deferred tests
                - Tests for online key rotation
                - Tests for ServerInbox and Directory.py
                - Tests for checkConsistency
        - Make 'SIGHUP' reload, (and 'SIGUSR' dump).


For 0.0.6:
        - Dummies and pinging
        - Rudimentary MIME support (content-type, content-encoding only.)

Required for "0.1.0" (the in-theory-as-good-as-type-II release):
[Release criteria: Workable replacement for type II.  At least as
anonymous, useable, secure, and portable.  Nymservers aren't in, so
not yet ready to replace type I.]

        - Full statistics
                - Full statistics (ask Len what the list is.)
        - Key management
                - Document "DELKEYS"
                - Password-protected private identity keys
                - Password-protected private link/packet keys
                - Password-protected dirserver keys
        - Security
                - Make createPrivateDirs gripe about group-writable parent
                  dirs
        - Modules and module support
                - Use ESMTP as available
                - Move boilerplate into outside files.  Add some generic
                  'Boilerplate' functionality.
                - Real SMTP module
                        - Abuse prevention of some undetermined kind.
                        X Support for setting 'Subject' and 'From' lines.
                        - Support for setting 'Subject' line.  (Maybe
                          content-type, too?)
                        - Support multiple exit addresses. (cc, bcc, etc.)
                          Needs to be bandwidth-limited.
        - End-to-end issues
                - K-of-N fragmentation and reassembly
                - MIME
        - Configurability
                - Better, documented support for http proxies for
                  downloading directories.
                - Make client-side pooling configurable and more
                  sophisticated.
                - Reload configuration on SIGHUP
                - Support for one-side-only MMTP configurations.
                . Freak out properly on missing/unpublishable IP.
                . Full validation function for client
                . Full validation function for server
                - No support for non-clique topologies
        - Client support
                - Support to remove servers from imported set, or to block
                  servers from directory.
                - Avoid timing distinguishability attack related to
                  check-dir, gen-path, read-from-stdin: only download
                  directory *AFTER* reading?  Strongly recommend a cron job?
                  Write the whole thing off as not-really-an-attack?
        - Build and install process
                o Well-tested 'make install'
                - A well-tested 'make uninstall'
                - RPMS, debs, and so on
                . Make sure we run on solaris and *BSD.
                - Make the software run under cygwin
                        - Handle weirdness with directory permissions
                        - flock
                        - Installing to relative path
                - "Somebody" should do a native Windows port
                        - Build process
                        - Any C porting as necessary
                        - Signal code may need to change.
                        - Process mgt code may need to change.
                        - Some kind of substitute for /dev/urandom.
                        - Resolve as-yet-unsuspected platform dependencies
                . An init.d script.
        - Testing
                - Test on other (non-redhat, non-linux) systems
                - COME UP WITH A REAL TESTING STRATEGY FOR PERFORMANCE AND
                  CLI'S AND MULTI-SERVER SITUATIONS.
                - Integration tests
                        - Automated tests for several servers running
                          on one machine.
                        - Tests for servers on several different
                          machines.
                - Repeatable CLI tests.
                        - For client
                        - For server
        - Support for multiple directories, no automated agreement.
                - Configurable dirserver fingerprints and URLs.
        - Full documentation
                - Complete docs for all code, with comments and examples.
                - Write guide for module developers
                - Write complete user's manual
                - Complete all other docs
                - History.
        - Dummy messages (as in batching-taxonomy)

        - DoS resistance strategy
                - Bandwidth throttling
                - Timeout connections more aggressively under heavy load
                - What else?
        - Disable heinously insecure operating modes.

Other features for "1.0" (no research required):
        - Better CLIs
                - Add a --status-fd option similar to GPG's so that
                  we can be more easily embedded.
        - Heavy-duty performance/DoS testing
        - Modules and module support
                - MBOX
                        - Full config validation
                        - Full boilerplate text
                - Tell ModuleManager about async code (as soon as needed)
        - Refactoring/cleanup
                - Put 'address' someplace more reasonable.
        - Configurability
                - Put pid and lock and key and queues in different
                  places; coalesce pid and lock.
                - Make all filenames in server config relative to
                  server home, if not absolute.
                - Make zlib bomb prevention configurable.
                - Separate error/other log files.
                - Make SURB logging configurable.
                - Add 'ALLOW' lines to blacklist.
        - Client support
                - Some way to read a reply block *and* a message from
                  stdin?
        - Directory support
                - Servers should download directories
                - Servers should use downloaded directories to print useful
                  nicknames for other servers rather than just IP addresses.
        - Port to Twisted, if reasonable (see HACKING)


Features for "1.0" (some research/specification required):
        - Nymservers
        - Modules and module support
                - Incoming email gateway
                        - Insert encoded packet into net.
                        - Reply to a reply block
        - Configurability
                - Make listening configurable for multiple ports/ips, not
                  all of which need be published.  Perhaps allow different
                  rules for each listener. ???? Maybe not really a good idea.
        - Client support: Improved path selection
                - Figure out how to deal with non-clique topologies
                - Watch out for servers that are really the
                  same server
                - Only pick from the directory when picking
                  random servers.
                - Notice Allow/Deny.
                - Notice MMTP protocol versions.
        - Client support: other
                - Send message to user with known public key
                - Real PKI for end-to-end encryption
        - MMTP / async
                - Make MMTP bursty
                - Tests for all cases:
                        - Packet to server with bogus IP
                        - Junk
                        - Retry on bogus close.
                        - Multiple senders
                        - Bad senders
                        - Bad recipients
                        - Hunt down leaks
        - Directories
                - Support for full-blown multiple-server agreement mechanism
        - IPv6 support (must solve non-clique problem)
        - Generate link padding (if it helps)
        - Notice active attacks and block IPs dynamically.


WHEN WE GET THE CHANCE:
        [This stuff could be for any version 1.0 or later; it's not a
         requirement for 1.0.]
        - License-friendliness:
                - Switch from OpenSSL to NSS or GNUTLS
        - GUI
        . Multithreaded design to scale to multiple CPUs
        - Security
                - Memlockall wrapper
                o Generic secure delete
                - Support for loopback fs automation and shredding.
        - Make DB module choice configurable?
        - Consider dropping support for older Python versions?

NEED TO BE TESTED
- Signals

NEED TO BE DOCUMENTED

NEEDS TO BE BENCHMARKED
- TLS for leaks
- PEM for leaks
- gen_dh for leaks
- gen_cert for leaks

-----------
(for emacs)
  Local Variables:
  mode:text
  indent-tabs-mode:nil
  End:
