Legend:
SPEC!!  - Not specified
SPEC    - Spec not finalized
        - Not done
        * Top priority
        . Partially done
        o Done
        D Deferred
        X Abandoned

For a list of good beginner projects, check out HACKING.

NEEDS TO BE WRITTEN:

For 0.0.5.something:
        o Get limited client timeouts working.

For 0.0.6:  (The release for integrators, Windows users, senders of
large replies, people with dynamically assigned IPs, people with high
TCP latency, and me.)
        o Infrastructure -- low level
                o Generic 'encrypted storage' abstraction for
                  possibly-encrypted singleton pickled objects.
                        o Implement
                        o Integrate
                        o Test
                o Switch ClientQueue to use metadata
        o Fix misc annoyances
                o Don't generate dead keys when restarting the server
                  after the last keys have long expired.
                o Make sure we clean out Filestores used by clients.
                o Don't remove currently-undeliverable messages from client
                  queue when flushing.
                o Don't say "foo is not recommended" 7 times!
        o Dynamic IP support
                o Change IPv4/IPv6 delivery methods to use DNS if desired.
                  [Migration plan: Supplement 'IP' with 'Hostname' in
                   ServerInfo.  If we're routing S1->S2, and both have
                   'Hostname', use FWD/HOST.  Else use FWD/IPv4.  In 0.0.7,
                   drop FWD/IPv4 support, and remove IP from ServerInfo.]
                        o Rename *FWD_TYPE to FWD_IPV4_TYPE
                        o Implement DNS farm
                                o Implement
                                o Unit tests
                        o ServerInfo changes
                                o Implement
                                o Unit tests
                        o Path generation changes
                                o Implement stub canRelayTo and getRoutingFor
                                  in ServerInfo.
                                o Design functionality for can-i-relay-to and
                                  how-do-i-route-to.
                                o Use above functions whenever appropriate
                                o Extend above functions to use IPV4 or HOST.
                                o Test above functions
                        o Implement *FWD/HOST
                                o Changes in Packet.py
                                o Test changes in Packet.py
                                o Multiplex on routingtype.
                        o Implement Host-based routing
                                o Implement
                                o Notice self-routing properly
                                o Test
        o Infrastructure -- high level
                o Separate directory downloading, directory caching, path
                  parsing, and path generation into a new module.
                o Separate SURB logging, keystores, and client queues into
                  client support module.
                o Refactor path selection to have a nicer interface.
                        X Generic, cross-module notion of "address".
                        X Better capability infrastructure.
                        o Better ExitAddress notion.
                        o Separate parsing path str into specifier list,
                          checking specifier list for sanity, and generating
                          path from specifier list.
                        o Switch unit tests to test new interface to ClientDir
                        o New unit tests for multiple converging paths.
                o Rewrite ClientMain path generation to do the right
                  thing with multi-packet messages
                        o Write the code
                        o Hand-test multi-packet and single-packet fwd
                          messages and replies.
        o Security
                o Make sure clients always shuffle packets before delivery.
        o UI improvements:
                o Add some convenient way to list arbitrary server features.
                        o Refactor Config to have a richer idea of types
                        o Add 'features' to Config.
                        o Add featureMap manipulation functionality to
                          ClientDirectory.
                        o Formatting for featuremap
                        o CLI for new listservers
                        o Replace old listservers
                        o Make CLI have three different format flags, not
                          the current impenetrable --cascade={0|1|2}.
                        o Unit tests for features
                        o Unit tests for featureMaps
                o Handle the exit address '0xFFFE' as before.
                o Only warn about unknown types once.
                o Timeouts should say 'timeout', not EINTR.
                o Timeouts should be user-configurable.
                D Logging UIErrors isn't a bad idea.
                o Make UIErrors _look_ like log messages when they hit the
                  console.
                D Separate 'mixminiond' wrapper; 'mixminion server-foo'
                  confuses folk.
                o SSL's "Unexpected error: wrong version number"
                  message is confusing.
                o Better error message when opening db with unsupported
                  database type.
                o List servers by nickname, not by IP (partial solution for
                  clients only, but make expandable to servers once they
                  download directories.)
                D List servers by nickname, not by IP, even in server logs.
                o Make TRACE mode less verbose, or make DEBUG mode more
                  useful.
        o Spec conformance
                o Directory Spec
                        o Implement Packet-Versions
                        o Don't use Key-Digest; mark it for removal in 0.0.7.
                        o Make sure Maximum-Size and Allow-From are obeyed
                          for all types
                X Support SURB secret exchange format
                o Specify SURB keyring format; support loading new format.
                        o Specify format
                        o Implement format
                        o SURB secret rotation
                        o Make client use new format
        o Fragmentation logic fixes
                o Make the fragment path selection not suck.
                o Send logic for client
                o Deliver non-FRAGMENT fragment messages
                        o Implement
                        o Test
                o Option to send messages for client-side reassembly
                        o Implement
                        o Name command-line option
                        o Test
                o Don't allow 'FRAGMENT' exit type if no exit modules are
                  supported.
                o Catch wild mismatches between Max-Packets on FRAGMENT
                  and Max-Size on SMTP/MBOX/etc.
        . Full windows support
                o Finish port
                        o Some kind of substitute for /dev/urandom.
                        o Build process
                        o Signal code may need to change.
                        o Process mgt code may need to change.
                        o Resolve as-yet-unsuspected platform dependencies
                o Address everything on Itamar's non-blocking
                  incompatibility list.
                . Make sure client works
                - Make sure server works
                o Minimal installer
                o Instructions
                o Py2EXE support
        o Delayed Tests
                D Tests for ServerInbox and Directory.py
                D Tests for checkConsistency
                o What happens when Overlap > Lifetime? (Test manually.)
        o Cleanup for release
                o Resolve all XXXX006 and DOCDOC items
                o Resolve all pending bugzilla bugs
                o Resolve all pending mail bugs
                o Make README accurate again
                o Document new 'server-start' switches

For 0.0.7:
        - Specification
                - Clear up specification for payload versions.
                - Clear up specification for NEWS
                o Clear up specification for multiple addrs on MAIL
        - Infrastructure -- high level
                - Servers need to download and use directories
                - Servers should use downloaded directories to print useful
                  nicknames for other servers rather than just IP addresses.
                - Have callers of Packet/BuildMessage/DeliveryPacket
                  decide whether to look for a tag in the RI field.
                - Make processing thread and module thread general
                  cases of a thread pool abstraction?
        - Performance
                - Do a setsockopt(IP_TOS, IPTOS_THROUGHPUT), unless on
                  cygwin, dgux, sni-sysv.
        - UI improvements
                - RFC822 interface and maildir-style exit module to help
                  integrators.
        - Large reply messages and efwd messages
                - Fragment-pool logic for client
        - Manual pages
                - Re-do man page to be generated from common source
                  on all platforms (George.)
                - The 'make install' target should install the man page
                  when appropriate
                - Move the canonical documentation from the README into
                  the manual page.
                - Add pages for 'mixminiond' and 'mixminion.conf' and
                  'mixminiond.conf'.
                - Maybe add a page for Mixminion integration.

Require for "0.1.0" (the in-theory-as-good-as-type-II release):
  [Release criteria: Workable replacement for type II.  At least as
  anonymous, usable, secure, and portable.  Other than lack of nymservers,
  also ready to replace type I.  Interfaces are stable enough that
  integrators can start building GUIs and nymservers without expecting large
  incompatible changes.  Target: first half of 2004.  (No guarantees!)]
        - Dummies and pinging
        - Security
                - Make createPrivateDirs gripe about group-writable parent
                  dirs
        - Modules and module support
                - Use STARTTLS as available, if it's not too hard.
                - Real SMTP module
                        - Support multiple exit addresses. (cc, bcc, etc.)
                          Needs to be bandwidth-limited.
        - End-to-end issues
                - MIME
        - Configurability
                - Better, documented support for http proxies for
                  downloading directories.
                - Make client-side pooling configurable and more
                  sophisticated.
                . Freak out properly on missing/unpublishable IP.
                . Full validation function for client
                . Full validation function for server
                - Support for non-clique topologies (cliques with a few
                  missing links would be sufficient.)
        - Client support
                - Automatically remove old messages from client queue. (Add
                  'warn after' and 'delete after' configuration options.)
                - Flush messages to a single mix, or set of mixes.
                - Clean messages for a single mix, or set of mixes.
                - Support to remove servers from imported set, or to block
                  servers from directory.
                - Avoid timing distinguishability attack related to
                  check-dir, gen-path, read-from-stdin: only download
                  directory *AFTER* reading?  Strongly recommend a cron job?
                  Write the whole thing off as not-really-an-attack?
        - Build and install process
                o Well-tested 'make install'
                - A well-tested 'make uninstall'
                - RPMS, debs, and so on
                . Make sure we run on solaris and *BSD.
                . Make the software run under cygwin
                        o Handle weirdness with directory permissions
                        o flock
                        - Installing to relative path
                . An init.d script.
        - Support for multiple directories, with automated agreement.
                - Configurable dirserver fingerprints and URLs.
        - Full documentation
                - Complete docs for all code, with comments and examples.
                - Write guide for module developers
                - Write complete user's manual
                - Complete all other docs
                - History.
        - Dummy messages (as in batching-taxonomy)
        - Make 'SIGHUP' reload, (and 'SIGUSR' dump).
                - SIGHUP should reconfigure everything:
                        - Logs
                        - EventStats
                        - securedelete
                        - EntropySource (discard old entropy)
                        - Configuration (as used by key)
                        - File locations (????)
                        - Network setup
                        - Module setup
                        - (What else?)
                - SIGHUP should check whether serverinfo should be
                  regenerated.
                - Add SIGUSR1 to do rotate-and-dump only.
        - DoS resistance strategy
                - Bandwidth throttling
                - Timeout connections more aggressively under heavy load
                - What else?
        - Disable heinously insecure operating modes.

Other features for "1.0" (no research required):
        - Full statistics
                - Full statistics (ask Len what the list is.)
        - Security
                - Add ability to mark nodes as having same
                  administrative domain.
                - Change pathgen to avoid two nodes with same domain
                  in a row.
                - Change pathgen to avoid using same node for entry
                  and exit?
                - Add jurisdictions to pathgen?
        - Key management
                - Document "server-DELKEYS"
                - Password-protected private identity keys
                - Password-protected private link/packet keys
                - Password-protected dirserver keys
                - There's no need to ever store MMTP keys to disk; we should
                  also rotate them more often.  (Only if identity key is
                  unencrypted.)
        - Better CLIs
                - Add a --status-fd option similar to GPG's so that
                  we can be more easily embedded.
                - Support for sending multiple copies of a packet?
        - ClientAPI correctness
                - Port ClientAPI from C API document.
                - Move other functionality into ClientSupport module.
                - ClientMain should only have CLI functionality.
        - Heavy-duty performance/DoS testing
        - Modules and module support
                - MBOX
                        - Full config validation
                        - Full boilerplate text
                - Tell ModuleManager about async code (as soon as needed)
        o Refactoring/cleanup
                o Put 'address' someplace more reasonable.
        - Configurability
                o Put pid and lock and key and queues in different
                  places; coalesce pid and lock.
                - Make all filenames in server config relative to
                  server home, if not absolute.
                - Support for one-side-only MMTP configurations.
                X Make zlib bomb prevention configurable.
                - Separate error/other log files.
                - Move boilerplate into outside files.  Add some generic
                  'Boilerplate' functionality.
                - Make SURB logging configurable.
                - Add 'ALLOW' lines to blacklist.
        - Client support
                - Some way to read a reply block *and* a message from
                  stdin?
        - Port to Twisted, if reasonable (see HACKING)
        - Send/receive large messages without having to suck them all
          into RAM at once.
                - Fragment and unfragment large messages on disk.
        - MMTP / async
                - Make MMTP bursty, at least on client side.
                - Tests for all cases:
                        - Packet to server with bogus IP
                        - Junk
                        - Retry on bogus close.
                        - Multiple senders
                        - Bad senders
                        - Bad recipients
                        - Hunt down leaks
        - Testing
                - Test on other (non-redhat, non-linux) systems
                - COME UP WITH A REAL TESTING STRATEGY FOR PERFORMANCE AND
                  CLIs AND MULTI-SERVER SITUATIONS.
                - Integration tests
                        - Automated tests for several servers running
                          on one machine.
                        - Tests for servers on several different
                          machines.
                - Repeatable CLI tests.
                        - For client
                        - For server

Features for "1.0" (some research/specification required):
        - Nymservers
        - Modules and module support
                - Incoming email gateway
                        - Insert encoded packet into net.
                        - Reply to a reply block
        - Configurability
                - Make listening configurable for multiple ports/ips, not
                  all of which need be published.  Perhaps allow different
                  rules for each listener. ???? Maybe not really a good idea.
        - Client support: Improved path selection
                - Figure out how to deal with non-clique topologies
                - Watch out for servers that are really the
                  same server
                - Only pick from the directory when picking
                  random servers.
                - Notice Allow/Deny.
                - Notice MMTP protocol versions.
        - UI issues
                - Notice when out of disk space, die more cleanly.
                  (support max-disk-usage).
        - Dynamic IP support
                - Servers redirect to latest IP if old IP is down.  (Dynamic
                  IP support, after a fashion.)
        - Client support: other
                - Send message to user with known public key
                - Real PKI for end-to-end encryption
        - Directories
                - Support for full-blown multiple-server agreement mechanism
        - IPv6 support (must solve non-clique problem)
        - Generate link padding (if it helps)
        - Notice active attacks and block IPs dynamically.
        - Abuse prevention of some undetermined kind.

WHEN WE GET THE CHANCE:
        [This stuff could be for any version 1.0 or later; it's not a
         requirement for 1.0.]
        - License-friendliness:
                - Switch from OpenSSL to NSS or GNUTLS
        - GUI
        . Multithreaded design to scale to multiple CPUs
        - Security
                - Memlockall wrapper
                o Generic secure delete
                - Support for loopback fs automation and shredding.
        - Make DB module choice configurable?
        - Consider dropping support for older Python versions?

NEED TO BE TESTED
- Signals

NEED TO BE DOCUMENTED

NEEDS TO BE BENCHMARKED
- TLS for leaks
- PEM for leaks
- gen_dh for leaks
- gen_cert for leaks

-----------
(for emacs)
  Local Variables:
  mode:text
  indent-tabs-mode:nil
  fill-column:77
  End:
