put the 'phase 2' preliminary todo items in place

svn:r19176

1 files changed, 110 insertions, 0 deletions

diff --git a/doc/TODO.external b/doc/TODO.external
index 4382403c4b..c801a8ab4a 100644
--- a/doc/TODO.external
+++ b/doc/TODO.external
@@ -70,3 +70,113 @@ S   - Continue analyzing "traces" left on host machine by use of
 I   d Get a relay operator mailing list going, with a plan and supporting
       scripts and so on.
 
+For mid August:
+
+Section 0, items that didn't make it into the original roadmap:
+
+0.1, installers and packaging
+C - i18n for the msi bundle files
+P - more consistent TBB builds
+IC- get a buildbot up again. Have Linux and BSD build machines.
+    (Windows would be nice but realistically will come later.)
+E - Get Tor to work properly on the iPhone.
+
+3.1.1, performance work.
+
+XXX
+
+4.1, IOCP / libevent / windows / tor
+N - get it working for nick
+N - put out a release so other people can start testing it.
+N - both the libevent buffer abstraction, and the
+    tor-uses-libevent-buffer-abstraction. Unless we think that's
+    unreachable for this milestone?
+
+4.2.1, risks from becoming a relay
+S - Have a clear plan for how users who become relays will be safe,
+    and be confident that we can build this plan.
+    - evaluate all the various attacks that are made possible by relaying.
+      specifically, see "relaying-traffic attacks" in 6.6.
+    - identify and evaluate ways to make them not a big deal
+      - setting a low RelayBandwidth
+      - Nick Hopper's FC08 paper suggesting that we should do a modified
+        round-robin so we leak less about other circuits
+      - instructing clients to disable pings in their firewall, etc
+    - pick the promising ones, improve them so they're even better, and
+      spec them out so we know how to build them and how much effort is
+      involved in building them.
+
+4.5, clients download less directory info
+N - deploy proposal 158.
+N - decide whether to do proposal 140. if so, construct an implementation
+    plan for how we'll do it. if not, explain why not.
+
+5.1, Normalize TLS fingerprint
+N - write a draft list of possible attacks for this section, with
+    estimates about difficulty of attack, difficulty of solution, etc
+N - revisit the list and revise our plans as needed
+NR- put up a blog post about the two contradictory conclusions: we can
+    discuss the theory of arms races, and our quandry, without revealing
+    any specific vulnerabilities. (or decide not to put up a blog post,
+    and explain why not.)
+
+5.5, email autoresponder
+I - maintenance and keeping it running
+
+5.7.2, metrics
+
+XXX.
+
+6.2, Vidalia work
+E - add breakpad support or similar for windows debugging
+E - let vidalia change languages without needing a restart
+E - Implement the status warning event interface started for the
+    phase one deliverables.
+E - Work with Steve Tyree on building a Vidalia plugin API to enable
+    building Herdict and TBB plugins.
+
+6.3, Node scanning
+M - Steps toward automation
+    - Set up email list for results
+    - Map failure types to potential BadExit lines
+M - Improve the ability of SoaT to mimic various real web browsers
+    - randomizing user agents and locale strings
+    - caching, XMLHTTPRequest, form posting, content sniffing
+    - Investigate ideas like running Chrome/xulrunner in parallel
+M - Other protocols
+    - SSH, IMAPS, POPS, SMTPS
+M - Add ability to geolocalize exit selection based on scanner location
+    - Use this to rescan dynamic urls filtered by the URL filter
+
+6.4, Torbutton development
+M - Resolve extension conflicts and other high priority bugs
+M - Fix or hack around ugly firefox bugs, especially Timezone issue.
+    Definitely leaning towards "hack around" unless we see some
+    level of love from Mozilla.
+M - Vidalia New Nym Integration
+    - Implement for Torbutton to pick up on Vidalia's NEWNYM and clear
+      cookies based on FoeBud's source
+    - Do this in such a way that we could adapt polipo to purge cache
+      if we were so inclined
+M - Write up a summary of our options for dealing with the google
+    you-must-solve-a-captcha-to-search problem, and pick one as our
+    favorite option.
+
+6.6, Evaluate new anonymity attacks
+S - relaying-traffic attacks
+    - original murdoch-danezis attack
+    - nick hopper's latency measurement attack
+    - columbia bandwidth measurement attack
+    - christian grothoff's long-circuit attack
+S - client attacks
+    - website fingerprinting
+
+7.1, Tor VM Research, analysis, and prototyping
+C - Get a working package out, meaning other people are testing it.
+
+7.2, Tor Browser Bundle
+I - Port to one of OS X or Linux, and start the port to the other.
+I - Make it the recommended Tor download on Windows
+I - Make sure it's easy to un-brand TBB in case Firefox asks us to
+I - Evaluate CCC's Freedom Stick
+