author Nick Mathewson <nickm@torproject.org> 2005-08-27 03:20:51 +0000
committer Nick Mathewson <nickm@torproject.org> 2005-08-27 03:20:51 +0000
commit c6c403e156203222bbca37087f433a37befdb05f
tree 6955d1dadac02265c6006d035d2c45d68c44230e /doc
parent 2e7de08fbfe0e64a42205ade4fd2c369c8b70a5f
First cut at cleaning 0.1.1.x TODO
svn:r4879
Diffstat (limited to 'doc')
-rw-r--r-- doc/TODO 171
1 files changed, 73 insertions, 98 deletions
diff --git a/doc/TODO b/doc/TODO
index bc47fc8914..a9c701106a 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -14,9 +14,8 @@ PHOBOS - phobos claims
Non-Coding, Soon:
N - contact umass folks
-N - Packaging logic and HOWTO for controller libs
N - Mention controller libs someplace.
- - FAQ entry: why gnutls is bad/not good for tor
+ D FAQ entry: why gnutls is bad/not good for tor
P - flesh out the rest of the section 6 of the faq
P - gather pointers to livecd distros that include tor
- put the logo on the website, in source form, so people can put it on
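Review bot: The "Packaging logic and HOWTO for controller libs" line is deleted outright rather than given a status, while the gnutls FAQ entry two lines down is kept and re-marked "D"; make the two dispositions consistent so a reader can tell whether the packaging HOWTO was finished or abandoned. The "D" line also drops the "-" bullet its sibling items use, and the legend that would define "D" is outside this hunk, so check that the marker is listed there.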
@@ -26,7 +25,7 @@ P - gather pointers to livecd distros that include tor
* clean up the places where our docs are redundant (or worse, obsolete in
one file and correct elsewhere). agl has a start on a global
list-of-tor-docs.
-P - update window's docs to clarify which versions of windows, and why a
+P - update windows docs to clarify which versions of windows, and why a
DOS window, how it's used, for the less technical users
NR- write a spec appendix for 'being nice with tor'
- tor-in-the-media page
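Review bot: The replacement line fixes "window's" but still writes the product name in lower case twice ("windows docs", "versions of windows"); capitalise it as "Windows" in the same edit, which also keeps it distinct from the "DOS window" on the continuation line.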
@@ -34,16 +33,13 @@ NR- write a spec appendix for 'being nice with tor'
tor-0.1.0.7.rc
- Remove need for HACKING file.
-For 0.1.0.x:
- . Memory use on Linux: what's happening?
- - Is it threading? (Maybe, maybe not)
- - Is it the buf_shrink bug? (Quite possibly)
- - Instrument the 0.1.1 code to figure out where our memory is going;
- apply the results. (all platforms?)
+
for 0.1.1.x:
R - are dirservers auto-verifying duplicate nicknames?
+
N . Additional controller features
+ - Find a way to make event info more extensible
- change circuit status events to give more details, like purpose,
whether they're internal, etc.
. Expose more information via getinfo:
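Review bot: The whole "For 0.1.0.x:" block on Linux memory use is deleted here, yet the same four items reappear at the end of the patch under "Reach (deferrable) items for 0.1.1.x", so this is a move that changes their priority and not just a cleanup; say so in the commit message, which mentions only the 0.1.1.x list. The added "Find a way to make event info more extensible" item would also be easier to act on with a sentence saying which events or fields it concerns.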
@@ -54,116 +50,92 @@ N . Additional controller features
download directories/network-status, and a way to force a download.
- It would be nice to request address lookups from the controller
without using SOCKS.
-N . helper nodes (Choose N nodes randomly; if a node dies (goes down for a
- long time), replace it. Store nodes on disk.
- o Implement (basic case)
- o Implement (persistence)
- o Document
- . Test, debug
- - On sighup, if usehelpernodes changed to 1, use new circs.
+
+ . Helper nodes
+ . More testing and debugging
+ - On sighup, if usehelpernodes changed to 1, use new circuits?
- If your helper nodes are unavailable, don't abandon them unless
other nodes *are* reachable.
R - If you think an OR conn is open but you can never establish a circuit
to it, reconsider whether it's actually open.
- - switch accountingmax to count total in+out, not either in or
- out. it's easy to move in this direction (not risky), but hard to
- back, out if we decide we prefer it the way it already is. hm.
- . Come up with a coherent strategy for bandwidth buckets and TLS. (The
- logic for reading from TLS sockets is likely to overrun the bandwidth
- buckets under heavy load. (Really, the logic was never right in the
- first place.) Also, we should audit all users of get_pending_bytes().)
- - Make it harder to circumvent bandwidth caps: look at number of bytes
- sent across sockets, not number sent inside TLS stream.
- . Handle rendezvousing with unverified nodes.
- o Specify: Stick rendezvous point's address and port in INTRODUCE cell.
- o Handle new format.
- o Support to extend circuit/target circuit to a chosen combination of
- addr/port/ID/onionkey
- o Parse new format
- o Generate new format (#ifdef out the logic to generate it for now)
- o Specify: make service descriptors contain onion key and identity.
- o Implement new service desc format
- o Think: are we okay with the partitioning? (Yes. It's a simple
- migration issue.)
- o Implement new directory code
- o Implement new server code (Don't enable till directory code is deployed)
- o Implement new client code (Don't enable till directory code is deployed)
- o Look for v1 descriptor if available, else look for v0 descriptor.
- o Use new INTRODUCE protocol if allowed.
-N . Verify that new code works.
- - Enable the new code
- - christian grothoff's attack of infinite-length circuit.
+
+ - Miscellaneous cleanups
+ - switch accountingmax to count total in+out, not either in or
+ out. it's easy to move in this direction (not risky), but hard to
+ back, out if we decide we prefer it the way it already is. hm.
+ . Come up with a coherent strategy for bandwidth buckets and TLS. (The
+ logic for reading from TLS sockets is likely to overrun the bandwidth
+ buckets under heavy load. (Really, the logic was never right in the
+ first place.) Also, we should audit all users of get_pending_bytes().)
+ - Make it harder to circumvent bandwidth caps: look at number of bytes
+ sent across sockets, not number sent inside TLS stream.
+R - remove the warnings from rendezvous stuff that shouldn't be warnings.
+
+N . Handle rendezvousing with unverified nodes.
+ o Implement everything
+ . Enable the new code
+ . Verify that new code works.
+
+ - Christian Grothoff's attack of infinite-length circuit.
the solution is to have a separate 'extend-data' cell type
which is used for the first N data cells, and only
extend-data cells can be extend requests.
- Specify, including thought about
- Implement
+
N - Destroy and truncated cells should have reasons.
N - Add private:* alias in exit policies to make it easier to ban all the
fiddly little 192.168.foo addresses.
(AGL had a patch; consider applying it.)
- - recommended-versions for client / server ?
+
N - warn if listening for SOCKS on public IP.
+
- cpu fixes:
- see if we should make use of truncate to retry
o hardware accelerator support (configure engines.)
- hardware accelerator support (use instead of aes.c when reasonable)
R - kill dns workers more slowly
-R - remove the warnings from rendezvous stuff that shouldn't be warnings.
- - continue decentralizing the directory
- o Specify and design all of the below before implementing any.
- - Figure out what to do about hidden service descriptors.
- X have two router descriptor formats
-R . dirservers verify reachability claims
- o basic reachability testing, influencing network-status list.
-R - rate-limiting the reporting of trouble servers
-R - check reachability as soon as you hear about a new server
- - find 10 dirservers. (what are criteria to be a dirserver?)
- - some back-out mechanism?
+
+ . Directory changes
+ o recommended-versions for client / server ?
+ - Some back-out mechanism for auto-approval
- dirservers have blacklist of IPs they hate
- a way of rolling back approvals to before a timestamp
- have new people be in limbo and need to demonstrate usefulness
before we approve them
- other?
-N . Authoritative dirservers publish very compressed network-status objects.
- o Generate format
- o Publish it
-N . Everyone downloads network-status objects
- - From all directories, round-robin
- - Cache them, reload on restart
- o Serve cached directories
- - If DirPort, act as a cache.
-N - Directories expose individual descriptors
- o By server ID
- o By 'all'
- - By 'if-newer-than' (Does the spec require this??)
- - Support compression.
- o Expose "own most recent descriptor".
-N - Alice acts on network-status objects, downloading descriptors as needed.
- o Servers publish new descriptors when:
- o options change
- o when 12-24 hours have passed
- o when uptime is reset
- o When bandwidth changes a lot.
- - alices avoid duplicate class C nodes.
- o everybody with a dirport will give you his descriptor.
- - config option, on by default, to cache all descriptors.
- - Compress router desc sets before transmitting them
- M Analyze how bad the partitioning is or isn't.
- - Naming:
- - Specify and design all of the below before implementing any.
- - some dirservers announce that they manage bindings (a flag in
- router-status).
- - other dirservers mention a binding if there is no conflict for
- that binding among the dirservers that manage it.
- no conflict == any of them bind it and no disagreement.
- - alice can specify a nickname and it will record that name in her
- datadir along with the key *if* it is bound. otherwise her specifying
- will fail (loudly we hope).
- - thus when a binding vanishes (e.g. conflict) alice will keep using
- the one she meant.
- - if the binding changes keys, the entry in her datadir will silently
- get corrected.
+
+R . Dirservers verify reachability claims
+ o basic reachability testing, influencing network-status list.
+R - rate-limiting the reporting of trouble servers
+R - check reachability as soon as you hear about a new server
+
+ - Decentralization
+ - Figure out what to do about hidden service descriptors.
+ - find 10 dirservers.
+ - (what are criteria to be a dirserver?)
+N . Dirservers publish compressed network-status objects.
+ - Support several-at-once
+N . Everyone downloads network-status objects
+ - From all directories, round-robin
+ - Cache them, reload on restart
+ o Serve cached directories
+N . Directories expose individual descriptors
+ X By 'if-newer-than' (Does the spec require this??)
+ - Support compression.
+N - Alice acts on network-status objects
+ - Alice downloads descriptors as needed.
+ - Alice sets descriptor status from networks-status
+
+ - Security
+ - Alices avoid duplicate class C nodes.
+ - Analyze how bad the partitioning is or isn't.
+
+N - Naming:
+ - Separate naming from validation in authdirs.
+ - Clients choose names based on network-status options.
+ - Names are remembered in client status.
+
- packaging and ui stuff:
. multiple sample torrc files
- uninstallers
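Review bot: In the rewritten "Naming:" block the three new lines drop the behaviour the deleted text specified: that a nickname is recorded with its key in the client's datadir only if it is bound, that specifying an unbound name fails loudly, and that a client keeps using the key it meant when a binding vanishes. Those are the security-relevant parts of the design, so move them to a spec or keep a pointer to them before shortening the item to "Names are remembered in client status." In the rendezvous block, "Enable the new code" is now listed ahead of "Verify that new code works." with both marked in progress, the reverse of the old order; put verification first. The items "If DirPort, act as a cache", "config option, on by default, to cache all descriptors" and "Compress router desc sets before transmitting them" disappear without a done or dropped marker, and "networks-status" in the new Alice line should read "network-status".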
@@ -175,15 +147,18 @@ N - Alice acts on network-status objects, downloading descriptors as needed.
N - Vet all pending installer patches
- Win32 installer plus privoxy, sockscap/freecap, etc.
- Vet win32 systray helper code
- o Make logs go into platform default locations.
- o OSX
- X Windows. (?)
Reach (deferrable) items for 0.1.1.x:
- Start using create-fast cells as clients
o Let more config options (e.g. ORPort) change dynamically.
- start handling server descriptors without a socksport?
+ . Research memory use on Linux: what's happening?
+ - Is it threading? (Maybe, maybe not)
+ - Is it the buf_shrink bug? (Quite possibly)
+ - Instrument the 0.1.1 code to figure out where our memory is going;
+ apply the results. (all platforms?)
+
For 0.1.1.x, if we can figure out how:
- rewrite how libevent does select() on win32 so it's not so very slow.
o enclaves (at least preliminary)
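Review bot: The memory-use research is re-added under "Reach (deferrable) items for 0.1.1.x" even though its own sub-item rates the buf_shrink bug as "Quite possibly" the cause; a suspected bug should not sit in a deferrable list, so split the buf_shrink check into its own item in the main 0.1.1.x section and leave only the open-ended instrumentation here. The completed "Make logs go into platform default locations" entry is removed together with its "X Windows. (?)" child, which loses the record that the Windows case was dropped with a question mark.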