break the todo file into three todo files.

svn:r16427

1 files changed, 330 insertions, 0 deletions

diff --git a/doc/TODO.future b/doc/TODO.future
new file mode 100644
index 000000000..3155330d5
--- /dev/null
+++ b/doc/TODO.future
@@ -0,0 +1,330 @@
+$Id: TODO 16258 2008-07-30 13:04:38Z nickm $
+Legend:
+SPEC!!  - Not specified
+SPEC    - Spec not finalized
+N       - nick claims
+R       - arma claims
+P       - phobos claims
+S       - Steven claims
+E       - Matt claims
+M       - Mike claims
+J       - Jeff claims
+I       - ioerror claims
+W       - weasel claims
+K       - Karsten claims
+        - Not done
+        * Top priority
+        . Partially done
+        o Done
+        d Deferrable
+        D Deferred
+        X Abandoned
+
+=======================================================================
+
+Later, unless people want to implement them now:
+  - Actually use SSL_shutdown to close our TLS connections.
+  - Include "v" line in networkstatus getinfo values.
+    [Nick: bridge authorities output a networkstatus that is missing
+     version numbers. This is inconvenient if we want to make sure
+     bridgedb gives out bridges with certain characteristics. -RD]
+    [Okay. Is this a separate item, or is it the same issue as the lack of
+     a "v" line in response to the controller GETINFO command? -NM]
+  - Let tor dir mirrors proxy connections to the tor download site, so
+    if you know a bridge you can fetch the tor software.
+  - when somebody uses the controlport as an http proxy, give them
+    a "tor isn't an http proxy" error too like we do for the socks port.
+  - MAYBE kill stalled circuits rather than stalled connections.  This is
+    possible thanks to cell queues, but we need to consider the anonymity
+    implications.
+  - Make resolves no longer use edge_connection_t unless they are actually
+    _on_ a socks connection: have edge_connection_t and (say)
+    dns_request_t both extend an edge_stream_t, and have p_streams and
+    n_streams both be linked lists of edge_stream_t.
+  - Generate torrc.{complete|sample}.in, tor.1.in, the HTML manual, and the
+    online config documentation from a single source.
+  - It would be potentially helpful to respond to https requests on
+    the OR port by acting like an HTTPS server.
+  - Make the timestamp granularity on logs configurable, with default
+    of "1 second".  This might make some kinds of after-the-fact attack harder.
+
+Can anybody remember why we wanted to do this and/or what it means?
+  - config option __ControllerLimit that hangs up if there are a limit
+    of controller connections already.
+    [This was mwenge's idea. The idea is that a Tor controller can
+     "fill" Tor's controller slot quota, so jerks can't do cross-protocol
+     attacks like the http form attack. -RD]
+  - Bridge issues
+    . Ask all directory questions to bridge via BEGIN_DIR.
+    - use the bridges for dir fetches even when our dirport is open.
+    - drop 'authority' queries if they're to our own identity key; accept
+      them otherwise.
+      - give extend_info_t a router_purpose again
+
+
+
+If somebody wants to do this in some version, they should:
+  - Create packages for Nokia 800, requested by Chris Soghoian
+  - More work on AvoidDiskWrites
+  - Make DNSPort support TCP DNS.
+
+
+* * * * Roger, please sort these: * * * *
+
+  - bridge communities with local bridge authorities:
+    - clients who have a password configured decide to ask their bridge
+      authority for a networkstatus
+    - be able to have bridges that aren't in your torrc. save them in
+      state file, etc.
+  - Consider if we can solve: the Tor client doesn't know what flags
+    its bridge has (since it only gets the descriptor), so it can't
+    make decisions based on Fast or Stable.
+  - Some mechanism for specifying that we want to stop using a cached
+    bridge.
+
+=======================================================================
+
+Future versions:
+
+  - Protocol
+    - Our current approach to block attempts to use Tor as a single-hop proxy
+      is pretty lame; we should get a better one.
+    - Allow small cells and large cells on the same network?
+    - Cell buffering and resending. This will allow us to handle broken
+      circuits as long as the endpoints don't break, plus will allow
+      connection (tls session key) rotation.
+    - Implement Morphmix, so we can compare its behavior, complexity,
+      etc.  But see paper breaking morphmix.
+    - Other transport. HTTP, udp, rdp, airhook, etc. May have to do our own
+      link crypto, unless we can bully DTLS into it.
+    - Need a relay teardown cell, separate from one-way ends.
+      (Pending a user who needs this)
+    - Handle half-open connections: right now we don't support all TCP
+      streams, at least according to the protocol. But we handle all that
+      we've seen in the wild.
+      (Pending a user who needs this)
+
+  - Directory system
+    - BEGIN_DIR items
+      - handle connect-dir streams that don't have a chosen_exit_name set.
+    - Have a "Faster" status flag that means it. Fast2, Fast4, Fast8?
+    - Add an option (related to AvoidDiskWrites) to disable directory
+      caching.  (Is this actually a good idea??)
+    X Add d64 and fp64 along-side d and fp so people can paste status
+      entries into a url. since + is a valid base64 char, only allow one
+      at a time. Consider adding to controller as well.
+      [abandoned for lack of demand]
+    - Some back-out mechanism for auto-approval on authorities
+      - a way of rolling back approvals to before a timestamp
+        - Consider minion-like fingerprint file/log combination.
+    X Have new people be in limbo and need to demonstrate usefulness
+      before we approve them.
+
+  - Hidden services:
+    d Standby/hotswap/redundant hidden services: needs a proposal.
+    - you can insert a hidserv descriptor via the controller.
+    - auth mechanisms to let hidden service midpoint and responder filter
+      connection requests: proposal 121.
+    - Let each hidden service (or other thing) specify its own
+      OutboundBindAddress?
+
+  - Server operation
+    - If the server is spewing complaints about raising your ulimit -n,
+      we should add a note about this to the server descriptor so other
+      people can notice too.
+    - When we hit a funny error from a dir request (eg 403 forbidden),
+      but tor is working and happy otherwise, and we haven't seen many
+      such errors recently, then don't warn about it.
+
+  - Controller
+    - Implement missing status events and accompanying getinfos
+      - DIR_REACHABLE
+      - BAD_DIR_RESPONSE (Unexpected directory response; maybe we're behind
+        a firewall.)
+      - BAD_PROXY (Bad http or https proxy)
+      - UNRECOGNIZED_ROUTER (a nickname we asked for is unavailable)
+      - Status events related to hibernation
+      - something about failing to parse our address?
+        from resolve_my_address() in config.c
+      - sketchy OS, sketchy threading
+      - too many onions queued: threading problems or slow CPU?
+    - Implement missing status event fields:
+      - TIMEOUT on CHECKING_REACHABILITY
+    - GETINFO status/client, status/server, status/general: There should be
+      some way to learn which status events are currently "in effect."
+      We should specify which these are, what format they appear in, and so
+      on.
+    - More information in events:
+      - Include bandwidth breakdown by conn->type in BW events.
+      - Change circuit status events to give more details, like purpose,
+        whether they're internal, when they become dirty, when they become
+        too dirty for further circuits, etc.
+      - Change stream status events analogously.
+    - Expose more information via getinfo:
+      - import and export rendezvous descriptors
+      - Review all static fields for additional candidates
+    - Allow EXTENDCIRCUIT to unknown server.
+      - We need some way to adjust server status, and to tell tor not to
+        download directories/network-status, and a way to force a download.
+      - Make everything work with hidden services
+
+  - Performance/resources
+    - per-conn write buckets
+    - separate config options for read vs write limiting
+      (It's hard to support read > write, since we need better
+       congestion control to avoid overfull buffers there.  So,
+       defer the whole thing.)
+    - Rate limit exit connections to a given destination -- this helps
+      us play nice with websites when Tor users want to crawl them; it
+      also introduces DoS opportunities.
+    - Consider truncating rather than destroying failed circuits,
+      in order to save the effort of restarting.  There are security
+      issues here that need thinking, though.
+    - Handle full buffers without totally borking
+    - Rate-limit OR and directory connections overall and per-IP and
+      maybe per subnet.
+
+  - Misc
+    - Hold-open-until-flushed now works by accident; it should work by
+      design.
+    - Display the reasons in 'destroy' and 'truncated' cells under
+      some circumstances?
+    - Make router_is_general_exit() a bit smarter once we're sure what
+      it's for.
+    - Automatically determine what ports are reachable and start using
+      those, if circuits aren't working and it's a pattern we
+      recognize ("port 443 worked once and port 9001 keeps not
+      working").
+
+  - Security
+    - some better fix for bug #516?
+    - Directory guards
+    - Mini-SoaT:
+      - Servers might check certs for known-good ssl websites, and if
+        they come back self-signed, declare themselves to be
+        non-exits.  Similar to how we test for broken/evil dns now.
+      - Authorities should try using exits for http to connect to some
+        URLS (specified in a configuration file, so as not to make the
+        List Of Things Not To Censor completely obvious) and ask them
+        for results.  Exits that don't give good answers should have
+        the BadExit flag set.
+      - Alternatively, authorities should be able to import opinions
+        from Snakes on a Tor.
+    - Bind to random port when making outgoing connections to Tor servers,
+      to reduce remote sniping attacks.
+    - Audit everything to make sure rend and intro points are just as
+      likely to be us as not.
+    - Do something to prevent spurious EXTEND cells from making
+      middleman nodes connect all over.  Rate-limit failed
+      connections, perhaps?
+    - DoS protection: TLS puzzles, public key ops, bandwidth exhaustion.
+
+  - Needs thinking
+    - Now that we're avoiding exits when picking non-exit positions,
+      we need to consider how to pick nodes for internal circuits. If
+      we avoid exits for all positions, we skew the load balancing. If
+      we accept exits for all positions, we leak whether it's an
+      internal circuit at every step. If we accept exits only at the
+      last hop, we reintroduce Lasse's attacks from the Oakland paper.
+
+  - Windows server usability
+    - Solve the ENOBUFS problem.
+      - make tor's use of openssl operate on buffers rather than sockets,
+        so we can make use of libevent's buffer paradigm once it has one.
+      - make tor's use of libevent tolerate either the socket or the
+        buffer paradigm; includes unifying the functions in connect.c.
+    - We need a getrlimit equivalent on Windows so we can reserve some
+      file descriptors for saving files, etc. Otherwise we'll trigger
+      asserts when we're out of file descriptors and crash.
+
+  - Documentation
+    - a way to generate the website diagrams from source, so we can
+      translate them as utf-8 text rather than with gimp. (svg? or
+      imagemagick?)
+    . Flesh out options_description array in src/or/config.c
+    . multiple sample torrc files
+    - Refactor tor man page to divide generally useful options from
+      less useful ones?
+    - Add a doxygen style checker to make check-spaces so nick doesn't drift
+       too far from arma's undocumented styleguide.  Also, document that
+       styleguide in HACKING.  (See r9634 for example.)
+       - exactly one space at beginning and at end of comments, except i
+         guess when there's line-length pressure.
+       - if we refer to a function name, put a () after it.
+       - only write <b>foo</b> when foo is an argument to this function.
+       - doxygen comments must always end in some form of punctuation.
+       - capitalize the first sentence in the doxygen comment, except
+         when you shouldn't.
+       - avoid spelling errors and incorrect comments. ;)
+
+  - Packaging
+    - The Debian package now uses --verify-config when (re)starting,
+      to distinguish configuration errors from other errors. Perhaps
+      the RPM and other startup scripts should too?
+    - add a "default.action" file to the tor/vidalia bundle so we can
+      fix the https thing in the default configuration:
+      http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#PrivoxyWeirdSSLPort
+
+
+=======================================================================
+
+Documentation, non-version-specific.
+  - Specs
+    - Mark up spec; note unclear points about servers
+NR  - write a spec appendix for 'being nice with tor'
+    - Specify the keys and key rotation schedules and stuff
+    . Finish path-spec.txt
+  - Mention controller libs someplace.
+  - Remove need for HACKING file.
+  - document http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy on freebsd and osx
+P - figure out why x86_64 won't build rpms from tor.spec
+P - figure out rpm spec files for bundles of vidalia-tor-polipo
+P - figure out polipo install scripts for bundles of vidalia-tor-polipo on osx, win32
+  - figure out selinux policy for tor
+P - change packaging system to more automated and specific for each
+     platform, suggested by Paul Wouter
+P - Setup repos for redhat and suse rpms & start signing the rpms the
+    way package management apps prefer
+
+Website:
+J . tor-in-the-media page
+P  - Figure out licenses for website material.
+    (Phobos reccomends the Open Publication License with Option A at
+    http://opencontent.org/openpub/)
+P  - put the logo on the website, in source form, so people can put it on
+    stickers directly, etc.
+P  - put the source image for the stickers on the website, so people can
+    print their own
+P - figure out a license for the logos and docs we publish (trademark
+figures into this)
+    (Phobos reccomends the Open Publication License with Option A at
+    http://opencontent.org/openpub/)
+P  - ask Jan/Jens to be the translation coordinator? add to volunteer page.
+I - add a page for localizing all tor's components.
+  - It would be neat if we had a single place that described _all_ the
+    tor-related tools you can use, and what they give you, and how well they
+    work.  Right now, we don't give a lot of guidance wrt
+    torbutton/foxproxy/privoxy/polipo in any consistent place.
+P - create a 'blog badge' for tor fans to link to and feature on their
+    blogs. A sample is at http://interloper.org/tmp/tor/tor-button.png
+  - More prominently, we should have a recommended apps list.
+    - recommend pidgin (gaim is renamed)
+    - unrecommend IE because of ftp:// bug.
+  - Addenda to tor-design
+    - we should add a preamble to tor-design saying it's out of date.
+    - we should add an appendix or errata on what's changed.
+
+  - Tor mirrors
+    - make a mailing list with the mirror operators
+    o make an automated tool to check /project/trace/ at mirrors to
+      learn which ones are lagging behind.
+    - auto (or manually) cull the mirrors that are broken; and
+      contact their operator?
+    - a set of instructions for mirror operators to make their apaches
+      serve our charsets correctly, and bonus points for language
+      negotiation.
+    - figure out how to load-balance the downloads across mirrors?
+    - ponder how to get users to learn that they should google for
+      "tor mirrors" if the main site is blocked.
+    - find a mirror volunteer to coordinate all of this
+