update

2 files changed, 6 insertions, 3 deletions

diff --git a/TODO b/TODO
index 8372df7..30f884c 100644
--- a/TODO
+++ b/TODO
@@ -32,10 +32,13 @@
 * loadLog should verify the hashes (and signatures) in the log, and
   refuse to use logs that are not valid proofs of a session.
   (--replay and --graphvis need this; server's use of loadLog does not)
+  Everything else in debug-me checks a session's proof as it goes.
+  And, everything that saves a log file checks the proof as it goes,
+  so perhaps this is not actually necessary?
 * gpg key downloading, web of trust checking, prompting
   Alternatively, let debug-me be started with a gpg key,
   this way a project's website can instruct their users to
   "run debug-me --trust-gpg-key=whatever"
 * How to prevent abusing servers to store large quantities of data
   that are not legitimate debug-me logs, but are formatted like them?
-  Perhaps add POW to the wire protocol?
+  Perhaps add POW to the wire protocol? Capthca?
diff --git a/debug-me.1 b/debug-me.1
index b730010..130c90c 100644
--- a/debug-me.1
+++ b/debug-me.1
@@ -27,13 +27,13 @@ pass the command and any options after "--".
 .IP "--debug url"
 Connect to a debug-me session on the specified url. The developer runs
 debug-me with this option to see and interact with the user's bug.
-.IP "--replay logfile"
-Replay a debug-me logfile.
 .IP "--download url"
 Download a debug-me log file from the specified url. Note that if the
 debug-me session is still in progress, this will continue downloading
 until the session ends. The proof chain in the log file is verified
 as it is downloaded, but developer gpg signatures are not verified.
+.IP "--replay logfile"
+Replay a debug-me log file with realistic pauses.
 .IP "--watch url"
 Connect to a debug-me session on the specified url and display what
 happens in the session. Your keystrokes will not be sent to the session.