From dc9f329dd64dc0f9c81aac239d66eb0ff9705f7c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 1 May 2017 12:09:25 -0400 Subject: move low priority todos to web site --- TODO | 22 ---------------------- doc/todo/better_control_window_UI.mdwn | 4 ++++ .../decentralized_gpg_web_of_trust_checking.mdwn | 15 +++++++++++++++ doc/todo/log_file_analysis_mode.mdwn | 3 +++ .../only_let_one_developer_type_at_a_time.mdwn | 20 ++++++++++++++++++++ doc/todo/soft_reject_developer_gpg_keys.mdwn | 7 +++++++ doc/todo/verify_hash_chain_in_loadLog.mdwna | 8 ++++++++ 7 files changed, 57 insertions(+), 22 deletions(-) create mode 100644 doc/todo/better_control_window_UI.mdwn create mode 100644 doc/todo/decentralized_gpg_web_of_trust_checking.mdwn create mode 100644 doc/todo/log_file_analysis_mode.mdwn create mode 100644 doc/todo/only_let_one_developer_type_at_a_time.mdwn create mode 100644 doc/todo/soft_reject_developer_gpg_keys.mdwn create mode 100644 doc/todo/verify_hash_chain_in_loadLog.mdwna diff --git a/TODO b/TODO index a932792..e3d5109 100644 --- a/TODO +++ b/TODO 
@@ -46,25 +46,3 @@ * Make debug-me --bundle create a self-contained executable bundle that can be ran anywhere. Update faq to suggest developers include that with their software. - -Low priority: - -* Color the control window background to distinguish it from the shell - window. Could even use a curses toolkit to draw the control window, and - make it have buttons, etc. Make the control window easy to use, and all - features discoverable.. -* Add a mode that, given a log file, displays what developer(s) gpg keys - signed activity in the log file. For use when a developer did something - wrong, to examine the proof of malfesence. -* loadLog should verify the hashes (and signatures) in the log, and - refuse to use logs that are not valid proofs of a session. - (--replay and --graphvis need this; server's use of loadLog does not) - Everything else in debug-me checks a session's proof as it goes. - And, everything that saves a log file checks the proof as it goes, - so perhaps this is not actually necessary? -* GPG WoT is checked by querying pgp.cs.uu.nl, could use wotsap if it's - locally installed. However, the version of wotsap in debian only supports - short, insecure keyids, so is less secure than using the server. -* Once we have a WoT path, we could download each gpg key in the path and - verify the path. This would avoid trusting pgp.cs.uu.nl not to be evil. - Not done yet, partly because downloading a lot of gpg keys is expensive. diff --git a/doc/todo/better_control_window_UI.mdwn b/doc/todo/better_control_window_UI.mdwn new file mode 100644 index 0000000..e44bd1b --- /dev/null +++ b/doc/todo/better_control_window_UI.mdwn @@ -0,0 +1,4 @@ +Color the control window background to distinguish it from the shell +window. Could even use a curses toolkit to draw the control window, and +make it have buttons, etc. Make the control window easy to use, and all +features discoverable.. 
diff --git a/doc/todo/decentralized_gpg_web_of_trust_checking.mdwn b/doc/todo/decentralized_gpg_web_of_trust_checking.mdwn new file mode 100644 index 0000000..268fad1 --- /dev/null +++ b/doc/todo/decentralized_gpg_web_of_trust_checking.mdwn @@ -0,0 +1,15 @@ +GPG WoT is checked by querying pgp.cs.uu.nl, could use wotsap if it's +locally installed. However, the version of wotsap in debian only supports +short, insecure keyids, so is less secure than using the server. +And, locally running wotsap needs to download the WoT database from +a server anyway, so does not seem to add any security. + +Once we have a WoT path, we could download each gpg key in the path and +verify the path. This would avoid trusting pgp.cs.uu.nl not to be evil. +Not done yet, partly because downloading a lot of gpg keys is expensive. +But also because even if this check were done, bad data in the WoT could +be backed up by real keys on the keyservers. + +The decentralized way is for the user do some key signing, get into the WoT, +and then gpg can tell them if the key is trusted itself. This +already works of course. diff --git a/doc/todo/log_file_analysis_mode.mdwn b/doc/todo/log_file_analysis_mode.mdwn new file mode 100644 index 0000000..9520ae7 --- /dev/null +++ b/doc/todo/log_file_analysis_mode.mdwn @@ -0,0 +1,3 @@ +Add a mode that, given a log file, displays what developer(s) gpg keys +signed activity in the log file. For use when a developer did +something wrong, to examine the proof. diff --git a/doc/todo/only_let_one_developer_type_at_a_time.mdwn b/doc/todo/only_let_one_developer_type_at_a_time.mdwn new file mode 100644 index 0000000..0704bac --- /dev/null +++ b/doc/todo/only_let_one_developer_type_at_a_time.mdwn 
@@ -0,0 +1,20 @@ +Two developers can connect to a session if the user accepts them both, +and then they can type at the same time. + +debug-me will reject some keystrokes depending on what the other developer +is doing. This is probably a bit confusing, and it could be a way to +plausibly deny a bad action, making it look like it was caused by an +inaverdant mix up of two developers typing. + +Better would be to only let one developer type at a time, and they have +to pass the typing stick to let the other developer type. + +Problem: What if one developer has the baton and disconnects? It should +pass to the other developer, but disconnection does not currently +cause a protocol message. + +Also, related problem, one developer has the baton and goes away, +still connected. + +Seems that perhaps the user needs a way to switch control to another +developer. diff --git a/doc/todo/soft_reject_developer_gpg_keys.mdwn b/doc/todo/soft_reject_developer_gpg_keys.mdwn new file mode 100644 index 0000000..3e6c561 --- /dev/null +++ b/doc/todo/soft_reject_developer_gpg_keys.mdwn @@ -0,0 +1,7 @@ +When the user rejects a developer's gpg key, the developer can still +watch the session, but they cannot chat in the control window. There seems +no reason not to let them chat, it just needs a new response to tell +them they have been soft rejected. + +Being able to put a developer in chat-only mode would also help +with [[only_let_one_developer_type_at_a_time]]. diff --git a/doc/todo/verify_hash_chain_in_loadLog.mdwna b/doc/todo/verify_hash_chain_in_loadLog.mdwna new file mode 100644 index 0000000..92f9741 --- /dev/null +++ b/doc/todo/verify_hash_chain_in_loadLog.mdwna 
@@ -0,0 +1,8 @@ +loadLog should verify the hashes (and signatures) in the log, and +refuse to use logs that are not valid proofs of a session. + +(--replay and --graphvis need this; server's use of loadLog does not) + +Everything else in debug-me checks a session's proof as it goes. +And, everything that saves a log file checks the proof as it goes, +so perhaps this is not actually necessary? -- cgit v1.2.3
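Review bot: the new file is named `doc/todo/verify_hash_chain_in_loadLog.mdwna` (diffstat, `create mode` line and the `+++ b/...` header of the last hunk) while every other new page uses the `.mdwn` extension; with the stray `a` ikiwiki will not render this todo as a page, so it should be `doc/todo/verify_hash_chain_in_loadLog.mdwn`. On the content of that hunk, the page answers its own closing question: the line `(--replay and --graphvis need this; server's use of loadLog does not)` means unverified logs do reach code paths that act on them, so the closing "perhaps this is not actually necessary?" could be replaced by a statement that --replay and --graphvis must verify the hash chain and signatures before using a log, even if the server path may skip it.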
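Review bot: the `log_file_analysis_mode.mdwn` hunk depends on the hash chain being verified first, since a mode that reports which gpg keys "signed activity in the log file" as evidence of wrongdoing only means something if the log has been checked to be a valid proof of the session, and the `verify_hash_chain_in_loadLog` hunk in this same commit says loadLog does not yet do that; suggest adding a `[[verify_hash_chain_in_loadLog]]` link (the same wiki-link form used in `soft_reject_developer_gpg_keys.mdwn`) so the dependency is recorded. Minor grammar in the first line: "what developer(s) gpg keys" reads better as "which developers' gpg keys".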
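Review bot: in the `only_let_one_developer_type_at_a_time.mdwn` hunk, "inaverdant mix up" should be "inadvertent mix-up". On the substance, the two open problems (baton holder disconnects without a protocol message; baton holder stays connected but idle) both end at "the user needs a way to switch control", so the page would be clearer if that were stated as the proposed design up front, with the disconnect case noted as needing a protocol message in addition. Since `soft_reject_developer_gpg_keys.mdwn` links here, a reciprocal `[[soft_reject_developer_gpg_keys]]` link would help, as chat-only mode is the natural state for the developer who does not hold the baton.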
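Review bot: the `soft_reject_developer_gpg_keys.mdwn` hunk says a soft rejection "just needs a new response" to the developer; it should also say whether that response is recorded in the session log, otherwise a later reading of the log (the mode proposed in `log_file_analysis_mode.mdwn`) cannot tell that the developer whose key was rejected was limited to chat rather than an accepted participant.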
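Review bot: the `decentralized_gpg_web_of_trust_checking.mdwn` hunk adds reasoning that was not in the removed TODO lines (the sentence starting "And, locally running wotsap needs to download the WoT database" and the paragraph starting "But also because even if this check were done"), so the commit message "move low priority todos to web site" understates the change; worth noting in the message that the WoT item was also expanded. Grammar in the last paragraph: "for the user do some key signing" should be "for the user to do some key signing". Since that paragraph says local gpg trust "already works of course", the page should state what is still open, namely that the pgp.cs.uu.nl query remains a trusted third party for users who are not in the WoT.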
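Review bot: the `better_control_window_UI.mdwn` hunk carries over the doubled period in "features discoverable.." from the old TODO; drop one. In the `TODO` hunk, the surviving context line "executable bundle that can be ran anywhere" should read "can be run anywhere".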