/mandos/release : revision 237.7.325

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to TODO

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

Show diffs side-by-side

added added

removed removed

TODO

-*- org -*-

* GIT

** General: [[https://www.atlassian.com/git/workflows][Git Workflows]], [[http://gitimmersion.com/][Git Immersion]], [[https://news.ycombinator.com/item?id=7036628][Simple git workflow is simple]]

** General: [[https://www.atlassian.com/git/workflows][Git Workflows]], [[http://gitimmersion.com/][Git Immersion]], [[https://news.ycombinator.com/item?id=7036628][Simple git workflow is simple]] [[https://news.ycombinator.com/item?id=9661349][On undoing, fixing, or removing commits in git]]

** Intro: [[http://www.eyrie.org/~eagle/notes/debian/git.html#combine][Using Git for Debian Packaging]]

** Use: [[https://honk.sigxcpu.org/piki/projects/git-buildpackage/][git-buildpackage]]

** Migration

* mandos-client

** TODO [#B] Use capabilities instead of seteuid().

https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

** TODO [#B] Use getaddrinfo(hints=AI_NUMERICHOST) instead of inet_pton()

** TODO [#C] Make start_mandos_communication() take "struct server".

** TODO [#C] --interfaces=regex,eth*,noregex (bridge-utils-interfaces(5))

** TODO [#C] Remove code for GNU libc < 2.15

* splashy

** TODO [#B] use scandir(3) instead of readdir(3)

* usplash (Deprecated)

** TODO [#A] Make it work again

** TODO [#B] Make it work again

** TODO [#B] use scandir(3) instead of readdir(3)

* askpass-fifo

** TODO [#B] Drop privileges after opening FIFO.

* password-prompt

** TODO [#B] lock stdin (with flock()?)

*** Hook up stderr of plugins, buffer them, and prepend "Mandos Plugin [plugin name]"

** TODO [#C] use same file name rules as run-parts(8)

** kernel command line option for debug info

** TODO [#C] Remove code for GNU libc < 2.15

* mandos (server)

** TODO [#B] --notify-command

This would allow the mandos.service to use

--notify-command="systemd-notify --pid READY=1"

** TODO [#B] Log level :BUGS:

*** TODO /etc/mandos/clients.d/*.conf

Watch this directory and add/remove/update clients?

+ Approve(False) -> Close client connection immediately

** TODO [#C] python-parsedatetime

** TODO Separate logging logic to own object

** TODO [#A] Limit approval_delay to max gnutls/tls timeout value

** TODO [#B] Limit approval_delay to max gnutls/tls timeout value

** TODO [#B] break the wait on approval_delay if connection dies

** TODO Generate Client.runtime_expansions from client options + extra

** TODO Allow %%(checker)s as a runtime expansion

** TODO Use python-tlslite?

** TODO D-Bus AddClient() method on server object

** TODO Use org.freedesktop.DBus.Method.NoReply annotation on async methods. :2:

** TODO Emit [[http://dbus.freedesktop.org/doc/dbus-specification.html#standard-interfaces-properties][org.freedesktop.DBus.Properties.PropertiesChanged]] signal :2:

TODO Deprecate se.recompile.Mandos.Client.PropertyChanged - annotate!

TODO Can use "invalidates" annotation to also emit on changed secret.

** TODO Support [[http://dbus.freedesktop.org/doc/dbus-specification.html#standard-interfaces-objectmanager][org.freedesktop.DBus.ObjectManager]] interface on server object :2:

Deprecate methods GetAllClients(), GetAllClientsWithProperties()

and signals ClientAdded and ClientRemoved.

** TODO CheckerCompleted method, deprecate CheckedOK

** TODO Secret Service API?

http://standards.freedesktop.org/secret-service/

** TODO Remove D-Bus interfaces with old domain name :2:

** TODO Remove old string_to_delta format :2:

** TODO http://0pointer.de/blog/projects/stateless.html

*** tmpfiles snippet to create /var/lib/mandos with right user+perms

** TODO Error handling on error parsing config files

** TODO init.d script error handling

** TODO D-Bus server properties; address, port, interface, etc. :2:

** TODO [#C] In Python 3.3, use shlex.quote() instead of re.escape()

* mandos.xml

** Add mandos contact info in manual pages

119

123

*** TODO [#C] use same file name rules as run-parts(8)

120

124

*** TODO [#C] Do not install in initrd.img if configured not to.

121

125

Use "/etc/initramfs-tools/hooksconf.d/mandos"?

122

** TODO [#C] /etc/bash_completion.d/mandos

126

** TODO [#C] $(pkg-config --variable=completionsdir bash-completion)

123

127

From XML sources directly?

124

128

125

129

* Side Stuff

Older »