gpgme/TODO
Ben McGinnes b438e5e44c TODO DONE
* Marked off a TODO for this clean-up.

Signed-off-by: Ben McGinnes <ben@adversary.org>
2018-03-04 08:56:26 +11:00

593 lines
18 KiB
Org Mode

Hey Emacs, this is -*- org -*- mode!
* Document all the new stuff.
:PROPERTIES:
:CUSTOM_ID: more-docs-is-better
:END:
** TODO Fix this TODO list.
:PROPERTIES:
:CUSTOM_ID: fix-todo
:END:
Clean up the current TODO list. Include properties as relevant (so
if someone does make a PDF or HTML version the TOC will work).
Also check ans see if some of these ancient things can be removed
(e.g. do we really need to fix things that were broken in GPG
1.3.x? I'm thinking not so much).
* Fix the remaining UI Server problems:
:PROPERTIES:
:CUSTOM_ID: ui-server-fix
:END:
** VERIFY --silent support.
:PROPERTIES:
:CUSTOM_ID: verify-silent
:END:
** ENCRYPT/DECRYPT/VERIFY/SIGN reset the engine, shouldn't be done with UISERVER?
:PROPERTIES:
:CUSTOM_ID: reset-engine-not-ui
:END:
* IMPORTANT
:PROPERTIES:
:CUSTOM_ID: important-stuff-really
:END:
** When using descriptor passing, we need to set the fd to blocking before
:PROPERTIES:
:CUSTOM_ID: set-fd-blocking
:END:
issueing simple commands, because we are mixing synchronous
commands into potentially asynchronous operations.
** Might want to implement nonblock for w32 native backend!
:PROPERTIES:
:CUSTOM_ID: nonblock-win32
:END:
Right now we block reading the next line with assuan.
* Before release:
:PROPERTIES:
:CUSTOM_ID: pre-release
:END:
** Some gpg tests fail with gpg 1.3.4-cvs (gpg/t-keylist-sig)
:PROPERTIES:
:CUSTOM_ID: gpg-1-3-4-really
:END:
The test is currently disabled there and in gpg/t-import.
** When gpg supports it, write binary subpackets directly,
:PROPERTIES:
:CUSTOM_ID: binary-subpackets
:END:
and parse SUBPACKET status lines.
* ABI's to break:
:PROPERTIES:
:CUSTOM_ID: abi-breakage-apparently-on-purpose
:END:
** Old opassuan interface.
:PROPERTIES:
:CUSTOM_ID: old-opassuan
:END:
** Implementation: Remove support for old style error codes in
:PROPERTIES:
:CUSTOM_ID: remove-old-error-codes
:END:
conversion.c::_gpgme_map_gnupg_error.
** gpgme_edit_cb_t: Add "processed" return argument
:PROPERTIES:
:CUSTOM_ID: add-processed-return
:END:
(see edit.c::command_handler).
** I/O and User Data could be made extensible. But this can be done
:PROPERTIES:
:CUSTOM_ID: add-io-user-data
:END:
without breaking the ABI hopefully.
** All enums should be replaced by ints and simple macros for
:PROPERTIES:
:CUSTOM_ID: enums-should-be-ints
:END:
maximum compatibility.
** Compatibility interfaces that can be removed in future versions:
:PROPERTIES:
:CUSTOM_ID: compat-interfaces-to-go
:END:
*** gpgme_data_new_from_filepart
:PROPERTIES:
:CUSTOM_ID: gpgme-data-new-from-filepart
:END:
*** gpgme_data_new_from_file
:PROPERTIES:
:CUSTOM_ID: gpgme-data-new-from-file
:END:
*** gpgme_data_new_with_read_cb
:PROPERTIES:
:CUSTOM_ID: gpgme-data-new-with-read-cb
:END:
*** gpgme_data_rewind
:PROPERTIES:
:CUSTOM_ID: gpgme-data-rewind
:END:
*** gpgme_op_import_ext
:PROPERTIES:
:CUSTOM_ID: gpgme-op-import-ext
:END:
*** gpgme_get_sig_key
:PROPERTIES:
:CUSTOM_ID: gpgme-get-sig-key
:END:
*** gpgme_get_sig_ulong_attr
:PROPERTIES:
:CUSTOM_ID: gpgme-get-sig-ulong-attr
:END:
*** gpgme_get_sig_string_attr
:PROPERTIES:
:CUSTOM_ID: gpgme-get-sig-string-attr
:END:
*** GPGME_SIG_STAT_*
:PROPERTIES:
:CUSTOM_ID: gpgme-sig-stat
:END:
*** gpgme_get_sig_status
:PROPERTIES:
:CUSTOM_ID: gpgme-get-sig-status
:END:
*** gpgme_trust_item_release
:PROPERTIES:
:CUSTOM_ID: gpgme-trust-item-release
:END:
*** gpgme_trust_item_get_string_attr
:PROPERTIES:
:CUSTOM_ID: gpgme-trust-item-get-string-attr
:END:
*** gpgme_trust_item_get_ulong_attr
:PROPERTIES:
:CUSTOM_ID: gpgme-trust-item-get-ulong-attr
:END:
*** gpgme_attr_t
:PROPERTIES:
:CUSTOM_ID: gpgme-attr-t
:END:
*** All Gpgme* typedefs.
:PROPERTIES:
:CUSTOM_ID: all-gpgme-typedefs
:END:
* Thread support:
:PROPERTIES:
:CUSTOM_ID: threads
:END:
** When GNU Pth supports sendmsg/recvmsg, wrap them properly.
:PROPERTIES:
:CUSTOM_ID: wrap-oth
:END:
** Without timegm (3) support our ISO time parser is not thread safe.
:PROPERTIES:
:CUSTOM_ID: time-threads
:END:
There is a configure time warning, though.
* New features:
:PROPERTIES:
:CUSTOM_ID: new-features
:END:
** Flow control for data objects.
:PROPERTIES:
:CUSTOM_ID: flow-control-is-not-a-euphemism-for-an-s-bend
:END:
Currently, gpgme_data_t objects are assumed to be blocking. To
break this assumption, we need either (A) a way for an user I/O
callback to store the current operation in a continuation that can
be resumed later. While the continuation exists, file descriptors
associated with this operation must be removed from their
respective event loop. or (B) a way for gpgme data objects to be
associated with a waitable object, that can be registered with the
user event loop. Neither is particularly simple.
** Extended notation support. When gpg supports arbitrary binary
:PROPERTIES:
:CUSTOM_ID: extended-notation
:END:
notation data, provide a user interface for that.
** notification system
:PROPERTIES:
:CUSTOM_ID: notification-system
:END:
We need a simple notification system, probably a simple callback
with a string and some optional arguments. This is for example
required to notify an application of a changed smartcard, The
application can then do whatever is required. There are other
usages too. This notfication system should be independent of any
contextes of course.
Not sure whether this is still required. GPGME_PROTOCOL_ASSUAN is
sufficient for this.
** --learn-code support
:PROPERTIES:
:CUSTOM_ID: learn-code
:END:
This might be integrated with import. we still need to work out how
to learn a card when gpg and gpgsm have support for smartcards. In
GPA we currently invoke gpg directly.
** Might need a stat() for data objects and use it for length param to gpg.
:PROPERTIES:
:CUSTOM_ID: stat-data
:END:
** Implement support for photo ids.
:PROPERTIES:
:CUSTOM_ID: photo-id
:END:
** Allow selection of subkeys
:PROPERTIES:
:CUSTOM_ID: subkey-selection
:END:
** Allow to return time stamps in ISO format
:PROPERTIES:
:CUSTOM_ID: iso-format-datetime
:END:
This allows us to handle years later than 2037 properly. With the
time_t interface they are all mapped to 2037-12-31
** New features requested by our dear users, but rejected or left for
:PROPERTIES:
:CUSTOM_ID: feature-requests
:END:
later consideration:
*** Allow to export secret keys.
:PROPERTIES:
:CUSTOM_ID: export-secret-keys
:END:
Rejected because this is conceptually flawed. Secret keys on a
smart card can not be exported, for example.
May eventually e supproted with a keywrapping system.
*** Selecting the key ring, setting the version or comment in output.
:PROPERTIES:
:CUSTOM_ID: select-keyring-version
:END:
Rejected because the naive implementation is engine specific, the
configuration is part of the engine's configuration or readily
worked around in a different way
*** Selecting the symmetric cipher.
:PROPERTIES:
:CUSTOM_ID: symmetric-cipher-selection
:END:
*** Exchanging keys with key servers.
:PROPERTIES:
:CUSTOM_ID: key-server-exchange
:END:
* Documentation
:PROPERTIES:
:CUSTOM_ID: documentation
:END:
** TODO Document validity and trust issues.
:PROPERTIES:
:CUSTOM_ID: valid-trust-issues
:END:
** In gpgme.texi: Register callbacks under the right letter in the index.
:PROPERTIES:
:CUSTOM_ID: gpgme-texi
:END:
** TODO Update TODO file
:PROPERTIES:
:CUSTOM_ID: todo-update
:END:
*** DONE fix TODO items
CLOSED: [2018-03-04 Sun 08:55]
:PROPERTIES:
:CUSTOM_ID: fix-todo-items
:END:
Adjust todo items so each can now be referenced by custom-id and
checked off as necessary.
* Engines
:PROPERTIES:
:CUSTOM_ID: engines
:END:
** Do not create/destroy engines, but create engine and then reset it.
:PROPERTIES:
:CUSTOM_ID: reset-engine-is-not-quite-just-ignition
:END:
Internally the reset operation still spawns a new engine process,
but this can be replaced with a reset later. Also, be very sure to
release everything properly at a reset and at an error. Think hard
about where to guarantee what (ie, what happens if start fails, are
the fds unregistered immediately - i think so?)
Note that we need support in gpgsm to set include-certs to default
as RESET does not reset it, also for no_encrypt_to and probably
other options.
** Optimize the case where a data object has an underlying fd we can pass
:PROPERTIES:
:CUSTOM_ID: optimus-data-cousin-of-optimus-prime
:END:
directly to the engine. This will be automatic with socket I/O and
descriptor passing.
** Move code common to all engines up from gpg to engine.
:PROPERTIES:
:CUSTOM_ID: move-code-common-to-engines-out-of-gpg
:END:
** engine operations can return General Error on unknown protocol
:PROPERTIES:
:CUSTOM_ID: general-error-looking-to-be-court-martialled
:END:
(it's an internal error, as select_protocol checks already).
** When server mode is implemented properly, more care has to be taken to
:PROPERTIES:
:CUSTOM_ID: server-mode
:END:
release all resources on error (for example to free assuan_cmd).
** op_import_keys and op_export_keys have a limit in the number of keys.
:PROPERTIES:
:CUSTOM_ID: import-export-problems
:END:
This is because we pass them in gpg via the command line and gpgsm
via an assuan control line. We should pipe them instead and maybe
change gpg/gpgsm to not put them in memory.
* GPG breakage:
:PROPERTIES:
:CUSTOM_ID: gpg-breakage
:END:
** gpg 1.4.2 lacks error reporting if sign/encrypt with revoked key.
:PROPERTIES:
:CUSTOM_ID: gpg-classic-lacks-stuff
:END:
** gpg 1.4.2 does crappy error reporting (namely none at all) when
:PROPERTIES:
:CUSTOM_ID: gpg-classic-problems-but-do-we-care
:END:
smart card is missing for sign operation:
[GNUPG:] CARDCTRL 4
gpg: selecting openpgp failed: ec=6.110
gpg: signing failed: general error
[GNUPG:] BEGIN_ENCRYPTION 2 10
gpg: test: sign+encrypt failed: general error
** Without agent and with wrong passphrase, gpg 1.4.2 enters into an
:PROPERTIES:
:CUSTOM_ID: recursive-gpg-classic
:END:
infinite loop.
** Use correct argv[0]
:PROPERTIES:
:CUSTOM_ID: correct-argv
:END:
In rungpg.c:build_argv we use
argv[argc] = strdup ("gpg"); /* argv[0] */
This should be changed to take the real file name used in account.
* Operations
:PROPERTIES:
:CUSTOM_ID: operations-are-not-surgical
:END:
** Include cert values -2, -1, 0 and 1 should be defined as macros.
:PROPERTIES:
:CUSTOM_ID: certified-macros
:END:
** If an operation failed, make sure that the result functions don't return
:PROPERTIES:
:CUSTOM_ID: operation-failure
:END:
corrupt partial information. !!!
NOTE: The EOF status handler is not called in this case !!!
** Verify must not fail on NODATA premature if auto-key-retrieval failed.
:PROPERTIES:
:CUSTOM_ID: autobot-key-retrieval
:END:
It should not fail silently if it knows there is an error. !!!
** All operations: Better error reporting. !!
:PROPERTIES:
:CUSTOM_ID: better-reporting-not-like-fox-news
:END:
** Export status handler need much more work. !!!
:PROPERTIES:
:CUSTOM_ID: export-status-handler
:END:
** Import should return a useful error when one happened.
:PROPERTIES:
:CUSTOM_ID: import-useful-stuff-even-wrong-stuff
:END:
*** Import does not take notice of NODATA status report.
:PROPERTIES:
:CUSTOM_ID: import-no-data
:END:
*** When GPGSM does issue IMPORT_OK status reports, make sure to check for
:PROPERTIES:
:CUSTOM_ID: gpgsm-import-ok
:END:
them in tests/gpgs m/t-import.c.
** Verify can include info about version/algo/class, but currently
:PROPERTIES:
:CUSTOM_ID: verify-class
:END:
this is only available for gpg, not gpgsm.
** Return ENC_TO output in verify result. Again, this is not available
:PROPERTIES:
:CUSTOM_ID: return-to-enc
:END:
for gpgsm.
** Genkey should return something more useful than General_Error.
:PROPERTIES:
:CUSTOM_ID: general-key-assumed-command-from-general-error
:END:
** If possible, use --file-setsize to set the file size for proper progress
:PROPERTIES:
:CUSTOM_ID: file-setsize
:END:
callback handling. Write data interface for file size.
** Optimize the file descriptor list, so the number of open fds is
:PROPERTIES:
:CUSTOM_ID: optimus-descriptus-younger-brother-of-optimus-prime
:END:
always known easily.
** Encryption: It should be verified that the behaviour for partially untrusted
:PROPERTIES:
:CUSTOM_ID: only-mostly-dead-means-partially-alive
:END:
recipients is correct.
** When GPG issues INV_something for invalid signers, catch them.
:PROPERTIES:
:CUSTOM_ID: invalid-sig
:END:
* Error Values
:PROPERTIES:
:CUSTOM_ID: error-value
:END:
** Map ASSUAN/GpgSM ERR error values in a better way than is done now. !!
:PROPERTIES:
:CUSTOM_ID: map-ass-error
:END:
** Some error values should identify the source more correctly (mostly error
:PROPERTIES:
:CUSTOM_ID: source-errors
:END:
values derived from status messages).
** In rungpg.c we need to check the version of the engine
:PROPERTIES:
:CUSTOM_ID: rungpg-c-engine-ver
:END:
This requires a way to get the cached version number from the
engine layer.
* Tests
:PROPERTIES:
:CUSTOM_ID: tests
:END:
** TODO Write a fake gpg-agent so that we can supply known passphrases to
:PROPERTIES:
:CUSTOM_ID: test-fake-gpg-agent
:END:
gpgsm and setup the configuration files to use the agent. Without
this we are testing a currently running gpg-agent which is not a
clever idea. !
** t-data
:PROPERTIES:
:CUSTOM_ID: test-data
:END:
*** Test gpgme_data_release_and_get_mem.
:PROPERTIES:
:CUSTOM_ID: test-gpgme-data-release-mem
:END:
*** Test gpgme_data_seek for invalid types.
:PROPERTIES:
:CUSTOM_ID: test-gpgme-data-seek
:END:
** t-keylist
:PROPERTIES:
:CUSTOM_ID: test-keylist
:END:
Write a test for ext_keylist.
** Test reading key signatures.
:PROPERTIES:
:CUSTOM_ID: test-key-sig
:END:
* Debug
:PROPERTIES:
:CUSTOM_ID:
:END:
** Tracepoints should be added at: Every public interface enter/leave,
:PROPERTIES:
:CUSTOM_ID: tracepoint-pub-int
:END:
before and in every callback, at major decision points, at every
internal data point which might easily be observed by the outside
(system handles). We also trace handles and I/O support threads in
the w32 implementation because that's fragile code.
Files left to do:
data-fd.c data-mem.c data-stream.c data-user.c debug.c rungpg.c
engine.c engine-gpgsm.c funopen.c w32-glib-io.c wait.c
wait-global.c wait-private.c wait-user.c op-support.c decrypt.c
decrypt-verify.c delete.c edit.c encrypt.c encrypt-sign.c export.c
genkey.c import.c key.c keylist.c passphrase.c progress.c signers.c
sig-notation.c trust-item.c trustlist.c verify.c
** TODO Handle malloc and vasprintf errors. But decide first if they should be
:PROPERTIES:
:CUSTOM_ID: malloc-vasprintf
:END:
ignored (and logged with 255?!), or really be assertions. !
* Build suite
:PROPERTIES:
:CUSTOM_ID:
:END:
** TODO Make sure everything is cleaned correctly (esp. test area).
:PROPERTIES:
:CUSTOM_ID: clean-tests
:END:
** TODO Enable AC_CONFIG_MACRO_DIR and bump up autoconf version requirement.
:PROPERTIES:
:CUSTOM_ID: autoconf-macros
:END:
(To fix "./autogen.sh; ./configure --enable-maintainer-mode; touch
configure.ac; make"). Currently worked around with ACLOCAL_AMFLAGS???
* Error checking
:PROPERTIES:
:CUSTOM_ID: error-checking
:END:
** TODO engine-gpgsm, with-validation
:PROPERTIES:
:CUSTOM_ID: gpgsm-validation
:END:
Add error checking some time after releasing a new gpgsm.
* Language bindings and related components
:PROPERTIES:
:CUSTOM_ID: language-bindings-and-related-stuff
:END:
** TODO Emacs and elisp binding
:PROPERTIES:
:CUSTOM_ID: emacs-and-elisp
:END:
Currently GNU Emacs uses EPA and EPG to provide GnuPG support. EPG
does this by calling the GPG executable and wrapping the commands
with elisp functions. A more preferable solution would be to
implement an epgme.el which integrated with GPGME, then if it could
not to attempt calling the gpgme-tool and only if those failed to
fall back to the current epg.el and calling the command line
binaries.
** TODO API of an API
:PROPERTIES:
:CUSTOM_ID: api-squared
:END:
See the more detailed notes on this in the [[lang/python/docs/TODO.org][python TODO]].
** TODO GPGME installation and package management guide
:PROPERTIES:
:CUSTOM_ID: package-management
:END:
Write a guide/best practices for maintainers of GPGME packages with
third party package management systems.
Copyright 2004, 2005, 2018 g10 Code GmbH
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.