== BEFORE FIRST RELEASE! ==
[ ] See diff for merge requests.
[ ] JUNK1/JUNK2: http://rg.embedromix.ro:8000/user/catab/rocketgit/commit/afd1df2..f919c9b
[ ] Confirmation e-mail comes from rg1.
[ ] rg_log: why is the fd NULL?!
[ ] Install text files in /usr/share/doc
[ ] "log" does not list the last entries! More exactly, it seems the owner does not update the repo!
[ ] @@branch@@ is not defined for merge requests. Should it? Probably yes, to filter them.
[ ] Create a repo and click on it; seems we get error (gabi)!
[ ] Add permission to add bug tracker to a project.
[ ] Remove all @@ DUMP @@s from templates.
[ ] We are escaping when we insert into the database _and_ when we output to the screen!
What should we do?
[ ]
== Medium ==
[ ] Check admin creation of an account.
[ ] Add possibility to reject merge requests, to apply, to delete etc.
[ ] Do we need to escape some chars in console (ssh rocketgit@host repo X)?
[ ] We need to switch to a template for the user form to get rid of a lot of
mumbo-jumbo with the _u array passed!
[ ] Show the API on the webpage, exactly like Blender.
[ ] We can pass in authorized_keys also the key id. Maybe for usage?
[ ] Migrate to a single function to deal with a request so we can do better
unit testing.
[ ] We should have a 'policy' table where we have something like:
ID max_speed max_users max_disk_space
and every user is associated with such a policy, based on payments etc.
Example: user X paid some money, and we assign it to level 2
Level 2 has 4 users, max 100MiB disk space, 1Mbit/s speed.
He creates a repo and assigns 2 users to it.
[ ] Notifications when disk space is low.
[ ] Check webSSO for authentication.
[ ] Check http://gitlist.org/
[ ] use do {} while(0) to respect profiling!
[ ] If we do ssh without any command, be nice and show how to clone,
show projects, rights etc. Check ssh.inc.php.
[ ] Enforce Signed-off-by lines per project (a new permission)
= reject commits without signoff!
Maybe, do it generic: allow a text field to enumerate what should be in a commit!
Also, present a list with checkboxes: at least Signed-off-by, Reported-by, Acked-by!
[ ] Linus on why GitHub sucks: https://github.com/torvalds/linux/pull/17#issuecomment-5654674
[ ] Warn if commit messages are too long (no wrap).
[ ] Allow possibility to send an e-mail to the maintainer from web with a pull request
[ ] Check https://github.com/torvalds/linux/pull/17#issuecomment-5654674
[ ] Merge requests e-mail: explanation of why to pull, diffstat! Maybe also the patch if it is small.
[ ] Check git-request-pull
[ ] Show the size of a repository. Also when you ssh from terminal.
See git-count-objects and http://stackoverflow.com/questions/8185276/find-size-of-git-repo.
[ ] Logo for project.
[ ] Default branch per project[/user].
[ ] Main language of the project.
[ ] Web site for a project.
[ ]
== Normal priority ==
[ ] Add hint about "ssh rocketgit@server" to quickly find status etc.
[ ] rg_redirect does not record profiling information!
[ ] git bundle
[ ] How to sign merge requests?!
[ ] Signal, with red, if a key was uploaded in the last X days.
[ ] Store in a cookie the last uid used, and if > 0, lookup e-mail and prefill
forgot password e-mail field.
[ ] Yeah, BitBucket's pricing is much better: they only charge on the number of collaborators.
[ ] Permit "log" to see more rows.
[ ] Allow admin to upload keys for a user.
[ ] Make an option to not allow a client to upload keys.
[ ] Can we bypass ssh auth to allow pushes?
This way maybe we can identify client by fingerprint.
[ ] Use rg_git_diff_tree to test for path based restrictions. Also, take care of renames, copies etc.
[ ] See Gerrit: https://codereview.qt-project.org/#change,22764
[ ] user-conf: option: auto-create-repo-on-push
[ ] Use git push to do all kind of commands: create repo, delete repo, update description etc.
[ ] Allow creating a template for repositories.
[ ] Optionally init a repo with some files (README, TODO etc.)
[ ] Check https://git.wiki.kernel.org/articles/g/i/t/GitHosting_2036.html
[ ] Add RocketGit to https://git.wiki.kernel.org/articles/g/i/t/GitHosting_2036.html
[ ] Add a dependency on sendmail.
[ ] Improve e-mails to not be considered spam.
[ ] Statistics (number, tool etc.) for project access.
[ ] For bugtracker use BerliOS as a starting point.
[ ] Allow (anonymous) editing files on web and transform them in merge request.
[ ] On the first page no search form! It is useless!
[ ] Add stats for a repo. Some stuff is already in git.inc.php.
[ ] Anti-spam: hide e-mail addresses!
[ ] Check if a merge request was integrated (hm; what integrated means?!) and
signal this in merge requests list?
[ ] Add rg_branch_allow_chars and rg_tags_allow_chars.
[ ] repo/tag|branch/<name> page should put next to the commit also the tag/branch.
[ ] Order tags by mtime desc.
[ ] If a user pushes an unknown repo, we may automatically create a repo!
[ ] Fix the "edit repo" page!
[ ] rg-repos should be split in rg_repos and rg_var_lib.
[ ] 'cop' variable is not good - I do not remember what it means!
[ ] $blocks = explode("@@left@@-=ROCKETGIT=-@@left@@", $a) - seems that \0 is replaced!
[ ] Changing repo name probably is not working right.
[ ] Check XSRF attacks and other types.
[ ] Validate e-mails.
[ ] Take care of PHP's time limit to not interfere with the rest.
[ ] Run update.php before rpm upgrade the scripts.
[ ] Store by uid the repos, and make links to them. Make a function to rename
a username. We have to keep track of renames so old links will
still work.
[ ] Differentiate between owner of a repository, currently logged in user and admin.
[ ] Warn before deleting a repo!
[ ] Update of database must be done from a global init function, not by admin.
[ ] Switch all menus to templates.
[ ] Switch all forms to templates.
[ ] Check double slashes in URLs.
[ ] Automatically create user on anonymous push?
[ ] I am not sure I can reload xinetd and httpd from spec file
[ ] Check SELinux context on /var/lib/rocketgit
[ ] admin: "Lock or accounts" and "Reset password for all accounts and send mail".
[ ] rg_repo_allow seems to not be used.
[ ] Get memory statistics from /proc.
[ ] Delay connection to database.
[ ] Add support for refs/notes/ pushes.
[ ] When logging _SERVER variables, log only the ones prefixed by ROCKETGIT_.
[ ] Ask password when doing any critical change of the account and send mail.
[ ] Add commercial possibility for VPNs to be sure you can push/fetch safely.
[ ] Add a possibility (link shown in push message) to delete/update/etc. the
merge request.
[ ] Allow a nonstandard port for web.
[ ] Put form error messages next to the label.
[ ] Get rid of $rr!
[ ] favicon.ico is not in theme!
[ ] Create unit testing for all functions.
[ ] Test error code for rg_sql_query.
[ ] Log $ret['errmsg'] for rg_exec
[ ] Audit code to replace parts with rg_internal_error.
[ ] TODO feature for projects.
[ ] Allow SSH keys per repository (only)?
[ ] Allow remote 'gc' of a repo, besides an automatic one.
[ ] Take care of caching of passwords. Maybe allow a purge of a file from browser?
[ ] "Lock" button to temporary block access to repository.
Only owner will have access.
We may add also a text that will be output to clients.
[ ] List changes introduced by a merge: git diff-tree --always [--cc] -m -p f7d5b5770f4c6b5a124dad6358bed310d56bf909
[ ] ACL per IP (only for private repos).
[ ] Check pack-protocol.txt!
[ ] When push is executed with success, show a nice message from RocketGit.
[ ] Move is_private member in repo array, not test for empty on default rights
[ ] Move default rights to rights table - I do not remember why.
Maybe for consistency.
Ah, yes, also to be able to set rights per branches and per files.
[ ] Log files may be written per repo and per user, with locking...
[ ] Push may be always allowed - but will be done as a merge request! Cool.
Disk space accounting?
[ ] We should make a repo dirty only if user pushed something with success.
[ ] <link rel="icon" type="image/png" id="favicon" href="data:image/png;base64,…"/>
[ ] "Add key" form may be joined with list keys command!
[ ] Allow to recover a deleted repository.
[ ] Deny access in all functions to deleted repositories.
[ ] Count the numbers of clones/pushes/pulls.
[ ] Add memcache caching for all database lookups.
[ ] Allow to configure the limit of the patch size to prevent abuses.
[ ] Allow to configure to refuse binary files.
[ ] Allow to configure to refuse commits with broken spaces/tab mixes.
[ ] Add a repo_prop_set/get function that will set/get a file in .git folder.
This way we can speed up some lookups (no need for database). Hm.
[ ] When we delete a repository, we will do repo_prop_set(repo, disabled) and we will
return OK, in the background we will do the removing.
Do not forget to also remove clones. Hm.
[ ] E-mail aliases section.
[ ] User details section (full name, blog, avatar, mail notifications).
[ ] Check if user is over-quota on push.
[ ] The cron will have to:
[ ] Compute disk usage, ignoring hard links. Hm. Probably we will add
only the owner, even if the files have multiple links. TBD.
[ ]
[ ] UTF-8 checks of patches.
[ ] W3C validation on all pages.
[ ] Validate user and repo names. Probably other things.
[ ] What happens if a user is suspended? Do we allow forgot pass sending?
[ ] Do not allow session updates/any command if user is suspended after his/her login.
[ ] Timeout for connections (ssh/git-daemon/etc.)!
[ ] Check if we have to respect 4HEXA also on SSH. I think not.
[ ] Limit number of simultaneous connections per repo and per user.
Maybe also the time!
[ ] Make everywhere present a "Make a suggestion" area.
[ ] On rocketgit website, add "Feedback" area.
[ ] Allow multiple virtual hosts, with different configurations.
[ ] session_time should be set at login time? And/or default s_t should be set from database?
[ ] Do not let user upload an already uploaded key.
[ ] Do not permit more than X auth attempts per second.
[ ] See prepare-commit-msg.sample - we can auto add a line to every commit.
[ ] Check http://plathrop.tertiusfamily.net/blog/2010/05/11/git-hooks-branch-acls-and-more/ to block updates that have not pull - a la SVN
[ ] Maybe we should mark the repository as dirty, only in the post-receive hook? Or update is the best place?
[ ] Limit number of commits per push.
[ ] Compute disk_used_mb per user.
[ ] Enforce disk quota.
[ ] RSS
[ ] Config file must be able to be set from an env var, to be able to run
multiple instances of rocketgit on the same server.
[ ] Smart HTTP transport
[ ] Move forget pass token into users table.
[ ] Audit all error messages to not propagate useful info to an attacker.
Split in two error messages: one for logs and one for user.
[ ] git-daemon connection - cannot get IP info? setenv?
[ ] Do not show submenus if user is not logged in on repopage (ialbeascu)
- duplicate menus?! maybe add an admin link in repopage that goes
to repo.
[ ] Undo SELinux stuff when uninstalling applications.
[ ] Nice graphic (unrelated to git): http://tctechcrunch2011.files.wordpress.com/2011/07/hadoop2.png?w=640
[ ] git-notes may be used to attach messages to commits. Nice.
[ ] Store also the size of the patch along history/commit info.
[ ] Check SELinux MLS
[ ] Store users and repositories to /var/lib/rocketgit so we can set a proper
SELinux context on that folder.
[ ] Test if 'first_install' state is working correctly.
[ ] Deal with empty repositories (rg_git_ls_tree etc.).
[ ] Show age of an user/org/repo. Example: 1 year, 3 months, 4 days.
[ ] The rewrite engine should pass a single op for user and for org, but with param org=0 or 1.
This is to have the same page for both types of users.
[ ] From: http://lwn.net/Articles/460376/
I can confirm that shortcomings with Gitorious' ACL systems were
definitely one of the reasons we ended up deciding against it --
it's just not fine-grained enough and made it impossible to achieve
the balance of project maintainer / repo manager autonomy and
fool-proofness we wanted. gitolite makes us super-happy in that regard
now, though.
We use a Gitorious instance where I work. One thing that seems
impossible to do is have custom hooks. Everything must go through
Gitorious' global hooks. If there's a way around this (new version,
black magic, whatever), I'd love to hear it.
[ ] Allow git over TLS on a specific port (gits://...).
[ ] KDE: http://news.ycombinator.com/item?id=2972107
[ ] To investigate how gitolite is dealing with pushes without custom daemon.
[ ] Record in notes who pushed a commit first, for trace reasons?
[ ] Add support for hooks/pre-receive-signature
[ ] Work flows: Allow user to edit workflows. For example:
- A merge request that is approved in a MR queue will make it
automatically to the specified queues.
[ ] At push time we may generate some nice informative output (commits,
last time when current user committed etc.)
[ ] Team support
[ ] Bulk add users/teams/repos/bugs/etc.
== Graphics ==
[ ] http://static.phpcloud.com/images/banner/phpcloudcom-spaceship-banner-970x404px.jpg
[ ]
== Versus ==
* http://www.wikivs.com/wiki/GitHub_vs_Gitorious
* http://unfuddle.com/about/tour/plans
* bitbucket.org
*
== To recheck ==
* http://techbase.kde.org/Projects/MovetoGit#Post_Update_hooks
*
== Rights management - to be implemented ==
- A user is trying to push some commits in a branch B, for a file F
- The set of rights may be:
    Branch   File        Rights
    B2       dir/*.png   FPA
    *        dir2        A
    *        *           F
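A reference model of the rights evaluation sketched above, also covering the renames/copies caveat from the rg_git_diff_tree item in the normal-priority section. This is an added example in Python, not RocketGit code: the rule table is the one from the TODO, while the meaning of the rights letters (treated as opaque tags), the directory semantics of a wildcard-free file pattern, and the additive, deny-by-default combination of matching rules are assumptions.

```python
import fnmatch

# Constructed rights table, mirroring the example in the TODO.
# Each rule is (branch pattern, file pattern, rights letters); the
# letters are treated as opaque tags since the TODO does not define them.
RULES = [
    ("B2", "dir/*.png", "FPA"),
    ("*",  "dir2",      "A"),
    ("*",  "*",         "F"),
]


def path_matches(pattern, path):
    """Glob match on the whole path ('*' also crosses '/'). Assumption:
    a pattern without wildcards names a directory as well, so 'dir2'
    covers 'dir2/x/y.c'."""
    if fnmatch.fnmatchcase(path, pattern):
        return True
    has_wildcard = any(c in pattern for c in "*?[")
    return not has_wildcard and path.startswith(pattern.rstrip("/") + "/")


def rights_for(rules, branch, path):
    """Union of the rights letters of every rule matching (branch, path).
    Assumption: grants are additive and anything not granted is denied."""
    granted = set()
    for branch_pat, file_pat, rights in rules:
        if fnmatch.fnmatchcase(branch, branch_pat) and path_matches(file_pat, path):
            granted.update(rights)
    return granted


def push_allowed(rules, branch, changes, right):
    """Allow the push only if `right` is granted on every path it touches.
    `changes` are (status, old_path, new_path) triples as git diff-tree -M -C
    reports them; a rename (R...) or copy (C...) touches both its source and
    its destination, so both are checked (the renames/copies caveat from the
    TODO). Returns (True, None) or (False, first_denied_path)."""
    for status, old_path, new_path in changes:
        paths = [old_path, new_path] if status[0] in "RC" else [new_path]
        for path in paths:
            if right not in rights_for(rules, branch, path):
                return False, path
    return True, None
```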