/TODO (fff235383f99ea4597b39b597d212012bf46094f) (8952 bytes) (mode 100644) (type blob)

== BEFORE FIRST RELEASE! ==
[ ] Take care of PHP's time limit to not interfere with the rest.
[ ] Validate e-mails.
[ ] You cannot admin the rights of a repository if it is not yours.
[ ] Check XSRF attacks and other types.
[ ] $rg_pass_key should be done in init.php
[ ] Changing repo name probably is not working right.
[ ] Run update.php before rpm upgrades the scripts.
[ ] Check if /var/run/rocketgit is really created. Maybe it is boot related.
	Is locking working right? Because it seems the repos were created!
[ ] rg_repo_allow seems to not be used.
[ ] Deny any operation till schema update is done.
[ ] Test and fix update.php script.
[ ] Check if rewinds are working as expected.
[ ] 

== Normal priority ==
[ ] "Lock" button to temporarily block access to repository.
	Only owner will have access.
	We may add also a text that will be output to clients.
[ ] List changes introduced by a merge: git diff-tree --always [--cc] -m -p f7d5b5770f4c6b5a124dad6358bed310d56bf909
[ ] ACL per IP (only for private repos).
[ ] Check pack-protocol.txt!
[ ] When push is executed with success, show a nice message from RocketGit.
[ ] Move is_private member in repo array, not test for empty on default rights
[ ] Move default rights to rights table - I do not remember why.
	Maybe for consistency.
	Ah, yes, also to be able to set rights per branches and per files.
[ ] Log files may be written per repo and per user, with locking...
[ ] Push may be always allowed - but will be done as a merge request! Cool.
	Disk space accounting?
[ ] We should make a repo dirty only if user pushed something with success.
[ ] <link rel="icon" type="image/png" id="favicon" href="data:image/png;base64,[...]"/>
[ ] "Add key" form may be joined with list keys command!
[ ] Allow to recover a deleted repository.
[ ] Deny access in all functions to deleted repositories.
[ ] Count the numbers of clones/pushes/pulls.
[ ] Add memcache caching for all database lookups.
[ ] Allow to configure the limit of the patch size to prevent abuses.
[ ] Allow to configure to refuse binary files.
[ ] Allow to configure to refuse commits with broken spaces/tab mixes.
[ ] Add a repo_prop_set/get function that will set/get a file in .git folder.
	This way we can speed up some lookups (no need for database). Hm.
[ ] When we delete a repository, we will do repo_prop_set(repo, disabled) and we will
	return OK, in the background we will do the removing.
	Do not forget to also remove clones. Hm.
[ ] E-mail aliases section.
[ ] User details section (full name, blog, avatar, mail notifications).
[ ] Check if user is over-quota on push.
[ ] The cron will have to:
	[ ] Compute disk usage, ignoring hard links. Hm. Probably we will add
		only the owner, even if the files have multiple links. TBD.
	[ ] 
[ ] UTF-8 checks of patches.
[ ] W3C validation on all pages.
[ ] Validate user and repo names. Probably other things.
[ ] What happens if a user is suspended? Do we allow forgot pass sending?
[ ] Do not allow session updates/any command if user is suspended after his/her login.
[ ] Timeout for connections (ssh/git-daemon/etc.)!
[ ] Check if we have to respect 4HEXA also on SSH. I think not.
[ ] Limit number of simultaneous connections per repo and per user. Maybe also the time!
[ ] Make a "Make a suggestion" area present everywhere.
[ ] On rocketgit website, add "Feedback" area.
[ ] Allow multiple virtual hosts, with different configurations.
[ ] session_time should be set at login time? And/or default s_t should be set from database?
[ ] Do not let user upload an already uploaded key.
[ ] Do not permit more than X auth attempts per second.
[ ] See prepare-commit-msg.sample - we can auto add a line to every commit.
[ ] Check http://plathrop.tertiusfamily.net/blog/2010/05/11/git-hooks-branch-acls-and-more/ to block updates that have not pulled - a la SVN
[ ] Maybe we should mark the repository as dirty, only in the post-receive hook? Or update is the best place?
[ ] Limit number of commits per push.
[ ] In %post section we may want to run a script that will do the update of the
	database, for example.
[ ] Compute disk_used_mb per user.
[ ] Enforce disk quota.
[ ] RSS
[ ] Config file must be able to be set from a env var, to be able to run
	multiple instances of rocketgit on the same server.
[ ] Smart HTTP transport
[ ] Move forget pass token into users table.
[ ] Audit all error messages to not propagate useful info to an attacker.
	Split in two error messages: one for logs and one for user.
[ ] git-daemon connection - cannot get IP info? setenv?
[ ] Do not show submenus if user is not logged in on repopage (ialbeascu)
	- duplicate menus?! maybe add an admin link in repopage that goes
	to repo.
[ ] Undo SELinux stuff when uninstalling applications.
[ ] Nice graphic (unrelated to git): http://tctechcrunch2011.files.wordpress.com/2011/07/hadoop2.png?w=640
[ ] git-notes may be used to attach messages to commits. Nice.
[ ] Store also the size of the patch along history/commit info.
[ ] Check SELinux MLS
[ ] Store users and repositories to /var/lib/rocketgit so we can set a proper
	SELinux context on that folder.
[ ] Test if 'first_install' state is working correctly.
[ ] Deal with empty repositories (rg_git_ls_tree etc.).
[ ] Show age of a user/org/repo. Example: 1 year, 3 months, 4 days.
[ ] The rewrite engine should pass a single op for user and for org, but with parameter org=0 or 1.
	This is to have the same page for both types of users.
[ ] From: http://lwn.net/Articles/460376/
	I can confirm that shortcomings with Gitorious' ACL systems were definitely one of the reasons we ended up deciding against it -- it's just not fine-grained enough and made it impossible to achieve the balance of project maintainer / repo manager autonomy and fool-proofness we wanted. gitolite makes us super-happy in that regard now, though.
	We use a Gitorious instance where I work. One thing that seems impossible to do is have custom hooks. Everything must go through Gitorious' global hooks. If there's a way around this (new version, black magic, whatever), I'd love to hear it.
[ ] Allow git over TLS on a specific port (gits://...).
[ ] KDE: http://news.ycombinator.com/item?id=2972107
[ ] To investigate how gitolite is dealing with pushes without custom daemon.
[ ] 

== Versus ==
* http://www.wikivs.com/wiki/GitHub_vs_Gitorious
* http://unfuddle.com/about/tour/plans
* 


== To recheck ==
* http://techbase.kde.org/Projects/MovetoGit#Post_Update_hooks
* 

