File TODO changed (mode: 100644) (index c037975..84be9e7) |
== Where I stopped last time == |
[ ] test docker |
[ ] robots.txt: disallow diffs to show in search engines. Makes not sense. |
[ ] Disallow big diffs. How to do this? Forbit the operation or used files |
to generate the output? |
Get stats from old, then for new and do the difference. If bigger than X |
do not show that diff? |
[ ] Is the length of the password is check for forget_link page? |
[ ] clean_cookies must be used everywhere! |
[ ] |
|
== BEFORE NEXT RELEASE == |
[ ] Use 'restrict' when generating authorized_keys file. |
[ ] In report, report also the space used and a top 5? |
[ ] At login time to destroy all forgot password pending tokens? |
[ ] promise to not sell user data. |
[ ] admin settings: disable reports by e-mail. |
[ ] web: How can you help: sponsor us! |
[ ] ldap: add groups support |
[ ] repo stats: at least generate the log into a file and parse the file? |
[ ] Should 'logout' be a form to not be followed by browser automatically? |
[ ] mail template mail/user/rename seems to not have the files! |
[ ] Add hints on how to share a branch with a third party? |
[ ] I can try to deduplicate the objects across all repos! |
[ ] Get rid of the replace of '.' with ',' in branch names. Maybe also in file |
names? Just use HTTP URL encoding? Keep backward compatibility! |
[ ] Add an Ansible playbook on Ansible site. |
[ ] rg_re_repo_http must be removed. |
[ ] If user does not provide an e-mail, I should not generate an internal error! |
[ ] recover password: we never show the username! If the user forgot the |
username, this is bad! |
[ ] https://tomu.im/ for 2fa |
[ ] Slack: shouldn't have a link to a diff not to a commit? |
[ ] user.inc - more cases when I have to send the http code? |
I am not really happy with 200 code! Check the source! |
[ ] When reading state from cache, we should retrieve the whole state array |
to have it locally. |
Already done? I think not. |
[ ] Log also HTTP_USER_AGENT (git/2.x.x for example) when fetching/pushing. |
We can extract statistics about what clients people use. |
[ ] nginx: investigate fastcgi_pass_request_body. |
[ ] Do update of the session, key used etc. after the page was delivered |
to the client to lower the delivery time. |
[ ] PHP reads 8192 bytes from /dev/urandom, I can read so much and keep that |
data and reuse it when necesary. |
[ ] q_ms seems to not be ok - always increasing and = with MAIN |
[ ] git_receive_pack: |
PHP ERROR: Unknown:0: Unknown: POST Content-Length of 8564467 bytes |
exceeds the limit of 8388608 bytes (errno=2) |
I need to send an error before processing data! |
Done! |
We may want admin to further limit it? |
[ ] For PostgreSQL stats: |
http://bonesmoses.org/2017/04/21/pg-phriday-who-died-and-made-you-boss-the-investigatining/ |
[ ] Test with lighttpd and nginx the git_big_push test. |
[ ] rg_exec: add a 'timout' parameter! |
[ ] When notify webhooks, add also the text with the log between old id |
and the new id: so people know what was pushed. |
Maybe also the test phase output? |
[ ] git-receive-pack processes seems to hang. |
Do we have a php-fpm config option? Or time limit php? |
rg_user_http_git: the time limit must go. |
And rg_exec must have a 'timeout' parameter. |
If nothing happens, just log an error and exit. |
probably, we have to test also if the connection is broken. |
[ ] Allow '<' and '>' in user/repo names? |
[ ] Fix "repo is empty" test. User may not have master branch! |
I think we need to test for this before calling rg_git_log. |
[ ] Write a tutorial in 'docs' using 'pass' and 'git'? |
[ ] Move VM stuff in 'docs' section? |
[ ] Add to docs? |
export GIT_CURL_VERBOSE=1 GIT_TRACE=1 GIT_TRACE_PACKET=1 |
[ ] https://hunleyd.github.io/posts/PostgreSQL-Streaming-Replication-In-10-Minutes/ |
[ ] https://developers.google.com/web/fundamentals/security/csp/ |
[ ] When changing repo properties, we may want to write this into the log |
(Last events). |
[ ] When pushing, warn users to not forget to push also the tags? |
[ ] rg_git_diff may be affected by the same problem as rg_git_log (big diff). |
[ ] Dis-allow webhook to connect to local services! |
Or, maybe, ask the user to prove that is the owner of the URL. |
[ ] rename tests/http_keys into admin_set_ssh? |
[ ] 'commit_url' is still used? |
[ ] CSRF https://seclab.stanford.edu/websec/csrf/csrf.pdf |
Use Origin header! |
[ ] Interface with Mastodon (https://github.com/halcy/MastodonToTwitter/blob/master/MastodonToTwitter.py) |
[ ] Interface with Twitter (http://dev.twitter.com/) |
[ ] Warn https users that Java version xxx cannot use https with DH > 2048! |
Do this in "hints"? Create a special page to describe this? |
"Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)" |
http://stackoverflow.com/questions/6851461/java-why-does-ssl-handshake-give-could-not-generate-dh-keypair-exception |
jre/lib/security/java.security: jdk.tls.disabledAlgorithms=SSLv3, DHE |
apache: http://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh |
[ ] Add docs about how to use let's encrypt. And make sure the rewrite will |
not block let's encrypt request! |
[ ] When I am on a merge request, "Pending" menu is not selected. |
[ ] "Source": make ids links. Also a diff. |
[ ] "Source" is not a proper name! Better: "History & files". |
Maybe replace "History" with "Log" and "Tree" and make the |
select of the branch/tag as a select. |
This is to not have another menu line. Is overkill. |
[ ] Document GIT_TRACE=1 in the hints? |
[ ] If a repo is empty, should I show "Tree" menu?! |
Or at least, do not show an error! |
[ ] Why do I not block the receiving of the commits in 'pre-receive' hook?! |
Because I cannot block individual commits. |
Still, if no rights are present, I can avoid receiving the data... |
[ ] robots.txt: disallow diffs to show in search engines: makes not sense. |
[ ] Allow companies to pay for support adds on projects. |
[ ] wh: store data in mongodb and other NoSQL & SQL dbs. |
[ ] Add a page with PostgreSQL stats and graphics. |
[ ] Add project to HackerOne? |
[ ] Add log_autovacuum_min_duration = 0 to log all autovacuum stuff. |
[ ] postgresql: Use wal_compression = on / full_page_writes = off? |
[ ] Do not report errors for old versions? |
[ ] Add the rg version to e-mails sent? At least the one with error reporting? |
[ ] comparison: Link "anonymous push" with the link to the doc. |
[ ] ToS: disallow filesystems over rg? |
[ ] Should I reissue the cookie if a token error appears? |
[ ] repo surgery: man git-filter-branch |
[ ] html5: new types: http://html5doctor.com/html5-forms-input-types/ |
[ ] WebAssembly: run rocketgit in a browser! |
[ ] Rate limit rg.com (both connlimit and x) |
[ ] ETag must not contain the inode (per vhost) |
Apache goes with a sane default. |
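Review bot: for the added webhook item ("Dis-allow webhook to connect to local services! Or, maybe, ask the user to prove that is the owner of the URL."), the ownership-proof alternative does not remove the risk, because a URL with a legitimate owner can still resolve to a loopback, private or link-local address at request time or after a redirect; implement the first option: resolve the hostname, reject loopback, RFC 1918 and link-local ranges, connect to the address that passed the check, and repeat the check on every redirect. For the urandom item ("PHP reads 8192 bytes from /dev/urandom, I can read so much and keep that data and reuse it when necesary."), a buffer kept across requests, whether in a worker's memory or a shared cache, hands the same bytes to different requests, and any buffer filled before php-fpm forks is inherited by every worker, so tokens should come from random_bytes() each time they are needed. The 'restrict' option in authorized_keys exists only since OpenSSH 7.2, so the generator should document that minimum server version. For the CSRF item ("Use Origin header!"), browsers do not send Origin on every request, so keep the per-session token and treat an Origin or Referer check as an additional layer rather than a replacement. For "Allow '<' and '>' in user/repo names?", the answer should stay no unless every place these names are rendered (pages, mails, webhook payloads) is verified to escape them.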