BUGS:

(1.24c fixed) Do config writeability permissions check, move
overly permissive readability check into Config package.

(1.24b fixed) Use right location for sysctl (/usr/sbin) on macOS
and right format for securelevel output on macOS (: instead of =).
Change process names of child processes.

(1.24a fixes) Added interrupt handler to passphrase input to
restore tty echo. Make macos.sigtree.conf name all lower case.

(1.24 fixes) Added safe_open_for_write helper to open and lock files
for writing (for changed files and specs) to not follow symlinks,
modified handle_open_request to not follow symlinks for privileged
opens for writing, tightened is_sigtree_managed_file checks to reject
directory traversal and be stricter about filenames, wipe $pgp_passphrase
from memory after use in get_pgp_passphrase.

(1.23a fixes) Added warning for config file and spec permissions
when group- and world-readable.

(1.23 fixes) Bug in critical-log (mtimestasis keyword) handling.

(1.21a fixes) Bug in handling link targets.

(1.20b fixes) Initialize on /dev takes forever for Proxmox/Debian Linux
(problem is /dev/core, default config now ignores).

(1.20b fixes) When -s <set name> is used, messages are still displayed for forking
children that are not being initialized.

if a tree is removed from config while present in the changed file,
update will not remove it from the changed file. (Shouldn't check do this with its call to reset_changed_file?)

when reporting change in mode, show the changed mode?

Doesn't report SHA digest changes or directory file changes for link targets.

Errors can sometimes occur if -s <bogussetname> is used.

If /var/db/sigtree/spec/host or /var/db/sigtree/secondary/spec/host is
in the changed file, initialize_specs doesn't take it out. (Have modified
update to permit updating a changed spec directory with version 1.14.)

FEATURES TO ADD:

Add a way to run check against a non-local host using a copy of the
specs, that has a different file system prefix (e.g., a backup or
separately mounted file system); it would pre-pend the prefix on the
files being checked. (Also support for update?) Need to think through
the pros and cons of verifying rsynced specs from the original host vs.
just running a separate initialize/check/update on the backup, which
would require a separate config.

Add sign_specs that signs (or re-signs) them all, perhaps as an option
to initialize_specs. Currently the only way to do that is re-initializing
each tree (i.e., initialize_specs doesn't do it).

Set user immutable or +i on changed file if immutable flags are used.

(DONE 1.22) Optional privilege separation, with -p or privsep: yes in
config file. Requires a _sigtree user and group.  Sigtree-managed
files remain owned by root.

(DONE) Allow forking child processes to run check_tree (e.g., using
Parallel::ForkManager; it will require adding 'proc' to pledge
and pledge can potentially be ratcheted down for the child
processes (which should inherit the same pledge/unveil of the
parent).
(DONE) Ditto for initialize.
(DONE)ToDo: add -f <N> option to specify number of children to allow (0-5?).

Allow sigtree to be used to check backups of multiple hosts, which
would require a --host <hostname> and --altroot <altroot-prefix>
option to check, check_file, check_specs.  (prefix would have to be
stuck on the front of each tree and unveiled). Also allow a random
sample (random files from random trees in a possibly specified set)
to be checked with check_file. [The original point of different hostname
dirs was to allow specs from multiple hosts to be in one place, but
it's not really practical unless implemented within sigtree itself
somehow, at least when immutability is used. Maybe import specs from
backup/check backup? Note that I don't backup some things that are
monitored -- e.g., binaries.]]

Should do more consistent escaping of potentially dangerous characters in filenames
that will be used in command lines. (DONE)

Could use append-only file flags to create checkpoint files for hashes
of spec files, which are verified at time of update (sappnd for primary,
uappnd for secondary, perhaps--or sappnd for secondary also).

On macOS have a mode or report that doesn't report details below directories
named "<name>.app". (DONE but is buggy)

Allow doing comparison of the contents of a sigtree database against a set
of directories that may be mounted or on an altroot, so that there is a
prefix on the directory name. This would probably need to be limited to
check, no initialize or update, and would probably require passing an
extra parameter around through a number of functions and packages.

Allow importing hashes from mtree and pkg db? Or sha2/3_create files?
  Or via config file reference to same? (Import sounds better.)
Add to config file a reference to file of system SHA hashes, and ability to
   check against that (hash check only). Ability to create such a file?
   (i.e., incorporate sha3_create/compare capability).

Add use of user immutability (uchg) for changed files.

Add ability to re-initialize signatures for all specs (initialize_specs doesn't
and probably shouldn't do that).

Add ability to auto-generate a configuration via interactive questions
about directories off the root directory (descending the tree on
demand).

Add ability to send notifications, with email addresses definable
per-set and per-tree. (Or more general API interface to functionality.)

Add ability to initialize new trees added to the conf file without
initializing anything else or having to put those trees into a special
set.  Perhaps create an implicit set called "new" or "uncreated" that
includes all and only trees without specifications. (Or via interactive
browsing feature.) ('new" set DONE)

Per-user sigtree conf files (~/.sigtree.conf ?), when run as non-root.
Allow setting root dir, spec dir in ~/.sigtree.conf; perhaps also
via environmental variables.

Add keyword(s) for cyclog/multilog dirs, so that it won't keep
commenting on every new addition to/deletion from the log directory
unless it somehow violates the format of a cyclog/multilog dir.
The reason this can't currently be done with exceptions is that
there is no flag to ignore file adds/deletions.  (With regexps,
you could get close, by having it ignore files in the directory
that are of the appropriate format.) [This can now be done with exceptions
using the "ignore" set:  exception-tree: logdir:IGN.]

Allow the ability to use reg exps (or limited regexps) in exception:
fields.  (Will require changing the subroutines underlying the
determination of primary set...)  Useful for, e.g., measuring
different things based on file suffixes.

Create an API layer to expose functionality for other tools.

Add functionality to facilitate remote execution (i.e., keep 
specifications on a secure bastion host, scp them (and the code)
out to each remote host, run the check, and summarize changes
for all hosts; run updates on all hosts and scp the specifications
back to the bastion host).  Use a client/server architecture.
GUI?  Showing hosts, files changed/added/deleted?

Or: add ability to detect changes in real-time and report back
to a central server.

Add the ability to attempt to correlate file changes with entries in
logs (in particular, in the sudo log --/var/log/security, where we can
come up with a username, and perhaps also with /var/log/messages).

Add support for Windows and MacOS.  (Will need to use File::Basename
in a lot of places.)  (Actually, this should already work on Mac OS X
now--or Cygwin.)

Add the ability to generate an mtree file from a spec. (low priority)
(And vice versa?)
