o Write a testsuite for all programs.
  | Jeff Bailey should be working on this, but isn't

o Write two libraries:
  - libpasswd for raw passwd/shadow file manipulation.
  - libutmpx for things that need that information.  That way we have a clean
    interface, despite the fact that the data will vary from system to system.

o Figure out the best Hurdish way to not need these to be SUID root.
  Might not be possible.

o Fix all programs to use is_*admin properly, including error-checking.

o Make sure that all users of strdup, strjoin, strjoinv,
  strsplit, malloc etc. check their return values.

o Security- and memleak-audit everything _thoroughly_.

o Make sure create_home_directory works properly.
  | Make directories created inside /home have the same user:group
  | and rights as /home itself, apart from the home-directories.

o Add a function that securely copies something recursively.

o Minimise the use of malloc/strncpy etc; prefer strdup, strjoin,
  asprintf, etc.

o add a configure-script for NGROUPS.

o Add PAM, NIS, and LDAP support.

o Make mkuser and mkgroup take a file as input to batch-create users.

o Use a better strategy when creating temporary files;
  while /etc isn't world-writable, it is still bad
  programming-practice to create temporary-files with
  predictable names.

o Add audits for file-operations.

o Add support for capabilities.

o Make chgrpmem remmems and remadms accept non-existing users,
  and ignore them; only warn if `--verbose' has been specified.

o Fix autoconf-usage; at the moment a lot of unconditional includes
  are in the *.c files; fix this!

o Possible failure-modes in configure:
  - No md5-support in crypt (can be worked around, but do we really
    want to give the user a false sense of security?)
  - No pwd.h, grp.h, or shadow.h (on systems that lack these
    it is unlikely that we're doing much good anyway...)

o Should we use EPERM or EACCES for incorrect password and
  insufficient privileges?

o Write a parser for mkgroup.default and mkuser.default.

o Update doc/timeline.txt to cover all intended programs.

o When we implement pwck and grpck, make sure there is an option to
  transition /etc/shadow and /etc/gshadow.  The other direction is less
  important, but should probably be supported as well, for sake of symmetry.

o Do we need to perform locking on /etc/shells?!

o Update manual-pages to cover usage-changes.

o Make things work on systems that lack support for shadow-passwords
  and/or just doesn't use them, and add possibility to use DES-passwords
  instead of MD5 (ugh!)

o Add options to explicitly specify MD5 or DES passwords.

o Make sure that all commands contain all *sane* functionality from the
  counterparts on other Unix-systems.

o Audit setuid/setgid behaviour, use:
	#ifdef _POSIX_SAVED_IDS
	seteuid(user_user_id);
	#else
	setreuid(geteuid(), getuid());
	#endif

	#ifdef _POSIX_SAVED_IDS
	setegid(user_group_id);
	#else
	setregid(getegid(), getgid());
	#endif

o Use mlock to make sure no passwords ever get swapped out.

o Make chuser and chgroup handle lack of shadow-files.

o chuser and chgroup cannot modify locked.

o `*' is disabled (no login), `!' is invalid (ssh key login for instance)

o Block clearout for wall, output cleanup for wall and write

o Investigate the syntax of chgrpmem further; should it be:
  chgrpmem -m + mem1 mem2, for compatibility? (or at least support that)

o Find out if negative values are valid for aging information

o Make attribute=value-pairs groups and admgroups for lsuser,
  and users and adms for lsgroup match on individual names rather than
  on an exact match

o The following needs to be changed to make everything work properly with
  sysconfdir:

	getpwnam:
		chage.c
		chfn.c
		chsh.c
		chuser.c
		lastlog.c
		lsuser.c
		sysutils.c

	getpwuid:
		lastlog.c
		sysutils.c
		wall.c
		write.c
		
	getpwent:
		sysutils.c --> fgetpwent()
	
	getspnam:
		chage.c
		libpasswd.c
		lsage.c
		sysutils.c
	
	getgrnam:
		chgroup.c
		chgrpmem.c
		chuser.c
		lsgroup.c
		mkuser.c
		rmgroup.c
		sysutils.c
	
	getgrgid:
		sysutils.c
	
	getgrent:
		sysutils.c --> fgetgrent()
	
	getsgnam:
		The implementation in gshadow.c/gshadow.h works
	
o add-shell/remove-shell/lastlog uses other functions that assume fixed
  paths.  Should we bother?

o Find a better way to output local time than _(%H:%M); this will only work
  when LC_TIME == LC_MESSAGES.  NOT good.  %X seems closest so far.

o Implement `-k, --keep-tokens' from passwd (only change password if
  it has not expired), but change the name of the option to something
  more sensible...

o Implement chpasswd and chgpasswd.

o Find out how to limit the scope of structs,
  so that different structs with the same name do not get merged by doxygen =/
