There's a large amount of work to do in rpminspect.  Any of the items below are
welcome contributions as well as bug fixes and other such updates.


INSPECTIONS
===========

The inspections in librpminspect do the work of the program.  There are
several now, but that can be expanded.  Here is a list of inspection ideas:

* abi

Runs 'abidiff' on ELF files in before and after packages to collect symbol
information and report on new or removed symbols.  This inspection should also
honor the rpminspect "ABI whitelist" as defined in the data/ subdirectory.
Additionally, SRPMs can contain Source* lines that specify *.abignore files
that should be used by abidiff in this inspection.

* kmi

Kernel Module Interface comparison and report using kmidiff.  This is the same
as the 'abi' test for ELF objects, but is strictly for kernel objects.  The
inspection should honor an optional kmi whitelist in the same context as the
"ABI whitelist" for the 'abi' test.

* config (in %files)


* doc (in %files)


* license (in %files)

The license inspection right now validates the short form in the License
header tag, but we should also make sure a license file is included in the
%files section of one of the packages.

* elflint

Run elflint on all ELF objects in before and after packages, report any
changes of gaining or losing things.  Also report architecture mismatches
based on the architecturt given by elflint and the architecture of the
package the file is in.  Needs special handling for vdso32- files and files
in the /usr/lib/grub directory.

* elfcheck

Run annocheck on ELF files and report changes.  Should skip the kernel and
kernel modules.  Check for losing or gaining any of these things in ELF
objects:

    execstack
    textrel
    relro
    built with -D_FORTIFY_SOURCE=N
    PIE
    PIC

Things appearing in the after package should be reported as RESULT_BAD and
require a security team waiver.  Things lost are the same way.  It might be a
better idea for each of these sub inspections to be their own inspection so
they can be individually enabled and disabled at runtime.


OTHER WORK
==========

- Test suite
      - Invoked via 'meson test'
      - Unit tests for librpminspect
      - Inspection test suite with valid and invalid data

- Documentation
      - User documentation
      - Developer documentation


NOTES ABOUT TESTS
=================

Aside from unit tests, we should have an integration test suite to validate the
functionality of the program when run against real builds.  Here are some notes
about tests to implement:

* Handle empty RPMs (i.e., missing RPMTAG_FILELIST).  This is legal and allows
  RPMs to just provide metadata.
