-TODO
-====
-
-Security checks
----------------
-
-### Security history
-
-The only past security issues I could find in GNU gettext and po4a
-are:
-
-- [CVE-2004-0966](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966),
- *i.e.* [Debian bug #278283](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278283):
- the autopoint and gettextize scripts in the GNU gettext package
- 1.14 and later versions, as used in Trustix Secure Linux 1.5
- through 2.1 and other operating systems, allows local users to
- overwrite files via a symlink attack on temporary files.
-- [CVE-2007-4462](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462):
- `lib/Locale/Po4a/Po.pm` in po4a before 0.32 allows local users to
- overwrite arbitrary files via a symlink attack on the
- gettextization.failed.po temporary file.
-
-**FIXME**: check whether this plugin would have been a possible attack
-vector to exploit these vulnerabilities.
-
-Depending on my mood, the lack of found security issues can either
-indicate that there are none, or reveal that no-one ever bothered to
-find (and publish) them.
-
-### PO file features
-
-Can any sort of directives be put in po files that will cause mischief
-(ie, include other files, run commands, crash gettext, whatever)?
-
-> No [documented](http://www.gnu.org/software/gettext/manual/gettext.html#PO-Files)
-> directive is supposed to do so. [[--intrigeri]]
-
-### Running po4a on untrusted content
-
-Are there any security issues on running po4a on untrusted content?
-
-To say the least, this issue is not well covered, at least publicly:
-
-- the documentation does not talk about it;
-- grep'ing the source code for `security` or `trust` gives no answer.
-
-On the other hand, a po4a developer answered my questions in
-a convincing manner, stating that processing untrusted content was not
-an initial goal, and analysing in detail the possible issues.
-
-#### Already checked
-
-- the core (`Po.pm`, `Transtractor.pm`) should be safe
-- po4a source code was fully checked for other potential symlink
- attacks, after discovery of one such issue
-- the only external program run by the core is `diff`, in `Po.pm` (in
- parts of its code we don't use)
-- `Locale::gettext`: only used to display translated error messages
-- Nicolas François "hopes" `DynaLoader` is safe, and has "no reason to
- think that `Encode` is not safe"
-- Nicolas François has "no reason to think that `Encode::Guess` is not
- safe". The po plugin nevertheless avoids using it by defining the
- input charset (`file_in_charset`) before asking `Transtractor` to
- read any file. NB: this hack depends on po4a internals to stay
- the same.
-
-#### To be checked
-
-##### Locale::Po4a modules
-
-- the modules we want to use have to be checked, as not all are safe
- (e.g. the LaTeX module's behaviour is changed by commands included
- in the content); they may use regexps generated from the content; we
- currently only use the `Text` module
-- the `Text` module does not run any external program
-- check that no module is loaded by `Chooser.pm`, when we tell it to
- load the `Text` one
-- `nsgmls` is used by `Sgml.pm`
-
-##### Text::WrapI18N