As for malleability, so anyone wanna say why that can't be done properly on its own without segwit?
Fair question as it's simple to implement.
When hashing the transaction data to generate a txid, simply skip over the signature data. Everything else stays the same.
Deployment and activation would be via a hard fork set at a certain block height.
This has been discussed before albeit in another thread.
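As an added illustration of the proposal in this post (not code from any poster, nor from Bitcoin Core), the Python below hashes a constructed one-input legacy transaction twice: once over the full serialization, as today, and once with every scriptSig replaced by an empty script, which is one reading of "skip over the signature data". The two scriptSig byte strings are placeholders standing in for two differently encoded signatures of the same spend.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double-SHA256 hash."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varint(n: int) -> bytes:
    """CompactSize encoding, covering the sizes used in this example."""
    if n < 0xfd:
        return bytes([n])
    if n <= 0xffff:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)

def serialize_tx(version, inputs, outputs, locktime, strip_sigs=False):
    """Legacy serialization. With strip_sigs=True every scriptSig is written
    as an empty script, so signature bytes never enter the hash (assumed
    reading of the proposal; real designs would have to pin this down)."""
    out = struct.pack("<i", version) + varint(len(inputs))
    for prev_txid, prev_index, script_sig, sequence in inputs:
        script = b"" if strip_sigs else script_sig
        out += prev_txid[::-1] + struct.pack("<I", prev_index)
        out += varint(len(script)) + script + struct.pack("<I", sequence)
    out += varint(len(outputs))
    for value, script_pubkey in outputs:
        out += struct.pack("<q", value) + varint(len(script_pubkey)) + script_pubkey
    return out + struct.pack("<I", locktime)

def txid(version, inputs, outputs, locktime, strip_sigs=False) -> str:
    """Hex txid in the usual displayed (byte-reversed) form."""
    raw = serialize_tx(version, inputs, outputs, locktime, strip_sigs)
    return dsha256(raw)[::-1].hex()

# Constructed sample values: dummy prevout, dummy P2PKH output, placeholder scriptSigs.
PREV_TXID = bytes.fromhex("11" * 32)
OUTPUTS = [(50_000, bytes.fromhex("76a914" + "22" * 20 + "88ac"))]
SIG_A = bytes.fromhex("47" + "30" * 71 + "21" + "02" + "33" * 32)  # not a real signature
SIG_B = bytes.fromhex("48" + "30" * 72 + "21" + "02" + "33" * 32)  # same spend, other bytes

def compare():
    """Return (legacy txids equal?, signature-stripped txids equal?)."""
    in_a = [(PREV_TXID, 0, SIG_A, 0xffffffff)]
    in_b = [(PREV_TXID, 0, SIG_B, 0xffffffff)]
    legacy_equal = txid(1, in_a, OUTPUTS, 0) == txid(1, in_b, OUTPUTS, 0)
    stripped_equal = txid(1, in_a, OUTPUTS, 0, True) == txid(1, in_b, OUTPUTS, 0, True)
    return legacy_equal, stripped_equal

if __name__ == "__main__":
    print(compare())  # (False, True)
```

The stripped id still commits to the prevout, outputs and locktime, but no longer to which signature bytes spend the input, so wallets and explorers that key on it must be prepared for the same id to arrive with different witness data.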
So what happens with transactions that are unconfirmed when that happens? Sure, the idea of it sounds simple, but deploying such a hard fork would be a major clusterfuck.