Recent changes to this wiki:

Added a comment
diff --git a/doc/forum/configuring_texlive_papersize/comment_1_e4c1bd36c3739d4dd9bf7316c9021a14._comment b/doc/forum/configuring_texlive_papersize/comment_1_e4c1bd36c3739d4dd9bf7316c9021a14._comment
new file mode 100644
index 00000000..ac85d2b3
--- /dev/null
+++ b/doc/forum/configuring_texlive_papersize/comment_1_e4c1bd36c3739d4dd9bf7316c9021a14._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-09-18T22:17:07Z"
+ content="""
+I have this (the laptop is otherwise en_GB):
+
+    -- iris is in the US
+    & \"en_US.UTF-8\" `Locale.selectedFor`
+    	[ \"LC_PAPER\"
+    	, \"LC_ADDRESS\"
+    	, \"LC_MONETARY\"
+    	, \"LC_TELEPHONE\"
+    	, \"LC_TIME\"
+    	]
+    & \"/etc/papersize\" `File.hasContent` [\"letter\"]
+    	`onChange` Apt.reConfigure \"libpaper1\" []
+
+"""]]

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_7_054a8fa511b28ba6a299e3dfd9ed4dd6._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_7_054a8fa511b28ba6a299e3dfd9ed4dd6._comment
new file mode 100644
index 00000000..ca5cf43d
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_7_054a8fa511b28ba6a299e3dfd9ed4dd6._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 7"
+ date="2018-09-17T21:57:48Z"
+ content="""
+Database is a database name.
+
+I will make the change as soon as I have some time, thanks for the review!
+"""]]

diff --git a/doc/forum/configuring_texlive_papersize.mdwn b/doc/forum/configuring_texlive_papersize.mdwn
new file mode 100644
index 00000000..1890887d
--- /dev/null
+++ b/doc/forum/configuring_texlive_papersize.mdwn
@@ -0,0 +1 @@
+I just observed that installing texlive via propellor means I have A4 paper chose as a default. Which is all very good from an ideological point of view, but it means I can't submit this grant application ;).  Is it worth having a propellor property that runs paperconfig?

comment
diff --git a/doc/todo/Apt.trustsKey_should_not_invoke_apt-key/comment_1_49003d4fdd0e75d477415cb0bb6bbd3c._comment b/doc/todo/Apt.trustsKey_should_not_invoke_apt-key/comment_1_49003d4fdd0e75d477415cb0bb6bbd3c._comment
new file mode 100644
index 00000000..67ad5260
--- /dev/null
+++ b/doc/todo/Apt.trustsKey_should_not_invoke_apt-key/comment_1_49003d4fdd0e75d477415cb0bb6bbd3c._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-09-17T18:16:56Z"
+ content="""
+Fine by me as long as it cleans up or overwrites the file that apt-key
+installed earlier.
+"""]]

review
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_6_8ebb3d150b06c086d8ad45b9d994877f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_6_8ebb3d150b06c086d8ad45b9d994877f._comment
new file mode 100644
index 00000000..bd924fed
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_6_8ebb3d150b06c086d8ad45b9d994877f._comment
@@ -0,0 +1,41 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 6"""
+ date="2018-09-17T17:21:52Z"
+ content="""
+Some review, sorry it took me so long to take a look at it..
+
+It's not clear to me how to construct a `Database`;
+what is the `String` inside it? The path? A database name?
+What makes for a legal or illegal database name?
+(May be more obvious to people who use mysql than to me.)
+
+Looks like `Show Privilege` is being used to generate configuration.
+I dislike using `Show` for that, because it precludes it being used with
+Read, and is generally unclear that the strings in show need to be
+formatted exactly as they are.
+
+You could simplify allPrivileges using `Enum`,
+with `[minBound..maxBound]`.
+
+Reverting `databaseExists` and also reverting `installed`
+leads to the package being installed and then removed repeatedly.
+Perhaps `databaseExists` could avoid doing anything when the
+server has already been removed.
+
+Some of the SQL construction doesn't seem entirely safe with quoting.
+While there's no security problem with it, it may have a correctness
+problem..
+
+... In `userGrantedOnDatabase` when it creates the privLevel
+it looks like it doesn't escape the dbname at all,
+and I guess this means it doesn't need to be escaped, or
+can't contain back quotes.
+
+... In `userGranted'` the quser is delimited by single quotes,
+but it's actually valid to have a `User` with a single quote in their name,
+and many of the Klingons out there probably depend on that.
+
+... In `hashPassword` it looks like the password is also assumed to not
+contain single quotes.
+"""]]

todo
diff --git a/doc/todo/apt_mark_support.mdwn b/doc/todo/apt_mark_support.mdwn
new file mode 100644
index 00000000..50591222
--- /dev/null
+++ b/doc/todo/apt_mark_support.mdwn
@@ -0,0 +1,27 @@
+I'd like a property that removes all packages that were not installed by
+the current set of propellor properties. For systems that are fully
+specified by propellor, this would keep the cruft from piling up.
+
+This could be done using apt-mark. Before propellor installs anything with
+apt, go through the apt-mark list and set all packages to auto. When apt is
+run to install a package, it will mark it as manually installed. Since
+Apt.installed skips running apt when packages are already installed, it
+would need to either be changed to run apt anyway, or to run apt-mark
+manual. And then after all other properties, run apt-get autoremove.
+
+Running the autoremove at the end is supported by the propellor monad,
+but there's currently no way to run something before all properties.
+The first Apt.install to run could handle the apt-mark-list-to-auto part,
+although there's also not currently any state for the property to keep
+track of if it's run before.
+
+It would also be possible to not do the apt-mark at the beginning. Instead,
+make the Propellor monad a Writer (polymorphized somehow perhaps like Info
+is) and have Apt.install track the packages that are installed. (Or it
+could be changed to a HasInfo property, and then the list of packages would
+accumulate in Info, but there are likely things that use Apt.installed
+inside ensureProperty which that would cause problems for.) 
+
+Either way, an action run at the end can then update the apt-mark data to
+reflect the gathered list of packages, and run apt-get autoremove.
+--[[Joey]]

Added a comment
diff --git a/doc/forum/bind_mounting_in_Sbuild_chroots/comment_1_0f41fc776bb0d595af239f087e5a1d35._comment b/doc/forum/bind_mounting_in_Sbuild_chroots/comment_1_0f41fc776bb0d595af239f087e5a1d35._comment
new file mode 100644
index 00000000..71927311
--- /dev/null
+++ b/doc/forum/bind_mounting_in_Sbuild_chroots/comment_1_0f41fc776bb0d595af239f087e5a1d35._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-09-08T16:54:24Z"
+ content="""
+You could use
+
+    & File.containsLine \"/etc/schroot/sbuild/fstab\" \"...\"
+
+but yes, I think it's cleaner to use the sbuild chroots only for building, and for interactive use some other chroot.
+"""]]

diff --git a/doc/forum/bind_mounting_in_Sbuild_chroots.mdwn b/doc/forum/bind_mounting_in_Sbuild_chroots.mdwn
new file mode 100644
index 00000000..f2fb8e11
--- /dev/null
+++ b/doc/forum/bind_mounting_in_Sbuild_chroots.mdwn
@@ -0,0 +1,2 @@
+I typically bind mount some user writable directory into an Sbuild chroot, so that I can e.g. access in a git repo or package to install.
+Is there a clean way to do this with propellor's Sbuild module, or is the intent maintain a seperate container / chroot of some kind for interactive debugging?

create new bug
diff --git a/doc/todo/Apt.trustsKey_should_not_invoke_apt-key.mdwn b/doc/todo/Apt.trustsKey_should_not_invoke_apt-key.mdwn
new file mode 100644
index 00000000..d2f9e6db
--- /dev/null
+++ b/doc/todo/Apt.trustsKey_should_not_invoke_apt-key.mdwn
@@ -0,0 +1,9 @@
+[Over at the Debian BTS](https://bugs.debian.org/907290), David Bremner points out that the apt-key manpage, on Debian stable, says
+
+> Instead of using this [add] [sub]command a keyring should be placed
+> directly in the /etc/apt/trusted.gpg.d/ directory with a
+> descriptive name and either "gpg" or "asc" as file extension.
+
+So ISTM that `Apt.trustsKey` should be implemented simply with `File.hasContents`, i.e., the property should delete any old `.gpg` file and then create a `.asc` file with the text  string content of the `AptKey`.
+
+--spwhitton

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_5_10eb776b64b213ca8f8166aacfba9a4d._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_5_10eb776b64b213ca8f8166aacfba9a4d._comment
new file mode 100644
index 00000000..df119fe7
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_5_10eb776b64b213ca8f8166aacfba9a4d._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 5"
+ date="2018-08-31T20:53:01Z"
+ content="""
+Also added a function to grant global privileges, useful for a backup user.
+"""]]

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_4_22895a34904df9023fcdac0b3937a7c5._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_4_22895a34904df9023fcdac0b3937a7c5._comment
new file mode 100644
index 00000000..786da77a
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_4_22895a34904df9023fcdac0b3937a7c5._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 4"
+ date="2018-08-30T21:14:32Z"
+ content="""
+Hello,
+
+I have made a first version to support MySQL databases and users for classic web applications.
+
+You can pull the mysql branch at http://git.ni.fr.eu.org/nicolas/propellor.git
+
+Can you have a look? I find userGrantedOnDatabase.setup' a little hard to read. Is it OK, or do you see a clearer way to write it?
+
+Thanks!
+"""]]

Added a comment: OIC
diff --git a/doc/forum/integration_with_gitolite/comment_6_232d8ab023d060d7d9c000e4c6783ef8._comment b/doc/forum/integration_with_gitolite/comment_6_232d8ab023d060d7d9c000e4c6783ef8._comment
new file mode 100644
index 00000000..80130d5b
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_6_232d8ab023d060d7d9c000e4c6783ef8._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="OIC"
+ date="2018-08-27T14:14:09Z"
+ content="""
+Oh, I see now we are doing essentially the same thing. For those of you following along at home, mine is using that cryptic path because for the key because I am using both gitolite's native key handling and propellor to install keys.
+"""]]

Added a comment
diff --git a/doc/forum/integration_with_gitolite/comment_5_1e71a38b32148228b94c7429e721685f._comment b/doc/forum/integration_with_gitolite/comment_5_1e71a38b32148228b94c7429e721685f._comment
new file mode 100644
index 00000000..8a1e6473
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_5_1e71a38b32148228b94c7429e721685f._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 5"
+ date="2018-08-26T17:14:20Z"
+ content="""
+It's these lines:
+
+	-- make my SSH key available to gitolite
+	& File.hasContent \"/srv/git/.gitolite/keydir/spwhitton.pub\"
+		[SPW.mySSHKey]
+	`onChange` (userScriptProperty (User \"git\")
+		[\"gitolite compile\", \"gitolite trigger POST_COMPILE\"]
+		`assume` MadeChange)
+"""]]

comment
diff --git a/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_3_48fe0419c259c9555b6349c3221a80a0._comment b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_3_48fe0419c259c9555b6349c3221a80a0._comment
new file mode 100644
index 00000000..ae45baec
--- /dev/null
+++ b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_3_48fe0419c259c9555b6349c3221a80a0._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-08-26T15:14:50Z"
+ content="""
+One approach would be to have a property like spwhitton suggests,
+and use it with the `Apt.robustly` combinator. That way, when you update
+the config to specify a new package version, and apt fails to install it,
+propellor will run apt update and then retry the install.
+"""]]

comment
diff --git a/doc/todo/spin_failure_HEAD/comment_4_684adfe4d134b4e27ed00db62f8e3372._comment b/doc/todo/spin_failure_HEAD/comment_4_684adfe4d134b4e27ed00db62f8e3372._comment
new file mode 100644
index 00000000..3f6aebcb
--- /dev/null
+++ b/doc/todo/spin_failure_HEAD/comment_4_684adfe4d134b4e27ed00db62f8e3372._comment
@@ -0,0 +1,43 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-08-26T14:50:22Z"
+ content="""
+As far as I know, this was fixed in a series of commits,
+[[!commit 01fc1375cece096ab2dec480b843ecdbc4f0d94e]]
+[[!commit 1555c6f88a0446d3e29149eff8315817696731e1]]
+[[!commit 53fe5ffaac4a243bb9fd3cf0e757128150a6a199]]
+
+The problem was intermittent for me, I think based on network timing and
+different buffering behavior with different timings,
+which made it hard to debug, but I've not seen it since and I was seeing it
+frequently enough to be fairly sure I fixed it.
+
+So I wonder if you might have some sort of version skew issue on the host
+being spun (eg, it could have an old version of propellor installed and be
+failing before spin can update it to the fixed version). The easy way to
+verify you have the fixed version is to run `git config propellor.debug 1`
+in /usr/local/propellor/ on the host being spun, and look for
+"--upload-pack ./propellor --gitpush" in a debug message.
+
+If you're confident the remote propellor has the above commits in it,
+you're going to need to do some debugging.
+Setting `GIT_TRACE_PACKET=1` on the remote system was very helpful in
+understanding the problem, and should probably be your first step.
+Setting that environment inside Propellor.Spin.gitPullFromUpdateServer
+should work, of course you'll have to get the remote host to build
+propellor with that change somehow despite --spin to it not working.
+
+	diff --git a/src/Propellor/Spin.hs b/src/Propellor/Spin.hs
+	index 4a945e82..aa73e3b7 100644
+	--- a/src/Propellor/Spin.hs
+	+++ b/src/Propellor/Spin.hs
+	@@ -359,6 +359,7 @@ spinCommitMessage = "propellor spin"
+	 -- to receive the data.
+	 gitPullFromUpdateServer :: IO ()
+	 gitPullFromUpdateServer = req NeedGitPush gitPushMarker $ \_ -> do
+	+	setEnv "GIT_TRACE_PACKET" "1" True
+	 	-- IO involving stdin can cause data to be buffered in the Handle
+ 		-- (even when it's set NoBuffering), but we need to pass a FD to
+	 	-- git fetch containing all of stdin after the gitPushMarker,
+"""]]

fix html
diff --git a/doc/todo/spin_failure_HEAD.mdwn b/doc/todo/spin_failure_HEAD.mdwn
index 1a591b35..e49df633 100644
--- a/doc/todo/spin_failure_HEAD.mdwn
+++ b/doc/todo/spin_failure_HEAD.mdwn
@@ -81,7 +81,7 @@ Sending privdata (73139 bytes) to kite.kitenet.net ... done
 [2017-06-18 16:31:16 EDT] received marked GITPUSH
 [2017-06-18 16:31:16 EDT] command line:  GitPush 11 12
 16:31:16.361717 pkt-line.c:80           packet:        fetch< 17abde8439d17d49676f549f357f45eb2adce868 refs/remotes/db48x/master
-<pre>
+</pre>
 
 > > So there's an actual protocol error here; the first 13 lines
 > > of git protocol were not sent.

response
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_3_1aa2a2c87eab63305143768575c2f0d9._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_3_1aa2a2c87eab63305143768575c2f0d9._comment
new file mode 100644
index 00000000..f76ac16c
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_3_1aa2a2c87eab63305143768575c2f0d9._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-08-26T14:34:18Z"
+ content="""
+@david, you might need to edit your config.cabal and specify a newer
+propellor version, although cabal usually picks the most recent version of
+a dependency. Propellor got the patch from this page in version 5.3.4.
+
+Anyway, I don't think the version of propellor matters, the error message
+you quote is related to
+<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844724>.
+I think that the apt key you're using has been generated on a newer system
+and won't work with older gpg.
+"""]]

Added a comment: pulling from a central repo via ssh
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_4_75a0a229527a7c0c1633b4bd8e461607._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_4_75a0a229527a7c0c1633b4bd8e461607._comment
new file mode 100644
index 00000000..e60cd5bb
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_4_75a0a229527a7c0c1633b4bd8e461607._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="pulling from a central repo via ssh"
+ date="2018-08-25T18:50:39Z"
+ content="""
+I ended up updating to a more recent propellor for other reasons, but here's my hack to have propellor fetch over ssh:
+[[!format haskell \"\"\"
+rootSsh :: Property (HasInfo + UnixLike)
+rootSsh = propertyList \"ssh setup for root\" $ props
+  & Ssh.userKeyAt (Just keypath) (User \"root\") (Context \"propellor\") (SshRsa, Tethera.Keys.propellor_deploy_ssh)
+  & Ssh.knownHost hosts \"gitolite.tethera.net\" (User \"root\")
+  & File.containsBlock configpath [ \"Host propellor-deploy\"
+                               , \"     Hostname gitolite.tethera.net\"
+                               , \"     User git\"
+                               , \"     IdentityFile ~/.ssh/propellor_deploy\"
+                               ]
+  where
+    keypath = \"/root/.ssh/propellor_deploy\"
+    configpath = \"/root/.ssh/config\"
+\"\"\"]]
+
+Propellor is used to initially deply a passwordless role key that can be used to pull from the central repo.
+One thing that surprised me a bit is that Ssh.userKeyAt expects an absolute path, or a path relative to /usr/local/propellor.
+
+
+"""]]

Added a comment: version 2
diff --git a/doc/forum/integration_with_gitolite/comment_4_448d79859b2b35e1731adfaa460aa844._comment b/doc/forum/integration_with_gitolite/comment_4_448d79859b2b35e1731adfaa460aa844._comment
new file mode 100644
index 00000000..2aaacf0b
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_4_448d79859b2b35e1731adfaa460aa844._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="version 2"
+ date="2018-08-25T17:25:03Z"
+ content="""
+I didn't see how you were handling keys, Sean. Did I miss something obvious or are you handling them outside propellor?
+
+Anyway, here's my second version
+[[!format haskell \"\"\"
+gitoliteKeys :: User -> [(FilePath, String)] -> Property UnixLike
+gitoliteKeys user@(User username) keys = property' (\"set up gitolite keys for \" ++ username) $ \w -> do
+      home <- liftIO (User.homedir user)
+      ensureProperty w $ go home
+  where
+    go :: FilePath -> Property UnixLike
+    go home = installKeys keys
+                `onChange` recompile
+                `requires` File.dirExists keydir
+        where
+          keydir = home </> \".gitolite/keydir/zzz/propellor\"
+          recompile = Cmd.userScriptProperty user [ \"gitolite trigger POST_COMPILE\" ]
+                      `changesFile` (home </> \"gitolite/.ssh/authorized_keys\")
+          installKeys :: [(FilePath, String)] -> Property UnixLike
+          installKeys [] = doNothing
+          installKeys ((path, content):rest) = File.hasContent (keydir </> path ++ \".pub\") [content]
+                                               `before` installKeys rest
+\"\"\"]]
+
+I spent a while talking to the gitolite author, and managed to write something more optimal than \"gitolite trigger POST_COMPILE\", but then I realized that
+had my username hardcoded into it. So it takes about 1s longer to run, but is more robust this way.
+
+"""]]

removed
diff --git a/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment b/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment
deleted file mode 100644
index 3a02b96e..00000000
--- a/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment
+++ /dev/null
@@ -1,33 +0,0 @@
-[[!comment format=mdwn
- username="david"
- avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
- subject="getting closer"
- date="2018-08-25T17:16:48Z"
- content="""
-maybe I suffer from Haskell blindness, but I didn't see how you handled keys
-
-here's my latest revision
-[[!format haskell \"\"\"
-gitoliteKeys :: User -> [(FilePath, String)] -> Property UnixLike
-gitoliteKeys user@(User username) keys = property' (\"set up gitolite keys for \" ++ username) $ \w -> do
-      home <- liftIO (User.homedir user)
-      ensureProperty w $ go home
-  where
-    go :: FilePath -> Property UnixLike
-    go home = installKeys keys
-                `onChange` recompile
-                `requires` File.dirExists keydir
-        where
-          keydir = home </> \".gitolite/keydir/zzz/propellor\"
-          recompile = Cmd.userScriptProperty user [ \"gitolite ../triggers/post-compile/ssh-authkeys\"
-                                                  , \"gitolite ../triggers/post-compile/ssh-authkeys-shell-users bremner\"
-                                                  ]
-                      `changesFile` (home </> \"gitolite/.ssh/authorized_keys\")
-          installKeys :: [(FilePath, String)] -> Property UnixLike
-          installKeys [] = doNothing
-          installKeys ((path, content):rest) = File.hasContent (keydir </> path ++ \".pub\") [content]
-                                               `before` installKeys rest
-\"\"\"]]
-
-It still has one piece of hardcoding in it (the shell user bremner)
-"""]]

Added a comment: getting closer
diff --git a/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment b/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment
new file mode 100644
index 00000000..3a02b96e
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_4_acaa1d125ea406c2a5617a4effc4b115._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="getting closer"
+ date="2018-08-25T17:16:48Z"
+ content="""
+maybe I suffer from Haskell blindness, but I didn't see how you handled keys
+
+here's my latest revision
+[[!format haskell \"\"\"
+gitoliteKeys :: User -> [(FilePath, String)] -> Property UnixLike
+gitoliteKeys user@(User username) keys = property' (\"set up gitolite keys for \" ++ username) $ \w -> do
+      home <- liftIO (User.homedir user)
+      ensureProperty w $ go home
+  where
+    go :: FilePath -> Property UnixLike
+    go home = installKeys keys
+                `onChange` recompile
+                `requires` File.dirExists keydir
+        where
+          keydir = home </> \".gitolite/keydir/zzz/propellor\"
+          recompile = Cmd.userScriptProperty user [ \"gitolite ../triggers/post-compile/ssh-authkeys\"
+                                                  , \"gitolite ../triggers/post-compile/ssh-authkeys-shell-users bremner\"
+                                                  ]
+                      `changesFile` (home </> \"gitolite/.ssh/authorized_keys\")
+          installKeys :: [(FilePath, String)] -> Property UnixLike
+          installKeys [] = doNothing
+          installKeys ((path, content):rest) = File.hasContent (keydir </> path ++ \".pub\") [content]
+                                               `before` installKeys rest
+\"\"\"]]
+
+It still has one piece of hardcoding in it (the shell user bremner)
+"""]]

Added a comment: just needs Apt.update?
diff --git a/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_2_7a911c68e4c81031c98dbefce730ade8._comment b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_2_7a911c68e4c81031c98dbefce730ade8._comment
new file mode 100644
index 00000000..8e74d21f
--- /dev/null
+++ b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_2_7a911c68e4c81031c98dbefce730ade8._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="just needs Apt.update?"
+ date="2018-08-25T13:04:50Z"
+ content="""
+Thinking about this a bit more, it should be enough to require Apt.update once per host, then rely on Apt.installed to do the right thing. I'll have to test this next time I roll out a new version. In theory I could run apt.update for a single source, but that seems to be tricky on the apt level.
+"""]]

Added a comment
diff --git a/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_1_6a73c8b0de1999f05af184bf63ad014a._comment b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_1_6a73c8b0de1999f05af184bf63ad014a._comment
new file mode 100644
index 00000000..98fb61eb
--- /dev/null
+++ b/doc/forum/making_sure_a_package_is_at_the_latest_version/comment_1_6a73c8b0de1999f05af184bf63ad014a._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-08-24T23:12:17Z"
+ content="""
+The existing properties cannot do what you want.  You are going to need to write a new one.  Simplest implementation would be something that calls `apt-get install foo=1.2.3`.
+"""]]

Added a comment: definitely network related
diff --git a/doc/todo/spin_failure_HEAD/comment_3_952939a1333d6fc24ed288a80b76f168._comment b/doc/todo/spin_failure_HEAD/comment_3_952939a1333d6fc24ed288a80b76f168._comment
new file mode 100644
index 00000000..98d7f18b
--- /dev/null
+++ b/doc/todo/spin_failure_HEAD/comment_3_952939a1333d6fc24ed288a80b76f168._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="definitely network related"
+ date="2018-08-24T13:58:49Z"
+ content="""
+I can spin the same host from a different host on the office LAN (in fact they are connected to a cheapo hub, so that might not be much of a test), and from itself. So I guess it definitely has to do with networking. Does propellor need anything other than port 22 open?
+"""]]

Added a comment: still in 5.4.1, but only on one machine
diff --git a/doc/todo/spin_failure_HEAD/comment_2_a9b7013305a7f8d58175510b57bbadd2._comment b/doc/todo/spin_failure_HEAD/comment_2_a9b7013305a7f8d58175510b57bbadd2._comment
new file mode 100644
index 00000000..a8866294
--- /dev/null
+++ b/doc/todo/spin_failure_HEAD/comment_2_a9b7013305a7f8d58175510b57bbadd2._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="still in 5.4.1, but only on one machine"
+ date="2018-08-24T10:11:16Z"
+ content="""
+I updated to 5.4.1, and I still consistenly see this trying to spin my office computer from home. Weirdly a VM running Debian stretch on the same network does not repropduce. I'll have to try from a different machine on the office network to see if that makes a difference.
+"""]]

Added a comment: still in 5.3.6
diff --git a/doc/todo/spin_failure_HEAD/comment_1_9c7d9ae7860d9cfc28e7d015b015dc2e._comment b/doc/todo/spin_failure_HEAD/comment_1_9c7d9ae7860d9cfc28e7d015b015dc2e._comment
new file mode 100644
index 00000000..8fb8a027
--- /dev/null
+++ b/doc/todo/spin_failure_HEAD/comment_1_9c7d9ae7860d9cfc28e7d015b015dc2e._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="david@1439a1cab13195a56248b6a8fd98a62028bcba8a"
+ nickname="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="still in 5.3.6"
+ date="2018-08-24T02:12:44Z"
+ content="""
+I'm seeing this problem in 5.3.6, but only when the remote is Debian stable. Both ends are running 5.3.6 built from source.
+"""]]

Added a comment: GPG keybox database version 1
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_2_d5d1611896fa72bda22e5406285ade2e._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_2_d5d1611896fa72bda22e5406285ade2e._comment
new file mode 100644
index 00000000..90151369
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_2_d5d1611896fa72bda22e5406285ade2e._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject=" GPG keybox database version 1"
+ date="2018-08-24T00:29:50Z"
+ content="""
+I have propellor 5.3.6 running on debian testing. If I spin to the testing host, trustsKey works fine. On stretch I get at 'GPG keybox database version 1' installed. I guess on stretch it's still building propellor from the old sources? In any case, gpg doesn't know what do do with that keybox file (i.e. gpg < file craps out). Weird but true. In any case this breaks apt-key on that host, which is unfortunate. I guess I'll try overriding the trustsKey function in my config.hs
+
+"""]]

Added a comment: Still biting me
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_3_6f6485b10beb3e371c6f5371a9a9c2c4._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_3_6f6485b10beb3e371c6f5371a9a9c2c4._comment
new file mode 100644
index 00000000..6b32f1bb
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_3_6f6485b10beb3e371c6f5371a9a9c2c4._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="david@1439a1cab13195a56248b6a8fd98a62028bcba8a"
+ nickname="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="Still biting me"
+ date="2018-08-23T20:32:18Z"
+ content="""
+I have a similar problem with inaccessible central repo. This crash is still biting me when spinning from a Debian stable (stretch) host to itself.
+I could potentially make the central repo accessible via adding a key, but I think the pull is too early in the process for that work out. Any other ideas? Can I just turn off this pull for some hosts?
+"""]]

Added a comment
diff --git a/doc/forum/integration_with_gitolite/comment_3_394a42544ad97e30a8e28ed10de7cd3c._comment b/doc/forum/integration_with_gitolite/comment_3_394a42544ad97e30a8e28ed10de7cd3c._comment
new file mode 100644
index 00000000..1cab310c
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_3_394a42544ad97e30a8e28ed10de7cd3c._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 3"
+ date="2018-08-23T19:59:13Z"
+ content="""
+It's not a proper module, but my gitolite setup is here: https://git.spwhitton.name/propellor/tree/src/Propellor/Property/SiteSpecific/SPW/Sites.hs#n200
+"""]]

Added a comment: first attempt
diff --git a/doc/forum/integration_with_gitolite/comment_2_42d3e861e2044479523609ff7b339f6b._comment b/doc/forum/integration_with_gitolite/comment_2_42d3e861e2044479523609ff7b339f6b._comment
new file mode 100644
index 00000000..ab7cc893
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_2_42d3e861e2044479523609ff7b339f6b._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="david@1439a1cab13195a56248b6a8fd98a62028bcba8a"
+ nickname="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="first attempt"
+ date="2018-08-23T13:36:52Z"
+ content="""
+Here's my first attempt, so you can snicker at my clumsy Haskell.
+
+<pre>
+gitoliteKeys :: User -> Property UnixLike
+gitoliteKeys user@(User username) = property' (\"set up gitolite keys for \" ++ username) $ \w -> do
+      home <- liftIO (User.homedir user)
+      ensureProperty w $ go home
+  where
+    go :: FilePath -> Property UnixLike
+    go home = File.hasContent (home </> \".gitolite/keydir/zzz/propellor\" </> \"bremner@propellor.pub\")
+                        [ Tethera.Keys.bremner_ssh ]
+              `before`
+              (Cmd.userScriptProperty user [ \"gitolite compile\", \"gitolite trigger POST_COMPILE\" ]
+                           `changesFile` (home </> \"gitolite/.ssh/authorized_keys\"))
+</pre>
+
+
+I think the next step is something like 
+<pre>
+Directory.hasContent :: FilePath -> [ (FilePath, [Line]) ] -> Property UnixLike
+</pre>
+"""]]

Added a comment: "For people who use puppet and similar systems"
diff --git a/doc/forum/integration_with_gitolite/comment_1_b2989bbf9e980ceebf2f4cccd4d379e1._comment b/doc/forum/integration_with_gitolite/comment_1_b2989bbf9e980ceebf2f4cccd4d379e1._comment
new file mode 100644
index 00000000..2432b063
--- /dev/null
+++ b/doc/forum/integration_with_gitolite/comment_1_b2989bbf9e980ceebf2f4cccd4d379e1._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="david@1439a1cab13195a56248b6a8fd98a62028bcba8a"
+ nickname="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="&quot;For people who use puppet and similar systems&quot;"
+ date="2018-08-23T01:46:30Z"
+ content="""
+Probably the sane way is to [not use the gitolite-admin repo](http://gitolite.com/gitolite/odds-and-ends/#administering-gitolite-directly-on-the-server). Aside from being unfamiliar, that means I have to deal with a bunch small config files (say 50 - 100) in propellor. So far I'm not loving the idea of converting them all to Haskell, even with a script. But maybe I'll come around to it.
+
+
+"""]]

diff --git a/doc/forum/integration_with_gitolite.mdwn b/doc/forum/integration_with_gitolite.mdwn
new file mode 100644
index 00000000..956d35c3
--- /dev/null
+++ b/doc/forum/integration_with_gitolite.mdwn
@@ -0,0 +1,2 @@
+Does anyone have any experience with integrating propellor and gitolite? I'd be happy with just ssh pubkey management.
+There seem to be two main options. The typical way of managing a gitolite site is by pushing a special git repository "gitolite-admin". There are also a script called [ukm](http://gitolite.com/gitolite/ukm.html). I'm not sure what will be the least hassle. Currently I have to manually commit and push various keys (including the keys needed for access to the propellor repos). Part of the problem could be solved by making the propellor repos available anonymously, but I still have my own ssh key(s) to manage.

removed
diff --git a/doc/forum/spinning_localhost.mdwn b/doc/forum/spinning_localhost.mdwn
deleted file mode 100644
index ac8b4d50..00000000
--- a/doc/forum/spinning_localhost.mdwn
+++ /dev/null
@@ -1 +0,0 @@
-I have several machines that don't have internet facing domain-names / IP addresses. They can pull, but they (easily) can't be pushed to. I guess I can manually spin them (or run cron jobs). I guess I need to manually add a unique hostname to each /etc/hosts, which sounds like a job for propellor, not for a human. Does anyone have any good setups to share for this kind of scenario? 

diff --git a/doc/forum/spinning_localhost.mdwn b/doc/forum/spinning_localhost.mdwn
new file mode 100644
index 00000000..ac8b4d50
--- /dev/null
+++ b/doc/forum/spinning_localhost.mdwn
@@ -0,0 +1 @@
+I have several machines that don't have internet facing domain-names / IP addresses. They can pull, but they (easily) can't be pushed to. I guess I can manually spin them (or run cron jobs). I guess I need to manually add a unique hostname to each /etc/hosts, which sounds like a job for propellor, not for a human. Does anyone have any good setups to share for this kind of scenario? 

rename forum/versioned_depends.mdwn to forum/making_sure_a_package_is_at_the_latest_version.mdwn
diff --git a/doc/forum/versioned_depends.mdwn b/doc/forum/making_sure_a_package_is_at_the_latest_version.mdwn
similarity index 100%
rename from doc/forum/versioned_depends.mdwn
rename to doc/forum/making_sure_a_package_is_at_the_latest_version.mdwn

diff --git a/doc/forum/versioned_depends.mdwn b/doc/forum/versioned_depends.mdwn
new file mode 100644
index 00000000..5eff9424
--- /dev/null
+++ b/doc/forum/versioned_depends.mdwn
@@ -0,0 +1,13 @@
+The following property sets up my wacky outbound mail setup.
+<pre>
+smtpLeaf :: Property (HasInfo + DebianLike)
+smtpLeaf = propertyList "smtp leaf node" $ props
+         & Apt.installed["nullmailer", "bsd-mailx"]
+         & File.hasPrivContent "/etc/nullmailer/remotes" anyContext
+         & tetheraApt
+         & Apt.installed ["nullmailer-extras"] & Apt.update & Apt.upgrade
+         & Ssh.userKeys (User "mail") anyContext [ (SshRsa, Tethera.Keys.mail_ssh) ]
+         & Ssh.knownHost hosts "smtp.tethera.net" (User "mail")
+</pre>
+
+The "Apt.update & Apt.upgrade" is there because nullmailer-extras is kindof a work in progress and I need to make sure that when I add a new version to the private apt repo it's drawing from, that get's installed. It works but it seems a bit slow, and more importantly upgrading everything is kindof a heavy side effect (which might even break things), in order to update this one package. Is there a better way to do this? Don't assume I know anything, I started using propellor 2 days ago...

Split mailname property out of Hostname.sane
Since bad mailname guesses can lead to ugly surprises. (API change)
Kept it in the Hostname module for easy discoverability, and similar to
Hostname.searchDomain it sets a value based on the hostname so makes sense
to keep it in that module.
Didn't implement the mailname equivilant of Hostname.setTo, because it's
trivial to write the mailname file with a custom value if desired.
This commit was sponsored by John Pellman on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 1da97c15..080884ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-propellor (5.4.2) UNRELEASED; urgency=medium
+propellor (5.5.0) UNRELEASED; urgency=medium
 
   * letsencrypt': Pass --expand to support expanding the list of domains
+  * Split mailname property out of Hostname.sane, since bad mailname
+    guesses can lead to ugly surprises. (API change)
 
  -- Joey Hess <id@joeyh.name>  Thu, 09 Aug 2018 10:54:41 -0400
 
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment
new file mode 100644
index 00000000..f9666ca1
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 6"""
+ date="2018-08-19T17:22:18Z"
+ content="""
+Ok, did that.
+"""]]
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 4b9fb785..05c93346 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -66,6 +66,7 @@ darkstar = host "darkstar.kitenet.net" $ props
 	& osDebian Unstable X86_64
 	& ipv6 "2001:4830:1600:187::2"
 	& Hostname.sane
+	& Hostname.mailname
 	& Apt.serviceInstalledRunning "swapspace"
 	& Laptop.powertopAutoTuneOnBoot
 	& Laptop.trimSSD
@@ -461,6 +462,7 @@ keysafe :: Host
 keysafe = host "keysafe.joeyh.name" $ props
 	& ipv4 "139.59.17.168"
 	& Hostname.sane
+	& Hostname.mailname
 	& osDebian (Stable "stretch") X86_64
 	& Apt.stdSourcesList `onChange` Apt.upgrade
 	& Apt.unattendedUpgrades
@@ -565,6 +567,7 @@ standardSystemUnhardened :: DebianSuite -> Architecture -> Motd -> Property (Has
 standardSystemUnhardened suite arch motd = propertyList "standard system" $ props
 	& osDebian suite arch
 	& Hostname.sane
+	& Hostname.mailname
 	& Hostname.searchDomain
 	& Locale.available "en_US.UTF-8"
 	& File.hasContent "/etc/motd" ("":motd++[""])
diff --git a/propellor.cabal b/propellor.cabal
index 26c05a1d..904a8f64 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
 Name: propellor
-Version: 5.4.1
+Version: 5.5.0
 Cabal-Version: 1.20
 License: BSD2
 Maintainer: Joey Hess <id@joeyh.name>
diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
index 48c19572..839aa14e 100644
--- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs
+++ b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
@@ -13,6 +13,7 @@ import qualified Propellor.Property.User as User
 decruft :: Property DebianLike
 decruft = propertyList "cloudatcost cleanup" $ props
 	& Hostname.sane
+	& Hostname.mailname
 	& grubbugfix
 	& nukecruft
   where
diff --git a/src/Propellor/Property/Hostname.hs b/src/Propellor/Property/Hostname.hs
index 1eb9d690..0ece92a8 100644
--- a/src/Propellor/Property/Hostname.hs
+++ b/src/Propellor/Property/Hostname.hs
@@ -14,8 +14,6 @@ import Data.List
 -- (However, when used inside a chroot, avoids setting the current hostname
 -- as that would impact the system outside the chroot.)
 --
--- Configures </etc/mailname> with the domain part of the hostname.
---
 -- </etc/hosts> is also configured, with an entry for 127.0.1.1, which is
 -- standard at least on Debian to set the FDQN.
 --
@@ -46,8 +44,6 @@ setTo' extractdomain hn = combineProperties desc $ toProps
 	, check (not <$> inChroot) $
 		cmdProperty "hostname" [basehost]
 			`assume` NoChange
-	, "/etc/mailname" `File.hasContent`
-		[if null domain then hn else domain]
 	]
   where
 	desc = "hostname " ++ hn
@@ -85,6 +81,19 @@ searchDomain' extractdomain = property' desc $ \w ->
 			| "search " `isPrefixOf` l = False
 			| otherwise = True
 
+-- Configures </etc/mailname> with the domain part of the hostname of the
+-- `Host` it's used in.
+mailname :: Property UnixLike
+mailname = mailname' extractDomain
+
+mailname' :: ExtractDomain -> Property UnixLike
+mailname' extractdomain = property' ("mailname set from hostname") $ \w ->
+	ensureProperty w . go =<< asks hostName
+  where
+	go mn = "/etc/mailname" `File.hasContent` [if null mn' then mn else mn']
+	  where
+	 	mn' = extractdomain mn
+
 -- | Function to extract the domain name from a HostName.
 type ExtractDomain = HostName -> String
 
diff --git a/src/Propellor/Property/Installer/Target.hs b/src/Propellor/Property/Installer/Target.hs
index 8c865143..c6889dc5 100644
--- a/src/Propellor/Property/Installer/Target.hs
+++ b/src/Propellor/Property/Installer/Target.hs
@@ -24,6 +24,7 @@
 -- > seed ver = host "debian.local" $ props
 -- > 	& osDebian Unstable X86_64
 -- > 	& Hostname.sane
+-- >	& Hostname.mailname
 -- > 	& Apt.stdSourcesList
 -- > 	& Apt.installed ["linux-image-amd64"]
 -- > 	& Grub.installed PC
diff --git a/src/Propellor/Property/OS.hs b/src/Propellor/Property/OS.hs
index c31bef7b..503f303d 100644
--- a/src/Propellor/Property/OS.hs
+++ b/src/Propellor/Property/OS.hs
@@ -58,6 +58,7 @@ import Control.Exception (throw)
 -- >        -- , oldOsRemoved (Confirmed "foo.example.com")
 -- >        ]
 -- > & Hostname.sane
+-- > & Hostname.mailname
 -- > & Apt.installed ["linux-image-amd64"]
 -- > & Apt.installed ["ssh"]
 -- > & User.hasSomePassword "root"

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment
new file mode 100644
index 00000000..776e3fba
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 8"
+ date="2018-08-18T14:19:42Z"
+ content="""
+I tested printing out the encoding after changing it to make sure it was UTF-8, and it is, but the privdata is somehow still corrupt. Could the problem have something to do with writing out the privdata instead?
+"""]]

Added a comment
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment
new file mode 100644
index 00000000..0f1ba25c
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment
@@ -0,0 +1,24 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 5"
+ date="2018-08-17T14:36:19Z"
+ content="""
+I worked around the problem in the following way:
+
+    module Propellor.Property.SiteSpecific.SPW.Hostname (sane) where
+
+    import Propellor.Base
+    import qualified Propellor.Property.Hostname as Hostname
+
+    sane :: Property UnixLike
+    sane = Hostname.sane' id
+
+> How about we add a separate mailname property and make Hostname.sane not touch the mailname. mailname could take a Maybe and guess based on the hostname when Nothing is specified.
+
+This seems reasonable.  `Hostname.sane` is often wanted but `Mailname.sane` will be wanted only occasionally, so it makes sense for them to be separate properties.
+
+> Or, the mailname property could only set Info, and Hostname.sane use that info when set and guess when not. But, I suspect that would not have avoided your email-losing misconfiguration from happening in the first place.
+
+This wouldn't be much different from my workaround, indeed.
+"""]]

followup
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment
new file mode 100644
index 00000000..a0fefc17
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 7"""
+ date="2018-08-16T15:37:48Z"
+ content="""
+Since `update` receives the changes to propellor's source code,
+it would have been running the old code at that point. You
+probably need to spin a second time to test your changes to that function.
+"""]]

followup
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment
new file mode 100644
index 00000000..b67a80d8
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-08-16T15:23:09Z"
+ content="""
+I notice that the property is certianly wrong for domains such as
+"foo.org.uk". And I don't want to build in the list of exceptions needed to
+properly deal with those.
+
+How about we add a separate mailname property and make Hostname.sane not
+touch the mailname. mailname could take a Maybe and guess based on the
+hostname when Nothing is specified.
+
+Or, the mailname property could only set Info, and Hostname.sane
+use that info when set and guess when not. But, I suspect that would not
+have avoided your email-losing misconfiguration from happening in the first
+place.
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment
new file mode 100644
index 00000000..01748242
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 6"
+ date="2018-08-16T15:35:27Z"
+ content="""
+The `hSetEncoding stdin utf8` in `update` doesn't seem to work unfortunately, not sure why not.
+"""]]

response
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment
new file mode 100644
index 00000000..51f25ecc
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 5"""
+ date="2018-08-16T15:12:58Z"
+ content="""
+Ah, good debugging!
+
+The code that runs on the remote side is Propellor.Spin.update,
+and it uses Propellor.Protocol.req which reads from stdin. So,
+I think that putting `hSetEncoding stdin utf8` in the update function
+may fix it for you.
+
+If so, the real fix will involve making propellor force utf8 on both sides
+of its protocol, because the spin might be run in some other locale too.
+(Or chainging to a binary protocol that doesn't suffer 
+from encoding mismatch problems, if someone is ambitious!)
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment
new file mode 100644
index 00000000..733f7d33
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 4"
+ date="2018-08-16T13:12:35Z"
+ content="""
+Err, this patch:
+
+    --- a/src/Propellor/Spin.hs
+    +++ b/src/Propellor/Spin.hs
+    @@ -181,6 +181,8 @@
+     -- running the updateServer
+     update :: Maybe HostName -> IO ()
+     update forhost = do
+    +       hPrint stderr =<< hGetEncoding stdin
+    +       hSetEncoding stdin utf8
+            whenM hasGitRepo $
+                    req NeedRepoUrl repoUrlMarker setRepoUrl
+
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment
new file mode 100644
index 00000000..05b5956b
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 3"
+ date="2018-08-15T19:15:21Z"
+ content="""
+I tried this patch:
+
+```
+--- a/src/Propellor/Spin.hs
++++ b/src/Propellor/Spin.hs
+@@ -181,6 +181,8 @@ getSshTarget target hst
+ -- running the updateServer
+ update :: Maybe HostName -> IO ()
+ update forhost = do
++       hPrint stderr =<< hGetEncoding stdin
++       hSetEncoding stdin utf8
+        whenM hasGitRepo $
+                req NeedRepoUrl repoUrlMarker setRepoUrl
+```
+
+I get `Just ANSI_X3.4-1968` from the remote side but unfortunately the corruption persists.
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment
new file mode 100644
index 00000000..d4d596d8
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 2"
+ date="2018-08-15T18:53:03Z"
+ content="""
+I get `Just UTF-8` in both cases and the corruption is not fixed. I think the problem may be on the _receiving_ side? On macOS my `$LC_CTYPE` is set to `\"UTF-8\"` which is passed through by SSH but is an invalid locale on Linux. Running `env LC_CTYPE=C.UTF-8 ./propellor --spin blah` fixes the corruption.
+"""]]

response
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment
new file mode 100644
index 00000000..3b047d9d
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-08-14T21:33:55Z"
+ content="""
+Sounds like a problem with sendPrivData, which writes it to a Handle that's 
+connected to propellor on the host being spun.
+
+Handles have an associated encoding, which comes from the locale settings.
+The char8 TextEncoding sounds like what you describe (code point modulo
+256). hSetEncoding can change it.
+
+Here's a patch you could try that prints out the encoding in use and tries
+to force utf8.
+
+	--- a/src/Propellor/Spin.hs
+	+++ b/src/Propellor/Spin.hs
+	@@ -252,6 +252,8 @@ sendRepoUrl hst toh = sendMarked toh repoUrlMarker =<< geturl
+	
+	 sendPrivData :: HostName -> Handle -> PrivMap -> IO ()
+	 sendPrivData hn toh privdata = void $ actionMessage msg $ do
+	+	hPutStrLn stderr . show =<< hGetEncoding toh
+	+	hSetEncoding toh utf8
+ 		sendMarked toh privDataMarker d
+	 	return True
+	   where
+"""]]

Fix another typo
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
index 2cc827b1..d4df4bac 100644
--- a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -1 +1 @@
-I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.
+I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the privdata on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

Fix typo
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
index e3e6e0f9..2cc827b1 100644
--- a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -1 +1 @@
-I recently added a binary file as privdata (installed with `File.hasPrivContents`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.
+I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
new file mode 100644
index 00000000..e3e6e0f9
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -0,0 +1 @@
+I recently added a binary file as privdata (installed with `File.hasPrivContents`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

fix sequence
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
similarity index 91%
rename from doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
rename to doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
index 24c0efcf..df002711 100644
--- a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
@@ -1,6 +1,6 @@
 [[!comment format=mdwn
  username="joey"
- subject="""comment 2"""
+ subject="""comment 3"""
  date="2018-08-10T14:56:07Z"
  content="""
 I have probably generalized too much from my own use case then, where

followup
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
new file mode 100644
index 00000000..24c0efcf
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-08-10T14:56:07Z"
+ content="""
+I have probably generalized too much from my own use case then, where
+I always have foo.example.com as the full hostname, but want mail to be
+sent with example.com as the name.
+"""]]

Added a comment
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment
new file mode 100644
index 00000000..3cdfaeaa
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 2"
+ date="2018-08-10T10:36:35Z"
+ content="""
+Could you explain why it's right to not use the full hostname, please?
+
+Careless use of `Hostname.sane` on my part recently broke my mail sending setup.  I discovered that I am relying on /etc/mailname containing the full hostname, but maybe I should not be doing that.
+"""]]

letsencrypt': Pass --expand to support expanding the list of domains
diff --git a/debian/changelog b/debian/changelog
index 171cd8fe..1da97c15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+propellor (5.4.2) UNRELEASED; urgency=medium
+
+  * letsencrypt': Pass --expand to support expanding the list of domains
+
+ -- Joey Hess <id@joeyh.name>  Thu, 09 Aug 2018 10:54:41 -0400
+
 propellor (5.4.1) unstable; urgency=medium
 
   * Modernized and simplified the MetaTypes implementation now that
diff --git a/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment b/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment
new file mode 100644
index 00000000..8aba068a
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-08-09T14:55:33Z"
+ content="""
+Ok, patched it in.
+"""]]
diff --git a/src/Propellor/Property/LetsEncrypt.hs b/src/Propellor/Property/LetsEncrypt.hs
index 9e4898dd..99c23715 100644
--- a/src/Propellor/Property/LetsEncrypt.hs
+++ b/src/Propellor/Property/LetsEncrypt.hs
@@ -77,6 +77,9 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot =
 		, "--text"
 		, "--noninteractive"
 		, "--keep-until-expiring"
+		-- The list of domains may be changed, adding more, so
+		-- always request expansion.
+		, "--expand"
 		] ++ map (\d -> "--domain="++d) alldomains
 
 	getstats = mapM statcertfiles alldomains

Added a comment
diff --git a/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment b/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment
new file mode 100644
index 00000000..f1af3dca
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 2"
+ date="2018-08-09T13:18:37Z"
+ content="""
+I have now tested this and it works fine.
+"""]]

add news item for propellor 5.4.1
diff --git a/doc/news/version_5.3.3.mdwn b/doc/news/version_5.3.3.mdwn
deleted file mode 100644
index 18f80d5f..00000000
--- a/doc/news/version_5.3.3.mdwn
+++ /dev/null
@@ -1,8 +0,0 @@
-propellor 5.3.3 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Warn again about new upstream version when ~/.propellor was cloned from the
-     Debian git bundle using an older version of propellor that set up an
-     upstream remote.
-   * Avoid crashing if initial fetch from origin fails when spinning a host.
-   * Added Propllor.Property.Openssl module contributed by contributed by
-     Félix Sipma."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.4.1.mdwn b/doc/news/version_5.4.1.mdwn
new file mode 100644
index 00000000..ebb0e261
--- /dev/null
+++ b/doc/news/version_5.4.1.mdwn
@@ -0,0 +1,14 @@
+propellor 5.4.1 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Modernized and simplified the MetaTypes implementation now that
+     compatability with ghc 7 is no longer needed.
+   * Use git verify-commit to verify gpg signatures, rather than the old
+     method of parsing git log output. Needs git 2.0.
+   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
+     and EtcDefault.set properties. Thanks, Sean Whitton
+   * Dns: Support TXT values longer than bind's maximum string length
+     of 255 bytes. Thanks, rsiddharth.
+   * Docker and HostingProvider.CloudAtCost modules are not being
+     maintained, so marked them as such.
+     Seeking a maintainer for the Docker module; I anticipate
+     removing the CloudAtCost module in the next API bump."""]]
\ No newline at end of file

response
diff --git a/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment b/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment
new file mode 100644
index 00000000..fb7354d1
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-31T14:25:34Z"
+ content="""
+Makes sense. The man page says:
+
+            --expand              If an existing certificate is a strict subset of the
+                                  requested names, always expand and replace it with the
+                                  additional names. (default: Ask)
+
+Which reads like it will not change behavior in other cases. 
+Still, it would be good for someone to test it before the change is
+made to propellor..
+"""]]

diff --git a/doc/forum/Certbot_cert_expanding.mdwn b/doc/forum/Certbot_cert_expanding.mdwn
index db67cbf3..90be60d6 100644
--- a/doc/forum/Certbot_cert_expanding.mdwn
+++ b/doc/forum/Certbot_cert_expanding.mdwn
@@ -1,14 +1,16 @@
 When adding a name to the list for a `letsEncrypt` property, certbot fails thusly:
 
-Saving debug log to /var/log/letsencrypt/letsencrypt.log
-Plugins selected: Authenticator webroot, Installer None
-Missing command line flag or config entry for this setting:
-You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/fusionapp.com.conf)
+    Saving debug log to /var/log/letsencrypt/letsencrypt.log
+    Plugins selected: Authenticator webroot, Installer None
+    Missing command line flag or config entry for this setting:
+    You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/…)
 
-It contains these names: fusionapp.com, bn.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, bz.fusionapp.com, entropy.fusionapp.com, prod.fusionapp.com
+    It contains these names: …
 
-You requested these names for the new certificate: fusionapp.com, entropy.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, prod.fusionapp.com, bz.fusionapp.com, bn.fusionapp.com, entropy.fusiontest.net.
+    You requested these names for the new certificate: …
 
-Do you want to expand and replace this existing certificate with the new certificate?
+    Do you want to expand and replace this existing certificate with the new certificate?
 
-(You can set this with the --expand flag)
+    (You can set this with the --expand flag)
+
+I think maybe Propellor should always pass --expand? I haven't tested if that works correctly when not changing the names.

diff --git a/doc/forum/Certbot_cert_expanding.mdwn b/doc/forum/Certbot_cert_expanding.mdwn
new file mode 100644
index 00000000..db67cbf3
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding.mdwn
@@ -0,0 +1,14 @@
+When adding a name to the list for a `letsEncrypt` property, certbot fails thusly:
+
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator webroot, Installer None
+Missing command line flag or config entry for this setting:
+You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/fusionapp.com.conf)
+
+It contains these names: fusionapp.com, bn.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, bz.fusionapp.com, entropy.fusionapp.com, prod.fusionapp.com
+
+You requested these names for the new certificate: fusionapp.com, entropy.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, prod.fusionapp.com, bz.fusionapp.com, bn.fusionapp.com, entropy.fusiontest.net.
+
+Do you want to expand and replace this existing certificate with the new certificate?
+
+(You can set this with the --expand flag)

inverted
diff --git a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
index 24ad2c45..f4ff3615 100644
--- a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
+++ b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
@@ -10,9 +10,9 @@ so is `debootstrapTheChrootAndPackIntoQcow2File`,
 so to check if the disk image exists, you'll instead
 want to use the `check` combinator. Something like:
 
-	& check (doesFileExist "/path/to/image.qcow2")
-		debootstrapTheChrootAndPackIntoQcow2File theHost
 	& check (not <$> doesFileExist "/path/to/image.qcow2")
+		debootstrapTheChrootAndPackIntoQcow2File theHost
+	& check (doesFileExist "/path/to/image.qcow2")
 		conducts [theHost] `requires` KVM.booted theHost
 
 Perhaps the redundancy in that can be reduced with a new combinator

response
diff --git a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
new file mode 100644
index 00000000..24ad2c45
--- /dev/null
+++ b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-20T15:54:17Z"
+ content="""
+That seems like a good plan to me, and nice use of the Conductor module.
+
+Of course, `conducts` is a Property, not an IO action and presumably
+so is `debootstrapTheChrootAndPackIntoQcow2File`,
+so to check if the disk image exists, you'll instead
+want to use the `check` combinator. Something like:
+
+	& check (doesFileExist "/path/to/image.qcow2")
+		debootstrapTheChrootAndPackIntoQcow2File theHost
+	& check (not <$> doesFileExist "/path/to/image.qcow2")
+		conducts [theHost] `requires` KVM.booted theHost
+
+Perhaps the redundancy in that can be reduced with a new combinator
+that chooses which action to run.
+
+You may want to also delete the chroot once the disk image is built.
+
+There could also be a minor gotcha with the Conductor module trying to
+conduct the VM before it's gotten set up yet, at worst this would make
+propellor display a warning.
+
+Let me know if you need help with this, 
+although I will next be available on July 30th.
+"""]]

post TODO for feedback
diff --git a/doc/todo/support_for_libvirt_KVM_VMs.mdwn b/doc/todo/support_for_libvirt_KVM_VMs.mdwn
new file mode 100644
index 00000000..529cf721
--- /dev/null
+++ b/doc/todo/support_for_libvirt_KVM_VMs.mdwn
@@ -0,0 +1,27 @@
+I've been thinking about how to add support for libvirt VMs to
+propellor.  TTBOMK setting up the VMs is a matter of creating some
+files in /etc, so that part is straightforward; might not want very
+much abstraction in propellor at all.  The interesting part is
+creating the corresponding disk images.
+
+I first thought that I could just extend propellor's existing support
+for generating disk images by debootstrapping in a chroot and then
+generating an image based on that chroot.  It would just be a matter
+of using `.qcow2` images rather than `.img`.  But the problem with
+this is that once the VM is in use, propellor should not just be
+overwriting the `.qcow2` file.  So something different is needed.
+
+What I have in mind is a conditional property that works something
+like this:
+
+    ifM ( doesFileExist "/path/to/image.qcow2"
+        , debootstrapTheChrootAndPackIntoQcow2File theHost
+        , conducts [theHost] `requires` KVM.booted theHost
+        )
+
+where `theHost :: Host` and either the user's libvirt config or some
+property somewhere ensures it can be SSHed to from localhost.
+
+Does this seem like the right approach?
+
+--spwhitton

two unmaintained modules
diff --git a/debian/changelog b/debian/changelog
index 8d9179e4..659bd8d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,10 @@ propellor (5.4.1) UNRELEASED; urgency=medium
     method of parsing git log output. Needs git 2.0.
   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
     and EtcDefault.set properties. Thanks, Sean Whitton
+  * Docker and HostingProvider.CloudAtCost modules are not being
+    maintained, so marked them as such, including build-time warnings. 
+    Seeking a maintainer for the Docker module; I anticipate
+    removing the CloudAtCost module in the next API bump.
 
  -- Joey Hess <id@joeyh.name>  Fri, 18 May 2018 10:25:05 -0400
 
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
index 6f06f87f..bf75470b 100644
--- a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
@@ -4,8 +4,9 @@
  date="2018-06-13T14:32:43Z"
  content="""
 I can't see any docker-engine package in any version of Debian. Unstable
-still has a docker.io, though testing does not. It looks like perhaps
-docker was not included in the last stable release, though I am not sure.
+still has a docker.io, though testing does not (update: it does now; the
+docker package also recently got updated to a more current version).
+Docker was not included in the last stable release.
 
 I have not used docker in quite some time. I use systemd-nspawn containers
 which are much easier to build and maintain. So, it may make sense to
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment b/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment
new file mode 100644
index 00000000..e0f14b92
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-07-11T16:01:37Z"
+ content="""
+Marked the module as unmaintained. If you would like to take over
+maintanance of it, just send me patches putting your name in the maintainer
+slot etc.
+"""]]
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 0d971b03..7541c78b 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -33,7 +33,6 @@ import qualified Propellor.Property.Systemd as Systemd
 import qualified Propellor.Property.Journald as Journald
 import qualified Propellor.Property.Fail2Ban as Fail2Ban
 import qualified Propellor.Property.Laptop as Laptop
-import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
 import qualified Propellor.Property.HostingProvider.Linode as Linode
 import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
@@ -101,7 +100,6 @@ clam = host "clam.kitenet.net" $ props
 		["Unreliable server. Anything here may be lost at any time!" ]
 	& ipv4 "64.137.164.186"
 
-	& CloudAtCost.decruft
 	& User.hasPassword (User "root")
 	& Ssh.hostKeys hostContext
 		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAI3WUq0RaigLlcUivgNG4sXpso2ORZkMvfqKz6zkc60L6dpxvWDNmZVEH8hEjxRSYG07NehcuOgQqeyFnS++xw1hdeGjf37JqCUH49i02lra3Zxv8oPpRxyeqe5MmuzUJhlWvBdlc3O/nqZ4bTUfnxMzSYWyy6++s/BpSHttZplNAAAAFQC1DE0vzgVeNAv9smHLObQWZFe2VQAAAIBECtpJry3GC8NVTFsTHDGWksluoFPIbKiZUFFztZGdM0AO2VwAbiJ6Au6M3VddGFANgTlni6d2/9yS919zO90TaFoIjywZeXhxE2CSuRfU7sx2hqDBk73jlycem/ER0sanFhzpHVpwmLfWneTXImWyq37vhAxatJANOtbj81vQ3AAAAIBV3lcyTT9xWg1Q4vERJbvyF8mCliwZmnIPa7ohveKkxlcgUk5d6dnaqFfjVaiXBPN3Qd08WXoQ/a9k3chBPT9nW2vWgzzM8l36j2MbHLmaxGwevAc9+vx4MXqvnGHzd2ex950mC33ct3j0fzMZlO6vqEsgD4CYmiASxhfefj+JCQ==")
diff --git a/src/Propellor/Property/Docker.hs b/src/Propellor/Property/Docker.hs
index 66418253..522aecd9 100644
--- a/src/Propellor/Property/Docker.hs
+++ b/src/Propellor/Property/Docker.hs
@@ -1,11 +1,14 @@
 {-# LANGUAGE FlexibleContexts, TypeSynonymInstances, FlexibleInstances, TypeFamilies #-}
 
--- | Docker support for propellor
+-- | Maintainer: currently unmaintained; your name here!
+--
+-- Docker support for propellor
 --
 -- The existance of a docker container is just another Property of a system,
 -- which propellor can set up. See config.hs for an example.
 
-module Propellor.Property.Docker (
+module Propellor.Property.Docker
+	{-# WARNING "This module does not have a maintainer. It might not work right anymore. If you use it, please consider becoming its maintainer." #-} (
 	-- * Host properties
 	installed,
 	configured,
diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
index 5c4788e2..48c19572 100644
--- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs
+++ b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
@@ -1,4 +1,8 @@
-module Propellor.Property.HostingProvider.CloudAtCost where
+-- | Maintainer: currently unmaintained; your name here!
+
+module Propellor.Property.HostingProvider.CloudAtCost
+	{-# WARNING "This module does not have a maintainer. It might not work right anymore. If you use it, please consider becoming its maintainer." #-}
+	where
 
 import Propellor.Base
 import qualified Propellor.Property.Hostname as Hostname

response
diff --git a/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
new file mode 100644
index 00000000..ae50a008
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-06T20:19:27Z"
+ content="""
+I was going to write something asserting that it's entirely data,
+and not code, though typed data expressed in a programming language.
+
+However, I think it's better to say that this code/data distinction is
+much less a useful distinction that commonly thought, one that things,
+especially in the configuration management space often chafe under (see
+all the turing complete ill-specified languages built on top of what
+started out as some pure data format that are in use by almost every other
+configuration management tool), and that Propellor is an attempt to
+move in a more useful and less ridigly defined direction.
+"""]]

diff --git a/doc/forum/Separation_of_data_and_code.mdwn b/doc/forum/Separation_of_data_and_code.mdwn
new file mode 100644
index 00000000..3a09a237
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code.mdwn
@@ -0,0 +1,11 @@
+I'm using Fedora for the desktop and CentOS on my server. I have many software packages to install. I store them in shell scripts, with lines like this:
+
+    yum -y install vim-common vim-enhanced gvim vim-X11 # the latter for clipboard support
+
+I'm thinking about some more elaborate way to do that (to put some packages to specific hosts and groups). Propellor seems an interesting tool for that, but when I see an [example configuration file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs), it looks like this is a mixture of data and logic, which is considered [not a very good practice](https://softwareengineering.stackexchange.com/questions/229479/how-did-separation-of-code-and-data-become-a-practice).
+
+I know that Haskell itself is a very declarative language (in the sense it's not imperative), but still I have this feeling of a mixture of code with constants. What do you think of that?
+
+Is there a way to cleanly store names of packages (with comments and some configuration options (e.g. on what hosts they should be used)) in one place and use propellor's logic to install them in another place? 
+
+I understand that the power of propellor is to `do` things apart of just enumerating them, but I think that this separation could be useful.

Dns: Support TXT values longer than bind's maximum string length of 255 bytes. Thanks, rsiddharth.
diff --git a/debian/changelog b/debian/changelog
index 8d9179e4..bad0cad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium
     method of parsing git log output. Needs git 2.0.
   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
     and EtcDefault.set properties. Thanks, Sean Whitton
+  * Dns: Support TXT values longer than bind's maximum string length
+    of 255 bytes. Thanks, rsiddharth.
 
  -- Joey Hess <id@joeyh.name>  Fri, 18 May 2018 10:25:05 -0400
 
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
new file mode 100644
index 00000000..8809f999
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-24T15:21:29Z"
+ content="""
+Looks good to me, merged.
+"""]]

Add s user page.
diff --git a/doc/user/s.mdwn b/doc/user/s.mdwn
new file mode 100644
index 00000000..08ef7bc8
--- /dev/null
+++ b/doc/user/s.mdwn
@@ -0,0 +1,3 @@
+s [propels some computers][1] using propellor.
+
+[1]: https://git.ricketyspace.net/propellor/tree/config.hs

Added a comment
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
new file mode 100644
index 00000000..3fbd389f
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="s@aa9ff9ce06b08acfd2a93ebd342ce6879430fbdd"
+ nickname="s"
+ avatar="http://cdn.libravatar.org/avatar/81bf27f8b35011d1846711fa37a5588f"
+ subject="comment 2"
+ date="2018-06-24T14:58:53Z"
+ content="""
+joeyh, Thanks for the feedback.
+
+I updated the definition of `TXT`'s `rValue` according to your suggestion and removed the `MTXT` record -- [patch][patch].
+
+I would like to get the patch merged into upstream, let me know if I've to refactor it.
+
+[patch]: https://ricketyspace.net/file/0001-update-rValue-of-Dns-TXT-record-type.patch
+"""]]

update link 2
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
index 69a62b59..e6f2b478 100644
--- a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -16,4 +16,4 @@ I'm [currently using this recipe][2] to provision the DKIM TXT record.
 I want to know if there is a better way to do this without having to add the MTXT record type?
 
 [1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
-[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs?id=67f47e5a23e8c7814014ea58f2dbc9f7c58ede3a#n722

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
new file mode 100644
index 00000000..b566f3c5
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-23T19:13:59Z"
+ content="""
+Well, cabal files can have flags that enable additional dependencies, but
+using them complicates testing the program since you have to try building
+it with different combinations of flags. And deploying propellor with the
+desired flags turned on would be an additional complication.
+
+I feel that additional libraries that depend on propellor and the sql
+library and provide properties is a better approach. The user can easily
+add the dependency to their ~/.propellor/config.cabal, and the necessary
+dependencies will be automatically installed when propellor is deploying
+itself to a new host.
+"""]]

response
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
new file mode 100644
index 00000000..5595af19
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
@@ -0,0 +1,25 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-23T18:42:32Z"
+ content="""
+It seems that the limit is 255 characters, and this
+limit applies to any string in a bind zone file,
+rather than being a maximim line length. A single line can contain multiple
+such strings, although there's probably a maximum line length somewhere 
+too, so using parens to extend across multiple lines is wise.
+
+The values inside the parens are concacenated together, no newline is added
+to the string that bind builds up from them AFAICS.
+
+So it seems your code is stripping out the newlines from the TXT value.
+Which probably doesn't matter for DKIM public key material,
+and I don't think that bind zone files support multiline strings anyway.
+But a single line could be too long and splitting on newlines would not
+help then.
+
+So, I think the thing to do would be to make `rValue` break TXT
+strings into substrings no longer than 255 characters. Then you don't
+need a new constructor, and long SSHFP etc records could also be handled
+that way.
+"""]]

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
new file mode 100644
index 00000000..74654902
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2018-06-19T18:56:28Z"
+ content="""
+I am looking for a solution which could be integrated to propellor. Is it possible to include those additional libraries in propellor sources and have them included in the build on demand? I am not very familiar with the haskell build systems.
+
+About generated passwords, a nice solution would be to do it in PrivData.  The user would provide a salt as the private data and it would be combined to context to generate a password.  I can try find how this could be done.
+"""]]

New post - DNS - Support for Multiline TXT records.
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
new file mode 100644
index 00000000..69a62b59
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -0,0 +1,19 @@
+bind9 has a limit on the number of characters in a single line TXT record. I was unable to provision the DKIM TXT record using propellor due to this limit.
+
+I added a new MTXT record type to `Propellor.Types.DNS.Record` ([patch][1]).
+
+MTXT creates a multiline TXT record. It splits the record's text (say
+"long string...\n...xyz") at `'\n'` and creates a TXT record of the
+form:
+
+
+    domain IN      TXT     ( "long string..."
+            "...xyz" )
+
+
+I'm [currently using this recipe][2] to provision the DKIM TXT record.
+
+I want to know if there is a better way to do this without having to add the MTXT record type?
+
+[1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722

add shortcuts page so !commit works
I think none of the default shortcuts were being used, and I trimmed the
list down
diff --git a/doc/shortcuts.mdwn b/doc/shortcuts.mdwn
new file mode 100644
index 00000000..9c8b7605
--- /dev/null
+++ b/doc/shortcuts.mdwn
@@ -0,0 +1,12 @@
+[[!if test="enabled(shortcut)"
+     then="This wiki has shortcuts **enabled**."
+     else="This wiki has shortcuts **disabled**."]]
+
+This page controls what shortcut links the wiki supports.
+
+* [[!shortcut name=debbug url="http://bugs.debian.org/%S" desc="Debian bug #%s"]]
+* [[!shortcut name=iki url="http://ikiwiki.info/%S/"]]
+* [[!shortcut name=rfc url="https://www.ietf.org/rfc/rfc%s.txt" desc="RFC %s"]]
+* [[!shortcut name=cve url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=%s"]]
+* [[!shortcut name=hackage url="http://hackage.haskell.org/package/%s"]]
+* [[!shortcut name=commit url="http://source.propellor.branchable.com/?p=source.git;a=commitdiff;h=%s"]]

improve docs
diff --git a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
index 7649e95e..4869922e 100644
--- a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
+++ b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
@@ -1,23 +1,43 @@
 [[!comment format=mdwn
  username="joey"
- subject="""comment 1"""
+ subject="""supported OS's and how to add more"""
  date="2014-12-07T15:58:03Z"
  content="""
-I have heard of propellor being used on OSX. Probably that user wrote their
-own code for OSX specific stuff.
+Propellor supports Debian and its derivatives, as well as FreeBSD and
+ArchLinux. See
+<http://hackage.haskell.org/package/propellor-5.4.0/docs/Propellor-Types-OS.html>
 
-Propellor properites can be parameterized by OS. Currently it has support
-for Debian and some untested support for *buntu. A property can be parameterized
-like this:
+Propellor keeps track of what OS's each property supports, as part of the
+type of the propery. So for example, it has separate properties for Debian
+and for FreeBSD that keep the OS's upgraded using their respective
+package managers:
 
-	foo :: Property
-	foo = property "foo" withOS desc $ \o -> case o of
-	                (Just (System (Debian _) _)) -> ensureProperty fooDebian
-	                (Just (System (Buntish _) _)) -> ensureProperty fooBuntu
+	Apt.upgraded :: Property DebianLike
+	
+	Pkg.upgraded :: Property FreeBSD
 
-The first step for adding a new OS will be to modify <http://hackage.haskell.org/package/propellor/docs/Propellor-Types-OS.html>.
-Compilation will then warn about all OS parameterized properties that
-need to be updated to support your added OS, and it can be taken from there.
+Properties can be combined using `pickOS` to make a property that works
+on multiple OS's:
 
-I'll accept reasonable patches to support other OS's.
+	upgraded :: Property (DebianLike + FreeBSD)
+	upgraded = Apt.upgraded `pickOS` Pkg.upgraded
+
+The `withOS` function lets a single property do different things for
+different OS versions as well as different OS's.
+
+The ArchLinux and FreeBSD ports were done by propellor users,
+and both are good examples of the scope of the changes involved in making
+propellor support a new OS. 
+
+Here are Zihao Wang's commits for ArchLinux support:
+
+* add types for Arch Linux [[!commit 442fa3706de3d7329552c78d314b5a8f653ca65d]]
+* bootstrap propellor using Pacman [[!commit 44f7f7f1c3014586fd574ba1d10a1063204850a7]]
+* add properties for Pacman [[!commit 5b946ea4e32657f64771f3e2ef8bc865afc4c1fc]]
+* add ArchLinux support to specific properties
+  [[!commit 92168164943dcf033682b9f9a26f81beb3c537f4]]
+  [[!commit 0b936d63931baa9cda6b243cf643ad1c71ce5c0b]]
+  [[!commit f95e4fc7dccb9691b8185166c44f83ce884463dc]]
+* fixed type of a property that wrongly claimed to support any Linux but actually
+  only supported DebianLike [[!commit 7781c8098f45481ac03c5ede989614eb8411a6aa]]
 """]]
diff --git a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment b/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
deleted file mode 100644
index 07c12d0b..00000000
--- a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""comment 2"""
- date="2016-03-08T01:48:35Z"
- content="""
-Propellor just got support for [[FreeBSD]]!
-"""]]
diff --git a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment b/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
deleted file mode 100644
index c03f6cd9..00000000
--- a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""Arch too!"""
- date="2017-02-04T21:30:26Z"
- content="""
-Propellor just got support for Arch Linux!
-"""]]

response
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
new file mode 100644
index 00000000..6f06f87f
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-13T14:32:43Z"
+ content="""
+I can't see any docker-engine package in any version of Debian. Unstable
+still has a docker.io, though testing does not. It looks like perhaps
+docker was not included in the last stable release, though I am not sure.
+
+I have not used docker in quite some time. I use systemd-nspawn containers
+which are much easier to build and maintain. So, it may make sense to
+either mark the docker module in propellor as unmaintained, or find someone
+else to maintain it.
+"""]]

diff --git a/doc/todo/Outdated_Docker_Package__63__.mdwn b/doc/todo/Outdated_Docker_Package__63__.mdwn
new file mode 100644
index 00000000..9564bbc8
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__.mdwn
@@ -0,0 +1,9 @@
+G'day Joey.
+
+In [Docker.hs, line 73](https://git.joeyh.name/index.cgi/propellor.git/tree/src/Propellor/Property/Docker.hs?h=5.4.0#n73), docker.io is listed as the package to be installed.
+
+Docker.installed currently fails for me on Stretch with:
+
+    E: Package 'docker.io' has no installation candidate
+
+Unless I'm mistaken, from Stretch this is now replaced by "docker-engine".

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
new file mode 100644
index 00000000..5376b576
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-12T14:38:22Z"
+ content="""
+We want to avoid adding heavy dependencies to propellor since that makes
+propellor more expensive to bootstrap and adds a point of failure.
+
+But, it should be easy enough to add dependencies to your own 
+~/.propellor/config.cabal and write your properties using them. It would
+also be fine to have additional libraries of propellor properties extending
+propellor.
+
+As for crypto hashes, it's certianly general enough to consider adding to
+propellor, but it's also striking that propellor has mostly avoided needing
+any hashes (except for some small uses of hashable and one place that
+shells out to sha1). If there's a general purpose property that uses a
+crypto hash, we could talk about adding it.
+"""]]

creating Adding support for a SQL server
diff --git a/doc/forum/Adding_support_for_a_SQL_server.mdwn b/doc/forum/Adding_support_for_a_SQL_server.mdwn
new file mode 100644
index 00000000..00ec42ad
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server.mdwn
@@ -0,0 +1,17 @@
+Hello,
+
+I would like to add support for MySQL/MariaDB and I have some questions about it.
+
+I suppose the nicest way to do it would be to use some haskell binding and to
+connect directly to the server from propellor.  However, this would add a
+dependency to build it.  Is it acceptable?
+
+Another solution is to use a command line client and parse its output, but the
+SQL syntax is so strange that I fear this will be painful.
+
+Another question is about password generation as I will need many passwords, I
+would like to generate them using a crypto hash of a secret combined with a
+public part in the propellor config.  Do you have a suggestion to compute this
+hash?  I think a dependency on a hash library is easier to accept.
+
+Thanks.

add news item for propellor 5.4.0
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
deleted file mode 100644
index cd16116e..00000000
--- a/doc/news/version_5.3.2.mdwn
+++ /dev/null
@@ -1,10 +0,0 @@
-propellor 5.3.2 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Added Propellor.Property.Atomic, which can make a non-atomic property
-     that operates on a directory into an atomic property.
-     (Inspired by Vaibhav Sagar's talk on Functional Devops in a
-     Dysfunctional World at LCA 2018.)
-   * Added Git.pulled.
-   * Systemd.machined: Install systemd-container on Debian
-     stretch.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.4.0.mdwn b/doc/news/version_5.4.0.mdwn
new file mode 100644
index 00000000..e63f8c6c
--- /dev/null
+++ b/doc/news/version_5.4.0.mdwn
@@ -0,0 +1,13 @@
+propellor 5.4.0 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ Sean Whitton ]
+   * Apt.installedBackport replaced with Apt.backportInstalled.  (API change)
+     The old property would install dependencies from backports even when
+     the versions in stable satisfy the requested backport's dependencies.
+     The new property installs only the listed packages from backports;
+     all other dependencies come from stable.
+     So in some cases, you may need to list additional backports to install,
+     that would not have needed to be listed before. Due to this behavior
+     change the property has been renamed so uses of it will be checked.
+   * Restic.installed: stop trying to install a backport on jessie, because no
+     such backport exists."""]]
\ No newline at end of file

add missing close paren
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 69b34e2d..88726a6d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG))

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index c1550d23..69b34e2d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)

add news item for propellor 5.3.6
diff --git a/doc/news/version_5.3.1.mdwn b/doc/news/version_5.3.1.mdwn
deleted file mode 100644
index 4f660270..00000000
--- a/doc/news/version_5.3.1.mdwn
+++ /dev/null
@@ -1,5 +0,0 @@
-propellor 5.3.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Last release mistakenly contained my personal branch not master.
-   * contrib/post-merge-hook documentation updated to recommend also using
-     it as a post-checkout hook, to avoid such problems."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.3.6.mdwn b/doc/news/version_5.3.6.mdwn
new file mode 100644
index 00000000..7a7a417e
--- /dev/null
+++ b/doc/news/version_5.3.6.mdwn
@@ -0,0 +1,13 @@
+propellor 5.3.6 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix build with ghc 8.4, which broke due to the Semigroup Monoid change.
+   * Dropped support for building propellor with ghc 7 (as in debian
+     oldstable), to avoid needing to depend on the semigroups transitional
+     package, but also because it's just too old to be worth supporting.
+   * stack.yaml: Updated to lts-9.21.
+   * Make Schroot.overlaysInTmpfs revertable
+     Thanks, Sean Whitton
+   * Update shim each time propellor is run in a container, to deal with
+     library version changes.
+   * Unbound: Added support for various DNS record types.
+     Thanks, Félix Sipma."""]]
\ No newline at end of file

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index df1b8ada..c1550d23 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this|http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])

markdown
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
index 76c11464..ef3f4dad 100644
--- a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -6,8 +6,8 @@
 I don't think you need to use a different name for your config file, unless
 it somehow makes things easier for you.
 
-It's fine to use Utility.* like that, but do note that there's no guaranteed 
+It's fine to use `Utility.*` like that, but do note that there's no guaranteed 
 API stability for those. OTOH, if you might later contribute some
-properties built using Utility.* back to propellor, it certianly makes
+properties built using `Utility.*` back to propellor, it certianly makes
 sense to use those.
 """]]

comment
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
new file mode 100644
index 00000000..b4b924ac
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-05-03T16:46:45Z"
+ content="""
+Agreed on all points, also there are some 
+`File.containsLine` properties for /etc/default files elsewhere that
+don't necessarily work correctly if a later line changes the value,
+that could be converted to use this new property.
+
+Your name ideas sound fine to me.
+"""]]

remove badly placed and redundant comment
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
new file mode 100644
index 00000000..76c11464
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-05-03T16:30:15Z"
+ content="""
+I don't think you need to use a different name for your config file, unless
+it somehow makes things easier for you.
+
+It's fine to use Utility.* like that, but do note that there's no guaranteed 
+API stability for those. OTOH, if you might later contribute some
+properties built using Utility.* back to propellor, it certianly makes
+sense to use those.
+"""]]

Added a comment
diff --git a/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
new file mode 100644
index 00000000..c861f1cc
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 3"
+ date="2018-05-01T07:07:54Z"
+ content="""
+* Do you think that I should use a dedicated config-soleil.hs file instead of the config.hs file ?
+
+* I use the combinesModes in order to set the right mode.
+
+    +rra :: Property UnixLike
+    +rra = fetch `onChange` execmode
+    +    where
+    +      fetch :: Property UnixLike
+    +      fetch = property \"install rra scripts\"
+    +              (liftIO $ toResult <$> download \"https://archives.eyrie.org/software/devel/backport\" \"/usr/local/bin/backport\")
+    +
+    +      execmode :: Property UnixLike
+    +      execmode = File.mode \"/usr/local/bin/backport\" (combineModes (ownerWriteMode:readModes ++ executeModes))
+
+"""]]

notes on failed attempt to migrate
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 347ea9e5..c3641385 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -7,3 +7,23 @@ Waiting on concurrent-output reaching Debian stable.
 > supporting the current oldstable, I believe.. --[[Joey]]
 
 [[!tag user/joey]]
+
+> This was attempted again in 2018 and had to be reverted
+> in [[!commit b6ac64737b59e74d4aa2d889690e8fab3772d2c6]].
+> 
+> The strange output I was seeing is the first line 
+> of "apt-cache policy apache2" (but not subsequent lines)
+> and the ssh-keygen command run by `genSSHFP'`
+
+> Propellor also misbehaved in some other ways likely due to not seeing
+> the command output it expected. In particular Git.cloned must have
+> failed to see an origin url in git config output, because it nuked and
+> re-cloned a git repo (losing data).
+> 
+> So, it seems that readProcess was somehow leaking output to the console
+> and also likely not providing it to the caller. 
+> 
+> The affected system had libghc-concurrent-output-dev 1.10.5-1 installed
+> from debian. That is a somewhat old version and perhaps it was buggy?
+> However, I have not had any luck reproducing the problem there running
+> readProcess in ghci. --[[Joey]]

Added a comment
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
new file mode 100644
index 00000000..43e83fb7
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="jsza"
+ avatar="http://cdn.libravatar.org/avatar/72c6bc8c0cdfb0fff175e90c3b036415"
+ subject="comment 2"
+ date="2018-04-30T14:27:19Z"
+ content="""
+Nice, thank you! Can confirm that it's now working for me.
+
+I'd also just like to say that using Propellor to manage our eleven or so TF2 game servers has been an absolute pleasure and a time saver.
+
+Thanks for all the work you've put into making Propellor so awesome.
+"""]]

responses
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
new file mode 100644
index 00000000..03121a74
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-30T13:23:47Z"
+ content="""
+Think I've fixed this now.
+"""]]
diff --git a/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
new file mode 100644
index 00000000..6edd05d7
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-04-30T13:24:30Z"
+ content="""
+Seems this must be caused by [[!commit d8d2faece72eabd18c2ff303e5fb63c3a69961f6]]
+
+And I guess you've modified the config.hs in propellor
+for your own systems?
+
+You will indeed need to add dependencies to the cabal stanza for
+propellor-config.
+
+I think that you may be able to add Other-Modules: Utility.FileMode
+to the cabal stanza for propellor-config and get access to the unexported
+module that way. Not 100% sure.
+
+I'm curious: Is there part of propellor's published modules that made you
+need something from Utility.FileMode to use it, or were you writing your
+own property and happened to use something from Utility.FileMode?
+"""]]

Revert "Added dependency on concurrent-output; removed embedded copy."
This reverts commit 02eca2ae4cf51d8e83d94d8359e15ac053451109.
This seems to have broken propellor badly, in testing I'm seeing it
crash at the end of a run with "thread blocked indefinitely in an STM
transaction" and also during the run it printed out some odd output
like:
apache2:
apache2:
dummy IN SSHFP 4 1 35df80973f5877e4041f1b70947385eb2f6a0822
dummy IN SSHFP 4 2 3a0bb426e76eebc5c56e3b0f1428aa9d18539e9621bf8f9e3b7f56a4e7d81c85
Which seems like it might be output of commands that
propellor is supposed to be reading?
Seems likely that there's a bug or two that have crept
into then concurrent-output library since the version embedded in
propellor.
diff --git a/debian/changelog b/debian/changelog
index 42871285..9308a7bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,7 +4,6 @@ propellor (5.3.6) UNRELEASED; urgency=medium
   * Dropped support for building propellor with ghc 7 (as in debian
     oldstable), to avoid needing to depend on the semigroups transitional
     package, but also because it's just too old to be worth supporting.
-  * Added dependency on concurrent-output; removed embedded copy.
   * stack.yaml: Updated to lts-9.21.
 
  -- Joey Hess <id@joeyh.name>  Mon, 23 Apr 2018 13:12:25 -0400
diff --git a/debian/control b/debian/control
index 77bd7eae..5a041c90 100644
--- a/debian/control
+++ b/debian/control
@@ -6,17 +6,19 @@ Build-Depends:
 	git,
 	ghc (>= 7.6),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -28,17 +30,19 @@ Section: admin
 Depends: ${misc:Depends}, ${shlibs:Depends},
 	ghc (>= 7.4),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 	git,
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index ddf074f9..347ea9e5 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -5,9 +5,5 @@ Waiting on concurrent-output reaching Debian stable.
 
 > Well, it's in stable now. Not in oldstable yet, and propellor is still
 > supporting the current oldstable, I believe.. --[[Joey]]
-> >
-> > not anymore; dropping it now.
-
-[[done]]
 
 [[!tag user/joey]]
diff --git a/propellor.cabal b/propellor.cabal
index cf9fe7ce..a5b8c8a3 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -42,31 +42,14 @@ Library
     GHC-Options: -fno-warn-redundant-constraints
   Default-Extensions: TypeOperators
   Hs-Source-Dirs: src
-  -- propellor needs to support the ghc shipped in Debian stable,
-  -- and also only depends on packages in Debian stable.
-  -- 
-  -- When updating dependencies here, also update the lists in
-  -- Propellor.Bootstrap
   Build-Depends:
-    ansi-terminal,
-    async,
+    -- propellor needs to support the ghc shipped in Debian stable,
+    -- and also only depends on packages in Debian stable.
     base >= 4.9, base < 5,
-    bytestring,
-    concurrent-output,
-    containers (>= 0.5),
-    directory,
-    exceptions (>= 0.6),
-    filepath,
-    hashable,
-    hslogger,
-    IfElse,
-    mtl,
-    network,
-    process,
-    split,
-    time,
-    unix,
-    unix-compat
+    directory, filepath, IfElse, process, bytestring, hslogger, split,
+    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
+    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+
   Exposed-Modules:
     Propellor
     Propellor.Base
@@ -240,6 +223,9 @@ Library
     Utility.Tmp
     Utility.Tuple
     Utility.UserInfo
+    System.Console.Concurrent
+    System.Console.Concurrent.Internal
+    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index a8713535..04f23f85 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -138,17 +138,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		-- Below are the same deps listed in debian/control.
 		, "ghc"
 		, "cabal-install"
-		, "libghc-ansi-terminal-dev"
 		, "libghc-async-dev"
-		, "libghc-concurrent-output-dev"
-		, "libghc-exceptions-dev"
-		, "libghc-hashable-dev"
+		, "libghc-split-dev"
 		, "libghc-hslogger-dev"
+		, "libghc-unix-compat-dev"
+		, "libghc-ansi-terminal-dev"
 		, "libghc-ifelse-dev"
-		, "libghc-mtl-dev"
 		, "libghc-network-dev"
-		, "libghc-split-dev"
-		, "libghc-unix-compat-dev"
+		, "libghc-mtl-dev"
+		, "libghc-transformers-dev"
+		, "libghc-exceptions-dev"
+		, "libghc-stm-dev"
+		, "libghc-text-dev"
+		, "libghc-hashable-dev"
 		]
 	debdeps Stack =
 		[ "gnupg"
@@ -159,16 +161,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "hs-cabal-install"
-		, "hs-ansi-terminal"
 		, "hs-async"
-		, "hs-exceptions"
-		, "hs-hashable"
+		, "hs-split"
 		, "hs-hslogger"
+		, "hs-unix-compat"
+		, "hs-ansi-terminal"
 		, "hs-IfElse"
-		, "hs-mtl"
 		, "hs-network"
-		, "hs-split"
-		, "hs-unix-compat"
+		, "hs-mtl"
+		, "hs-transformers-base"
+		, "hs-exceptions"
+		, "hs-stm"
+		, "hs-text"
+		, "hs-hashable"
 		]
 	fbsddeps Stack =
 		[ "gnupg"
@@ -179,17 +184,20 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "cabal-install"
-		, "haskell-hackage-security"
-		, "haskell-ansi-terminal"
 		, "haskell-async"

(Diff truncated)
signature
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
index 6a97f8fb..16c791cd 100644
--- a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -13,3 +13,5 @@ Notes:
 * The use of a tuple for the last two parameters ensures that the property can be used infix.
 
 * I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.
+
+--spwhitton

we should factor out code in Grub.configured
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
new file mode 100644
index 00000000..6a97f8fb
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -0,0 +1,15 @@
+It would be useful to have a property to set key value pairs in /etc/default configs.  The code is in Grub.configured.  I have not written a patch yet because I am not sure what the module should be called.  Possibilities are:
+
+    & EtcDefault.set "anacron" "ANACRON_RUN_ON_BATTERY_POWER" "no"
+
+or maybe
+
+    & ConfFile.hasShellSetting "/etc/default/anacron" ("ANACRON_RUN_ON_BATTERY_POWER", "no")
+
+Or possibly both of these, with the former implemented in terms of the latter.
+
+Notes:
+
+* The use of a tuple for the last two parameters ensures that the property can be used infix.
+
+* I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.