Recent changes to this wiki:

Added a comment: Proposal code, and questrion of polymorphism
diff --git a/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__/comment_1_80881f7cf73d31b2f69fdb260909437e._comment b/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__/comment_1_80881f7cf73d31b2f69fdb260909437e._comment
new file mode 100644
index 00000000..95416ffb
--- /dev/null
+++ b/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__/comment_1_80881f7cf73d31b2f69fdb260909437e._comment
@@ -0,0 +1,53 @@
+[[!comment format=mdwn
+ username="serge1cohen@4282f0c177ae4ac2f90ceddf63d2281e1f739cb1"
+ nickname="serge1cohen"
+ avatar="http://cdn.libravatar.org/avatar/c86bcca74216ed367c91a99ff27259f0"
+ subject="Proposal code, and questrion of polymorphism"
+ date="2023-07-11T13:05:10Z"
+ content="""
+Me again.
+
+To start testing, I have writen a minimal module :
+
+    setProxy :: Url -> Property (HasInfo + UnixLike)
+    setProxy u =
+        pureInfoProperty \"Providing general proxy information to the host\"
+            (InfoVal (HostProxy u))
+
+    getProxy :: Propellor (Maybe HostProxy)
+    getProxy = fromInfoVal <$> askInfo
+
+    withProxy :: Desc -> (Maybe HostProxy -> Property DebianLike) -> Property DebianLike
+    withProxy desc mkp = property' desc $ \w -> do
+        p <- getProxy
+        ensureProperty w (mkp p)
+
+In this version the `withProxy` is only handling the case of a `DebianLike` property, whereas I should be able to have a more polymorphic signature akin :
+
+`withProxy :: Desc -> (Maybe HostProxy -> Property a) -> Property a`
+
+But this does not work with the error message :
+
+    [ 76 of 197] Compiling Propellor.Property.Proxy [Source file changed]
+
+    /ActualUsers/serge/IPANEMA/_Info/propellor/src/Propellor/Property/Proxy.hs:37:9: error:
+        • ensureProperty outer Property type is not able to be inferred here.
+          Consider adding a type annotation.
+        • In a stmt of a 'do' block: ensureProperty w (mkp p)
+          In the expression:
+            do p <- getProxy
+               ensureProperty w (mkp p)
+          In the second argument of ‘($)’, namely
+            ‘\ w
+               -> do p <- getProxy
+                     ensureProperty w (mkp p)’
+       |
+    37 |         ensureProperty w (mkp p)
+       |         ^^^^^^^^^^^^^^
+
+And I don't know how to provide the information to the compiler that `Property a` may be any type under the `UnixLike` 'metatype'
+
+
+
+
+"""]]

diff --git a/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__.mdwn b/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__.mdwn
new file mode 100644
index 00000000..c5ad02cc
--- /dev/null
+++ b/doc/forum/Adding_a_global_Proxy_information_to_an_host___40__and_using_it__41__.mdwn
@@ -0,0 +1,12 @@
+Hello Joey,
+
+I am thinking to add a "Proxy" info to an host, the same way the Apt.proxy (and HostAptProxy) is working so that all services can (optionnally) tap into this information to setup their need for a http[s] proxy (eg. R, WordPress or other CMS/webapp...).
+
+My idea is to write a 'Proxy.hs' module containing just the few functions to set up the host information (let name it `HostProxy`), and use it throught a function `withProxy` taking as argument a function `(HostProxy -> Property w)` and will return a "`Property w`"
+
+Is this a reasonnable way to handle the need ? If I code such a module, would anyone else be interested and would such a solution be accepted on the upstream ?
+Otherwise what would you advise ?
+
+Cheers, and thanks for Propellor !
+
+Serge.

add news item for propellor 5.17
diff --git a/doc/news/version_5.13.mdwn b/doc/news/version_5.13.mdwn
deleted file mode 100644
index 7619e70f..00000000
--- a/doc/news/version_5.13.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-propellor 5.13 released with [[!toggle text="these changes"]]
-[[!toggleable text="""  * Network: Added support for network interfaces with several address
-    stanzas, eg ipv4 and ipv6.
-    Thanks, Nicolas Schodet
-  * Sudo.enabledFor: Deal with new @includedir syntax in sudoers file.
-  * Apt.securityUpdates: Stop generating testing-security lines, as
-    testing-security is unused per debian documentation.
-  * Utility.HumanNumber: Fix rounding bug that could result in
-    sometimes quite wrong values, eg "1.1 GB" when the input value was a
-    few bytes less than 2 GB. Properties in Ccache and Journald that
-    used it to generate config files were affected by this bug."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.17.mdwn b/doc/news/version_5.17.mdwn
new file mode 100644
index 00000000..04bfb556
--- /dev/null
+++ b/doc/news/version_5.17.mdwn
@@ -0,0 +1,3 @@
+propellor 5.17 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Apt: Enable the non-free-firmware section, when used with Debian
+    bookworm or newer."""]]
\ No newline at end of file

add news item for propellor 5.16
diff --git a/doc/news/version_5.12.mdwn b/doc/news/version_5.12.mdwn
deleted file mode 100644
index 3d664ec1..00000000
--- a/doc/news/version_5.12.mdwn
+++ /dev/null
@@ -1,14 +0,0 @@
-propellor 5.12 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Worked around a situation where ghc uses insane amounts of memory
-     displaying an error message about a property of a host having the
-     wrong number of arguments.
-   * Added libghc-type-errors-dev to debian/control recommends, and
-     install it if available when bootstrapping propellor.
-   * Borg: add UseUmask to BorgRepoOpt.
-     Thanks, Nicolas Schodet
-   * Borg: use "{now}" instead of $(date ...)
-     Thanks, Nicolas Schodet
-   * Makefile: Deal with cabal change that made sdist
-     not output tarball to stdout.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.16.mdwn b/doc/news/version_5.16.mdwn
new file mode 100644
index 00000000..4a3aad38
--- /dev/null
+++ b/doc/news/version_5.16.mdwn
@@ -0,0 +1,5 @@
+propellor 5.16 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Debootstrap: Added UseOldGpgKeyring constructor to DebootstrapConfig,
+    which allows bootstrapping ancient stable releases of Debian.
+  * Qemu: Install binfmt-support along with qemu-user-static.
+  * Fix build with unix-2.8.0.0 and with unix-compat-0.7."""]]
\ No newline at end of file

diff --git a/doc/forum/Push__47__pull_from_remote_github_repo.mdwn b/doc/forum/Push__47__pull_from_remote_github_repo.mdwn
index b7e707ee..729c9553 100644
--- a/doc/forum/Push__47__pull_from_remote_github_repo.mdwn
+++ b/doc/forum/Push__47__pull_from_remote_github_repo.mdwn
@@ -1,6 +1,7 @@
 Hi, 
 It's been a while since I have used propellor and getting back to it feels good!
 I am encountering an issue though, when I set a GH remote in my local repository: Running propellor gives me the following message
+
 ```
 Up to date
 Propellor build ... done

diff --git a/doc/forum/Push__47__pull_from_remote_github_repo.mdwn b/doc/forum/Push__47__pull_from_remote_github_repo.mdwn
new file mode 100644
index 00000000..b7e707ee
--- /dev/null
+++ b/doc/forum/Push__47__pull_from_remote_github_repo.mdwn
@@ -0,0 +1,42 @@
+Hi, 
+It's been a while since I have used propellor and getting back to it feels good!
+I am encountering an issue though, when I set a GH remote in my local repository: Running propellor gives me the following message
+```
+Up to date
+Propellor build ... done
+[main 40dbfa8] propellor spin
+Git commit ... done
+Enumerating objects: 1, done.
+Counting objects: 100% (1/1), done.
+Writing objects: 100% (1/1), 715 bytes | 715.00 KiB/s, done.
+Total 1 (delta 0), reused 0 (delta 0), pack-reused 0
+To github.com:abailly-iohk/propellor.git
+   18ae6b9..40dbfa8  main -> main
+Push to central git repository ... done
+gpg: encrypted with 3072-bit RSA key, ID EB759F128BD1217C, created 2022-03-07
+      "Arnaud Bailly <arnaud.bailly@iohk.io>"
+git@github.com: Permission denied (publickey).
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+Pull from central git repository ... failed
+Sending privdata (280 bytes) to cardano.hydra.bzh ... done
+Sending git update to cardano.hydra.bzh ... done
+remote: Enumerating objects: 5, done.
+remote: Counting objects: 100% (5/5), done.
+remote: Compressing objects: 100% (4/4), done.
+remote: Total 4 (delta 1), reused 0 (delta 0), pack-reused 0
+From .
+ * branch            HEAD       -> FETCH_HEAD
+git@github.com: Permission denied (publickey).
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+Pull from central git repository ... failed
+Up to date
+Propellor build ... done
+```
+
+What am I doing wrong?

add news item for propellor 5.15
diff --git a/doc/news/version_5.11.mdwn b/doc/news/version_5.11.mdwn
deleted file mode 100644
index 9dcef85d..00000000
--- a/doc/news/version_5.11.mdwn
+++ /dev/null
@@ -1,13 +0,0 @@
-propellor 5.11 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Fix display of concurrent output from processes when using
-     Propellor.Property.Conductor.
-     (Reversion introduced in version 5.5.0.)
-   * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
-   * Makefile: Fix build with cabal 3.x.
-   * Borg.restored: Fix restoration, which has apparently never worked,
-     at least back to borg 1.0.9.
-     Thanks, Nicolas Schodet.
-   * Borg.init: Added the now required encryption type parameter.
-     Thanks, Nicolas Schodet.
-     (API change)"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.15.mdwn b/doc/news/version_5.15.mdwn
new file mode 100644
index 00000000..6c28be50
--- /dev/null
+++ b/doc/news/version_5.15.mdwn
@@ -0,0 +1,10 @@
+propellor 5.15 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Improve propellor's MetaTypes implementation to avoid an expontential
+    blowup when several MetaTypes fail to unify. This should result in less
+    memory use by ghc when there's a type error.
+  * Avoid OOM when built by ghc 9.2.
+  * Thanks to the ghc developers for their assistance, particularly spj
+    and Sam Derbyshire.
+  * Remove workaround to ghc using a lot of memory displaying an error
+    message about a property of a host having the wrong number of
+    arguments. This brings back clear error messages in such situations."""]]
\ No newline at end of file

rewrite Combine to avoid exponential blowup
* Improve propellor's MetaTypes implementation to avoid an expontential
blowup when several MetaTypes fail to unify. This should result in less
memory use by ghc when there's a type error.
* Avoid OOM when built by ghc 9.2.
* Thanks to the GHC developers for their assistance, particularly spj
and Sam Derbyshire.
Sponsored-by: Noam Kremen on Patreon
diff --git a/debian/changelog b/debian/changelog
index 8874bc45..93fcaec0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,13 @@
-propellor (5.14.1) unstable; urgency=medium
+propellor (5.15) UNRELEASED; urgency=medium
 
-  * Fix config.hs example, which was accidentially joeyconfig.hs in the
-    previous release.
+  * Improve propellor's MetaTypes implementation to avoid an expontential
+    blowup when several MetaTypes fail to unify. This should result in less
+    memory use by ghc when there's a type error.
+  * Avoid OOM when built by ghc 9.2.
+  * Thanks to the GHC developers for their assistance, particularly spj
+    and Sam Derbyshire.
 
- -- Joey Hess <id@joeyh.name>  Sat, 15 Oct 2022 14:44:01 -0400
+ -- Joey Hess <id@joeyh.name>  Tue, 15 Nov 2022 14:48:25 -0400
 
 propellor (5.14) unstable; urgency=medium
 
diff --git a/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn b/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn
index c83afe87..de1e2268 100644
--- a/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn
+++ b/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn
@@ -3,3 +3,5 @@ This is a known bug in ghc, and a fix is being discussed here
 
 It might be that changes to propellor's MetaTypes implementation would
 avoid the problem. --[[Joey]]
+
+> [[fixed|done]] --[[Joey]]
diff --git a/src/Propellor/Types/MetaTypes.hs b/src/Propellor/Types/MetaTypes.hs
index 7cef578e..fd25142c 100644
--- a/src/Propellor/Types/MetaTypes.hs
+++ b/src/Propellor/Types/MetaTypes.hs
@@ -128,11 +128,22 @@ type family Concat (list1 :: [a]) (list2 :: [a]) :: [a] where
 -- | Combine two MetaTypes lists, yielding a list
 -- that has targets present in both, and nontargets present in either.
 type family Combine (list1 :: [a]) (list2 :: [a]) :: [a] where
-	Combine (list1 :: [a]) (list2 :: [a]) =
-		(Concat
-			(NonTargets list1 `Union` NonTargets list2)
-			(Targets list1 `Intersect` Targets list2)
-		)
+	Combine ('WithInfo : list1) ('WithInfo : list2) = 'WithInfo ':
+		list1 `Intersect` list2
+	Combine ('WithInfo : list1) list2 = 'WithInfo ':
+		list1 `Intersect` list2
+	Combine list1 ('WithInfo : list2) = 'WithInfo ':
+		list1 `Intersect` list2
+	Combine list1 list2 =
+		list1 `Intersect` list2
+	-- This is a cleaner implementation, but it causes an exponential
+	-- blowup of the type checker due to referencing list1 twice on
+	-- the right hand side.
+	-- Combine (list1 :: [a]) (list2 :: [a]) =
+	--	(Concat
+	--		(NonTargets list1 `Union` NonTargets list2)
+	--		(Targets list1 `Intersect` Targets list2)
+	--	)
 
 -- | Checks if two MetaTypes lists can be safly combined;
 -- eg they have at least one Target in common.

todo
diff --git a/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn b/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn
new file mode 100644
index 00000000..c83afe87
--- /dev/null
+++ b/doc/todo/ghc_9.2_OOMS_building_propellor.mdwn
@@ -0,0 +1,5 @@
+This is a known bug in ghc, and a fix is being discussed here
+<https://gitlab.haskell.org/ghc/ghc/-/issues/21994>.
+
+It might be that changes to propellor's MetaTypes implementation would
+avoid the problem. --[[Joey]]

add news item for propellor 5.14.1
diff --git a/doc/news/version_5.10.2.mdwn b/doc/news/version_5.10.2.mdwn
deleted file mode 100644
index 264b7f60..00000000
--- a/doc/news/version_5.10.2.mdwn
+++ /dev/null
@@ -1,10 +0,0 @@
-propellor 5.10.2 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Fix build with ghc 8.6.3.
-     Thanks, Robin Munn
-   * Bootstrap: Fix typo in Arch Linux dependencies.
-     Thanks, Robin Munn
-   * Bootstrap: Add haskell-type-errors package on Arch Linux.
-     Thanks, Robin Munn
-   * Apt.buildDepIn: Run build-dep command in a temporary directory,
-     since it may sometimes not clean up all the files it creates."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.14.1.mdwn b/doc/news/version_5.14.1.mdwn
new file mode 100644
index 00000000..c738aac3
--- /dev/null
+++ b/doc/news/version_5.14.1.mdwn
@@ -0,0 +1,3 @@
+propellor 5.14.1 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Fix config.hs example, which was accidentially joeyconfig.hs in the
+    previous release."""]]
\ No newline at end of file

add news item for propellor 5.14
diff --git a/doc/news/version_5.10.1.mdwn b/doc/news/version_5.10.1.mdwn
deleted file mode 100644
index 797664be..00000000
--- a/doc/news/version_5.10.1.mdwn
+++ /dev/null
@@ -1,15 +0,0 @@
-propellor 5.10.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ Joey Hess ]
-   * Localdir.hasOriginUrl: Depend on Git.installed.
-   * Localdir.hasOriginUrl: Type changed from UnixLike to DebianLike
-     because Git.installed is not implemented for other unixes.
-     (API change)
-   * Changed the ChrootBootstrapper type class's buildchroot method
-     to take a Info parameter, instead of Maybe System.
-     (The System can be extracted from the Info.)
-     (API change)
- * [ Sean Whitton ]
-   * Chroot.{de,}bootstrapped uses the chroot's configured apt proxy and
-     mirror, if these exist, when debootstrapping the chroot.
-   * Rename Sbuild.useHostProxy -&gt; Chroot.useHostProxy. (API change)"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.14.mdwn b/doc/news/version_5.14.mdwn
new file mode 100644
index 00000000..e3289b85
--- /dev/null
+++ b/doc/news/version_5.14.mdwn
@@ -0,0 +1,26 @@
+propellor 5.14 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Removed Propellor.Property.OpenID module, since the simpleid package
+    got removed from Debian.
+  * Renamed Linode.mlocateEnabled to Linode.locateEnabled, and made it also
+    make sure plocate is enabled, if it's installed rather than mlocate.
+    (API change)
+  * Debootstrap.built: Stop using the deprecated qemu-debootstrap
+    for bootstrapping foreign architectures. It is not needed since qemu
+    2.12, which, at least on Debian, enabled the
+    binfmt-support --fix-binary option.
+  * Qemu.removeHostEmulationBinary: Removed this property, which is no
+    longer necessary since qemu-debootstrap is not used.
+    (API change)
+  * Flashkernel.installed: Deal with a behavior change in flash-kernel,
+    which will fail to install if is not configured first.
+  * Systemd.resolvConfed is no longer enabled by default in systemd
+    containers. It is probably not necessary on current systems the way it
+    was back in 2014, and this avoids a problem where the host's
+    /etc/resolv.conf gets overwritten when systemd is managing the
+    container's /etc/resolv.conf.
+  * Borg: To support borg 1.2, run borg compact to free up space after pruning.
+  * Add lower bounds on async and split.
+    Thanks, Simon Jakobi
+  * propellor.cabal: Deduplicate exposed modules, which fixes a build
+    problem with recent cabal versions.
+    Thanks, Simon Jakobi"""]]
\ No newline at end of file

propellor.cabal: Deduplicate exposed modules
which fixes a build problem with recent cabal versions
Thanks, Simon Jakobi
diff --git a/debian/changelog b/debian/changelog
index 1929d6c5..bd8a7b38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,9 @@ propellor (5.14) UNRELEASED; urgency=medium
     container's /etc/resolv.conf. 
   * Add lower bounds on async and split.
     Thanks, Simon Jakobi
+  * propellor.cabal: Deduplicate exposed modules, which fixes a build
+    problem with recent cabal versions.
+    Thanks, Simon Jakobi
 
  -- Joey Hess <id@joeyh.name>  Sat, 14 Aug 2021 14:27:27 -0400
 
diff --git a/doc/todo/Deduplicate_exposed-modules.mdwn b/doc/todo/Deduplicate_exposed-modules.mdwn
index ebee63b4..124cf702 100644
--- a/doc/todo/Deduplicate_exposed-modules.mdwn
+++ b/doc/todo/Deduplicate_exposed-modules.mdwn
@@ -12,3 +12,5 @@
 ```
 
 Context: https://github.com/haskell/cabal/issues/6006#issuecomment-1210344593
+
+> [[done]], thank you! --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 225ba689..f5e2ba33 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -224,7 +224,6 @@ Library
     Utility.Process.Transcript
     Utility.SafeCommand
     Utility.Scheduled
-    Utility.Scheduled
     Utility.Split
     Utility.SystemDirectory
     Utility.Table

Add lower bounds on async and split
Thanks, Simon Jakobi
diff --git a/debian/changelog b/debian/changelog
index 1db78df7..1929d6c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ propellor (5.14) UNRELEASED; urgency=medium
     was back in 2014, and this avoids a problem where the host's
     /etc/resolv.conf gets overwritten when systemd is managing the
     container's /etc/resolv.conf. 
+  * Add lower bounds on async and split.
+    Thanks, Simon Jakobi
 
  -- Joey Hess <id@joeyh.name>  Sat, 14 Aug 2021 14:27:27 -0400
 
diff --git a/doc/todo/Add_lower_bounds_on_async_and_split.mdwn b/doc/todo/Add_lower_bounds_on_async_and_split.mdwn
index 0b2daf2b..c07c5f65 100644
--- a/doc/todo/Add_lower_bounds_on_async_and_split.mdwn
+++ b/doc/todo/Add_lower_bounds_on_async_and_split.mdwn
@@ -41,3 +41,5 @@ src/Propellor/Property/Dns.hs:29:44: error:
 29 | import qualified Data.List.Split as Split (chunksOf)
    |                                            ^^^^^^^^
 ```
+
+> [[done]], thank you --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 4ad47643..225ba689 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -47,9 +47,10 @@ Library
     -- propellor needs to support the ghc shipped in Debian stable,
     -- and also only depends on packages in Debian stable.
     base >= 4.9, base < 5,
-    directory, filepath, IfElse, process, bytestring, hslogger, split,
-    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+    directory, filepath, IfElse, process, bytestring, hslogger,
+    split (>= 0.2.0.0), unix, unix-compat, ansi-terminal, containers (>= 0.5),
+    network, async (>= 2.0.0.0), time, mtl, transformers, exceptions (>= 0.6),
+    stm, text, hashable
   if flag(WithTypeErrors)
     Build-Depends: type-errors
     CPP-Options: -DWITH_TYPE_ERRORS

diff --git a/doc/todo/Add_lower_bounds_on_async_and_split.mdwn b/doc/todo/Add_lower_bounds_on_async_and_split.mdwn
new file mode 100644
index 00000000..0b2daf2b
--- /dev/null
+++ b/doc/todo/Add_lower_bounds_on_async_and_split.mdwn
@@ -0,0 +1,43 @@
+```diff
+--- a/propellor.cabal
++++ b/propellor.cabal
+@@ -47,9 +47,10 @@ Library
+     -- propellor needs to support the ghc shipped in Debian stable,
+     -- and also only depends on packages in Debian stable.
+     base >= 4.9, base < 5,
+-    directory, filepath, IfElse, process, bytestring, hslogger, split,
+-    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
+-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
++    directory, filepath, IfElse, process, bytestring, hslogger,
++    split (>= 0.2.0.0), unix, unix-compat, ansi-terminal, containers (>= 0.5),
++    network, async (>= 2.0.0.0), time, mtl, transformers, exceptions (>= 0.6),
++    stm, text, hashable
+   if flag(WithTypeErrors)
+     Build-Depends: type-errors
+     CPP-Options: -DWITH_TYPE_ERRORS
+```
+
+The added bounds prevent the following build errors:
+
+```
+src/System/Console/Concurrent/Internal.hs:28:1: error:
+    Could not load module ‘Control.Concurrent.Async’
+    It is a member of the hidden package ‘async-2.2.4’.
+    Perhaps you need to add ‘async’ to the build-depends in your .cabal file.
+    It is a member of the hidden package ‘async-2.2.4’.
+    Perhaps you need to add ‘async’ to the build-depends in your .cabal file.
+    it is a hidden module in the package ‘tasty-1.4.2.3’
+    Use -v (or `:set -v` in ghci) to see a list of the files searched for.
+   |
+28 | import Control.Concurrent.Async
+   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+```
+
+
+```
+src/Propellor/Property/Dns.hs:29:44: error:
+    Module ‘Data.List.Split’ does not export ‘chunksOf’
+   |
+29 | import qualified Data.List.Split as Split (chunksOf)
+   |                                            ^^^^^^^^
+```

diff --git a/doc/todo/Deduplicate_exposed-modules.mdwn b/doc/todo/Deduplicate_exposed-modules.mdwn
new file mode 100644
index 00000000..ebee63b4
--- /dev/null
+++ b/doc/todo/Deduplicate_exposed-modules.mdwn
@@ -0,0 +1,14 @@
+```diff
+--- a/propellor.cabal
++++ b/propellor.cabal
+@@ -223,7 +223,6 @@ Library
+     Utility.Process.Transcript
+     Utility.SafeCommand
+     Utility.Scheduled
+-    Utility.Scheduled
+     Utility.Split
+     Utility.SystemDirectory
+     Utility.Table
+```
+
+Context: https://github.com/haskell/cabal/issues/6006#issuecomment-1210344593

update
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c442c977..9c5ee1aa 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -58,6 +58,10 @@ Waiting on concurrent-output reaching Debian stable.
 > > > >
 > > > > So, propellor will embed the old concurrent-output until
 > > > > process-1.6 is in debian oldstable, and then revert
-> > > > [[!commit ]] and version propellor's dep on process,
+> > > > [[!commit 9c08fa24f2e2bf07413b151656c373d873de7298]] and version propellor's dep on process,
 > > > > and then, finally, once concurrent-output 1.10.12 is in oldstable
 > > > > propellor can stop embedding it. --[[Joey]]
+> > > > 
+> > > > > process-1.6 is in ghc-8.2.2, and oldstable (buster) has 8.4.4, so
+> > > > > the above reversion can be done now, as long as it's ok to break
+> > > > > support for oldoldstable (stretch). --[[Joey]]

close
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
index b3a3cd90..3cca98a8 100644
--- a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
@@ -27,3 +27,5 @@ It looks like ghc in Debian unstable is defaulting to new style cabal builds whi
 I think the simplest fix is to replace `cabal build` with `cabal v1-build` in `Propellor.Bootstrap.buildCommand`?
 
 --spwhitton
+
+> [[done]] --[[Joey]]
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment
new file mode 100644
index 00000000..acc47e50
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2021-10-21T02:25:10Z"
+ content="""
+Finally tested this, it works.
+"""]]

add news item for propellor 5.13
diff --git a/doc/news/version_5.13.mdwn b/doc/news/version_5.13.mdwn
new file mode 100644
index 00000000..7619e70f
--- /dev/null
+++ b/doc/news/version_5.13.mdwn
@@ -0,0 +1,11 @@
+propellor 5.13 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Network: Added support for network interfaces with several address
+    stanzas, eg ipv4 and ipv6.
+    Thanks, Nicolas Schodet
+  * Sudo.enabledFor: Deal with new @includedir syntax in sudoers file.
+  * Apt.securityUpdates: Stop generating testing-security lines, as
+    testing-security is unused per debian documentation.
+  * Utility.HumanNumber: Fix rounding bug that could result in
+    sometimes quite wrong values, eg "1.1 GB" when the input value was a
+    few bytes less than 2 GB. Properties in Ccache and Journald that
+    used it to generate config files were affected by this bug."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.9.1.mdwn b/doc/news/version_5.9.1.mdwn
deleted file mode 100644
index dd7bcd5e..00000000
--- a/doc/news/version_5.9.1.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-propellor 5.9.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Apt: Debian has changed the name of the suite for testing security updates
-     from testing to testing-security.
-   * Apt: Also the suite for stable releases from bullseye on will be
-     suffixed with "-security".
-   * Apt.update: Pass --allow-releaseinfo-change when updating Unstable
-     or Testing, so that code name changes that happen in those suites
-     during a stable release don't prevent updating the rolling suites.
-   * Systemd.machined: Fix a bug that caused the systemd-container package
-     to not be installed when used with Debian buster."""]]
\ No newline at end of file

diff --git a/doc/forum/Problem_with_boolSystem_and_download.mdwn b/doc/forum/Problem_with_boolSystem_and_download.mdwn
new file mode 100644
index 00000000..b261e045
--- /dev/null
+++ b/doc/forum/Problem_with_boolSystem_and_download.mdwn
@@ -0,0 +1,20 @@
+Hello,
+
+To settup a control system for a RAID interface, I have to install a binary from downloading on internet.
+I am using the function downlaod that I copied over from deboostrap (src/Propellor/Property/Debootstrap.hs):
+
+    download :: Url -> FilePath -> IO Bool
+    download url dest = anyM id
+                    [ boolSystem "curl" [Param "-o", File dest, Param url]
+                    , boolSystem "wget" [Param "-O", File dest, Param url]
+                    ]
+
+As I read it, it should try to download using first `curl`, then `wget`. On this system, `curl` is not installed (but `wget` is). When the property is run I get the following warning :
+
+    ** warning: curl: createProcess: runInteractiveProcess: exec: does not exist (No such file or directory)
+
+Clearly indicating that it does not manage to download using `curl (expected), but then, instead of trying with `wget` it fails with message :
+
+    download ... ... failed
+
+I understand that the `anyM` is interupted before running the second element of the command list. I suspexct that `boolSystem` is not returning `false` when `curl` does not exist, but rather throwing some kind of exception (interupting the anyM tentatives).

Network: Added support for network interfaces with several address stanzas, eg ipv4 and ipv6. Thanks, Nicolas Schodet
diff --git a/debian/changelog b/debian/changelog
index 7579f0d7..84e010b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.13) UNRELEASED; urgency=medium
+
+  * Network: Added support for network interfaces with several address
+    stanzas, eg ipv4 and ipv6.
+    Thanks, Nicolas Schodet
+
+ -- Joey Hess <id@joeyh.name>  Sat, 02 Jan 2021 11:39:47 -0400
+
 propellor (5.12) unstable; urgency=medium
 
   * Worked around a situation where ghc uses insane amounts of memory
diff --git a/doc/todo/Support_for_several_interfaces_stanzas.mdwn b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
index 1d425064..0dba7f5d 100644
--- a/doc/todo/Support_for_several_interfaces_stanzas.mdwn
+++ b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
@@ -9,3 +9,5 @@ should contains something like this:
 
 I made a patch for Network to allow this, please pull the network-stanzas branch at
 http://git.ni.fr.eu.org/nicolas/propellor.git.
+
+> Great, I've applied this. [[done]] --[[Joey]]

diff --git a/doc/todo/Support_for_several_interfaces_stanzas.mdwn b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
new file mode 100644
index 00000000..1d425064
--- /dev/null
+++ b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
@@ -0,0 +1,11 @@
+When configuring both IPv4 and IPv6 for an interface, the interfaces files
+should contains something like this:
+
+    auto eth0
+    iface eth0 inet static
+        address 192.168.1.1
+    iface eth0 inet6 static
+        address fdb2:c09e:ee01:1:1
+
+I made a patch for Network to allow this, please pull the network-stanzas branch at
+http://git.ni.fr.eu.org/nicolas/propellor.git.

Added a comment
diff --git a/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment b/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment
new file mode 100644
index 00000000..bb400cf9
--- /dev/null
+++ b/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 1"
+ date="2020-12-19T21:46:21Z"
+ content="""
+Workaround: move the secret key elsewhere, then remove the key from the propellor keyring.
+
+I tried with `--disable-dirmngr` with no success.
+"""]]

diff --git a/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn b/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn
new file mode 100644
index 00000000..5e95898d
--- /dev/null
+++ b/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn
@@ -0,0 +1,30 @@
+Hi,
+
+Using the Debian stable package (which downloaded and built the most recent version), `propellor --init` offered to use an expired GPG key. Details are below.
+
+Thanks for another great piece of software, and thanks for using Haskell!
+
+Kind regards,
+Felix Lechner
+
+* * *
+
+    Propellor build ... done
+    
+    Great! Propellor is bootstrapped.
+    
+    ------------------------------------------------------------------------------
+    
+    Propellor can use gpg to encrypt private data about the systems it manages,
+    and to sign git commits.
+    
+    I see you have several gpg keys:
+    ...
+       5   Felix Lechner <felix.lechner@gmail.com>  (keyid 6C0CC7F6ED41E279)
+    Which of your gpg keys should propellor use? [1|2|3|4|5] 
+
+but also (please note the `revoked` indicators)
+
+    sec   dsa1024/0x6C0CC7F6ED41E279 2005-12-07 [SCA] [revoked: 2009-08-24]
+          Key fingerprint = FF3A 9F1A EF4D 24A0 56A8  1026 6C0C C7F6 ED41 E279
+    uid                   [ revoked] Felix Lechner <felix.lechner@gmail.com>

add news item for propellor 5.12
diff --git a/doc/news/version_5.12.mdwn b/doc/news/version_5.12.mdwn
new file mode 100644
index 00000000..3d664ec1
--- /dev/null
+++ b/doc/news/version_5.12.mdwn
@@ -0,0 +1,14 @@
+propellor 5.12 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Worked around a situation where ghc uses insane amounts of memory
+     displaying an error message about a property of a host having the
+     wrong number of arguments.
+   * Added libghc-type-errors-dev to debian/control recommends, and
+     install it if available when bootstrapping propellor.
+   * Borg: add UseUmask to BorgRepoOpt.
+     Thanks, Nicolas Schodet
+   * Borg: use "{now}" instead of $(date ...)
+     Thanks, Nicolas Schodet
+   * Makefile: Deal with cabal change that made sdist
+     not output tarball to stdout.
+     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.9.0.mdwn b/doc/news/version_5.9.0.mdwn
deleted file mode 100644
index 160b1187..00000000
--- a/doc/news/version_5.9.0.mdwn
+++ /dev/null
@@ -1,26 +0,0 @@
-propellor 5.9.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Added custom type error messages when Properties don't combine due to
-     conflicting MetaTypes.
-   * Added custom type error messages for ensureProperty and tightenTargets.
-   * Note that those changes made ghc 8.0.1 in a few cases unable to infer
-     types when ensureProperty or tightenTargets is used, while later ghc
-     versions had no difficulty. If this affects building your properties,
-     adding a type annotation to the code will work around the problem.
-   * Added custom type error messages displayed when type inference
-     fails when using ensureProperty and tightenTargets, that suggest
-     adding a type annotation.
-   * Use the type-errors library to detect when the type checker gets stuck
-     unable to reduce type-level operations on MetaTypes, and avoid
-     displaying massive error messages.
-   * But, since type-errors is a new library not available in eg Debian
-     yet, added a WithTypeErrors build flag. When the library is not
-     available, cabal will automatically disable that build flag,
-     and it will build without the type-errors library.
-   * EnsurePropertyAllowed, TightenTargetsAllowed, and CheckCombinable
-     types have changed to Constraint.
-     (API change)
-   * Try harder to avoid displaying an excessive amount of type error
-     messages when many properties have been combined in a props list.
-   * Libvirt.installed: install libvirt-daemon-system
-     Thanks, David Bremner"""]]
\ No newline at end of file

diff --git a/doc/todo/specify_partition_table_offset.mdwn b/doc/todo/specify_partition_table_offset.mdwn
new file mode 100644
index 00000000..c2a8e65b
--- /dev/null
+++ b/doc/todo/specify_partition_table_offset.mdwn
@@ -0,0 +1,19 @@
+I was trying to use propellor to build an image for a RockPro64 board.
+
+It'd be convenient if there was an easier way to specify where on the disk a partition should start.
+
+The board seems to assume a specific partition layout that's difficult to do with propellor commands.
+
+See http://opensource.rock-chips.com/wiki_Partitions for the official layout.
+
+And a community built image for the RockPro64's table looks like this:
+
+    Number  Start   End     Size    Type     File system  Flags
+     1      16.8MB  83.9MB  67.1MB  primary  fat32        boot, lba
+     2      134MB   5377MB  5243MB  primary  ext4         boot
+
+While the one I generated with propellor (that doesn't work) looks like:
+
+    Number  Start   End     Size    File system  Name     Flags
+     1      4194kB  273MB   268MB   ext2         primary  boot, esp
+     2      273MB   1854MB  1581MB  ext4         primary

Worked around a situation where ghc uses insane amounts of memory displaying an error message about a property of a host having the wrong number of arguments
This is suboptimal, and I hope ghc improves eventually.
But it's a lot better than using all available memory.
This commit was sponsored by Svenne Krap on Patreon.
diff --git a/debian/changelog b/debian/changelog
index f2505f06..de1914c2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 propellor (5.12) UNRELEASED; urgency=medium
 
+  * Worked around a situation where ghc uses insane amounts of memory
+    displaying an error message about a property of a host having the
+    wrong number of arguments.
   * Added libghc-type-errors-dev to debian/control recommends, and
     install it if available when bootstrapping propellor.
   * Borg: add UseUmask to BorgRepoOpt.
diff --git a/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn b/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn
new file mode 100644
index 00000000..d6812b89
--- /dev/null
+++ b/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn
@@ -0,0 +1,127 @@
+Some simple mistakes in config.hs can make ghc use gigabytes of memory,
+apparently just to display a huge type error message.
+
+For example, add this to the beginning of
+a Host that has a few dozen other properties after it:
+
+	& Apt.setSourcesListD [] -- missing a parameter
+
+The size of the ghc error output doubles with each added property.
+With 7 it is 518 lines, with 8, 1030 lines. Once it's up to 100000 lines or
+so, it's already using almost a gigabyte of memory.
+
+The error message looks like this (when built with -f-WithTypeErrors):
+
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property HasInfo + Debian
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes y0
+	...
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes
+	                   (Propellor.Types.MetaTypes.Concat
+	                      (Data.Type.Bool.If
+	                         (Propellor.Types.MetaTypes.Elem
+	                            'Propellor.Types.MetaTypes.WithInfo
+	                            (Propellor.Types.MetaTypes.NonTargets y0))
+	                         (Propellor.Types.MetaTypes.NonTargets y0)
+	                         ('Propellor.Types.MetaTypes.WithInfo
+	                            : Propellor.Types.MetaTypes.NonTargets y0))
+	                      (Data.Type.Bool.If
+	                         (Propellor.Types.MetaTypes.Elem
+	                            ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                            (Propellor.Types.MetaTypes.Targets y0))
+	                         '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                         '[]))
+	        Property Debian + Buntish
+	...
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes
+	                   (Propellor.Types.MetaTypes.Concat
+	                      (Propellor.Types.MetaTypes.Union
+	                         (Propellor.Types.MetaTypes.NonTargets
+	                            (Propellor.Types.MetaTypes.Concat
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     'Propellor.Types.MetaTypes.WithInfo
+	                                     (Propellor.Types.MetaTypes.NonTargets y0))
+	                                  (Propellor.Types.MetaTypes.NonTargets y0)
+	                                  ('Propellor.Types.MetaTypes.WithInfo
+	                                     : Propellor.Types.MetaTypes.NonTargets y0))
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                                     (Propellor.Types.MetaTypes.Targets y0))
+	                                  '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                                  '[])))
+	                         '[])
+	                      (Propellor.Types.MetaTypes.Intersect
+	                         (Propellor.Types.MetaTypes.Targets
+	                            (Propellor.Types.MetaTypes.Concat
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     'Propellor.Types.MetaTypes.WithInfo
+	                                     (Propellor.Types.MetaTypes.NonTargets y0))
+	                                  (Propellor.Types.MetaTypes.NonTargets y0)
+	                                  ('Propellor.Types.MetaTypes.WithInfo
+	                                     : Propellor.Types.MetaTypes.NonTargets y0))
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                                     (Propellor.Types.MetaTypes.Targets y0))
+	                                  '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                                  '[])))
+	                         '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian,
+	                            'Propellor.Types.MetaTypes.Targeting 'OSBuntish]))
+	        Property Debian + Buntish
+
+Since the type checker is getting stuck it pretty-prints the type level
+expression it was trying to solve, all expanded out, so this can get
+arbitrarily huge.
+
+This really seems like a ghc bug, and may be worth filing? But maybe propellor
+could also avoid it. Perhaps there's some way to write the MetaTypes code
+that avoids this.
+
+Hmm, the "Cannot combine properties" custom type message includes the types
+of the two properties in question. I tried leaving those out, and the error
+message is no longer huge. (But also not comprehensible in other cases.)
+Here's how that change affected memory use:
+
+	-50.50user 4.79system 0:59.28elapsed 93%CPU (0avgtext+0avgdata 2010848maxresident)k
+	+8.70user 0.72system 0:09.41elapsed 100%CPU (0avgtext+0avgdata 964804maxresident)k
+
+Wow! (900 mb or so is what it usually takes to build my config, so there's
+no excess memory use at all really after that change.)
+
+So there are changes to propellor that basically solve this, looks like.
+Question is, how to solve it without eliminating nice things like
+
+	    • Cannot combine Properties:
+	        Property HasInfo + Debian
+	        Property HasInfo + FreeBSD
+
+WithTypeErrors tries to detect just that case, making that message
+check if they're stuck, and not display them. That works as far
+as preventing displaying massive type errors, but ghc still
+uses too much memory despite not displaying them. Here's the
+memory use when it's enabled:
+
+	20.48user 1.36system 0:21.96elapsed 99%CPU (0avgtext+0avgdata 1942220maxresident)k
+
+I think what's probably going on is, WithTypeErrors uses IsStuck, which
+causes ghc to do an equivilant amount of buffering as displaying the type would.
+
+Well, I can't see a way to keep the nice display of metatypes in the non-stuck
+case, while avoiding blowup in the stuck case. But on the other hand,
+it's pretty unusual to actually try to use a FreeBSD on a Debian system
+when adding properties to a host. The metatypes are really more useful
+when programming properties, to eg, avoid using Apt.installed inside
+some property that's LinuxLike and so also needs an implementation for 
+non-Debian.
+
+So, ok, we'll skip displaying the metatypes when (&) is used to combine
+properties eg in a Host definition, but display it when properties are combined
+in other ways. [[done]] --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index e46adc40..29e6ecd4 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -36,7 +36,7 @@ Description:
  It is configured using haskell.
 
 Flag WithTypeErrors
-  Description: Build with type-errors library for better error messages
+  Description: Build with type-errors library for better error messages and less memory use
 
 Library
   Default-Language: Haskell98
diff --git a/src/Propellor/Types/MetaTypes.hs b/src/Propellor/Types/MetaTypes.hs
index 055338af..7cef578e 100644
--- a/src/Propellor/Types/MetaTypes.hs
+++ b/src/Propellor/Types/MetaTypes.hs
@@ -169,10 +169,10 @@ type family CheckCombinableNote (list1 :: [a]) (list2 :: [a]) (note :: ErrorMess
 				('Just ('Text "(" ':<>: note ':<>: 'Text ")"))
 			)
 
--- Checking IfStuck is to avoid massive and useless error message leaking 
--- type families from this module.
 type family CannotCombine (list1 :: [a]) (list2 :: [a]) (note :: Maybe ErrorMessage) :: Constraint where
-	CannotCombine list1 list2 note = 
+	-- Checking IfStuck is to avoid ugly error
+	-- message leaking type families from this module.
+	CannotCombine list1 list2 'Nothing = 
 		IfStuck list1
 			(IfStuck list2
 				(DelayError (CannotCombineMessage UnknownType UnknownType UnknownTypeNote))
@@ -180,8 +180,21 @@ type family CannotCombine (list1 :: [a]) (list2 :: [a]) (note :: Maybe ErrorMess
 			)
 			(IfStuck list2
 				(DelayError (CannotCombineMessage (PrettyPrintMetaTypes list1) UnknownType UnknownTypeNote))
-				(DelayErrorFcf (CannotCombineMessage (PrettyPrintMetaTypes list1) (PrettyPrintMetaTypes list2) note))
+				(DelayErrorFcf (CannotCombineMessage (PrettyPrintMetaTypes list1) (PrettyPrintMetaTypes list2) 'Nothing))
 			)
+	-- When there's a note, don't display the MetaTypes at all.
+	-- This is because the note is used when eg, combining properties
+	-- in a host with (&), and in that case, it's likely that the
+	-- problem resulted in the type checker getting stuck, and that
+	-- displaying the MetaTypes would involve a massive error messsage.
+	-- Displaying, or even checking IfStuck in that case can result in
+	-- huge amounts of memory being used by ghc. So, avoid it, and let
+	-- the note point the user in the right direction to fixing their
+	-- mistake.
+	CannotCombine list1 list2 ('Just note) = 
+		TypeError ('Text "Cannot combine two Properties."
+			':$$: 'Text "(They may have conflicting MetaTypes, or the wrong number of arguments.)"
+			':$$: note)
 
 type family UnknownType :: ErrorMessage where
 	UnknownType = 'Text "<unknown>"

merged nicolas/borg-umask
diff --git a/debian/changelog b/debian/changelog
index 849d132d..f2505f06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ propellor (5.12) UNRELEASED; urgency=medium
 
   * Added libghc-type-errors-dev to debian/control recommends, and
     install it if available when bootstrapping propellor.
+  * Borg: add UseUmask to BorgRepoOpt.
+    Thanks, Nicolas Schodet
+  * Borg: use "{now}" instead of $(date ...)
+    Thanks, Nicolas Schodet
 
  -- Joey Hess <id@joeyh.name>  Thu, 27 Aug 2020 20:57:48 -0400
 
diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
index 64ca8b83..74284c2d 100644
--- a/doc/todo/Add_Borg.UseUmask.mdwn
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -7,3 +7,5 @@ Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.g
 As a side change, I use `{now}` instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
 
 Tested with stretch and buster.
+
+> [[merged|done]] thanks for the contribution. --[[Joey]]

Added a comment
diff --git a/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment b/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment
new file mode 100644
index 00000000..f2db3de5
--- /dev/null
+++ b/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment
@@ -0,0 +1,38 @@
+[[!comment format=mdwn
+ username="jsza"
+ avatar="http://cdn.libravatar.org/avatar/72c6bc8c0cdfb0fff175e90c3b036415"
+ subject="comment 9"
+ date="2020-08-24T13:06:47Z"
+ content="""
+Hi, I'm trying to spin using the `Precompiled.precompiled` property from the `precompiled`, branch after having merged master. The first time trying to spin after adding the property, this error occurs:
+
+    > ./propellor --spin host_redacted
+    Build profile: -w ghc-8.8.4 -O1
+    In order, the following will be built (use -v for more details):
+     - propellor-5.11 (exe:propellor-config) (file executables/propellor-config.hs changed)
+    Preprocessing executable 'propellor-config' for propellor-5.11..
+    Building executable 'propellor-config' for propellor-5.11..
+    [1 of 1] Compiling Main             ( executables/propellor-config.hs, /home/jayess/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.4/propellor-5.11/x/propellor-config/build/propellor-config/propellor-config-
+    tmp/Main.o )
+    Linking /home/jayess/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.4/propellor-5.11/x/propellor-config/build/propellor-config/propellor-config ...
+    Propellor build ... done
+    <git push output snipped>
+    ldd: bin/propellor: No such file or directory
+    propellor: user error (ldd [\"bin/propellor\"] exited 1)
+
+
+Subsequent spin attempts produce this error:
+
+    > ./propellor --spin us4.tempus.xyz
+    Up to date
+    Propellor build ... done
+    <git push output snipped>
+    cp: cannot stat '/home/jayess/propellor/propellor (deleted)': No such file or directory
+    ** error: failed copying in propellor
+    propellor: Cannot continue!
+    CallStack (from HasCallStack):
+      error, called at src/Propellor/Message.hs:143:9 in propellor-5.11-inplace:Propellor.Message
+
+I think `Propellor.Spin.sendPrecompiled` might itself be broken, but I can't quite wrap my head around what's going on here. Any ideas? I'm using `cabal 3.0.0.0` in Debian Unstable.
+
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment
new file mode 100644
index 00000000..fa241e4b
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 6"
+ date="2020-08-23T02:22:06Z"
+ content="""
+I confirmed that privdata is being transmitted, but that my test file is not. The resulting `/usr/local/propellor/privdata/local` file is not obviously corrupted, but does not contain the string \"/root/foo\". The file \"/root/foo\" also does not show as used anywhere in the output of `propellor --list-fields`. I'm not sure if that is surprising or not.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment
new file mode 100644
index 00000000..dde10ae4
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 5"
+ date="2020-08-22T20:13:07Z"
+ content="""
+In answer to my own question, it's not related to the content.
+Here we can see a PrivFile has content:
+[[!format text \"\"\"
+╭─ convex:~/.propellor 
+╰─ (git)-[master]-% propellor --dump 'PrivFile \"/root/foo\"' 'any'
+[2020-08-22 16:57:32 ADT] command line:  Dump (PrivFile \"/root/foo\") (Context \"any\")
+[2020-08-22 16:57:32 ADT] read: git [\"config\",\"gpg.program\"]
+[2020-08-22 16:57:32 ADT] process done ExitFailure 1
+[2020-08-22 16:57:32 ADT] chat: gpg [\"--decrypt\",\"privdata/privdata.gpg\"]
+gpg: encrypted with 4096-bit RSA key, ID 70E3C0DE87068451, created 2019-06-08
+      \"David Bremner <bremner@debian.org>\"
+[2020-08-22 16:57:33 ADT] process done ExitSuccess
+sekrit
+\"\"\"]]
+On the other hand, when running `propellor --spin convex.local` I get
+[[!format text \"\"\"
+** warning: Missing privdata PrivFile \"/root/foo\" (for any)
+Fix this by running:
+  propellor --set 'PrivFile \"/root/foo\"' 'any' \
+    < /root/foo
+\"\"\"]]
+
+I tried with a different workstation, spinning itself, and the same machine as above (\"convex\"), with the same results.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment
new file mode 100644
index 00000000..a2688611
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment
@@ -0,0 +1,26 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 4"
+ date="2020-08-22T17:02:41Z"
+ content="""
+OK, I belatedly see what you mean. It's not relevant if the remote privdata.gpg blob matches or not, since iiuc, only the local one is used by --spin.
+
+I'm having a similar issue with `Property.Gpg.keyImported`.
+
+[[!format text \"\"\"
+** warning: Missing privdata GpgKey (for 815B63982A79F8E7C72786C4762B57BB784206AD)
+Fix this by running:
+  propellor --set 'GpgKey' '815B63982A79F8E7C72786C4762B57BB784206AD' \
+    < (Either a gpg public key, exported with gpg --export -a, or a gpg private key, exported with gpg --export-secret-key -a)
+
+cs2613 root has gpg key \"815B63982A79F8E7C72786C4762B57BB784206AD\" ... failed
+** warning: Missing privdata GpgKey (for 7A18807F100A4570C59684207E4E65C8720B706B)
+Fix this by running:
+  propellor --set 'GpgKey' '7A18807F100A4570C59684207E4E65C8720B706B' \
+    < (Either a gpg public key, exported with gpg --export -a, or a gpg private key, exported with gpg --export-secret-key -a)
+\"\"\"]]
+
+Of course I did what propellor suggests, but it doesn't seem to make a difference.  Is it possible gpg armoured text is being treated specially as privdata?
+
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment
new file mode 100644
index 00000000..2e948dd0
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 3"
+ date="2020-08-22T15:08:16Z"
+ content="""
+In this special case I don't really need privData, I worked around it by running `gpg`.
+I'm not sure if my usecase is common enough to warrant extending `Propellor.Property.Gpg`
+
+[[!format haskell \"\"\"
+  & Cmd.cmdProperty \"gpg\" [ \"--output\"
+                          , debugMeKeyFile
+                          , \"--batch\"
+                          , \"--yes\"
+                          , \"--export\"
+                          , \"7A18807F100A4570C59684207E4E65C8720B706B\"
+                          ]
+  `changesFile` debugMeKeyFile
+  `requires` rootGpg
+
+\"\"\"]]
+
+"""]]

Added a comment
diff --git a/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment b/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment
new file mode 100644
index 00000000..9e0d8453
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2020-08-22T13:23:01Z"
+ content="""
+Branch is updated.
+
+I also rebased on 5.11.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment
new file mode 100644
index 00000000..bffa29c1
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 2"
+ date="2020-08-21T23:51:40Z"
+ content="""
+In this case it's both the same host, but I don't think that's important. I'm just saying that propellor --dump verifies the local copy has the privdata, and I verified by checksums that the remote (host being managed) privdata blob is the same.
+"""]]

comment
diff --git a/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment b/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment
new file mode 100644
index 00000000..58e5c7c8
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-08-20T16:58:14Z"
+ content="""
+I checked and there was no justification given for the use of date rather
+than {now} ... Perhaps it predated that?
+
+The only difference between the two is the use of date for some reason
+included nanaosecond precision. Otherwise the format is the same.
+
+I have no objection to making that change, but I think it needs to be done
+in a separate commit, rather than in passing.
+
+Also, I think `UseUmask Int` could be `UseUmask FileMode`. At least
+FileMode is used in some other parts of propellor that deal with umasks.
+"""]]

comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment
new file mode 100644
index 00000000..d8069651
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-08-20T16:44:27Z"
+ content="""
+I think there could be some confusion here about where you run the
+propellor command to set the privdata.
+
+I always run those commands locally, not on the host being managed by
+propellor. --spin decrypts it and copies the parts a host needs to the
+host.
+"""]]

diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn
new file mode 100644
index 00000000..1ddec6d9
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn
@@ -0,0 +1,44 @@
+I have the following property for one of my hosts:
+
+[[!format haskell """
+ File.hasPrivContent "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"  anyContext
+"""]]
+
+Unsurprisingly, the first time I run `propellor --spin my-host` I get
+
+[[!format text """
+** warning: Missing privdata PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg" (for any)
+Fix this by running:
+  propellor --set 'PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"' 'any' \
+    < /usr/share/debug-me/keyring/a_CS2613_prof.gpg
+"""]]
+
+I cut and paste the suggested lines (after previously copying the file into place manually, but it doesn't seem to change anything. On subsequent runs I get the same thing.
+
+if I run `propellor --dump  'PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"' 'any' | gpg` I get
+[[!format text """
+gpg: WARNING: no command supplied.  Trying to guess what you mean ...
+[2020-08-20 10:03:07 ADT] command line:  Dump (PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg") (Context "any")
+[2020-08-20 10:03:07 ADT] read: git ["config","gpg.program"]
+[2020-08-20 10:03:07 ADT] process done ExitFailure 1
+[2020-08-20 10:03:07 ADT] chat: gpg ["--decrypt","privdata/privdata.gpg"]
+gpg: encrypted with 4096-bit RSA key, ID 70E3C0DE87068451, created 2019-06-08
+      "David Bremner <bremner@debian.org>"
+[2020-08-20 10:03:08 ADT] process done ExitSuccess
+pub   rsa4096 2014-09-22 [SC]
+      7A18807F100A4570C59684207E4E65C8720B706B
+uid           David Bremner <bremner@unb.ca>
+uid           David Bremner <david@tethera.net>
+uid           David Bremner <bremner@debian.org>
+sub   rsa4096 2014-09-22 [E] [expired: 2020-07-23]
+sub   rsa3072 2017-07-24 [S] [expired: 2020-07-23]
+sub   rsa4096 2017-07-24 [A] [expired: 2020-07-23]
+sub   rsa4096 2019-06-08 [S] [expires: 2021-06-07]
+sub   rsa4096 2019-06-08 [E] [expires: 2021-06-07]
+sub   rsa4096 2019-06-08 [A] [expires: 2021-06-07]
+"""]]
+
+I understand that the propellor run is using a different copy of privdata, but I verified the checksums match between my user propellor install and the one in /usr/local/propellor.
+
+Other uses of `privFileContent` with anyContext work fine on the same host.
+ 

Fix backticks
diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
index 66012314..64ca8b83 100644
--- a/doc/todo/Add_Borg.UseUmask.mdwn
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -4,6 +4,6 @@ Here is again a change for Borg to allow to give the --umask option on each borg
 
 Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
 
-As a side change, I use '{now}' instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
+As a side change, I use `{now}` instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
 
 Tested with stretch and buster.

diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
new file mode 100644
index 00000000..66012314
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -0,0 +1,9 @@
+Hello,
+
+Here is again a change for Borg to allow to give the --umask option on each borg invocation.
+
+Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
+
+As a side change, I use '{now}' instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
+
+Tested with stretch and buster.

Added a comment: problems with worms.
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment
new file mode 100644
index 00000000..61612b82
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="problems with worms."
+ date="2020-08-15T14:18:25Z"
+ content="""
+Dangling is the wrong word. I had a symlink pointing to an old build of propellor.
+"""]]

Added a comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment
new file mode 100644
index 00000000..a1898304
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 5"
+ date="2020-08-14T21:11:56Z"
+ content="""
+Actually I have no idea how to implement the privdata for init, restored and backup in a sane way, so I will let this challenge for someone else :)
+
+Thanks for the merge.
+"""]]

add news item for propellor 5.11
diff --git a/doc/news/version_5.11.mdwn b/doc/news/version_5.11.mdwn
new file mode 100644
index 00000000..9dcef85d
--- /dev/null
+++ b/doc/news/version_5.11.mdwn
@@ -0,0 +1,13 @@
+propellor 5.11 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix display of concurrent output from processes when using
+     Propellor.Property.Conductor.
+     (Reversion introduced in version 5.5.0.)
+   * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
+   * Makefile: Fix build with cabal 3.x.
+   * Borg.restored: Fix restoration, which has apparently never worked,
+     at least back to borg 1.0.9.
+     Thanks, Nicolas Schodet.
+   * Borg.init: Added the now required encryption type parameter.
+     Thanks, Nicolas Schodet.
+     (API change)"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.8.0.mdwn b/doc/news/version_5.8.0.mdwn
deleted file mode 100644
index a00c611a..00000000
--- a/doc/news/version_5.8.0.mdwn
+++ /dev/null
@@ -1,18 +0,0 @@
-propellor 5.8.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Fix bug in File.containsShellSetting that replaced whole shell conffile
-     content with the setting if the file did not previously contain a line
-     setting the key to some value.
-   * Removed inChroot, instead use hasContainerCapability FilesystemContained.
-     (API change)
-   * Hostname: Properties that used to not do anything in a systemd or
-     docker container will now change the container's hostname,
-     since it's namespaced.
-   * Add User.ownsWithPrimaryGroup
-     Thanks, Sean Whitton
-   * Ssh.userKeys, Ssh.userKeyAt: Create .ssh directory when it does not yet
-     exist.
-   * Ssh.userKeyAt: When a relative filepath is provided, it's put inside
-     the user's .ssh directory.
-   * Fix Git.pulled always reporting a change.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file

update
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment
new file mode 100644
index 00000000..b3086ec1
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 5"""
+ date="2020-08-14T19:57:07Z"
+ content="""
+On second thought, there may be other changes in concurrent-output
+after 1c330fa3814baadf23c1934a8014c91a3251234a that depend on that change.
+I'm not sure, and don't want to find out by breaking it in propellor.
+So, I've reverted this change and will wait the necessary several years.
+"""]]
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 48dd829e..c442c977 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -50,3 +50,14 @@ Waiting on concurrent-output reaching Debian stable.
 > > > I've updated the embedded concurrent-output copy, and it should
 > > > be kept up-to-date as concurrent-output changes, to avoid more
 > > > such reversions. --[[Joey]]
+
+> > > > Unforunately, the embedded concurrent-output copy had to be
+> > > > downgraded again, because it turns out the new version
+> > > > of concurrent-output depends on process-1.6, while propellor
+> > > > neeeds to also work with older versions.
+> > > >
+> > > > So, propellor will embed the old concurrent-output until
+> > > > process-1.6 is in debian oldstable, and then revert
+> > > > [[!commit ]] and version propellor's dep on process,
+> > > > and then, finally, once concurrent-output 1.10.12 is in oldstable
+> > > > propellor can stop embedding it. --[[Joey]]

analysis and followup q to bremner
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment
new file mode 100644
index 00000000..22ad0b9b
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment
@@ -0,0 +1,42 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-08-14T17:06:46Z"
+ content="""
+So the relevant change in that commit, I think, is that
+waitForProcessConcurrent used to do its own locking,
+and would sometimes not even call waitForProcess, but instead
+waitAny. And now it just calls waitForProcess.
+
+That change comes from concurrent-output commit 
+1c330fa3814baadf23c1934a8014c91a3251234a
+Which removed a workaround for
+https://github.com/haskell/process/issues/46 and added
+a depend on `process (>= 1.6)` which fixed its bug.
+
+Propellor does not depend on any particular version of process,
+so it's exposed to the old bug.
+
+But, David, is your system really using an older version of process to
+build propellor?
+(Bearing in mind that the system might ship with a newer version but cabal
+may have chosen to use an older version for whatever reason.)
+Probably the easiest way to check is, edit propellor.cabal,
+make it depend on `process (>= 1.6)`, and rebuild and see if you still have
+the problem.
+
+Anyway, we can either revert 1c330fa3814baadf23c1934a8014c91a3251234a in
+propellor, or revert the whole 162e1d4e82e24f0fe3e2bd3114e4366ddb1062c0
+but I'd really rather not do that because it's been stuck on the old
+version of concurrent-output forever. 
+
+Or, it propellor could depend on the fixed process. process-1.6
+was bundled with ghc-8.2.2. That works back to debian stable, but not
+oldstable, which is still a supported target of propellor.
+
+I guess, if we can confirm the old version of process is really the issue,
+I'm leaning toward reverting 1c330fa3814baadf23c1934a8014c91a3251234a,
+until the far-future time when we emerge blinking from the oldstable stasis
+chamber and propellor can finally depend on concurrent-output rather than
+bundling it.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment
new file mode 100644
index 00000000..2fdd3d51
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 8"""
+ date="2020-08-14T17:02:55Z"
+ content="""
+Hmm, it overwrites /usr/local/propellor with:
+
+	rename safetycopy "propellor"
+
+That is safe against dangling symlinks. The safetycopy is created
+using `cp -pfL` which also seems safe against dangling symlinks
+(or symlinks pointing to files, though not to directories).
+"""]]

Added a comment: why make clean?
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment
new file mode 100644
index 00000000..04cc475e
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="why make clean?"
+ date="2020-08-14T16:59:44Z"
+ content="""
+I _think_ the problem was the existing dangling \"propellor\" symlink. But I could well be confused.
+"""]]

merged nicolas/borg-fixes
diff --git a/debian/changelog b/debian/changelog
index 24bbf641..e9d6411d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,16 @@
-propellor (5.10.3) UNRELEASED; urgency=medium
+propellor (5.11) UNRELEASED; urgency=medium
 
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
   * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
   * Makefile: Fix build with cabal 3.x.
+  * Borg.restored: Fix restoration, which has apparently never worked,
+    at least back to borg 1.0.9.
+    Thanks, Nicolas Schodet.
+  * Borg.init: Added the now required encryption type parameter.
+    Thanks, Nicolas Schodet.
+    (API change)
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment
new file mode 100644
index 00000000..71ce0ac4
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-08-14T16:44:43Z"
+ content="""
+I've merged your branch, thanks.
+
+It does seem to me that Borg.init could do the privdata lookup itself, and
+set `BORG_PASSPHRASE`. Otherwise the user is currently left with no
+indication of how to do that, except for the commit message
+[[!commit afab5b2f0b4e06a5c41f064d10f65ead063ab5af]].
+
+And, for BorgEncRepokey and BorgEncKeyfile, wouldn't backup and restore
+also need the passphrase to be provided?
+
+(I don't think these questions need to delay releasing propellor with your
+fixes, since AFAICS your changes won't impact anything that worked with
+propellor before.)
+"""]]

Added a comment: fix / workaround
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment
new file mode 100644
index 00000000..14f4afe7
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="fix / workaround"
+ date="2020-08-14T16:57:22Z"
+ content="""
+based on a suggestion by joeyh, I reverted 162e1d4e82e24f0fe3e2bd3114e4366ddb1062c0 and this seems to have made the problem go away.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment
new file mode 100644
index 00000000..2fa6ef19
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 6"""
+ date="2020-08-14T16:31:36Z"
+ content="""
+I'm curious why you needed to make clean. AFAIK the new cabal will ignore
+any cruft left by the old version and should just do a from scratch build
+on its own.
+
+Indeed, one of my hosts managed by propellor has both
+/usr/local/propellor/dist and dist-newstyle, and is building successfully
+in the latter directory.
+"""]]

Added a comment: addendum
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment
new file mode 100644
index 00000000..3ed165d4
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="addendum"
+ date="2020-08-14T14:32:59Z"
+ content="""
+Actually it seems a bit random as to whether I get the longwinded or the concise failure. Out of about 10 tries, I get the longer run maybe 3 times.
+"""]]

Added a comment: variation on the theme.
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment
new file mode 100644
index 00000000..d400839b
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment
@@ -0,0 +1,28 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="variation on the theme."
+ date="2020-08-14T14:30:52Z"
+ content="""
+Today for some reason I had one run produce more output, with many repeats of the same warning. It seems to be more than a warning, since the corresponding properties fail. I have rebooted the VM, in case there was some transient resource exhaustion problem.  Successive runs of /usr/local/bin/propellor_cronjob stop very early as in my original report. 
+
+ [[!format text \"\"\"
+lotus.casa.cs.unb.ca apt installed etckeeper apt-transport-https ... ok
+lotus.casa.cs.unb.ca unattended upgrades true ... failed
+lotus.casa.cs.unb.ca replace /etc/apt/apt.conf.d/20-propellor-auto-upgrades ... ok
+lotus.casa.cs.unb.ca git repo at /etc/ config setting user.email set to root@tethera.net ... ok
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca git repo at /etc/ config setting user.name set to Root ... ok
+lotus.casa.cs.unb.ca ssh installed ... ok
+lotus.casa.cs.unb.ca ssh config: PermitRootLogin without-password ... ok
+lotus.casa.cs.unb.ca ssh config: PasswordAuthentication no ... done
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+** warning: waitForProcess: does not exist (No child processes)
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+\"\"\"]]
+
+
+"""]]

diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn
new file mode 100644
index 00000000..c2bc154a
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn
@@ -0,0 +1 @@
+An s390x running Ubuntu Bionic has starting failing with the message in the subject when I run propellor. Any ideas what might be going on there? It seems to be right after it fetches from the central git repo.

Added a comment: Same issues now on Debian testing
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment
new file mode 100644
index 00000000..cccac0fe
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="Same issues now on Debian testing"
+ date="2020-08-12T17:22:31Z"
+ content="""
+I had to 
+
+- merge from joeyh's master branch
+- cd /usr/local/propellor
+- sudo make clean
+- sudo make
+
+in order to get things going.
+
+I would not be surprised at all to learn there is an easier way (perhaps just blowing away /usr/local/propellor)
+
+"""]]

Added a comment: Branch updated
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment
new file mode 100644
index 00000000..81fb2234
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="Branch updated"
+ date="2020-08-10T21:41:11Z"
+ content="""
+Hello, I updated my branch with:
+
+- a different commit message with a withPrivData example,
+- a fix for --glob-archive and --last not supported on borg 1.0.9,
+- a warning message if no archive is found.
+
+Not sure if it was clear: the restored function did not work either on borg 1.0.9 before my changes.
+
+Tested on buster and stretch.
+"""]]

Added a comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment
new file mode 100644
index 00000000..0cd6f1a7
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2020-08-01T14:58:33Z"
+ content="""
+HEAD was pointing to a non-existant master branch, sorry about that.
+
+I will try to fix the other issues, thanks for the review.
+"""]]

comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment
new file mode 100644
index 00000000..7c5d7eb5
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-07-31T15:11:20Z"
+ content="""
+pull failed
+
+	joey@darkstar:~/src/propellor>git fetch http://git.ni.fr.eu.org/nicolas/propellor.git
+	fatal: Couldn't find remote ref HEAD
+
+I wonder if perhaps you forgot to run `git update-server-info`?
+Or possibly this is just not an url that actually points to the raw git
+repo, it looks like a gitweb installation and gitweb does not serve git
+repos IIRC.
+
+Hardcoding `BORG_PASSPHRASE` into a propellor configuration does not seem
+good. It could use `withPrivData` to get the passphrase.
+
+If `latestArchive` didn't work, it should probably display a
+`warningMessage` rather than just failing with no indication why.
+
+There is the small problem that borg 1.0.9 is in debian oldstable and if
+someone were using propellor with it, which is supported, the changes
+to extraction would break that. Not as bad as extraction currently being
+broken for everyone with a current version of borg though! But,
+it would be easy to at least detect the old version and refuse to use it to
+restore. Either by borg --version or by using withOS and to match against
+the debian version, like Propellor.Property.Systemd.machined does.
+"""]]

Please pull Borg fix
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn
new file mode 100644
index 00000000..08d5cf86
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn
@@ -0,0 +1,11 @@
+Recent versions of Borg require the `--encryption` option to initialize a repository.
+
+Also, `borg extract` needs an archive name and it extracts the backup in the current directory.
+
+I have made a fix for this, please pull the `borg-fixes` branch at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
+
+Tested with borg version 1.1.9.
+
+My haskell level is still not that great, I would love to get comments on my code.
+
+Thanks.

Added a comment
diff --git a/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment
new file mode 100644
index 00000000..7e1c0a5d
--- /dev/null
+++ b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="sravikumar@b98554d12f31e17b71dd07098f122792ca8837ce"
+ nickname="sravikumar"
+ avatar="http://cdn.libravatar.org/avatar/227f208e95d449decbc71eccc658cdbe"
+ subject="comment 1"
+ date="2020-07-10T20:04:47Z"
+ content="""
+Resolved the issue by adding the gpg signing key again to propellor with
+
+```
+propellor --add-key SIGNING_KEY_ID
+```
+"""]]

diff --git a/doc/forum/Error_trying_to_remove_a_key.mdwn b/doc/forum/Error_trying_to_remove_a_key.mdwn
new file mode 100644
index 00000000..252e507f
--- /dev/null
+++ b/doc/forum/Error_trying_to_remove_a_key.mdwn
@@ -0,0 +1,8 @@
+I try to remove a key from my propellor repository, but it fails:
+
+    % propellor --rm-key 41EED9A677C20D87
+    gpg: there is a secret key for public key "41EED9A677C20D87"!
+    gpg: use option "--delete-secret-keys" to delete it first.
+    removing key from propellor's keyring ... failed
+
+I believe gpg gets access to my secret keys using the agent now, it no longer use direct access.

todo
diff --git a/doc/todo/cabal_new-build_cruft.mdwn b/doc/todo/cabal_new-build_cruft.mdwn
new file mode 100644
index 00000000..586e9fde
--- /dev/null
+++ b/doc/todo/cabal_new-build_cruft.mdwn
@@ -0,0 +1,17 @@
+cabal new-build (now the default with recent cabal versions) stores stuff
+in dist-newstyle, versioned by the ghc version and the package version.
+
+So, as propellor builds itself on a host over and over again,
+and the host is upgraded and propellor is upgraded, dist-newstyle will
+accumulate cruft used by old builds.
+
+cabal clean can remove it of course, but then it won't update the build
+incrementally.
+
+What would be good is, a way to detect that the versioning has changed,
+and only then run cabal clean. One way to do that, would be when updating
+the propellor symlink to the cabal built binary, compare the old and new
+binary location. If they're not the same, the versioning has changed,
+and so cabal clean and re-build. --[[Joey]]
+
+(Note that stack probably has the same problem too.)

diff --git a/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn b/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn
new file mode 100644
index 00000000..c12a7556
--- /dev/null
+++ b/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn
@@ -0,0 +1,9 @@
+I'd like a way to set up Fedora chroots for testing purposes on my Debian workstations. Currently I use the example from the systemd-nspawn manpage
+[[!format text """
+# machinectl pull-raw --verify=no \
+                 https://download.fedoraproject.org/pub/fedora/linux/releases/31/Cloud/x86_64/images/Fedora-Cloud-Base-31-1.9.x86_64.raw.xz \
+                 Fedora-Cloud-Base-31-1.9.x86-64
+# systemd-nspawn -M Fedora-Cloud-Base-31-1.9.x86-64
+"""]]
+
+If I understand correctly the existing Systemd.container function needs a way to make a chroot.

comment
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment
new file mode 100644
index 00000000..0ca694ff
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-06-17T22:01:21Z"
+ content="""
+Simplest yes, but also kicking the can down the road as they'll
+presumably remove 1- at some point.
+
+I've implemented new-build support in
+[[!commit 745784f61bdd678e20b1b18743f18d458836a802]].
+Have not actually tested it on bootstrapping a new host yet, but I assume
+it will work barring some dumb typo.
+"""]]

Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
* Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
* Makefile: Fix build with cabal 3.x.
This assumes that, once a new-dist directory is created, the host won't
revert back to using dist. So it always prefers binaries from new-dist
over dist.
This commit was sponsored by LND on Patreon.
diff --git a/.gitignore b/.gitignore
index d9285db3..4e1b918c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 /propellor
 dist/*
+dist-newstyle/*
 tags
+configured
 privdata/local
 privdata/keyring.gpg~
 Setup
@@ -15,4 +17,5 @@ propellor.1
 .cabal-sandbox/
 .dir-locals.el
 cabal.sandbox.config
+cabal.project.local
 *~
diff --git a/Makefile b/Makefile
index 0e4b2ca3..b5d5708b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,35 +1,43 @@
 CABAL?=cabal
 DATE := $(shell dpkg-parsechangelog 2>/dev/null | grep Date | cut -d " " -f2-)
 
-build: tags propellor.1 dist/setup-config
+build: tags propellor.1 configured
 	$(CABAL) build
-	ln -sf dist/build/propellor-config/propellor-config propellor
+	@if [ -d dist-newstyle ]; then \
+		ln -sf $$(find dist-newstyle/ -executable -type f | grep 'build/propellor-config/propellor-config$$') propellor; \
+	else \
+		ln -sf dist/build/propellor-config/propellor-config propellor; \
+	fi
 
 install:
 	install -d $(DESTDIR)/usr/bin $(DESTDIR)/usr/src/propellor
-	install -s dist/build/propellor/propellor $(DESTDIR)/usr/bin/propellor
-	mkdir -p dist/gittmp
-	$(CABAL) sdist
-	cat dist/propellor-*.tar.gz | (cd dist/gittmp && tar zx --strip-components=1)
+	if [ -d dist-newstyle ]; then \
+		install -s $$(find dist-newstyle/ -executable -type f | grep 'build/propellor/propellor$$') $(DESTDIR)/usr/bin/propellor; \
+	else \
+		install -s dist/build/propellor/propellor $(DESTDIR)/usr/bin/propellor; \
+	fi
+	mkdir -p gittmp
+	$(CABAL) sdist -o - | (cd gittmp && tar zx --strip-components=1)
 	# cabal sdist does not preserve symlinks, so copy over file
-	cd dist/gittmp && for f in $$(find -type f); do rm -f $$f; cp -a ../../$$f $$f; done
+	cd gittmp && for f in $$(find -type f); do rm -f $$f; cp -a ../$$f $$f; done
 	# reset mtime on files in git bundle so bundle is reproducible
-	find dist/gittmp -print0 | xargs -0r touch --no-dereference --date="$(DATE)"
+	find gittmp -print0 | xargs -0r touch --no-dereference --date="$(DATE)"
 	export GIT_AUTHOR_NAME=build \
 	&& export GIT_AUTHOR_EMAIL=build@buildhost \
 	&& export GIT_AUTHOR_DATE="$(DATE)" \
 	&& export GIT_COMMITTER_NAME=build \
 	&& export GIT_COMMITTER_EMAIL=build@buildhost \
 	&& export GIT_COMMITTER_DATE="$(DATE)" \
-	&& cd dist/gittmp && git init \
+	&& cd gittmp && git init \
 	&& git add . \
 	&& git commit -q -m "distributed version of propellor" \
 	&& git bundle create $(DESTDIR)/usr/src/propellor/propellor.git master HEAD \
 	&& git show-ref master --hash > $(DESTDIR)/usr/src/propellor/head
-	rm -rf dist/gittmp
+	rm -rf gittmp
 
 clean:
-	rm -rf dist Setup tags propellor propellor.1 privdata/local
+	rm -rf dist dist-newstyle configured Setup \
+		tags propellor propellor.1 privdata/local
 	find . -name \*.o -exec rm {} \;
 	find . -name \*.hi -exec rm {} \;
 
@@ -37,11 +45,12 @@ clean:
 # duplicate tags with Propellor.Property. removed from the start, as we
 # often import qualified by just the module base name.
 tags:
-	find . | grep -v /.git/ | grep -v /tmp/ | grep -v /dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags 2>/dev/null | perl -ne 'print; s/Propellor\.Property\.//; print' | sort > tags || true
+	@find . | grep -v /.git/ | grep -v /tmp/ | grep -v dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags 2>/dev/null | perl -ne 'print; s/Propellor\.Property\.//; print' | sort > tags || true
 
-dist/setup-config: propellor.cabal
+configured: propellor.cabal
 	@if [ "$(CABAL)" = ./Setup ]; then ghc --make Setup; fi
 	@$(CABAL) configure
+	touch configured
 
 propellor.1: doc/usage.mdwn doc/mdwn2man
 	doc/mdwn2man propellor 1 < doc/usage.mdwn > propellor.1
diff --git a/debian/changelog b/debian/changelog
index b46c4b4e..24bbf641 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
+  * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
+  * Makefile: Fix build with cabal 3.x.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment
new file mode 100644
index 00000000..726067da
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-06-17T21:33:14Z"
+ content="""
+	cabal install --install-method=symlink --installdir=. exe:propellor --overwrite-policy=always
+
+But, this seems to do a lot of extra work, including generating a tarball
+of all the source code, and possibly building the package again
+unncessarily. And only works with a new enough cabal version.
+
+Ok, I've implemented it using `find`.
+"""]]
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index d772d7c7..0fef92f1 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -81,7 +81,12 @@ buildCommand bs = intercalate " && " (go (getBuilder bs))
 	go Cabal =
 		[ "cabal configure"
 		, "cabal build -j1 propellor-config"
-		, "ln -sf dist/build/propellor-config/propellor-config propellor"
+		, intercalate "; "
+			[ "if [ -d dist-newstyle ]"
+			, "then ln -sf $(find dist-newstyle/ -executable -type f | grep 'build/propellor-config/propellor-config$') propellor"
+			, "else ln -sf dist/build/propellor-config/propellor-config propellor"
+			, "fi"
+			]
 		]
 	go Stack =
 		[ "stack build :propellor-config"

Added a comment: network-manager snippet
diff --git a/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment b/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment
new file mode 100644
index 00000000..4af921f4
--- /dev/null
+++ b/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="network-manager snippet"
+ date="2020-06-11T10:25:10Z"
+ content="""
+[[!format haskell \"\"\"
+File.hasContent \"/etc/NetworkManager/conf.d/mDNS.conf\"  [ \"[connection]\"
+                                                                    , \"connection.mdns=2\"
+                                                                    ]
+          `requires` File.dirExists \"/etc/NetworkManager/conf.d\"
+\"\"\"]]
+
+The `=2` is important if you want the host to actually tell other hosts what it's IP is, and not just query,
+"""]]

Added a comment: prototype
diff --git a/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment b/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment
new file mode 100644
index 00000000..eb52f671
--- /dev/null
+++ b/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="prototype"
+ date="2020-06-11T01:23:28Z"
+ content="""
+This seems to work for me.  Obviously less hardcoding and code duplication would be nicer.
+
+[[!format haskell \"\"\"
+-- | Puts some host's ssh public key(s), as set using `hostPubKey`
+-- or `hostKey` into /etc/ssh/ssh_known_hosts
+sshKnownHost :: [Host] -> HostName -> Property UnixLike
+sshKnownHost hosts hn  = property' desc $ \w ->
+	go w =<< knownHostLines hosts hn
+  where
+	desc = \" globally known  ssh key for \" ++ hn
+
+	go _ [] = do
+		warningMessage $ \"no configured ssh host keys for \" ++ hn
+		return FailedChange
+	go w ls = do
+		f <- return \"/etc/ssh/ssh_known_hosts\"
+		ensureProperty w $ 
+			f `File.containsLines` ls
+				`requires` File.dirExists (takeDirectory f)
+\"\"\"]]
+"""]]

Added a comment: mDNS is ok
diff --git a/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment b/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment
new file mode 100644
index 00000000..53519ebb
--- /dev/null
+++ b/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="mDNS is ok"
+ date="2020-06-10T23:53:36Z"
+ content="""
+I ended up (finally) enabling mDNS in network-manager and systemd-resolved and it seems work pretty well for my goal of ssh-ing to machines on my LAN.  avahi is the other main mDNS server as far as I know.
+"""]]

yay, back on track to fix this in um ... 3 years
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 5826506e..48dd829e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -42,3 +42,11 @@ Waiting on concurrent-output reaching Debian stable.
 > > This is really looking like a reversion, or several, in newer
 > > versions of concurrent-output. The code bundled with propellor is
 > > the same as concurrent-output 1.7.4.
+
+> > > I think I've fixed it, concurrent-output (>= 1.10.12 || <= 1.7.4)
+> > > will be needed to avoid the bug. Will be several years until that's
+> > > in debian stable..
+> > > 
+> > > I've updated the embedded concurrent-output copy, and it should
+> > > be kept up-to-date as concurrent-output changes, to avoid more
+> > > such reversions. --[[Joey]]

more
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 2503fe2e..5826506e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -35,8 +35,10 @@ Waiting on concurrent-output reaching Debian stable.
 > > The former system (kite) had the strange output problem.
 > > 
 > > The latter system (keysafe) seemed ok but crashed at the end with
-> > a STM transaction deadlock. Downgrading to concurrent-output 1.10.6
-> > eliminated that problem.
+> > a STM transaction deadlock. Seemed to only happen when spinning the
+> > host remotely, or not always; I tried to reproduce it running propellor
+> > manually to bisect concurrent-output but without success.
 > > 
 > > This is really looking like a reversion, or several, in newer
-> > versions of concurrent-output. --[[Joey]]
+> > versions of concurrent-output. The code bundled with propellor is
+> > the same as concurrent-output 1.7.4.

meh
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c3641385..2503fe2e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,3 +27,16 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
+> 
+> > Tried again in 2020, same bugs still happened. On a system running
+> > debian unstable with concurrent-output 1.10.9, and a system running stable that
+> > had cabal installed concurrent-output 1.10.11.
+> > 
+> > The former system (kite) had the strange output problem.
+> > 
+> > The latter system (keysafe) seemed ok but crashed at the end with
+> > a STM transaction deadlock. Downgrading to concurrent-output 1.10.6
+> > eliminated that problem.
+> > 
+> > This is really looking like a reversion, or several, in newer
+> > versions of concurrent-output. --[[Joey]]

Revert "Added dependency on concurrent-output; removed embedded copy."
This reverts commit dbd3ba3400a3097498252097540ffe8075b00833.
Still has the same problem as in 2018!
diff --git a/debian/changelog b/debian/changelog
index 922e481e..b46c4b4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,6 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
-  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/debian/control b/debian/control
index 8e61fd80..5a46822f 100644
--- a/debian/control
+++ b/debian/control
@@ -14,9 +14,10 @@ Build-Depends:
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
+	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
+	libghc-text-dev,
 	libghc-hashable-dev,
-	libghc-concurrent-output-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -36,9 +37,10 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
+	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
+	libghc-text-dev,
 	libghc-hashable-dev,
-	libghc-concurrent-output-dev,
 	git (>= 2.0),
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 1bfaab03..c3641385 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,5 +27,3 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
-
-> > [[done]] again, hope it sticks this time --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 93edbb13..4aaf9c0a 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -49,7 +49,7 @@ Library
     base >= 4.9, base < 5,
     directory, filepath, IfElse, process, bytestring, hslogger, split,
     unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, exceptions (>= 0.6), hashable, concurrent-output
+    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
   if flag(WithTypeErrors)
     Build-Depends: type-errors
     CPP-Options: -DWITH_TYPE_ERRORS
@@ -233,6 +233,9 @@ Library
     Utility.Tmp.Dir
     Utility.Tuple
     Utility.UserInfo
+    System.Console.Concurrent
+    System.Console.Concurrent.Internal
+    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index 66192e36..d772d7c7 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -148,9 +148,12 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, Dep "libghc-ifelse-dev"
 		, Dep "libghc-network-dev"
 		, Dep "libghc-mtl-dev"
+		, Dep "libghc-transformers-dev"
 		, Dep "libghc-exceptions-dev"
+		, Dep "libghc-text-dev"
 		, Dep "libghc-hashable-dev"
-		, Dep "libghc-concurrent-output-dev"
+		-- Deps that are only needed on old systems.
+		, OldDep "libghc-stm-dev"
 		]
 	debdeps Stack =
 		[ Dep "gnupg"
@@ -169,7 +172,10 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "hs-IfElse"
 		, "hs-network"
 		, "hs-mtl"
+		, "hs-transformers-base"
 		, "hs-exceptions"
+		, "hs-stm"
+		, "hs-text"
 		, "hs-hashable"
 		]
 	fbsddeps Stack =
@@ -190,7 +196,10 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "haskell-ifelse"
 		, "haskell-network"
 		, "haskell-mtl"
+		, "haskell-transformers-base"
 		, "haskell-exceptions"
+		, "haskell-stm"
+		, "haskell-text"
 		, "haskell-hashable"
 		, "haskell-type-errors"
 		]
diff --git a/src/System/Console/Concurrent.hs b/src/System/Console/Concurrent.hs
new file mode 100644
index 00000000..12447637
--- /dev/null
+++ b/src/System/Console/Concurrent.hs
@@ -0,0 +1,44 @@
+-- | 
+-- Copyright: 2015 Joey Hess <id@joeyh.name>
+-- License: BSD-2-clause
+-- 
+-- Concurrent output handling.
+--
+-- > import Control.Concurrent.Async
+-- > import System.Console.Concurrent
+-- >
+-- > main = withConcurrentOutput $
+-- > 	outputConcurrent "washed the car\n"
+-- > 		`concurrently`
+-- >	outputConcurrent "walked the dog\n"
+-- >		`concurrently`
+-- > 	createProcessConcurrent (proc "ls" [])
+
+{-# LANGUAGE CPP #-}
+
+module System.Console.Concurrent (
+	-- * Concurrent output
+	withConcurrentOutput,
+	Outputable(..),
+	outputConcurrent,
+	errorConcurrent,
+	ConcurrentProcessHandle,
+#ifndef mingw32_HOST_OS
+	createProcessConcurrent,
+#endif
+	waitForProcessConcurrent,
+	createProcessForeground,
+	flushConcurrentOutput,
+	lockOutput,
+	-- * Low level access to the output buffer
+	OutputBuffer,
+	StdHandle(..),
+	bufferOutputSTM,
+	outputBufferWaiterSTM,
+	waitAnyBuffer,
+	waitCompleteLines,
+	emitOutputBuffer,
+) where
+
+import System.Console.Concurrent.Internal
+
diff --git a/src/System/Console/Concurrent/Internal.hs b/src/System/Console/Concurrent/Internal.hs
new file mode 100644
index 00000000..ffe6a9e8
--- /dev/null
+++ b/src/System/Console/Concurrent/Internal.hs
@@ -0,0 +1,546 @@
+{-# LANGUAGE BangPatterns, TypeSynonymInstances, FlexibleInstances, TupleSections #-}
+{-# LANGUAGE CPP #-}
+{-# OPTIONS_GHC -O2 #-}
+{- Building this module with -O0 causes streams not to fuse and too much
+ - memory to be used. -}
+
+-- | 
+-- Copyright: 2015 Joey Hess <id@joeyh.name>
+-- License: BSD-2-clause
+-- 
+-- Concurrent output handling, internals.
+--
+-- May change at any time.
+
+module System.Console.Concurrent.Internal where
+
+import System.IO
+#ifndef mingw32_HOST_OS
+import System.Posix.IO
+#endif
+import System.Directory
+import System.Exit
+import Control.Monad
+import Control.Monad.IO.Class (liftIO, MonadIO)
+import System.IO.Unsafe (unsafePerformIO)
+import Control.Concurrent
+import Control.Concurrent.STM
+import Control.Concurrent.Async
+import Data.Maybe
+import Data.List
+import Data.Monoid

(Diff truncated)
Added dependency on concurrent-output; removed embedded copy.
Trying again what failed in 2018
(commit 02eca2ae4cf51d8e83d94d8359e15ac053451109).
I hope the problem was a broken old version of concurrent-output and that
it will be ok now.
This commit was sponsored by Denis Dzyubenko on Patreon.
diff --git a/debian/changelog b/debian/changelog
index b46c4b4e..922e481e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
+  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/debian/control b/debian/control
index 5a46822f..8e61fd80 100644
--- a/debian/control
+++ b/debian/control
@@ -14,10 +14,9 @@ Build-Depends:
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
-	libghc-text-dev,
 	libghc-hashable-dev,
+	libghc-concurrent-output-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -37,10 +36,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
-	libghc-text-dev,
 	libghc-hashable-dev,
+	libghc-concurrent-output-dev,
 	git (>= 2.0),
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c3641385..1bfaab03 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,3 +27,5 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
+
+> > [[done]] again, hope it sticks this time --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 4aaf9c0a..93edbb13 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -49,7 +49,7 @@ Library
     base >= 4.9, base < 5,
     directory, filepath, IfElse, process, bytestring, hslogger, split,
     unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+    time, mtl, exceptions (>= 0.6), hashable, concurrent-output
   if flag(WithTypeErrors)
     Build-Depends: type-errors
     CPP-Options: -DWITH_TYPE_ERRORS
@@ -233,9 +233,6 @@ Library
     Utility.Tmp.Dir
     Utility.Tuple
     Utility.UserInfo
-    System.Console.Concurrent
-    System.Console.Concurrent.Internal
-    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index d772d7c7..3621cabb 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -148,12 +148,8 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, Dep "libghc-ifelse-dev"
 		, Dep "libghc-network-dev"
 		, Dep "libghc-mtl-dev"
-		, Dep "libghc-transformers-dev"
 		, Dep "libghc-exceptions-dev"
-		, Dep "libghc-text-dev"
 		, Dep "libghc-hashable-dev"
-		-- Deps that are only needed on old systems.
-		, OldDep "libghc-stm-dev"
 		]
 	debdeps Stack =
 		[ Dep "gnupg"
@@ -172,10 +168,7 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "hs-IfElse"
 		, "hs-network"
 		, "hs-mtl"
-		, "hs-transformers-base"
 		, "hs-exceptions"
-		, "hs-stm"
-		, "hs-text"
 		, "hs-hashable"
 		]
 	fbsddeps Stack =
@@ -196,10 +189,7 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "haskell-ifelse"
 		, "haskell-network"
 		, "haskell-mtl"
-		, "haskell-transformers-base"
 		, "haskell-exceptions"
-		, "haskell-stm"
-		, "haskell-text"
 		, "haskell-hashable"
 		, "haskell-type-errors"
 		]
diff --git a/src/System/Console/Concurrent.hs b/src/System/Console/Concurrent.hs
deleted file mode 100644
index 12447637..00000000
--- a/src/System/Console/Concurrent.hs
+++ /dev/null
@@ -1,44 +0,0 @@
--- | 
--- Copyright: 2015 Joey Hess <id@joeyh.name>
--- License: BSD-2-clause
--- 
--- Concurrent output handling.
---
--- > import Control.Concurrent.Async
--- > import System.Console.Concurrent
--- >
--- > main = withConcurrentOutput $
--- > 	outputConcurrent "washed the car\n"
--- > 		`concurrently`
--- >	outputConcurrent "walked the dog\n"
--- >		`concurrently`
--- > 	createProcessConcurrent (proc "ls" [])
-
-{-# LANGUAGE CPP #-}
-
-module System.Console.Concurrent (
-	-- * Concurrent output
-	withConcurrentOutput,
-	Outputable(..),
-	outputConcurrent,
-	errorConcurrent,
-	ConcurrentProcessHandle,
-#ifndef mingw32_HOST_OS
-	createProcessConcurrent,
-#endif
-	waitForProcessConcurrent,
-	createProcessForeground,
-	flushConcurrentOutput,
-	lockOutput,
-	-- * Low level access to the output buffer
-	OutputBuffer,
-	StdHandle(..),
-	bufferOutputSTM,
-	outputBufferWaiterSTM,
-	waitAnyBuffer,
-	waitCompleteLines,
-	emitOutputBuffer,
-) where
-
-import System.Console.Concurrent.Internal
-
diff --git a/src/System/Console/Concurrent/Internal.hs b/src/System/Console/Concurrent/Internal.hs
deleted file mode 100644
index ffe6a9e8..00000000
--- a/src/System/Console/Concurrent/Internal.hs
+++ /dev/null
@@ -1,546 +0,0 @@
-{-# LANGUAGE BangPatterns, TypeSynonymInstances, FlexibleInstances, TupleSections #-}
-{-# LANGUAGE CPP #-}
-{-# OPTIONS_GHC -O2 #-}
-{- Building this module with -O0 causes streams not to fuse and too much
- - memory to be used. -}
-
--- | 
--- Copyright: 2015 Joey Hess <id@joeyh.name>
--- License: BSD-2-clause
--- 
--- Concurrent output handling, internals.
---
--- May change at any time.
-
-module System.Console.Concurrent.Internal where
-
-import System.IO
-#ifndef mingw32_HOST_OS
-import System.Posix.IO
-#endif
-import System.Directory
-import System.Exit
-import Control.Monad
-import Control.Monad.IO.Class (liftIO, MonadIO)
-import System.IO.Unsafe (unsafePerformIO)
-import Control.Concurrent
-import Control.Concurrent.STM
-import Control.Concurrent.Async
-import Data.Maybe
-import Data.List
-import Data.Monoid
-import qualified System.Process as P

(Diff truncated)
diff --git a/doc/forum/ssh__95__known__95__hosts.mdwn b/doc/forum/ssh__95__known__95__hosts.mdwn
new file mode 100644
index 00000000..94db5996
--- /dev/null
+++ b/doc/forum/ssh__95__known__95__hosts.mdwn
@@ -0,0 +1 @@
+I would find it useful if there was a function similar to Ssh.knownHost that updated /etc/ssh/ssh_known_hosts.  I suppose it just requires parameterizing knownHost in terms of what file to operate on, but I'm still pretty clueless about IO in Haskell.

report bug
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
new file mode 100644
index 00000000..b3a3cd90
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
@@ -0,0 +1,29 @@
+It looks like ghc in Debian unstable is defaulting to new style cabal builds which bypasses `Bootstrap.bootstrapWith Bootstrap.OSOnly`:
+
+    ...
+    git branch origin/spw3conf gpg signature verified; merging
+    Already up to date.
+    Build profile: -w ghc-8.8.3 -O1
+    In order, the following will be built (use -v for more details):
+     - IfElse-0.85 (lib:IfElse) (requires build)
+     - first-class-families-0.8.0.0 (lib) (requires build)
+     - hsc2hs-0.68.7 (exe:hsc2hs) (requires download & build)
+     - old-locale-1.0.0.7 (lib) (requires build)
+     - syb-0.7.1 (lib) (requires build)
+     - th-abstraction-0.3.2.0 (lib) (requires build)
+     - network-bsd-2.8.1.0 (lib) (requires build)
+     - type-errors-0.2.0.0 (lib) (requires build)
+     - hslogger-1.3.1.0 (lib) (requires build)
+     - propellor-5.10.1 (lib) (first run)
+     - propellor-5.10.1 (exe:propellor-config) (first run)
+    Downloading  hsc2hs-0.68.7
+    Configuring IfElse-0.85...
+    Preprocessing library for IfElse-0.85..
+    Building library for IfElse-0.85..
+    [1 of 1] Compiling Control.Monad.IfElse ( Control/Monad/IfElse.hs, dist/build/Control/Monad/IfElse.o )
+    Downloaded   hsc2hs-0.68.7
+    ...
+
+I think the simplest fix is to replace `cabal build` with `cabal v1-build` in `Propellor.Bootstrap.buildCommand`?
+
+--spwhitton

diff --git a/doc/forum/CUPS_configuration.mdwn b/doc/forum/CUPS_configuration.mdwn
index 335caedc..48e2ff4f 100644
--- a/doc/forum/CUPS_configuration.mdwn
+++ b/doc/forum/CUPS_configuration.mdwn
@@ -1 +1,3 @@
 Any ideas for good ways to manage CUPS config?  /etc/cups/printers.conf starts with `# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING`. I can do the obvious stop / replace / restart, but am curious if anyone has any success stories or pitfalls to relate.
+
+A very quick search suggests using "lpadmin" is the approved way of updating CUPS config. So I guess I can run some Cmd.cmpProperty calls

diff --git a/doc/forum/CUPS_configuration.mdwn b/doc/forum/CUPS_configuration.mdwn
new file mode 100644
index 00000000..335caedc
--- /dev/null
+++ b/doc/forum/CUPS_configuration.mdwn
@@ -0,0 +1 @@
+Any ideas for good ways to manage CUPS config?  /etc/cups/printers.conf starts with `# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING`. I can do the obvious stop / replace / restart, but am curious if anyone has any success stories or pitfalls to relate.

Added a comment: first attempt
diff --git a/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment b/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment
new file mode 100644
index 00000000..fb6ff177
--- /dev/null
+++ b/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="first attempt"
+ date="2020-05-16T23:44:41Z"
+ content="""
+This isn't very general, but it seems to work
+
+[[!format haskell \"\"\"
+bareMirror :: String -> String -> Property  DebianLike
+bareMirror dir url = propertyList (\"bare mirror of \" ++ url ++ \" in \" ++ dir ) $ props
+  & Git.installed
+  & Git.bareRepo dir (User \"root\") Git.SharedAll
+  & Git.repoConfigured dir (\"remote.origin.url\", url)
+  & Git.repoConfigured dir (\"remote.origin.mirror\", \"true\")
+  & Git.repoConfigured dir (\"remote.origin.fetch\", \"+refs/*:refs/*\")
+  & Cmd.cmdProperty \"git\" [\"-C\", dir, \"fetch\", \"origin\" ] `changesFileContent` (dir </> \"HEAD\")
+\"\"\"]]
+"""]]

diff --git a/doc/todo/Support_for_mirroring_bare_git_repos.mdwn b/doc/todo/Support_for_mirroring_bare_git_repos.mdwn
new file mode 100644
index 00000000..3c5da097
--- /dev/null
+++ b/doc/todo/Support_for_mirroring_bare_git_repos.mdwn
@@ -0,0 +1,2 @@
+Since "git pull" has the potential to fail because of merge problems (this is not theoretical, it happened to me today), I'd prefer to just fetch into a bare repo.
+I don't know the best way to go about this. Maybe a "Git.fetched" function that does not assume a non-bare repo (as Git.cloned currently does). 

add news item for propellor 5.10.2
diff --git a/doc/news/version_5.10.2.mdwn b/doc/news/version_5.10.2.mdwn
new file mode 100644
index 00000000..264b7f60
--- /dev/null
+++ b/doc/news/version_5.10.2.mdwn
@@ -0,0 +1,10 @@
+propellor 5.10.2 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix build with ghc 8.6.3.
+     Thanks, Robin Munn
+   * Bootstrap: Fix typo in Arch Linux dependencies.
+     Thanks, Robin Munn
+   * Bootstrap: Add haskell-type-errors package on Arch Linux.
+     Thanks, Robin Munn
+   * Apt.buildDepIn: Run build-dep command in a temporary directory,
+     since it may sometimes not clean up all the files it creates."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.7.0.mdwn b/doc/news/version_5.7.0.mdwn
deleted file mode 100644
index 194a2a6f..00000000
--- a/doc/news/version_5.7.0.mdwn
+++ /dev/null
@@ -1,20 +0,0 @@
-propellor 5.7.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Sbuild.built no longer includes Apt.stdSourcesList by default,
-     in order to support non-Debian OS's. (API change)
-     To upgrade: Simply add Sbuild.osDebianStandard to all Sbuild.built
-     calls which have osDebian.
-     Thanks, Sean Whitton
-   * Propellor.Property.PropellorRepo renamed to Propellor.Property.Localdir
-     to widen its scope. (API change)
-   * Added Localdir.removed property.
-     Thanks, Sean Whitton
-   * Sbuild.built uses Localdir.removed to clean up the propellor localdir
-     after it's done running in a schroot.
-     Thanks, Sean Whitton
-   * Cron.runPropellor made revertable. (minor API change)
-     Thanks, Sean Whitton
-   * Added Cron.jobDropped.
-     Thanks, Sean Whitton
-   * Added Utility.FileMode to the modules exported by Propellor.Utilities
-     to propellor library users."""]]
\ No newline at end of file

Fix typo in man page
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index fb19250e..569637ee 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -141,7 +141,7 @@ and configured in haskell.
 
   If propellor is run in a directory containing a config.hs, it
   assumes that the current directory is a propellor repository, and 
-  uses the configuration from the current directory, rather tnan
+  uses the configuration from the current directory, rather than
   ~/.propellor/ 
 
 # ENVIRONMENT

diff --git a/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn
new file mode 100644
index 00000000..48c84b3a
--- /dev/null
+++ b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn
@@ -0,0 +1,79 @@
+When I `propellor --spin HOST`, I started to get this warning:
+
+```
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)
+```
+
+Here's the relevant output from propellor:
+
+```
+Preprocessing library for propellor-5.9.1..                                                                                                                               
+Building library for propellor-5.9.1..                                                                                                                                    
+Preprocessing executable 'propellor-config' for propellor-5.9.1..                                                                                                         
+Building executable 'propellor-config' for propellor-5.9.1..                                                                                                              
+Propellor build ... done                                                                                                                                                  
+[master ee86ede9] propellor spin                                                                                                                                          
+Git commit ... done                                                                                                                                                       
+Enumerating objects: 1, done.                                                                                                                                             
+Counting objects: 100% (1/1), done.                                                                                                                                       
+Writing objects: 100% (1/1), 869 bytes | 869.00 KiB/s, done.                                                                                                              
+Total 1 (delta 0), reused 0 (delta 0)                                                                                                                                    
+To [redacted].com:sr/propellor.git                                                                                                                      
+   ed5038fa..ee86ede9  master -> master                                                                                                                                  
+Push to central git repository ... done                                                                                                                                  
+gpg: encrypted with 4096-bit RSA key, ID 0x[redacted]0F5, created 2016-09-06                                                                                          
+      "Siddharth Ravikumar <[redacted]@[redacted].com>"                                                                                                                      
+From [redacted].com:sr/propellor                                                                                                                        
+   ed5038fa..ee86ede9  master     -> origin/master                                                                                                                       
+Pull from central git repository ... done                                                                                                                                
+gpg: Signature made Thu Apr  9 09:09:25 2020 EDT                                                                                                                         
+gpg:                using RSA key [redacted]                                                                                               
+gpg: /usr/local/propellor/privdata/trustdb.gpg: trustdb created                                                                                                          
+gpg: Good signature from "Siddharth Ravikumar <[redacted]@[redacted].com>" [expired]                                                                              
+gpg: Note: This key has expired!                                                                                                                                         
+Primary key fingerprint: [redacted]                                                                                              
+gpg: Signature expires Fri Apr  9 09:09:25 2021 EDT                                                                                                                      
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)                         
+Sending privdata (5352 bytes) to cygnus.[redacted].net ... done                                                                                                        
+From .                                                                                                                                                                   
+ * branch              HEAD       -> FETCH_HEAD                                                                                                                          
+Sending git update to cygnus.[redacted].net ... done                                                                                                                   
+Pull from central git repository ... done                                                                                                                                
+gpg: Signature made Thu Apr  9 09:09:25 2020 EDT                                                                                                                         
+gpg:                using RSA key [redacted]                                                                                               
+gpg: /usr/local/propellor/privdata/trustdb.gpg: trustdb created                                                                                                          
+gpg: Good signature from "Siddharth Ravikumar <[redacted]@[redacted].com>" [expired]                                                                              
+gpg: Note: This key has expired!
+Primary key fingerprint: [redacted]
+gpg: Signature expires Fri Apr  9 09:09:25 2021 EDT
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)
+Preprocessing library for propellor-5.9.1..
+Building library for propellor-5.9.1..
+Preprocessing executable 'propellor-config' for propellor-5.9.1..
+Building executable 'propellor-config' for propellor-5.9.1..
+Propellor build ... done
+cygnus.[redacted].net has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok
+cygnus.[redacted].net standard sources.list ... ok
+
+```
+
+
+The gpg key in question is not expired and the secret key for it is available on the machine from where I'm doing `propellor --spin`:
+
+
+```
+ gpg --edit-key '[fpr redacted]'
+Secret key is available.
+
+sec  rsa4096/0x[redacted]
+     created: 2016-09-06  expires: 2020-09-02  usage: SC
+     trust: ultimate      validity: ultimate
+ssb  rsa4096/0x[redacted]
+     created: 2016-09-06  expires: 2020-09-02  usage: E
+[ultimate] (1). Siddharth Ravikumar <[redacted]@[redacted].com>
+[ultimate] (2)  Siddharth Ravikumar <[redacted]@[redacted].com>
+
+```
+
+Any idea why I'm getting the warning about the branch not signed with a trusted a gpg key. How should I resolve this issue?
+

diff --git a/doc/forum/DNS_for_LAN.mdwn b/doc/forum/DNS_for_LAN.mdwn
new file mode 100644
index 00000000..da899e9e
--- /dev/null
+++ b/doc/forum/DNS_for_LAN.mdwn
@@ -0,0 +1 @@
+I'd like to setup DNS for hosts on my LAN (mainly for running propellor). I already have dnsmasq installed to support libvirt. Should I just use dnsmasq, or is there some other thing nicely integrated with propellor?

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment
new file mode 100644
index 00000000..f742280f
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2020-02-25T21:22:22Z"
+ content="""
+Ghc 8.8 is fixed thanks to your patch.
+
+I was curious how cabal build failed w/o -dynamic, and found
+this <https://bugs.archlinux.org/task/54563#comment158808>
+which includes a simple change that the archlinux maintainers
+could make if they didh't want this to be a self-inflicted wound
+on their users.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment
new file mode 100644
index 00000000..c5b85e05
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2020-02-20T17:47:46Z"
+ content="""
+Seems odd that the way Arch has installed ghc would
+make `cabal install` fail without additional options being added very time.
+That does not strike me as a good decision if it's the case. I guess that
+the -dynamic should only be set on Arch, since only it has inflicted this
+problem on itself.
+
+Would appreciate a patch with the ghc 8.8 fixes.
+
+I would not be surprised if cabal new-build does not provide any good way
+to find out where the executable was put, because after all cabal build
+doesn't either (just it's easier to guess there). Cabal expects a workflow
+where that's followed by cabal install, or cabal run.
+
+This might be one way: `cabal new-install --symlink-bindir=.`  
+But with my older version of cabal, that seems to not actually work,
+indeed I can't get it to install the binaries anywhere. Maybe it does
+work with the newer cabal where new-install is the default.
+
+Needing to detect whether new-build was used or not is an added
+complication.
+
+Best way I've found:
+
+	find dist-newstyle/ -executable -type f |grep 'propellor$'
+"""]]

Added a comment: One more thing
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment
new file mode 100644
index 00000000..5d1fab2d
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="rmunn@24f62461074e9165181dd6ec6ac66473353a24e9"
+ nickname="rmunn"
+ avatar="http://cdn.libravatar.org/avatar/5fb7a86e278e5b3b427f3b9a3cda71e1"
+ subject="One more thing"
+ date="2020-02-18T04:50:58Z"
+ content="""
+I haven't yet prepared a patch for this, but in src/Propellor/Bootstrap.hs, the `archlinuxdeps Cabal` list of should have `\"haskell-type-errors\"` added to it. That's the name of the Archlinux package for [https://hackage.haskell.org/package/type-errors](https://hackage.haskell.org/package/type-errors). Without that package, Cabal has to download type-errors and its dependencies before building Propellor, but with that package added, Archlinux's package manager can manage that package (and keep it up-to-date) instead.
+
+With that one change, the `archlinuxdeps Cabal` list is complete (at least as of yesterday when I tested it).
+
+I'll prepare a patch for this and submit it to propellor@joeyh.name soon.
+"""]]

Describe three different Haskell issues with bootstrapping on Archlinux
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn
new file mode 100644
index 00000000..0ff23880
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn
@@ -0,0 +1,46 @@
+Bootstrapping Propellor with Cabal is currently failing for me on Archlinux, for several reasons.
+
+## Dynamic linking
+
+The `ghc` package in Archlinux [uses dynamic linking](https://wiki.archlinux.org/index.php/Haskell#Problems_with_linking) for the GHC boot libraries. This means that the `cabal install` and `cabal build` steps in src/Propellor/Bootstrap.hs need the `--ghc-options=-dynamic` option added. I don't know if it's safe to do that for all OSes, or if this is something that Bootstrap.hs will need to do only on Arch.
+
+## GHC 8.8
+
+Archlinux, being a rolling-release distro, has version 8.8.1 of GHC available. This means that once I add the `--ghc-options=-dynamic` option to the `cabal install` and `cabal build` steps, Propellor now fails to build on my Archlinux system with the GHC compiler complaining about src/Propellor/Property/Installer/Target.hs. Specifically, the `UserInput i` line in the definition of `targetInstalled` produces an "Illegal polymorphic type" error:
+
+```
+src/Propellor/Property/Installer/Target.hs:137:12: error:
+    • Illegal polymorphic type:
+        forall metatypes.
+        (Combines
+           (RevertableProperty metatypes metatypes)
+           (RevertableProperty metatypes metatypes),
+         CombinedType
+           (RevertableProperty metatypes metatypes)
+           (RevertableProperty metatypes metatypes)
+         ~ RevertableProperty metatypes metatypes) =>
+        Propellor.Property.Versioned.VerSpec v metatypes
+        -> RevertableProperty metatypes metatypes
+      Perhaps you intended to use RankNTypes
+    • In the expansion of type synonym ‘Propellor.Property.Versioned.VersionedBy’
+      In the expansion of type synonym ‘Versioned’
+      In the type signature:
+        targetInstalled :: UserInput i =>
+                           Versioned v Host
+                           -> v
+                              -> i
+                                 -> TargetPartTable
+                                    -> RevertableProperty (HasInfo + DebianLike) (HasInfo
+                                                                                  + DebianLike)
+    |
+137 |         :: UserInput i 
+    |            ^^^^^^^^^^^^...
+```
+
+This appears to be  due to [stricter type synonym validity-checking in GHC 8.8](https://gitlab.haskell.org/ghc/ghc/wikis/migration/8.8#stricter-type-synonym-validity-checking). I had to add the `RankNTypes`, `TypeFamilies`, and `FlexibleContexts` extensions to Target.hs in order to make GHC 8.8 happy. (That's a minimal set: removing any one of those three produced one of three different compiler errors, which I won't reproduce here for brevity's safe). This appears to be safe on all OSes, since Propellor compiled happily on my laptop, which is running a Buntish variant called Linux Mint (where GHC 8.0.2 is what Apt gave me). (Though do note that I only tested that on Arch and Mint, and didn't do any testing on Debian to see whether GHC 7.x or earlier is still happy with those extensions being present in the source file).
+
+## New-style cabal
+
+Once I added the `--ghc-options=-dynamic` option to Cabal, and added those three extensions to the first line of Target.hs, I was then faced with another error: the `ln -sf` step failed because `dist/build/propellor-config/propellor-config` didn't exist. The version of Cabal that comes with Archlinux has apparently switched to [Nix-style local builds](https://cabal.readthedocs.io/en/latest/nix-local-build-overview.html) as the default action when you run `cabal build`, and the `propellor-config` binary ended up in `/usr/local/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.1/propellor-5.10.1/x/propellor-config/build/propellor-config/propellor-config`.
+
+This is the point where, not being a Haskell programmer myself, my ability to Google the problem was exhausted. I'm sure there's a way to get Cabal to tell you where it will put the files it's about to build (similar to `stack path --dist-dir`), but at this point, I needed to get back to working on other things. So I punted and just added `& bootstrapWith (Robustly Stack)` to the properties of my Archlinux host. :-) Bootstrapping with Stack was successful, BTW.

Added a comment
diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment
new file mode 100644
index 00000000..9356298b
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="https://launchpad.net/~barthelemy"
+ nickname="barthelemy"
+ avatar="http://cdn.libravatar.org/avatar/e99cb15f6029de3225721b3ebdd0233905eb69698e9b229a8c4cc510a4135438"
+ subject="comment 2"
+ date="2020-01-07T00:38:09Z"
+ content="""
+Hi Joey,
+
+thank you for the feedback. I'm glad to know it is supposed to work in those cases.
+It seems freedombox uses btrfs and swapfiles do not work on btrfs partitions. I thus tried with zram (apt get install zram-tools, which set up a 256 MiB swap).
+
+I could then run propellor --spin to the server, it passed.
+Then I rm -rf /usr/local/propellor on server and ran propellor --spin again.
+The build passed again (it took ~75 minute and at some point ghc took 570MiB but it succeedded).
+
+I'm back on track, thank you again!
+"""]]

comment
diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment
new file mode 100644
index 00000000..af019cf6
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-01-04T19:02:08Z"
+ content="""
+500 mb seems a bit higher than typical; my own config.hs (500 lines)
+needs 416 mb to build, and the example config.hs included in propellor
+needs 245 mb.
+
+I typically install swapspace on systems with 1 gb or less and it works
+fine. I think the smallest system I've used propellor with was 500 mb.
+"""]]

diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn b/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn
new file mode 100644
index 00000000..7bcbd0cc
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn
@@ -0,0 +1,18 @@
+I'm trying to use propellor (and to learn haskell!) to manage my laptop and a small server, both running debian stable. 
+
+The server is a lime2 soc [1], with only 1GiB of RAM, and no swap (I think this is the default setup from the freedombox image).
+
+propellor --spin failed when targeting the server: on the server, ghc got killed by the OOM killer.
+
+I then simplified my config.hs and successfully ran "cabal build -j1" from the server.
+At some point during the successful build, ghc was using 400MiB of memory.
+This is 40% of the whole memory, I fear the OOM killer will strike again if I don't change something.
+I'll probably try to enable swap.
+
+Propellor seems designed with embedded devices in mind (eg. with the image builder), I'm surprised it demands that much RAM.
+Am I missing something?
+Do people cross-compile propellor to avoid the issue?
+
+Cheers!
+
+[1] https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-LIME2

Added a comment
diff --git a/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment b/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment
new file mode 100644
index 00000000..1325399d
--- /dev/null
+++ b/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="balu"
+ avatar="http://cdn.libravatar.org/avatar/2ec9dd5a234ce82f117bd81d1e44f2cb"
+ subject="comment 8"
+ date="2019-11-27T16:28:41Z"
+ content="""
+I am very interested in having this feature in the debian package of propellor and would like to help. What is missing to accomplish that?
+"""]]

Added a comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment
new file mode 100644
index 00000000..eb8abfb3
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="eugen"
+ avatar="http://cdn.libravatar.org/avatar/7e7e5700d7017735fd00c2dfcd3f91e4"
+ subject="comment 3"
+ date="2019-11-21T20:29:20Z"
+ content="""
+Indeed, I can see how etckeeper provides a very easy way to check exactly what has changed to /etc (also) after a propellor spin. When I'm manually editing an /etc file I know what the changes are, but not so when a tool does it for me. So, it's important to verify, for example, that propellor did indeed what I *thought* I told it to do (not sure if propellor has an option to report the /etc changes it did).
+
+By using both etckeeper and propellor, which one do you consider to have the authoritative status (power?) over /etc? Do you still manually edit /etc files?
+"""]]

comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment
new file mode 100644
index 00000000..84c22a04
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2019-11-21T15:16:36Z"
+ content="""
+Also, when the propellor configuration is changed, it's very useful to have
+a record of how that change affected the host. While etckeeper's record is
+limited to /etc, that does cover a large percentage of such changes.
+"""]]

comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment
new file mode 100644
index 00000000..752bbd01
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-11-21T14:57:57Z"
+ content="""
+I use both. To be fully described by the propellor configuration, it would
+need to pin the system to a specific version of every package installed on
+it, and that's generally not practical because there are new security
+updates all the time. It's useful to have etckeeper keeping track of
+changes made to configuration during upgrades.
+
+I do find etckeeper generally less useful on those type of systems, but it
+still more than pays for itself.
+"""]]

diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
index b35d49c9..ea605ef4 100644
--- a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
@@ -1 +1,2 @@
 I'm still learning about these two programs.  I haven't use them yet, but I will (at least propellor). It seems to me there exists a bit of functionality overlapping between them: propellor's config file might be enough to describe all your changes you want to /etc for a host..? In this case, etckeeper would appear to be useful just as a "change log".. What's your thoughts on this? Do you use both propellor and etckeeper?
+-- eugen

diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
new file mode 100644
index 00000000..b35d49c9
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
@@ -0,0 +1 @@
+I'm still learning about these two programs.  I haven't use them yet, but I will (at least propellor). It seems to me there exists a bit of functionality overlapping between them: propellor's config file might be enough to describe all your changes you want to /etc for a host..? In this case, etckeeper would appear to be useful just as a "change log".. What's your thoughts on this? Do you use both propellor and etckeeper?