Recent changes to this wiki:

response
diff --git a/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
new file mode 100644
index 00000000..ae50a008
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-06T20:19:27Z"
+ content="""
+I was going to write something asserting that it's entirely data,
+and not code, though typed data expressed in a programming language.
+
+However, I think it's better to say that this code/data distinction is
+much less a useful distinction that commonly thought, one that things,
+especially in the configuration management space often chafe under (see
+all the turing complete ill-specified languages built on top of what
+started out as some pure data format that are in use by almost every other
+configuration management tool), and that Propellor is an attempt to
+move in a more useful and less ridigly defined direction.
+"""]]
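Review bot: two typos in the second paragraph of the comment body: "much less a useful distinction that commonly thought" should read "than commonly thought", and "ridigly" should be "rigidly".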

diff --git a/doc/forum/Separation_of_data_and_code.mdwn b/doc/forum/Separation_of_data_and_code.mdwn
new file mode 100644
index 00000000..3a09a237
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code.mdwn
@@ -0,0 +1,11 @@
+I'm using Fedora for the desktop and CentOS on my server. I have many software packages to install. I store them in shell scripts, with lines like this:
+
+    yum -y install vim-common vim-enhanced gvim vim-X11 # the latter for clipboard support
+
+I'm thinking about some more elaborate way to do that (to put some packages to specific hosts and groups). Propellor seems an interesting tool for that, but when I see an [example configuration file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs), it looks like this is a mixture of data and logic, which is considered [not a very good practice](https://softwareengineering.stackexchange.com/questions/229479/how-did-separation-of-code-and-data-become-a-practice).
+
+I know that Haskell itself is a very declarative language (in the sense it's not imperative), but still I have this feeling of a mixture of code with constants. What do you think of that?
+
+Is there a way to cleanly store names of packages (with comments and some configuration options (e.g. on what hosts they should be used)) in one place and use propellor's logic to install them in another place? 
+
+I understand that the power of propellor is to `do` things apart of just enumerating them, but I think that this separation could be useful.

Dns: Support TXT values longer than bind's maximum string length of 255 bytes. Thanks, rsiddharth.
diff --git a/debian/changelog b/debian/changelog
index 8d9179e4..bad0cad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium
     method of parsing git log output. Needs git 2.0.
   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
     and EtcDefault.set properties. Thanks, Sean Whitton
+  * Dns: Support TXT values longer than bind's maximum string length
+    of 255 bytes. Thanks, rsiddharth.
 
  -- Joey Hess <id@joeyh.name>  Fri, 18 May 2018 10:25:05 -0400
 
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
new file mode 100644
index 00000000..8809f999
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-24T15:21:29Z"
+ content="""
+Looks good to me, merged.
+"""]]

Add s user page.
diff --git a/doc/user/s.mdwn b/doc/user/s.mdwn
new file mode 100644
index 00000000..08ef7bc8
--- /dev/null
+++ b/doc/user/s.mdwn
@@ -0,0 +1,3 @@
+s [propels some computers][1] using propellor.
+
+[1]: https://git.ricketyspace.net/propellor/tree/config.hs

Added a comment
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
new file mode 100644
index 00000000..3fbd389f
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="s@aa9ff9ce06b08acfd2a93ebd342ce6879430fbdd"
+ nickname="s"
+ avatar="http://cdn.libravatar.org/avatar/81bf27f8b35011d1846711fa37a5588f"
+ subject="comment 2"
+ date="2018-06-24T14:58:53Z"
+ content="""
+joeyh, Thanks for the feedback.
+
+I updated the definition of `TXT`'s `rValue` according to your suggestion and removed the `MTXT` record -- [patch][patch].
+
+I would like to get the patch merged into upstream, let me know if I've to refactor it.
+
+[patch]: https://ricketyspace.net/file/0001-update-rValue-of-Dns-TXT-record-type.patch
+"""]]

update link 2
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
index 69a62b59..e6f2b478 100644
--- a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -16,4 +16,4 @@ I'm [currently using this recipe][2] to provision the DKIM TXT record.
 I want to know if there is a better way to do this without having to add the MTXT record type?
 
 [1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
-[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs?id=67f47e5a23e8c7814014ea58f2dbc9f7c58ede3a#n722

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
new file mode 100644
index 00000000..b566f3c5
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-23T19:13:59Z"
+ content="""
+Well, cabal files can have flags that enable additional dependencies, but
+using them complicates testing the program since you have to try building
+it with different combinations of flags. And deploying propellor with the
+desired flags turned on would be an additional complication.
+
+I feel that additional libraries that depend on propellor and the sql
+library and provide properties is a better approach. The user can easily
+add the dependency to their ~/.propellor/config.cabal, and the necessary
+dependencies will be automatically installed when propellor is deploying
+itself to a new host.
+"""]]

response
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
new file mode 100644
index 00000000..5595af19
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
@@ -0,0 +1,25 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-23T18:42:32Z"
+ content="""
+It seems that the limit is 255 characters, and this
+limit applies to any string in a bind zone file,
+rather than being a maximim line length. A single line can contain multiple
+such strings, although there's probably a maximum line length somewhere 
+too, so using parens to extend across multiple lines is wise.
+
+The values inside the parens are concacenated together, no newline is added
+to the string that bind builds up from them AFAICS.
+
+So it seems your code is stripping out the newlines from the TXT value.
+Which probably doesn't matter for DKIM public key material,
+and I don't think that bind zone files support multiline strings anyway.
+But a single line could be too long and splitting on newlines would not
+help then.
+
+So, I think the thing to do would be to make `rValue` break TXT
+strings into substrings no longer than 255 characters. Then you don't
+need a new constructor, and long SSHFP etc records could also be handled
+that way.
+"""]]
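Review bot: the limit is stated as "255 characters" in the first paragraph and again in the `rValue` suggestion, while the changelog entry for the merged change says "255 bytes". The two differ as soon as a TXT value contains non-ASCII text, so the comment should name the unit the splitter actually counts. Also "maximim" and "concacenated" are misspelled, and the line ending "maximum line length somewhere" has trailing whitespace.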

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
new file mode 100644
index 00000000..74654902
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2018-06-19T18:56:28Z"
+ content="""
+I am looking for a solution which could be integrated to propellor. Is it possible to include those additional libraries in propellor sources and have them included in the build on demand? I am not very familiar with the haskell build systems.
+
+About generated passwords, a nice solution would be to do it in PrivData.  The user would provide a salt as the private data and it would be combined to context to generate a password.  I can try find how this could be done.
+"""]]
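Review bot: in the last paragraph the private value is called a "salt", but as described it is the one secret that is combined with the context to produce each password, which makes it a key rather than a salt (a salt is normally not secret). The proposal should say that the PrivData value needs to be long and random, and how it is combined with the context, for example as the key of an HMAC over the context rather than plain concatenation before hashing.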

New post - DNS - Support for Multiline TXT records.
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
new file mode 100644
index 00000000..69a62b59
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -0,0 +1,19 @@
+bind9 has a limit on the number of characters in a single line TXT record. I was unable to provision the DKIM TXT record using propellor due to this limit.
+
+I added a new MTXT record type to `Propellor.Types.DNS.Record` ([patch][1]).
+
+MTXT creates a multiline TXT record. It splits the record's text (say
+"long string...\n...xyz") at `'\n'` and creates a TXT record of the
+form:
+
+
+    domain IN      TXT     ( "long string..."
+            "...xyz" )
+
+
+I'm [currently using this recipe][2] to provision the DKIM TXT record.
+
+I want to know if there is a better way to do this without having to add the MTXT record type?
+
+[1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722

add shortcuts page so !commit works
I think none of the default shortcuts were being used, and I trimmed the
list down
diff --git a/doc/shortcuts.mdwn b/doc/shortcuts.mdwn
new file mode 100644
index 00000000..9c8b7605
--- /dev/null
+++ b/doc/shortcuts.mdwn
@@ -0,0 +1,12 @@
+[[!if test="enabled(shortcut)"
+     then="This wiki has shortcuts **enabled**."
+     else="This wiki has shortcuts **disabled**."]]
+
+This page controls what shortcut links the wiki supports.
+
+* [[!shortcut name=debbug url="http://bugs.debian.org/%S" desc="Debian bug #%s"]]
+* [[!shortcut name=iki url="http://ikiwiki.info/%S/"]]
+* [[!shortcut name=rfc url="https://www.ietf.org/rfc/rfc%s.txt" desc="RFC %s"]]
+* [[!shortcut name=cve url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=%s"]]
+* [[!shortcut name=hackage url="http://hackage.haskell.org/package/%s"]]
+* [[!shortcut name=commit url="http://source.propellor.branchable.com/?p=source.git;a=commitdiff;h=%s"]]
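Review bot: four of the six shortcuts (`debbug`, `iki`, `hackage`, `commit`) are defined with `http://` URLs while `rfc` and `cve` use `https://`. Links generated from these shortcuts will send readers over plaintext; switch them to `https://` wherever the target host serves it. The page also mixes `%S` (`debbug`, `iki`) and `%s` (the rest) without saying why, and a one-line explanation would help whoever adds the next shortcut.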

improve docs
diff --git a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
index 7649e95e..4869922e 100644
--- a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
+++ b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
@@ -1,23 +1,43 @@
 [[!comment format=mdwn
  username="joey"
- subject="""comment 1"""
+ subject="""supported OS's and how to add more"""
  date="2014-12-07T15:58:03Z"
  content="""
-I have heard of propellor being used on OSX. Probably that user wrote their
-own code for OSX specific stuff.
+Propellor supports Debian and its derivatives, as well as FreeBSD and
+ArchLinux. See
+<http://hackage.haskell.org/package/propellor-5.4.0/docs/Propellor-Types-OS.html>
 
-Propellor properites can be parameterized by OS. Currently it has support
-for Debian and some untested support for *buntu. A property can be parameterized
-like this:
+Propellor keeps track of what OS's each property supports, as part of the
+type of the propery. So for example, it has separate properties for Debian
+and for FreeBSD that keep the OS's upgraded using their respective
+package managers:
 
-	foo :: Property
-	foo = property "foo" withOS desc $ \o -> case o of
-	                (Just (System (Debian _) _)) -> ensureProperty fooDebian
-	                (Just (System (Buntish _) _)) -> ensureProperty fooBuntu
+	Apt.upgraded :: Property DebianLike
+	
+	Pkg.upgraded :: Property FreeBSD
 
-The first step for adding a new OS will be to modify <http://hackage.haskell.org/package/propellor/docs/Propellor-Types-OS.html>.
-Compilation will then warn about all OS parameterized properties that
-need to be updated to support your added OS, and it can be taken from there.
+Properties can be combined using `pickOS` to make a property that works
+on multiple OS's:
 
-I'll accept reasonable patches to support other OS's.
+	upgraded :: Property (DebianLike + FreeBSD)
+	upgraded = Apt.upgraded `pickOS` Pkg.upgraded
+
+The `withOS` function lets a single property do different things for
+different OS versions as well as different OS's.
+
+The ArchLinux and FreeBSD ports were done by propellor users,
+and both are good examples of the scope of the changes involved in making
+propellor support a new OS. 
+
+Here are Zihao Wang's commits for ArchLinux support:
+
+* add types for Arch Linux [[!commit 442fa3706de3d7329552c78d314b5a8f653ca65d]]
+* bootstrap propellor using Pacman [[!commit 44f7f7f1c3014586fd574ba1d10a1063204850a7]]
+* add properties for Pacman [[!commit 5b946ea4e32657f64771f3e2ef8bc865afc4c1fc]]
+* add ArchLinux support to specific properties
+  [[!commit 92168164943dcf033682b9f9a26f81beb3c537f4]]
+  [[!commit 0b936d63931baa9cda6b243cf643ad1c71ce5c0b]]
+  [[!commit f95e4fc7dccb9691b8185166c44f83ce884463dc]]
+* fixed type of a property that wrongly claimed to support any Linux but actually
+  only supported DebianLike [[!commit 7781c8098f45481ac03c5ede989614eb8411a6aa]]
 """]]
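Review bot: the new link at the top of the comment is pinned to `propellor-5.4.0`, where the removed text linked the unversioned `package/propellor/docs/Propellor-Types-OS.html`. The pinned URL will keep showing the 5.4.0 list of supported OS's after later releases add more, so the unversioned form is the better fit for a "supported OS" answer. Also "propery" in the second paragraph should be "property".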
diff --git a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment b/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
deleted file mode 100644
index 07c12d0b..00000000
--- a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""comment 2"""
- date="2016-03-08T01:48:35Z"
- content="""
-Propellor just got support for [[FreeBSD]]!
-"""]]
diff --git a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment b/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
deleted file mode 100644
index c03f6cd9..00000000
--- a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""Arch too!"""
- date="2017-02-04T21:30:26Z"
- content="""
-Propellor just got support for Arch Linux!
-"""]]

response
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
new file mode 100644
index 00000000..6f06f87f
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-13T14:32:43Z"
+ content="""
+I can't see any docker-engine package in any version of Debian. Unstable
+still has a docker.io, though testing does not. It looks like perhaps
+docker was not included in the last stable release, though I am not sure.
+
+I have not used docker in quite some time. I use systemd-nspawn containers
+which are much easier to build and maintain. So, it may make sense to
+either mark the docker module in propellor as unmaintained, or find someone
+else to maintain it.
+"""]]

diff --git a/doc/todo/Outdated_Docker_Package__63__.mdwn b/doc/todo/Outdated_Docker_Package__63__.mdwn
new file mode 100644
index 00000000..9564bbc8
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__.mdwn
@@ -0,0 +1,9 @@
+G'day Joey.
+
+In [Docker.hs, line 73](https://git.joeyh.name/index.cgi/propellor.git/tree/src/Propellor/Property/Docker.hs?h=5.4.0#n73), docker.io is listed as the package to be installed.
+
+Docker.installed currently fails for me on Stretch with:
+
+    E: Package 'docker.io' has no installation candidate
+
+Unless I'm mistaken, from Stretch this is now replaced by "docker-engine".

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
new file mode 100644
index 00000000..5376b576
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-12T14:38:22Z"
+ content="""
+We want to avoid adding heavy dependencies to propellor since that makes
+propellor more expensive to bootstrap and adds a point of failure.
+
+But, it should be easy enough to add dependencies to your own 
+~/.propellor/config.cabal and write your properties using them. It would
+also be fine to have additional libraries of propellor properties extending
+propellor.
+
+As for crypto hashes, it's certianly general enough to consider adding to
+propellor, but it's also striking that propellor has mostly avoided needing
+any hashes (except for some small uses of hashable and one place that
+shells out to sha1). If there's a general purpose property that uses a
+crypto hash, we could talk about adding it.
+"""]]

creating Adding support for a SQL server
diff --git a/doc/forum/Adding_support_for_a_SQL_server.mdwn b/doc/forum/Adding_support_for_a_SQL_server.mdwn
new file mode 100644
index 00000000..00ec42ad
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server.mdwn
@@ -0,0 +1,17 @@
+Hello,
+
+I would like to add support for MySQL/MariaDB and I have some questions about it.
+
+I suppose the nicest way to do it would be to use some haskell binding and to
+connect directly to the server from propellor.  However, this would add a
+dependency to build it.  Is it acceptable?
+
+Another solution is to use a command line client and parse its output, but the
+SQL syntax is so strange that I fear this will be painful.
+
+Another question is about password generation as I will need many passwords, I
+would like to generate them using a crypto hash of a secret combined with a
+public part in the propellor config.  Do you have a suggestion to compute this
+hash?  I think a dependency on a hash library is easier to accept.
+
+Thanks.

add news item for propellor 5.4.0
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
deleted file mode 100644
index cd16116e..00000000
--- a/doc/news/version_5.3.2.mdwn
+++ /dev/null
@@ -1,10 +0,0 @@
-propellor 5.3.2 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Added Propellor.Property.Atomic, which can make a non-atomic property
-     that operates on a directory into an atomic property.
-     (Inspired by Vaibhav Sagar's talk on Functional Devops in a
-     Dysfunctional World at LCA 2018.)
-   * Added Git.pulled.
-   * Systemd.machined: Install systemd-container on Debian
-     stretch.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.4.0.mdwn b/doc/news/version_5.4.0.mdwn
new file mode 100644
index 00000000..e63f8c6c
--- /dev/null
+++ b/doc/news/version_5.4.0.mdwn
@@ -0,0 +1,13 @@
+propellor 5.4.0 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ Sean Whitton ]
+   * Apt.installedBackport replaced with Apt.backportInstalled.  (API change)
+     The old property would install dependencies from backports even when
+     the versions in stable satisfy the requested backport's dependencies.
+     The new property installs only the listed packages from backports;
+     all other dependencies come from stable.
+     So in some cases, you may need to list additional backports to install,
+     that would not have needed to be listed before. Due to this behavior
+     change the property has been renamed so uses of it will be checked.
+   * Restic.installed: stop trying to install a backport on jessie, because no
+     such backport exists."""]]
\ No newline at end of file

add missing close paren
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 69b34e2d..88726a6d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG))
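Review bot: the quickstart link on the changed line still uses `http://propellor.branchable.com/...`, while the README link in the hunk header context already points at `https://propellor.branchable.com/`. Since this line is being edited anyway, change the scheme to `https://` so both links to the same site are consistent.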

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index c1550d23..69b34e2d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)
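Review bot: removing the stray `]` also drops the `)` that closed the sentence opened by "(Want to get your feet wet", so the parenthesis is now unbalanced. The line should end `...SSH__44___GPG))`, one paren closing the link and one closing the sentence.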

add news item for propellor 5.3.6
diff --git a/doc/news/version_5.3.1.mdwn b/doc/news/version_5.3.1.mdwn
deleted file mode 100644
index 4f660270..00000000
--- a/doc/news/version_5.3.1.mdwn
+++ /dev/null
@@ -1,5 +0,0 @@
-propellor 5.3.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Last release mistakenly contained my personal branch not master.
-   * contrib/post-merge-hook documentation updated to recommend also using
-     it as a post-checkout hook, to avoid such problems."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.3.6.mdwn b/doc/news/version_5.3.6.mdwn
new file mode 100644
index 00000000..7a7a417e
--- /dev/null
+++ b/doc/news/version_5.3.6.mdwn
@@ -0,0 +1,13 @@
+propellor 5.3.6 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix build with ghc 8.4, which broke due to the Semigroup Monoid change.
+   * Dropped support for building propellor with ghc 7 (as in debian
+     oldstable), to avoid needing to depend on the semigroups transitional
+     package, but also because it's just too old to be worth supporting.
+   * stack.yaml: Updated to lts-9.21.
+   * Make Schroot.overlaysInTmpfs revertable
+     Thanks, Sean Whitton
+   * Update shim each time propellor is run in a container, to deal with
+     library version changes.
+   * Unbound: Added support for various DNS record types.
+     Thanks, Félix Sipma."""]]
\ No newline at end of file

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index df1b8ada..c1550d23 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this|http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
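Review bot: the replacement line still ends in `GPG])`, so the `]` left over from the old `[text|url]` form is now part of the link target and the link will not resolve. Drop the `]` and keep a closing paren for the surrounding "(Want to ..." sentence.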

markdown
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
index 76c11464..ef3f4dad 100644
--- a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -6,8 +6,8 @@
 I don't think you need to use a different name for your config file, unless
 it somehow makes things easier for you.
 
-It's fine to use Utility.* like that, but do note that there's no guaranteed 
+It's fine to use `Utility.*` like that, but do note that there's no guaranteed 
 API stability for those. OTOH, if you might later contribute some
-properties built using Utility.* back to propellor, it certianly makes
+properties built using `Utility.*` back to propellor, it certianly makes
 sense to use those.
 """]]
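Review bot: both changed lines are being rewritten anyway, so fix what is left on them: "certianly" on the second changed line should be "certainly", and the first changed line keeps its trailing space after "guaranteed".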

comment
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
new file mode 100644
index 00000000..b4b924ac
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-05-03T16:46:45Z"
+ content="""
+Agreed on all points, also there are some 
+`File.containsLine` properties for /etc/default files elsewhere that
+don't necessarily work correctly if a later line changes the value,
+that could be converted to use this new property.
+
+Your name ideas sound fine to me.
+"""]]

remove badly placed and redundant comment
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
new file mode 100644
index 00000000..76c11464
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-05-03T16:30:15Z"
+ content="""
+I don't think you need to use a different name for your config file, unless
+it somehow makes things easier for you.
+
+It's fine to use Utility.* like that, but do note that there's no guaranteed 
+API stability for those. OTOH, if you might later contribute some
+properties built using Utility.* back to propellor, it certianly makes
+sense to use those.
+"""]]

Added a comment
diff --git a/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
new file mode 100644
index 00000000..c861f1cc
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 3"
+ date="2018-05-01T07:07:54Z"
+ content="""
+* Do you think that I should use a dedicated config-soleil.hs file instead of the config.hs file ?
+
+* I use the combinesModes in order to set the right mode.
+
+    +rra :: Property UnixLike
+    +rra = fetch `onChange` execmode
+    +    where
+    +      fetch :: Property UnixLike
+    +      fetch = property \"install rra scripts\"
+    +              (liftIO $ toResult <$> download \"https://archives.eyrie.org/software/devel/backport\" \"/usr/local/bin/backport\")
+    +
+    +      execmode :: Property UnixLike
+    +      execmode = File.mode \"/usr/local/bin/backport\" (combineModes (ownerWriteMode:readModes ++ executeModes))
+
+"""]]
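Review bot: the `fetch` property in the posted snippet downloads `https://archives.eyrie.org/software/devel/backport` straight to `/usr/local/bin/backport` and `execmode` then marks it executable, with no check on what was downloaded. Whatever that URL serves at run time ends up as an executable on the host; comparing the file against a pinned checksum before setting the mode would close that gap. Separately, the snippet lines carry leftover leading `+` diff markers, and the text says `combinesModes` where the code uses `combineModes`.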

notes on failed attempt to migrate
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 347ea9e5..c3641385 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -7,3 +7,23 @@ Waiting on concurrent-output reaching Debian stable.
 > supporting the current oldstable, I believe.. --[[Joey]]
 
 [[!tag user/joey]]
+
+> This was attempted again in 2018 and had to be reverted
+> in [[!commit b6ac64737b59e74d4aa2d889690e8fab3772d2c6]].
+> 
+> The strange output I was seeing is the first line 
+> of "apt-cache policy apache2" (but not subsequent lines)
+> and the ssh-keygen command run by `genSSHFP'`
+
+> Propellor also misbehaved in some other ways likely due to not seeing
+> the command output it expected. In particular Git.cloned must have
+> failed to see an origin url in git config output, because it nuked and
+> re-cloned a git repo (losing data).
+> 
+> So, it seems that readProcess was somehow leaking output to the console
+> and also likely not providing it to the caller. 
+> 
+> The affected system had libghc-concurrent-output-dev 1.10.5-1 installed
+> from debian. That is a somewhat old version and perhaps it was buggy?
+> However, I have not had any luck reproducing the problem there running
+> readProcess in ghci. --[[Joey]]

Added a comment
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
new file mode 100644
index 00000000..43e83fb7
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="jsza"
+ avatar="http://cdn.libravatar.org/avatar/72c6bc8c0cdfb0fff175e90c3b036415"
+ subject="comment 2"
+ date="2018-04-30T14:27:19Z"
+ content="""
+Nice, thank you! Can confirm that it's now working for me.
+
+I'd also just like to say that using Propellor to manage our eleven or so TF2 game servers has been an absolute pleasure and a time saver.
+
+Thanks for all the work you've put into making Propellor so awesome.
+"""]]

responses
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
new file mode 100644
index 00000000..03121a74
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-30T13:23:47Z"
+ content="""
+Think I've fixed this now.
+"""]]
diff --git a/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
new file mode 100644
index 00000000..6edd05d7
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-04-30T13:24:30Z"
+ content="""
+Seems this must be caused by [[!commit d8d2faece72eabd18c2ff303e5fb63c3a69961f6]]
+
+And I guess you've modified the config.hs in propellor
+for your own systems?
+
+You will indeed need to add dependencies to the cabal stanza for
+propellor-config.
+
+I think that you may be able to add Other-Modules: Utility.FileMode
+to the cabal stanza for propellor-config and get access to the unexported
+module that way. Not 100% sure.
+
+I'm curious: Is there part of propellor's published modules that made you
+need something from Utility.FileMode to use it, or were you writing your
+own property and happened to use something from Utility.FileMode?
+"""]]

Revert "Added dependency on concurrent-output; removed embedded copy."
This reverts commit 02eca2ae4cf51d8e83d94d8359e15ac053451109.
This seems to have broken propellor badly, in testing I'm seeing it
crash at the end of a run with "thread blocked indefinitely in an STM
transaction" and also during the run it printed out some odd output
like:
apache2:
apache2:
dummy IN SSHFP 4 1 35df80973f5877e4041f1b70947385eb2f6a0822
dummy IN SSHFP 4 2 3a0bb426e76eebc5c56e3b0f1428aa9d18539e9621bf8f9e3b7f56a4e7d81c85
Which seems like it might be output of commands that
propellor is supposed to be reading?
Seems likely that there's a bug or two that have crept
into the concurrent-output library since the version embedded in
propellor.
diff --git a/debian/changelog b/debian/changelog
index 42871285..9308a7bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,7 +4,6 @@ propellor (5.3.6) UNRELEASED; urgency=medium
   * Dropped support for building propellor with ghc 7 (as in debian
     oldstable), to avoid needing to depend on the semigroups transitional
     package, but also because it's just too old to be worth supporting.
-  * Added dependency on concurrent-output; removed embedded copy.
   * stack.yaml: Updated to lts-9.21.
 
  -- Joey Hess <id@joeyh.name>  Mon, 23 Apr 2018 13:12:25 -0400
diff --git a/debian/control b/debian/control
index 77bd7eae..5a041c90 100644
--- a/debian/control
+++ b/debian/control
@@ -6,17 +6,19 @@ Build-Depends:
 	git,
 	ghc (>= 7.6),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
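Review bot: the restored Build-Depends list goes back to an unsorted order (libghc-split-dev, libghc-hslogger-dev, libghc-unix-compat-dev, ...), although undoing the concurrent-output switch only requires dropping libghc-concurrent-output-dev and re-adding libghc-transformers-dev, libghc-stm-dev and libghc-text-dev. Suggest keeping the alphabetical order from the reverted commit, so this list stays easy to compare against propellor.cabal and the lists in src/Propellor/Bootstrap.hs that this patch also has to change.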
@@ -28,17 +30,19 @@ Section: admin
 Depends: ${misc:Depends}, ${shlibs:Depends},
 	ghc (>= 7.4),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 	git,
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index ddf074f9..347ea9e5 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -5,9 +5,5 @@ Waiting on concurrent-output reaching Debian stable.
 
 > Well, it's in stable now. Not in oldstable yet, and propellor is still
 > supporting the current oldstable, I believe.. --[[Joey]]
-> >
-> > not anymore; dropping it now.
-
-[[done]]
 
 [[!tag user/joey]]
diff --git a/propellor.cabal b/propellor.cabal
index cf9fe7ce..a5b8c8a3 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -42,31 +42,14 @@ Library
     GHC-Options: -fno-warn-redundant-constraints
   Default-Extensions: TypeOperators
   Hs-Source-Dirs: src
-  -- propellor needs to support the ghc shipped in Debian stable,
-  -- and also only depends on packages in Debian stable.
-  -- 
-  -- When updating dependencies here, also update the lists in
-  -- Propellor.Bootstrap
   Build-Depends:
-    ansi-terminal,
-    async,
+    -- propellor needs to support the ghc shipped in Debian stable,
+    -- and also only depends on packages in Debian stable.
     base >= 4.9, base < 5,
-    bytestring,
-    concurrent-output,
-    containers (>= 0.5),
-    directory,
-    exceptions (>= 0.6),
-    filepath,
-    hashable,
-    hslogger,
-    IfElse,
-    mtl,
-    network,
-    process,
-    split,
-    time,
-    unix,
-    unix-compat
+    directory, filepath, IfElse, process, bytestring, hslogger, split,
+    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
+    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+
   Exposed-Modules:
     Propellor
     Propellor.Base
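Review bot: the comment block removed above Build-Depends includes "When updating dependencies here, also update the lists in Propellor.Bootstrap", a reminder that has nothing to do with concurrent-output and is lost by the plain revert. Suggest keeping that comment and the one-package-per-line sorted list, and only replacing the concurrent-output line with transformers, stm and text, since this same patch shows that the dependency set has to be edited in three files at once.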
@@ -240,6 +223,9 @@ Library
     Utility.Tmp
     Utility.Tuple
     Utility.UserInfo
+    System.Console.Concurrent
+    System.Console.Concurrent.Internal
+    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index a8713535..04f23f85 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -138,17 +138,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		-- Below are the same deps listed in debian/control.
 		, "ghc"
 		, "cabal-install"
-		, "libghc-ansi-terminal-dev"
 		, "libghc-async-dev"
-		, "libghc-concurrent-output-dev"
-		, "libghc-exceptions-dev"
-		, "libghc-hashable-dev"
+		, "libghc-split-dev"
 		, "libghc-hslogger-dev"
+		, "libghc-unix-compat-dev"
+		, "libghc-ansi-terminal-dev"
 		, "libghc-ifelse-dev"
-		, "libghc-mtl-dev"
 		, "libghc-network-dev"
-		, "libghc-split-dev"
-		, "libghc-unix-compat-dev"
+		, "libghc-mtl-dev"
+		, "libghc-transformers-dev"
+		, "libghc-exceptions-dev"
+		, "libghc-stm-dev"
+		, "libghc-text-dev"
+		, "libghc-hashable-dev"
 		]
 	debdeps Stack =
 		[ "gnupg"
@@ -159,16 +161,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "hs-cabal-install"
-		, "hs-ansi-terminal"
 		, "hs-async"
-		, "hs-exceptions"
-		, "hs-hashable"
+		, "hs-split"
 		, "hs-hslogger"
+		, "hs-unix-compat"
+		, "hs-ansi-terminal"
 		, "hs-IfElse"
-		, "hs-mtl"
 		, "hs-network"
-		, "hs-split"
-		, "hs-unix-compat"
+		, "hs-mtl"
+		, "hs-transformers-base"
+		, "hs-exceptions"
+		, "hs-stm"
+		, "hs-text"
+		, "hs-hashable"
 		]
 	fbsddeps Stack =
 		[ "gnupg"
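Review bot: "hs-transformers-base" in this list does not match the name used everywhere else in the patch, where propellor.cabal restores transformers and debian/control restores libghc-transformers-dev. Please confirm that this package name is the intended one for the transformers dependency on this platform; if it is a different library, the bootstrap installs something propellor.cabal never asks for.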
@@ -179,17 +184,20 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "cabal-install"
-		, "haskell-hackage-security"
-		, "haskell-ansi-terminal"
 		, "haskell-async"

(Diff truncated)
signature
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
index 6a97f8fb..16c791cd 100644
--- a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -13,3 +13,5 @@ Notes:
 * The use of a tuple for the last two parameters ensures that the property can be used infix.
 
 * I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.
+
+--spwhitton

we should factor out code in Grub.configured
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
new file mode 100644
index 00000000..6a97f8fb
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -0,0 +1,15 @@
+It would be useful to have a property to set key value pairs in /etc/default configs.  The code is in Grub.configured.  I have not written a patch yet because I am not sure what the module should be called.  Possibilities are:
+
+    & EtcDefault.set "anacron" "ANACRON_RUN_ON_BATTERY_POWER" "no"
+
+or maybe
+
+    & ConfFile.hasShellSetting "/etc/default/anacron" ("ANACRON_RUN_ON_BATTERY_POWER", "no")
+
+Or possibly both of these, with the former implemented in terms of the latter.
+
+Notes:
+
+* The use of a tuple for the last two parameters ensures that the property can be used infix.
+
+* I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment
new file mode 100644
index 00000000..70e31058
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 15"
+ date="2018-04-29T16:06:12Z"
+ content="""
+Hello,
+
+--allow-unrelated-history is your friend :)
+"""]]

Added a comment
diff --git a/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment b/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment
new file mode 100644
index 00000000..e06e4683
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 1"
+ date="2018-04-29T16:05:18Z"
+ content="""
+I solved my problem by creating a SiteSpecific module directly in the library part of Propellor
+"""]]

diff --git a/doc/forum/5.3.5_import_errors.mdwn b/doc/forum/5.3.5_import_errors.mdwn
new file mode 100644
index 00000000..f69934f2
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors.mdwn
@@ -0,0 +1,35 @@
+Hello, with the new 5.3.5 version,I have these errors now.
+
+At least for the two first I know that I need to add the dependencies to the executable.
+but for the last one, I do not know how to proceed properly.
+
+Cheers
+
+
+    Building executable 'propellor-config' for propellor-5.3.5..
+    [1 of 1] Compiling Main             ( executables/propellor-config.hs, dist/build/propellor-config/propellor-config-tmp/Main.o )
+
+    executables/propellor-config.hs:14:1-25: error:
+        Could not find module ‘System.Posix.Files’
+        Perhaps you meant System.Posix.Types (from base-4.10.1.0)
+        Use -v to see a list of the files searched for.
+       |
+    14 | import System.Posix.Files
+       | ^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    executables/propellor-config.hs:15:1-66: error:
+        Could not find module ‘System.FilePath.Posix’
+        Use -v to see a list of the files searched for.
+       |
+    15 | import System.FilePath.Posix ((</>), dropExtension, takeDirectory)
+       | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    executables/propellor-config.hs:28:1-23: error:
+        Could not find module ‘Utility.FileMode’
+        it is a hidden module in the package ‘propellor-5.3.5’
+        Use -v to see a list of the files searched for.
+       |
+    28 | import Utility.FileMode
+       | ^^^^^^^^^^^^^^^^^^^^^^^
+
+    HsCompilation exited abnormally with code 1 at Sun Apr 29 09:35:08

diff --git a/doc/forum/5.3.5_errors_building_with_Stack.mdwn b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
index e612579d..bdda6bca 100644
--- a/doc/forum/5.3.5_errors_building_with_Stack.mdwn
+++ b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
@@ -1,6 +1,6 @@
 I'm able to reproduce the following with a freshly cloned Propellor:
 
->    stack build
+    > stack build
     propellor-5.3.5: build (lib + exe)
     Preprocessing library propellor-5.3.5...
     [ 43 of 171] Compiling Propellor.Types  ( src/Propellor/Types.hs, .stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0/build/Propellor/Types.o )

diff --git a/doc/forum/5.3.5_errors_building_with_Stack.mdwn b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
new file mode 100644
index 00000000..e612579d
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
@@ -0,0 +1,38 @@
+I'm able to reproduce the following with a freshly cloned Propellor:
+
+>    stack build
+    propellor-5.3.5: build (lib + exe)
+    Preprocessing library propellor-5.3.5...
+    [ 43 of 171] Compiling Propellor.Types  ( src/Propellor/Types.hs, .stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0/build/Propellor/Types.o )
+
+    /home/jayess/code/propellor/src/Propellor/Types.hs:251:37: error:
+        • Could not deduce (Monoid (Property setupmetatypes))
+            arising from a use of ‘<>’
+          from the context: (Sem.Semigroup (Property setupmetatypes),
+                             Sem.Semigroup (Property undometatypes))
+            bound by the instance declaration
+            at src/Propellor/Types.hs:(245,9)-(248,74)
+        • In the first argument of ‘RevertableProperty’, namely
+            ‘(s1 <> s2)’
+          In the expression: RevertableProperty (s1 <> s2) (u2 <> u1)
+          In an equation for ‘<>’:
+              (RevertableProperty s1 u1) <> (RevertableProperty s2 u2)
+                = RevertableProperty (s1 <> s2) (u2 <> u1)
+
+    /home/jayess/code/propellor/src/Propellor/Types.hs:251:48: error:
+        • Could not deduce (Monoid (Property undometatypes))
+            arising from a use of ‘<>’
+          from the context: (Sem.Semigroup (Property setupmetatypes),
+                             Sem.Semigroup (Property undometatypes))
+            bound by the instance declaration
+            at src/Propellor/Types.hs:(245,9)-(248,74)
+        • In the second argument of ‘RevertableProperty’, namely
+            ‘(u2 <> u1)’
+          In the expression: RevertableProperty (s1 <> s2) (u2 <> u1)
+          In an equation for ‘<>’:
+              (RevertableProperty s1 u1) <> (RevertableProperty s2 u2)
+                = RevertableProperty (s1 <> s2) (u2 <> u1)
+
+    --  While building package propellor-5.3.5 using:
+          /home/jayess/.stack/setup-exe-cache/x86_64-linux-nopie/Cabal-simple_mPHDZzAJ_1.24.2.0_ghc-8.0.2 --builddir=.stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0 build lib:propellor exe:propellor exe:propellor-config --ghc-options " -ddump-hi -ddump-to-file"
+        Process exited with code: ExitFailure 1

Added dependency on concurrent-output; removed embedded copy.
Removed deps on transformers, text, stm. Updated debian/control and
Propellor.Bootstrap accordingly. Sorted the lists of deps to make it easier
to keep them in sync.
This commit was sponsored by Nick Daly on Patreon.
diff --git a/debian/changelog b/debian/changelog
index cb8ed552..729eed4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ propellor (5.3.6) UNRELEASED; urgency=medium
   * Dropped support for building propellor with ghc 7 (as in debian
     oldstable), to avoid needing to depend on the semigroups transitional
     package, but also because it's just too old to be worth supporting.
+  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Mon, 23 Apr 2018 13:12:25 -0400
 
diff --git a/debian/control b/debian/control
index 5a041c90..77bd7eae 100644
--- a/debian/control
+++ b/debian/control
@@ -6,19 +6,17 @@ Build-Depends:
 	git,
 	ghc (>= 7.6),
 	cabal-install,
+	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-split-dev,
+	libghc-concurrent-output-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-hashable-dev,
 	libghc-hslogger-dev,
-	libghc-unix-compat-dev,
-	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-stm-dev,
-	libghc-text-dev,
-	libghc-hashable-dev,
+	libghc-network-dev,
+	libghc-split-dev,
+	libghc-unix-compat-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
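Review bot: the unchanged "ghc (>= 7.6)" at the top of this Build-Depends list no longer agrees with the 5.3.6 changelog entry shown in this same commit ("Dropped support for building propellor with ghc 7") or with "base >= 4.9" in propellor.cabal, which needs GHC 8.0 or later. Since the dependency lists are being sorted and synced here anyway, tighten that bound, and likewise "ghc (>= 7.4)" in the Depends stanza of the next hunk.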
@@ -30,19 +28,17 @@ Section: admin
 Depends: ${misc:Depends}, ${shlibs:Depends},
 	ghc (>= 7.4),
 	cabal-install,
+	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-split-dev,
+	libghc-concurrent-output-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-hashable-dev,
 	libghc-hslogger-dev,
-	libghc-unix-compat-dev,
-	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-stm-dev,
-	libghc-text-dev,
-	libghc-hashable-dev,
+	libghc-network-dev,
+	libghc-split-dev,
+	libghc-unix-compat-dev,
 	git,
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 347ea9e5..ddf074f9 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -5,5 +5,9 @@ Waiting on concurrent-output reaching Debian stable.
 
 > Well, it's in stable now. Not in oldstable yet, and propellor is still
 > supporting the current oldstable, I believe.. --[[Joey]]
+> >
+> > not anymore; dropping it now.
+
+[[done]]
 
 [[!tag user/joey]]
diff --git a/propellor.cabal b/propellor.cabal
index a5b8c8a3..cf9fe7ce 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -42,14 +42,31 @@ Library
     GHC-Options: -fno-warn-redundant-constraints
   Default-Extensions: TypeOperators
   Hs-Source-Dirs: src
+  -- propellor needs to support the ghc shipped in Debian stable,
+  -- and also only depends on packages in Debian stable.
+  -- 
+  -- When updating dependencies here, also update the lists in
+  -- Propellor.Bootstrap
   Build-Depends:
-    -- propellor needs to support the ghc shipped in Debian stable,
-    -- and also only depends on packages in Debian stable.
+    ansi-terminal,
+    async,
     base >= 4.9, base < 5,
-    directory, filepath, IfElse, process, bytestring, hslogger, split,
-    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
-
+    bytestring,
+    concurrent-output,
+    containers (>= 0.5),
+    directory,
+    exceptions (>= 0.6),
+    filepath,
+    hashable,
+    hslogger,
+    IfElse,
+    mtl,
+    network,
+    process,
+    split,
+    time,
+    unix,
+    unix-compat
   Exposed-Modules:
     Propellor
     Propellor.Base
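Review bot: concurrent-output is added to Build-Depends with no version bound, while neighbouring entries such as containers (>= 0.5) and exceptions (>= 0.6) carry one. Because this replaces an embedded copy whose behaviour propellor was tested against, suggest stating at least a lower bound matching the version that was embedded, so a build cannot silently pick up a release that behaves differently from the removed System.Console.Concurrent modules.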
@@ -223,9 +240,6 @@ Library
     Utility.Tmp
     Utility.Tuple
     Utility.UserInfo
-    System.Console.Concurrent
-    System.Console.Concurrent.Internal
-    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index 04f23f85..a8713535 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -138,19 +138,17 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		-- Below are the same deps listed in debian/control.
 		, "ghc"
 		, "cabal-install"
+		, "libghc-ansi-terminal-dev"
 		, "libghc-async-dev"
-		, "libghc-split-dev"
+		, "libghc-concurrent-output-dev"
+		, "libghc-exceptions-dev"
+		, "libghc-hashable-dev"
 		, "libghc-hslogger-dev"
-		, "libghc-unix-compat-dev"
-		, "libghc-ansi-terminal-dev"
 		, "libghc-ifelse-dev"
-		, "libghc-network-dev"
 		, "libghc-mtl-dev"
-		, "libghc-transformers-dev"
-		, "libghc-exceptions-dev"
-		, "libghc-stm-dev"
-		, "libghc-text-dev"
-		, "libghc-hashable-dev"
+		, "libghc-network-dev"
+		, "libghc-split-dev"
+		, "libghc-unix-compat-dev"
 		]
 	debdeps Stack =
 		[ "gnupg"
@@ -161,19 +159,16 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "hs-cabal-install"
+		, "hs-ansi-terminal"
 		, "hs-async"
-		, "hs-split"
+		, "hs-exceptions"
+		, "hs-hashable"
 		, "hs-hslogger"
-		, "hs-unix-compat"
-		, "hs-ansi-terminal"
 		, "hs-IfElse"
-		, "hs-network"
 		, "hs-mtl"
-		, "hs-transformers-base"
-		, "hs-exceptions"
-		, "hs-stm"
-		, "hs-text"
-		, "hs-hashable"
+		, "hs-network"
+		, "hs-split"
+		, "hs-unix-compat"
 		]
 	fbsddeps Stack =
 		[ "gnupg"
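Review bot: this list is reordered and loses hs-transformers-base, hs-stm and hs-text, but unlike the Debian list in the previous hunk (which gains "libghc-concurrent-output-dev") it gains no entry for concurrent-output. propellor.cabal now requires that library, so either add the corresponding package here or leave a comment explaining that it is expected to come from cabal on this platform; otherwise the bootstrap lists and the cabal file are out of sync from the first commit.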
@@ -184,20 +179,17 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "cabal-install"
-		, "haskell-async"
-		, "haskell-split"
-		, "haskell-hslogger"

(Diff truncated)
update
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index cf985166..347ea9e5 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -3,4 +3,7 @@ should be converted to a dependency.
 
 Waiting on concurrent-output reaching Debian stable.
 
+> Well, it's in stable now. Not in oldstable yet, and propellor is still
+> supporting the current oldstable, I believe.. --[[Joey]]
+
 [[!tag user/joey]]

add news item for propellor 5.3.5
diff --git a/doc/news/version_5.3.5.mdwn b/doc/news/version_5.3.5.mdwn
new file mode 100644
index 00000000..a7da0f0c
--- /dev/null
+++ b/doc/news/version_5.3.5.mdwn
@@ -0,0 +1,7 @@
+propellor 5.3.5 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Apt.stdSourcesList now adds stable-updates suite
+     Thanks, Sean Whitton
+   * Significantly increased propellor build speed when your config.hs
+     is in a fork of the propellor repository, by avoiding redundant builds
+     of propellor library."""]]
\ No newline at end of file

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
index 4d750553..f929c3b3 100644
--- a/doc/forum/Problem_with_getting_started.mdwn
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -3,25 +3,29 @@ Hello, I hope this is the right place to ask for help.
 I am new to Haskell and Propellor; just want to give it a try. I have been using ansible but now looking for an alternative.
 
 I did the following steps:
-- install propellor on control machine with: `stack install propellor`
-- `propellor --init`
-- create a minimal config.hs file, which does nothing:
-```
-abc :: Host
-abc = host "abc" $ props
-	& osDebian (Stable "stretch") X86_64
-```
-
-when I run `propellor --spin abc`, it ended with the last following:
-.
-.
-Installed propellor-5.3.4
-Resolving dependencies...
-Configuring config-0...
-Preprocessing executable 'propellor-config' for config-0...
-cabal: can't find source for config in .
-sh: 1: ./propellor: not found
-propellor: user error (ssh <long text>
+
+* install propellor on control machine with: `stack install propellor`
+
+* `propellor --init`
+
+* create a minimal config.hs file, which does nothing:
+
+        abc :: Host
+        abc = host "abc" $ props
+            & osDebian (Stable "stretch") X86_64
+
+
+when I run `propellor --spin abc`, it ended with the following message:
+
+    .
+    .
+    Installed propellor-5.3.4
+    Resolving dependencies...
+    Configuring config-0...
+    Preprocessing executable 'propellor-config' for config-0...
+    cabal: can't find source for config in .
+    sh: 1: ./propellor: not found
+    propellor: user error (ssh <long text>
 
 Can someone give me a hint how to process further?
 

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
index 6c438b6e..4d750553 100644
--- a/doc/forum/Problem_with_getting_started.mdwn
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -5,12 +5,12 @@ I am new to Haskell and Propellor; just want to give it a try. I have been using
 I did the following steps:
 - install propellor on control machine with: `stack install propellor`
 - `propellor --init`
-- create a minimal config.hs file, which does nothing
-
+- create a minimal config.hs file, which does nothing:
+```
 abc :: Host
 abc = host "abc" $ props
 	& osDebian (Stable "stretch") X86_64
-
+```
 
 when I run `propellor --spin abc`, it ended with the last following:
 .

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
new file mode 100644
index 00000000..6c438b6e
--- /dev/null
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -0,0 +1,30 @@
+Hello, I hope this is the right place to ask for help.
+
+I am new to Haskell and Propellor; just want to give it a try. I have been using ansible but now looking for an alternative.
+
+I did the following steps:
+- install propellor on control machine with: `stack install propellor`
+- `propellor --init`
+- create a minimal config.hs file, which does nothing
+
+abc :: Host
+abc = host "abc" $ props
+	& osDebian (Stable "stretch") X86_64
+
+
+when I run `propellor --spin abc`, it ended with the last following:
+.
+.
+Installed propellor-5.3.4
+Resolving dependencies...
+Configuring config-0...
+Preprocessing executable 'propellor-config' for config-0...
+cabal: can't find source for config in .
+sh: 1: ./propellor: not found
+propellor: user error (ssh <long text>
+
+Can someone give me a hint how to process further?
+
+Regards,
+Tony
+

Added a comment
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment
new file mode 100644
index 00000000..ab80fbc6
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 2"
+ date="2018-04-05T10:41:02Z"
+ content="""
+The same we get from using http://deb.debian.org/debian instead of http://ftp.debian.org/debian : redundancy, avoiding overloading security.debian.org, ...
+"""]]

response
diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
new file mode 100644
index 00000000..b2124dd7
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-03T22:39:14Z"
+ content="""
+Mostly I point people at my [personal propellor config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)
+which is quite big, but demos a lot of propellor's features. And unlike
+an artificial example, it's always tested and working.
+"""]]

fix urls for change from gitweb to cgit
diff --git a/doc/FreeBSD.mdwn b/doc/FreeBSD.mdwn
index 47b9c65b..ca340163 100644
--- a/doc/FreeBSD.mdwn
+++ b/doc/FreeBSD.mdwn
@@ -6,5 +6,5 @@ additional porting to support FreeBSD. Such properties have types like
 `Property DebianLike`. The type checker will detect and reject attempts
 to combine such properties with `Property FreeBSD`.
 
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-freebsd.hs)
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/config-freebsd.hs)
 which configures a FreeBSD system, as well as a Linux one.
diff --git a/doc/index.mdwn b/doc/index.mdwn
index 1e3af9dd..264a6f48 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -4,7 +4,7 @@
 [[Download]]  
 [API documentation](http://hackage.haskell.org/package/propellor)  
 [[Other Documentation|documentation]]
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=joeyconfig.hs)  
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)  
 [[Security]]  
 [[Todo]]  
 [[Forum]]  

Added a comment
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
new file mode 100644
index 00000000..8565ee93
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-04-03T00:20:41Z"
+ content="""
+What would that achieve?
+"""]]

diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
new file mode 100644
index 00000000..a918a402
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
@@ -0,0 +1 @@
+Maybe we could use deb.debian.org/debian-security instead of security.debian.org in Apt properties. What do you think about this?

diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
index b34fbcce..c3260c1c 100644
--- a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
@@ -1,6 +1,3 @@
 Hello,
 
 where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server.
-
-Regards,
-Thanh

diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
new file mode 100644
index 00000000..b34fbcce
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
@@ -0,0 +1,6 @@
+Hello,
+
+where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server.
+
+Regards,
+Thanh

add news item for propellor 5.3.4
diff --git a/doc/news/version_5.3.4.mdwn b/doc/news/version_5.3.4.mdwn
new file mode 100644
index 00000000..09358138
--- /dev/null
+++ b/doc/news/version_5.3.4.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.4 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+     which seems to not work anymore.
+     Thanks, Russell Sim.
+   * Firewall: Reorder iptables parameters that are order
+     dependant to make --to-dest and --to-source work.
+     Thanks, Russell Sim"""]]
\ No newline at end of file

don't use ikiwiki link in readme
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 8bdb6c83..df1b8ada 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[[try this|forum/Simple_quickstart_without_git__44___SSH__44___GPG]])
+[try this|http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
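Review bot: the replacement "[try this|http://...]" keeps the ikiwiki "text|target" separator inside single brackets, which is not a Markdown link, so the README will render the raw text instead of a link wherever ikiwiki is not processing it. Use the "[try this](URL)" form, and prefer https://propellor.branchable.com/ to match the link on the context line in the hunk header.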

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
new file mode 100644
index 00000000..c5427cd7
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
@@ -0,0 +1,35 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 14"
+ date="2018-03-04T10:41:01Z"
+ content="""
+Hello, sorry to bother you with this BUT :))
+
+Now I have the right message which explain how to upgrade my .propellor
+(sorry for the french)
+
+    picca@mordor:~$ propellor
+    Fusion automatique de src/Propellor/Property/Systemd.hs
+    Fusion automatique de src/Propellor/Property/SiteSpecific/JoeySites.hs
+    Fusion automatique de src/Propellor/Property/Git.hs
+    Fusion automatique de src/Propellor/Git/VerifiedBranch.hs
+    Fusion automatique de src/Propellor/Git.hs
+    Fusion automatique de src/Propellor/EnsureProperty.hs
+    Fusion automatique de src/Propellor/DotDir.hs
+    Fusion automatique de propellor.cabal
+    Fusion automatique de joeyconfig.hs
+    Fusion automatique de doc/README.mdwn
+    Fusion automatique de debian/changelog
+    ** warning: ** Your ~/.propellor/ is out of date..
+       A newer upstream version is available in /usr/src/propellor/propellor.git
+       To merge it, run: git merge upstream/master
+
+but when I try to do the merge, I get this error message
+
+    picca@mordor:~/.propellor$ LANG=C git merge upstream/master
+    fatal: refusing to merge unrelated histories
+
+How can I help to solve this issue ?
+
+"""]]

Apt.trustsKey: Use apt-key to add key rather than manually driving gpg, which seems to not work anymore.
Thanks, Russell Sim.
diff --git a/debian/changelog b/debian/changelog
index b081d04f..92581607 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.3.4) UNRELEASED; urgency=medium
+
+  * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+    which seems to not work anymore.
+    Thanks, Russell Sim.
+
+ -- Joey Hess <id@joeyh.name>  Thu, 01 Mar 2018 18:25:04 -0400
+
 propellor (5.3.3) unstable; urgency=medium
 
   * Warn again about new upstream version when ~/.propellor was cloned from the
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
new file mode 100644
index 00000000..b1f82b19
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-03-01T22:20:54Z"
+ content="""
+I added trustsKey in 2014, but my current config is not using
+it for anything, so it seems likely it's bitrotted in some way.
+And there's no rationalle documented for why it manually drives gpg.
+
+I've applied your change to use apt-key.
+
+I wonder if the nukeFile of the "gpg dropping" is actually needed
+anymore?
+"""]]
diff --git a/src/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs
index d44b5c38..7275205a 100644
--- a/src/Propellor/Property/Apt.hs
+++ b/src/Propellor/Property/Apt.hs
@@ -447,7 +447,7 @@ trustsKey k = trustsKey' k <!> untrustKey k
 trustsKey' :: AptKey -> Property DebianLike
 trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
 	withHandle StdinHandle createProcessSuccess
-		(proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"]) $ \h -> do
+		(proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
 			hPutStr h (pubkey k)
 			hClose h
 	nukeFile $ f ++ "~" -- gpg dropping
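Review bot: The unchanged guard `check (not <$> doesFileExist f)` means this fix never reaches hosts that already ran the old `gpg --import` path. The keyring file `f` exists there, so the property is skipped and apt keeps whatever gpg wrote. Consider validating or regenerating an existing `f` instead of testing only for its presence. The trailing `nukeFile $ f ++ "~" -- gpg dropping` also needs a check now that gpg is no longer driven directly: if `apt-key` does not leave that backup file, drop the line, otherwise update the comment.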

Added a comment: LUKS desired ;-)
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
new file mode 100644
index 00000000..93248324
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="dominik"
+ avatar="http://cdn.libravatar.org/avatar/41b0caab63708c0b81d8aeda611afad5"
+ subject="LUKS desired ;-)"
+ date="2018-03-01T11:40:27Z"
+ content="""
+I'd love to use LUKS partitions in Propeller.
+
+Thanks Joey.
+
+"""]]

diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
new file mode 100644
index 00000000..3c0853db
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
@@ -0,0 +1,90 @@
+I've been hitting a problem when importing APT keys on a debian stretch VM. I'm using a property like
+
+    mybox :: Host
+    mybox = host "henry1.home" $ props
+      & osDebian (Stable "stretch") X86_64
+      & Apt.stdSourcesList
+      & Apt.unattendedUpgrades
+      & installKubernetes
+
+
+    installKubernetes :: Property DebianLike
+    installKubernetes = Apt.installed ["kubelet", "kubeadm", "kubectl"]
+      `requires` Apt.setSourcesListD ["deb http://apt.kubernetes.io/ kubernetes-xenial main"] "google-cloud"
+      `requires` Apt.trustsKey googleKey
+
+    googleKey :: Apt.AptKey
+    googleKey =
+      Apt.AptKey "google-key" $ unlines
+      [ "-----BEGIN PGP PUBLIC KEY BLOCK-----"
+      , ""
+      , "mQENBFUd6rIBCAD6mhKRHDn3UrCeLDp7U5IE7AhhrOCPpqGF7mfTemZYHf/5Jdjx"
+      , "cOxoSFlK7zwmFr3lVqJ+tJ9L1wd1K6P7RrtaNwCiZyeNPf/Y86AJ5NJwBe0VD0xH"
+      , "TXzPNTqRSByVYtdN94NoltXUYFAAPZYQls0x0nUD1hLMlOlC2HdTPrD1PMCnYq/N"
+      , "uL/Vk8sWrcUt4DIS+0RDQ8tKKe5PSV0+PnmaJvdF5CKawhh0qGTklS2MXTyKFoqj"
+      , "XgYDfY2EodI9ogT/LGr9Lm/+u4OFPvmN9VN6UG+s0DgJjWvpbmuHL/ZIRwMEn/tp"
+      , "uneaLTO7h1dCrXC849PiJ8wSkGzBnuJQUbXnABEBAAG0QEdvb2dsZSBDbG91ZCBQ"
+      , "YWNrYWdlcyBBdXRvbWF0aWMgU2lnbmluZyBLZXkgPGdjLXRlYW1AZ29vZ2xlLmNv"
+      , "bT6JAT4EEwECACgFAlUd6rICGy8FCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B"
+      , "AheAAAoJEDdGwginMXsPcLcIAKi2yNhJMbu4zWQ2tM/rJFovazcY28MF2rDWGOnc"
+      , "9giHXOH0/BoMBcd8rw0lgjmOosBdM2JT0HWZIxC/Gdt7NSRA0WOlJe04u82/o3OH"
+      , "WDgTdm9MS42noSP0mvNzNALBbQnlZHU0kvt3sV1YsnrxljoIuvxKWLLwren/GVsh"
+      , "FLPwONjw3f9Fan6GWxJyn/dkX3OSUGaduzcygw51vksBQiUZLCD2Tlxyr9NvkZYT"
+      , "qiaWW78L6regvATsLc9L/dQUiSMQZIK6NglmHE+cuSaoK0H4ruNKeTiQUw/EGFaL"
+      , "ecay6Qy/s3Hk7K0QLd+gl0hZ1w1VzIeXLo2BRlqnjOYFX4A="
+      , "=HVTm"
+      , "-----END PGP PUBLIC KEY BLOCK-----"
+      ]
+
+
+the import works fine, but the packages fail to install because the key isn't valid, i can list the key
+
+    root@henry1:~# apt-key list | grep -A 6 google-key
+    Warning: apt-key output should not be parsed (stdout is not a terminal)
+    /etc/apt/trusted.gpg.d/google-key.gpg
+    -------------------------------------
+    pub   rsa2048 2015-04-03 [SCEA] [expires: 2018-04-02]
+          D0BC 747F D8CA F711 7500  D6FA 3746 C208 A731 7B0F
+    uid           [ unknown] Google Cloud Packages Automatic Signing Key <gc-team@google.com>
+
+
+but i can't export it. I've tried the gpg command listed in the Apt.trustsKey function and running it locally (on the vm) with a local file doesn't work either.
+
+    root@henry1:~# apt-key export D6FA3746A7317B0F
+    gpg: [don't know]: invalid packet (ctb=00)
+    gpg: WARNING: nothing exported
+    gpg: key export failed: Invalid packet
+
+
+Gpg version info
+
+    root@henry1:~# gpg --version
+    gpg (GnuPG) 2.1.18
+    libgcrypt 1.7.6-beta
+    Copyright (C) 2017 Free Software Foundation, Inc.
+    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+    This is free software: you are free to change and redistribute it.
+    There is NO WARRANTY, to the extent permitted by law.
+    
+    Home: /root/.gnupg
+    Supported algorithms:
+    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
+    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
+            CAMELLIA128, CAMELLIA192, CAMELLIA256
+    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
+    Compression: Uncompressed, ZIP, ZLIB, BZIP2
+
+I ended up changing the Apt.trustsKey command to a version which uses apt-key and everything works now
+
+    trustsKey' :: AptKey -> Property DebianLike
+    trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
+    	withHandle StdinHandle createProcessSuccess
+    		(proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
+    			hPutStr h (pubkey k)
+    			hClose h
+    	nukeFile $ f ++ "~" -- gpg dropping
+      where
+    	desc = "apt trusts key " ++ keyname k
+    	f = aptKeyFile k
+
+Any thoughts as to why this wouldn't be working?  Would it be reasonable to change this command upstream?

add news item for propellor 5.3.3
diff --git a/doc/news/version_5.3.3.mdwn b/doc/news/version_5.3.3.mdwn
new file mode 100644
index 00000000..18f80d5f
--- /dev/null
+++ b/doc/news/version_5.3.3.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.3 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Warn again about new upstream version when ~/.propellor was cloned from the
+     Debian git bundle using an older version of propellor that set up an
+     upstream remote.
+   * Avoid crashing if initial fetch from origin fails when spinning a host.
+   * Added Propllor.Property.Openssl module contributed by contributed by
+     Félix Sipma."""]]
\ No newline at end of file
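Review bot: The last bullet of this news item has two typos: `Propllor.Property.Openssl` should read `Propellor.Property.Openssl`, and "contributed by" is repeated. Fix both before the announcement is published, since readers will search for the module by the name given here.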

Added a comment
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
new file mode 100644
index 00000000..5cb2fc0b
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 2"
+ date="2018-02-23T13:16:09Z"
+ content="""
+I don't want my central repo to be accessible to anyone, but I still want to push there and use it for some of my hosts. Anyway, your fix works great, thanks!
+"""]]

Avoid crashing if initial fetch from origin fails when spinning a host.
diff --git a/debian/changelog b/debian/changelog
index 55ca5a93..bc7a4a69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ propellor (5.3.3) UNRELEASED; urgency=medium
   * Warn again about new upstream version when ~/.propellor was cloned from the
     Debian git bundle using an older version of propellor that set up an
     upstream remote.
+  * Avoid crashing if initial fetch from origin fails when spinning a host.
 
  -- Joey Hess <id@joeyh.name>  Mon, 19 Feb 2018 12:44:24 -0400
 
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
new file mode 100644
index 00000000..e79fabfb
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-22T15:34:07Z"
+ content="""
+--spin has always pushed/pulled from origin, if there is
+a central git repository.
+
+It's an optional thing though, since the update is pushed directly to the
+host it spins too.
+
+I've improved the code to avoid this particular crash..
+"""]]
diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs
index 51fcb573..df607bd2 100644
--- a/src/Propellor/Git/VerifiedBranch.hs
+++ b/src/Propellor/Git/VerifiedBranch.hs
@@ -30,12 +30,17 @@ verifyOriginBranch originbranch = do
 -- Returns True if HEAD is changed by fetching and merging from origin.
 fetchOrigin :: IO Bool
 fetchOrigin = do
+	fetched <- actionMessage "Pull from central git repository" $
+		boolSystem "git" [Param "fetch"]
+	if fetched
+		then mergeOrigin
+		else return False
+
+mergeOrigin :: IO Bool
+mergeOrigin = do
 	branchref <- getCurrentBranch
 	let originbranch = "origin" </> branchref
 
-	void $ actionMessage "Pull from central git repository" $
-		boolSystem "git" [Param "fetch"]
-
 	oldsha <- getCurrentGitSha1 branchref
 
 	keyring <- privDataKeyring
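Review bot: After this split, `fetchOrigin` returns `False` both when `git fetch` fails and when the fetch succeeds but HEAD does not change, so a caller cannot tell an unreachable origin from an up-to-date one. The comment above `fetchOrigin` should state that a failed fetch yields `False` and skips the merge, and the new `mergeOrigin` needs its own comment saying it assumes the origin branch has already been fetched.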

diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
new file mode 100644
index 00000000..5bd97367
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
@@ -0,0 +1,28 @@
+Did something changed recently concerning `--spin`? It seems like I can't use it without a central repo anymore...
+
+
+    $ ./propellor --spin server
+    Preprocessing executable 'propellor-config' for propellor-5.3.2...
+    Propellor build ... done
+    [master cabbc1b4e] propellor spin
+    Git commit ... done
+    Counting objects: 1, done.
+    Writing objects: 100% (1/1), 860 bytes | 860.00 KiB/s, done.
+    Total 1 (delta 0), reused 0 (delta 0)
+    To example.org:/var/lib/git/private/propellor.git
+       8c8c1b2f6..cabbc1b4e  master -> master
+    Push to central git repository ... done
+    gpg: encrypted with 4096-bit RSA key, ID EC0B9FA927E29C5C, created 2013-01-29
+          "Félix Sipma <felix.sipma@riseup.net>"
+    Host key verification failed.
+    fatal: Could not read from remote repository.
+    
+    Please make sure you have the correct access rights
+    and the repository exists.
+    Pull from central git repository ... failed
+    fatal: ambiguous argument 'origin/master': unknown revision or path not in the working tree.
+    Use '--' to separate paths from revisions, like this:
+    'git <command> [<revision>...] -- [<file>...]'
+    propellor: user error (git ["log","-n","1","--format=%G?","origin/master"] exited 128)
+    propellor: user error (ssh ["-o","ControlPath=/home/example/.ssh/propellor/server.example.org.sock","-o","ControlMaster=auto","-o","ControlPersist=yes","root@server.example.org","sh -c 'rm -rf /usr/local/propellor-precompiled ; if [ ! -d /usr/local/propellor/.git ] ; then (if ! git --version >/dev/null 2>&1; then apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -qq --no-install-recommends --no-upgrade -y install git; fi && echo STATUSNeedGitClone) || echo STATUSNeedPrecompiled ; else cd /usr/local/propellor && if ! cabal configure >/dev/null 2>&1; then ( apt-get update ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install gnupg ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install ghc ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install cabal-install ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-async-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-split-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hslogger-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-unix-compat-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ansi-terminal-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ifelse-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-network-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-mtl-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-transformers-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install 
libghc-exceptions-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-stm-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-text-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hashable-dev) || true; fi&& if ! test -x ./propellor; then cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi;if test -x ./propellor && ! ./propellor --check; then cabal clean && cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi && ./propellor --boot server.example.org ; fi'"] exited 1)
+    

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
new file mode 100644
index 00000000..39feff2e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 13"
+ date="2018-02-20T05:58:48Z"
+ content="""
+Thanks a lot joey,
+
+and you are right, I am fund of your works :).
+
+Cheers.
+"""]]

Warn again about new upstream version when ~/.propellor was cloned from the Debian git bundle using an older version of propellor that set up an upstream remote.
This commit was sponsored by Jake Vosloo on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 3515497b..55ca5a93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.3.3) UNRELEASED; urgency=medium
+
+  * Warn again about new upstream version when ~/.propellor was cloned from the
+    Debian git bundle using an older version of propellor that set up an
+    upstream remote.
+
+ -- Joey Hess <id@joeyh.name>  Mon, 19 Feb 2018 12:44:24 -0400
+
 propellor (5.3.2) unstable; urgency=medium
 
   * Added Propellor.Property.Atomic, which can make a non-atomic property
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
new file mode 100644
index 00000000..90d0ba2c
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 12"""
+ date="2018-02-19T15:48:21Z"
+ content="""
+What propellor --init sets up, when you select the clone option
+and the Debian package is installed, is no remote
+defined, but a remotes/upsteam/master tracking branch.
+
+So not normally this:
+
+    upstream        /usr/src/propellor/propellor.git (fetch)
+
+Aha! The very first revision of propellor --init
+*did* set up an upstream remote pointing at the distrepo. At some point
+that changed to the above described behavior. You're bitten by being an
+early adopter.
+
+I've adjusted the logic to handle that case.
+"""]]
diff --git a/src/Propellor/DotDir.hs b/src/Propellor/DotDir.hs
index 17eb095a..39c111f6 100644
--- a/src/Propellor/DotDir.hs
+++ b/src/Propellor/DotDir.hs
@@ -387,16 +387,17 @@ checkRepoUpToDate = whenM (gitbundleavail <&&> dotpropellorpopulated) $ do
 -- into the user's repository, as if fetching from a upstream remote,
 -- yielding a new upstream/master branch.
 --
--- If there's no upstream/master, the user is not using the distrepo,
--- so do nothing. And, if there's a remote named "upstream", the user
--- must have set that up and is not using the distrepo, so do nothing.
+-- If there's no upstream/master, or the repo is not using the distrepo,
+-- do nothing.
 updateUpstreamMaster :: String -> IO ()
-updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
+updateUpstreamMaster newref = do
 	changeWorkingDirectory =<< dotPropellor
-	go =<< catchMaybeIO getoldrev
+	v <- getoldrev
+	case v of
+		Nothing -> return ()
+		Just oldref -> go oldref
   where
-	go Nothing = return ()
-	go (Just oldref) = do
+	go oldref = do
 		let tmprepo = ".git/propellordisttmp"
 		let cleantmprepo = void $ catchMaybeIO $ removeDirectoryRecursive tmprepo
 		cleantmprepo
@@ -421,13 +422,37 @@ updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
 		cleantmprepo
 		warnoutofdate True
 
-	getoldrev = takeWhile (/= '\n')
-		<$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
-
 	git = run "git"
 	run cmd ps = unlessM (boolSystem cmd (map Param ps)) $
 		error $ "Failed to run " ++ cmd ++ " " ++ show ps
 
+	-- Get ref that the upstreambranch points to, only when
+	-- the distrepo is being used.
+	getoldrev = do
+		mrev <- catchMaybeIO $ takeWhile (/= '\n')
+			<$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
+		print mrev
+		case mrev of
+			Just _ -> do
+				-- Normally there will be no upstream
+				-- remote when the distrepo is used.
+				-- Older versions of propellor set up
+				-- an upstream remote pointing at the 
+				-- distrepo.
+				ifM (hasRemote "upstream")
+					( do
+						v <- remoteUrl "upstream"
+						print ("remote url", v)
+						return $ case v of
+							Just rurl | rurl == distrepo -> mrev
+							_ -> Nothing
+					, return mrev
+					)
+			Nothing -> return mrev
+
+-- And, if there's a remote named "upstream"
+-- that does not point at the distrepo, the user must have set that up
+-- and is not using the distrepo, so do nothing.
 warnoutofdate :: Bool -> IO ()
 warnoutofdate havebranch = do
 	warningMessage ("** Your ~/.propellor/ is out of date..")
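Review bot: `getoldrev` still contains two debugging statements, `print mrev` and `print ("remote url", v)`, which write raw Haskell values to stdout whenever `updateUpstreamMaster` runs; remove them before release. The comment block added just above `warnoutofdate` starts mid-sentence with "And, if there's a remote named "upstream"" and describes `updateUpstreamMaster`, not `warnoutofdate`, so it belongs with the doc comment on `updateUpstreamMaster`. Also note that `rurl == distrepo` is an exact string match, so an upstream remote that names the same location in a different form will be treated as user-defined.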
diff --git a/src/Propellor/Git.hs b/src/Propellor/Git.hs
index 10b88ddd..c446f67a 100644
--- a/src/Propellor/Git.hs
+++ b/src/Propellor/Git.hs
@@ -30,6 +30,10 @@ hasRemote remotename = catchDefaultIO False $ do
 	rs <- lines <$> readProcess "git" ["remote"]
 	return $ remotename `elem` rs
 
+remoteUrl :: String -> IO (Maybe String)
+remoteUrl remotename = catchDefaultIO Nothing $ headMaybe . lines
+	<$> readProcess "git" ["config", "remote." ++ remotename ++ ".url"]
+
 hasGitRepo :: IO Bool
 hasGitRepo = doesFileExist ".git/HEAD"
 
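Review bot: `remoteUrl` has no comment and collapses every failure into `Nothing` through `catchDefaultIO Nothing`, so a missing remote, an unset URL and a failing `git` invocation are indistinguishable to the caller. Add a comment stating that `Nothing` covers all of these, in the same way `hasRemote` above defaults to `False`.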

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
new file mode 100644
index 00000000..106d993f
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 11"
+ date="2018-02-19T06:31:32Z"
+ content="""
+Yes sir :)
+
+    picca@mordor:~/.propellor$ git remote -v
+    deploy  https://salsa.debian.org/picca/propellor.git (fetch)
+    deploy  https://salsa.debian.org/picca/propellor.git (push)
+    origin  git@salsa.debian.org:picca/propellor.git (fetch)
+    origin  git@salsa.debian.org:picca/propellor.git (push)
+    upstream        /usr/src/propellor/propellor.git (fetch)
+    upstream        /usr/src/propellor/propellor.git (push)
+
+"""]]

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
new file mode 100644
index 00000000..25d6ff1e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 10"
+ date="2018-02-18T21:35:23Z"
+ content="""
+Do you have a git remote named 'upstream'?
+"""]]

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
new file mode 100644
index 00000000..492f40e1
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 9"
+ date="2018-02-18T19:10:32Z"
+ content="""
+Hello, I think that my problem is related to this one.
+
+I have a repository created from the Debian package and which is from the 5.1.0 version.
+I just upgrade the package to 5.3.1 and now I do not have the message explaining that a new upstream version is available.
+So I do not know how to upgrade my current repository.
+
+Before, I just had to do
+
+    git merge upstream/master
+
+And now ?
+
+
+thanks for your help
+"""]]

add news item for propellor 5.3.2
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
new file mode 100644
index 00000000..cd16116e
--- /dev/null
+++ b/doc/news/version_5.3.2.mdwn
@@ -0,0 +1,10 @@
+propellor 5.3.2 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Added Propellor.Property.Atomic, which can make a non-atomic property
+     that operates on a directory into an atomic property.
+     (Inspired by Vaibhav Sagar's talk on Functional Devops in a
+     Dysfunctional World at LCA 2018.)
+   * Added Git.pulled.
+   * Systemd.machined: Install systemd-container on Debian
+     stretch.
+     Thanks, Sean Whitton"""]]
\ No newline at end of file

comment
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment
new file mode 100644
index 00000000..0962459f
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-06T15:37:45Z"
+ content="""
+Not aware of anyone using propellor for that yet.
+
+Propellor's LVM module would probably be a decent starting point for
+implementing dm-crypt support.
+
+Key/passwords could certianly be managed with propellor's privdata
+interface. Whether it makes sense to do so for security is probably up to
+the individual user, since privdata can be decrypted with your gpg private
+key, which you might not want to equate to access to your encrypted volume.
+Also, privdata is stored on the host that uses it in unencrypted form
+protected only by file permissions.
+"""]]

Ask about dm-crypt/LUKS
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management.mdwn b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management.mdwn
new file mode 100644
index 00000000..12a2bea5
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management.mdwn
@@ -0,0 +1 @@
+Hi. Searching for *luks* in the git repository and the forum doesn’t bring up any hits. Am I right to assume, that encrypting the disk with dm-crypt/LUKS and managing keys/passwords is currently not easily doable?

remove old version announces
diff --git a/doc/news/version_4.7.6.mdwn b/doc/news/version_4.7.6.mdwn
deleted file mode 100644
index 4c8abd97..00000000
--- a/doc/news/version_4.7.6.mdwn
+++ /dev/null
@@ -1,6 +0,0 @@
-propellor 4.7.6 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Sbuild: Add Sbuild.userConfig property.
-     Thanks, Sean Whitton
-   * Locale: Make sure that the locales package is installed when enabling
-     locales."""]]
\ No newline at end of file
diff --git a/doc/news/version_4.7.7.mdwn b/doc/news/version_4.7.7.mdwn
deleted file mode 100644
index 258f0f23..00000000
--- a/doc/news/version_4.7.7.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-propellor 4.7.7 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Locale: Display an error message when /etc/locale.gen does not contain
-     the requested locale.
-   * Attic module is deprecated and will warn when used.
-     Attic is no longer available in Debian and appears to have been
-     mostly supersceded by Borg.
-   * Obnam module is deprecated and will warn when used.
-     Obnam has been retired by its author.
-   * Add Typeable instance to Bootstrapper, fixing build with old versions
-     of ghc. (Previous attempt was incomplete.)"""]]
\ No newline at end of file
diff --git a/doc/news/version_4.8.0.mdwn b/doc/news/version_4.8.0.mdwn
deleted file mode 100644
index 217c3154..00000000
--- a/doc/news/version_4.8.0.mdwn
+++ /dev/null
@@ -1,21 +0,0 @@
-propellor 4.8.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * DiskImage: Made a DiskImage type class, so that different disk image
-     formats can be implemented. The properties in this module can generate
-     any type that is a member of DiskImage. (API change)
-     (To convert existing configs, convert the filename of the disk image
-     to RawDiskImage filename.)
-   * Removed DiskImage.vmdkBuiltFor property. (API change)
-     Instead, use VirtualBoxPointer in the property that creates the disk
-     image.
-   * Apt.isInstalled: Fix handling of packages that are not known at all
-     to apt.
-   * Borg: Converted BorgRepo from a String alias to a data type.
-     (API change)
-   * Borg: Allow specifying ssh private key to use when accessing a borg
-     repo by using the BorgRepoUsing constructor with UseSshKey.
-   * Borg: Fix broken shell escaping in borg cron job.
-   * Attic: Fix broken shell escaping in attic cron job.
-   * Make lock file descriptors close-on-exec.
-   * Lvm: New module for setting up LVM volumes.
-     Thanks, Nicolas Schodet"""]]
\ No newline at end of file
diff --git a/doc/news/version_4.8.1.mdwn b/doc/news/version_4.8.1.mdwn
deleted file mode 100644
index fbd293cd..00000000
--- a/doc/news/version_4.8.1.mdwn
+++ /dev/null
@@ -1,4 +0,0 @@
-propellor 4.8.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Borg: Fix propigation of exit status of borg backup.
-   * Borg: Fix handling of UseSshKey."""]]
\ No newline at end of file
diff --git a/doc/news/version_4.9.0.mdwn b/doc/news/version_4.9.0.mdwn
deleted file mode 100644
index c625e0c7..00000000
--- a/doc/news/version_4.9.0.mdwn
+++ /dev/null
@@ -1,23 +0,0 @@
-propellor 4.9.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * When the ipv4 and ipv6 properties are used with a container, avoid
-     propagating the address out to the host.
-   * DnsInfo has been replaced with DnsInfoPropagated and
-     DnsInfoUnpropagated. (API change)
-   * Code that used fromDnsInfo . fromInfo changes to use getDnsInfo.
-   * addDNS takes an additional Bool parameter to control whether
-     the DNS info should propagate out of containers. (API change)
-   * Made the PropellorRepo.hasOriginUrl property override the repository
-     url that --spin passes to a host.
-   * PropellorRepo.hasOriginUrl type changed to include HasInfo. (API change)
-   * Fstab.mounted: Create mount point if necessary, and mount it
-     if it's not already mounted.
-     Thanks, Nicolas Schodet
-   * Properties that check for an empty directory now treat a directory
-     containing only "lost+found" as effectively empty, to support
-     situations where the directory is a mount point of an EXT* filesystem.
-     Thanks, Nicolas Schodet
-   * Make addInfo accumulate Info in order properties appear, not
-     reverse order.
-     This fixes a bug involving reverting Systemd.resolvConfed or
-     Systemd.linkJournal."""]]
\ No newline at end of file

Merge branch 'joeyconfig'
fix typography
diff --git a/doc/README.mdwn b/doc/README.mdwn
index a4a38c5f..356c9304 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -18,12 +18,10 @@ There is fairly complete
 which includes many built-in Properties for dealing with
 [Apt](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Apt.html)
 and
-[Apache](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Apache.html)
-,
+[Apache](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Apache.html),
 [Cron](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Cron.html)
 and
-[Commands](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Cmd.html)
-,
+[Commands](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Cmd.html),
 [Dns](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Dns.html)
 and
 [Docker](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Docker.html), etc.
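Review bot: The two rewritten link lines (Apache and Commands) still use http://hackage.haskell.org; since these lines are being touched anyway, switch them to https:// so the documentation links are not followed over plaintext. The same applies to the unchanged Apt, Cron, Dns and Docker links in the surrounding context.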

link to simple quickstart
diff --git a/doc/README.mdwn b/doc/README.mdwn
index a4a38c5f..6d7e6508 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,3 +56,6 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
    each host becomes tiresome, you can
    [automate that](http://propellor.branchable.com/automated_spins/).
 7. Write some neat new properties and send patches!
+
+(Want to get your feet wet with propellor before plunging in?
+[[try this|forum/Simple_quickstart_without_git__44___SSH__44___GPG]])
diff --git a/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG/comment_1_031851f4a01a8a4d9fb4bd1f9ac077c8._comment b/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG/comment_1_031851f4a01a8a4d9fb4bd1f9ac077c8._comment
new file mode 100644
index 00000000..a99e83e2
--- /dev/null
+++ b/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG/comment_1_031851f4a01a8a4d9fb4bd1f9ac077c8._comment
@@ -0,0 +1,22 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-04T16:09:17Z"
+ content="""
+Thank you for this excellent idea and post! I've added a link to it under
+the quick start on the front page.
+
+Propellor's deployment system
+is just what happened to meet my needs, but certianly not ideal for anyone,
+and what I really like about this is it shows how the core of propellor is
+not locked into that one system.
+
+I see that `entr` automatically re-transfers the file when it has changed,
+so am I right that you could use this in combination with eg 
+`stack build --file-watch` to immediately test each change to config.hs?
+
+Do note that your method doesn't transfer over any private data that
+propellor might use on the host. And, some container properties need
+the propellor binary in /usr/local/propellor/ in order to work. 
+But until you need such properties, it's a nice way to get your feet wet.
+"""]]
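Review bot: The caveats in the last paragraph (the method transfers no private data, and some container properties need the propellor binary in /usr/local/propellor/) appear only in this comment, while the README hunk in the same change links straight to the forum post; consider repeating them next to the README link or in the post itself. Also, "certianly" in the second paragraph should be "certainly".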

add news item for propellor 5.3.1
diff --git a/doc/news/version_5.3.0.mdwn b/doc/news/version_5.3.0.mdwn
deleted file mode 100644
index 07900e0b..00000000
--- a/doc/news/version_5.3.0.mdwn
+++ /dev/null
@@ -1,16 +0,0 @@
-propellor 5.3.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Avoid bogus warning about new upstream version when /usr/bin/propellor
-     is run on a Debian system, but ~/.propellor was not cloned from the
-     Debian git bundle.
-   * Parted: Allow partitions to have no filesystem, for eg, GPT BIOS boot
-     partitions. (API change)
-   * Added rawPartition to PartSpec, for specifying partitions with no
-     filesystem.
-   * Added BiosGrubFlag to PartFlag.
-   * Add HasCallStack constraint to pickOS and unsupportedOS, so the
-     call stack includes the caller.
-   * Run su with --login, to avoid inheriting some problematic environment
-     variables, such as TMP, from the caller.
-   * Grub: Added properties to configure /etc/default/grub.
-   * Laptop: New module, starting with powertopAutoTuneOnBoot."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.3.1.mdwn b/doc/news/version_5.3.1.mdwn
new file mode 100644
index 00000000..4f660270
--- /dev/null
+++ b/doc/news/version_5.3.1.mdwn
@@ -0,0 +1,5 @@
+propellor 5.3.1 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Last release mistakenly contained my personal branch not master.
+   * contrib/post-merge-hook documentation updated to recommend also using
+     it as a post-checkout hook, to avoid such problems."""]]
\ No newline at end of file
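Review bot: The first bullet says "Last release" without naming it, and version_5.3.0.mdwn is deleted in this same change, so a reader of this news item alone cannot tell which release was built from the personal branch instead of master; name the version in the entry. The second bullet would be clearer if it said what contrib/post-merge-hook checks, since only "such problems" is given.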

diff --git a/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG.mdwn b/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG.mdwn
new file mode 100644
index 00000000..d0920424
--- /dev/null
+++ b/doc/forum/Simple_quickstart_without_git__44___SSH__44___GPG.mdwn
@@ -0,0 +1,35 @@
+I wanted to start using propellor in the most simple way and the requirement to have a GPG key, signed commits, propellor updating itself, and so on was way too much to start with.
+
+So I wrote this Haskell file:
+
+
+    module Main where
+    
+    import           Propellor
+    import           Propellor.Engine
+    import qualified Propellor.Property.Apt as Apt
+    
+    main :: IO ()
+    main = mainProperties myHost
+    
+    myHost :: Host
+    myHost = host "local" $ props
+      & Apt.installed [
+          "etckeeper"
+        , "git"
+        , "rsync"
+        , "tmux"
+        , "tree"
+        , "unattended-upgrades"
+        , "zsh"
+      ]
+
+And then used the Debian package *entr* to scp the executable to a test server and have it executed there:
+
+    echo mytest-exe | entr scp /_ mytesthost:
+
+and on the test host:
+
+    echo mytest-exe | entr sudo ./mytest-exe
+
+Maybe somebody finds this useful as a starting point to learn propellor.
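Review bot: The two entr lines near the end set up a loop in which whatever file named mytest-exe lands in the login directory on mytesthost is run under sudo as soon as it changes, with none of the GPG or signed-commit checks that the first paragraph says were skipped; the post should state that this is meant for a disposable test host and that the account used for scp effectively holds root there. The build step that produces mytest-exe from the Haskell file is also not shown.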

add news item for propellor 5.3.0
diff --git a/doc/news/version_5.2.0.mdwn b/doc/news/version_5.2.0.mdwn
deleted file mode 100644
index 8cd1edaf..00000000
--- a/doc/news/version_5.2.0.mdwn
+++ /dev/null
@@ -1,24 +0,0 @@
-propellor 5.2.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ Joey Hess ]
-   * bootstrappedFrom: Set up local privdata file.
-   * Parted: Fix names used for FAT and VFAT partitions.
-   * Parted: Add an Alignment parameter. (API change)
-     A good default to use is safeAlignment, which is 4MiB,
-     well suited for inexpensive flash drives, and fine for other disks too.
-     Previously, a very non-optimial 1MB (not 1MiB) alignment had been used.
-   * DiskImage: Use safeAlignment. It didn't seem worth making the
-     alignment configurable here.
-   * Fixed rounding bug in Parted.calcPartTable.
-   * DiskImage: Fix rsync crash when a mount point does not exist in the
-     chroot.
-   * Fix bug in unmountBelow that caused unmounting of nested mounts to
-     fail.
-   * Grub.boots, Grub.bootsMounted: Pass --target to grub-install.
-   * Added Propellor.Property.Installer modules, which can be used to create
-     bootable installer disk images, which then run propellor to install
-     a system. This code was extracted from the demo I gave in my
-     talk at DebConf 2017.
- * [ Sean Whitton ]
-   * Sbuild: add notes about Debian jessie hosts and backports of sbuild and
-     autopkgtest."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.3.0.mdwn b/doc/news/version_5.3.0.mdwn
new file mode 100644
index 00000000..07900e0b
--- /dev/null
+++ b/doc/news/version_5.3.0.mdwn
@@ -0,0 +1,16 @@
+propellor 5.3.0 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Avoid bogus warning about new upstream version when /usr/bin/propellor
+     is run on a Debian system, but ~/.propellor was not cloned from the
+     Debian git bundle.
+   * Parted: Allow partitions to have no filesystem, for eg, GPT BIOS boot
+     partitions. (API change)
+   * Added rawPartition to PartSpec, for specifying partitions with no
+     filesystem.
+   * Added BiosGrubFlag to PartFlag.
+   * Add HasCallStack constraint to pickOS and unsupportedOS, so the
+     call stack includes the caller.
+   * Run su with --login, to avoid inheriting some problematic environment
+     variables, such as TMP, from the caller.
+   * Grub: Added properties to configure /etc/default/grub.
+   * Laptop: New module, starting with powertopAutoTuneOnBoot."""]]
\ No newline at end of file

Added a comment: response
diff --git a/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_2_8592411690ea524b65e4fba580d51ba8._comment b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_2_8592411690ea524b65e4fba580d51ba8._comment
new file mode 100644
index 00000000..430c4e90
--- /dev/null
+++ b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_2_8592411690ea524b65e4fba580d51ba8._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="response"
+ date="2018-01-29T20:49:46Z"
+ content="""
+Thanks, it works :)
+
+riva4 is not configured by propellor yet, but osDebian does not touch anything so it's OK.
+"""]]

Added a comment
diff --git a/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_19_22178bd21d8a44bdd67cad162f71c400._comment b/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_19_22178bd21d8a44bdd67cad162f71c400._comment
new file mode 100644
index 00000000..bd34df0a
--- /dev/null
+++ b/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_19_22178bd21d8a44bdd67cad162f71c400._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 19"
+ date="2018-01-29T17:55:43Z"
+ content="""
+I tried several configurations, without success. Without a serial console, that was not fun to debug... I finally tried to boot the image with qemu, and that worked! So I thought that maybe I should try to use a MSDOS partition table instead of a GPT one, just to be sure. And that finally produced a bootable image on that damn card! :) I'll report a bug to PCEngines. It's unfortunate I can't test the GPT code more, but it would probably work, as it booted in qemu.
+
+Thanks a lot Joey!
+
+"""]]

Add HasCallStack constraint to pickOS and unsupportedOS, so the call stack includes the caller.
This commit was sponsored by Jochen Bartl on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 4545bcd1..2ffe4f8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ propellor (5.3.0) UNRELEASED; urgency=medium
   * Added rawPartition to PartSpec, for specifying partitions with no
     filesystem.
   * Added BiosGrubFlag to PartFlag.
+  * Add HasCallStack constraint to pickOS and unsupportedOS, so the
+    call stack includes the caller.
 
  -- Joey Hess <id@joeyh.name>  Tue, 02 Jan 2018 13:06:45 -0400
 
diff --git a/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_1_6ed53a6752f3f88acce023a4fe1b9bf6._comment b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_1_6ed53a6752f3f88acce023a4fe1b9bf6._comment
new file mode 100644
index 00000000..608bc3e2
--- /dev/null
+++ b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor/comment_1_6ed53a6752f3f88acce023a4fe1b9bf6._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-01-24T16:55:19Z"
+ content="""
+This comes from something using `unsupportedOS'`, perhaps via `pickOS`.
+
+Probably it's coming from the use of `Systemd.nspawned`,
+which is going to use debootstrap to build the container,
+since the container uses debian. To use debootstrap,
+it needs to install it, and `Debootstrap.installed`
+uses `pickOS` to work out how to install it, but only supports
+installing debootstrap on linux hosts. Your riva4 host does not have its OS
+declared, leading to the failure.
+
+It seems there ought to be a way to get a deeper call
+stack, to make it easier to work this out. It's possible to build
+propellor with profiling and get a complete call stack, as shown at
+<https://wiki.haskell.org/Debugging#Stack_trace>. It might make sense for
+propellor to always be built that way. 
+
+A simpler approach is to 
+add `HasCallStack =>` constraints to `pickOS` and `unsupportedOS'`,
+so that those will have a call stack that reaches back to their
+caller, which in your case would reach back to `Debootstrap.installed`,
+which is probably enough. For now, I've made this change.
+"""]]
diff --git a/src/Propellor/Property.hs b/src/Propellor/Property.hs
index 884ee683..8c0a5859 100644
--- a/src/Propellor/Property.hs
+++ b/src/Propellor/Property.hs
@@ -55,6 +55,7 @@ import Data.Maybe
 import Data.List
 import Data.Hashable
 import Control.Applicative
+import GHC.Stack
 import Prelude
 
 import Propellor.Types
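Review bot: The added `import GHC.Stack` line brings the whole module into scope unqualified, while the later hunks use only HasCallStack; an explicit list, `import GHC.Stack (HasCallStack)`, keeps other names out of this module's namespace and documents why the import is there.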
@@ -283,6 +284,7 @@ isNewerThan x y = do
 -- fail that way.
 pickOS
 	::
+		HasCallStack =>
 		( SingKind ('KProxy :: KProxy ka)
 		, SingKind ('KProxy :: KProxy kb)
 		, DemoteRep ('KProxy :: KProxy ka) ~ [MetaType]
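Review bot: HasCallStack is added as a separate constraint ahead of the parenthesised constraint tuple, so the signature reads `HasCallStack => ( ... ) => ...`; placing it as one more entry inside the existing tuple would keep the signature in a single context. The comment above pickOS gives no hint that a failure now carries the caller's stack, which is the reason for the change.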
@@ -344,7 +346,7 @@ unsupportedOS = property "unsupportedOS" unsupportedOS'
 
 -- | Throws an error, for use in `withOS` when a property is lacking
 -- support for an OS.
-unsupportedOS' :: Propellor Result
+unsupportedOS' :: HasCallStack => Propellor Result
 unsupportedOS' = go =<< getOS
 	  where
 		go Nothing = error "Unknown host OS is not supported by this property."
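Review bot: Only unsupportedOS' gains the constraint here, while the wrapper visible in the hunk header, `unsupportedOS = property "unsupportedOS" unsupportedOS'`, is not shown being changed, so a failure reached through unsupportedOS would report a stack that stops at that line in Property.hs rather than at the property that used it. The commit subject and the debian/changelog entry also name unsupportedOS rather than unsupportedOS'; either extend the change to the wrapper or correct the name in the changelog.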

creating "Unknown host OS" after merging recent propellor
diff --git a/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor.mdwn b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor.mdwn
new file mode 100644
index 00000000..8625ee00
--- /dev/null
+++ b/doc/forum/__34__Unknown_host_OS__34___after_merging_recent_propellor.mdwn
@@ -0,0 +1,43 @@
+Hello,
+
+I merged 5.2.0 into my .propellor, last merge was merging f6797bed.
+
+Since the merge, when I try to spin, I get:
+
+    riva4.ni.fr.eu.org has ipv4 91.121.114.4 ... ok
+    ** warning: Unknown host OS is not supported by this property.
+    CallStack (from HasCallStack):
+      error, called at src/Propellor/Property.hs:350:30 in main:Propellor.Property
+    riva4.ni.fr.eu.org container vz-web2 ... failed
+    riva4.ni.fr.eu.org overall ... failed
+
+I have in my config.hs:
+
+    riva4 :: Host   
+    riva4 = host "riva4.ni.fr.eu.org" $ props
+	    & ipv4 "91.121.114.4"
+	    & stdContainerSpawn "vz-web2" "2g" vzWeb2
+
+    stdContainerSpawn :: Systemd.MachineName
+		      -> String
+		      -> Systemd.Container
+		      -> Property (HasInfo + DebianLike)
+    stdContainerSpawn name size container =
+	    Lvm.lvFormatted Lvm.YesReallyFormatLogicalVolume
+		    (Lvm.LogicalVolume name (Lvm.VolumeGroup "vg0")) size
+		    Partition.EXT4
+		    `before` Fstab.mounted "auto" dev dir mempty
+		    `before` Systemd.nspawned container
+		    `describe` ("container " ++ name)
+      where 
+	    dev = "/dev/vg0" </> name
+	    dir = "/var/lib/container" </> name
+
+    vzWeb2 :: Systemd.Container
+    vzWeb2 = Systemd.debContainer "vz-web2" $ props
+	    & osDebian (Stable "stretch") X86_64
+	    & ipv4 "10.42.2.13"
+
+I reviewed all changes in propellor, but I cannot find what can cause this.
+
+How can I debug this?

Added a comment
diff --git a/doc/todo/partition_properties_should_install_e2fsprogs/comment_2_54a6e8a53221d0db2fe37703cd0a011d._comment b/doc/todo/partition_properties_should_install_e2fsprogs/comment_2_54a6e8a53221d0db2fe37703cd0a011d._comment
new file mode 100644
index 00000000..e7527bdc
--- /dev/null
+++ b/doc/todo/partition_properties_should_install_e2fsprogs/comment_2_54a6e8a53221d0db2fe37703cd0a011d._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 2"
+ date="2018-01-19T22:59:44Z"
+ content="""
+Thanks for checking this!
+"""]]

followup and close
diff --git a/doc/todo/partition_properties_should_install_e2fsprogs.mdwn b/doc/todo/partition_properties_should_install_e2fsprogs.mdwn
index 02b9491f..7232bdeb 100644
--- a/doc/todo/partition_properties_should_install_e2fsprogs.mdwn
+++ b/doc/todo/partition_properties_should_install_e2fsprogs.mdwn
@@ -1 +1,3 @@
 The e2fsprogs package is becoming non-essential in Debian.  Properties that invoke `mkfs.ext*` should start explicitly requiring that the package is installed (probably using `Apt.installed`).  --spwhitton
+
+> [[done]] seems no change needed --[[Joey]]
diff --git a/doc/todo/partition_properties_should_install_e2fsprogs/comment_1_0a6335e03587b18d5ae085f9a7bc0656._comment b/doc/todo/partition_properties_should_install_e2fsprogs/comment_1_0a6335e03587b18d5ae085f9a7bc0656._comment
new file mode 100644
index 00000000..555ae84f
--- /dev/null
+++ b/doc/todo/partition_properties_should_install_e2fsprogs/comment_1_0a6335e03587b18d5ae085f9a7bc0656._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-01-17T17:02:36Z"
+ content="""
+AFAICS, only Partition.formatted runs that, and it's always made sure to
+install e2fsprogs.
+
+Closing this, unless you know of something else that my grep didn't turn
+up.
+"""]]

fix syntax
diff --git a/doc/todo/Sbuild_and_jessie.mdwn b/doc/todo/Sbuild_and_jessie.mdwn
index 4960c5d8..d90a23a3 100644
--- a/doc/todo/Sbuild_and_jessie.mdwn
+++ b/doc/todo/Sbuild_and_jessie.mdwn
@@ -22,4 +22,4 @@ Cheers and thanks for this new Sbuild which is really nice :))
 
 Frederic
 
-:[[done]] --spwhitton
+> [[done]] --spwhitton

patch merged
diff --git a/doc/todo/Sbuild_and_jessie.mdwn b/doc/todo/Sbuild_and_jessie.mdwn
index 3786a26f..4960c5d8 100644
--- a/doc/todo/Sbuild_and_jessie.mdwn
+++ b/doc/todo/Sbuild_and_jessie.mdwn
@@ -21,3 +21,5 @@ So to my opinion the autopkgtest dependency is missing.
 Cheers and thanks for this new Sbuild which is really nice :))
 
 Frederic
+
+:[[done]] --spwhitton

rename forum/Sbuild_and_jessie.mdwn to todo/Sbuild_and_jessie.mdwn
diff --git a/doc/forum/Sbuild_and_jessie.mdwn b/doc/todo/Sbuild_and_jessie.mdwn
similarity index 100%
rename from doc/forum/Sbuild_and_jessie.mdwn
rename to doc/todo/Sbuild_and_jessie.mdwn
diff --git a/doc/forum/Sbuild_and_jessie/comment_1_31dc85774c182a583aeb1935e9fef2d6._comment b/doc/todo/Sbuild_and_jessie/comment_1_31dc85774c182a583aeb1935e9fef2d6._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_1_31dc85774c182a583aeb1935e9fef2d6._comment
rename to doc/todo/Sbuild_and_jessie/comment_1_31dc85774c182a583aeb1935e9fef2d6._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_2_41ed6253709b18ec799624a66b9b8078._comment b/doc/todo/Sbuild_and_jessie/comment_2_41ed6253709b18ec799624a66b9b8078._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_2_41ed6253709b18ec799624a66b9b8078._comment
rename to doc/todo/Sbuild_and_jessie/comment_2_41ed6253709b18ec799624a66b9b8078._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_3_a4d6fdbed71270d7a4ffbfe98d1aa479._comment b/doc/todo/Sbuild_and_jessie/comment_3_a4d6fdbed71270d7a4ffbfe98d1aa479._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_3_a4d6fdbed71270d7a4ffbfe98d1aa479._comment
rename to doc/todo/Sbuild_and_jessie/comment_3_a4d6fdbed71270d7a4ffbfe98d1aa479._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_4_9e409a59abc81786481207ffbbd7c3ac._comment b/doc/todo/Sbuild_and_jessie/comment_4_9e409a59abc81786481207ffbbd7c3ac._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_4_9e409a59abc81786481207ffbbd7c3ac._comment
rename to doc/todo/Sbuild_and_jessie/comment_4_9e409a59abc81786481207ffbbd7c3ac._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_5_6303943e3425b29b1e4727d809574cda._comment b/doc/todo/Sbuild_and_jessie/comment_5_6303943e3425b29b1e4727d809574cda._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_5_6303943e3425b29b1e4727d809574cda._comment
rename to doc/todo/Sbuild_and_jessie/comment_5_6303943e3425b29b1e4727d809574cda._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_6_a88b331c80f57acdf55ac0c0ce3dce6f._comment b/doc/todo/Sbuild_and_jessie/comment_6_a88b331c80f57acdf55ac0c0ce3dce6f._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_6_a88b331c80f57acdf55ac0c0ce3dce6f._comment
rename to doc/todo/Sbuild_and_jessie/comment_6_a88b331c80f57acdf55ac0c0ce3dce6f._comment
diff --git a/doc/forum/Sbuild_and_jessie/comment_7_38650a2151201eaf6f40d8becbbe8861._comment b/doc/todo/Sbuild_and_jessie/comment_7_38650a2151201eaf6f40d8becbbe8861._comment
similarity index 100%
rename from doc/forum/Sbuild_and_jessie/comment_7_38650a2151201eaf6f40d8becbbe8861._comment
rename to doc/todo/Sbuild_and_jessie/comment_7_38650a2151201eaf6f40d8becbbe8861._comment

submit bug report
diff --git a/doc/todo/partition_properties_should_install_e2fsprogs.mdwn b/doc/todo/partition_properties_should_install_e2fsprogs.mdwn
new file mode 100644
index 00000000..02b9491f
--- /dev/null
+++ b/doc/todo/partition_properties_should_install_e2fsprogs.mdwn
@@ -0,0 +1 @@
+The e2fsprogs package is becoming non-essential in Debian.  Properties that invoke `mkfs.ext*` should start explicitly requiring that the package is installed (probably using `Apt.installed`).  --spwhitton

response
diff --git a/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_3_60154b98f64306e627a417905e2bef73._comment b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_3_60154b98f64306e627a417905e2bef73._comment
new file mode 100644
index 00000000..e24bc461
--- /dev/null
+++ b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_3_60154b98f64306e627a417905e2bef73._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-01-08T22:52:51Z"
+ content="""
+That is what I was suggesting yes.
+
+Another way to do it is using `cmdProperty'`, for example:
+
+	import Utility.Process
+	import Propellor.Property.Cmd
+
+	foo = cmdProperty' "apt-get" ["-y", "install", "gitlab"]
+		(\p -> p { cwd = Just "/tmp" })
+		`assume` MadeChange
+"""]]
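Review bot: In the example, the assume MadeChange suffix makes foo report a change on every successful run, even when apt-get had nothing to install; the comment should say so, so that readers do not copy it where change reporting matters. The working directory is given as /tmp, while the original question also listed /etc; a root-owned directory is a safer place than a world-writable one to run a package installation as root.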

Added a comment: To be sure to understand…
diff --git a/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_2_b9ba322a7770ca537174795792ec0a40._comment b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_2_b9ba322a7770ca537174795792ec0a40._comment
new file mode 100644
index 00000000..aba3618f
--- /dev/null
+++ b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_2_b9ba322a7770ca537174795792ec0a40._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="serge1cohen@4282f0c177ae4ac2f90ceddf63d2281e1f739cb1"
+ nickname="serge1cohen"
+ avatar="http://cdn.libravatar.org/avatar/c86bcca74216ed367c91a99ff27259f0"
+ subject="To be sure to understand…"
+ date="2018-01-08T20:49:28Z"
+ content="""
+Hi again,
+
+Thanks for the swift answer. As I am not (yet ?-) an expert of either Haskell or Propellor I'd prefer to be sure before going further.
+Your proposal is to somehow «copy» the machinery of Apt.installed and Apt.reConfigure but using this time «createProcess with {cwd = whatever}». And I should find useful examples/snippets to implement this in the Property.DnsSec.forceZoneSigned sources.
+
+If I manage that I'll definitely propose a contribution on it :-)
+
+By the way, thanks for the complete system. As often elegance comes with a great quality of use !
+
+Serge.
+"""]]

response
diff --git a/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_1_00e636c4ec122361213f0e1062569704._comment b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_1_00e636c4ec122361213f0e1062569704._comment
new file mode 100644
index 00000000..b898b822
--- /dev/null
+++ b/doc/forum/Executing_a_property_within_a_explicit_CWD/comment_1_00e636c4ec122361213f0e1062569704._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-01-08T18:33:06Z"
+ content="""
+Since propellor can run multiple properties at the same time
+(Propellor.Property.Concurrent), setting the CWD while running a property
+is probably not a good idea, as it would affect any other property that's
+currently running. Might be possible to fork and set CWD, 
+but haskell is not great at supporting fork w/o exec.
+
+Instead, the best way to do it is to use `createProcess` with
+`{cwd = whatever}` when your property runs apt and dpkg-reconfigure.
+See Property.DnsSec.forceZoneSigned for an example.
+"""]]

diff --git a/doc/forum/Executing_a_property_within_a_explicit_CWD.mdwn b/doc/forum/Executing_a_property_within_a_explicit_CWD.mdwn
new file mode 100644
index 00000000..e1b6ae7b
--- /dev/null
+++ b/doc/forum/Executing_a_property_within_a_explicit_CWD.mdwn
@@ -0,0 +1,11 @@
+I am trying to create a Property to install (and configure) gitlab through Propellor.
+To perform the installation and configuration I am using Apt.installed and Apt.reConfigure. When ever Propellor has to go though configuration of the package it «fails» (cf. bug report on gitlab package : 
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886657
+
+Awaiting a resolution of the bug itself, a workaround would be to perform the apt-get install or dpkg-reconfigure from a «world-readable» directory (such as /tmp or /etc or ...). Currently these properties are executed with CWD eing the propellor repository.
+
+I have looked for, but not found yet, a way to perform the work of this property within a specific directory.
+
+Thanks in advance for any help or pointers,
+
+Serge.

Added a comment: central git repository git.joeyh.name
diff --git a/doc/forum/secret-project_deliverable/comment_14_4b6959a061c468f3498005fce19019d0._comment b/doc/forum/secret-project_deliverable/comment_14_4b6959a061c468f3498005fce19019d0._comment
new file mode 100644
index 00000000..70e222fc
--- /dev/null
+++ b/doc/forum/secret-project_deliverable/comment_14_4b6959a061c468f3498005fce19019d0._comment
@@ -0,0 +1,82 @@
+[[!comment format=mdwn
+ username="stappers@eb96885816da287c29f6f699999434d532149234"
+ nickname="stappers"
+ avatar="http://cdn.libravatar.org/avatar/bf33450acf6fc2a17a8b4e6fc7749c65"
+ subject="central git repository git.joeyh.name"
+ date="2018-01-07T22:10:40Z"
+ content="""
+I got my copy of `secret-project` by
+
+	git clone https://git.joeyh.name/git/secret-project.git
+
+During build it tries to contact git.joeyh.name
+
+	$ propellor
+	Pull from central git repository ... done
+	Copying from /home/stappers/src/secret-project/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /home/stappers/src/secret-project/.built/propellor-config
+	
+	Copied executables to /home/stappers/src/secret-project/.built:
+	- propellor-config
+	
+	Warning: Installation path /home/stappers/src/secret-project/.built
+	         not found on the PATH environment variable.
+	Propellor build ... done
+	[master 7d7bc07] propellor spin
+	Git commit ... done
+	error: Cannot access URL https://git.joeyh.name/git/secret-project.git/, return code 22
+	fatal: git-http-push failed
+	error: failed to push some refs to 'https://git.joeyh.name/git/secret-Push to central git repository ... failed
+	project.git'
+	Stop listening request sent.
+	Pull from central git repository ... done
+	Sending privdata (11 bytes) to paddy.gpm.stappers.nl ... done
+	remote: Counting objects: 1, done.        
+	remote: Total 1 (delta 0), reused 0 (delta 0)        
+	Sending git update to paddy.gpm.stappers.nl ... done
+	From .
+	 * branch            HEAD       -> FETCH_HEAD
+	Pull from central git repository ... done
+	Copying from /usr/local/propellor/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /usr/local/propellor/.built/propellor-config
+	
+	Copied executables to /usr/local/propellor/.built:
+	- propellor-config
+	
+	Warning: Installation path /usr/local/propellor/.built not found on the PATH environment variable.
+	Propellor build ... done
+	Pull from central git repository ... done
+	paddy.gpm.stappers.nl has propellor bootstrapped with stack ... ok
+	paddy.gpm.stappers.nl has Operating System (Debian Linux Unstable) X86_64 ... ok
+	debian.local no services started ... ok
+	debian.local has Operating System (Debian Linux Unstable) X86_64 ... ok
+	debian.local sane hostname ... ok
+	debian.local standard sources.list ... ok
+	debian.local apt installed linux-image-amd64 ... ok
+	debian.local grub package installed ... ok
+	debian.local XFCE desktop installed ... ok
+	debian.local apt installed firefox ... ok
+	debian.local en_US.UTF-8 locale selected ... ok
+	fatal: unable to access 'https://git.joeyh.name/git/secret-project.git/': Could not resolve host: git.joeyh.name
+	debian.local has propellor bootstrapped with stack ... ok
+	debian.local Propellor bootstrapped ... failed
+	debian.local user installer in group audio ... ok
+	debian.local user installer in group cdrom ... ok
+	debian.local user installer in group dip ... ok
+	debian.local user installer in group floppy ... ok
+	debian.local user installer in group video ... ok
+	debian.local user installer in group plugdev ... ok
+	debian.local user installer in group netdev ... ok
+	debian.local user installer in group scanner ... ok
+	debian.local user installer in group lpadmin ... ok
+	debian.local has desktop user installer and not has desktop user user ... done
+	debian.local autostart installer UI ... ok
+	debian.local apt installed rsync ... ok
+	debian.local cache cleaned ... ok
+	paddy.gpm.stappers.nl built disk image /srv/installer.vmdk ... failed
+	paddy.gpm.stappers.nl overall ... failed
+	Shared connection to paddy.gpm.stappers.nl closed.
+	propellor: remote propellor failed
+	$ 
+
+How to avoid connecting to git.joeyh.name during build?
+
+"""]]
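Review bot: The pasted spin output runs to roughly seventy lines, and the lines that bear on the question are the failed push (return code 22) and the later "Could not resolve host: git.joeyh.name" during the debian.local bootstrap; trimming the log to those lines and their neighbours would make the question easier to answer. The full output also includes the privdata transfer line, local paths and host names, which are worth reviewing before a complete log is posted publicly.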

removed
diff --git a/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment b/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment
deleted file mode 100644
index 75cb4292..00000000
--- a/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment
+++ /dev/null
@@ -1,77 +0,0 @@
-[[!comment format=mdwn
- username="stappers@eb96885816da287c29f6f699999434d532149234"
- nickname="stappers"
- avatar="http://cdn.libravatar.org/avatar/bf33450acf6fc2a17a8b4e6fc7749c65"
- subject="central git repository git.joeyh.name"
- date="2018-01-07T22:05:10Z"
- content="""
-I got my copy of `secret-project` by
-
-
-	$ propellor
-	Pull from central git repository ... done
-	Copying from /home/stappers/src/secret-project/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /home/stappers/src/secret-project/.built/propellor-config
-	
-	Copied executables to /home/stappers/src/secret-project/.built:
-	- propellor-config
-	
-	Warning: Installation path /home/stappers/src/secret-project/.built
-	         not found on the PATH environment variable.
-	Propellor build ... done
-	[master 7d7bc07] propellor spin
-	Git commit ... done
-	error: Cannot access URL https://git.joeyh.name/git/secret-project.git/, return code 22
-	fatal: git-http-push failed
-	error: failed to push some refs to 'https://git.joeyh.name/git/secret-Push to central git repository ... failed
-	project.git'
-	Stop listening request sent.
-	Pull from central git repository ... done
-	Sending privdata (11 bytes) to paddy.gpm.stappers.nl ... done
-	remote: Counting objects: 1, done.        
-	remote: Total 1 (delta 0), reused 0 (delta 0)        
-	Sending git update to paddy.gpm.stappers.nl ... done
-	From .
-	 * branch            HEAD       -> FETCH_HEAD
-	Pull from central git repository ... done
-	Copying from /usr/local/propellor/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /usr/local/propellor/.built/propellor-config
-	
-	Copied executables to /usr/local/propellor/.built:
-	- propellor-config
-	
-	Warning: Installation path /usr/local/propellor/.built not found on the PATH environment variable.
-	Propellor build ... done
-	Pull from central git repository ... done
-	paddy.gpm.stappers.nl has propellor bootstrapped with stack ... ok
-	paddy.gpm.stappers.nl has Operating System (Debian Linux Unstable) X86_64 ... ok
-	debian.local no services started ... ok
-	debian.local has Operating System (Debian Linux Unstable) X86_64 ... ok
-	debian.local sane hostname ... ok
-	debian.local standard sources.list ... ok
-	debian.local apt installed linux-image-amd64 ... ok
-	debian.local grub package installed ... ok
-	debian.local XFCE desktop installed ... ok
-	debian.local apt installed firefox ... ok
-	debian.local en_US.UTF-8 locale selected ... ok
-	fatal: unable to access 'https://git.joeyh.name/git/secret-project.git/': Could not resolve host: git.joeyh.name
-	debian.local has propellor bootstrapped with stack ... ok
-	debian.local Propellor bootstrapped ... failed
-	debian.local user installer in group audio ... ok
-	debian.local user installer in group cdrom ... ok
-	debian.local user installer in group dip ... ok
-	debian.local user installer in group floppy ... ok
-	debian.local user installer in group video ... ok
-	debian.local user installer in group plugdev ... ok
-	debian.local user installer in group netdev ... ok
-	debian.local user installer in group scanner ... ok
-	debian.local user installer in group lpadmin ... ok
-	debian.local has desktop user installer and not has desktop user user ... done
-	debian.local autostart installer UI ... ok
-	debian.local apt installed rsync ... ok
-	debian.local cache cleaned ... ok
-	paddy.gpm.stappers.nl built disk image /srv/installer.vmdk ... failed
-	paddy.gpm.stappers.nl overall ... failed
-	Shared connection to paddy.gpm.stappers.nl closed.
-	propellor: remote propellor failed
-	$ 
-
-"""]]

Added a comment: central git repository git.joeyh.name
diff --git a/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment b/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment
new file mode 100644
index 00000000..75cb4292
--- /dev/null
+++ b/doc/forum/secret-project_deliverable/comment_14_7296343b6f1d2906127ed138c64f82c6._comment
@@ -0,0 +1,77 @@
+[[!comment format=mdwn
+ username="stappers@eb96885816da287c29f6f699999434d532149234"
+ nickname="stappers"
+ avatar="http://cdn.libravatar.org/avatar/bf33450acf6fc2a17a8b4e6fc7749c65"
+ subject="central git repository git.joeyh.name"
+ date="2018-01-07T22:05:10Z"
+ content="""
+I got my copy of `secret-project` by
+
+
+	$ propellor
+	Pull from central git repository ... done
+	Copying from /home/stappers/src/secret-project/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /home/stappers/src/secret-project/.built/propellor-config
+	
+	Copied executables to /home/stappers/src/secret-project/.built:
+	- propellor-config
+	
+	Warning: Installation path /home/stappers/src/secret-project/.built
+	         not found on the PATH environment variable.
+	Propellor build ... done
+	[master 7d7bc07] propellor spin
+	Git commit ... done
+	error: Cannot access URL https://git.joeyh.name/git/secret-project.git/, return code 22
+	fatal: git-http-push failed
+	error: failed to push some refs to 'https://git.joeyh.name/git/secret-Push to central git repository ... failed
+	project.git'
+	Stop listening request sent.
+	Pull from central git repository ... done
+	Sending privdata (11 bytes) to paddy.gpm.stappers.nl ... done
+	remote: Counting objects: 1, done.        
+	remote: Total 1 (delta 0), reused 0 (delta 0)        
+	Sending git update to paddy.gpm.stappers.nl ... done
+	From .
+	 * branch            HEAD       -> FETCH_HEAD
+	Pull from central git repository ... done
+	Copying from /usr/local/propellor/.stack-work/install/x86_64-linux-nopie/lts-8.12/8.0.2/bin/propellor-config to /usr/local/propellor/.built/propellor-config
+	
+	Copied executables to /usr/local/propellor/.built:
+	- propellor-config
+	
+	Warning: Installation path /usr/local/propellor/.built not found on the PATH environment variable.
+	Propellor build ... done
+	Pull from central git repository ... done
+	paddy.gpm.stappers.nl has propellor bootstrapped with stack ... ok
+	paddy.gpm.stappers.nl has Operating System (Debian Linux Unstable) X86_64 ... ok
+	debian.local no services started ... ok
+	debian.local has Operating System (Debian Linux Unstable) X86_64 ... ok
+	debian.local sane hostname ... ok
+	debian.local standard sources.list ... ok
+	debian.local apt installed linux-image-amd64 ... ok
+	debian.local grub package installed ... ok
+	debian.local XFCE desktop installed ... ok
+	debian.local apt installed firefox ... ok
+	debian.local en_US.UTF-8 locale selected ... ok
+	fatal: unable to access 'https://git.joeyh.name/git/secret-project.git/': Could not resolve host: git.joeyh.name
+	debian.local has propellor bootstrapped with stack ... ok
+	debian.local Propellor bootstrapped ... failed
+	debian.local user installer in group audio ... ok
+	debian.local user installer in group cdrom ... ok
+	debian.local user installer in group dip ... ok
+	debian.local user installer in group floppy ... ok
+	debian.local user installer in group video ... ok
+	debian.local user installer in group plugdev ... ok
+	debian.local user installer in group netdev ... ok
+	debian.local user installer in group scanner ... ok
+	debian.local user installer in group lpadmin ... ok
+	debian.local has desktop user installer and not has desktop user user ... done
+	debian.local autostart installer UI ... ok
+	debian.local apt installed rsync ... ok
+	debian.local cache cleaned ... ok
+	paddy.gpm.stappers.nl built disk image /srv/installer.vmdk ... failed
+	paddy.gpm.stappers.nl overall ... failed
+	Shared connection to paddy.gpm.stappers.nl closed.
+	propellor: remote propellor failed
+	$ 
+
+"""]]
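Review bot: the comment body ends at the transcript without stating a question, so readers have to guess what is being asked. The transcript also contains two separate git failures that should be distinguished in the text: the push from the local checkout to https://git.joeyh.name/git/secret-project.git/ (return code 22), and the later "Could not resolve host: git.joeyh.name" just before "debian.local Propellor bootstrapped ... failed". Saying which of the two is the concern, and whether pushing to that URL was intended at all, would make the report actionable.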

PTUUID
diff --git a/doc/todo/removable_drive_partitioning_and_install.mdwn b/doc/todo/removable_drive_partitioning_and_install.mdwn
index ac270109..e88673c3 100644
--- a/doc/todo/removable_drive_partitioning_and_install.mdwn
+++ b/doc/todo/removable_drive_partitioning_and_install.mdwn
@@ -25,12 +25,29 @@ Open design questions:
 
   Question: When using microsd card adapter, does the serial number pass
   through so different microsds can be distinguished?
+
   > Checked this, and two microsd card adapters from different
   > manufacturers with different microsd cards have the same by-id.
   > Those must have no serial number..
   > 
   > Also, a USB SD/microSD reader had the same by-id for multiple cards.
 
+  > > For disks with a MBR, there's a disk identifier / volume id, 
+  > > which should uniquely identify that disk,
+  > > as long as propellor does not overwrite the MBR when imaging it.
+  > > And, GPT has a similar disk GUID.
+  > >
+  > > /dev/disk/by-partuuid exposes this. Some documentation suggests
+  > > it's GPT-only, but my laptop is not GPT and its MBR disk identifier
+  > > shows up there. Oddly, that points to /dev/sda1 and not /dev/sda.
+  > >
+  > > blkid can also display it, as the PTUUID, which works for
+  > > both GPT and MBT.
+  > > --[[Joey]]
+
+	root@darkstar:/home/joey>blkid /dev/sda
+	/dev/sda: PTUUID="d0497bc6" PTTYPE="dos"
+
 * Should an already imaged drive be updated incrementally or re-imaged?
   Seems both cases would be useful, the former especially for incrementally
   configuring it, the latter to bring it up from a clean state.
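Review bot: "MBT" in the added blkid paragraph should read "MBR". On the by-partuuid observation: entries under /dev/disk/by-partuuid identify partitions, and on an MBR disk each one is built from the disk identifier plus the partition number, which is why the link resolves to /dev/sda1 rather than /dev/sda. The PTUUID reported by blkid is therefore the value to key on for the whole disk. The blkid sample also sits after the signature and outside the "> >" quoted block, so it is not obviously part of the reply; moving it above the signature, inside the quote, would keep the attribution clear.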

update
diff --git a/doc/todo/removable_drive_partitioning_and_install.mdwn b/doc/todo/removable_drive_partitioning_and_install.mdwn
index 891c3b92..ac270109 100644
--- a/doc/todo/removable_drive_partitioning_and_install.mdwn
+++ b/doc/todo/removable_drive_partitioning_and_install.mdwn
@@ -28,6 +28,8 @@ Open design questions:
   > Checked this, and two microsd card adapters from different
   > manufacturers with different microsd cards have the same by-id.
   > Those must have no serial number..
+  > 
+  > Also, a USB SD/microSD reader had the same by-id for multiple cards.
 
 * Should an already imaged drive be updated incrementally or re-imaged?
   Seems both cases would be useful, the former especially for incrementally

changes to allow GPT BIOS boot partitions
* Parted: Allow partitions to have no filesystem, for eg, GPT BIOS boot
partitions. (API change)
* Added rawPartition to PartSpec, for specifying partitions with no
filesystem.
* Added BiosGrubFlag to PartFlag.
Note that man parted does not list the "bios_boot" flag, but I found it in
its html documentation. Other flags may also be missing.
This commit was sponsored by Boyd Stephen Smith Jr. on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 8923b94a..4545bcd1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,13 @@
-propellor (5.2.1) UNRELEASED; urgency=medium
+propellor (5.3.0) UNRELEASED; urgency=medium
 
   * Avoid bogus warning about new upstream version when /usr/bin/propellor
     is run on a Debian system, but ~/.propellor was not cloned from the
     Debian git bundle.
+  * Parted: Allow partitions to have no filesystem, for eg, GPT BIOS boot
+    partitions. (API change)
+  * Added rawPartition to PartSpec, for specifying partitions with no
+    filesystem.
+  * Added BiosGrubFlag to PartFlag.
 
  -- Joey Hess <id@joeyh.name>  Tue, 02 Jan 2018 13:06:45 -0400
 
diff --git a/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_18_adea3a8a65cf954a5244bbb47a1636e4._comment b/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_18_adea3a8a65cf954a5244bbb47a1636e4._comment
new file mode 100644
index 00000000..8a9a380e
--- /dev/null
+++ b/doc/forum/imageBuiltFor_mount_points_not_automatically_created/comment_18_adea3a8a65cf954a5244bbb47a1636e4._comment
@@ -0,0 +1,26 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 18"""
+ date="2018-01-06T17:51:05Z"
+ content="""
+I don't know much about GPT boot stuff. I found mention of a BIOS boot
+partition for GPT here:
+
+<https://help.ubuntu.com/community/DiskSpace>
+
+So, 1 mb partition with no filesystem and a "bios_grub" flag.
+
+Propellor's partitioning DSL will need to be extended in order to
+support that. Currently, `Partition` has a `Fs` that is one of the common
+filesystems or swap. Now we need no filesystem, so either add a NoFs to Fs,
+or change it to use `Maybe Fs`. I chose the latter, because with NoFs,
+Partition.formatted would be a no-op, which would be kinda surprising.
+
+I've made a commit adding all the stuff you should need, but I have not
+tested making a BIOS boot partition with it. Should look
+something like this:
+
+	& hasPartition (rawPartition (MegaBytes 1) `setFlag` BiosGrubFlag)
+
+If you get it working, it would be good to add an example to propellor's docs.
+"""]]
diff --git a/src/Propellor/Property/DiskImage.hs b/src/Propellor/Property/DiskImage.hs
index 24459476..289de151 100644
--- a/src/Propellor/Property/DiskImage.hs
+++ b/src/Propellor/Property/DiskImage.hs
@@ -420,7 +420,7 @@ imageFinalized final img mnts mntopts devs (PartTable _ _ parts) =
 	orderedmntsdevs = sortBy (compare `on` fst) $ zip mnts (zip mntopts devs)
 
 	swaps = map (SwapPartition . partitionLoopDev . snd) $
-		filter ((== LinuxSwap) . partFs . fst) $
+		filter ((== Just LinuxSwap) . partFs . fst) $
 			zip parts devs
 
 	mountall top = forM_ orderedmntsdevs $ \(mp, (mopts, loopdev)) -> case mp of
diff --git a/src/Propellor/Property/DiskImage/PartSpec.hs b/src/Propellor/Property/DiskImage/PartSpec.hs
index 942cfa3e..b78e4280 100644
--- a/src/Propellor/Property/DiskImage/PartSpec.hs
+++ b/src/Propellor/Property/DiskImage/PartSpec.hs
@@ -9,6 +9,7 @@ module Propellor.Property.DiskImage.PartSpec (
 	partition,
 	-- * PartSpec combinators
 	swapPartition,
+	rawPartition,
 	mountedAt,
 	addFreeSpace,
 	setSize,
@@ -48,11 +49,15 @@ import Data.Ord
 -- The partition is not mounted anywhere by default; use the combinators
 -- below to configure it.
 partition :: Monoid t => Fs -> PartSpec t
-partition fs = (Nothing, mempty, mkPartition fs, mempty)
+partition fs = (Nothing, mempty, mkPartition (Just fs), mempty)
 
 -- | Specifies a swap partition of a given size.
 swapPartition :: Monoid t => PartSize -> PartSpec t
-swapPartition sz = (Nothing, mempty, const (mkPartition LinuxSwap sz), mempty)
+swapPartition sz = (Nothing, mempty, const (mkPartition (Just LinuxSwap) sz), mempty)
+
+-- | Specifies a partition without any filesystem, of a given size.
+rawPartition :: Monoid t => PartSize -> PartSpec t
+rawPartition sz = (Nothing, mempty, const (mkPartition Nothing sz), mempty)
 
 -- | Specifies where to mount a partition.
 mountedAt :: PartSpec t -> MountPoint -> PartSpec t
diff --git a/src/Propellor/Property/Installer/Target.hs b/src/Propellor/Property/Installer/Target.hs
index 62ec4082..80e660ad 100644
--- a/src/Propellor/Property/Installer/Target.hs
+++ b/src/Propellor/Property/Installer/Target.hs
@@ -246,10 +246,10 @@ fstabLists userinput (TargetPartTable _ partspecs) = setup <!> doNothing
 	
 	partitions = map (\(mp, _, mkpart, _) -> (mp, mkpart mempty)) partspecs
 	mnts = mapMaybe fst $
-		filter (\(_, p) -> partFs p /= LinuxSwap) partitions
+		filter (\(_, p) -> partFs p /= Just LinuxSwap && partFs p /= Nothing) partitions
 	swaps targetdev = 
 		map (Fstab.SwapPartition . diskPartition targetdev . snd) $
-			filter (\((_, p), _) -> partFs p == LinuxSwap)
+			filter (\((_, p), _) -> partFs p == Just LinuxSwap)
 				(zip partitions partNums)
 
 -- | Make the target bootable using whatever bootloader is installed on it.
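Review bot: in the mnts filter, a raw partition that was given a mount point is now dropped without any warning, because `partFs p /= Nothing` removes it before `mapMaybe fst` runs. If that combination is never valid, consider rejecting it where the PartSpec is built, or say so in the rawPartition documentation. The two comparisons can also be collapsed into a single pattern match on partFs p, which reads more clearly than chaining /= against Just LinuxSwap and Nothing.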
diff --git a/src/Propellor/Property/Parted.hs b/src/Propellor/Property/Parted.hs
index 97cf815e..81b84972 100644
--- a/src/Propellor/Property/Parted.hs
+++ b/src/Propellor/Property/Parted.hs
@@ -62,8 +62,10 @@ partitioned eep disk parttable@(PartTable _ _ parts) = property' desc $ \w -> do
   where
 	desc = disk ++ " partitioned"
 	formatl devs = combineProperties desc (toProps $ map format (zip parts devs))
-	format (p, dev) = Partition.formatted' (partMkFsOpts p)
-		Partition.YesReallyFormatPartition (partFs p) dev
+	format (p, dev) = case partFs p of
+		Just fs -> Partition.formatted' (partMkFsOpts p)
+			Partition.YesReallyFormatPartition fs dev
+		Nothing -> doNothing
 
 -- | Gets the total size of the disk specified by the partition table.
 partTableSize :: PartTable -> ByteSize
@@ -81,12 +83,12 @@ calcPartedParamsSize (PartTable tabletype alignment parts) =
 		, pval f
 		, pval b
 		]
-	mkpart partnum startpos endpos p =
-		[ "mkpart"
-		, pval (partType p)
-		, pval (partFs p)
-		, partposexact startpos
-		, partposfuzzy endpos
+	mkpart partnum startpos endpos p = catMaybes
+		[ Just "mkpart"
+		, Just $ pval (partType p)
+		, fmap pval (partFs p)
+		, Just $ partposexact startpos
+		, Just $ partposfuzzy endpos
 		] ++ case partName p of
 			Just n -> ["name", show partnum, n]
 			Nothing -> []
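Review bot: catMaybes is introduced in mkpart but this diff adds no import to Parted.hs, so check that Data.Maybe is already in scope there. Also, when partFs p is Nothing the generated mkpart command has one argument fewer, and the forum comment in this same change says the BIOS boot partition case has not been tested. A check of the parameter list produced for a rawPartition would catch a wrong argument order before it reaches a real disk.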
diff --git a/src/Propellor/Property/Parted/Types.hs b/src/Propellor/Property/Parted/Types.hs
index e5c62739..cfd8760d 100644
--- a/src/Propellor/Property/Parted/Types.hs
+++ b/src/Propellor/Property/Parted/Types.hs
@@ -31,7 +31,7 @@ instance Monoid PartTable where
 data Partition = Partition
 	{ partType :: PartType
 	, partSize :: PartSize
-	, partFs :: Partition.Fs
+	, partFs :: Maybe Partition.Fs
 	, partMkFsOpts :: Partition.MkfsOpts
 	, partFlags :: [(PartFlag, Bool)] -- ^ flags can be set or unset (parted may set some flags by default)
 	, partName :: Maybe String -- ^ optional name for partition (only works for GPT, PC98, MAC)
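Review bot: partFs changes to Maybe Partition.Fs without a field comment, while partFlags and partName beside it are documented. Since this is flagged as an API change, add a `-- ^` note stating that Nothing means the partition is created but not formatted, so callers updating their pattern matches know what the new case implies.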
@@ -39,7 +39,7 @@ data Partition = Partition
 	deriving (Show)
 
 -- | Makes a Partition with defaults for non-important values.
-mkPartition :: Partition.Fs -> PartSize -> Partition
+mkPartition :: Maybe Partition.Fs -> PartSize -> Partition
 mkPartition fs sz = Partition
 	{ partType = Primary
 	, partSize = sz
@@ -105,7 +105,7 @@ fromAlignment :: Alignment -> ByteSize
 fromAlignment (Alignment n) = n
 
 -- | Flags that can be set on a partition.
-data PartFlag = BootFlag | RootFlag | SwapFlag | HiddenFlag | RaidFlag | LvmFlag | LbaFlag | LegacyBootFlag | IrstFlag | EspFlag | PaloFlag
+data PartFlag = BootFlag | RootFlag | SwapFlag | HiddenFlag | RaidFlag | LvmFlag | LbaFlag | LegacyBootFlag | IrstFlag | EspFlag | PaloFlag | BiosGrubFlag
 	deriving (Show)
 
 instance PartedVal PartFlag where
@@ -120,6 +120,7 @@ instance PartedVal PartFlag where
 	pval IrstFlag = "irst"
 	pval EspFlag = "esp"
 	pval PaloFlag = "palo"
+	pval BiosGrubFlag = "bios_grub"
 
 instance PartedVal Bool where
 	pval True = "on"
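Review bot: the flag string added here is "bios_grub", but the commit message says man parted does not list the "bios_boot" flag. The forum comment in the same change also uses "bios_grub", so the commit message wording looks like a slip. A follow-up note with the correct name would keep readers from searching the parted documentation for a flag that this code does not emit.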