Recent changes to this wiki:

update
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c442c977..9c5ee1aa 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -58,6 +58,10 @@ Waiting on concurrent-output reaching Debian stable.
 > > > >
 > > > > So, propellor will embed the old concurrent-output until
 > > > > process-1.6 is in debian oldstable, and then revert
-> > > > [[!commit ]] and version propellor's dep on process,
+> > > > [[!commit 9c08fa24f2e2bf07413b151656c373d873de7298]] and version propellor's dep on process,
 > > > > and then, finally, once concurrent-output 1.10.12 is in oldstable
 > > > > propellor can stop embedding it. --[[Joey]]
+> > > > 
+> > > > > process-1.6 is in ghc-8.2.2, and oldstable (buster) has 8.4.4, so
+> > > > > the above reversion can be done now, as long as it's ok to break
+> > > > > support for oldoldstable (stretch). --[[Joey]]

close
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
index b3a3cd90..3cca98a8 100644
--- a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
@@ -27,3 +27,5 @@ It looks like ghc in Debian unstable is defaulting to new style cabal builds whi
 I think the simplest fix is to replace `cabal build` with `cabal v1-build` in `Propellor.Bootstrap.buildCommand`?
 
 --spwhitton
+
+> [[done]] --[[Joey]]
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment
new file mode 100644
index 00000000..acc47e50
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_2_af71e9431b4f980c3d4adc4dbab3ea8e._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2021-10-21T02:25:10Z"
+ content="""
+Finally tested this, it works.
+"""]]

add news item for propellor 5.13
diff --git a/doc/news/version_5.13.mdwn b/doc/news/version_5.13.mdwn
new file mode 100644
index 00000000..7619e70f
--- /dev/null
+++ b/doc/news/version_5.13.mdwn
@@ -0,0 +1,11 @@
+propellor 5.13 released with [[!toggle text="these changes"]]
+[[!toggleable text="""  * Network: Added support for network interfaces with several address
+    stanzas, eg ipv4 and ipv6.
+    Thanks, Nicolas Schodet
+  * Sudo.enabledFor: Deal with new @includedir syntax in sudoers file.
+  * Apt.securityUpdates: Stop generating testing-security lines, as
+    testing-security is unused per debian documentation.
+  * Utility.HumanNumber: Fix rounding bug that could result in
+    sometimes quite wrong values, eg "1.1 GB" when the input value was a
+    few bytes less than 2 GB. Properties in Ccache and Journald that
+    used it to generate config files were affected by this bug."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.9.1.mdwn b/doc/news/version_5.9.1.mdwn
deleted file mode 100644
index dd7bcd5e..00000000
--- a/doc/news/version_5.9.1.mdwn
+++ /dev/null
@@ -1,11 +0,0 @@
-propellor 5.9.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Apt: Debian has changed the name of the suite for testing security updates
-     from testing to testing-security.
-   * Apt: Also the suite for stable releases from bullseye on will be
-     suffixed with "-security".
-   * Apt.update: Pass --allow-releaseinfo-change when updating Unstable
-     or Testing, so that code name changes that happen in those suites
-     during a stable release don't prevent updating the rolling suites.
-   * Systemd.machined: Fix a bug that caused the systemd-container package
-     to not be installed when used with Debian buster."""]]
\ No newline at end of file

diff --git a/doc/forum/Problem_with_boolSystem_and_download.mdwn b/doc/forum/Problem_with_boolSystem_and_download.mdwn
new file mode 100644
index 00000000..b261e045
--- /dev/null
+++ b/doc/forum/Problem_with_boolSystem_and_download.mdwn
@@ -0,0 +1,20 @@
+Hello,
+
+To settup a control system for a RAID interface, I have to install a binary from downloading on internet.
+I am using the function downlaod that I copied over from deboostrap (src/Propellor/Property/Debootstrap.hs):
+
+    download :: Url -> FilePath -> IO Bool
+    download url dest = anyM id
+                    [ boolSystem "curl" [Param "-o", File dest, Param url]
+                    , boolSystem "wget" [Param "-O", File dest, Param url]
+                    ]
+
+As I read it, it should try to download using first `curl`, then `wget`. On this system, `curl` is not installed (but `wget` is). When the property is run I get the following warning :
+
+    ** warning: curl: createProcess: runInteractiveProcess: exec: does not exist (No such file or directory)
+
+Clearly indicating that it does not manage to download using `curl (expected), but then, instead of trying with `wget` it fails with message :
+
+    download ... ... failed
+
+I understand that the `anyM` is interupted before running the second element of the command list. I suspexct that `boolSystem` is not returning `false` when `curl` does not exist, but rather throwing some kind of exception (interupting the anyM tentatives).

Network: Added support for network interfaces with several address stanzas, eg ipv4 and ipv6. Thanks, Nicolas Schodet
diff --git a/debian/changelog b/debian/changelog
index 7579f0d7..84e010b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.13) UNRELEASED; urgency=medium
+
+  * Network: Added support for network interfaces with several address
+    stanzas, eg ipv4 and ipv6.
+    Thanks, Nicolas Schodet
+
+ -- Joey Hess <id@joeyh.name>  Sat, 02 Jan 2021 11:39:47 -0400
+
 propellor (5.12) unstable; urgency=medium
 
   * Worked around a situation where ghc uses insane amounts of memory
diff --git a/doc/todo/Support_for_several_interfaces_stanzas.mdwn b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
index 1d425064..0dba7f5d 100644
--- a/doc/todo/Support_for_several_interfaces_stanzas.mdwn
+++ b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
@@ -9,3 +9,5 @@ should contains something like this:
 
 I made a patch for Network to allow this, please pull the network-stanzas branch at
 http://git.ni.fr.eu.org/nicolas/propellor.git.
+
+> Great, I've applied this. [[done]] --[[Joey]]

diff --git a/doc/todo/Support_for_several_interfaces_stanzas.mdwn b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
new file mode 100644
index 00000000..1d425064
--- /dev/null
+++ b/doc/todo/Support_for_several_interfaces_stanzas.mdwn
@@ -0,0 +1,11 @@
+When configuring both IPv4 and IPv6 for an interface, the interfaces files
+should contains something like this:
+
+    auto eth0
+    iface eth0 inet static
+        address 192.168.1.1
+    iface eth0 inet6 static
+        address fdb2:c09e:ee01:1:1
+
+I made a patch for Network to allow this, please pull the network-stanzas branch at
+http://git.ni.fr.eu.org/nicolas/propellor.git.

Added a comment
diff --git a/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment b/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment
new file mode 100644
index 00000000..bb400cf9
--- /dev/null
+++ b/doc/forum/Error_trying_to_remove_a_key/comment_1_8afc2bb09299381c119635e07d76d4e4._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 1"
+ date="2020-12-19T21:46:21Z"
+ content="""
+Workaround: move the secret key elsewhere, then remove the key from the propellor keyring.
+
+I tried with `--disable-dirmngr` with no success.
+"""]]

diff --git a/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn b/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn
new file mode 100644
index 00000000..5e95898d
--- /dev/null
+++ b/doc/forum/propellor:_--init_offers_to_use_revoked_GPG_key.mdwn
@@ -0,0 +1,30 @@
+Hi,
+
+Using the Debian stable package (which downloaded and built the most recent version), `propellor --init` offered to use an expired GPG key. Details are below.
+
+Thanks for another great piece of software, and thanks for using Haskell!
+
+Kind regards,
+Felix Lechner
+
+* * *
+
+    Propellor build ... done
+    
+    Great! Propellor is bootstrapped.
+    
+    ------------------------------------------------------------------------------
+    
+    Propellor can use gpg to encrypt private data about the systems it manages,
+    and to sign git commits.
+    
+    I see you have several gpg keys:
+    ...
+       5   Felix Lechner <felix.lechner@gmail.com>  (keyid 6C0CC7F6ED41E279)
+    Which of your gpg keys should propellor use? [1|2|3|4|5] 
+
+but also (please note the `revoked` indicators)
+
+    sec   dsa1024/0x6C0CC7F6ED41E279 2005-12-07 [SCA] [revoked: 2009-08-24]
+          Key fingerprint = FF3A 9F1A EF4D 24A0 56A8  1026 6C0C C7F6 ED41 E279
+    uid                   [ revoked] Felix Lechner <felix.lechner@gmail.com>

add news item for propellor 5.12
diff --git a/doc/news/version_5.12.mdwn b/doc/news/version_5.12.mdwn
new file mode 100644
index 00000000..3d664ec1
--- /dev/null
+++ b/doc/news/version_5.12.mdwn
@@ -0,0 +1,14 @@
+propellor 5.12 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Worked around a situation where ghc uses insane amounts of memory
+     displaying an error message about a property of a host having the
+     wrong number of arguments.
+   * Added libghc-type-errors-dev to debian/control recommends, and
+     install it if available when bootstrapping propellor.
+   * Borg: add UseUmask to BorgRepoOpt.
+     Thanks, Nicolas Schodet
+   * Borg: use "{now}" instead of $(date ...)
+     Thanks, Nicolas Schodet
+   * Makefile: Deal with cabal change that made sdist
+     not output tarball to stdout.
+     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.9.0.mdwn b/doc/news/version_5.9.0.mdwn
deleted file mode 100644
index 160b1187..00000000
--- a/doc/news/version_5.9.0.mdwn
+++ /dev/null
@@ -1,26 +0,0 @@
-propellor 5.9.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Added custom type error messages when Properties don't combine due to
-     conflicting MetaTypes.
-   * Added custom type error messages for ensureProperty and tightenTargets.
-   * Note that those changes made ghc 8.0.1 in a few cases unable to infer
-     types when ensureProperty or tightenTargets is used, while later ghc
-     versions had no difficulty. If this affects building your properties,
-     adding a type annotation to the code will work around the problem.
-   * Added custom type error messages displayed when type inference
-     fails when using ensureProperty and tightenTargets, that suggest
-     adding a type annotation.
-   * Use the type-errors library to detect when the type checker gets stuck
-     unable to reduce type-level operations on MetaTypes, and avoid
-     displaying massive error messages.
-   * But, since type-errors is a new library not available in eg Debian
-     yet, added a WithTypeErrors build flag. When the library is not
-     available, cabal will automatically disable that build flag,
-     and it will build without the type-errors library.
-   * EnsurePropertyAllowed, TightenTargetsAllowed, and CheckCombinable
-     types have changed to Constraint.
-     (API change)
-   * Try harder to avoid displaying an excessive amount of type error
-     messages when many properties have been combined in a props list.
-   * Libvirt.installed: install libvirt-daemon-system
-     Thanks, David Bremner"""]]
\ No newline at end of file

diff --git a/doc/todo/specify_partition_table_offset.mdwn b/doc/todo/specify_partition_table_offset.mdwn
new file mode 100644
index 00000000..c2a8e65b
--- /dev/null
+++ b/doc/todo/specify_partition_table_offset.mdwn
@@ -0,0 +1,19 @@
+I was trying to use propellor to build an image for a RockPro64 board.
+
+It'd be convenient if there was an easier way to specify where on the disk a partition should start.
+
+The board seems to assume a specific partition layout that's difficult to do with propellor commands.
+
+See http://opensource.rock-chips.com/wiki_Partitions for the official layout.
+
+And a community built image for the RockPro64's table looks like this:
+
+    Number  Start   End     Size    Type     File system  Flags
+     1      16.8MB  83.9MB  67.1MB  primary  fat32        boot, lba
+     2      134MB   5377MB  5243MB  primary  ext4         boot
+
+While the one I generated with propellor (that doesn't work) looks like:
+
+    Number  Start   End     Size    File system  Name     Flags
+     1      4194kB  273MB   268MB   ext2         primary  boot, esp
+     2      273MB   1854MB  1581MB  ext4         primary

Worked around a situation where ghc uses insane amounts of memory displaying an error message about a property of a host having the wrong number of arguments
This is suboptimal, and I hope ghc improves eventually.
But it's a lot better than using all available memory.
This commit was sponsored by Svenne Krap on Patreon.
diff --git a/debian/changelog b/debian/changelog
index f2505f06..de1914c2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 propellor (5.12) UNRELEASED; urgency=medium
 
+  * Worked around a situation where ghc uses insane amounts of memory
+    displaying an error message about a property of a host having the
+    wrong number of arguments.
   * Added libghc-type-errors-dev to debian/control recommends, and
     install it if available when bootstrapping propellor.
   * Borg: add UseUmask to BorgRepoOpt.
diff --git a/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn b/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn
new file mode 100644
index 00000000..d6812b89
--- /dev/null
+++ b/doc/todo/avoid_ghc_memory_blow_up_for_huge_metatypes_error_messages.mdwn
@@ -0,0 +1,127 @@
+Some simple mistakes in config.hs can make ghc use gigabytes of memory,
+apparently just to display a huge type error message.
+
+For example, add this to the beginning of
+a Host that has a few dozen other properties after it:
+
+	& Apt.setSourcesListD [] -- missing a parameter
+
+The size of the ghc error output doubles with each added property.
+With 7 it is 518 lines, with 8, 1030 lines. Once it's up to 100000 lines or
+so, it's already using almost a gigabyte of memory.
+
+The error message looks like this (when built with -f-WithTypeErrors):
+
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property HasInfo + Debian
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes y0
+	...
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes
+	                   (Propellor.Types.MetaTypes.Concat
+	                      (Data.Type.Bool.If
+	                         (Propellor.Types.MetaTypes.Elem
+	                            'Propellor.Types.MetaTypes.WithInfo
+	                            (Propellor.Types.MetaTypes.NonTargets y0))
+	                         (Propellor.Types.MetaTypes.NonTargets y0)
+	                         ('Propellor.Types.MetaTypes.WithInfo
+	                            : Propellor.Types.MetaTypes.NonTargets y0))
+	                      (Data.Type.Bool.If
+	                         (Propellor.Types.MetaTypes.Elem
+	                            ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                            (Propellor.Types.MetaTypes.Targets y0))
+	                         '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                         '[]))
+	        Property Debian + Buntish
+	...
+	executables/propellor-config.hs:175:42: error:
+	    • Cannot combine Properties:
+	        Property Propellor.Types.MetaTypes.PrettyPrintMetaTypes
+	                   (Propellor.Types.MetaTypes.Concat
+	                      (Propellor.Types.MetaTypes.Union
+	                         (Propellor.Types.MetaTypes.NonTargets
+	                            (Propellor.Types.MetaTypes.Concat
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     'Propellor.Types.MetaTypes.WithInfo
+	                                     (Propellor.Types.MetaTypes.NonTargets y0))
+	                                  (Propellor.Types.MetaTypes.NonTargets y0)
+	                                  ('Propellor.Types.MetaTypes.WithInfo
+	                                     : Propellor.Types.MetaTypes.NonTargets y0))
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                                     (Propellor.Types.MetaTypes.Targets y0))
+	                                  '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                                  '[])))
+	                         '[])
+	                      (Propellor.Types.MetaTypes.Intersect
+	                         (Propellor.Types.MetaTypes.Targets
+	                            (Propellor.Types.MetaTypes.Concat
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     'Propellor.Types.MetaTypes.WithInfo
+	                                     (Propellor.Types.MetaTypes.NonTargets y0))
+	                                  (Propellor.Types.MetaTypes.NonTargets y0)
+	                                  ('Propellor.Types.MetaTypes.WithInfo
+	                                     : Propellor.Types.MetaTypes.NonTargets y0))
+	                               (Data.Type.Bool.If
+	                                  (Propellor.Types.MetaTypes.Elem
+	                                     ('Propellor.Types.MetaTypes.Targeting 'OSDebian)
+	                                     (Propellor.Types.MetaTypes.Targets y0))
+	                                  '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian]
+	                                  '[])))
+	                         '[ 'Propellor.Types.MetaTypes.Targeting 'OSDebian,
+	                            'Propellor.Types.MetaTypes.Targeting 'OSBuntish]))
+	        Property Debian + Buntish
+
+Since the type checker is getting stuck it pretty-prints the type level
+expression it was trying to solve, all expanded out, so this can get
+arbitrarily huge.
+
+This really seems like a ghc bug, and may be worth filing? But maybe propellor
+could also avoid it. Perhaps there's some way to write the MetaTypes code
+that avoids this.
+
+Hmm, the "Cannot combine properties" custom type message includes the types
+of the two properties in question. I tried leaving those out, and the error
+message is no longer huge. (But also not comprehensible in other cases.)
+Here's how that change affected memory use:
+
+	-50.50user 4.79system 0:59.28elapsed 93%CPU (0avgtext+0avgdata 2010848maxresident)k
+	+8.70user 0.72system 0:09.41elapsed 100%CPU (0avgtext+0avgdata 964804maxresident)k
+
+Wow! (900 mb or so is what it usually takes to build my config, so there's
+no excess memory use at all really after that change.)
+
+So there are changes to propellor that basically solve this, looks like.
+Question is, how to solve it without eliminating nice things like
+
+	    • Cannot combine Properties:
+	        Property HasInfo + Debian
+	        Property HasInfo + FreeBSD
+
+WithTypeErrors tries to detect just that case, making that message
+check if they're stuck, and not display them. That works as far
+as preventing displaying massive type errors, but ghc still
+uses too much memory despite not displaying them. Here's the
+memory use when it's enabled:
+
+	20.48user 1.36system 0:21.96elapsed 99%CPU (0avgtext+0avgdata 1942220maxresident)k
+
+I think what's probably going on is, WithTypeErrors uses IsStuck, which
+causes ghc to do an equivilant amount of buffering as displaying the type would.
+
+Well, I can't see a way to keep the nice display of metatypes in the non-stuck
+case, while avoiding blowup in the stuck case. But on the other hand,
+it's pretty unusual to actually try to use a FreeBSD on a Debian system
+when adding properties to a host. The metatypes are really more useful
+when programming properties, to eg, avoid using Apt.installed inside
+some property that's LinuxLike and so also needs an implementation for 
+non-Debian.
+
+So, ok, we'll skip displaying the metatypes when (&) is used to combine
+properties eg in a Host definition, but display it when properties are combined
+in other ways. [[done]] --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index e46adc40..29e6ecd4 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -36,7 +36,7 @@ Description:
  It is configured using haskell.
 
 Flag WithTypeErrors
-  Description: Build with type-errors library for better error messages
+  Description: Build with type-errors library for better error messages and less memory use
 
 Library
   Default-Language: Haskell98
diff --git a/src/Propellor/Types/MetaTypes.hs b/src/Propellor/Types/MetaTypes.hs
index 055338af..7cef578e 100644
--- a/src/Propellor/Types/MetaTypes.hs
+++ b/src/Propellor/Types/MetaTypes.hs
@@ -169,10 +169,10 @@ type family CheckCombinableNote (list1 :: [a]) (list2 :: [a]) (note :: ErrorMess
 				('Just ('Text "(" ':<>: note ':<>: 'Text ")"))
 			)
 
--- Checking IfStuck is to avoid massive and useless error message leaking 
--- type families from this module.
 type family CannotCombine (list1 :: [a]) (list2 :: [a]) (note :: Maybe ErrorMessage) :: Constraint where
-	CannotCombine list1 list2 note = 
+	-- Checking IfStuck is to avoid ugly error
+	-- message leaking type families from this module.
+	CannotCombine list1 list2 'Nothing = 
 		IfStuck list1
 			(IfStuck list2
 				(DelayError (CannotCombineMessage UnknownType UnknownType UnknownTypeNote))
@@ -180,8 +180,21 @@ type family CannotCombine (list1 :: [a]) (list2 :: [a]) (note :: Maybe ErrorMess
 			)
 			(IfStuck list2
 				(DelayError (CannotCombineMessage (PrettyPrintMetaTypes list1) UnknownType UnknownTypeNote))
-				(DelayErrorFcf (CannotCombineMessage (PrettyPrintMetaTypes list1) (PrettyPrintMetaTypes list2) note))
+				(DelayErrorFcf (CannotCombineMessage (PrettyPrintMetaTypes list1) (PrettyPrintMetaTypes list2) 'Nothing))
 			)
+	-- When there's a note, don't display the MetaTypes at all.
+	-- This is because the note is used when eg, combining properties
+	-- in a host with (&), and in that case, it's likely that the
+	-- problem resulted in the type checker getting stuck, and that
+	-- displaying the MetaTypes would involve a massive error messsage.
+	-- Displaying, or even checking IfStuck in that case can result in
+	-- huge amounts of memory being used by ghc. So, avoid it, and let
+	-- the note point the user in the right direction to fixing their
+	-- mistake.
+	CannotCombine list1 list2 ('Just note) = 
+		TypeError ('Text "Cannot combine two Properties."
+			':$$: 'Text "(They may have conflicting MetaTypes, or the wrong number of arguments.)"
+			':$$: note)
 
 type family UnknownType :: ErrorMessage where
 	UnknownType = 'Text "<unknown>"

merged nicolas/borg-umask
diff --git a/debian/changelog b/debian/changelog
index 849d132d..f2505f06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ propellor (5.12) UNRELEASED; urgency=medium
 
   * Added libghc-type-errors-dev to debian/control recommends, and
     install it if available when bootstrapping propellor.
+  * Borg: add UseUmask to BorgRepoOpt.
+    Thanks, Nicolas Schodet
+  * Borg: use "{now}" instead of $(date ...)
+    Thanks, Nicolas Schodet
 
  -- Joey Hess <id@joeyh.name>  Thu, 27 Aug 2020 20:57:48 -0400
 
diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
index 64ca8b83..74284c2d 100644
--- a/doc/todo/Add_Borg.UseUmask.mdwn
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -7,3 +7,5 @@ Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.g
 As a side change, I use `{now}` instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
 
 Tested with stretch and buster.
+
+> [[merged|done]] thanks for the contribution. --[[Joey]]

Added a comment
diff --git a/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment b/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment
new file mode 100644
index 00000000..f2db3de5
--- /dev/null
+++ b/doc/todo/spin_without_remote_compilation/comment_9_7f8f6e688efeb9a454a3f82777c2743b._comment
@@ -0,0 +1,38 @@
+[[!comment format=mdwn
+ username="jsza"
+ avatar="http://cdn.libravatar.org/avatar/72c6bc8c0cdfb0fff175e90c3b036415"
+ subject="comment 9"
+ date="2020-08-24T13:06:47Z"
+ content="""
+Hi, I'm trying to spin using the `Precompiled.precompiled` property from the `precompiled`, branch after having merged master. The first time trying to spin after adding the property, this error occurs:
+
+    > ./propellor --spin host_redacted
+    Build profile: -w ghc-8.8.4 -O1
+    In order, the following will be built (use -v for more details):
+     - propellor-5.11 (exe:propellor-config) (file executables/propellor-config.hs changed)
+    Preprocessing executable 'propellor-config' for propellor-5.11..
+    Building executable 'propellor-config' for propellor-5.11..
+    [1 of 1] Compiling Main             ( executables/propellor-config.hs, /home/jayess/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.4/propellor-5.11/x/propellor-config/build/propellor-config/propellor-config-
+    tmp/Main.o )
+    Linking /home/jayess/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.4/propellor-5.11/x/propellor-config/build/propellor-config/propellor-config ...
+    Propellor build ... done
+    <git push output snipped>
+    ldd: bin/propellor: No such file or directory
+    propellor: user error (ldd [\"bin/propellor\"] exited 1)
+
+
+Subsequent spin attempts produce this error:
+
+    > ./propellor --spin us4.tempus.xyz
+    Up to date
+    Propellor build ... done
+    <git push output snipped>
+    cp: cannot stat '/home/jayess/propellor/propellor (deleted)': No such file or directory
+    ** error: failed copying in propellor
+    propellor: Cannot continue!
+    CallStack (from HasCallStack):
+      error, called at src/Propellor/Message.hs:143:9 in propellor-5.11-inplace:Propellor.Message
+
+I think `Propellor.Spin.sendPrecompiled` might itself be broken, but I can't quite wrap my head around what's going on here. Any ideas? I'm using `cabal 3.0.0.0` in Debian Unstable.
+
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment
new file mode 100644
index 00000000..fa241e4b
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_6_c526880fa0d866511c0ffecc6f90fcdf._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 6"
+ date="2020-08-23T02:22:06Z"
+ content="""
+I confirmed that privdata is being transmitted, but that my test file is not. The resulting `/usr/local/propellor/privdata/local` file is not obviously corrupted, but does not contain the string \"/root/foo\". The file \"/root/foo\" also does not show as used anywhere in the output of `propellor --list-fields`. I'm not sure if that is surprising or not.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment
new file mode 100644
index 00000000..dde10ae4
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_5_2678027d2a3cf08cd977495d0b0afe91._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 5"
+ date="2020-08-22T20:13:07Z"
+ content="""
+In answer to my own question, it's not related to the content.
+Here we can see a PrivFile has content:
+[[!format text \"\"\"
+╭─ convex:~/.propellor 
+╰─ (git)-[master]-% propellor --dump 'PrivFile \"/root/foo\"' 'any'
+[2020-08-22 16:57:32 ADT] command line:  Dump (PrivFile \"/root/foo\") (Context \"any\")
+[2020-08-22 16:57:32 ADT] read: git [\"config\",\"gpg.program\"]
+[2020-08-22 16:57:32 ADT] process done ExitFailure 1
+[2020-08-22 16:57:32 ADT] chat: gpg [\"--decrypt\",\"privdata/privdata.gpg\"]
+gpg: encrypted with 4096-bit RSA key, ID 70E3C0DE87068451, created 2019-06-08
+      \"David Bremner <bremner@debian.org>\"
+[2020-08-22 16:57:33 ADT] process done ExitSuccess
+sekrit
+\"\"\"]]
+On the other hand, when running `propellor --spin convex.local` I get
+[[!format text \"\"\"
+** warning: Missing privdata PrivFile \"/root/foo\" (for any)
+Fix this by running:
+  propellor --set 'PrivFile \"/root/foo\"' 'any' \
+    < /root/foo
+\"\"\"]]
+
+I tried with a different workstation, spinning itself, and the same machine as above (\"convex\"), with the same results.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment
new file mode 100644
index 00000000..a2688611
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_4_4a0432687efa5b83e4cfefecdb355188._comment
@@ -0,0 +1,26 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 4"
+ date="2020-08-22T17:02:41Z"
+ content="""
+OK, I belatedly see what you mean. It's not relevant if the remote privdata.gpg blob matches or not, since iiuc, only the local one is used by --spin.
+
+I'm having a similar issue with `Property.Gpg.keyImported`.
+
+[[!format text \"\"\"
+** warning: Missing privdata GpgKey (for 815B63982A79F8E7C72786C4762B57BB784206AD)
+Fix this by running:
+  propellor --set 'GpgKey' '815B63982A79F8E7C72786C4762B57BB784206AD' \
+    < (Either a gpg public key, exported with gpg --export -a, or a gpg private key, exported with gpg --export-secret-key -a)
+
+cs2613 root has gpg key \"815B63982A79F8E7C72786C4762B57BB784206AD\" ... failed
+** warning: Missing privdata GpgKey (for 7A18807F100A4570C59684207E4E65C8720B706B)
+Fix this by running:
+  propellor --set 'GpgKey' '7A18807F100A4570C59684207E4E65C8720B706B' \
+    < (Either a gpg public key, exported with gpg --export -a, or a gpg private key, exported with gpg --export-secret-key -a)
+\"\"\"]]
+
+Of course I did what propellor suggests, but it doesn't seem to make a difference.  Is it possible gpg armoured text is being treated specially as privdata?
+
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment
new file mode 100644
index 00000000..2e948dd0
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_3_51eff7a4898830a1adaa30da2b311c41._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 3"
+ date="2020-08-22T15:08:16Z"
+ content="""
+In this special case I don't really need privData, I worked around it by running `gpg`.
+I'm not sure if my usecase is common enough to warrant extending `Propellor.Property.Gpg`
+
+[[!format haskell \"\"\"
+  & Cmd.cmdProperty \"gpg\" [ \"--output\"
+                          , debugMeKeyFile
+                          , \"--batch\"
+                          , \"--yes\"
+                          , \"--export\"
+                          , \"7A18807F100A4570C59684207E4E65C8720B706B\"
+                          ]
+  `changesFile` debugMeKeyFile
+  `requires` rootGpg
+
+\"\"\"]]
+
+"""]]

Added a comment
diff --git a/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment b/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment
new file mode 100644
index 00000000..9e0d8453
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask/comment_2_a26137bda29948fa501c8a52b8df673c._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2020-08-22T13:23:01Z"
+ content="""
+Branch is updated.
+
+I also rebased on 5.11.
+"""]]

Added a comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment
new file mode 100644
index 00000000..bffa29c1
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_2_be582d804ba16e6acd3998eaf3eadb56._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="comment 2"
+ date="2020-08-21T23:51:40Z"
+ content="""
+In this case it's both the same host, but I don't think that's important. I'm just saying that propellor --dump verifies the local copy has the privdata, and I verified by checksums that the remote (host being managed) privdata blob is the same.
+"""]]

comment
diff --git a/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment b/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment
new file mode 100644
index 00000000..58e5c7c8
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask/comment_1_461d217284ff2442d2485b59776826f6._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-08-20T16:58:14Z"
+ content="""
+I checked and there was no justification given for the use of date rather
+than {now} ... Perhaps it predated that?
+
+The only difference between the two is the use of date for some reason
+included nanaosecond precision. Otherwise the format is the same.
+
+I have no objection to making that change, but I think it needs to be done
+in a separate commit, rather than in passing.
+
+Also, I think `UseUmask Int` could be `UseUmask FileMode`. At least
+FileMode is used in some other parts of propellor that deal with umasks.
+"""]]

comment
diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment
new file mode 100644
index 00000000..d8069651
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey/comment_1_87df80585805b5558264afae3e8afdcc._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-08-20T16:44:27Z"
+ content="""
+I think there could be some confusion here about where you run the
+propellor command to set the privdata.
+
+I always run those commands locally, not on the host being managed by
+propellor. --spin decrypts it and copies the parts a host needs to the
+host.
+"""]]

diff --git a/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn
new file mode 100644
index 00000000..1ddec6d9
--- /dev/null
+++ b/doc/forum/propellor_can__39__t_find_privdata_for_gpg_pubkey.mdwn
@@ -0,0 +1,44 @@
+I have the following property for one of my hosts:
+
+[[!format haskell """
+ File.hasPrivContent "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"  anyContext
+"""]]
+
+Unsurprisingly, the first time I run `propellor --spin my-host` I get
+
+[[!format text """
+** warning: Missing privdata PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg" (for any)
+Fix this by running:
+  propellor --set 'PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"' 'any' \
+    < /usr/share/debug-me/keyring/a_CS2613_prof.gpg
+"""]]
+
+I cut and paste the suggested lines (after previously copying the file into place manually, but it doesn't seem to change anything. On subsequent runs I get the same thing.
+
+if I run `propellor --dump  'PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg"' 'any' | gpg` I get
+[[!format text """
+gpg: WARNING: no command supplied.  Trying to guess what you mean ...
+[2020-08-20 10:03:07 ADT] command line:  Dump (PrivFile "/usr/share/debug-me/keyring/a_CS2613_prof.gpg") (Context "any")
+[2020-08-20 10:03:07 ADT] read: git ["config","gpg.program"]
+[2020-08-20 10:03:07 ADT] process done ExitFailure 1
+[2020-08-20 10:03:07 ADT] chat: gpg ["--decrypt","privdata/privdata.gpg"]
+gpg: encrypted with 4096-bit RSA key, ID 70E3C0DE87068451, created 2019-06-08
+      "David Bremner <bremner@debian.org>"
+[2020-08-20 10:03:08 ADT] process done ExitSuccess
+pub   rsa4096 2014-09-22 [SC]
+      7A18807F100A4570C59684207E4E65C8720B706B
+uid           David Bremner <bremner@unb.ca>
+uid           David Bremner <david@tethera.net>
+uid           David Bremner <bremner@debian.org>
+sub   rsa4096 2014-09-22 [E] [expired: 2020-07-23]
+sub   rsa3072 2017-07-24 [S] [expired: 2020-07-23]
+sub   rsa4096 2017-07-24 [A] [expired: 2020-07-23]
+sub   rsa4096 2019-06-08 [S] [expires: 2021-06-07]
+sub   rsa4096 2019-06-08 [E] [expires: 2021-06-07]
+sub   rsa4096 2019-06-08 [A] [expires: 2021-06-07]
+"""]]
+
+I understand that the propellor run is using a different copy of privdata, but I verified the checksums match between my user propellor install and the one in /usr/local/propellor.
+
+Other uses of `privFileContent` with anyContext work fine on the same host.
+ 

Fix backticks
diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
index 66012314..64ca8b83 100644
--- a/doc/todo/Add_Borg.UseUmask.mdwn
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -4,6 +4,6 @@ Here is again a change for Borg to allow to give the --umask option on each borg
 
 Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
 
-As a side change, I use '{now}' instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
+As a side change, I use `{now}` instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
 
 Tested with stretch and buster.

diff --git a/doc/todo/Add_Borg.UseUmask.mdwn b/doc/todo/Add_Borg.UseUmask.mdwn
new file mode 100644
index 00000000..66012314
--- /dev/null
+++ b/doc/todo/Add_Borg.UseUmask.mdwn
@@ -0,0 +1,9 @@
+Hello,
+
+Here is again a change for Borg to allow to give the --umask option on each borg invocation.
+
+Please fetch branch `borg-umask` at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
+
+As a side change, I use '{now}' instead of a call to `$(date …)`, I think it's more idiomatic for borg usage.
+
+Tested with stretch and buster.

Added a comment: problems with worms.
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment
new file mode 100644
index 00000000..61612b82
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_9_5119af0e60acf5590194f970f5be1424._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="problems with worms."
+ date="2020-08-15T14:18:25Z"
+ content="""
+Dangling is the wrong word. I had a symlink pointing to an old build of propellor.
+"""]]

Added a comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment
new file mode 100644
index 00000000..a1898304
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_5_a5dea814e88aa90959f41a500806270f._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 5"
+ date="2020-08-14T21:11:56Z"
+ content="""
+Actually I have no idea how to implement the privdata for init, restored and backup in a sane way, so I will let this challenge for someone else :)
+
+Thanks for the merge.
+"""]]

add news item for propellor 5.11
diff --git a/doc/news/version_5.11.mdwn b/doc/news/version_5.11.mdwn
new file mode 100644
index 00000000..9dcef85d
--- /dev/null
+++ b/doc/news/version_5.11.mdwn
@@ -0,0 +1,13 @@
+propellor 5.11 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix display of concurrent output from processes when using
+     Propellor.Property.Conductor.
+     (Reversion introduced in version 5.5.0.)
+   * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
+   * Makefile: Fix build with cabal 3.x.
+   * Borg.restored: Fix restoration, which has apparently never worked,
+     at least back to borg 1.0.9.
+     Thanks, Nicolas Schodet.
+   * Borg.init: Added the now required encryption type parameter.
+     Thanks, Nicolas Schodet.
+     (API change)"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.8.0.mdwn b/doc/news/version_5.8.0.mdwn
deleted file mode 100644
index a00c611a..00000000
--- a/doc/news/version_5.8.0.mdwn
+++ /dev/null
@@ -1,18 +0,0 @@
-propellor 5.8.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Fix bug in File.containsShellSetting that replaced whole shell conffile
-     content with the setting if the file did not previously contain a line
-     setting the key to some value.
-   * Removed inChroot, instead use hasContainerCapability FilesystemContained.
-     (API change)
-   * Hostname: Properties that used to not do anything in a systemd or
-     docker container will now change the container's hostname,
-     since it's namespaced.
-   * Add User.ownsWithPrimaryGroup
-     Thanks, Sean Whitton
-   * Ssh.userKeys, Ssh.userKeyAt: Create .ssh directory when it does not yet
-     exist.
-   * Ssh.userKeyAt: When a relative filepath is provided, it's put inside
-     the user's .ssh directory.
-   * Fix Git.pulled always reporting a change.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file

update
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment
new file mode 100644
index 00000000..b3086ec1
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_5_43c2450a8858fde866e5f9570d371d80._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 5"""
+ date="2020-08-14T19:57:07Z"
+ content="""
+On second thought, there may be other changes in concurrent-output
+after 1c330fa3814baadf23c1934a8014c91a3251234a that depend on that change.
+I'm not sure, and don't want to find out by breaking it in propellor.
+So, I've reverted this change and will wait the necessary several years.
+"""]]
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 48dd829e..c442c977 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -50,3 +50,14 @@ Waiting on concurrent-output reaching Debian stable.
 > > > I've updated the embedded concurrent-output copy, and it should
 > > > be kept up-to-date as concurrent-output changes, to avoid more
 > > > such reversions. --[[Joey]]
+
+> > > > Unforunately, the embedded concurrent-output copy had to be
+> > > > downgraded again, because it turns out the new version
+> > > > of concurrent-output depends on process-1.6, while propellor
+> > > > neeeds to also work with older versions.
+> > > >
+> > > > So, propellor will embed the old concurrent-output until
+> > > > process-1.6 is in debian oldstable, and then revert
+> > > > [[!commit ]] and version propellor's dep on process,
+> > > > and then, finally, once concurrent-output 1.10.12 is in oldstable
+> > > > propellor can stop embedding it. --[[Joey]]

analysis and followup q to bremner
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment
new file mode 100644
index 00000000..22ad0b9b
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_4_c4c75ff6c06fbb3de5b4c23e5ba2fd1e._comment
@@ -0,0 +1,42 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-08-14T17:06:46Z"
+ content="""
+So the relevant change in that commit, I think, is that
+waitForProcessConcurrent used to do its own locking,
+and would sometimes not even call waitForProcess, but instead
+waitAny. And now it just calls waitForProcess.
+
+That change comes from concurrent-output commit 
+1c330fa3814baadf23c1934a8014c91a3251234a
+Which removed a workaround for
+https://github.com/haskell/process/issues/46 and added
+a depend on `process (>= 1.6)` which fixed its bug.
+
+Propellor does not depend on any particular version of process,
+so it's exposed to the old bug.
+
+But, David, is your system really using an older version of process to
+build propellor?
+(Bearing in mind that the system might ship with a newer version but cabal
+may have chosen to use an older version for whatever reason.)
+Probably the easiest way to check is, edit propellor.cabal,
+make it depend on `process (>= 1.6)`, and rebuild and see if you still have
+the problem.
+
+Anyway, we can either revert 1c330fa3814baadf23c1934a8014c91a3251234a in
+propellor, or revert the whole 162e1d4e82e24f0fe3e2bd3114e4366ddb1062c0
+but I'd really rather not do that because it's been stuck on the old
+version of concurrent-output forever. 
+
+Or, it propellor could depend on the fixed process. process-1.6
+was bundled with ghc-8.2.2. That works back to debian stable, but not
+oldstable, which is still a supported target of propellor.
+
+I guess, if we can confirm the old version of process is really the issue,
+I'm leaning toward reverting 1c330fa3814baadf23c1934a8014c91a3251234a,
+until the far-future time when we emerge blinking from the oldstable stasis
+chamber and propellor can finally depend on concurrent-output rather than
+bundling it.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment
new file mode 100644
index 00000000..2fdd3d51
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_8_913968893edfc56501aada3b2cda8ee2._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 8"""
+ date="2020-08-14T17:02:55Z"
+ content="""
+Hmm, it overwrites /usr/local/propellor with:
+
+	rename safetycopy "propellor"
+
+That is safe against dangling symlinks. The safetycopy is created
+using `cp -pfL` which also seems safe against dangling symlinks
+(or symlinks pointing to files, though not to directories).
+"""]]

Added a comment: why make clean?
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment
new file mode 100644
index 00000000..04cc475e
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_7_62e68fd2a14ea23e983fcb6ed3ad536c._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="why make clean?"
+ date="2020-08-14T16:59:44Z"
+ content="""
+I _think_ the problem was the existing dangling \"propellor\" symlink. But I could well be confused.
+"""]]

merged nicolas/borg-fixes
diff --git a/debian/changelog b/debian/changelog
index 24bbf641..e9d6411d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,16 @@
-propellor (5.10.3) UNRELEASED; urgency=medium
+propellor (5.11) UNRELEASED; urgency=medium
 
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
   * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
   * Makefile: Fix build with cabal 3.x.
+  * Borg.restored: Fix restoration, which has apparently never worked,
+    at least back to borg 1.0.9.
+    Thanks, Nicolas Schodet.
+  * Borg.init: Added the now required encryption type parameter.
+    Thanks, Nicolas Schodet.
+    (API change)
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment
new file mode 100644
index 00000000..71ce0ac4
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_4_7685b1c27b0873b9149bc761f4e734af._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-08-14T16:44:43Z"
+ content="""
+I've merged your branch, thanks.
+
+It does seem to me that Borg.init could do the privdata lookup itself, and
+set `BORG_PASSPHRASE`. Otherwise the user is currently left with no
+indication of how to do that, except for the commit message
+[[!commit afab5b2f0b4e06a5c41f064d10f65ead063ab5af]].
+
+And, for BorgEncRepokey and BorgEncKeyfile, wouldn't backup and restore
+also need the passphrase to be provided?
+
+(I don't think these questions need to delay releasing propellor with your
+fixes, since AFAICS your changes won't impact anything that worked with
+propellor before.)
+"""]]

Added a comment: fix / workaround
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment
new file mode 100644
index 00000000..14f4afe7
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_3_2ea2ebe0e9fe836ad1f1a7e142f77309._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="fix / workaround"
+ date="2020-08-14T16:57:22Z"
+ content="""
+based on a suggestion by joeyh, I reverted 162e1d4e82e24f0fe3e2bd3114e4366ddb1062c0 and this seems to have made the problem go away.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment
new file mode 100644
index 00000000..2fa6ef19
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_6_00f48f55d8a48a7799d81d40bfe11921._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 6"""
+ date="2020-08-14T16:31:36Z"
+ content="""
+I'm curious why you needed to make clean. AFAIK the new cabal will ignore
+any cruft left by the old version and should just do a from scratch build
+on its own.
+
+Indeed, one of my hosts managed by propellor has both
+/usr/local/propellor/dist and dist-newstyle, and is building successfully
+in the latter directory.
+"""]]

Added a comment: addendum
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment
new file mode 100644
index 00000000..3ed165d4
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_2_eb46e45efa0f40dbbc0a7471002eb97d._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="addendum"
+ date="2020-08-14T14:32:59Z"
+ content="""
+Actually it seems a bit random as to whether I get the longwinded or the concise failure. Out of about 10 tries, I get the longer run maybe 3 times.
+"""]]

Added a comment: variation on the theme.
diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment
new file mode 100644
index 00000000..d400839b
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__/comment_1_6271f4830c2a5bcc2bf296c32630bcba._comment
@@ -0,0 +1,28 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="variation on the theme."
+ date="2020-08-14T14:30:52Z"
+ content="""
+Today for some reason I had one run produce more output, with many repeats of the same warning. It seems to be more than a warning, since the corresponding properties fail. I have rebooted the VM, in case there was some transient resource exhaustion problem.  Successive runs of /usr/local/bin/propellor_cronjob stop very early as in my original report. 
+
+ [[!format text \"\"\"
+lotus.casa.cs.unb.ca apt installed etckeeper apt-transport-https ... ok
+lotus.casa.cs.unb.ca unattended upgrades true ... failed
+lotus.casa.cs.unb.ca replace /etc/apt/apt.conf.d/20-propellor-auto-upgrades ... ok
+lotus.casa.cs.unb.ca git repo at /etc/ config setting user.email set to root@tethera.net ... ok
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca git repo at /etc/ config setting user.name set to Root ... ok
+lotus.casa.cs.unb.ca ssh installed ... ok
+lotus.casa.cs.unb.ca ssh config: PermitRootLogin without-password ... ok
+lotus.casa.cs.unb.ca ssh config: PasswordAuthentication no ... done
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+** warning: waitForProcess: does not exist (No child processes)
+** warning: waitForProcess: does not exist (No child processes)
+lotus.casa.cs.unb.ca root has authorized_keys ... failed
+\"\"\"]]
+
+
+"""]]

diff --git a/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn
new file mode 100644
index 00000000..c2bc154a
--- /dev/null
+++ b/doc/forum/propellor:_waitForProcess:_does_not_exist___40__No_child_processes__41__.mdwn
@@ -0,0 +1 @@
+An s390x running Ubuntu Bionic has starting failing with the message in the subject when I run propellor. Any ideas what might be going on there? It seems to be right after it fetches from the central git repo.

Added a comment: Same issues now on Debian testing
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment
new file mode 100644
index 00000000..cccac0fe
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_5_c627ddd43a68235e749b3025b2b6a51a._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="Same issues now on Debian testing"
+ date="2020-08-12T17:22:31Z"
+ content="""
+I had to 
+
+- merge from joeyh's master branch
+- cd /usr/local/propellor
+- sudo make clean
+- sudo make
+
+in order to get things going.
+
+I would not be surprised at all to learn there is an easier way (perhaps just blowing away /usr/local/propellor)
+
+"""]]

Added a comment: Branch updated
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment
new file mode 100644
index 00000000..81fb2234
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_3_c605e8c4b6e13fb1a5168ad34c3c7f46._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="Branch updated"
+ date="2020-08-10T21:41:11Z"
+ content="""
+Hello, I updated my branch with:
+
+- a different commit message with a withPrivData example,
+- a fix for --glob-archive and --last not supported on borg 1.0.9,
+- a warning message if no archive is found.
+
+Not sure if it was clear: the restored function did not work either on borg 1.0.9 before my changes.
+
+Tested on buster and stretch.
+"""]]

Added a comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment
new file mode 100644
index 00000000..0cd6f1a7
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_2_0a595f3481c37280bf3d9d9545b2e954._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2020-08-01T14:58:33Z"
+ content="""
+HEAD was pointing to a non-existant master branch, sorry about that.
+
+I will try to fix the other issues, thanks for the review.
+"""]]

comment
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment
new file mode 100644
index 00000000..7c5d7eb5
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored/comment_1_4a662d7ab4f49a914718ca6e6f69ee86._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-07-31T15:11:20Z"
+ content="""
+pull failed
+
+	joey@darkstar:~/src/propellor>git fetch http://git.ni.fr.eu.org/nicolas/propellor.git
+	fatal: Couldn't find remote ref HEAD
+
+I wonder if perhaps you forgot to run `git update-server-info`?
+Or possibly this is just not an url that actually points to the raw git
+repo, it looks like a gitweb installation and gitweb does not serve git
+repos IIRC.
+
+Hardcoding `BORG_PASSPHRASE` into a propellor configuration does not seem
+good. It could use `withPrivData` to get the passphrase.
+
+If `latestArchive` didn't work, it should probably display a
+`warningMessage` rather than just failing with no indication why.
+
+There is the small problem that borg 1.0.9 is in debian oldstable and if
+someone were using propellor with it, which is supported, the changes
+to extraction would break that. Not as bad as extraction currently being
+broken for everyone with a current version of borg though! But,
+it would be easy to at least detect the old version and refuse to use it to
+restore. Either by borg --version or by using withOS and to match against
+the debian version, like Propellor.Property.Systemd.machined does.
+"""]]

Please pull Borg fix
diff --git a/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn
new file mode 100644
index 00000000..08d5cf86
--- /dev/null
+++ b/doc/todo/Fix_Borg.init_on_recent_borg_versions__44___fix_Borg.restored.mdwn
@@ -0,0 +1,11 @@
+Recent versions of Borg require the `--encryption` option to initialize a repository.
+
+Also, `borg extract` needs an archive name and it extracts the backup in the current directory.
+
+I have made a fix for this, please pull the `borg-fixes` branch at `http://git.ni.fr.eu.org/nicolas/propellor.git`.
+
+Tested with borg version 1.1.9.
+
+My haskell level is still not that great, I would love to get comments on my code.
+
+Thanks.

Added a comment
diff --git a/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment
new file mode 100644
index 00000000..7e1c0a5d
--- /dev/null
+++ b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning/comment_1_2b0f428151a6d338250c44549791395f._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="sravikumar@b98554d12f31e17b71dd07098f122792ca8837ce"
+ nickname="sravikumar"
+ avatar="http://cdn.libravatar.org/avatar/227f208e95d449decbc71eccc658cdbe"
+ subject="comment 1"
+ date="2020-07-10T20:04:47Z"
+ content="""
+Resolved the issue by adding the gpg signing key again to propellor with
+
+```
+propellor --add-key SIGNING_KEY_ID
+```
+"""]]

diff --git a/doc/forum/Error_trying_to_remove_a_key.mdwn b/doc/forum/Error_trying_to_remove_a_key.mdwn
new file mode 100644
index 00000000..252e507f
--- /dev/null
+++ b/doc/forum/Error_trying_to_remove_a_key.mdwn
@@ -0,0 +1,8 @@
+I try to remove a key from my propellor repository, but it fails:
+
+    % propellor --rm-key 41EED9A677C20D87
+    gpg: there is a secret key for public key "41EED9A677C20D87"!
+    gpg: use option "--delete-secret-keys" to delete it first.
+    removing key from propellor's keyring ... failed
+
+I believe gpg gets access to my secret keys using the agent now, it no longer use direct access.

todo
diff --git a/doc/todo/cabal_new-build_cruft.mdwn b/doc/todo/cabal_new-build_cruft.mdwn
new file mode 100644
index 00000000..586e9fde
--- /dev/null
+++ b/doc/todo/cabal_new-build_cruft.mdwn
@@ -0,0 +1,17 @@
+cabal new-build (now the default with recent cabal versions) stores stuff
+in dist-newstyle, versioned by the ghc version and the package version.
+
+So, as propellor builds itself on a host over and over again,
+and the host is upgraded and propellor is upgraded, dist-newstyle will
+accumulate cruft used by old builds.
+
+cabal clean can remove it of course, but then it won't update the build
+incrementally.
+
+What would be good is, a way to detect that the versioning has changed,
+and only then run cabal clean. One way to do that, would be when updating
+the propellor symlink to the cabal built binary, compare the old and new
+binary location. If they're not the same, the versioning has changed,
+and so cabal clean and re-build. --[[Joey]]
+
+(Note that stack probably has the same problem too.)

diff --git a/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn b/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn
new file mode 100644
index 00000000..c12a7556
--- /dev/null
+++ b/doc/forum/recommendations_for_setting_up__a_Fedora_chroot_on_a_Debian_host.mdwn
@@ -0,0 +1,9 @@
+I'd like a way to set up Fedora chroots for testing purposes on my Debian workstations. Currently I use the example from the systemd-nspawn manpage
+[[!format text """
+# machinectl pull-raw --verify=no \
+                 https://download.fedoraproject.org/pub/fedora/linux/releases/31/Cloud/x86_64/images/Fedora-Cloud-Base-31-1.9.x86_64.raw.xz \
+                 Fedora-Cloud-Base-31-1.9.x86-64
+# systemd-nspawn -M Fedora-Cloud-Base-31-1.9.x86-64
+"""]]
+
+If I understand correctly the existing Systemd.container function needs a way to make a chroot.

comment
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment
new file mode 100644
index 00000000..0ca694ff
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly/comment_1_b09c0c736838132b7dd69a1c510ff877._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-06-17T22:01:21Z"
+ content="""
+Simplest yes, but also kicking the can down the road as they'll
+presumably remove 1- at some point.
+
+I've implemented new-build support in
+[[!commit 745784f61bdd678e20b1b18743f18d458836a802]].
+Have not actually tested it on bootstrapping a new host yet, but I assume
+it will work barring some dumb typo.
+"""]]

Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
* Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
* Makefile: Fix build with cabal 3.x.
This assumes that, once a new-dist directory is created, the host won't
revert back to using dist. So it always prefers binaries from new-dist
over dist.
This commit was sponsored by LND on Patreon.
diff --git a/.gitignore b/.gitignore
index d9285db3..4e1b918c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 /propellor
 dist/*
+dist-newstyle/*
 tags
+configured
 privdata/local
 privdata/keyring.gpg~
 Setup
@@ -15,4 +17,5 @@ propellor.1
 .cabal-sandbox/
 .dir-locals.el
 cabal.sandbox.config
+cabal.project.local
 *~
diff --git a/Makefile b/Makefile
index 0e4b2ca3..b5d5708b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,35 +1,43 @@
 CABAL?=cabal
 DATE := $(shell dpkg-parsechangelog 2>/dev/null | grep Date | cut -d " " -f2-)
 
-build: tags propellor.1 dist/setup-config
+build: tags propellor.1 configured
 	$(CABAL) build
-	ln -sf dist/build/propellor-config/propellor-config propellor
+	@if [ -d dist-newstyle ]; then \
+		ln -sf $$(find dist-newstyle/ -executable -type f | grep 'build/propellor-config/propellor-config$$') propellor; \
+	else \
+		ln -sf dist/build/propellor-config/propellor-config propellor; \
+	fi
 
 install:
 	install -d $(DESTDIR)/usr/bin $(DESTDIR)/usr/src/propellor
-	install -s dist/build/propellor/propellor $(DESTDIR)/usr/bin/propellor
-	mkdir -p dist/gittmp
-	$(CABAL) sdist
-	cat dist/propellor-*.tar.gz | (cd dist/gittmp && tar zx --strip-components=1)
+	if [ -d dist-newstyle ]; then \
+		install -s $$(find dist-newstyle/ -executable -type f | grep 'build/propellor/propellor$$') $(DESTDIR)/usr/bin/propellor; \
+	else \
+		install -s dist/build/propellor/propellor $(DESTDIR)/usr/bin/propellor; \
+	fi
+	mkdir -p gittmp
+	$(CABAL) sdist -o - | (cd gittmp && tar zx --strip-components=1)
 	# cabal sdist does not preserve symlinks, so copy over file
-	cd dist/gittmp && for f in $$(find -type f); do rm -f $$f; cp -a ../../$$f $$f; done
+	cd gittmp && for f in $$(find -type f); do rm -f $$f; cp -a ../$$f $$f; done
 	# reset mtime on files in git bundle so bundle is reproducible
-	find dist/gittmp -print0 | xargs -0r touch --no-dereference --date="$(DATE)"
+	find gittmp -print0 | xargs -0r touch --no-dereference --date="$(DATE)"
 	export GIT_AUTHOR_NAME=build \
 	&& export GIT_AUTHOR_EMAIL=build@buildhost \
 	&& export GIT_AUTHOR_DATE="$(DATE)" \
 	&& export GIT_COMMITTER_NAME=build \
 	&& export GIT_COMMITTER_EMAIL=build@buildhost \
 	&& export GIT_COMMITTER_DATE="$(DATE)" \
-	&& cd dist/gittmp && git init \
+	&& cd gittmp && git init \
 	&& git add . \
 	&& git commit -q -m "distributed version of propellor" \
 	&& git bundle create $(DESTDIR)/usr/src/propellor/propellor.git master HEAD \
 	&& git show-ref master --hash > $(DESTDIR)/usr/src/propellor/head
-	rm -rf dist/gittmp
+	rm -rf gittmp
 
 clean:
-	rm -rf dist Setup tags propellor propellor.1 privdata/local
+	rm -rf dist dist-newstyle configured Setup \
+		tags propellor propellor.1 privdata/local
 	find . -name \*.o -exec rm {} \;
 	find . -name \*.hi -exec rm {} \;
 
@@ -37,11 +45,12 @@ clean:
 # duplicate tags with Propellor.Property. removed from the start, as we
 # often import qualified by just the module base name.
 tags:
-	find . | grep -v /.git/ | grep -v /tmp/ | grep -v /dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags 2>/dev/null | perl -ne 'print; s/Propellor\.Property\.//; print' | sort > tags || true
+	@find . | grep -v /.git/ | grep -v /tmp/ | grep -v dist/ | grep -v /doc/ | egrep '\.hs$$' | xargs hothasktags 2>/dev/null | perl -ne 'print; s/Propellor\.Property\.//; print' | sort > tags || true
 
-dist/setup-config: propellor.cabal
+configured: propellor.cabal
 	@if [ "$(CABAL)" = ./Setup ]; then ghc --make Setup; fi
 	@$(CABAL) configure
+	touch configured
 
 propellor.1: doc/usage.mdwn doc/mdwn2man
 	doc/mdwn2man propellor 1 < doc/usage.mdwn > propellor.1
diff --git a/debian/changelog b/debian/changelog
index b46c4b4e..24bbf641 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
+  * Support bootstrapping to hosts using cabal 3.x, with new-dist directory.
+  * Makefile: Fix build with cabal 3.x.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment
new file mode 100644
index 00000000..726067da
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_4_294fcbae675879cb81aeb8d37cf3b635._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2020-06-17T21:33:14Z"
+ content="""
+	cabal install --install-method=symlink --installdir=. exe:propellor --overwrite-policy=always
+
+But, this seems to do a lot of extra work, including generating a tarball
+of all the source code, and possibly building the package again
+unncessarily. And only works with a new enough cabal version.
+
+Ok, I've implemented it using `find`.
+"""]]
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index d772d7c7..0fef92f1 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -81,7 +81,12 @@ buildCommand bs = intercalate " && " (go (getBuilder bs))
 	go Cabal =
 		[ "cabal configure"
 		, "cabal build -j1 propellor-config"
-		, "ln -sf dist/build/propellor-config/propellor-config propellor"
+		, intercalate "; "
+			[ "if [ -d dist-newstyle ]"
+			, "then ln -sf $(find dist-newstyle/ -executable -type f | grep 'build/propellor-config/propellor-config$') propellor"
+			, "else ln -sf dist/build/propellor-config/propellor-config propellor"
+			, "fi"
+			]
 		]
 	go Stack =
 		[ "stack build :propellor-config"

Added a comment: network-manager snippet
diff --git a/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment b/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment
new file mode 100644
index 00000000..4af921f4
--- /dev/null
+++ b/doc/forum/DNS_for_LAN/comment_2_bd310b1f5865a2d35502721e138ca091._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="network-manager snippet"
+ date="2020-06-11T10:25:10Z"
+ content="""
+[[!format haskell \"\"\"
+File.hasContent \"/etc/NetworkManager/conf.d/mDNS.conf\"  [ \"[connection]\"
+                                                                    , \"connection.mdns=2\"
+                                                                    ]
+          `requires` File.dirExists \"/etc/NetworkManager/conf.d\"
+\"\"\"]]
+
+The `=2` is important if you want the host to actually tell other hosts what it's IP is, and not just query,
+"""]]

Added a comment: prototype
diff --git a/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment b/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment
new file mode 100644
index 00000000..eb52f671
--- /dev/null
+++ b/doc/forum/ssh__95__known__95__hosts/comment_1_9447b1382bf54e6f4620bae200a62238._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="prototype"
+ date="2020-06-11T01:23:28Z"
+ content="""
+This seems to work for me.  Obviously less hardcoding and code duplication would be nicer.
+
+[[!format haskell \"\"\"
+-- | Puts some host's ssh public key(s), as set using `hostPubKey`
+-- or `hostKey` into /etc/ssh/ssh_known_hosts
+sshKnownHost :: [Host] -> HostName -> Property UnixLike
+sshKnownHost hosts hn  = property' desc $ \w ->
+	go w =<< knownHostLines hosts hn
+  where
+	desc = \" globally known  ssh key for \" ++ hn
+
+	go _ [] = do
+		warningMessage $ \"no configured ssh host keys for \" ++ hn
+		return FailedChange
+	go w ls = do
+		f <- return \"/etc/ssh/ssh_known_hosts\"
+		ensureProperty w $ 
+			f `File.containsLines` ls
+				`requires` File.dirExists (takeDirectory f)
+\"\"\"]]
+"""]]

Added a comment: mDNS is ok
diff --git a/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment b/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment
new file mode 100644
index 00000000..53519ebb
--- /dev/null
+++ b/doc/forum/DNS_for_LAN/comment_1_cc8b39a2344a74a32d821c59b499634a._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="mDNS is ok"
+ date="2020-06-10T23:53:36Z"
+ content="""
+I ended up (finally) enabling mDNS in network-manager and systemd-resolved and it seems work pretty well for my goal of ssh-ing to machines on my LAN.  avahi is the other main mDNS server as far as I know.
+"""]]

yay, back on track to fix this in um ... 3 years
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 5826506e..48dd829e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -42,3 +42,11 @@ Waiting on concurrent-output reaching Debian stable.
 > > This is really looking like a reversion, or several, in newer
 > > versions of concurrent-output. The code bundled with propellor is
 > > the same as concurrent-output 1.7.4.
+
+> > > I think I've fixed it, concurrent-output (>= 1.10.12 || <= 1.7.4)
+> > > will be needed to avoid the bug. Will be several years until that's
+> > > in debian stable..
+> > > 
+> > > I've updated the embedded concurrent-output copy, and it should
+> > > be kept up-to-date as concurrent-output changes, to avoid more
+> > > such reversions. --[[Joey]]

more
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 2503fe2e..5826506e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -35,8 +35,10 @@ Waiting on concurrent-output reaching Debian stable.
 > > The former system (kite) had the strange output problem.
 > > 
 > > The latter system (keysafe) seemed ok but crashed at the end with
-> > a STM transaction deadlock. Downgrading to concurrent-output 1.10.6
-> > eliminated that problem.
+> > a STM transaction deadlock. Seemed to only happen when spinning the
+> > host remotely, or not always; I tried to reproduce it running propellor
+> > manually to bisect concurrent-output but without success.
 > > 
 > > This is really looking like a reversion, or several, in newer
-> > versions of concurrent-output. --[[Joey]]
+> > versions of concurrent-output. The code bundled with propellor is
+> > the same as concurrent-output 1.7.4.

meh
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c3641385..2503fe2e 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,3 +27,16 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
+> 
+> > Tried again in 2020, same bugs still happened. On a system running
+> > debian unstable with concurrent-output 1.10.9, and a system running stable that
+> > had cabal installed concurrent-output 1.10.11.
+> > 
+> > The former system (kite) had the strange output problem.
+> > 
+> > The latter system (keysafe) seemed ok but crashed at the end with
+> > a STM transaction deadlock. Downgrading to concurrent-output 1.10.6
+> > eliminated that problem.
+> > 
+> > This is really looking like a reversion, or several, in newer
+> > versions of concurrent-output. --[[Joey]]

Revert "Added dependency on concurrent-output; removed embedded copy."
This reverts commit dbd3ba3400a3097498252097540ffe8075b00833.
Still has the same problem as in 2018!
diff --git a/debian/changelog b/debian/changelog
index 922e481e..b46c4b4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,6 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
-  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/debian/control b/debian/control
index 8e61fd80..5a46822f 100644
--- a/debian/control
+++ b/debian/control
@@ -14,9 +14,10 @@ Build-Depends:
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
+	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
+	libghc-text-dev,
 	libghc-hashable-dev,
-	libghc-concurrent-output-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -36,9 +37,10 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
+	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
+	libghc-text-dev,
 	libghc-hashable-dev,
-	libghc-concurrent-output-dev,
 	git (>= 2.0),
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 1bfaab03..c3641385 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,5 +27,3 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
-
-> > [[done]] again, hope it sticks this time --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 93edbb13..4aaf9c0a 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -49,7 +49,7 @@ Library
     base >= 4.9, base < 5,
     directory, filepath, IfElse, process, bytestring, hslogger, split,
     unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, exceptions (>= 0.6), hashable, concurrent-output
+    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
   if flag(WithTypeErrors)
     Build-Depends: type-errors
     CPP-Options: -DWITH_TYPE_ERRORS
@@ -233,6 +233,9 @@ Library
     Utility.Tmp.Dir
     Utility.Tuple
     Utility.UserInfo
+    System.Console.Concurrent
+    System.Console.Concurrent.Internal
+    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index 66192e36..d772d7c7 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -148,9 +148,12 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, Dep "libghc-ifelse-dev"
 		, Dep "libghc-network-dev"
 		, Dep "libghc-mtl-dev"
+		, Dep "libghc-transformers-dev"
 		, Dep "libghc-exceptions-dev"
+		, Dep "libghc-text-dev"
 		, Dep "libghc-hashable-dev"
-		, Dep "libghc-concurrent-output-dev"
+		-- Deps that are only needed on old systems.
+		, OldDep "libghc-stm-dev"
 		]
 	debdeps Stack =
 		[ Dep "gnupg"
@@ -169,7 +172,10 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "hs-IfElse"
 		, "hs-network"
 		, "hs-mtl"
+		, "hs-transformers-base"
 		, "hs-exceptions"
+		, "hs-stm"
+		, "hs-text"
 		, "hs-hashable"
 		]
 	fbsddeps Stack =
@@ -190,7 +196,10 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "haskell-ifelse"
 		, "haskell-network"
 		, "haskell-mtl"
+		, "haskell-transformers-base"
 		, "haskell-exceptions"
+		, "haskell-stm"
+		, "haskell-text"
 		, "haskell-hashable"
 		, "haskell-type-errors"
 		]
diff --git a/src/System/Console/Concurrent.hs b/src/System/Console/Concurrent.hs
new file mode 100644
index 00000000..12447637
--- /dev/null
+++ b/src/System/Console/Concurrent.hs
@@ -0,0 +1,44 @@
+-- | 
+-- Copyright: 2015 Joey Hess <id@joeyh.name>
+-- License: BSD-2-clause
+-- 
+-- Concurrent output handling.
+--
+-- > import Control.Concurrent.Async
+-- > import System.Console.Concurrent
+-- >
+-- > main = withConcurrentOutput $
+-- > 	outputConcurrent "washed the car\n"
+-- > 		`concurrently`
+-- >	outputConcurrent "walked the dog\n"
+-- >		`concurrently`
+-- > 	createProcessConcurrent (proc "ls" [])
+
+{-# LANGUAGE CPP #-}
+
+module System.Console.Concurrent (
+	-- * Concurrent output
+	withConcurrentOutput,
+	Outputable(..),
+	outputConcurrent,
+	errorConcurrent,
+	ConcurrentProcessHandle,
+#ifndef mingw32_HOST_OS
+	createProcessConcurrent,
+#endif
+	waitForProcessConcurrent,
+	createProcessForeground,
+	flushConcurrentOutput,
+	lockOutput,
+	-- * Low level access to the output buffer
+	OutputBuffer,
+	StdHandle(..),
+	bufferOutputSTM,
+	outputBufferWaiterSTM,
+	waitAnyBuffer,
+	waitCompleteLines,
+	emitOutputBuffer,
+) where
+
+import System.Console.Concurrent.Internal
+
diff --git a/src/System/Console/Concurrent/Internal.hs b/src/System/Console/Concurrent/Internal.hs
new file mode 100644
index 00000000..ffe6a9e8
--- /dev/null
+++ b/src/System/Console/Concurrent/Internal.hs
@@ -0,0 +1,546 @@
+{-# LANGUAGE BangPatterns, TypeSynonymInstances, FlexibleInstances, TupleSections #-}
+{-# LANGUAGE CPP #-}
+{-# OPTIONS_GHC -O2 #-}
+{- Building this module with -O0 causes streams not to fuse and too much
+ - memory to be used. -}
+
+-- | 
+-- Copyright: 2015 Joey Hess <id@joeyh.name>
+-- License: BSD-2-clause
+-- 
+-- Concurrent output handling, internals.
+--
+-- May change at any time.
+
+module System.Console.Concurrent.Internal where
+
+import System.IO
+#ifndef mingw32_HOST_OS
+import System.Posix.IO
+#endif
+import System.Directory
+import System.Exit
+import Control.Monad
+import Control.Monad.IO.Class (liftIO, MonadIO)
+import System.IO.Unsafe (unsafePerformIO)
+import Control.Concurrent
+import Control.Concurrent.STM
+import Control.Concurrent.Async
+import Data.Maybe
+import Data.List
+import Data.Monoid

(Diff truncated)
Added dependency on concurrent-output; removed embedded copy.
Trying again what failed in 2018
(commit 02eca2ae4cf51d8e83d94d8359e15ac053451109).
I hope the problem was a broken old version of concurrent-output and that
it will be ok now.
This commit was sponsored by Denis Dzyubenko on Patreon.
diff --git a/debian/changelog b/debian/changelog
index b46c4b4e..922e481e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ propellor (5.10.3) UNRELEASED; urgency=medium
   * Fix display of concurrent output from processes when using
     Propellor.Property.Conductor.
     (Reversion introduced in version 5.5.0.)
+  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Fri, 05 Jun 2020 11:26:21 -0400
 
diff --git a/debian/control b/debian/control
index 5a46822f..8e61fd80 100644
--- a/debian/control
+++ b/debian/control
@@ -14,10 +14,9 @@ Build-Depends:
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
-	libghc-text-dev,
 	libghc-hashable-dev,
+	libghc-concurrent-output-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -37,10 +36,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
 	libghc-ifelse-dev,
 	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
 	libghc-exceptions-dev (>= 0.6),
-	libghc-text-dev,
 	libghc-hashable-dev,
+	libghc-concurrent-output-dev,
 	git (>= 2.0),
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index c3641385..1bfaab03 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -27,3 +27,5 @@ Waiting on concurrent-output reaching Debian stable.
 > from debian. That is a somewhat old version and perhaps it was buggy?
 > However, I have not had any luck reproducing the problem there running
 > readProcess in ghci. --[[Joey]]
+
+> > [[done]] again, hope it sticks this time --[[Joey]]
diff --git a/propellor.cabal b/propellor.cabal
index 4aaf9c0a..93edbb13 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -49,7 +49,7 @@ Library
     base >= 4.9, base < 5,
     directory, filepath, IfElse, process, bytestring, hslogger, split,
     unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+    time, mtl, exceptions (>= 0.6), hashable, concurrent-output
   if flag(WithTypeErrors)
     Build-Depends: type-errors
     CPP-Options: -DWITH_TYPE_ERRORS
@@ -233,9 +233,6 @@ Library
     Utility.Tmp.Dir
     Utility.Tuple
     Utility.UserInfo
-    System.Console.Concurrent
-    System.Console.Concurrent.Internal
-    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index d772d7c7..3621cabb 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -148,12 +148,8 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, Dep "libghc-ifelse-dev"
 		, Dep "libghc-network-dev"
 		, Dep "libghc-mtl-dev"
-		, Dep "libghc-transformers-dev"
 		, Dep "libghc-exceptions-dev"
-		, Dep "libghc-text-dev"
 		, Dep "libghc-hashable-dev"
-		-- Deps that are only needed on old systems.
-		, OldDep "libghc-stm-dev"
 		]
 	debdeps Stack =
 		[ Dep "gnupg"
@@ -172,10 +168,7 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "hs-IfElse"
 		, "hs-network"
 		, "hs-mtl"
-		, "hs-transformers-base"
 		, "hs-exceptions"
-		, "hs-stm"
-		, "hs-text"
 		, "hs-hashable"
 		]
 	fbsddeps Stack =
@@ -196,10 +189,7 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		, "haskell-ifelse"
 		, "haskell-network"
 		, "haskell-mtl"
-		, "haskell-transformers-base"
 		, "haskell-exceptions"
-		, "haskell-stm"
-		, "haskell-text"
 		, "haskell-hashable"
 		, "haskell-type-errors"
 		]
diff --git a/src/System/Console/Concurrent.hs b/src/System/Console/Concurrent.hs
deleted file mode 100644
index 12447637..00000000
--- a/src/System/Console/Concurrent.hs
+++ /dev/null
@@ -1,44 +0,0 @@
--- | 
--- Copyright: 2015 Joey Hess <id@joeyh.name>
--- License: BSD-2-clause
--- 
--- Concurrent output handling.
---
--- > import Control.Concurrent.Async
--- > import System.Console.Concurrent
--- >
--- > main = withConcurrentOutput $
--- > 	outputConcurrent "washed the car\n"
--- > 		`concurrently`
--- >	outputConcurrent "walked the dog\n"
--- >		`concurrently`
--- > 	createProcessConcurrent (proc "ls" [])
-
-{-# LANGUAGE CPP #-}
-
-module System.Console.Concurrent (
-	-- * Concurrent output
-	withConcurrentOutput,
-	Outputable(..),
-	outputConcurrent,
-	errorConcurrent,
-	ConcurrentProcessHandle,
-#ifndef mingw32_HOST_OS
-	createProcessConcurrent,
-#endif
-	waitForProcessConcurrent,
-	createProcessForeground,
-	flushConcurrentOutput,
-	lockOutput,
-	-- * Low level access to the output buffer
-	OutputBuffer,
-	StdHandle(..),
-	bufferOutputSTM,
-	outputBufferWaiterSTM,
-	waitAnyBuffer,
-	waitCompleteLines,
-	emitOutputBuffer,
-) where
-
-import System.Console.Concurrent.Internal
-
diff --git a/src/System/Console/Concurrent/Internal.hs b/src/System/Console/Concurrent/Internal.hs
deleted file mode 100644
index ffe6a9e8..00000000
--- a/src/System/Console/Concurrent/Internal.hs
+++ /dev/null
@@ -1,546 +0,0 @@
-{-# LANGUAGE BangPatterns, TypeSynonymInstances, FlexibleInstances, TupleSections #-}
-{-# LANGUAGE CPP #-}
-{-# OPTIONS_GHC -O2 #-}
-{- Building this module with -O0 causes streams not to fuse and too much
- - memory to be used. -}
-
--- | 
--- Copyright: 2015 Joey Hess <id@joeyh.name>
--- License: BSD-2-clause
--- 
--- Concurrent output handling, internals.
---
--- May change at any time.
-
-module System.Console.Concurrent.Internal where
-
-import System.IO
-#ifndef mingw32_HOST_OS
-import System.Posix.IO
-#endif
-import System.Directory
-import System.Exit
-import Control.Monad
-import Control.Monad.IO.Class (liftIO, MonadIO)
-import System.IO.Unsafe (unsafePerformIO)
-import Control.Concurrent
-import Control.Concurrent.STM
-import Control.Concurrent.Async
-import Data.Maybe
-import Data.List
-import Data.Monoid
-import qualified System.Process as P

(Diff truncated)
diff --git a/doc/forum/ssh__95__known__95__hosts.mdwn b/doc/forum/ssh__95__known__95__hosts.mdwn
new file mode 100644
index 00000000..94db5996
--- /dev/null
+++ b/doc/forum/ssh__95__known__95__hosts.mdwn
@@ -0,0 +1 @@
+I would find it useful if there was a function similar to Ssh.knownHost that updated /etc/ssh/ssh_known_hosts.  I suppose it just requires parameterizing knownHost in terms of what file to operate on, but I'm still pretty clueless about IO in Haskell.

report bug
diff --git a/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
new file mode 100644
index 00000000..b3a3cd90
--- /dev/null
+++ b/doc/todo/Default_of_new_style_builds_breaks_Bootstrap.OSOnly.mdwn
@@ -0,0 +1,29 @@
+It looks like ghc in Debian unstable is defaulting to new style cabal builds which bypasses `Bootstrap.bootstrapWith Bootstrap.OSOnly`:
+
+    ...
+    git branch origin/spw3conf gpg signature verified; merging
+    Already up to date.
+    Build profile: -w ghc-8.8.3 -O1
+    In order, the following will be built (use -v for more details):
+     - IfElse-0.85 (lib:IfElse) (requires build)
+     - first-class-families-0.8.0.0 (lib) (requires build)
+     - hsc2hs-0.68.7 (exe:hsc2hs) (requires download & build)
+     - old-locale-1.0.0.7 (lib) (requires build)
+     - syb-0.7.1 (lib) (requires build)
+     - th-abstraction-0.3.2.0 (lib) (requires build)
+     - network-bsd-2.8.1.0 (lib) (requires build)
+     - type-errors-0.2.0.0 (lib) (requires build)
+     - hslogger-1.3.1.0 (lib) (requires build)
+     - propellor-5.10.1 (lib) (first run)
+     - propellor-5.10.1 (exe:propellor-config) (first run)
+    Downloading  hsc2hs-0.68.7
+    Configuring IfElse-0.85...
+    Preprocessing library for IfElse-0.85..
+    Building library for IfElse-0.85..
+    [1 of 1] Compiling Control.Monad.IfElse ( Control/Monad/IfElse.hs, dist/build/Control/Monad/IfElse.o )
+    Downloaded   hsc2hs-0.68.7
+    ...
+
+I think the simplest fix is to replace `cabal build` with `cabal v1-build` in `Propellor.Bootstrap.buildCommand`?
+
+--spwhitton

diff --git a/doc/forum/CUPS_configuration.mdwn b/doc/forum/CUPS_configuration.mdwn
index 335caedc..48e2ff4f 100644
--- a/doc/forum/CUPS_configuration.mdwn
+++ b/doc/forum/CUPS_configuration.mdwn
@@ -1 +1,3 @@
 Any ideas for good ways to manage CUPS config?  /etc/cups/printers.conf starts with `# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING`. I can do the obvious stop / replace / restart, but am curious if anyone has any success stories or pitfalls to relate.
+
+A very quick search suggests using "lpadmin" is the approved way of updating CUPS config. So I guess I can run some Cmd.cmpProperty calls

diff --git a/doc/forum/CUPS_configuration.mdwn b/doc/forum/CUPS_configuration.mdwn
new file mode 100644
index 00000000..335caedc
--- /dev/null
+++ b/doc/forum/CUPS_configuration.mdwn
@@ -0,0 +1 @@
+Any ideas for good ways to manage CUPS config?  /etc/cups/printers.conf starts with `# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING`. I can do the obvious stop / replace / restart, but am curious if anyone has any success stories or pitfalls to relate.

Added a comment: first attempt
diff --git a/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment b/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment
new file mode 100644
index 00000000..fb6ff177
--- /dev/null
+++ b/doc/todo/Support_for_mirroring_bare_git_repos/comment_1_f8d0ade5f31f85c1db50b3ec6a9a3818._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="first attempt"
+ date="2020-05-16T23:44:41Z"
+ content="""
+This isn't very general, but it seems to work
+
+[[!format haskell \"\"\"
+bareMirror :: String -> String -> Property  DebianLike
+bareMirror dir url = propertyList (\"bare mirror of \" ++ url ++ \" in \" ++ dir ) $ props
+  & Git.installed
+  & Git.bareRepo dir (User \"root\") Git.SharedAll
+  & Git.repoConfigured dir (\"remote.origin.url\", url)
+  & Git.repoConfigured dir (\"remote.origin.mirror\", \"true\")
+  & Git.repoConfigured dir (\"remote.origin.fetch\", \"+refs/*:refs/*\")
+  & Cmd.cmdProperty \"git\" [\"-C\", dir, \"fetch\", \"origin\" ] `changesFileContent` (dir </> \"HEAD\")
+\"\"\"]]
+"""]]

diff --git a/doc/todo/Support_for_mirroring_bare_git_repos.mdwn b/doc/todo/Support_for_mirroring_bare_git_repos.mdwn
new file mode 100644
index 00000000..3c5da097
--- /dev/null
+++ b/doc/todo/Support_for_mirroring_bare_git_repos.mdwn
@@ -0,0 +1,2 @@
+Since "git pull" has the potential to fail because of merge problems (this is not theoretical, it happened to me today), I'd prefer to just fetch into a bare repo.
+I don't know the best way to go about this. Maybe a "Git.fetched" function that does not assume a non-bare repo (as Git.cloned currently does). 

add news item for propellor 5.10.2
diff --git a/doc/news/version_5.10.2.mdwn b/doc/news/version_5.10.2.mdwn
new file mode 100644
index 00000000..264b7f60
--- /dev/null
+++ b/doc/news/version_5.10.2.mdwn
@@ -0,0 +1,10 @@
+propellor 5.10.2 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix build with ghc 8.6.3.
+     Thanks, Robin Munn
+   * Bootstrap: Fix typo in Arch Linux dependencies.
+     Thanks, Robin Munn
+   * Bootstrap: Add haskell-type-errors package on Arch Linux.
+     Thanks, Robin Munn
+   * Apt.buildDepIn: Run build-dep command in a temporary directory,
+     since it may sometimes not clean up all the files it creates."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.7.0.mdwn b/doc/news/version_5.7.0.mdwn
deleted file mode 100644
index 194a2a6f..00000000
--- a/doc/news/version_5.7.0.mdwn
+++ /dev/null
@@ -1,20 +0,0 @@
-propellor 5.7.0 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Sbuild.built no longer includes Apt.stdSourcesList by default,
-     in order to support non-Debian OS's. (API change)
-     To upgrade: Simply add Sbuild.osDebianStandard to all Sbuild.built
-     calls which have osDebian.
-     Thanks, Sean Whitton
-   * Propellor.Property.PropellorRepo renamed to Propellor.Property.Localdir
-     to widen its scope. (API change)
-   * Added Localdir.removed property.
-     Thanks, Sean Whitton
-   * Sbuild.built uses Localdir.removed to clean up the propellor localdir
-     after it's done running in a schroot.
-     Thanks, Sean Whitton
-   * Cron.runPropellor made revertable. (minor API change)
-     Thanks, Sean Whitton
-   * Added Cron.jobDropped.
-     Thanks, Sean Whitton
-   * Added Utility.FileMode to the modules exported by Propellor.Utilities
-     to propellor library users."""]]
\ No newline at end of file

Fix typo in man page
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index fb19250e..569637ee 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -141,7 +141,7 @@ and configured in haskell.
 
   If propellor is run in a directory containing a config.hs, it
   assumes that the current directory is a propellor repository, and 
-  uses the configuration from the current directory, rather tnan
+  uses the configuration from the current directory, rather than
   ~/.propellor/ 
 
 # ENVIRONMENT

diff --git a/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn
new file mode 100644
index 00000000..48c84b3a
--- /dev/null
+++ b/doc/forum/Branch_not_signed_with_trusted_gpg_key_warning.mdwn
@@ -0,0 +1,79 @@
+When I `propellor --spin HOST`, I started to get this warning:
+
+```
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)
+```
+
+Here's the relevant output from propellor:
+
+```
+Preprocessing library for propellor-5.9.1..                                                                                                                               
+Building library for propellor-5.9.1..                                                                                                                                    
+Preprocessing executable 'propellor-config' for propellor-5.9.1..                                                                                                         
+Building executable 'propellor-config' for propellor-5.9.1..                                                                                                              
+Propellor build ... done                                                                                                                                                  
+[master ee86ede9] propellor spin                                                                                                                                          
+Git commit ... done                                                                                                                                                       
+Enumerating objects: 1, done.                                                                                                                                             
+Counting objects: 100% (1/1), done.                                                                                                                                       
+Writing objects: 100% (1/1), 869 bytes | 869.00 KiB/s, done.                                                                                                              
+Total 1 (delta 0), reused 0 (delta 0)                                                                                                                                    
+To [redacted].com:sr/propellor.git                                                                                                                      
+   ed5038fa..ee86ede9  master -> master                                                                                                                                  
+Push to central git repository ... done                                                                                                                                  
+gpg: encrypted with 4096-bit RSA key, ID 0x[redacted]0F5, created 2016-09-06                                                                                          
+      "Siddharth Ravikumar <[redacted]@[redacted].com>"                                                                                                                      
+From [redacted].com:sr/propellor                                                                                                                        
+   ed5038fa..ee86ede9  master     -> origin/master                                                                                                                       
+Pull from central git repository ... done                                                                                                                                
+gpg: Signature made Thu Apr  9 09:09:25 2020 EDT                                                                                                                         
+gpg:                using RSA key [redacted]                                                                                               
+gpg: /usr/local/propellor/privdata/trustdb.gpg: trustdb created                                                                                                          
+gpg: Good signature from "Siddharth Ravikumar <[redacted]@[redacted].com>" [expired]                                                                              
+gpg: Note: This key has expired!                                                                                                                                         
+Primary key fingerprint: [redacted]                                                                                              
+gpg: Signature expires Fri Apr  9 09:09:25 2021 EDT                                                                                                                      
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)                         
+Sending privdata (5352 bytes) to cygnus.[redacted].net ... done                                                                                                        
+From .                                                                                                                                                                   
+ * branch              HEAD       -> FETCH_HEAD                                                                                                                          
+Sending git update to cygnus.[redacted].net ... done                                                                                                                   
+Pull from central git repository ... done                                                                                                                                
+gpg: Signature made Thu Apr  9 09:09:25 2020 EDT                                                                                                                         
+gpg:                using RSA key [redacted]                                                                                               
+gpg: /usr/local/propellor/privdata/trustdb.gpg: trustdb created                                                                                                          
+gpg: Good signature from "Siddharth Ravikumar <[redacted]@[redacted].com>" [expired]                                                                              
+gpg: Note: This key has expired!
+Primary key fingerprint: [redacted]
+gpg: Signature expires Fri Apr  9 09:09:25 2021 EDT
+** warning: git branch origin/master is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)
+Preprocessing library for propellor-5.9.1..
+Building library for propellor-5.9.1..
+Preprocessing executable 'propellor-config' for propellor-5.9.1..
+Building executable 'propellor-config' for propellor-5.9.1..
+Propellor build ... done
+cygnus.[redacted].net has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok
+cygnus.[redacted].net standard sources.list ... ok
+
+```
+
+
+The gpg key in question is not expired and the secret key for it is available on the machine from where I'm doing `propellor --spin`:
+
+
+```
+ gpg --edit-key '[fpr redacted]'
+Secret key is available.
+
+sec  rsa4096/0x[redacted]
+     created: 2016-09-06  expires: 2020-09-02  usage: SC
+     trust: ultimate      validity: ultimate
+ssb  rsa4096/0x[redacted]
+     created: 2016-09-06  expires: 2020-09-02  usage: E
+[ultimate] (1). Siddharth Ravikumar <[redacted]@[redacted].com>
+[ultimate] (2)  Siddharth Ravikumar <[redacted]@[redacted].com>
+
+```
+
+Any idea why I'm getting the warning about the branch not signed with a trusted a gpg key. How should I resolve this issue?
+

diff --git a/doc/forum/DNS_for_LAN.mdwn b/doc/forum/DNS_for_LAN.mdwn
new file mode 100644
index 00000000..da899e9e
--- /dev/null
+++ b/doc/forum/DNS_for_LAN.mdwn
@@ -0,0 +1 @@
+I'd like to setup DNS for hosts on my LAN (mainly for running propellor). I already have dnsmasq installed to support libvirt. Should I just use dnsmasq, or is there some other thing nicely integrated with propellor?

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment
new file mode 100644
index 00000000..f742280f
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_3_41d73c97ed105aad773027d64e66cc38._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2020-02-25T21:22:22Z"
+ content="""
+Ghc 8.8 is fixed thanks to your patch.
+
+I was curious how cabal build failed w/o -dynamic, and found
+this <https://bugs.archlinux.org/task/54563#comment158808>
+which includes a simple change that the archlinux maintainers
+could make if they didh't want this to be a self-inflicted wound
+on their users.
+"""]]

comment
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment
new file mode 100644
index 00000000..c5b85e05
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_2_ee81823a34396b98cda15282019dcafc._comment
@@ -0,0 +1,30 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2020-02-20T17:47:46Z"
+ content="""
+Seems odd that the way Arch has installed ghc would
+make `cabal install` fail without additional options being added very time.
+That does not strike me as a good decision if it's the case. I guess that
+the -dynamic should only be set on Arch, since only it has inflicted this
+problem on itself.
+
+Would appreciate a patch with the ghc 8.8 fixes.
+
+I would not be surprised if cabal new-build does not provide any good way
+to find out where the executable was put, because after all cabal build
+doesn't either (just it's easier to guess there). Cabal expects a workflow
+where that's followed by cabal install, or cabal run.
+
+This might be one way: `cabal new-install --symlink-bindir=.`  
+But with my older version of cabal, that seems to not actually work,
+indeed I can't get it to install the binaries anywhere. Maybe it does
+work with the newer cabal where new-install is the default.
+
+Needing to detect whether new-build was used or not is an added
+complication.
+
+Best way I've found:
+
+	find dist-newstyle/ -executable -type f |grep 'propellor$'
+"""]]

Added a comment: One more thing
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment
new file mode 100644
index 00000000..5d1fab2d
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails/comment_1_80326b7fe6ea0f301872a02bb2462a5d._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="rmunn@24f62461074e9165181dd6ec6ac66473353a24e9"
+ nickname="rmunn"
+ avatar="http://cdn.libravatar.org/avatar/5fb7a86e278e5b3b427f3b9a3cda71e1"
+ subject="One more thing"
+ date="2020-02-18T04:50:58Z"
+ content="""
+I haven't yet prepared a patch for this, but in src/Propellor/Bootstrap.hs, the `archlinuxdeps Cabal` list of should have `\"haskell-type-errors\"` added to it. That's the name of the Archlinux package for [https://hackage.haskell.org/package/type-errors](https://hackage.haskell.org/package/type-errors). Without that package, Cabal has to download type-errors and its dependencies before building Propellor, but with that package added, Archlinux's package manager can manage that package (and keep it up-to-date) instead.
+
+With that one change, the `archlinuxdeps Cabal` list is complete (at least as of yesterday when I tested it).
+
+I'll prepare a patch for this and submit it to propellor@joeyh.name soon.
+"""]]

Describe three different Haskell issues with bootstrapping on Archlinux
diff --git a/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn
new file mode 100644
index 00000000..0ff23880
--- /dev/null
+++ b/doc/forum/Bootstrapping_with_Cabal_on_Archlinux_fails.mdwn
@@ -0,0 +1,46 @@
+Bootstrapping Propellor with Cabal is currently failing for me on Archlinux, for several reasons.
+
+## Dynamic linking
+
+The `ghc` package in Archlinux [uses dynamic linking](https://wiki.archlinux.org/index.php/Haskell#Problems_with_linking) for the GHC boot libraries. This means that the `cabal install` and `cabal build` steps in src/Propellor/Bootstrap.hs need the `--ghc-options=-dynamic` option added. I don't know if it's safe to do that for all OSes, or if this is something that Bootstrap.hs will need to do only on Arch.
+
+## GHC 8.8
+
+Archlinux, being a rolling-release distro, has version 8.8.1 of GHC available. This means that once I add the `--ghc-options=-dynamic` option to the `cabal install` and `cabal build` steps, Propellor now fails to build on my Archlinux system with the GHC compiler complaining about src/Propellor/Property/Installer/Target.hs. Specifically, the `UserInput i` line in the definition of `targetInstalled` produces an "Illegal polymorphic type" error:
+
+```
+src/Propellor/Property/Installer/Target.hs:137:12: error:
+    • Illegal polymorphic type:
+        forall metatypes.
+        (Combines
+           (RevertableProperty metatypes metatypes)
+           (RevertableProperty metatypes metatypes),
+         CombinedType
+           (RevertableProperty metatypes metatypes)
+           (RevertableProperty metatypes metatypes)
+         ~ RevertableProperty metatypes metatypes) =>
+        Propellor.Property.Versioned.VerSpec v metatypes
+        -> RevertableProperty metatypes metatypes
+      Perhaps you intended to use RankNTypes
+    • In the expansion of type synonym ‘Propellor.Property.Versioned.VersionedBy’
+      In the expansion of type synonym ‘Versioned’
+      In the type signature:
+        targetInstalled :: UserInput i =>
+                           Versioned v Host
+                           -> v
+                              -> i
+                                 -> TargetPartTable
+                                    -> RevertableProperty (HasInfo + DebianLike) (HasInfo
+                                                                                  + DebianLike)
+    |
+137 |         :: UserInput i 
+    |            ^^^^^^^^^^^^...
+```
+
+This appears to be  due to [stricter type synonym validity-checking in GHC 8.8](https://gitlab.haskell.org/ghc/ghc/wikis/migration/8.8#stricter-type-synonym-validity-checking). I had to add the `RankNTypes`, `TypeFamilies`, and `FlexibleContexts` extensions to Target.hs in order to make GHC 8.8 happy. (That's a minimal set: removing any one of those three produced one of three different compiler errors, which I won't reproduce here for brevity's safe). This appears to be safe on all OSes, since Propellor compiled happily on my laptop, which is running a Buntish variant called Linux Mint (where GHC 8.0.2 is what Apt gave me). (Though do note that I only tested that on Arch and Mint, and didn't do any testing on Debian to see whether GHC 7.x or earlier is still happy with those extensions being present in the source file).
+
+## New-style cabal
+
+Once I added the `--ghc-options=-dynamic` option to Cabal, and added those three extensions to the first line of Target.hs, I was then faced with another error: the `ln -sf` step failed because `dist/build/propellor-config/propellor-config` didn't exist. The version of Cabal that comes with Archlinux has apparently switched to [Nix-style local builds](https://cabal.readthedocs.io/en/latest/nix-local-build-overview.html) as the default action when you run `cabal build`, and the `propellor-config` binary ended up in `/usr/local/propellor/dist-newstyle/build/x86_64-linux/ghc-8.8.1/propellor-5.10.1/x/propellor-config/build/propellor-config/propellor-config`.
+
+This is the point where, not being a Haskell programmer myself, my ability to Google the problem was exhausted. I'm sure there's a way to get Cabal to tell you where it will put the files it's about to build (similar to `stack path --dist-dir`), but at this point, I needed to get back to working on other things. So I punted and just added `& bootstrapWith (Robustly Stack)` to the properties of my Archlinux host. :-) Bootstrapping with Stack was successful, BTW.

Added a comment
diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment
new file mode 100644
index 00000000..9356298b
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_2_b58e57d9edb7c574ff8a72dbcd24d1b7._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="https://launchpad.net/~barthelemy"
+ nickname="barthelemy"
+ avatar="http://cdn.libravatar.org/avatar/e99cb15f6029de3225721b3ebdd0233905eb69698e9b229a8c4cc510a4135438"
+ subject="comment 2"
+ date="2020-01-07T00:38:09Z"
+ content="""
+Hi Joey,
+
+thank you for the feedback. I'm glad to know it is supposed to work in those cases.
+It seems freedombox uses btrfs and swapfiles do not work on btrfs partitions. I thus tried with zram (apt get install zram-tools, which set up a 256 MiB swap).
+
+I could then run propellor --spin to the server, it passed.
+Then I rm -rf /usr/local/propellor on server and ran propellor --spin again.
+The build passed again (it took ~75 minute and at some point ghc took 570MiB but it succeedded).
+
+I'm back on track, thank you again!
+"""]]

comment
diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment
new file mode 100644
index 00000000..af019cf6
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__/comment_1_fc192587233c3cda7d0f78f67311de49._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2020-01-04T19:02:08Z"
+ content="""
+500 mb seems a bit higher than typical; my own config.hs (500 lines)
+needs 416 mb to build, and the example config.hs included in propellor
+needs 245 mb.
+
+I typically install swapspace on systems with 1 gb or less and it works
+fine. I think the smallest system I've used propellor with was 500 mb.
+"""]]

diff --git a/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn b/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn
new file mode 100644
index 00000000..7bcbd0cc
--- /dev/null
+++ b/doc/forum/using_propellor_on_low_RAM_devices__63__.mdwn
@@ -0,0 +1,18 @@
+I'm trying to use propellor (and to learn haskell!) to manage my laptop and a small server, both running debian stable. 
+
+The server is a lime2 soc [1], with only 1GiB of RAM, and no swap (I think this is the default setup from the freedombox image).
+
+propellor --spin failed when targeting the server: on the server, ghc got killed by the OOM killer.
+
+I then simplified my config.hs and successfully ran "cabal build -j1" from the server.
+At some point during the successful build, ghc was using 400MiB of memory.
+This is 40% of the whole memory, I fear the OOM killer will strike again if I don't change something.
+I'll probably try to enable swap.
+
+Propellor seems designed with embedded devices in mind (eg. with the image builder), I'm surprised it demands that much RAM.
+Am I missing something?
+Do people cross-compile propellor to avoid the issue?
+
+Cheers!
+
+[1] https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-LIME2

Added a comment
diff --git a/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment b/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment
new file mode 100644
index 00000000..1325399d
--- /dev/null
+++ b/doc/todo/spin_without_remote_compilation/comment_8_6a7a6a3acce0b0865e2a389e60c46179._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="balu"
+ avatar="http://cdn.libravatar.org/avatar/2ec9dd5a234ce82f117bd81d1e44f2cb"
+ subject="comment 8"
+ date="2019-11-27T16:28:41Z"
+ content="""
+I am very interested in having this feature in the debian package of propellor and would like to help. What is missing to accomplish that?
+"""]]

Added a comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment
new file mode 100644
index 00000000..eb8abfb3
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_3_ab42e31ff116bf56dca6cdff9bba2d29._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="eugen"
+ avatar="http://cdn.libravatar.org/avatar/7e7e5700d7017735fd00c2dfcd3f91e4"
+ subject="comment 3"
+ date="2019-11-21T20:29:20Z"
+ content="""
+Indeed, I can see how etckeeper provides a very easy way to check exactly what has changed to /etc (also) after a propellor spin. When I'm manually editing an /etc file I know what the changes are, but not so when a tool does it for me. So, it's important to verify, for example, that propellor did indeed what I *thought* I told it to do (not sure if propellor has an option to report the /etc changes it did).
+
+By using both etckeeper and propellor, which one do you consider to have the authoritative status (power?) over /etc? Do you still manually edit /etc files?
+"""]]

comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment
new file mode 100644
index 00000000..84c22a04
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_2_41084ce268e4aa667b1c59f8352aa774._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2019-11-21T15:16:36Z"
+ content="""
+Also, when the propellor configuration is changed, it's very useful to have
+a record of how that change affected the host. While etckeeper's record is
+limited to /etc, that does cover a large percentage of such changes.
+"""]]

comment
diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment
new file mode 100644
index 00000000..752bbd01
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__/comment_1_008690e4e3828123a2c47a4b1abc413e._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-11-21T14:57:57Z"
+ content="""
+I use both. To be fully described by the propellor configuration, it would
+need to pin the system to a specific version of every package installed on
+it, and that's generally not practical because there are new security
+updates all the time. It's useful to have etckeeper keeping track of
+changes made to configuration during upgrades.
+
+I do find etckeeper generally less useful on those type of systems, but it
+still more than pays for itself.
+"""]]

diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
index b35d49c9..ea605ef4 100644
--- a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
@@ -1 +1,2 @@
 I'm still learning about these two programs.  I haven't use them yet, but I will (at least propellor). It seems to me there exists a bit of functionality overlapping between them: propellor's config file might be enough to describe all your changes you want to /etc for a host..? In this case, etckeeper would appear to be useful just as a "change log".. What's your thoughts on this? Do you use both propellor and etckeeper?
+-- eugen

diff --git a/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
new file mode 100644
index 00000000..b35d49c9
--- /dev/null
+++ b/doc/forum/etckeeper_made_obsolete_by_propellor__63__.mdwn
@@ -0,0 +1 @@
+I'm still learning about these two programs.  I haven't use them yet, but I will (at least propellor). It seems to me there exists a bit of functionality overlapping between them: propellor's config file might be enough to describe all your changes you want to /etc for a host..? In this case, etckeeper would appear to be useful just as a "change log".. What's your thoughts on this? Do you use both propellor and etckeeper?

add news item for propellor 5.10.1
diff --git a/doc/news/version_5.10.1.mdwn b/doc/news/version_5.10.1.mdwn
new file mode 100644
index 00000000..797664be
--- /dev/null
+++ b/doc/news/version_5.10.1.mdwn
@@ -0,0 +1,15 @@
+propellor 5.10.1 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ Joey Hess ]
+   * Localdir.hasOriginUrl: Depend on Git.installed.
+   * Localdir.hasOriginUrl: Type changed from UnixLike to DebianLike
+     because Git.installed is not implemented for other unixes.
+     (API change)
+   * Changed the ChrootBootstrapper type class's buildchroot method
+     to take a Info parameter, instead of Maybe System.
+     (The System can be extracted from the Info.)
+     (API change)
+ * [ Sean Whitton ]
+   * Chroot.{de,}bootstrapped uses the chroot's configured apt proxy and
+     mirror, if these exist, when debootstrapping the chroot.
+   * Rename Sbuild.useHostProxy -&gt; Chroot.useHostProxy. (API change)"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.6.1.mdwn b/doc/news/version_5.6.1.mdwn
deleted file mode 100644
index 739d49f7..00000000
--- a/doc/news/version_5.6.1.mdwn
+++ /dev/null
@@ -1,4 +0,0 @@
-propellor 5.6.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * fix Libvirt.hs haddock build
-     Thanks, Sean Whitton"""]]
\ No newline at end of file

close
diff --git a/doc/todo/Debootstrap_module_should_respect_a_configured_Apt.proxy.mdwn b/doc/todo/Debootstrap_module_should_respect_a_configured_Apt.proxy.mdwn
index 8887f438..fc817415 100644
--- a/doc/todo/Debootstrap_module_should_respect_a_configured_Apt.proxy.mdwn
+++ b/doc/todo/Debootstrap_module_should_respect_a_configured_Apt.proxy.mdwn
@@ -27,3 +27,5 @@ so tried on my own
 to my opinion the schroot config file generated by Sbuild property does something wrong.
 
 Cheers
+
+> [[done]]; I merged patches from spwhitton. --[[Joey]]

comment
diff --git a/doc/forum/Conceptual_:_HostName_vs._Domain/comment_1_6a80853161714e19cdae006ec19097fb._comment b/doc/forum/Conceptual_:_HostName_vs._Domain/comment_1_6a80853161714e19cdae006ec19097fb._comment
new file mode 100644
index 00000000..86c38d79
--- /dev/null
+++ b/doc/forum/Conceptual_:_HostName_vs._Domain/comment_1_6a80853161714e19cdae006ec19097fb._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-11-11T17:26:24Z"
+ content="""
+I think LetsEncrypt's use of Domain is intentional; a certificate is for a
+domain and you can't get one for eg a bare IP address or an unqualified
+hostname.
+
+AFAICS, Domain is a FQDN.
+
+(Propellor.Property.Hostname has to deal with details of /etc/hosts,
+but it does not actually use the Domain type anywhere.)
+
+More generally, it's common for a propellor module to have some
+`type Foo = String` that's only used to make parameters more self-documenting
+and doesn't have any particular meaning beyond whatever string a Property might
+use. One shouldn't worry if two modules have data types that seem to
+overlap in content when that's all they're used for. Of course it's nicer to
+have less stringy data types, via ADTs or smart constructors, when possible.
+"""]]

comment
diff --git a/doc/forum/Setting_altenative___63__/comment_1_cc9f01e46e6cc2940382309cd17b3575._comment b/doc/forum/Setting_altenative___63__/comment_1_cc9f01e46e6cc2940382309cd17b3575._comment
new file mode 100644
index 00000000..741326f6
--- /dev/null
+++ b/doc/forum/Setting_altenative___63__/comment_1_cc9f01e46e6cc2940382309cd17b3575._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-11-11T17:23:24Z"
+ content="""
+There is not. I'd welcome a property submission.
+"""]]

diff --git a/doc/forum/Setting_altenative___63__.mdwn b/doc/forum/Setting_altenative___63__.mdwn
new file mode 100644
index 00000000..b40d1fe0
--- /dev/null
+++ b/doc/forum/Setting_altenative___63__.mdwn
@@ -0,0 +1,7 @@
+Everything is in the title : is there a property to ensure that the 'alternative' is set in a given way ?
+
+I guess the simplest otherwise would be to use a `Cmd` to do it (through usage of `update-alternative`), but I am wondering if there is already a property to do that…
+
+Thanks in advance,
+
+Serge

diff --git a/doc/forum/Conceptual_:_HostName_vs._Domain.mdwn b/doc/forum/Conceptual_:_HostName_vs._Domain.mdwn
new file mode 100644
index 00000000..334c9d82
--- /dev/null
+++ b/doc/forum/Conceptual_:_HostName_vs._Domain.mdwn
@@ -0,0 +1,22 @@
+Hello,
+
+Writing properties, I often hesitate between using types `HostName` or `Domain` for the FQDN of a machine.
+This is not 'very important' since both are "just" `String`, but the type carries semantics and I'd rather keep consistent (helps understanding the code better).
+
+Here are the docs :
+
+http://hackage.haskell.org/package/propellor-5.9.1/docs/Propellor-Types-OS.html#t:HostName
+http://hackage.haskell.org/package/propellor-5.9.1/docs/Propellor-Types-Dns.html#t:Domain
+
+So `HostName` documentation to me looks like really corresponding to a machine's FQDN, but may also be the IP of the machine.
+Conversely `Domain` is not documented (in its module) but it is used in the 'domain part of the FQDN' in some modules; eg. in Propellor/Property/Hostname.hs
+Even clearer is the `Propellor.Property.DNS` module in which I clearly understand the choice of `Domain` vs. `HostName`.
+
+Still it seems to me that sometimes one sees `Domain` where a `HostName` would be expected. One such example is in `LetsEncrypt`
+Maybe I am just to confused by a few places where `Domain` is used while I would (maybe wrongly) expect `HostName` ?
+
+What am I missing ?
+
+Cheers,
+
+Serge.

Added a comment: Using noServices to configure apache before running it...
diff --git a/doc/forum/installing_apt_packages_without_running_new_services/comment_2_b819efe3a4f00f1b9993d5a31e65f2e9._comment b/doc/forum/installing_apt_packages_without_running_new_services/comment_2_b819efe3a4f00f1b9993d5a31e65f2e9._comment
new file mode 100644
index 00000000..467e55cf
--- /dev/null
+++ b/doc/forum/installing_apt_packages_without_running_new_services/comment_2_b819efe3a4f00f1b9993d5a31e65f2e9._comment
@@ -0,0 +1,99 @@
+[[!comment format=mdwn
+ username="serge1cohen"
+ avatar="http://cdn.libravatar.org/avatar/df873622c2eeb5b34222b7af0d47abd0"
+ subject="Using noServices to configure apache before running it..."
+ date="2019-10-31T22:56:56Z"
+ content="""
+Hello there,
+
+I was typically in this situation : starting an apache server on a specific IP (the other IPs of the machine -on port 80- are used by other server processes), in particular to be able to get a certificate from let's encrypt.
+
+When using :
+
+    micro_apache :: Domain -> String -> FilePath -> Property DebianLike
+    micro_apache fqdn ip dr = combineProperties \"Setting a micro apache server running only for interface\" $ props
+    	& Apache.installed
+    	& File.hasContent \"/etc/apache2/ports.conf\" [(\"Listen \" ++ ip ++ \":80\")]
+    	& Apache.siteDisabled \"000-default\"
+    	& Apache.siteEnabled fqdn
+    		[ \"<VirtualHost \" ++ ip ++ \":80>\"
+    		, \"ServerName \" ++ fqdn ++ \":80\"
+    		, \"DocumentRoot \" ++ dr
+    		, \"ErrorLog /var/log/apache2/\" ++ fqdn ++ \"_error.log\"
+    		, \"LogLevel warn\"
+    		, \"CustomLog /var/log/apache2/\" ++ fqdn ++ \"_access.log combined\"
+    		, \"ServerSignature On\"
+    		, \"</VirtualHost>\"
+    		]
+    	& Apache.restarted
+    	& Apache.reloaded
+
+The property is problematic (the initial 'Apache.installed' starts the apache server listening to ALL IPs). 
+But at least at the end it seems that I get a 'running' service :
+
+    root@d4:~# systemctl status apache2.service 
+    ● apache2.service - The Apache HTTP Server
+       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
+       Active: active (running) since Thu 2019-10-31 16:59:41 CET; 17min ago
+
+
+
+To avoid the transient service wrongly configured (it also messes up with the server serving port 80 on another IP) case I tried :
+
+    micro_apache :: Domain -> String -> FilePath -> Property (HasInfo + DebianLike)
+    micro_apache fqdn ip dr = combineProperties \"Setting a micro apache server running only for interface\" $ props
+      	& ( Apache.installed `requires` Service.noServices ) -- => Needs to change type to Property (HasInfo + DebianLike)
+    	& File.hasContent \"/etc/apache2/ports.conf\" [(\"Listen \" ++ ip ++ \":80\")]
+    	& Apache.siteDisabled \"000-default\"
+    	& Apache.siteEnabled fqdn
+    		[ \"<VirtualHost \" ++ ip ++ \":80>\"
+    		, \"ServerName \" ++ fqdn ++ \":80\"
+    		, \"DocumentRoot \" ++ dr
+    		, \"ErrorLog /var/log/apache2/\" ++ fqdn ++ \"_error.log\"
+    		, \"LogLevel warn\"
+    		, \"CustomLog /var/log/apache2/\" ++ fqdn ++ \"_access.log combined\"
+    		, \"ServerSignature On\"
+    		, \"</VirtualHost>\"
+    		]
+      	& ( revert Service.noServices `before` Apache.restarted ) -- => Needs to change type to Property (HasInfo + DebianLike)
+
+But then the configuration leads to having apache in an \"ghost state\", neither started nor stopped :
+
+    root@d4:~# systemctl status apache2
+    ● apache2.service - The Apache HTTP Server
+       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
+       Active: inactive (dead)
+         Docs: https://httpd.apache.org/docs/2.4/
+
+Which leads to an unavailable http service, and as a consequence to a failure in ACME / let's encrypt.
+Indeed it seems that the service is started using the 'old' Service system. The nice thing is that this makes it possible to use the 'noServices' property. The problem is that the systemd module is in a state not working anymore with 'Service'.
+
+Finally I had to mix the 'noServices' property with a couple of 'Systemd' properties so that the server is properly restarted once the configuration is correct. This leads to a bit longer property but at least it works :
+
+    micro_apache :: Domain -> String -> FilePath -> Property (HasInfo + DebianLike)
+    micro_apache fqdn ip dr = combineProperties \"Setting a micro apache server running only for interface\" $ props
+      	& ( Apache.installed `requires` Service.noServices ) -- => Needs to change type to Property (HasInfo + DebianLike)
+    	& Systemd.stopped \"apache2\"  -- 'clean' of the systemd module 
+    	& File.hasContent \"/etc/apache2/ports.conf\" [(\"Listen \" ++ ip ++ \":80\")]
+    	& Apache.siteDisabled \"000-default\"
+    	& Apache.siteEnabled fqdn
+    		[ \"<VirtualHost \" ++ ip ++ \":80>\"
+    		, \"ServerName \" ++ fqdn ++ \":80\"
+    		, \"DocumentRoot \" ++ dr
+    		, \"ErrorLog /var/log/apache2/\" ++ fqdn ++ \"_error.log\"
+    		, \"LogLevel warn\"
+    		, \"CustomLog /var/log/apache2/\" ++ fqdn ++ \"_access.log combined\"
+    		, \"ServerSignature On\"
+    		, \"</VirtualHost>\"
+    		]
+      	& ( revert Service.noServices  -- => Needs to change type to Property (HasInfo + DebianLike)
+    		`before` Systemd.running \"apache2\" ) -- restarting through systemd
+
+With this done, it seems to work.
+
+Notice, however, that if apache was completely avoiding the 'old service' system, then we could not even benefit from the 'noService' in the first place. Would there be another solution to reach the same result ?
+
+Hope this might help
+
+Serge.
+"""]]

comment
diff --git a/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem/comment_1_b1ffea063d9928889df17d9a8f3e8a5d._comment b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem/comment_1_b1ffea063d9928889df17d9a8f3e8a5d._comment
new file mode 100644
index 00000000..935b23b9
--- /dev/null
+++ b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem/comment_1_b1ffea063d9928889df17d9a8f3e8a5d._comment
@@ -0,0 +1,22 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-10-01T14:06:35Z"
+ content="""
+Your NFS server must have root squash enabled then. So any propellor
+properties that try to set the owner will fail (File.ownerGroup).
+
+It's entirely reasonable for properties to need to set the owner of a file.
+Many properties make files owned by a specific user and having them
+squashed to "nobody" would break their purpose.
+
+There's only one property in propellor that currently uses File.isCopyOf,
+and that property is in fact installing a user's configuration file, which
+needs to be owned by that user. So changing that property's behavior is
+out.
+
+So your options are, disable the NFS root squash, or avoid using propellor
+properties that set file ownership. If you wanted to make a variant of
+isCopyOf that didn't preserve permissions, we could perhaps look at adding
+that to propellor.
+"""]]

diff --git a/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn
new file mode 100644
index 00000000..dff1fdc4
--- /dev/null
+++ b/doc/forum/isCopyOf_does_not_work_on_nfs_filesystem.mdwn
@@ -0,0 +1,25 @@
+Hello, I try to copy a vm image to a directory like this
+
+    & "/nfs/share-temp/panbox-rel.img" `File.isCopyOf` panboxName
+
+
+but when I run this, I get this error message
+
+    sixs3.exp.synchrotron-soleil.fr /root/vm/panbox-rel.img owner picca:grp-instrumentation ... done
+    cp: failed to preserve ownership for '/nfs/share-temp/panbox-rel.img.propellor-new~': Operation not permitted
+    ** error: cp failed
+    ** warning: Cannot continue!
+    CallStack (from HasCallStack):
+      error, called at src/Propellor/Message.hs:143:9 in propellor-5.6.0-GGUJL7KihFnDmzjFSP3dov:Propellor.Message
+    sixs3.exp.synchrotron-soleil.fr /nfs/share-temp/panbox-rel.img is copy of /root/vm/panbox-rel.img ... failed
+
+I understand thaht it is not possible to use cp --preserve... on the nfs system.
+
+So is seems that Propellor miss a copyFile whcih is usable also on nfs system :).
+what is the best way to solve this problem.
+
+I can copy the file without the preserve flag.
+
+Cheers
+
+Fred

Problem report regarding unprivileged systemd-nspawn containers
diff --git a/doc/forum/Unprivileged_containers_break_propellor.mdwn b/doc/forum/Unprivileged_containers_break_propellor.mdwn
new file mode 100644
index 00000000..0cb02c9b
--- /dev/null
+++ b/doc/forum/Unprivileged_containers_break_propellor.mdwn
@@ -0,0 +1,53 @@
+When trying to set up an unprivileged nspawn container, e.g., like shown below, propellor breaks, as it bind-mounts the `/usr/local/propellor` directory from the host, which leads to broken UIDs when seen from inside the container. I'm assuming `propellChroot` in `src/Propellor/Property/Chroot.hs` is the code that's responsible. Unfortunately, I'm not very firm in Haskell, so I'm not sure I can solve this in reasonable time, but I'll give it a shot.
+
+
+Example config:
+
+```
+rec0 :: Systemd.Container
+rec0 =  Systemd.debContainer "rec0" $ props
+        & Systemd.containerCfg "--network-veth"
+        & Systemd.containerCfg "-U"
+        & osDebian (Stable "buster") X86_64
+        & Apt.stdSourcesList
+        & Apt.installed ["pdns-recursor"] `requires` Systemd.running Systemd.networkd
+```
+
+This is the relevant output from a spin that includes the above container definition:
+
+```
+rec0 has container configuration --network-veth ... ok
+rec0 has container configuration -U ... ok
+rec0 has Operating System (Debian Linux (Stable "buster")) X86_64 ... ok
+rec0 standard sources.list ... ok
+Failed to connect to bus: Operation not permitted
+rec0 apt removed cron ifupdown rsyslog iptables isc-dhcp-client ... ok
+rec0 apt installed pdns-recursor ... failed
+propy nspawned rec0 ... failed
+propy overall ... failed
+```
+
+I figured out the (likely) cause like this:
+
+```
+$ findmnt /var/lib/container/rec0/usr/local/propellor
+TARGET                                      SOURCE                                     FSTYPE OPTIONS
+/var/lib/container/rec0/usr/local/propellor /dev/mapper/sys-root[/usr/local/propellor] ext4   rw,relatime,errors=remount-ro
+$ ls -l /var/lib/container/rec0/usr/local/propellor/dist/build/propellor-config/
+total 12272
+drwxr-xr-x 2 vu-rec0-0 vg-rec0-0    4096 Sep 24 01:19 autogen
+-rwxr-xr-x 1 root      root      6279024 Sep 24 03:16 propellor-config
+-rwxr-xr-x 1 root      root      6279024 Sep 24 03:16 propellor-config.built
+drwxr-xr-x 2 vu-rec0-0 vg-rec0-0    4096 Sep 24 03:16 propellor-config-tmp
+```
+
+I have `libnss-mymachines` setup, so the high UID/GID allocated by systemd show up with symbolic names. From inside the container, the root-owned files will show up as `nobody`:
+
+```
+# ls -l /usr/local/propellor/dist/build/propellor-config/
+total 12272
+drwxr-xr-x 2 root   root       4096 Sep 24 01:19 autogen
+-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config
+drwxr-xr-x 2 root   root       4096 Sep 24 03:16 propellor-config-tmp
+-rwxr-xr-x 1 nobody nogroup 6279024 Sep 24 03:16 propellor-config.built
+```

chef needs to go away, my little bit to help
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 76d05255..e2d51e68 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -26,7 +26,7 @@ and
 and
 [Docker](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Docker.html), etc.
 
-There is no special language as used in puppet, chef, ansible, etc.. just
+There is no special language as used in puppet, ansible, etc.. just
 the full power of Haskell. Hopefully that power can be put to good use in
 making declarative properties that are powerful, nicely idempotent, and
 easy to adapt to a system's special needs!

Added a comment: Works !
diff --git a/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment
new file mode 100644
index 00000000..ef6658a2
--- /dev/null
+++ b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_2_152c6b9d0ac402c374d9cfaf9ef14904._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="serge1cohen"
+ avatar="http://cdn.libravatar.org/avatar/df873622c2eeb5b34222b7af0d47abd0"
+ subject="Works !"
+ date="2019-09-16T16:50:42Z"
+ content="""
+Hi again,
+
+I have just commuted all HasInfo and Debian (to have HasInfo first) and all works !
+Cool, thanks !
+
+Serge.
+"""]]

response
diff --git a/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_1_6e0f5ebebe81a632dccafb97cfe49e70._comment b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_1_6e0f5ebebe81a632dccafb97cfe49e70._comment
new file mode 100644
index 00000000..04eb0f2b
--- /dev/null
+++ b/doc/forum/Combining_properties_with_HasInfo_and_another_without_HasInfo/comment_1_6e0f5ebebe81a632dccafb97cfe49e70._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2019-09-16T15:07:56Z"
+ content="""
+The problem is that you have "Debian + HasInfo" and the compiler expects
+"HasInfo + Debian". If you swap the order it will compile.
+
+Internally these types are represented as type-level lists, eg
+`[Debian, HasInfo]`. Unfortunately list items are ordered.
+What's needed is a type-level set. Using
+<http://hackage.haskell.org/package/type-level-sets>
+or something like it would avoid the problem, and is planned eventually.
+(But not yet, it [affects compile performance](https://github.com/dorchard/type-level-sets/issues/17)
+and [actually still depends on list ordering](https://github.com/dorchard/type-level-sets/issues/5).)
+
+In the meantime, there's a de-facto standard ordering of the items in a
+Property's metatypes list, and using some other ordering will result
+in this problem. If you let ghc infer the type of a property, the result
+will always use the standard ordering.
+"""]]