Recent changes to this wiki:

Split mailname property out of Hostname.sane
Since bad mailname guesses can lead to ugly surprises. (API change)
Kept it in the Hostname module for easy discoverability, and similar to
Hostname.searchDomain it sets a value based on the hostname so makes sense
to keep it in that module.
Didn't implement the mailname equivalent of Hostname.setTo, because it's
trivial to write the mailname file with a custom value if desired.
This commit was sponsored by John Pellman on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 1da97c15..080884ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-propellor (5.4.2) UNRELEASED; urgency=medium
+propellor (5.5.0) UNRELEASED; urgency=medium
 
   * letsencrypt': Pass --expand to support expanding the list of domains
+  * Split mailname property out of Hostname.sane, since bad mailname
+    guesses can lead to ugly surprises. (API change)
 
  -- Joey Hess <id@joeyh.name>  Thu, 09 Aug 2018 10:54:41 -0400
 
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment
new file mode 100644
index 00000000..f9666ca1
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_6_3c962f6aeff10726ae469ca7f48ab34c._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 6"""
+ date="2018-08-19T17:22:18Z"
+ content="""
+Ok, did that.
+"""]]
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 4b9fb785..05c93346 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -66,6 +66,7 @@ darkstar = host "darkstar.kitenet.net" $ props
 	& osDebian Unstable X86_64
 	& ipv6 "2001:4830:1600:187::2"
 	& Hostname.sane
+	& Hostname.mailname
 	& Apt.serviceInstalledRunning "swapspace"
 	& Laptop.powertopAutoTuneOnBoot
 	& Laptop.trimSSD
@@ -461,6 +462,7 @@ keysafe :: Host
 keysafe = host "keysafe.joeyh.name" $ props
 	& ipv4 "139.59.17.168"
 	& Hostname.sane
+	& Hostname.mailname
 	& osDebian (Stable "stretch") X86_64
 	& Apt.stdSourcesList `onChange` Apt.upgrade
 	& Apt.unattendedUpgrades
@@ -565,6 +567,7 @@ standardSystemUnhardened :: DebianSuite -> Architecture -> Motd -> Property (Has
 standardSystemUnhardened suite arch motd = propertyList "standard system" $ props
 	& osDebian suite arch
 	& Hostname.sane
+	& Hostname.mailname
 	& Hostname.searchDomain
 	& Locale.available "en_US.UTF-8"
 	& File.hasContent "/etc/motd" ("":motd++[""])
diff --git a/propellor.cabal b/propellor.cabal
index 26c05a1d..904a8f64 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
 Name: propellor
-Version: 5.4.1
+Version: 5.5.0
 Cabal-Version: 1.20
 License: BSD2
 Maintainer: Joey Hess <id@joeyh.name>
diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
index 48c19572..839aa14e 100644
--- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs
+++ b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
@@ -13,6 +13,7 @@ import qualified Propellor.Property.User as User
 decruft :: Property DebianLike
 decruft = propertyList "cloudatcost cleanup" $ props
 	& Hostname.sane
+	& Hostname.mailname
 	& grubbugfix
 	& nukecruft
   where
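Review bot: Adding `& Hostname.mailname` to `decruft` keeps the guessed /etc/mailname inside a library property, which is the surprise this commit removes from `Hostname.sane`. Anyone using `decruft` still gets that file written from the hostname without having asked for it. If the line is kept only for backwards compatibility, a comment on it would make that explicit, e.g. `-- kept for compatibility; sets /etc/mailname from the hostname`. The `where` clause of `decruft` continues outside the hunk.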
diff --git a/src/Propellor/Property/Hostname.hs b/src/Propellor/Property/Hostname.hs
index 1eb9d690..0ece92a8 100644
--- a/src/Propellor/Property/Hostname.hs
+++ b/src/Propellor/Property/Hostname.hs
@@ -14,8 +14,6 @@ import Data.List
 -- (However, when used inside a chroot, avoids setting the current hostname
 -- as that would impact the system outside the chroot.)
 --
--- Configures </etc/mailname> with the domain part of the hostname.
---
 -- </etc/hosts> is also configured, with an entry for 127.0.1.1, which is
 -- standard at least on Debian to set the FDQN.
 --
@@ -46,8 +44,6 @@ setTo' extractdomain hn = combineProperties desc $ toProps
 	, check (not <$> inChroot) $
 		cmdProperty "hostname" [basehost]
 			`assume` NoChange
-	, "/etc/mailname" `File.hasContent`
-		[if null domain then hn else domain]
 	]
   where
 	desc = "hostname " ++ hn
@@ -85,6 +81,19 @@ searchDomain' extractdomain = property' desc $ \w ->
 			| "search " `isPrefixOf` l = False
 			| otherwise = True
 
+-- Configures </etc/mailname> with the domain part of the hostname of the
+-- `Host` it's used in.
+mailname :: Property UnixLike
+mailname = mailname' extractDomain
+
+mailname' :: ExtractDomain -> Property UnixLike
+mailname' extractdomain = property' ("mailname set from hostname") $ \w ->
+	ensureProperty w . go =<< asks hostName
+  where
+	go mn = "/etc/mailname" `File.hasContent` [if null mn' then mn else mn']
+	  where
+	 	mn' = extractdomain mn
+
 -- | Function to extract the domain name from a HostName.
 type ExtractDomain = HostName -> String
 
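Review bot: The comment above the new `mailname` starts with plain `--`, so Haddock will not attach it to the property, unlike the `-- |` on `ExtractDomain` just below, and it omits the caveat that motivated the split. I would write `-- | Configures </etc/mailname> with the domain part of the hostname of the 'Host' it's used in.` followed by `-- The domain is guessed and can be wrong (e.g. for "foo.org.uk"); check it before relying on it for mail.`, since the forum thread reports exactly that case and a mail setup broken by the guess. `mailname'` has no comment at all; one line saying it takes the function used to extract the domain would do. On style, the parentheses in `property' ("mailname set from hostname")` are redundant, and the `mn'` line is indented with a tab, a space and a tab.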
diff --git a/src/Propellor/Property/Installer/Target.hs b/src/Propellor/Property/Installer/Target.hs
index 8c865143..c6889dc5 100644
--- a/src/Propellor/Property/Installer/Target.hs
+++ b/src/Propellor/Property/Installer/Target.hs
@@ -24,6 +24,7 @@
 -- > seed ver = host "debian.local" $ props
 -- > 	& osDebian Unstable X86_64
 -- > 	& Hostname.sane
+-- >	& Hostname.mailname
 -- > 	& Apt.stdSourcesList
 -- > 	& Apt.installed ["linux-image-amd64"]
 -- > 	& Grub.installed PC
diff --git a/src/Propellor/Property/OS.hs b/src/Propellor/Property/OS.hs
index c31bef7b..503f303d 100644
--- a/src/Propellor/Property/OS.hs
+++ b/src/Propellor/Property/OS.hs
@@ -58,6 +58,7 @@ import Control.Exception (throw)
 -- >        -- , oldOsRemoved (Confirmed "foo.example.com")
 -- >        ]
 -- > & Hostname.sane
+-- > & Hostname.mailname
 -- > & Apt.installed ["linux-image-amd64"]
 -- > & Apt.installed ["ssh"]
 -- > & User.hasSomePassword "root"

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment
new file mode 100644
index 00000000..776e3fba
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_8_39bead6f61bd8e458bf8eaf992757e62._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 8"
+ date="2018-08-18T14:19:42Z"
+ content="""
+I tested printing out the encoding after changing it to make sure it was UTF-8, and it is, but the privdata is somehow still corrupt. Could the problem have something to do with writing out the privdata instead?
+"""]]

Added a comment
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment
new file mode 100644
index 00000000..0f1ba25c
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_5_b4c1265f881e96d999528d8a433176cc._comment
@@ -0,0 +1,24 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 5"
+ date="2018-08-17T14:36:19Z"
+ content="""
+I worked around the problem in the following way:
+
+    module Propellor.Property.SiteSpecific.SPW.Hostname (sane) where
+
+    import Propellor.Base
+    import qualified Propellor.Property.Hostname as Hostname
+
+    sane :: Property UnixLike
+    sane = Hostname.sane' id
+
+> How about we add a separate mailname property and make Hostname.sane not touch the mailname. mailname could take a Maybe and guess based on the hostname when Nothing is specified.
+
+This seems reasonable.  `Hostname.sane` is often wanted but `Mailname.sane` will be wanted only occasionally, so it makes sense for them to be separate properties.
+
+> Or, the mailname property could only set Info, and Hostname.sane use that info when set and guess when not. But, I suspect that would not have avoided your email-losing misconfiguration from happening in the first place.
+
+This wouldn't be much different from my workaround, indeed.
+"""]]

followup
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment
new file mode 100644
index 00000000..a0fefc17
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_7_959c8da37727c46436c5905bc6fabd88._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 7"""
+ date="2018-08-16T15:37:48Z"
+ content="""
+Since `update` receives the changes to propellor's source code,
+it would have been running the old code at that point. You
+probably need to spin a second time to test your changes to that function.
+"""]]

followup
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment
new file mode 100644
index 00000000..b67a80d8
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_4_2c90ee4cd4fe54299ce9742c28730b9a._comment
@@ -0,0 +1,18 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-08-16T15:23:09Z"
+ content="""
+I notice that the property is certianly wrong for domains such as
+"foo.org.uk". And I don't want to build in the list of exceptions needed to
+properly deal with those.
+
+How about we add a separate mailname property and make Hostname.sane not
+touch the mailname. mailname could take a Maybe and guess based on the
+hostname when Nothing is specified.
+
+Or, the mailname property could only set Info, and Hostname.sane
+use that info when set and guess when not. But, I suspect that would not
+have avoided your email-losing misconfiguration from happening in the first
+place.
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment
new file mode 100644
index 00000000..01748242
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_6_ce746457c2a7654a090885ad960eb983._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 6"
+ date="2018-08-16T15:35:27Z"
+ content="""
+The `hSetEncoding stdin utf8` in `update` doesn't seem to work unfortunately, not sure why not.
+"""]]

response
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment
new file mode 100644
index 00000000..51f25ecc
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_5_f12c57263372437edbcdfe89cd69b95d._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 5"""
+ date="2018-08-16T15:12:58Z"
+ content="""
+Ah, good debugging!
+
+The code that runs on the remote side is Propellor.Spin.update,
+and it uses Propellor.Protocol.req which reads from stdin. So,
+I think that putting `hSetEncoding stdin utf8` in the update function
+may fix it for you.
+
+If so, the real fix will involve making propellor force utf8 on both sides
+of its protocol, because the spin might be run in some other locale too.
+(Or chainging to a binary protocol that doesn't suffer 
+from encoding mismatch problems, if someone is ambitious!)
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment
new file mode 100644
index 00000000..733f7d33
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_4_7f6773e21b9bb62961b0c291d0f8b7d0._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 4"
+ date="2018-08-16T13:12:35Z"
+ content="""
+Err, this patch:
+
+    --- a/src/Propellor/Spin.hs
+    +++ b/src/Propellor/Spin.hs
+    @@ -181,6 +181,8 @@
+     -- running the updateServer
+     update :: Maybe HostName -> IO ()
+     update forhost = do
+    +       hPrint stderr =<< hGetEncoding stdin
+    +       hSetEncoding stdin utf8
+            whenM hasGitRepo $
+                    req NeedRepoUrl repoUrlMarker setRepoUrl
+
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment
new file mode 100644
index 00000000..05b5956b
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_3_c51e4ae44dc6401af54f109f2cb70995._comment
@@ -0,0 +1,23 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 3"
+ date="2018-08-15T19:15:21Z"
+ content="""
+I tried this patch:
+
+```
+--- a/src/Propellor/Spin.hs
++++ b/src/Propellor/Spin.hs
+@@ -181,6 +181,8 @@ getSshTarget target hst
+ -- running the updateServer
+ update :: Maybe HostName -> IO ()
+ update forhost = do
++       hPrint stderr =<< hGetEncoding stdin
++       hSetEncoding stdin utf8
+        whenM hasGitRepo $
+                req NeedRepoUrl repoUrlMarker setRepoUrl
+```
+
+I get `Just ANSI_X3.4-1968` from the remote side but unfortunately the corruption persists.
+"""]]

Added a comment
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment
new file mode 100644
index 00000000..d4d596d8
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_2_2a4f3ddcc92f0cf8be2472d2a45e69cc._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 2"
+ date="2018-08-15T18:53:03Z"
+ content="""
+I get `Just UTF-8` in both cases and the corruption is not fixed. I think the problem may be on the _receiving_ side? On macOS my `$LC_CTYPE` is set to `\"UTF-8\"` which is passed through by SSH but is an invalid locale on Linux. Running `env LC_CTYPE=C.UTF-8 ./propellor --spin blah` fixes the corruption.
+"""]]

response
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment
new file mode 100644
index 00000000..3b047d9d
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS/comment_1_0443c1dc8f7a74864c2a981740992ee4._comment
@@ -0,0 +1,27 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-08-14T21:33:55Z"
+ content="""
+Sounds like a problem with sendPrivData, which writes it to a Handle that's 
+connected to propellor on the host being spun.
+
+Handles have an associated encoding, which comes from the locale settings.
+The char8 TextEncoding sounds like what you describe (code point modulo
+256). hSetEncoding can change it.
+
+Here's a patch you could try that prints out the encoding in use and tries
+to force utf8.
+
+	--- a/src/Propellor/Spin.hs
+	+++ b/src/Propellor/Spin.hs
+	@@ -252,6 +252,8 @@ sendRepoUrl hst toh = sendMarked toh repoUrlMarker =<< geturl
+	
+	 sendPrivData :: HostName -> Handle -> PrivMap -> IO ()
+	 sendPrivData hn toh privdata = void $ actionMessage msg $ do
+	+	hPutStrLn stderr . show =<< hGetEncoding toh
+	+	hSetEncoding toh utf8
+ 		sendMarked toh privDataMarker d
+	 	return True
+	   where
+"""]]

Fix another typo
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
index 2cc827b1..d4df4bac 100644
--- a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -1 +1 @@
-I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.
+I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the privdata on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

Fix typo
diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
index e3e6e0f9..2cc827b1 100644
--- a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -1 +1 @@
-I recently added a binary file as privdata (installed with `File.hasPrivContents`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.
+I recently added a binary file as privdata (installed with `File.hasPrivContent`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

diff --git a/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
new file mode 100644
index 00000000..e3e6e0f9
--- /dev/null
+++ b/doc/forum/Privdata_corrupted_when_spinning_from_macOS.mdwn
@@ -0,0 +1 @@
+I recently added a binary file as privdata (installed with `File.hasPrivContents`). When I `propellor --dump` the property on either Linux or macOS, the contents is correct. Spinning from Linux also works, but spinning from macOS installs a corrupt version of the file. The corruption looks like every valid UTF-8 sequence has been replaced with a single byte which is the lowest byte of the Unicode codepoint encoded by the sequence, so this must have something to do with encodings, but from staring at the source code I can't figure out what. The data from `--dump` is not corrupted which seems especially strange.

fix sequence
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
similarity index 91%
rename from doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
rename to doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
index 24c0efcf..df002711 100644
--- a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_3_d82e10087205a4b2896e4fd07032643d._comment
@@ -1,6 +1,6 @@
 [[!comment format=mdwn
  username="joey"
- subject="""comment 2"""
+ subject="""comment 3"""
  date="2018-08-10T14:56:07Z"
  content="""
 I have probably generalized too much from my own use case then, where

followup
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
new file mode 100644
index 00000000..24c0efcf
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_d82e10087205a4b2896e4fd07032643d._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-08-10T14:56:07Z"
+ content="""
+I have probably generalized too much from my own use case then, where
+I always have foo.example.com as the full hostname, but want mail to be
+sent with example.com as the name.
+"""]]

Added a comment
diff --git a/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment
new file mode 100644
index 00000000..3cdfaeaa
--- /dev/null
+++ b/doc/forum/mailname_set_by_Propellor.Property.Hostname.sane/comment_2_ac8e2bdd7bd16058f46ef8352df09700._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 2"
+ date="2018-08-10T10:36:35Z"
+ content="""
+Could you explain why it's right to not use the full hostname, please?
+
+Careless use of `Hostname.sane` on my part recently broke my mail sending setup.  I discovered that I am relying on /etc/mailname containing the full hostname, but maybe I should not be doing that.
+"""]]

letsencrypt': Pass --expand to support expanding the list of domains
diff --git a/debian/changelog b/debian/changelog
index 171cd8fe..1da97c15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+propellor (5.4.2) UNRELEASED; urgency=medium
+
+  * letsencrypt': Pass --expand to support expanding the list of domains
+
+ -- Joey Hess <id@joeyh.name>  Thu, 09 Aug 2018 10:54:41 -0400
+
 propellor (5.4.1) unstable; urgency=medium
 
   * Modernized and simplified the MetaTypes implementation now that
diff --git a/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment b/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment
new file mode 100644
index 00000000..8aba068a
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_2_2a16c69729cff4262c9a37b264c60ae0._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-08-09T14:55:33Z"
+ content="""
+Ok, patched it in.
+"""]]
diff --git a/src/Propellor/Property/LetsEncrypt.hs b/src/Propellor/Property/LetsEncrypt.hs
index 9e4898dd..99c23715 100644
--- a/src/Propellor/Property/LetsEncrypt.hs
+++ b/src/Propellor/Property/LetsEncrypt.hs
@@ -77,6 +77,9 @@ letsEncrypt' (AgreeTOS memail) domain domains webroot =
 		, "--text"
 		, "--noninteractive"
 		, "--keep-until-expiring"
+		-- The list of domains may be changed, adding more, so
+		-- always request expansion.
+		, "--expand"
 		] ++ map (\d -> "--domain="++d) alldomains
 
 	getstats = mapM statcertfiles alldomains
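Review bot: The comment added above `"--expand"` covers only names being added to the list. Per the certbot man page text quoted in the forum thread, the flag applies when the existing certificate is a strict subset of the requested names, so removing a name from `domains` is presumably not handled and, with `--noninteractive`, may still fail. I would say so in the comment, e.g. `-- --expand only covers added names; dropping a domain is not handled here.` It is also worth recording that a configuration edit now replaces the existing certificate without any prompt. The body of `letsEncrypt'` starts before and continues after this hunk.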

Added a comment
diff --git a/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment b/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment
new file mode 100644
index 00000000..f1af3dca
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_2_a4ca6b57c77651936c7f74f730f832e7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="mithrandi"
+ avatar="http://cdn.libravatar.org/avatar/869963bdf99b541c9f0bbfb04b0320f1"
+ subject="comment 2"
+ date="2018-08-09T13:18:37Z"
+ content="""
+I have now tested this and it works fine.
+"""]]

add news item for propellor 5.4.1
diff --git a/doc/news/version_5.3.3.mdwn b/doc/news/version_5.3.3.mdwn
deleted file mode 100644
index 18f80d5f..00000000
--- a/doc/news/version_5.3.3.mdwn
+++ /dev/null
@@ -1,8 +0,0 @@
-propellor 5.3.3 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Warn again about new upstream version when ~/.propellor was cloned from the
-     Debian git bundle using an older version of propellor that set up an
-     upstream remote.
-   * Avoid crashing if initial fetch from origin fails when spinning a host.
-   * Added Propllor.Property.Openssl module contributed by contributed by
-     Félix Sipma."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.4.1.mdwn b/doc/news/version_5.4.1.mdwn
new file mode 100644
index 00000000..ebb0e261
--- /dev/null
+++ b/doc/news/version_5.4.1.mdwn
@@ -0,0 +1,14 @@
+propellor 5.4.1 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Modernized and simplified the MetaTypes implementation now that
+     compatability with ghc 7 is no longer needed.
+   * Use git verify-commit to verify gpg signatures, rather than the old
+     method of parsing git log output. Needs git 2.0.
+   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
+     and EtcDefault.set properties. Thanks, Sean Whitton
+   * Dns: Support TXT values longer than bind's maximum string length
+     of 255 bytes. Thanks, rsiddharth.
+   * Docker and HostingProvider.CloudAtCost modules are not being
+     maintained, so marked them as such.
+     Seeking a maintainer for the Docker module; I anticipate
+     removing the CloudAtCost module in the next API bump."""]]
\ No newline at end of file

response
diff --git a/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment b/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment
new file mode 100644
index 00000000..fb7354d1
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding/comment_1_1f6b33d757294b69172a9b59b2c0ea4f._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-31T14:25:34Z"
+ content="""
+Makes sense. The man page says:
+
+            --expand              If an existing certificate is a strict subset of the
+                                  requested names, always expand and replace it with the
+                                  additional names. (default: Ask)
+
+Which reads like it will not change behavior in other cases. 
+Still, it would be good for someone to test it before the change is
+made to propellor..
+"""]]

diff --git a/doc/forum/Certbot_cert_expanding.mdwn b/doc/forum/Certbot_cert_expanding.mdwn
index db67cbf3..90be60d6 100644
--- a/doc/forum/Certbot_cert_expanding.mdwn
+++ b/doc/forum/Certbot_cert_expanding.mdwn
@@ -1,14 +1,16 @@
 When adding a name to the list for a `letsEncrypt` property, certbot fails thusly:
 
-Saving debug log to /var/log/letsencrypt/letsencrypt.log
-Plugins selected: Authenticator webroot, Installer None
-Missing command line flag or config entry for this setting:
-You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/fusionapp.com.conf)
+    Saving debug log to /var/log/letsencrypt/letsencrypt.log
+    Plugins selected: Authenticator webroot, Installer None
+    Missing command line flag or config entry for this setting:
+    You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/…)
 
-It contains these names: fusionapp.com, bn.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, bz.fusionapp.com, entropy.fusionapp.com, prod.fusionapp.com
+    It contains these names: …
 
-You requested these names for the new certificate: fusionapp.com, entropy.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, prod.fusionapp.com, bz.fusionapp.com, bn.fusionapp.com, entropy.fusiontest.net.
+    You requested these names for the new certificate: …
 
-Do you want to expand and replace this existing certificate with the new certificate?
+    Do you want to expand and replace this existing certificate with the new certificate?
 
-(You can set this with the --expand flag)
+    (You can set this with the --expand flag)
+
+I think maybe Propellor should always pass --expand? I haven't tested if that works correctly when not changing the names.

diff --git a/doc/forum/Certbot_cert_expanding.mdwn b/doc/forum/Certbot_cert_expanding.mdwn
new file mode 100644
index 00000000..db67cbf3
--- /dev/null
+++ b/doc/forum/Certbot_cert_expanding.mdwn
@@ -0,0 +1,14 @@
+When adding a name to the list for a `letsEncrypt` property, certbot fails thusly:
+
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator webroot, Installer None
+Missing command line flag or config entry for this setting:
+You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/fusionapp.com.conf)
+
+It contains these names: fusionapp.com, bn.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, bz.fusionapp.com, entropy.fusionapp.com, prod.fusionapp.com
+
+You requested these names for the new certificate: fusionapp.com, entropy.fusionapp.com, bz-entropy.fusionapp.com, bz-ext.fusionapp.com, prod.fusionapp.com, bz.fusionapp.com, bn.fusionapp.com, entropy.fusiontest.net.
+
+Do you want to expand and replace this existing certificate with the new certificate?
+
+(You can set this with the --expand flag)

inverted
diff --git a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
index 24ad2c45..f4ff3615 100644
--- a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
+++ b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
@@ -10,9 +10,9 @@ so is `debootstrapTheChrootAndPackIntoQcow2File`,
 so to check if the disk image exists, you'll instead
 want to use the `check` combinator. Something like:
 
-	& check (doesFileExist "/path/to/image.qcow2")
-		debootstrapTheChrootAndPackIntoQcow2File theHost
 	& check (not <$> doesFileExist "/path/to/image.qcow2")
+		debootstrapTheChrootAndPackIntoQcow2File theHost
+	& check (doesFileExist "/path/to/image.qcow2")
 		conducts [theHost] `requires` KVM.booted theHost
 
 Perhaps the redundancy in that can be reduced with a new combinator

response
diff --git a/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
new file mode 100644
index 00000000..24ad2c45
--- /dev/null
+++ b/doc/todo/support_for_libvirt_KVM_VMs/comment_1_c73740e45387fe817280b55bb0e32c12._comment
@@ -0,0 +1,29 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-20T15:54:17Z"
+ content="""
+That seems like a good plan to me, and nice use of the Conductor module.
+
+Of course, `conducts` is a Property, not an IO action and presumably
+so is `debootstrapTheChrootAndPackIntoQcow2File`,
+so to check if the disk image exists, you'll instead
+want to use the `check` combinator. Something like:
+
+	& check (doesFileExist "/path/to/image.qcow2")
+		debootstrapTheChrootAndPackIntoQcow2File theHost
+	& check (not <$> doesFileExist "/path/to/image.qcow2")
+		conducts [theHost] `requires` KVM.booted theHost
+
+Perhaps the redundancy in that can be reduced with a new combinator
+that chooses which action to run.
+
+You may want to also delete the chroot once the disk image is built.
+
+There could also be a minor gotcha with the Conductor module trying to
+conduct the VM before it's gotten set up yet, at worst this would make
+propellor display a warning.
+
+Let me know if you need help with this, 
+although I will next be available on July 30th.
+"""]]

post TODO for feedback
diff --git a/doc/todo/support_for_libvirt_KVM_VMs.mdwn b/doc/todo/support_for_libvirt_KVM_VMs.mdwn
new file mode 100644
index 00000000..529cf721
--- /dev/null
+++ b/doc/todo/support_for_libvirt_KVM_VMs.mdwn
@@ -0,0 +1,27 @@
+I've been thinking about how to add support for libvirt VMs to
+propellor.  TTBOMK setting up the VMs is a matter of creating some
+files in /etc, so that part is straightforward; might not want very
+much abstraction in propellor at all.  The interesting part is
+creating the corresponding disk images.
+
+I first thought that I could just extend propellor's existing support
+for generating disk images by debootstrapping in a chroot and then
+generating an image based on that chroot.  It would just be a matter
+of using `.qcow2` images rather than `.img`.  But the problem with
+this is that once the VM is in use, propellor should not just be
+overwriting the `.qcow2` file.  So something different is needed.
+
+What I have in mind is a conditional property that works something
+like this:
+
+    ifM ( doesFileExist "/path/to/image.qcow2"
+        , debootstrapTheChrootAndPackIntoQcow2File theHost
+        , conducts [theHost] `requires` KVM.booted theHost
+        )
+
+where `theHost :: Host` and either the user's libvirt config or some
+property somewhere ensures it can be SSHed to from localhost.
+
+Does this seem like the right approach?
+
+--spwhitton

two unmaintained modules
diff --git a/debian/changelog b/debian/changelog
index 8d9179e4..659bd8d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,10 @@ propellor (5.4.1) UNRELEASED; urgency=medium
     method of parsing git log output. Needs git 2.0.
   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
     and EtcDefault.set properties. Thanks, Sean Whitton
+  * Docker and HostingProvider.CloudAtCost modules are not being
+    maintained, so marked them as such, including build-time warnings. 
+    Seeking a maintainer for the Docker module; I anticipate
+    removing the CloudAtCost module in the next API bump.
 
  -- Joey Hess <id@joeyh.name>  Fri, 18 May 2018 10:25:05 -0400
 
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
index 6f06f87f..bf75470b 100644
--- a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
@@ -4,8 +4,9 @@
  date="2018-06-13T14:32:43Z"
  content="""
 I can't see any docker-engine package in any version of Debian. Unstable
-still has a docker.io, though testing does not. It looks like perhaps
-docker was not included in the last stable release, though I am not sure.
+still has a docker.io, though testing does not (update: it does now; the
+docker package also recently got updated to a more current version).
+Docker was not included in the last stable release.
 
 I have not used docker in quite some time. I use systemd-nspawn containers
 which are much easier to build and maintain. So, it may make sense to
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment b/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment
new file mode 100644
index 00000000..e0f14b92
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_2_8da1d2a1a6e6569a2197ab867665dad1._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-07-11T16:01:37Z"
+ content="""
+Marked the module as unmaintained. If you would like to take over
+maintanance of it, just send me patches putting your name in the maintainer
+slot etc.
+"""]]
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 0d971b03..7541c78b 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -33,7 +33,6 @@ import qualified Propellor.Property.Systemd as Systemd
 import qualified Propellor.Property.Journald as Journald
 import qualified Propellor.Property.Fail2Ban as Fail2Ban
 import qualified Propellor.Property.Laptop as Laptop
-import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
 import qualified Propellor.Property.HostingProvider.Linode as Linode
 import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
@@ -101,7 +100,6 @@ clam = host "clam.kitenet.net" $ props
 		["Unreliable server. Anything here may be lost at any time!" ]
 	& ipv4 "64.137.164.186"
 
-	& CloudAtCost.decruft
 	& User.hasPassword (User "root")
 	& Ssh.hostKeys hostContext
 		[ (SshDsa, "ssh-dss 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")
diff --git a/src/Propellor/Property/Docker.hs b/src/Propellor/Property/Docker.hs
index 66418253..522aecd9 100644
--- a/src/Propellor/Property/Docker.hs
+++ b/src/Propellor/Property/Docker.hs
@@ -1,11 +1,14 @@
 {-# LANGUAGE FlexibleContexts, TypeSynonymInstances, FlexibleInstances, TypeFamilies #-}
 
--- | Docker support for propellor
+-- | Maintainer: currently unmaintained; your name here!
+--
+-- Docker support for propellor
 --
 -- The existance of a docker container is just another Property of a system,
 -- which propellor can set up. See config.hs for an example.
 
-module Propellor.Property.Docker (
+module Propellor.Property.Docker
+	{-# WARNING "This module does not have a maintainer. It might not work right anymore. If you use it, please consider becoming its maintainer." #-} (
 	-- * Host properties
 	installed,
 	configured,
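Review bot: The WARNING text added on the `module Propellor.Property.Docker` line says only that the module "might not work right anymore", which understates what an unmaintained module means for something that installs and configures a container runtime on managed hosts. Elsewhere on this page a user reports `Docker.installed` already failing on Stretch because `docker.io` has no installation candidate, so the message could state that the module is not tested against current Docker packages and does not track upstream changes. The pragma also fires in every importing module, so a config built with warnings treated as errors would stop compiling; whether any user builds that way is not visible here, but it is worth a line in the Haddock header, e.g. `-- Importing this module produces a build-time warning; it is not tested against current Docker packages.` The same pragma text is added in the CloudAtCost hunk, and the export list continues outside this hunk.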
diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
index 5c4788e2..48c19572 100644
--- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs
+++ b/src/Propellor/Property/HostingProvider/CloudAtCost.hs
@@ -1,4 +1,8 @@
-module Propellor.Property.HostingProvider.CloudAtCost where
+-- | Maintainer: currently unmaintained; your name here!
+
+module Propellor.Property.HostingProvider.CloudAtCost
+	{-# WARNING "This module does not have a maintainer. It might not work right anymore. If you use it, please consider becoming its maintainer." #-}
+	where
 
 import Propellor.Base
 import qualified Propellor.Property.Hostname as Hostname
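Review bot: The pragma on `module Propellor.Property.HostingProvider.CloudAtCost` reuses the Docker wording and invites the reader to become its maintainer, while the changelog entry in this same commit says the module is expected to be removed in the next API bump. Someone who sees only the compiler warning gets no hint of the planned removal and may keep relying on the module. A `DEPRECATED` pragma, or a message that names the removal, would match the stated intent: `{-# DEPRECATED "This module is unmaintained and is planned for removal in the next API bump." #-}`. The Haddock line `-- | Maintainer: currently unmaintained; your name here!` could carry the same sentence.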

response
diff --git a/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
new file mode 100644
index 00000000..ae50a008
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code/comment_1_0ba5dff744eeba857ab7fadfad883b13._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-07-06T20:19:27Z"
+ content="""
+I was going to write something asserting that it's entirely data,
+and not code, though typed data expressed in a programming language.
+
+However, I think it's better to say that this code/data distinction is
+much less a useful distinction that commonly thought, one that things,
+especially in the configuration management space often chafe under (see
+all the turing complete ill-specified languages built on top of what
+started out as some pure data format that are in use by almost every other
+configuration management tool), and that Propellor is an attempt to
+move in a more useful and less ridigly defined direction.
+"""]]

diff --git a/doc/forum/Separation_of_data_and_code.mdwn b/doc/forum/Separation_of_data_and_code.mdwn
new file mode 100644
index 00000000..3a09a237
--- /dev/null
+++ b/doc/forum/Separation_of_data_and_code.mdwn
@@ -0,0 +1,11 @@
+I'm using Fedora for the desktop and CentOS on my server. I have many software packages to install. I store them in shell scripts, with lines like this:
+
+    yum -y install vim-common vim-enhanced gvim vim-X11 # the latter for clipboard support
+
+I'm thinking about some more elaborate way to do that (to put some packages to specific hosts and groups). Propellor seems an interesting tool for that, but when I see an [example configuration file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs), it looks like this is a mixture of data and logic, which is considered [not a very good practice](https://softwareengineering.stackexchange.com/questions/229479/how-did-separation-of-code-and-data-become-a-practice).
+
+I know that Haskell itself is a very declarative language (in the sense it's not imperative), but still I have this feeling of a mixture of code with constants. What do you think of that?
+
+Is there a way to cleanly store names of packages (with comments and some configuration options (e.g. on what hosts they should be used)) in one place and use propellor's logic to install them in another place? 
+
+I understand that the power of propellor is to `do` things apart of just enumerating them, but I think that this separation could be useful.

Dns: Support TXT values longer than bind's maximum string length of 255 bytes. Thanks, rsiddharth.
diff --git a/debian/changelog b/debian/changelog
index 8d9179e4..bad0cad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium
     method of parsing git log output. Needs git 2.0.
   * Added ConfFile.containsShellSetting, ConfFile.lacksShellSetting,
     and EtcDefault.set properties. Thanks, Sean Whitton
+  * Dns: Support TXT values longer than bind's maximum string length
+    of 255 bytes. Thanks, rsiddharth.
 
  -- Joey Hess <id@joeyh.name>  Fri, 18 May 2018 10:25:05 -0400
 
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
new file mode 100644
index 00000000..8809f999
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_3_00f57bb6a54dee0dfbb799babf72a827._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-24T15:21:29Z"
+ content="""
+Looks good to me, merged.
+"""]]

Add s user page.
diff --git a/doc/user/s.mdwn b/doc/user/s.mdwn
new file mode 100644
index 00000000..08ef7bc8
--- /dev/null
+++ b/doc/user/s.mdwn
@@ -0,0 +1,3 @@
+s [propels some computers][1] using propellor.
+
+[1]: https://git.ricketyspace.net/propellor/tree/config.hs

Added a comment
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
new file mode 100644
index 00000000..3fbd389f
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_2_ccd261bdc9615b7490ec0f6824f35e19._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="s@aa9ff9ce06b08acfd2a93ebd342ce6879430fbdd"
+ nickname="s"
+ avatar="http://cdn.libravatar.org/avatar/81bf27f8b35011d1846711fa37a5588f"
+ subject="comment 2"
+ date="2018-06-24T14:58:53Z"
+ content="""
+joeyh, Thanks for the feedback.
+
+I updated the definition of `TXT`'s `rValue` according to your suggestion and removed the `MTXT` record -- [patch][patch].
+
+I would like to get the patch merged into upstream, let me know if I've to refactor it.
+
+[patch]: https://ricketyspace.net/file/0001-update-rValue-of-Dns-TXT-record-type.patch
+"""]]

update link 2
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
index 69a62b59..e6f2b478 100644
--- a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -16,4 +16,4 @@ I'm [currently using this recipe][2] to provision the DKIM TXT record.
 I want to know if there is a better way to do this without having to add the MTXT record type?
 
 [1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
-[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs?id=67f47e5a23e8c7814014ea58f2dbc9f7c58ede3a#n722

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
new file mode 100644
index 00000000..b566f3c5
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_3_14b6968853d30a2054cc675c6005f29f._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 3"""
+ date="2018-06-23T19:13:59Z"
+ content="""
+Well, cabal files can have flags that enable additional dependencies, but
+using them complicates testing the program since you have to try building
+it with different combinations of flags. And deploying propellor with the
+desired flags turned on would be an additional complication.
+
+I feel that additional libraries that depend on propellor and the sql
+library and provide properties is a better approach. The user can easily
+add the dependency to their ~/.propellor/config.cabal, and the necessary
+dependencies will be automatically installed when propellor is deploying
+itself to a new host.
+"""]]

response
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
new file mode 100644
index 00000000..5595af19
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records/comment_1_b97c158ae4e3abb6e4c90a2c91e0c207._comment
@@ -0,0 +1,25 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-23T18:42:32Z"
+ content="""
+It seems that the limit is 255 characters, and this
+limit applies to any string in a bind zone file,
+rather than being a maximim line length. A single line can contain multiple
+such strings, although there's probably a maximum line length somewhere 
+too, so using parens to extend across multiple lines is wise.
+
+The values inside the parens are concacenated together, no newline is added
+to the string that bind builds up from them AFAICS.
+
+So it seems your code is stripping out the newlines from the TXT value.
+Which probably doesn't matter for DKIM public key material,
+and I don't think that bind zone files support multiline strings anyway.
+But a single line could be too long and splitting on newlines would not
+help then.
+
+So, I think the thing to do would be to make `rValue` break TXT
+strings into substrings no longer than 255 characters. Then you don't
+need a new constructor, and long SSHFP etc records could also be handled
+that way.
+"""]]

Added a comment
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
new file mode 100644
index 00000000..74654902
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_2_e18fc448f51478617e5b2b9b05ce4a0f._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Nicolas.Schodet"
+ avatar="http://cdn.libravatar.org/avatar/0d7ec808ec329d04ee9a93c0da3c0089"
+ subject="comment 2"
+ date="2018-06-19T18:56:28Z"
+ content="""
+I am looking for a solution which could be integrated to propellor. Is it possible to include those additional libraries in propellor sources and have them included in the build on demand? I am not very familiar with the haskell build systems.
+
+About generated passwords, a nice solution would be to do it in PrivData.  The user would provide a salt as the private data and it would be combined to context to generate a password.  I can try find how this could be done.
+"""]]

New post - DNS - Support for Multiline TXT records.
diff --git a/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
new file mode 100644
index 00000000..69a62b59
--- /dev/null
+++ b/doc/forum/DNS_-_Support_for_Multiline_TXT_records.mdwn
@@ -0,0 +1,19 @@
+bind9 has a limit on the number of characters in a single line TXT record. I was unable to provision the DKIM TXT record using propellor due to this limit.
+
+I added a new MTXT record type to `Propellor.Types.DNS.Record` ([patch][1]).
+
+MTXT creates a multiline TXT record. It splits the record's text (say
+"long string...\n...xyz") at `'\n'` and creates a TXT record of the
+form:
+
+
+    domain IN      TXT     ( "long string..."
+            "...xyz" )
+
+
+I'm [currently using this recipe][2] to provision the DKIM TXT record.
+
+I want to know if there is a better way to do this without having to add the MTXT record type?
+
+[1]: https://ricketyspace.net/file/0001-add-MTXT-record-type-to-Propellor.Types.DNS.Record.patch
+[2]: https://git.ricketyspace.net/propellor/tree/config.hs#n722

add shortcuts page so !commit works
I think none of the default shortcuts were being used, and I trimmed the
list down
diff --git a/doc/shortcuts.mdwn b/doc/shortcuts.mdwn
new file mode 100644
index 00000000..9c8b7605
--- /dev/null
+++ b/doc/shortcuts.mdwn
@@ -0,0 +1,12 @@
+[[!if test="enabled(shortcut)"
+     then="This wiki has shortcuts **enabled**."
+     else="This wiki has shortcuts **disabled**."]]
+
+This page controls what shortcut links the wiki supports.
+
+* [[!shortcut name=debbug url="http://bugs.debian.org/%S" desc="Debian bug #%s"]]
+* [[!shortcut name=iki url="http://ikiwiki.info/%S/"]]
+* [[!shortcut name=rfc url="https://www.ietf.org/rfc/rfc%s.txt" desc="RFC %s"]]
+* [[!shortcut name=cve url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=%s"]]
+* [[!shortcut name=hackage url="http://hackage.haskell.org/package/%s"]]
+* [[!shortcut name=commit url="http://source.propellor.branchable.com/?p=source.git;a=commitdiff;h=%s"]]

improve docs
diff --git a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
index 7649e95e..4869922e 100644
--- a/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
+++ b/doc/forum/Supported_OS/comment_1_f324bed708305e2667bd00f80544dd90._comment
@@ -1,23 +1,43 @@
 [[!comment format=mdwn
  username="joey"
- subject="""comment 1"""
+ subject="""supported OS's and how to add more"""
  date="2014-12-07T15:58:03Z"
  content="""
-I have heard of propellor being used on OSX. Probably that user wrote their
-own code for OSX specific stuff.
+Propellor supports Debian and its derivatives, as well as FreeBSD and
+ArchLinux. See
+<http://hackage.haskell.org/package/propellor-5.4.0/docs/Propellor-Types-OS.html>
 
-Propellor properites can be parameterized by OS. Currently it has support
-for Debian and some untested support for *buntu. A property can be parameterized
-like this:
+Propellor keeps track of what OS's each property supports, as part of the
+type of the propery. So for example, it has separate properties for Debian
+and for FreeBSD that keep the OS's upgraded using their respective
+package managers:
 
-	foo :: Property
-	foo = property "foo" withOS desc $ \o -> case o of
-	                (Just (System (Debian _) _)) -> ensureProperty fooDebian
-	                (Just (System (Buntish _) _)) -> ensureProperty fooBuntu
+	Apt.upgraded :: Property DebianLike
+	
+	Pkg.upgraded :: Property FreeBSD
 
-The first step for adding a new OS will be to modify <http://hackage.haskell.org/package/propellor/docs/Propellor-Types-OS.html>.
-Compilation will then warn about all OS parameterized properties that
-need to be updated to support your added OS, and it can be taken from there.
+Properties can be combined using `pickOS` to make a property that works
+on multiple OS's:
 
-I'll accept reasonable patches to support other OS's.
+	upgraded :: Property (DebianLike + FreeBSD)
+	upgraded = Apt.upgraded `pickOS` Pkg.upgraded
+
+The `withOS` function lets a single property do different things for
+different OS versions as well as different OS's.
+
+The ArchLinux and FreeBSD ports were done by propellor users,
+and both are good examples of the scope of the changes involved in making
+propellor support a new OS. 
+
+Here are Zihao Wang's commits for ArchLinux support:
+
+* add types for Arch Linux [[!commit 442fa3706de3d7329552c78d314b5a8f653ca65d]]
+* bootstrap propellor using Pacman [[!commit 44f7f7f1c3014586fd574ba1d10a1063204850a7]]
+* add properties for Pacman [[!commit 5b946ea4e32657f64771f3e2ef8bc865afc4c1fc]]
+* add ArchLinux support to specific properties
+  [[!commit 92168164943dcf033682b9f9a26f81beb3c537f4]]
+  [[!commit 0b936d63931baa9cda6b243cf643ad1c71ce5c0b]]
+  [[!commit f95e4fc7dccb9691b8185166c44f83ce884463dc]]
+* fixed type of a property that wrongly claimed to support any Linux but actually
+  only supported DebianLike [[!commit 7781c8098f45481ac03c5ede989614eb8411a6aa]]
 """]]
diff --git a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment b/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
deleted file mode 100644
index 07c12d0b..00000000
--- a/doc/forum/Supported_OS/comment_2_4fcaadea6d57e4bf127fd28720e3ba20._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""comment 2"""
- date="2016-03-08T01:48:35Z"
- content="""
-Propellor just got support for [[FreeBSD]]!
-"""]]
diff --git a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment b/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
deleted file mode 100644
index c03f6cd9..00000000
--- a/doc/forum/Supported_OS/comment_3_f2924708a819b962ba7ed690019601ed._comment
+++ /dev/null
@@ -1,7 +0,0 @@
-[[!comment format=mdwn
- username="joey"
- subject="""Arch too!"""
- date="2017-02-04T21:30:26Z"
- content="""
-Propellor just got support for Arch Linux!
-"""]]

response
diff --git a/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
new file mode 100644
index 00000000..6f06f87f
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__/comment_1_408c060bcec73880502655c333a2ea40._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-13T14:32:43Z"
+ content="""
+I can't see any docker-engine package in any version of Debian. Unstable
+still has a docker.io, though testing does not. It looks like perhaps
+docker was not included in the last stable release, though I am not sure.
+
+I have not used docker in quite some time. I use systemd-nspawn containers
+which are much easier to build and maintain. So, it may make sense to
+either mark the docker module in propellor as unmaintained, or find someone
+else to maintain it.
+"""]]

diff --git a/doc/todo/Outdated_Docker_Package__63__.mdwn b/doc/todo/Outdated_Docker_Package__63__.mdwn
new file mode 100644
index 00000000..9564bbc8
--- /dev/null
+++ b/doc/todo/Outdated_Docker_Package__63__.mdwn
@@ -0,0 +1,9 @@
+G'day Joey.
+
+In [Docker.hs, line 73](https://git.joeyh.name/index.cgi/propellor.git/tree/src/Propellor/Property/Docker.hs?h=5.4.0#n73), docker.io is listed as the package to be installed.
+
+Docker.installed currently fails for me on Stretch with:
+
+    E: Package 'docker.io' has no installation candidate
+
+Unless I'm mistaken, from Stretch this is now replaced by "docker-engine".

response
diff --git a/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
new file mode 100644
index 00000000..5376b576
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server/comment_1_6dc3fa35fb61bd53a5f5c88ea5bdbb45._comment
@@ -0,0 +1,19 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-06-12T14:38:22Z"
+ content="""
+We want to avoid adding heavy dependencies to propellor since that makes
+propellor more expensive to bootstrap and adds a point of failure.
+
+But, it should be easy enough to add dependencies to your own 
+~/.propellor/config.cabal and write your properties using them. It would
+also be fine to have additional libraries of propellor properties extending
+propellor.
+
+As for crypto hashes, it's certianly general enough to consider adding to
+propellor, but it's also striking that propellor has mostly avoided needing
+any hashes (except for some small uses of hashable and one place that
+shells out to sha1). If there's a general purpose property that uses a
+crypto hash, we could talk about adding it.
+"""]]

creating Adding support for a SQL server
diff --git a/doc/forum/Adding_support_for_a_SQL_server.mdwn b/doc/forum/Adding_support_for_a_SQL_server.mdwn
new file mode 100644
index 00000000..00ec42ad
--- /dev/null
+++ b/doc/forum/Adding_support_for_a_SQL_server.mdwn
@@ -0,0 +1,17 @@
+Hello,
+
+I would like to add support for MySQL/MariaDB and I have some questions about it.
+
+I suppose the nicest way to do it would be to use some haskell binding and to
+connect directly to the server from propellor.  However, this would add a
+dependency to build it.  Is it acceptable?
+
+Another solution is to use a command line client and parse its output, but the
+SQL syntax is so strange that I fear this will be painful.
+
+Another question is about password generation as I will need many passwords, I
+would like to generate them using a crypto hash of a secret combined with a
+public part in the propellor config.  Do you have a suggestion to compute this
+hash?  I think a dependency on a hash library is easier to accept.
+
+Thanks.

add news item for propellor 5.4.0
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
deleted file mode 100644
index cd16116e..00000000
--- a/doc/news/version_5.3.2.mdwn
+++ /dev/null
@@ -1,10 +0,0 @@
-propellor 5.3.2 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Added Propellor.Property.Atomic, which can make a non-atomic property
-     that operates on a directory into an atomic property.
-     (Inspired by Vaibhav Sagar's talk on Functional Devops in a
-     Dysfunctional World at LCA 2018.)
-   * Added Git.pulled.
-   * Systemd.machined: Install systemd-container on Debian
-     stretch.
-     Thanks, Sean Whitton"""]]
\ No newline at end of file
diff --git a/doc/news/version_5.4.0.mdwn b/doc/news/version_5.4.0.mdwn
new file mode 100644
index 00000000..e63f8c6c
--- /dev/null
+++ b/doc/news/version_5.4.0.mdwn
@@ -0,0 +1,13 @@
+propellor 5.4.0 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ Sean Whitton ]
+   * Apt.installedBackport replaced with Apt.backportInstalled.  (API change)
+     The old property would install dependencies from backports even when
+     the versions in stable satisfy the requested backport's dependencies.
+     The new property installs only the listed packages from backports;
+     all other dependencies come from stable.
+     So in some cases, you may need to list additional backports to install,
+     that would not have needed to be listed before. Due to this behavior
+     change the property has been renamed so uses of it will be checked.
+   * Restic.installed: stop trying to install a backport on jessie, because no
+     such backport exists."""]]
\ No newline at end of file

add missing close paren
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 69b34e2d..88726a6d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG))

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index c1550d23..69b34e2d 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG)

add news item for propellor 5.3.6
diff --git a/doc/news/version_5.3.1.mdwn b/doc/news/version_5.3.1.mdwn
deleted file mode 100644
index 4f660270..00000000
--- a/doc/news/version_5.3.1.mdwn
+++ /dev/null
@@ -1,5 +0,0 @@
-propellor 5.3.1 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-   * Last release mistakenly contained my personal branch not master.
-   * contrib/post-merge-hook documentation updated to recommend also using
-     it as a post-checkout hook, to avoid such problems."""]]
\ No newline at end of file
diff --git a/doc/news/version_5.3.6.mdwn b/doc/news/version_5.3.6.mdwn
new file mode 100644
index 00000000..7a7a417e
--- /dev/null
+++ b/doc/news/version_5.3.6.mdwn
@@ -0,0 +1,13 @@
+propellor 5.3.6 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Fix build with ghc 8.4, which broke due to the Semigroup Monoid change.
+   * Dropped support for building propellor with ghc 7 (as in debian
+     oldstable), to avoid needing to depend on the semigroups transitional
+     package, but also because it's just too old to be worth supporting.
+   * stack.yaml: Updated to lts-9.21.
+   * Make Schroot.overlaysInTmpfs revertable
+     Thanks, Sean Whitton
+   * Update shim each time propellor is run in a container, to deal with
+     library version changes.
+   * Unbound: Added support for various DNS record types.
+     Thanks, Félix Sipma."""]]
\ No newline at end of file

fix link
diff --git a/doc/README.mdwn b/doc/README.mdwn
index df1b8ada..c1550d23 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[try this|http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])
+[try this](http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])

markdown
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
index 76c11464..ef3f4dad 100644
--- a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -6,8 +6,8 @@
 I don't think you need to use a different name for your config file, unless
 it somehow makes things easier for you.
 
-It's fine to use Utility.* like that, but do note that there's no guaranteed 
+It's fine to use `Utility.*` like that, but do note that there's no guaranteed 
 API stability for those. OTOH, if you might later contribute some
-properties built using Utility.* back to propellor, it certianly makes
+properties built using `Utility.*` back to propellor, it certianly makes
 sense to use those.
 """]]

comment
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
new file mode 100644
index 00000000..b4b924ac
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config/comment_1_5039acea906faba7a0b33094028a475f._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-05-03T16:46:45Z"
+ content="""
+Agreed on all points, also there are some 
+`File.containsLine` properties for /etc/default files elsewhere that
+don't necessarily work correctly if a later line changes the value,
+that could be converted to use this new property.
+
+Your name ideas sound fine to me.
+"""]]

remove badly placed and redundant comment
diff --git a/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
new file mode 100644
index 00000000..76c11464
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_4_916f29264dbb8060ce4c1cd559aa028f._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2018-05-03T16:30:15Z"
+ content="""
+I don't think you need to use a different name for your config file, unless
+it somehow makes things easier for you.
+
+It's fine to use Utility.* like that, but do note that there's no guaranteed 
+API stability for those. OTOH, if you might later contribute some
+properties built using Utility.* back to propellor, it certianly makes
+sense to use those.
+"""]]

Added a comment
diff --git a/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
new file mode 100644
index 00000000..c861f1cc
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_3_a4774959fd93039d49196e7cff232089._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 3"
+ date="2018-05-01T07:07:54Z"
+ content="""
+* Do you think that I should use a dedicated config-soleil.hs file instead of the config.hs file ?
+
+* I use the combinesModes in order to set the right mode.
+
+    +rra :: Property UnixLike
+    +rra = fetch `onChange` execmode
+    +    where
+    +      fetch :: Property UnixLike
+    +      fetch = property \"install rra scripts\"
+    +              (liftIO $ toResult <$> download \"https://archives.eyrie.org/software/devel/backport\" \"/usr/local/bin/backport\")
+    +
+    +      execmode :: Property UnixLike
+    +      execmode = File.mode \"/usr/local/bin/backport\" (combineModes (ownerWriteMode:readModes ++ executeModes))
+
+"""]]

notes on failed attempt to migrate
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 347ea9e5..c3641385 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -7,3 +7,23 @@ Waiting on concurrent-output reaching Debian stable.
 > supporting the current oldstable, I believe.. --[[Joey]]
 
 [[!tag user/joey]]
+
+> This was attempted again in 2018 and had to be reverted
+> in [[!commit b6ac64737b59e74d4aa2d889690e8fab3772d2c6]].
+> 
+> The strange output I was seeing is the first line 
+> of "apt-cache policy apache2" (but not subsequent lines)
+> and the ssh-keygen command run by `genSSHFP'`
+
+> Propellor also misbehaved in some other ways likely due to not seeing
+> the command output it expected. In particular Git.cloned must have
+> failed to see an origin url in git config output, because it nuked and
+> re-cloned a git repo (losing data).
+> 
+> So, it seems that readProcess was somehow leaking output to the console
+> and also likely not providing it to the caller. 
+> 
+> The affected system had libghc-concurrent-output-dev 1.10.5-1 installed
+> from debian. That is a somewhat old version and perhaps it was buggy?
+> However, I have not had any luck reproducing the problem there running
+> readProcess in ghci. --[[Joey]]

Added a comment
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
new file mode 100644
index 00000000..43e83fb7
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_2_be534b87de24660fb8565c2916ddefb5._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="jsza"
+ avatar="http://cdn.libravatar.org/avatar/72c6bc8c0cdfb0fff175e90c3b036415"
+ subject="comment 2"
+ date="2018-04-30T14:27:19Z"
+ content="""
+Nice, thank you! Can confirm that it's now working for me.
+
+I'd also just like to say that using Propellor to manage our eleven or so TF2 game servers has been an absolute pleasure and a time saver.
+
+Thanks for all the work you've put into making Propellor so awesome.
+"""]]

responses
diff --git a/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
new file mode 100644
index 00000000..03121a74
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack/comment_1_bf0296c4293a52b4533a9465795366e4._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-30T13:23:47Z"
+ content="""
+Think I've fixed this now.
+"""]]
diff --git a/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
new file mode 100644
index 00000000..6edd05d7
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_2_32d521dad51ada52e98c9540ab97add6._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2018-04-30T13:24:30Z"
+ content="""
+Seems this must be caused by [[!commit d8d2faece72eabd18c2ff303e5fb63c3a69961f6]]
+
+And I guess you've modified the config.hs in propellor
+for your own systems?
+
+You will indeed need to add dependencies to the cabal stanza for
+propellor-config.
+
+I think that you may be able to add Other-Modules: Utility.FileMode
+to the cabal stanza for propellor-config and get access to the unexported
+module that way. Not 100% sure.
+
+I'm curious: Is there part of propellor's published modules that made you
+need something from Utility.FileMode to use it, or were you writing your
+own property and happened to use something from Utility.FileMode?
+"""]]

Revert "Added dependency on concurrent-output; removed embedded copy."
This reverts commit 02eca2ae4cf51d8e83d94d8359e15ac053451109.
This seems to have broken propellor badly, in testing I'm seeing it
crash at the end of a run with "thread blocked indefinitely in an STM
transaction" and also during the run it printed out some odd output
like:
apache2:
apache2:
dummy IN SSHFP 4 1 35df80973f5877e4041f1b70947385eb2f6a0822
dummy IN SSHFP 4 2 3a0bb426e76eebc5c56e3b0f1428aa9d18539e9621bf8f9e3b7f56a4e7d81c85
Which seems like it might be output of commands that
propellor is supposed to be reading?
Seems likely that there's a bug or two that have crept
into the concurrent-output library since the version embedded in
propellor.
diff --git a/debian/changelog b/debian/changelog
index 42871285..9308a7bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,7 +4,6 @@ propellor (5.3.6) UNRELEASED; urgency=medium
   * Dropped support for building propellor with ghc 7 (as in debian
     oldstable), to avoid needing to depend on the semigroups transitional
     package, but also because it's just too old to be worth supporting.
-  * Added dependency on concurrent-output; removed embedded copy.
   * stack.yaml: Updated to lts-9.21.
 
  -- Joey Hess <id@joeyh.name>  Mon, 23 Apr 2018 13:12:25 -0400
diff --git a/debian/control b/debian/control
index 77bd7eae..5a041c90 100644
--- a/debian/control
+++ b/debian/control
@@ -6,17 +6,19 @@ Build-Depends:
 	git,
 	ghc (>= 7.6),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
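Review bot: The `ghc (>= 7.6)` bound kept in Build-Depends no longer matches the rest of the package: the changelog entry for this release says ghc 7 support was dropped and propellor.cabal requires `base >= 4.9`, so a ghc 7.x that satisfies this field could not build it. The Depends field in the next hunk has the same stale bound as `ghc (>= 7.4)`, and the later debian/control hunks on this page carry both lines unchanged. Raising both to the first ghc series that ships base 4.9, `ghc (>= 8.0)`, would make the package metadata agree with the cabal file. Separately, the `Vcs-Git` context line points at a `git://` URL, which is an unauthenticated transport; an `https://` URL would be preferable if the host serves one.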
@@ -28,17 +30,19 @@ Section: admin
 Depends: ${misc:Depends}, ${shlibs:Depends},
 	ghc (>= 7.4),
 	cabal-install,
-	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-concurrent-output-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-hashable-dev,
+	libghc-split-dev,
 	libghc-hslogger-dev,
+	libghc-unix-compat-dev,
+	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-mtl-dev,
 	libghc-network-dev,
-	libghc-split-dev,
-	libghc-unix-compat-dev,
+	libghc-mtl-dev,
+	libghc-transformers-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-stm-dev,
+	libghc-text-dev,
+	libghc-hashable-dev,
 	git,
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index ddf074f9..347ea9e5 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -5,9 +5,5 @@ Waiting on concurrent-output reaching Debian stable.
 
 > Well, it's in stable now. Not in oldstable yet, and propellor is still
 > supporting the current oldstable, I believe.. --[[Joey]]
-> >
-> > not anymore; dropping it now.
-
-[[done]]
 
 [[!tag user/joey]]
diff --git a/propellor.cabal b/propellor.cabal
index cf9fe7ce..a5b8c8a3 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -42,31 +42,14 @@ Library
     GHC-Options: -fno-warn-redundant-constraints
   Default-Extensions: TypeOperators
   Hs-Source-Dirs: src
-  -- propellor needs to support the ghc shipped in Debian stable,
-  -- and also only depends on packages in Debian stable.
-  -- 
-  -- When updating dependencies here, also update the lists in
-  -- Propellor.Bootstrap
   Build-Depends:
-    ansi-terminal,
-    async,
+    -- propellor needs to support the ghc shipped in Debian stable,
+    -- and also only depends on packages in Debian stable.
     base >= 4.9, base < 5,
-    bytestring,
-    concurrent-output,
-    containers (>= 0.5),
-    directory,
-    exceptions (>= 0.6),
-    filepath,
-    hashable,
-    hslogger,
-    IfElse,
-    mtl,
-    network,
-    process,
-    split,
-    time,
-    unix,
-    unix-compat
+    directory, filepath, IfElse, process, bytestring, hslogger, split,
+    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
+    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
+
   Exposed-Modules:
     Propellor
     Propellor.Base
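Review bot: The comment left on `Build-Depends` no longer tells a maintainer that the same dependency list is duplicated elsewhere. The revert drops `-- When updating dependencies here, also update the lists in Propellor.Bootstrap`, even though this same commit has to edit debian/control and src/Propellor/Bootstrap.hs in step with the cabal file. I would keep the reminder and extend it: `-- When updating dependencies here, also update debian/control and the lists in Propellor.Bootstrap`. Keeping the sorted, one-package-per-line layout would also make drift between the three lists easier to spot in review. The Library stanza starts and ends outside the hunk.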
@@ -240,6 +223,9 @@ Library
     Utility.Tmp
     Utility.Tuple
     Utility.UserInfo
+    System.Console.Concurrent
+    System.Console.Concurrent.Internal
+    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index a8713535..04f23f85 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -138,17 +138,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		-- Below are the same deps listed in debian/control.
 		, "ghc"
 		, "cabal-install"
-		, "libghc-ansi-terminal-dev"
 		, "libghc-async-dev"
-		, "libghc-concurrent-output-dev"
-		, "libghc-exceptions-dev"
-		, "libghc-hashable-dev"
+		, "libghc-split-dev"
 		, "libghc-hslogger-dev"
+		, "libghc-unix-compat-dev"
+		, "libghc-ansi-terminal-dev"
 		, "libghc-ifelse-dev"
-		, "libghc-mtl-dev"
 		, "libghc-network-dev"
-		, "libghc-split-dev"
-		, "libghc-unix-compat-dev"
+		, "libghc-mtl-dev"
+		, "libghc-transformers-dev"
+		, "libghc-exceptions-dev"
+		, "libghc-stm-dev"
+		, "libghc-text-dev"
+		, "libghc-hashable-dev"
 		]
 	debdeps Stack =
 		[ "gnupg"
@@ -159,16 +161,19 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "hs-cabal-install"
-		, "hs-ansi-terminal"
 		, "hs-async"
-		, "hs-exceptions"
-		, "hs-hashable"
+		, "hs-split"
 		, "hs-hslogger"
+		, "hs-unix-compat"
+		, "hs-ansi-terminal"
 		, "hs-IfElse"
-		, "hs-mtl"
 		, "hs-network"
-		, "hs-split"
-		, "hs-unix-compat"
+		, "hs-mtl"
+		, "hs-transformers-base"
+		, "hs-exceptions"
+		, "hs-stm"
+		, "hs-text"
+		, "hs-hashable"
 		]
 	fbsddeps Stack =
 		[ "gnupg"
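Review bot: `"hs-transformers-base"` in what looks like the FreeBSD list (it is followed by `fbsddeps Stack`) does not correspond to the `transformers` dependency that propellor.cabal regains in this commit. transformers-base is a separate package on Hackage, while the Debian list in the previous hunk uses `"libghc-transformers-dev"`. If a port for transformers itself is needed, the entry should name it (port name not checked); if ghc already provides transformers, the entry can be dropped. A wrong name here will not stop the bootstrap, because the hunk header shows depsCommand ending its shell command in `|| true`, so the mistake would only surface later as a failed build. The enclosing function starts and ends outside the hunk.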
@@ -179,17 +184,20 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "cabal-install"
-		, "haskell-hackage-security"
-		, "haskell-ansi-terminal"
 		, "haskell-async"

(Diff truncated)
signature
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
index 6a97f8fb..16c791cd 100644
--- a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -13,3 +13,5 @@ Notes:
 * The use of a tuple for the last two parameters ensures that the property can be used infix.
 
 * I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.
+
+--spwhitton

we should factor out code in Grub.configured
diff --git a/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
new file mode 100644
index 00000000..6a97f8fb
--- /dev/null
+++ b/doc/todo/factor_out_Grub.configured_for_any___47__etc__47__default_config.mdwn
@@ -0,0 +1,15 @@
+It would be useful to have a property to set key value pairs in /etc/default configs.  The code is in Grub.configured.  I have not written a patch yet because I am not sure what the module should be called.  Possibilities are:
+
+    & EtcDefault.set "anacron" "ANACRON_RUN_ON_BATTERY_POWER" "no"
+
+or maybe
+
+    & ConfFile.hasShellSetting "/etc/default/anacron" ("ANACRON_RUN_ON_BATTERY_POWER", "no")
+
+Or possibly both of these, with the former implemented in terms of the latter.
+
+Notes:
+
+* The use of a tuple for the last two parameters ensures that the property can be used infix.
+
+* I think this property should deduplicate the config key after setting it.  I.e. after uncommenting and modifying ANACRON_RUN_ON_BATTERY_POWER it should remove any further ANACRON_RUN_ON_BATTERY_POWER settings further down the config.  This allows a seamless transition from just using File.containsLine to add to the end of the file.

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment
new file mode 100644
index 00000000..70e31058
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_15_35822590f6eeab15f6d1b25ac2bcbba7._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 15"
+ date="2018-04-29T16:06:12Z"
+ content="""
+Hello,
+
+--allow-unrelated-history is your friend :)
+"""]]

Added a comment
diff --git a/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment b/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment
new file mode 100644
index 00000000..e06e4683
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors/comment_1_13d5f4cc224ad25ab3f1c78061ff4423._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 1"
+ date="2018-04-29T16:05:18Z"
+ content="""
+I solved my problem by creating a SiteSpecific module directly in the library part of Propellor
+"""]]

diff --git a/doc/forum/5.3.5_import_errors.mdwn b/doc/forum/5.3.5_import_errors.mdwn
new file mode 100644
index 00000000..f69934f2
--- /dev/null
+++ b/doc/forum/5.3.5_import_errors.mdwn
@@ -0,0 +1,35 @@
+Hello, with the new 5.3.5 version,I have these errors now.
+
+At least for the two first I know that I need to add the dependencies to the executable.
+but for the last one, I do not know how to proceed properly.
+
+Cheers
+
+
+    Building executable 'propellor-config' for propellor-5.3.5..
+    [1 of 1] Compiling Main             ( executables/propellor-config.hs, dist/build/propellor-config/propellor-config-tmp/Main.o )
+
+    executables/propellor-config.hs:14:1-25: error:
+        Could not find module ‘System.Posix.Files’
+        Perhaps you meant System.Posix.Types (from base-4.10.1.0)
+        Use -v to see a list of the files searched for.
+       |
+    14 | import System.Posix.Files
+       | ^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    executables/propellor-config.hs:15:1-66: error:
+        Could not find module ‘System.FilePath.Posix’
+        Use -v to see a list of the files searched for.
+       |
+    15 | import System.FilePath.Posix ((</>), dropExtension, takeDirectory)
+       | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+    executables/propellor-config.hs:28:1-23: error:
+        Could not find module ‘Utility.FileMode’
+        it is a hidden module in the package ‘propellor-5.3.5’
+        Use -v to see a list of the files searched for.
+       |
+    28 | import Utility.FileMode
+       | ^^^^^^^^^^^^^^^^^^^^^^^
+
+    HsCompilation exited abnormally with code 1 at Sun Apr 29 09:35:08

diff --git a/doc/forum/5.3.5_errors_building_with_Stack.mdwn b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
index e612579d..bdda6bca 100644
--- a/doc/forum/5.3.5_errors_building_with_Stack.mdwn
+++ b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
@@ -1,6 +1,6 @@
 I'm able to reproduce the following with a freshly cloned Propellor:
 
->    stack build
+    > stack build
     propellor-5.3.5: build (lib + exe)
     Preprocessing library propellor-5.3.5...
     [ 43 of 171] Compiling Propellor.Types  ( src/Propellor/Types.hs, .stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0/build/Propellor/Types.o )

diff --git a/doc/forum/5.3.5_errors_building_with_Stack.mdwn b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
new file mode 100644
index 00000000..e612579d
--- /dev/null
+++ b/doc/forum/5.3.5_errors_building_with_Stack.mdwn
@@ -0,0 +1,38 @@
+I'm able to reproduce the following with a freshly cloned Propellor:
+
+>    stack build
+    propellor-5.3.5: build (lib + exe)
+    Preprocessing library propellor-5.3.5...
+    [ 43 of 171] Compiling Propellor.Types  ( src/Propellor/Types.hs, .stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0/build/Propellor/Types.o )
+
+    /home/jayess/code/propellor/src/Propellor/Types.hs:251:37: error:
+        • Could not deduce (Monoid (Property setupmetatypes))
+            arising from a use of ‘<>’
+          from the context: (Sem.Semigroup (Property setupmetatypes),
+                             Sem.Semigroup (Property undometatypes))
+            bound by the instance declaration
+            at src/Propellor/Types.hs:(245,9)-(248,74)
+        • In the first argument of ‘RevertableProperty’, namely
+            ‘(s1 <> s2)’
+          In the expression: RevertableProperty (s1 <> s2) (u2 <> u1)
+          In an equation for ‘<>’:
+              (RevertableProperty s1 u1) <> (RevertableProperty s2 u2)
+                = RevertableProperty (s1 <> s2) (u2 <> u1)
+
+    /home/jayess/code/propellor/src/Propellor/Types.hs:251:48: error:
+        • Could not deduce (Monoid (Property undometatypes))
+            arising from a use of ‘<>’
+          from the context: (Sem.Semigroup (Property setupmetatypes),
+                             Sem.Semigroup (Property undometatypes))
+            bound by the instance declaration
+            at src/Propellor/Types.hs:(245,9)-(248,74)
+        • In the second argument of ‘RevertableProperty’, namely
+            ‘(u2 <> u1)’
+          In the expression: RevertableProperty (s1 <> s2) (u2 <> u1)
+          In an equation for ‘<>’:
+              (RevertableProperty s1 u1) <> (RevertableProperty s2 u2)
+                = RevertableProperty (s1 <> s2) (u2 <> u1)
+
+    --  While building package propellor-5.3.5 using:
+          /home/jayess/.stack/setup-exe-cache/x86_64-linux-nopie/Cabal-simple_mPHDZzAJ_1.24.2.0_ghc-8.0.2 --builddir=.stack-work/dist/x86_64-linux-nopie/Cabal-1.24.2.0 build lib:propellor exe:propellor exe:propellor-config --ghc-options " -ddump-hi -ddump-to-file"
+        Process exited with code: ExitFailure 1

Added dependency on concurrent-output; removed embedded copy.
Removed deps on transformers, text, stm. Updated debian/control and
Propellor.Bootstrap accordingly. Sorted the lists of deps to make it easier
to keep them in sync.
This commit was sponsored by Nick Daly on Patreon.
diff --git a/debian/changelog b/debian/changelog
index cb8ed552..729eed4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ propellor (5.3.6) UNRELEASED; urgency=medium
   * Dropped support for building propellor with ghc 7 (as in debian
     oldstable), to avoid needing to depend on the semigroups transitional
     package, but also because it's just too old to be worth supporting.
+  * Added dependency on concurrent-output; removed embedded copy.
 
  -- Joey Hess <id@joeyh.name>  Mon, 23 Apr 2018 13:12:25 -0400
 
diff --git a/debian/control b/debian/control
index 5a041c90..77bd7eae 100644
--- a/debian/control
+++ b/debian/control
@@ -6,19 +6,17 @@ Build-Depends:
 	git,
 	ghc (>= 7.6),
 	cabal-install,
+	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-split-dev,
+	libghc-concurrent-output-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-hashable-dev,
 	libghc-hslogger-dev,
-	libghc-unix-compat-dev,
-	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-stm-dev,
-	libghc-text-dev,
-	libghc-hashable-dev,
+	libghc-network-dev,
+	libghc-split-dev,
+	libghc-unix-compat-dev,
 Maintainer: Joey Hess <id@joeyh.name>
 Standards-Version: 3.9.8
 Vcs-Git: git://git.joeyh.name/propellor
@@ -30,19 +28,17 @@ Section: admin
 Depends: ${misc:Depends}, ${shlibs:Depends},
 	ghc (>= 7.4),
 	cabal-install,
+	libghc-ansi-terminal-dev,
 	libghc-async-dev,
-	libghc-split-dev,
+	libghc-concurrent-output-dev,
+	libghc-exceptions-dev (>= 0.6),
+	libghc-hashable-dev,
 	libghc-hslogger-dev,
-	libghc-unix-compat-dev,
-	libghc-ansi-terminal-dev,
 	libghc-ifelse-dev,
-	libghc-network-dev,
 	libghc-mtl-dev,
-	libghc-transformers-dev,
-	libghc-exceptions-dev (>= 0.6),
-	libghc-stm-dev,
-	libghc-text-dev,
-	libghc-hashable-dev,
+	libghc-network-dev,
+	libghc-split-dev,
+	libghc-unix-compat-dev,
 	git,
 Description: property-based host configuration management in haskell
  Propellor ensures that the system it's run in satisfies a list of
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index 347ea9e5..ddf074f9 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -5,5 +5,9 @@ Waiting on concurrent-output reaching Debian stable.
 
 > Well, it's in stable now. Not in oldstable yet, and propellor is still
 > supporting the current oldstable, I believe.. --[[Joey]]
+> >
+> > not anymore; dropping it now.
+
+[[done]]
 
 [[!tag user/joey]]
diff --git a/propellor.cabal b/propellor.cabal
index a5b8c8a3..cf9fe7ce 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -42,14 +42,31 @@ Library
     GHC-Options: -fno-warn-redundant-constraints
   Default-Extensions: TypeOperators
   Hs-Source-Dirs: src
+  -- propellor needs to support the ghc shipped in Debian stable,
+  -- and also only depends on packages in Debian stable.
+  -- 
+  -- When updating dependencies here, also update the lists in
+  -- Propellor.Bootstrap
   Build-Depends:
-    -- propellor needs to support the ghc shipped in Debian stable,
-    -- and also only depends on packages in Debian stable.
+    ansi-terminal,
+    async,
     base >= 4.9, base < 5,
-    directory, filepath, IfElse, process, bytestring, hslogger, split,
-    unix, unix-compat, ansi-terminal, containers (>= 0.5), network, async,
-    time, mtl, transformers, exceptions (>= 0.6), stm, text, hashable
-
+    bytestring,
+    concurrent-output,
+    containers (>= 0.5),
+    directory,
+    exceptions (>= 0.6),
+    filepath,
+    hashable,
+    hslogger,
+    IfElse,
+    mtl,
+    network,
+    process,
+    split,
+    time,
+    unix,
+    unix-compat
   Exposed-Modules:
     Propellor
     Propellor.Base
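Review bot: `concurrent-output` is added to `Build-Depends` without any version bound, although the embedded copy it replaces was a fixed snapshot and `containers` and `exceptions` in the same list do carry bounds. After this change, whichever version the distribution or resolver provides is what propellor builds against, presumably including the code that captures command output. I would record the version of the removed copy and constrain the dependency to releases tested against it, for example `concurrent-output (>= <EMBEDDED_VERSION>),`, with a comment saying which versions were exercised. The Library stanza starts and ends outside the hunk.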
@@ -223,9 +240,6 @@ Library
     Utility.Tmp
     Utility.Tuple
     Utility.UserInfo
-    System.Console.Concurrent
-    System.Console.Concurrent.Internal
-    System.Process.Concurrent
     Paths_propellor
 
 Executable propellor-config
diff --git a/src/Propellor/Bootstrap.hs b/src/Propellor/Bootstrap.hs
index 04f23f85..a8713535 100644
--- a/src/Propellor/Bootstrap.hs
+++ b/src/Propellor/Bootstrap.hs
@@ -138,19 +138,17 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		-- Below are the same deps listed in debian/control.
 		, "ghc"
 		, "cabal-install"
+		, "libghc-ansi-terminal-dev"
 		, "libghc-async-dev"
-		, "libghc-split-dev"
+		, "libghc-concurrent-output-dev"
+		, "libghc-exceptions-dev"
+		, "libghc-hashable-dev"
 		, "libghc-hslogger-dev"
-		, "libghc-unix-compat-dev"
-		, "libghc-ansi-terminal-dev"
 		, "libghc-ifelse-dev"
-		, "libghc-network-dev"
 		, "libghc-mtl-dev"
-		, "libghc-transformers-dev"
-		, "libghc-exceptions-dev"
-		, "libghc-stm-dev"
-		, "libghc-text-dev"
-		, "libghc-hashable-dev"
+		, "libghc-network-dev"
+		, "libghc-split-dev"
+		, "libghc-unix-compat-dev"
 		]
 	debdeps Stack =
 		[ "gnupg"
@@ -161,19 +159,16 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "hs-cabal-install"
+		, "hs-ansi-terminal"
 		, "hs-async"
-		, "hs-split"
+		, "hs-exceptions"
+		, "hs-hashable"
 		, "hs-hslogger"
-		, "hs-unix-compat"
-		, "hs-ansi-terminal"
 		, "hs-IfElse"
-		, "hs-network"
 		, "hs-mtl"
-		, "hs-transformers-base"
-		, "hs-exceptions"
-		, "hs-stm"
-		, "hs-text"
-		, "hs-hashable"
+		, "hs-network"
+		, "hs-split"
+		, "hs-unix-compat"
 		]
 	fbsddeps Stack =
 		[ "gnupg"
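Review bot: The `hs-` list in this hunk (apparently the FreeBSD one, since `fbsddeps Stack` follows it) gets no entry for concurrent-output, while the Debian list in the previous hunk gains `"libghc-concurrent-output-dev"` and propellor.cabal now depends on the library. If the ports tree has a package for it, it should be listed here under that name; if it has none, a short comment saying so would show the omission is deliberate. Because the hunk header shows depsCommand ending in `|| true`, a missing or misnamed package is not reported at bootstrap time and would only show up when the build fails. The next hunk is truncated on this page, so its `haskell-` list could not be checked for the same gap; the enclosing function starts and ends outside the hunk.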
@@ -184,20 +179,17 @@ depsCommand bs msys = "( " ++ intercalate " ; " (go bs) ++ ") || true"
 		[ "gnupg"
 		, "ghc"
 		, "cabal-install"
-		, "haskell-async"
-		, "haskell-split"
-		, "haskell-hslogger"

(Diff truncated)
update
diff --git a/doc/todo/depend_on_concurrent-output.mdwn b/doc/todo/depend_on_concurrent-output.mdwn
index cf985166..347ea9e5 100644
--- a/doc/todo/depend_on_concurrent-output.mdwn
+++ b/doc/todo/depend_on_concurrent-output.mdwn
@@ -3,4 +3,7 @@ should be converted to a dependency.
 
 Waiting on concurrent-output reaching Debian stable.
 
+> Well, it's in stable now. Not in oldstable yet, and propellor is still
+> supporting the current oldstable, I believe.. --[[Joey]]
+
 [[!tag user/joey]]

add news item for propellor 5.3.5
diff --git a/doc/news/version_5.3.5.mdwn b/doc/news/version_5.3.5.mdwn
new file mode 100644
index 00000000..a7da0f0c
--- /dev/null
+++ b/doc/news/version_5.3.5.mdwn
@@ -0,0 +1,7 @@
+propellor 5.3.5 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Apt.stdSourcesList now adds stable-updates suite
+     Thanks, Sean Whitton
+   * Significantly increased propellor build speed when your config.hs
+     is in a fork of the propellor repository, by avoiding redundant builds
+     of propellor library."""]]
\ No newline at end of file

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
index 4d750553..f929c3b3 100644
--- a/doc/forum/Problem_with_getting_started.mdwn
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -3,25 +3,29 @@ Hello, I hope this is the right place to ask for help.
 I am new to Haskell and Propellor; just want to give it a try. I have been using ansible but now looking for an alternative.
 
 I did the following steps:
-- install propellor on control machine with: `stack install propellor`
-- `propellor --init`
-- create a minimal config.hs file, which does nothing:
-```
-abc :: Host
-abc = host "abc" $ props
-	& osDebian (Stable "stretch") X86_64
-```
-
-when I run `propellor --spin abc`, it ended with the last following:
-.
-.
-Installed propellor-5.3.4
-Resolving dependencies...
-Configuring config-0...
-Preprocessing executable 'propellor-config' for config-0...
-cabal: can't find source for config in .
-sh: 1: ./propellor: not found
-propellor: user error (ssh <long text>
+
+* install propellor on control machine with: `stack install propellor`
+
+* `propellor --init`
+
+* create a minimal config.hs file, which does nothing:
+
+        abc :: Host
+        abc = host "abc" $ props
+            & osDebian (Stable "stretch") X86_64
+
+
+when I run `propellor --spin abc`, it ended with the following message:
+
+    .
+    .
+    Installed propellor-5.3.4
+    Resolving dependencies...
+    Configuring config-0...
+    Preprocessing executable 'propellor-config' for config-0...
+    cabal: can't find source for config in .
+    sh: 1: ./propellor: not found
+    propellor: user error (ssh <long text>
 
 Can someone give me a hint how to process further?
 

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
index 6c438b6e..4d750553 100644
--- a/doc/forum/Problem_with_getting_started.mdwn
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -5,12 +5,12 @@ I am new to Haskell and Propellor; just want to give it a try. I have been using
 I did the following steps:
 - install propellor on control machine with: `stack install propellor`
 - `propellor --init`
-- create a minimal config.hs file, which does nothing
-
+- create a minimal config.hs file, which does nothing:
+```
 abc :: Host
 abc = host "abc" $ props
 	& osDebian (Stable "stretch") X86_64
-
+```
 
 when I run `propellor --spin abc`, it ended with the last following:
 .

diff --git a/doc/forum/Problem_with_getting_started.mdwn b/doc/forum/Problem_with_getting_started.mdwn
new file mode 100644
index 00000000..6c438b6e
--- /dev/null
+++ b/doc/forum/Problem_with_getting_started.mdwn
@@ -0,0 +1,30 @@
+Hello, I hope this is the right place to ask for help.
+
+I am new to Haskell and Propellor; just want to give it a try. I have been using ansible but now looking for an alternative.
+
+I did the following steps:
+- install propellor on control machine with: `stack install propellor`
+- `propellor --init`
+- create a minimal config.hs file, which does nothing
+
+abc :: Host
+abc = host "abc" $ props
+	& osDebian (Stable "stretch") X86_64
+
+
+when I run `propellor --spin abc`, it ended with the last following:
+.
+.
+Installed propellor-5.3.4
+Resolving dependencies...
+Configuring config-0...
+Preprocessing executable 'propellor-config' for config-0...
+cabal: can't find source for config in .
+sh: 1: ./propellor: not found
+propellor: user error (ssh <long text>
+
+Can someone give me a hint how to process further?
+
+Regards,
+Tony
+

Added a comment
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment
new file mode 100644
index 00000000..ab80fbc6
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_2_db1e5b7fcb324d5beb4429945f026096._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 2"
+ date="2018-04-05T10:41:02Z"
+ content="""
+The same we get from using http://deb.debian.org/debian instead of http://ftp.debian.org/debian : redundancy, avoiding overloading security.debian.org, ...
+"""]]

response
diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
new file mode 100644
index 00000000..b2124dd7
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-03T22:39:14Z"
+ content="""
+Mostly I point people at my [personal propellor config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)
+which is quite big, but demos a lot of propellor's features. And unlike
+an artificial example, it's always tested and working.
+"""]]

fix urls for change from gitweb to cgit
diff --git a/doc/FreeBSD.mdwn b/doc/FreeBSD.mdwn
index 47b9c65b..ca340163 100644
--- a/doc/FreeBSD.mdwn
+++ b/doc/FreeBSD.mdwn
@@ -6,5 +6,5 @@ additional porting to support FreeBSD. Such properties have types like
 `Property DebianLike`. The type checker will detect and reject attempts
 to combine such properties with `Property FreeBSD`.
 
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-freebsd.hs)
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/config-freebsd.hs)
 which configures a FreeBSD system, as well as a Linux one.
diff --git a/doc/index.mdwn b/doc/index.mdwn
index 1e3af9dd..264a6f48 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -4,7 +4,7 @@
 [[Download]]  
 [API documentation](http://hackage.haskell.org/package/propellor)  
 [[Other Documentation|documentation]]
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=joeyconfig.hs)  
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)  
 [[Security]]  
 [[Todo]]  
 [[Forum]]  

Added a comment
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
new file mode 100644
index 00000000..8565ee93
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-04-03T00:20:41Z"
+ content="""
+What would that achieve?
+"""]]

diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
new file mode 100644
index 00000000..a918a402
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
@@ -0,0 +1 @@
+Maybe we could use deb.debian.org/debian-security instead of security.debian.org in Apt properties. What do you think about this?

diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
index b34fbcce..c3260c1c 100644
--- a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
@@ -1,6 +1,3 @@
 Hello,
 
 where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server.
-
-Regards,
-Thanh

diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
new file mode 100644
index 00000000..b34fbcce
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
@@ -0,0 +1,6 @@
+Hello,
+
+where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server.
+
+Regards,
+Thanh

add news item for propellor 5.3.4
diff --git a/doc/news/version_5.3.4.mdwn b/doc/news/version_5.3.4.mdwn
new file mode 100644
index 00000000..09358138
--- /dev/null
+++ b/doc/news/version_5.3.4.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.4 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+     which seems to not work anymore.
+     Thanks, Russell Sim.
+   * Firewall: Reorder iptables parameters that are order
+     dependant to make --to-dest and --to-source work.
+     Thanks, Russell Sim"""]]
\ No newline at end of file

don't use ikiwiki link in readme
diff --git a/doc/README.mdwn b/doc/README.mdwn
index 8bdb6c83..df1b8ada 100644
--- a/doc/README.mdwn
+++ b/doc/README.mdwn
@@ -56,4 +56,4 @@ see [configuration for the Haskell newbie](https://propellor.branchable.com/hask
 7. Write some neat new properties and send patches!
 
 (Want to get your feet wet with propellor before plunging in?
-[[try this|forum/Simple_quickstart_without_git__44___SSH__44___GPG]])
+[try this|http://propellor.branchable.com/forum/Simple_quickstart_without_git__44___SSH__44___GPG])

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
new file mode 100644
index 00000000..c5427cd7
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
@@ -0,0 +1,35 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 14"
+ date="2018-03-04T10:41:01Z"
+ content="""
+Hello, sorry to bother you with this BUT :))
+
+Now I have the right message which explain how to upgrade my .propellor
+(sorry for the french)
+
+    picca@mordor:~$ propellor
+    Fusion automatique de src/Propellor/Property/Systemd.hs
+    Fusion automatique de src/Propellor/Property/SiteSpecific/JoeySites.hs
+    Fusion automatique de src/Propellor/Property/Git.hs
+    Fusion automatique de src/Propellor/Git/VerifiedBranch.hs
+    Fusion automatique de src/Propellor/Git.hs
+    Fusion automatique de src/Propellor/EnsureProperty.hs
+    Fusion automatique de src/Propellor/DotDir.hs
+    Fusion automatique de propellor.cabal
+    Fusion automatique de joeyconfig.hs
+    Fusion automatique de doc/README.mdwn
+    Fusion automatique de debian/changelog
+    ** warning: ** Your ~/.propellor/ is out of date..
+       A newer upstream version is available in /usr/src/propellor/propellor.git
+       To merge it, run: git merge upstream/master
+
+but when I try to do the merge, I get this error message
+
+    picca@mordor:~/.propellor$ LANG=C git merge upstream/master
+    fatal: refusing to merge unrelated histories
+
+How can I help to solve this issue ?
+
+"""]]

Apt.trustsKey: Use apt-key to add key rather than manually driving gpg, which seems to not work anymore.
Thanks, Russell Sim.
diff --git a/debian/changelog b/debian/changelog
index b081d04f..92581607 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.3.4) UNRELEASED; urgency=medium
+
+  * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+    which seems to not work anymore.
+    Thanks, Russell Sim.
+
+ -- Joey Hess <id@joeyh.name>  Thu, 01 Mar 2018 18:25:04 -0400
+
 propellor (5.3.3) unstable; urgency=medium
 
   * Warn again about new upstream version when ~/.propellor was cloned from the
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
new file mode 100644
index 00000000..b1f82b19
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-03-01T22:20:54Z"
+ content="""
+I added trustsKey in 2014, but my current config is not using
+it for anything, so it seems likely it's bitrotted in some way.
+And there's no rationalle documented for why it manually drives gpg.
+
+I've applied your change to use apt-key.
+
+I wonder if the nukeFile of the "gpg dropping" is actually needed
+anymore?
+"""]]
diff --git a/src/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs
index d44b5c38..7275205a 100644
--- a/src/Propellor/Property/Apt.hs
+++ b/src/Propellor/Property/Apt.hs
@@ -447,7 +447,7 @@ trustsKey k = trustsKey' k <!> untrustKey k
 trustsKey' :: AptKey -> Property DebianLike
 trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
 	withHandle StdinHandle createProcessSuccess
-		(proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"]) $ \h -> do
+		(proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
 			hPutStr h (pubkey k)
 			hClose h
 	nukeFile $ f ++ "~" -- gpg dropping
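Review bot: The guard `check (not <$> doesFileExist f)` on the context line above the changed call only tests that the keyring file exists, so once `f` is present a different `pubkey k` under the same key name (a rotated or re-issued key) is never imported. A file left behind by an interrupted import would presumably also be accepted as done. Because this file decides which signing keys apt trusts, the behaviour deserves at least a comment on `trustsKey'`, for example `-- Only checks that the keyring file exists; a changed pubkey is not re-imported.` A stricter variant would compare the stored key with `pubkey k` before skipping. The `where` clause that defines `desc` and `f` lies outside this hunk.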

Added a comment: LUKS desired ;-)
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
new file mode 100644
index 00000000..93248324
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="dominik"
+ avatar="http://cdn.libravatar.org/avatar/41b0caab63708c0b81d8aeda611afad5"
+ subject="LUKS desired ;-)"
+ date="2018-03-01T11:40:27Z"
+ content="""
+I'd love to use LUKS partitions in Propeller.
+
+Thanks Joey.
+
+"""]]

diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
new file mode 100644
index 00000000..3c0853db
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
@@ -0,0 +1,90 @@
+I've been hitting a problem when importing APT keys on a debian stretch VM. I'm using a property like
+
+    mybox :: Host
+    mybox = host "henry1.home" $ props
+      & osDebian (Stable "stretch") X86_64
+      & Apt.stdSourcesList
+      & Apt.unattendedUpgrades
+      & installKubernetes
+
+
+    installKubernetes :: Property DebianLike
+    installKubernetes = Apt.installed ["kubelet", "kubeadm", "kubectl"]
+      `requires` Apt.setSourcesListD ["deb http://apt.kubernetes.io/ kubernetes-xenial main"] "google-cloud"
+      `requires` Apt.trustsKey googleKey
+
+    googleKey :: Apt.AptKey
+    googleKey =
+      Apt.AptKey "google-key" $ unlines
+      [ "-----BEGIN PGP PUBLIC KEY BLOCK-----"
+      , ""
+      , "mQENBFUd6rIBCAD6mhKRHDn3UrCeLDp7U5IE7AhhrOCPpqGF7mfTemZYHf/5Jdjx"
+      , "cOxoSFlK7zwmFr3lVqJ+tJ9L1wd1K6P7RrtaNwCiZyeNPf/Y86AJ5NJwBe0VD0xH"
+      , "TXzPNTqRSByVYtdN94NoltXUYFAAPZYQls0x0nUD1hLMlOlC2HdTPrD1PMCnYq/N"
+      , "uL/Vk8sWrcUt4DIS+0RDQ8tKKe5PSV0+PnmaJvdF5CKawhh0qGTklS2MXTyKFoqj"
+      , "XgYDfY2EodI9ogT/LGr9Lm/+u4OFPvmN9VN6UG+s0DgJjWvpbmuHL/ZIRwMEn/tp"
+      , "uneaLTO7h1dCrXC849PiJ8wSkGzBnuJQUbXnABEBAAG0QEdvb2dsZSBDbG91ZCBQ"
+      , "YWNrYWdlcyBBdXRvbWF0aWMgU2lnbmluZyBLZXkgPGdjLXRlYW1AZ29vZ2xlLmNv"
+      , "bT6JAT4EEwECACgFAlUd6rICGy8FCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B"
+      , "AheAAAoJEDdGwginMXsPcLcIAKi2yNhJMbu4zWQ2tM/rJFovazcY28MF2rDWGOnc"
+      , "9giHXOH0/BoMBcd8rw0lgjmOosBdM2JT0HWZIxC/Gdt7NSRA0WOlJe04u82/o3OH"
+      , "WDgTdm9MS42noSP0mvNzNALBbQnlZHU0kvt3sV1YsnrxljoIuvxKWLLwren/GVsh"
+      , "FLPwONjw3f9Fan6GWxJyn/dkX3OSUGaduzcygw51vksBQiUZLCD2Tlxyr9NvkZYT"
+      , "qiaWW78L6regvATsLc9L/dQUiSMQZIK6NglmHE+cuSaoK0H4ruNKeTiQUw/EGFaL"
+      , "ecay6Qy/s3Hk7K0QLd+gl0hZ1w1VzIeXLo2BRlqnjOYFX4A="
+      , "=HVTm"
+      , "-----END PGP PUBLIC KEY BLOCK-----"
+      ]
+
+
+the import works fine, but the packages fail to install because the key isn't valid, i can list the key
+
+    root@henry1:~# apt-key list | grep -A 6 google-key
+    Warning: apt-key output should not be parsed (stdout is not a terminal)
+    /etc/apt/trusted.gpg.d/google-key.gpg
+    -------------------------------------
+    pub   rsa2048 2015-04-03 [SCEA] [expires: 2018-04-02]
+          D0BC 747F D8CA F711 7500  D6FA 3746 C208 A731 7B0F
+    uid           [ unknown] Google Cloud Packages Automatic Signing Key <gc-team@google.com>
+
+
+but i can't export it. I've tried the gpg command listed in the Apt.trustsKey function and running it locally (on the vm) with a local file doesn't work either.
+
+    root@henry1:~# apt-key export D6FA3746A7317B0F
+    gpg: [don't know]: invalid packet (ctb=00)
+    gpg: WARNING: nothing exported
+    gpg: key export failed: Invalid packet
+
+
+Gpg version info
+
+    root@henry1:~# gpg --version
+    gpg (GnuPG) 2.1.18
+    libgcrypt 1.7.6-beta
+    Copyright (C) 2017 Free Software Foundation, Inc.
+    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+    This is free software: you are free to change and redistribute it.
+    There is NO WARRANTY, to the extent permitted by law.
+    
+    Home: /root/.gnupg
+    Supported algorithms:
+    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
+    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
+            CAMELLIA128, CAMELLIA192, CAMELLIA256
+    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
+    Compression: Uncompressed, ZIP, ZLIB, BZIP2
+
+I ended up changing the Apt.trustsKey command to a version which uses apt-key and everything works now
+
+    trustsKey' :: AptKey -> Property DebianLike
+    trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
+    	withHandle StdinHandle createProcessSuccess
+    		(proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
+    			hPutStr h (pubkey k)
+    			hClose h
+    	nukeFile $ f ++ "~" -- gpg dropping
+      where
+    	desc = "apt trusts key " ++ keyname k
+    	f = aptKeyFile k
+
+Any thoughts as to why this wouldn't be working?  Would it be reasonable to change this command upstream?

add news item for propellor 5.3.3
diff --git a/doc/news/version_5.3.3.mdwn b/doc/news/version_5.3.3.mdwn
new file mode 100644
index 00000000..18f80d5f
--- /dev/null
+++ b/doc/news/version_5.3.3.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.3 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Warn again about new upstream version when ~/.propellor was cloned from the
+     Debian git bundle using an older version of propellor that set up an
+     upstream remote.
+   * Avoid crashing if initial fetch from origin fails when spinning a host.
+   * Added Propllor.Property.Openssl module contributed by contributed by
+     Félix Sipma."""]]
\ No newline at end of file

Added a comment
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
new file mode 100644
index 00000000..5cb2fc0b
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 2"
+ date="2018-02-23T13:16:09Z"
+ content="""
+I don't want my central repo to be accessible to anyone, but I still want to push there and use it for some of my hosts. Anyway, your fix works great, thanks!
+"""]]

Avoid crashing if initial fetch from origin fails when spinning a host.
diff --git a/debian/changelog b/debian/changelog
index 55ca5a93..bc7a4a69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ propellor (5.3.3) UNRELEASED; urgency=medium
   * Warn again about new upstream version when ~/.propellor was cloned from the
     Debian git bundle using an older version of propellor that set up an
     upstream remote.
+  * Avoid crashing if initial fetch from origin fails when spinning a host.
 
  -- Joey Hess <id@joeyh.name>  Mon, 19 Feb 2018 12:44:24 -0400
 
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
new file mode 100644
index 00000000..e79fabfb
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-22T15:34:07Z"
+ content="""
+--spin has always pushed/pulled from origin, if there is
+a central git repository.
+
+It's an optional thing though, since the update is pushed directly to the
+host it spins too.
+
+I've improved the code to avoid this particular crash..
+"""]]
diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs
index 51fcb573..df607bd2 100644
--- a/src/Propellor/Git/VerifiedBranch.hs
+++ b/src/Propellor/Git/VerifiedBranch.hs
@@ -30,12 +30,17 @@ verifyOriginBranch originbranch = do
 -- Returns True if HEAD is changed by fetching and merging from origin.
 fetchOrigin :: IO Bool
 fetchOrigin = do
+	fetched <- actionMessage "Pull from central git repository" $
+		boolSystem "git" [Param "fetch"]
+	if fetched
+		then mergeOrigin
+		else return False
+
+mergeOrigin :: IO Bool
+mergeOrigin = do
 	branchref <- getCurrentBranch
 	let originbranch = "origin" </> branchref
 
-	void $ actionMessage "Pull from central git repository" $
-		boolSystem "git" [Param "fetch"]
-
 	oldsha <- getCurrentGitSha1 branchref
 
 	keyring <- privDataKeyring
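Review bot: `fetchOrigin` now returns `False` both when the fetch fails and when fetching changes nothing, and the existing comment ("Returns True if HEAD is changed by fetching and merging from origin") does not mention the failure case. Skipping the merge after a failed fetch is the safe direction, since nothing from origin is merged, but callers cannot tell the two outcomes apart; I would extend the comment with `-- Returns False, without merging, if the fetch fails.` The new `mergeOrigin` has no comment at all; something like `-- Merges the already-fetched origin branch; True if HEAD changed.` would fit, to be confirmed against the rest of its body, which continues past the end of this hunk.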

diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
new file mode 100644
index 00000000..5bd97367
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
@@ -0,0 +1,28 @@
+Did something changed recently concerning `--spin`? It seems like I can't use it without a central repo anymore...
+
+
+    $ ./propellor --spin server
+    Preprocessing executable 'propellor-config' for propellor-5.3.2...
+    Propellor build ... done
+    [master cabbc1b4e] propellor spin
+    Git commit ... done
+    Counting objects: 1, done.
+    Writing objects: 100% (1/1), 860 bytes | 860.00 KiB/s, done.
+    Total 1 (delta 0), reused 0 (delta 0)
+    To example.org:/var/lib/git/private/propellor.git
+       8c8c1b2f6..cabbc1b4e  master -> master
+    Push to central git repository ... done
+    gpg: encrypted with 4096-bit RSA key, ID EC0B9FA927E29C5C, created 2013-01-29
+          "Félix Sipma <felix.sipma@riseup.net>"
+    Host key verification failed.
+    fatal: Could not read from remote repository.
+    
+    Please make sure you have the correct access rights
+    and the repository exists.
+    Pull from central git repository ... failed
+    fatal: ambiguous argument 'origin/master': unknown revision or path not in the working tree.
+    Use '--' to separate paths from revisions, like this:
+    'git <command> [<revision>...] -- [<file>...]'
+    propellor: user error (git ["log","-n","1","--format=%G?","origin/master"] exited 128)
+    propellor: user error (ssh ["-o","ControlPath=/home/example/.ssh/propellor/server.example.org.sock","-o","ControlMaster=auto","-o","ControlPersist=yes","root@server.example.org","sh -c 'rm -rf /usr/local/propellor-precompiled ; if [ ! -d /usr/local/propellor/.git ] ; then (if ! git --version >/dev/null 2>&1; then apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -qq --no-install-recommends --no-upgrade -y install git; fi && echo STATUSNeedGitClone) || echo STATUSNeedPrecompiled ; else cd /usr/local/propellor && if ! cabal configure >/dev/null 2>&1; then ( apt-get update ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install gnupg ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install ghc ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install cabal-install ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-async-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-split-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hslogger-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-unix-compat-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ansi-terminal-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ifelse-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-network-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-mtl-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-transformers-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install 
libghc-exceptions-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-stm-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-text-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hashable-dev) || true; fi&& if ! test -x ./propellor; then cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi;if test -x ./propellor && ! ./propellor --check; then cabal clean && cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi && ./propellor --boot server.example.org ; fi'"] exited 1)
+    

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
new file mode 100644
index 00000000..39feff2e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 13"
+ date="2018-02-20T05:58:48Z"
+ content="""
+Thanks a lot joey,
+
+and you are right, I am fund of your works :).
+
+Cheers.
+"""]]

Warn again about new upstream version when ~/.propellor was cloned from the Debian git bundle using an older version of propellor that set up an upstream remote.
This commit was sponsored by Jake Vosloo on Patreon.
diff --git a/debian/changelog b/debian/changelog
index 3515497b..55ca5a93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+propellor (5.3.3) UNRELEASED; urgency=medium
+
+  * Warn again about new upstream version when ~/.propellor was cloned from the
+    Debian git bundle using an older version of propellor that set up an
+    upstream remote.
+
+ -- Joey Hess <id@joeyh.name>  Mon, 19 Feb 2018 12:44:24 -0400
+
 propellor (5.3.2) unstable; urgency=medium
 
   * Added Propellor.Property.Atomic, which can make a non-atomic property
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
new file mode 100644
index 00000000..90d0ba2c
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 12"""
+ date="2018-02-19T15:48:21Z"
+ content="""
+What propellor --init sets up, when you select the clone option
+and the Debian package is installed, is no remote
+defined, but a remotes/upsteam/master tracking branch.
+
+So not normally this:
+
+    upstream        /usr/src/propellor/propellor.git (fetch)
+
+Aha! The very first revision of propellor --init
+*did* set up an upstream remote pointing at the distrepo. At some point
+that changed to the above described behavior. You're bitten by being an
+early adopter.
+
+I've adjusted the logic to handle that case.
+"""]]
diff --git a/src/Propellor/DotDir.hs b/src/Propellor/DotDir.hs
index 17eb095a..39c111f6 100644
--- a/src/Propellor/DotDir.hs
+++ b/src/Propellor/DotDir.hs
@@ -387,16 +387,17 @@ checkRepoUpToDate = whenM (gitbundleavail <&&> dotpropellorpopulated) $ do
 -- into the user's repository, as if fetching from a upstream remote,
 -- yielding a new upstream/master branch.
 --
--- If there's no upstream/master, the user is not using the distrepo,
--- so do nothing. And, if there's a remote named "upstream", the user
--- must have set that up and is not using the distrepo, so do nothing.
+-- If there's no upstream/master, or the repo is not using the distrepo,
+-- do nothing.
 updateUpstreamMaster :: String -> IO ()
-updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
+updateUpstreamMaster newref = do
 	changeWorkingDirectory =<< dotPropellor
-	go =<< catchMaybeIO getoldrev
+	v <- getoldrev
+	case v of
+		Nothing -> return ()
+		Just oldref -> go oldref
   where
-	go Nothing = return ()
-	go (Just oldref) = do
+	go oldref = do
 		let tmprepo = ".git/propellordisttmp"
 		let cleantmprepo = void $ catchMaybeIO $ removeDirectoryRecursive tmprepo
 		cleantmprepo
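Review bot: The new `case v of` in `updateUpstreamMaster` spells out what `maybe` already does; `maybe (return ()) go =<< getoldrev` says the same in one line and drops the throwaway name `v`. Also note that `changeWorkingDirectory =<< dotPropellor` is no longer under the removed `unlessM (hasRemote "upstream")` guard, so the process-wide working directory now changes even when the function ends up doing nothing; a line in the header comment such as `-- Changes the working directory to the dotPropellor directory as a side effect.` would make that visible. The `go` helper continues outside this hunk.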
@@ -421,13 +422,37 @@ updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
 		cleantmprepo
 		warnoutofdate True
 
-	getoldrev = takeWhile (/= '\n')
-		<$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
-
 	git = run "git"
 	run cmd ps = unlessM (boolSystem cmd (map Param ps)) $
 		error $ "Failed to run " ++ cmd ++ " " ++ show ps
 
+	-- Get ref that the upstreambranch points to, only when
+	-- the distrepo is being used.
+	getoldrev = do
+		mrev <- catchMaybeIO $ takeWhile (/= '\n')
+			<$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
+		print mrev
+		case mrev of
+			Just _ -> do
+				-- Normally there will be no upstream
+				-- remote when the distrepo is used.
+				-- Older versions of propellor set up
+				-- an upstream remote pointing at the 
+				-- distrepo.
+				ifM (hasRemote "upstream")
+					( do
+						v <- remoteUrl "upstream"
+						print ("remote url", v)
+						return $ case v of
+							Just rurl | rurl == distrepo -> mrev
+							_ -> Nothing
+					, return mrev
+					)
+			Nothing -> return mrev
+
+-- And, if there's a remote named "upstream"
+-- that does not point at the distrepo, the user must have set that up
+-- and is not using the distrepo, so do nothing.
 warnoutofdate :: Bool -> IO ()
 warnoutofdate havebranch = do
 	warningMessage ("** Your ~/.propellor/ is out of date..")
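Review bot: The two calls `print mrev` and `print ("remote url", v)` in the new `getoldrev` look like leftover debugging: they write a `Maybe String` and the remote's URL to stdout on every run of the check, next to the messages the module otherwise emits through `warningMessage`. I would delete both lines. The comment block added at the end of the hunk ("And, if there's a remote named "upstream" that does not point at the distrepo…") sits directly above `warnoutofdate`, so it reads as that function's documentation; it describes `getoldrev` and belongs there or in the `updateUpstreamMaster` header. The test `rurl == distrepo` is an exact string comparison, so an equivalent URL written differently (a trailing slash, for instance) would presumably count as "not the distrepo"; worth a short comment if that is intended. `updateUpstreamMaster` begins outside this hunk.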
diff --git a/src/Propellor/Git.hs b/src/Propellor/Git.hs
index 10b88ddd..c446f67a 100644
--- a/src/Propellor/Git.hs
+++ b/src/Propellor/Git.hs
@@ -30,6 +30,10 @@ hasRemote remotename = catchDefaultIO False $ do
 	rs <- lines <$> readProcess "git" ["remote"]
 	return $ remotename `elem` rs
 
+remoteUrl :: String -> IO (Maybe String)
+remoteUrl remotename = catchDefaultIO Nothing $ headMaybe . lines
+	<$> readProcess "git" ["config", "remote." ++ remotename ++ ".url"]
+
 hasGitRepo :: IO Bool
 hasGitRepo = doesFileExist ".git/HEAD"
 
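Review bot: `remoteUrl` is added without a comment, and `catchDefaultIO Nothing` folds every failure into the same result, so a remote that is not configured and a `git config` call that fails for another reason both come back as `Nothing`. The caller added in DotDir.hs treats `Nothing` as "not the distrepo", so the distinction matters for whoever reads that code later. I would document it on the function: `-- | URL of the named git remote (first line of git config output); Nothing if unset or if git fails.`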

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
new file mode 100644
index 00000000..106d993f
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 11"
+ date="2018-02-19T06:31:32Z"
+ content="""
+Yes sir :)
+
+    picca@mordor:~/.propellor$ git remote -v
+    deploy  https://salsa.debian.org/picca/propellor.git (fetch)
+    deploy  https://salsa.debian.org/picca/propellor.git (push)
+    origin  git@salsa.debian.org:picca/propellor.git (fetch)
+    origin  git@salsa.debian.org:picca/propellor.git (push)
+    upstream        /usr/src/propellor/propellor.git (fetch)
+    upstream        /usr/src/propellor/propellor.git (push)
+
+"""]]

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
new file mode 100644
index 00000000..25d6ff1e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 10"
+ date="2018-02-18T21:35:23Z"
+ content="""
+Do you have a git remote named 'upstream'?
+"""]]

Added a comment
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
new file mode 100644
index 00000000..492f40e1
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 9"
+ date="2018-02-18T19:10:32Z"
+ content="""
+Hello, I think that my problem is related to this one.
+
+I have a repository created from the Debian package and which is from the 5.1.0 version.
+I just upgrade the package to 5.3.1 and now I do not have the message explaining that a new upstream version is available.
+So I do not know how to upgrade my current repository.
+
+Before, I just had to do
+
+    git merge upstream/master
+
+And now ?
+
+
+thanks for your help
+"""]]

add news item for propellor 5.3.2
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
new file mode 100644
index 00000000..cd16116e
--- /dev/null
+++ b/doc/news/version_5.3.2.mdwn
@@ -0,0 +1,10 @@
+propellor 5.3.2 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Added Propellor.Property.Atomic, which can make a non-atomic property
+     that operates on a directory into an atomic property.
+     (Inspired by Vaibhav Sagar's talk on Functional Devops in a
+     Dysfunctional World at LCA 2018.)
+   * Added Git.pulled.
+   * Systemd.machined: Install systemd-container on Debian
+     stretch.
+     Thanks, Sean Whitton"""]]
\ No newline at end of file

comment
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment
new file mode 100644
index 00000000..0962459f
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_1_62fc297972ab5be50b9cb8cd3aa269c0._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-06T15:37:45Z"
+ content="""
+Not aware of anyone using propellor for that yet.
+
+Propellor's LVM module would probably be a decent starting point for
+implementing dm-crypt support.
+
+Key/passwords could certianly be managed with propellor's privdata
+interface. Whether it makes sense to do so for security is probably up to
+the individual user, since privdata can be decrypted with your gpg private
+key, which you might not want to equate to access to your encrypted volume.
+Also, privdata is stored on the host that uses it in unencrypted form
+protected only by file permissions.
+"""]]