authorSean Whitton <spwhitton@spwhitton.name>2017-05-22 13:13:06 +0100
committerSean Whitton <spwhitton@spwhitton.name>2017-05-22 13:13:06 +0100
commit4190149cd01da73eac211230bdfe81dd104c42aa (patch)
tree5b725c97ad9c0d8bdeaad94f063730982dd54c44
parent8b450615d0d33cca4d14c6abf59f893d13a1393a (diff)
parentd27100f7d71a8cf9312e9bb7628c791e0d246917 (diff)
downloaddebug-me-4190149cd01da73eac211230bdfe81dd104c42aa.tar.gz
Merge tag '1.20170520'
tagging package debug-me version 1.20170520 # gpg: Signature made Sat 20 May 2017 22:31:39 BST # gpg: using RSA key 28A500C35207EAB72F6C0F25DB12DB0FF05F8F38 # gpg: Good signature from "Joey Hess <joeyh@joeyh.name>" [full] # Primary key fingerprint: E85A 5F63 B31D 24C1 EBF0 D81C C910 D922 2512 E3C7 # Subkey fingerprint: 28A5 00C3 5207 EAB7 2F6C 0F25 DB12 DB0F F05F 8F38
-rw-r--r--CHANGELOG16
-rw-r--r--ControlWindow.hs3
-rw-r--r--Crypto.hs2
-rw-r--r--Gpg/Keyring.hs73
-rw-r--r--Gpg/Wot.hs5
-rw-r--r--Hash.hs27
-rw-r--r--Makefile3
-rw-r--r--debug-me.113
-rw-r--r--debug-me.cabal15
-rw-r--r--developer-keyring.gpgbin0 -> 5646 bytes
-rw-r--r--doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn3
-rw-r--r--doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment10
-rw-r--r--doc/faq.mdwn40
-rw-r--r--doc/index.mdwn10
-rw-r--r--doc/install.mdwn4
-rw-r--r--doc/news/version_1.20170509.mdwn11
-rw-r--r--doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment35
-rw-r--r--doc/servers.mdwn5
-rw-r--r--doc/todo/use_distribution_keyrings.mdwn10
-rw-r--r--doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment28
-rw-r--r--doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment9
-rw-r--r--stack.yaml2
22 files changed, 289 insertions, 35 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 65f54c2..65142bc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,19 @@
+debug-me (1.20170520) unstable; urgency=medium
+
+ * debug-me is available in Debian unstable.
+ * gpg keyrings in /usr/share/debug-me/ will be checked
+ to see if a connecting person is a known developer of software
+ installed on the system, and so implicitly trusted already.
+ Software packages/projects can install keyrings to that location.
+ (Thanks to Sean Whitton for the idea.)
+ * make install installs /usr/share/debug-me/a_debug-me_developer.gpg,
+ which contains the key of Joey Hess. (stack and cabal installs don't
+ include this file because they typically don't install system-wide)
+ * debug-me.cabal: Added dependency on time.
+ * stack.yaml: Update to new posix-pty version.
+
+ -- Joey Hess <id@joeyh.name> Sat, 20 May 2017 17:13:11 -0400
+
debug-me (1.20170509) unstable; urgency=medium
* Server: Use "postmaster" as default --from-email address
diff --git a/ControlWindow.hs b/ControlWindow.hs
index c5a6be9..bd79d0f 100644
--- a/ControlWindow.hs
+++ b/ControlWindow.hs
@@ -15,6 +15,7 @@ import ControlSocket
import VirtualTerminal
import Gpg
import Gpg.Wot
+import Gpg.Keyring
import Output
import System.IO
@@ -163,6 +164,8 @@ askToAllow ochan promptchan responsechan k@(GpgSigned pk _ _) = do
ws <- downloadWotStats gpgkeyid
putStrLn $ unlines $ map sanitizeForDisplay $
describeWot ws ss
+ mapM_ (putStrLn . keyringToDeveloperDesc ws)
+ =<< findKeyringsContaining gpgkeyid
promptconnect
where
promptconnect :: IO ()
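Review bot: The keyring line added at the `mapM_` is printed without the `sanitizeForDisplay` pass that the WoT description two lines above it goes through, yet it embeds `wotStatName ws`, i.e. the user ID of the remote key, which is chosen by the connecting party. `keyringToDeveloperDesc` only sanitizes the filename-derived half of the string, so if `sanitizeForDisplay` is what keeps terminal escape sequences out of the approval prompt (its name and its use on the WoT text suggest so), this new line bypasses that protection at exactly the moment the user decides whether to grant console access. Route it through the same filter: `mapM_ (putStrLn . sanitizeForDisplay . keyringToDeveloperDesc ws) =<< findKeyringsContaining gpgkeyid`. askToAllow begins before this hunk, so I cannot see whether anything else sanitizes the output later.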
diff --git a/Crypto.hs b/Crypto.hs
index efc754f..2fe27e0 100644
--- a/Crypto.hs
+++ b/Crypto.hs
@@ -31,7 +31,7 @@ class Signed t where
instance Hashable a => Signed (Activity a) where
getSignature = activitySignature
hashExceptSignature (Activity a mpa mpe mt _s) = hash $
- Tagged "Activity" [hash a, hash mpa, hash mpe, hash mt]
+ Tagged "Activity" [hash a, hashOfMaybeUnsafe mpa, hashOfMaybeUnsafe mpe, hash mt]
instance Signed Control where
getSignature = controlSignature
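Review bot: The switch to `hashOfMaybeUnsafe` in `hashExceptSignature` is undocumented at the call site, and this is the value that gets signed, so a later "cleanup" to the regular `Maybe Hash` instance would silently invalidate every existing signed log and break protocol compatibility. A one-line why-comment above the `Tagged "Activity"` line would prevent that: `-- hashOfMaybeUnsafe keeps the pre-1.20170520 encoding of the optional fields; this is the signed hash and must stay in step with the Hashable (Activity a) instance in Hash.hs`. The `Signed (Activity a)` instance is fully visible here, but its sibling in Hash.hs lives in another file, so the two definitions have no compile-time link beyond this comment.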
diff --git a/Gpg/Keyring.hs b/Gpg/Keyring.hs
new file mode 100644
index 0000000..a0fa242
--- /dev/null
+++ b/Gpg/Keyring.hs
@@ -0,0 +1,73 @@
+{- Copyright 2017 Joey Hess <id@joeyh.name>
+ -
+ - Licensed under the GNU AGPL version 3 or higher.
+ -}
+
+-- | Gpg keyrings for debug-me
+
+module Gpg.Keyring where
+
+import Gpg
+import qualified Gpg.Wot
+
+import System.FilePath
+import Data.Char
+import System.Directory
+import Data.Time.Clock
+import Data.Time.Format
+import System.Process
+import System.Exit
+
+keyringDir :: FilePath
+keyringDir = "/usr/share/debug-me/keyring"
+
+data Keyring = Keyring FilePath UTCTime
+
+keyringToDeveloperDesc :: Maybe (Gpg.Wot.WotStats) -> Keyring -> String
+keyringToDeveloperDesc mws (Keyring f mtime) =
+ name ++ " is " ++ desc ++ " \t(as of " ++ showtime mtime ++ ")"
+ where
+ name = maybe "This person" Gpg.Wot.wotStatName mws
+ desc = map sanitize $ dropExtension $ takeFileName f
+ sanitize '_' = ' '
+ sanitize c
+ | isAlphaNum c || c `elem` "-+" = c
+ | otherwise = '?'
+ showtime = formatTime defaultTimeLocale "%c"
+
+findKeyringsContaining :: GpgKeyId -> IO [Keyring]
+findKeyringsContaining k =
+ go [] . map (keyringDir </>) =<< getDirectoryContents keyringDir
+ where
+ go c [] = return c
+ go c (f:fs) = do
+ isfile <- doesFileExist f
+ if isfile && takeExtension f == ".gpg"
+ then do
+ inkeyring <- isInKeyring k f
+ if inkeyring
+ then do
+ mtime <- getModificationTime f
+ let keyring = Keyring f mtime
+ go (keyring : c) fs
+ else go c fs
+ else go c fs
+
+-- | Check if the gpg key is included in the keyring file.
+--
+-- Similar to gpgv, this does not check if the key is revoked or expired,
+-- only if it's included in the keyring.
+isInKeyring :: GpgKeyId -> FilePath -> IO Bool
+isInKeyring (GpgKeyId k) f = do
+ -- gpg assumes non-absolute keyring files are relative to ~/.gnupg/
+ absf <- makeAbsolute f
+ let p = proc "gpg"
+ -- Avoid reading any keyrings except the specified one.
+ [ "--no-options"
+ , "--no-default-keyring"
+ , "--no-auto-check-trustdb"
+ , "--keyring", absf
+ , "--list-key", k
+ ]
+ (exitcode, _, _) <- readCreateProcessWithExitCode p ""
+ return (exitcode == ExitSuccess)
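Review bot: `findKeyringsContaining` calls `getDirectoryContents keyringDir` unconditionally, so on any install that lacks `/usr/share/debug-me/keyring` (the stack and cabal case the changelog itself calls out) it throws an IOError instead of returning `[]`, and unless the caller catches it the connection prompt aborts. Guard it first: `findKeyringsContaining k = do { exists <- doesDirectoryExist keyringDir; if exists then go [] . map (keyringDir </>) =<< getDirectoryContents keyringDir else return [] }`. Separately, `isInKeyring` hands the remote-supplied key id to gpg as a bare `--list-key` argument: gpg performs a user-ID substring search for a non-hex string and accepts a 32-bit short id, which is cheap to collide, so if `GpgKeyId` is not guaranteed by its constructor to be a full fingerprint, pass it after a `"--"` argument and confirm the match by comparing the `fpr` record of `--with-colons` output rather than trusting the exit status. The haddock already notes that revocation and expiry are not checked, which is fine, but the user-facing text in ControlWindow should probably say so too.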
diff --git a/Gpg/Wot.hs b/Gpg/Wot.hs
index b29ccc7..2a6d541 100644
--- a/Gpg/Wot.hs
+++ b/Gpg/Wot.hs
@@ -107,7 +107,7 @@ describeWot (Just ws) (StrongSetAnalysis ss)
, theirname ++ " is probably a real person."
]
where
- theirname = stripEmail (uid (key ws))
+ theirname = wotStatName ws
sigs = cross_sigs ws ++ other_sigs ws
bestconnectedsigs = sortOn rank sigs
describeWot Nothing _ =
@@ -115,5 +115,8 @@ describeWot Nothing _ =
, "Their identity cannot be verified!"
]
+wotStatName :: WotStats -> String
+wotStatName ws = stripEmail (uid (key ws))
+
stripEmail :: String -> String
stripEmail = unwords . takeWhile (not . ("<" `isPrefixOf`)) . words
diff --git a/Hash.hs b/Hash.hs
index a76e0b4..cb90c85 100644
--- a/Hash.hs
+++ b/Hash.hs
@@ -41,7 +41,7 @@ instance Hashable a => Hashable (Tagged a) where
instance Hashable a => Hashable (Activity a) where
hash (Activity a mps mpe mt s) = hash $ Tagged "Activity"
- [hash a, hash mps, hash mpe, hash mt, hash s]
+ [hash a, hashOfMaybeUnsafe mps, hashOfMaybeUnsafe mpe, hash mt, hash s]
instance Hashable Entered where
hash v = hash $ Tagged "Entered"
@@ -52,7 +52,7 @@ instance Hashable Seen where
instance Hashable ControlAction where
hash (EnteredRejected h1 h2) = hash $ Tagged "EnteredRejected"
- [hash h1, hash h2]
+ [hash h1, hashOfMaybeUnsafe h2]
hash (SessionKey pk v) = hash $ Tagged "SessionKey" [hash pk, hash v]
hash (SessionKeyAccepted pk) = hash $ Tagged "SessionKeyAccepted" pk
hash (SessionKeyRejected pk) = hash $ Tagged "SessionKeyRejected" pk
@@ -83,10 +83,21 @@ instance Hashable ElapsedTime where
instance Hashable [Hash] where
hash = hash . B.concat . map (val . hashValue)
--- | Hash empty string for Nothing
+-- | Hash a Maybe Hash, such that
+-- hash Nothing /= hash (Just (hash (mempty :: B.ByteString)))
instance Hashable (Maybe Hash) where
- hash Nothing = hash ()
- hash (Just v) = hash v
-
-instance Hashable () where
- hash () = hash (mempty :: B.ByteString)
+ hash (Just v) = hash (val (hashValue v))
+ hash Nothing = hash (mempty :: B.ByteString)
+
+-- | Hash a Maybe Hash using the Hash value as-is, or the hash of the empty
+-- string for Nothing.
+--
+-- Note that this is only safe to use when the input value can't possibly
+-- itself be the hash of an empty string. For example, the hash of an
+-- Activity is safe, because it's the hash of a non-empty string.
+--
+-- This is only used to avoid breaking backwards compatability; the
+-- above instance for Maybe Hash should be used for anything new.
+hashOfMaybeUnsafe :: Maybe Hash -> Hash
+hashOfMaybeUnsafe (Just v) = hash v
+hashOfMaybeUnsafe Nothing = hash (mempty :: B.ByteString)
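Review bot: The hunk removes the `Hashable ()` instance together with the old `Maybe Hash` encoding, which is a silent API removal for any other module in the project that hashes `()`; if nothing else uses it that is fine, but neither the changelog nor this comment says so. The new instance itself is sound as far as the visible code shows — `hash Nothing` is the hash of the empty string while `hash (Just v)` is the hash of a non-empty hash value, so they can only coincide under a SHA-2 collision — but `hashOfMaybeUnsafe` rests on the unchecked invariant that no `Maybe Hash` ever wraps the hash of an empty string, and that deserves a property test such as `hashOfMaybeUnsafe (Just (hash x)) /= hashOfMaybeUnsafe Nothing` for arbitrary non-empty `x`, plus a `hashOfMaybeUnsafe Nothing == hash (mempty :: B.ByteString)` pin so the legacy encoding cannot drift. The closing haddock also misspells "compatibility".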
diff --git a/Makefile b/Makefile
index 3244942..01eaad3 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,9 @@ install-files: debug-me install-mans
install -m 0755 debug-me.init $(DESTDIR)$(PREFIX)/etc/init.d/debug-me
install -d $(DESTDIR)$(PREFIX)/etc/default
install -m 0644 debug-me.default $(DESTDIR)$(PREFIX)/etc/default/debug-me
+ install -d $(DESTDIR)$(PREFIX)/usr/share/debug-me/keyring
+ install -m 0655 developer-keyring.gpg \
+ $(DESTDIR)$(PREFIX)/usr/share/debug-me/keyring/a_debug-me_developer.gpg
install-mans:
install -d $(DESTDIR)$(PREFIX)/usr/share/man/man1
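Review bot: The keyring is installed with `-m 0655`, which looks like a typo for the `0644` used for debug-me.default two lines above: 0655 is rw-r-xr-x, i.e. it sets the execute bit for group and other on a data file, a mode no packaging tool expects and one that lintian-style checks will flag. Change it to `install -m 0644 developer-keyring.gpg \`. The target also hard-codes `/usr/share/debug-me/keyring`, duplicating `keyringDir` in Gpg/Keyring.hs; a short comment on either side noting that the two must be changed together would keep a future relocation from silently disabling the feature.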
diff --git a/debug-me.1 b/debug-me.1
index a0e108a..251e636 100644
--- a/debug-me.1
+++ b/debug-me.1
@@ -14,13 +14,16 @@ problem. Making your problem their problem gets it fixed fast.
A debug-me session is logged and signed with the developer's GnuPG
key, producing a chain of evidence of what they saw and what they did.
So the developer's good reputation is leveraged to make debug-me secure.
+If you trust a developer to ship software to your computer,
+you can trust them to debug-me.
.PP
When you start debug-me without any options, it will connect to a debug-me
server, and print out an url that you can give to the developer to get
them connected to you. Then debug-me will show you their GnuPG key and who
-has signed it. If the developer has a good reputation, you can proceed
-to let them type into your console in a debug-me session. Once the
-session is done, the debug-me server will email you the signed
+has signed it, and will let you know if they are a known developer
+of software on your computer. If the developer has a good reputation, you
+can proceed to let them type into your console in a debug-me session. Once
+the session is done, the debug-me server will email you the signed
evidence of what the developer did in the session.
.PP
It's a good idea to watch the debug-me session. The developer should be
@@ -101,6 +104,10 @@ exits.
.IP "~/.debug-me/log/remote/"
When using debug-me to connect to a remote session, the session will be
logged to here.
+.UP "/usr/share/debug-me/keyring/*.gpg"
+When verifying a developer's gpg key, debug-me checks if it's listed in
+the keyrings in this directory, which can be provided by software installed
+on the computer.
.SH SEE ALSO
<https://debug-me.branchable.com/>
.PP
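Review bot: `.UP` at the start of the new FILES entry is not a man(7) macro — the neighbouring entries use `.IP`, and groff ignores an unknown request with at most a warning, so the keyring path would be dropped from the rendered page and its description would run on from the previous entry. Change the line to `.IP "/usr/share/debug-me/keyring/*.gpg"`. It would also help readers to add, after the description, that a match only shows the key is present in a keyring shipped by some installed package; revocation and expiry are not checked, as the code comment in Gpg/Keyring.hs states.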
diff --git a/debug-me.cabal b/debug-me.cabal
index 10b184e..aa8f0fe 100644
--- a/debug-me.cabal
+++ b/debug-me.cabal
@@ -1,5 +1,5 @@
Name: debug-me
-Version: 1.20170509
+Version: 1.20170510
Cabal-Version: >= 1.8
Maintainer: Joey Hess <joey@kitenet.net>
Author: Joey Hess
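Review bot: `Version: 1.20170510` does not match the `1.20170520` that this merge tags and that the CHANGELOG entry declares, so the package built by cabal or stack will identify itself as a version that was never released, which complicates matching a user's report to the signed tag. Change it to `Version: 1.20170520`. In the later hunk of this file `Verify` is added to Other-Modules while no `Verify.hs` appears in the diffstat; presumably it already exists in the tree, but it is worth confirming before release so the cabal build does not fail on a missing module.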
@@ -20,13 +20,16 @@ Description:
A debug-me session is logged and signed with the developer's GnuPG
key, producing a chain of evidence of what they saw and what they did.
So the developer's good reputation is leveraged to make debug-me secure.
+ If you trust a developer to ship software to your computer,
+ you can trust them to debug-me.
.
When you start debug-me without any options, it will connect to a debug-me
server, and print out an url that you can give to the developer to get
them connected to you. Then debug-me will show you their GnuPG key and who
- has signed it. If the developer has a good reputation, you can proceed
- to let them type into your console in a debug-me session. Once the
- session is done, the debug-me server will email you the signed
+ has signed it, and will let you know if they are a known developer
+ of software on your computer. If the developer has a good reputation,
+ you can proceed to let them type into your console in a debug-me session.
+ Once the session is done, the debug-me server will email you the signed
evidence of what the developer did in the session.
.
If the developer did do something bad, you'd have proof that they cannot
@@ -40,6 +43,7 @@ Extra-Source-Files:
debug-me.service
debug-me.init
debug-me.default
+ developer-keyring.gpg
Executable debug-me
Main-Is: debug-me.hs
@@ -81,6 +85,7 @@ Executable debug-me
, utf8-string (>= 1.0)
, network-uri (>= 2.6)
, mime-mail (>= 0.4)
+ , time (>= 1.6)
Other-Modules:
ControlWindow
ControlSocket
@@ -90,6 +95,7 @@ Executable debug-me
Graphviz
Gpg
Gpg.Wot
+ Gpg.Keyring
Hash
JSON
Log
@@ -109,6 +115,7 @@ Executable debug-me
SessionID
Types
Val
+ Verify
VirtualTerminal
WebSockets
diff --git a/developer-keyring.gpg b/developer-keyring.gpg
new file mode 100644
index 0000000..9ca0ee1
--- /dev/null
+++ b/developer-keyring.gpg
Binary files differ
diff --git a/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn
new file mode 100644
index 0000000..fcf38e3
--- /dev/null
+++ b/doc/bugs/Update_to_posix-pty_0.2.1.1.mdwn
@@ -0,0 +1,3 @@
+Latest version of posix-pty fixes support for musl. Would it be possible to bump the dependency version & cut a new release?
+
+> [[done]] --[[Joey]]
diff --git a/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment b/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment
new file mode 100644
index 0000000..4c0940d
--- /dev/null
+++ b/doc/bugs/Update_to_posix-pty_0.2.1.1/comment_1_fb0d1b1adfbe02e168d94bf80a254da8._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2017-05-20T17:46:23Z"
+ content="""
+You must mean in the stack.yaml because the cabal file has no upper bound.
+
+I've bumped the version in stack.yaml, will release maybe this weekend,
+but ping if it goes to long before a release.
+"""]]
diff --git a/doc/faq.mdwn b/doc/faq.mdwn
index c9b46ea..6884ec0 100644
--- a/doc/faq.mdwn
+++ b/doc/faq.mdwn
@@ -6,20 +6,28 @@
#### Should I let John Doe connect to my debug-me session? I don't know that guy.
-When a developer connects to your debug-me session, it will display
-their GnuPG key, and the number of people who have signed it. It will
-also list the names of some of those people (the best connected ones).
-
-If the developer of software you use is connecting to debug-me,
-their software documentation might say what their GnuPG key is. Then you
-can simply check that the GnuPG key ids match.
+When a developer connects to your debug-me session, debug-me will display
+their GnuPG key, and information about it, including
+the number of people who have signed it. It will also list the names
+of some of those people (the best connected ones).
+
+Suppose you're using Debian, and debug-me says "John Doe is a Debian
+developer". Then it's probably safe to let this person connect,
+because you already trust this guy implicitly, since you're using software
+he develops.
+
+How does debug-me know that John Doe is a Debian developer? It's checked
+that his gpg key is in the keyring at
+`/usr/share/debug-me/keyring/a_Debian_developer.gpg`, which is provided by
+Debian. Other software projects that are installed on your computer can
+also put keyrings in that directory, and then debug-me will be able to
+tell then a developer of a project is connecting.
If debug-me says that "John Doe is probably a real person", it means
that he's connected to the strong set of the GnuPG web of trust.
Other people, who certianly are real, have verified his identity.
-So even if you don't know his name, it can be safe to let him connect.
-
-But it's a gut call. If in doubt, don't let the developer connect.
+So even if you don't know his name, it can be safe to let him connect,
+but if in doubt, don't let him.
If debug-me says "identity cannot be verified!", it means that the GnuPG
key couldn't be downloaded at all, or the developer is not connected to the
@@ -67,6 +75,18 @@ Here's a quick checklist:
* Include your GnuPG key id in your project's documentation, so users
will know which key is yours. It also helps to sign git tags,
tarballs, git commits, etc with your key.
+* Make your software package install a gpg keyring of its developers to
+ /usr/share/debug-me/keyring/.
+
+ A file there named "a_Foo_developer.gpg"
+ will make debug-me tell the user that "Your Name is a Foo developer."
+ when you connect to their debug-me session, and so the user will be more
+ likely to trust you and let you connect.
+
+ For example:
+
+ gpg --export-options export-minimal --export C910D9222512E3C7 > a_Foo_developer.gpg
+
* When a user has a bug that you need more information to reproduce and
understand, ask if they'll use debug-me.
diff --git a/doc/index.mdwn b/doc/index.mdwn
index 84bc344..14fec93 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -20,19 +20,21 @@ problem. Making your problem their problem gets it fixed fast.
A debug-me session is logged and signed with the developer's GnuPG key,
producing a [[chain of evidence|evidence]] of what they saw and what they
did. So the developer's good reputation is leveraged to make debug-me
-secure.
+secure. If you trust a developer to ship software to your computer,
+you can trust them to debug-me.
When you start debug-me without any options, it will connect to a debug-me
[[server|servers]], and print out an url that you can give to the developer
-to get them connected to you. Then debug-me will show you their GnuPG key
-and who has signed it. If the developer has a good reputation, you can
+to get them connected to you. Then debug-me will show you their GnuPG key,
+who has signed it, and will let you know if they are a known developer
+of software on your computer. If the developer has a good reputation, you can
proceed to let them type into your console in a debug-me session. Once the
session is done, the debug-me server will email you the signed evidence of
what the developer did in the session.
If the developer did do something bad, you'd have proof that they cannot
be trusted, which you can share with the world. Knowing that is the case
-will keep most developers honest.
+will keep developers honest.
<video controls width=400 title="debug-me demo" src="https://downloads.kitenet.net/videos/debug-me/debug-me-demo.webm"></video>
<video controls width=400 title="debug-me logs" src="https://downloads.kitenet.net/videos/debug-me/debug-me-logs.webm"></video>
diff --git a/doc/install.mdwn b/doc/install.mdwn
index 2f8d24f..f6b1dc7 100644
--- a/doc/install.mdwn
+++ b/doc/install.mdwn
@@ -7,6 +7,10 @@ To use:
tar xf debug-me-standalone-amd64.tar.gz
debug-me/debug-me
+## Distributions
+
+Debian 10 or later or Ubuntu 17.10 or later: `apt-get install debug-me`
+
## building from source
Clone debug-me's git repository from <git://debug-me.branchable.com/>
diff --git a/doc/news/version_1.20170509.mdwn b/doc/news/version_1.20170509.mdwn
new file mode 100644
index 0000000..7ec6d4b
--- /dev/null
+++ b/doc/news/version_1.20170509.mdwn
@@ -0,0 +1,11 @@
+debug-me 1.20170509 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Server: Use "postmaster" as default --from-email address
+ rather than "unknown@server".
+ * Server: DEBUG\_ME\_FROM\_EMAIL can be used to specify the --from-email.
+ This is used in debug-me.default to encourage configuring it.
+ Thanks, Sean Whitton.
+ * Avoid crash when --use-server is given an url that does not
+ include a path.
+ * Fix bug that prevented creating ~/.debug-me/log/remote/
+ when ~/.debug-me/ didn't already exist."""]] \ No newline at end of file
diff --git a/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment b/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment
new file mode 100644
index 0000000..ed1bb32
--- /dev/null
+++ b/doc/protocol/comment_4_6c6cd957b3e4db5b77f87b13c4e35e6b._comment
@@ -0,0 +1,35 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 4"""
+ date="2017-05-20T17:53:29Z"
+ content="""
+So the problem comes from the hash
+"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+-- if that's intended to be a `Maybe Hash` that's the hash of a `ByteString`,
+we can't tell if it was produced by hashing `Nothing`, or hashing
+`Just (mempty :: ByteString)`
+
+Double hashing would avoid this ambiguity, but it does also break backwards
+compatability of the debug-me protocol and logs. It's still early enough to
+perhaps do that without a great deal of bother, but it's not desirable.
+
+debug-me does not appear to be actually affected by this currently. The only
+`Maybe Hash` in debug-me is used for a hash of values of type `Activity`
+and `Entered`, not the hash of a `ByteString`. So, as far as the debug-me
+protocol goes, the above hash value is unambiguously the hash of `Nothing`;
+there's no `Activity` or `Entered` that hashes to that value.
+(Barring of course, a cryptographic hash collision which would need SHA2
+to be broken to be exploited.)
+
+So, I'd like to clean this up, to avoid any problems creeping in if
+a `Maybe Hash` got used for the hash of a `ByteString`. But, I don't feel
+it's worth breaking backwards compatibility for.
+
+(I tried adding a phantom type to Hash, so the instance could be only
+for `Maybe (Hash Activity)`, but quickly ran into several complications.)
+
+What I've done is fixed the instance to work like you suggested,
+but kept the old function as `hashOfMaybeUnsafe` and used it where
+necessary. This way, anything new will use the fixed instance and we don't
+break back-compat.
+"""]]
diff --git a/doc/servers.mdwn b/doc/servers.mdwn
index ed7176c..571eb36 100644
--- a/doc/servers.mdwn
+++ b/doc/servers.mdwn
@@ -10,9 +10,8 @@ Your server needs to have a working mail transport agent so it can email
logs to debug-me users.
The debug-me source package includes an init script and a systemd service
-file. Running "make install" as root will install everything. Distribution
-packages of debug-me might put the server stuff in a separate package than
-the main debug-me package.
+file. Running "make install" as root will install everything. Or on Debian 10 or
+later or Ubuntu 17.10 or later, `apt-get install debug-me-server`.
debug-me has a server list built into it of servers it uses. To get your
server added to the list, file a [[todo]] item with the url for your server,
diff --git a/doc/todo/use_distribution_keyrings.mdwn b/doc/todo/use_distribution_keyrings.mdwn
new file mode 100644
index 0000000..be4492e
--- /dev/null
+++ b/doc/todo/use_distribution_keyrings.mdwn
@@ -0,0 +1,10 @@
+In addition to the web-of-trust checking debug-me already does, it could also inform the user whether keys are present in distribution keyrings, such as `/usr/share/keyrings/debian-keyring.gpg`. This would be especially relevant when it is distribution issues that are to be debugged with debug-me: the person connecting is also capable of pushing updates to the usre's machine.
+
+Example output: `Sean Whitton is an official Debian Developer (information accurate as of YYYY-MM-DD)` where the date comes from the version of the `debian-keyring` package.
+
+Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source.
+
+--spwhitton
+
+> [[done]]; you'll need to include the symlinks to the debian keyring
+> in the keysafe.deb. --[[Joey]]
diff --git a/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment
new file mode 100644
index 0000000..3270c33
--- /dev/null
+++ b/doc/todo/use_distribution_keyrings/comment_1_e383699dbed1890a16e3dfa80bd60905._comment
@@ -0,0 +1,28 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2017-05-20T17:33:53Z"
+ content="""
+Very good idea!
+
+I suppose all it needs is a list of keyrings to check, and if it finds a
+key there, it can say "John Doe is a Debian developer" rather than the current
+"John Doe is probably a real person".
+
+This could be extended beyond distributions; individual software programs
+could also ship keyrings with their developer(s).
+
+So, how about rather than a hardcoded distro-specific list of keyrings,
+make debug-me look in /usr/share/debug-me/keyring/$project.gpg
+There could be an accompnying file $project.desc that describes the
+relationship to the project that being in their keyring entails. Eg,
+"Relationship: Debian developer" in debian.desc.
+
+In the debian package of debug-me, you could then symlink
+/usr/share/keyrings/debian-keyring.gpg to the debug-me keyring directory.
+
+The only risk is that some shady software project ships a keyring with a
+.desc file that contains "Debian developer", so debug-me will claim a bogus
+key is the key of a debian developer. But if a debug-me user is using such
+shady software, it's probably rooted their computer already..
+"""]]
diff --git a/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment
new file mode 100644
index 0000000..8145e47
--- /dev/null
+++ b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2017-05-20T21:10:36Z"
+ content="""
+Simplified that sligtly. The keyring filename can describe the
+relationship, eg "a_Debian_developer.gpg". The mtime of the keyring will be
+displayed so the user knows how up-to-date it is.
+"""]]
diff --git a/stack.yaml b/stack.yaml
index 784d3fe..abbdc98 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -2,6 +2,6 @@ packages:
- '.'
resolver: lts-8.12
extra-deps:
-- posix-pty-0.2.1
+- posix-pty-0.2.1.1
- websockets-0.11.1.0
explicit-setup-deps: