diff --git a/Propellor/CmdLine.hs b/Propellor/CmdLine.hs index 2ab83f3..c3576b9 100644 --- a/Propellor/CmdLine.hs +++ b/Propellor/CmdLine.hs @@ -186,7 +186,7 @@ spin host = do sendGitClone :: HostName -> String -> IO () sendGitClone host url = void $ actionMessage ("Pushing git repository to " ++ host) $ - withTmpFile "gitbundle" $ \tmp _ -> allM id + withTmpFile "propellor.git." $ \tmp _ -> allM id -- TODO: ssh connection caching, or better push method -- with less connections. [ boolSystem "git" [Param "bundle", Param "create", File tmp, Param "HEAD"] diff --git a/README b/README index 99bc000..a568d0f 100644 --- a/README +++ b/README @@ -26,6 +26,14 @@ of which classes and share which configuration. It might be nice to use reclass[1], but then again a host is configured using simply haskell code, and so it's easy to factor out things like classes of hosts as desired. +## security + +Propellor's security model is that the hosts it's used to deploy are +untrusted, and that the central git repository server is untrusted. + +The only trusted machine is the laptop where you run propellor --spin +to connect to a remote host. + ## bootstrapping and private data To bootstrap propellor on a new host, use: propellor --spin $host @@ -47,6 +55,8 @@ in such a file, use: propellor --set $host $field The field name will be something like 'Password "root"'; see PrivData.hs for available fields. + + ## using git://... securely It's often easiest for a remote host to use a git:// or http:// diff --git a/propellor.cabal b/propellor.cabal index c350261..9843da5 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -28,7 +28,7 @@ Executable propellor GHC-Options: -Wall Build-Depends: MissingH, directory, filepath, base >= 4.5, base < 5, IfElse, process, bytestring, hslogger, unix-compat, ansi-terminal, - containers, base64-bytestring + containers if (! os(windows)) Build-Depends: unix
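Review bot: Nothing at the `withTmpFile "propellor.git."` call in the Propellor/CmdLine.hs hunk records what sendGitClone relies on from that helper, although the file it creates receives a git bundle of the repository at HEAD; withTmpFile's definition is not part of this hunk. If the helper does not create the file exclusively with owner-only permissions and remove it when the action finishes, other local users on the machine running --spin could read the bundle, so it is worth confirming and stating above the call, for example `-- tmp holds a bundle of the whole repo; relies on withTmpFile creating it owner-only and deleting it afterwards`. The trailing dot in the new template presumably expects the helper to append a unique suffix, which the same comment could mention. The list passed to `allM id` continues past the end of the hunk.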