diff --git a/NEWS b/NEWS index 7e07d7b9e6f115bab0bad782e4673e77c934f9f5..b59f96060484be7979964df4140df3a17c1ca0f6 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,73 @@ +release/005.000 (2016-11-21) + + This release has a number of breaking changes. + + [duo] base::duo has been completely reworked into a type plus a common + class. Clients which use Duo for their own purposes should create an + instance of base::duo::config, which will create a Duo PAM config file for + them to use. See README.duo for more information. + + [ipmi] A complete rework of base::ipmi. The base::noipmi class no + longer exists. Instead, IPMI support should be disabled by setting + base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should + still be automatically disabled on virtual systems, even when + "ensure => present"; in those cases, the IPMI client tools will still be + installed. Code has been updated for Debian 8 and Ubuntu 16.04. + + [os/debian] All aptitude operations are now performed in a new phase, + called "aptitude". The "aptitude" phase is configured to run before + "main". + + Clients which rely on aptitude being up-to-date must no longer + "require => Exec['aptitude update']". The nature of Puppet phases will + ensure that aptitude is already updated. + + Clients installing their own custom sources are advised to move all of that + into separate classes, and to put those classes into a new phase of their + own. This new phase should "require => Phase['aptitude']" and + "before => Phase['main']", to ensure proper execution sequencing. + + [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt: + + * apt_cache_notin_tmp. If true, use a different directory to store package + scripts that need to be run during package install/upgrade. + + * apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the + directory to use for package scripts. + + [postfix/sender] A new type: base::postfix::sender. This is similar to + base::postfix::recipient, except it is used to rewrite sender addresses + instead of recipient addresses. 
+ + It is suggested that clients use base::postfix::sender to ensure that + emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are + instead being sent 'from' either "noreply@stanford.edu" or + "shared-mailbox@stanford.edu". + + [ssh] A fairly large rework of SSH code. Support has been added for + treating "alternate accounts" (.root, .admin, root., and admin.) the same + as root. Code has also been updated to account for changes to base::duo. + Support has also been added to completely disable password authentication. + Support for Ed25519 keys is also included (though disabled by default). + Finally, pam_afs is now configurable: It can be disabled on systems that do + not use AFS. + + See README.ssh for more information on how to use the code. + + [sudo] Complete rework of base::sudo, including configurable support for + Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is + enabled, anyone on a specified list is able to sudo without a password, but + with a two-step run. Fail-secure is supported, as is using the GECOS field + to specify the username that Puppet should actually use. + + See README.sudo for more information on how to use the code. + + [syslog] Some fixes for Ubuntu. + + [os/debian] Fix the $PATH used by aptitude. + + [puppetclient] Fix a filter-syslog regex error. + release/004.063 (2016-10-17) [ipmi] EL package requires (like EL6, EL7 only has available OpenIPMI,
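Review bot: In the [os/debian] entry, the copy-paste snippets "require => Phase['aptitude']" and "before => Phase['main']" use a resource name that Puppet does not provide. Its built-in ordering construct is the run stage, referenced as Stage['main']. If "phase" here means a run stage, the quoted references should read Stage['aptitude'] and Stage['main'] so that clients following the note end up with a manifest that compiles. If it is a construct specific to this module, the entry should say where it is defined. Separately, since this is flagged as a breaking release, the [sudo] and [ssh] entries should state their defaults the way the Ed25519 line does ("disabled by default"): whether Duo and fail-secure are on by default for sudo, whether "Anyone in the "sudo" or "wheel" group gets sudo access" applies without any opt-in, and whether the alternate-account handling and the password-authentication switch change behaviour on upgrade. In the same [sudo] entry, please confirm that "the username that Puppet should actually use" is not meant to read "Duo".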