Recent changes to this wiki:

diff --git a/doc/setup/byhand/discussion.mdwn b/doc/setup/byhand/discussion.mdwn
index 6fc931a..deb79a8 100644
--- a/doc/setup/byhand/discussion.mdwn
+++ b/doc/setup/byhand/discussion.mdwn
@@ -18,3 +18,5 @@ One possible thing is security: Is it just a precaution or would anyone with "wr
 > to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's
 > security model, because replacing the setup file is sufficient to achieve
 > arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]
+
+>> Thanks. After all found it here: [[security]]. Now I wonder if I always use a file from the master branch, while limiting users to staging, it might fly...
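
Review bot: The added `>>` reply is unsigned, unlike the `--[[smcv]]` reply it answers; add a `--[[user]]` signature. On its last sentence: per the quoted reply just above, anyone who can commit directly to the VCS can replace the setup file, so reading it from master only helps if the users limited to staging have no way to push or merge to master. The reply would be clearer if it stated that condition.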

apache on fedora and suid bit
diff --git a/doc/tips/dot_cgi.mdwn b/doc/tips/dot_cgi.mdwn
index 3fc4048..8667fed 100644
--- a/doc/tips/dot_cgi.mdwn
+++ b/doc/tips/dot_cgi.mdwn
@@ -45,6 +45,8 @@ configuration changes should work anywhere.
 
 	ErrorDocument 404 /cgi-bin/ikiwiki.cgi
 
+* On Fedora (and RHEL, CentOS, and derivatives) you may need to change CGI mode from `06755` to `755` as suid/sgid bit is prohibited by `suexec`. ([Bug 1341568](https://bugzilla.redhat.com/show_bug.cgi?id=1341658))
+
 ## lighttpd
 
 Here is how to enable cgi on [lighttpd](http://www.lighttpd.net/) and
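
Review bot: The link text in the added Fedora bullet says `Bug 1341568` but the URL points to `id=1341658`; two digits are transposed in one of them, so check which is right and make them agree. It would also help to name the setup option being changed (`cgi_wrappermode`) so readers know where `06755` comes from.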

yes, not committing the setup file to the same VCS is a security thing
diff --git a/doc/setup/byhand/discussion.mdwn b/doc/setup/byhand/discussion.mdwn
index 4d009f2..6fc931a 100644
--- a/doc/setup/byhand/discussion.mdwn
+++ b/doc/setup/byhand/discussion.mdwn
@@ -13,3 +13,8 @@ The page says *"Note that this file should **not** be put in your wiki's directo
 One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?
 
  --[[Martian]]
+
+> Anyone with the ability to delete/replace attachments via the web UI, or the ability
+> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's
+> security model, because replacing the setup file is sufficient to achieve
+> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]
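
Review bot: The reason given in the added `>` reply is exactly what the setup page's "should **not** be put in your wiki's directory" note is missing, but this hunk only records it on the discussion page. Consider adding one sentence to the setup page itself, or a link to [[security]], saying that replacing the setup file is enough for code execution as the user running the CGI and VCS hooks.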

Why not put the setup file in git?
diff --git a/doc/setup/byhand/discussion.mdwn b/doc/setup/byhand/discussion.mdwn
index 9419767..4d009f2 100644
--- a/doc/setup/byhand/discussion.mdwn
+++ b/doc/setup/byhand/discussion.mdwn
@@ -5,3 +5,11 @@ What directory is the 'working copy'? There can be two interpretations: the curr
 > copies of all the versioned files, and whatever VCS-specific cruft that
 > entails. So, a working copy is everything you get when you `git clone`
 > a repository. --[[Joey]]
+
+-------------------
+
+The page says *"Note that this file should **not** be put in your wiki's directory with the rest of the files."* Why is that?
+
+One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?
+
+ --[[Martian]]

Added a comment
diff --git a/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_2_c6cd4450fea32e08474e90edf4dd99b9._comment b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_2_c6cd4450fea32e08474e90edf4dd99b9._comment
new file mode 100644
index 0000000..376d3a6
--- /dev/null
+++ b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_2_c6cd4450fea32e08474e90edf4dd99b9._comment
@@ -0,0 +1,44 @@
+[[!comment format=mdwn
+ username="https://me.yahoo.com/zoredache#d4929"
+ nickname="Zoredache"
+ subject="comment 2"
+ date="2016-06-20T19:38:40Z"
+ content="""
+> If there are any error or warning messages, they'd be in your web server's error log
+
+No obvious errors in the log.  When I attempt to attach something, all I see is some stuff from git, that I seem to see with every modification.
+
+    [Mon Jun 20 12:32:29.322642 2016] [cgi:error] [pid 35431] [client 10.2.4.243:51566] AH01215: To /srv/www/notes.example.org/wiki/wiki.git, referer: https://notes.example.org/wikicgi/ikiwiki.cgi
+    [Mon Jun 20 12:32:29.322688 2016] [cgi:error] [pid 35431] [client 10.2.4.243:51566] AH01215:    3afefec..a6ad76c  master -> master, referer: https://notes.example.org/wikicgi/ikiwiki.cgi
+
+> What version of ikiwiki are you using?, Which OS distribution?
+
+I am seeing the same results on a couple systems of various configs.  The newest version is running on a Debian Jessie system with the backports ikiwiki.
+
+    # apt-cache policy ikiwiki
+    ikiwiki:
+      Installed: 3.20160509~bpo8+1
+      Candidate: 3.20160509~bpo8+1
+      Package pin: 3.20160509~bpo8+1
+      Version table:
+     *** 3.20160509~bpo8+1 600
+            100 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
+            100 /var/lib/dpkg/status
+
+> What version of CGI.pm?
+
+    # head -2 /usr/share/perl/5.20.2/CGI.pm 
+    package CGI;
+    require 5.008001;
+    # dpkg -S /usr/share/perl/5.20.2/CGI.pm
+    perl-modules: /usr/share/perl/5.20.2/CGI.pm
+    # apt-cache policy perl-modules
+    perl-modules:
+      Installed: 5.20.2-3+deb8u5
+      Candidate: 5.20.2-3+deb8u5
+      Version table:
+     *** 5.20.2-3+deb8u5 0
+            500 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
+            100 /var/lib/dpkg/status
+
+"""]]
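
Review bot: The answer under "What version of CGI.pm?" does not give the module version: `head -2` shows `require 5.008001;`, which is the minimum Perl version the module needs, and the `apt-cache policy perl-modules` output is the Debian package version. Quoting the output of `perl -MCGI -e 'print $CGI::VERSION'` would answer the question directly. The pasted error-log lines also keep a client address (`10.2.4.243`) although the host names were replaced with `example.org`; redact it the same way if that matters.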

diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index d79bc63..a26c0e5 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -217,3 +217,4 @@ Personal sites and blogs
 * [Mídia Capoeira](https://capoeira.li/blog/) - independent journalism initiative
 * [Sean Whitton's personal website](http://spwhitton.name/)
 * [Matto's personal website](https://box.matto.nl)
+* [Rob Sayers' personal website](http://www.robsayers.com)

Link to a work-in-progress plugin
diff --git a/doc/users/spalax.mdwn b/doc/users/spalax.mdwn
index a9a030c..d9e9c5f 100644
--- a/doc/users/spalax.mdwn
+++ b/doc/users/spalax.mdwn
@@ -13,6 +13,7 @@ I wrote and maintain a few plugins, which are available here: [[https://atelier.
 I have a few things in mind. Their status is something between *I will implement it someday* to *maybe someone could need this* or *I will need it if I implement this killer website I have in mind*.
 
 * [[plugins/contrib/htaccessmanager]]: Create a cgi page to manage a htaccess file.
+* [[forum/Questions_about_a_new_plugin]]
 
 
 # Contact

Added a comment: More thought about the `pageversion` plugin
diff --git a/doc/forum/Questions_about_a_new_plugin/comment_4_5ca8289d6f9d22dfcc4db92e3635bb18._comment b/doc/forum/Questions_about_a_new_plugin/comment_4_5ca8289d6f9d22dfcc4db92e3635bb18._comment
new file mode 100644
index 0000000..63d38dd
--- /dev/null
+++ b/doc/forum/Questions_about_a_new_plugin/comment_4_5ca8289d6f9d22dfcc4db92e3635bb18._comment
@@ -0,0 +1,35 @@
+[[!comment format=mdwn
+ username="spalax"
+ subject="More thought about the `pageversion` plugin"
+ date="2016-06-14T15:36:32Z"
+ content="""
+I like your idea of a pagespec:
+
+    # index.mdwn - assume ... is a glob that matches sismologie but not its subpages
+    [[!report pages=\"first-trail-member(...)\"]]
+
+What I have in mind now, assuming that my website have the following structure:
+
+    $ tree
+    ├── blog.mdwn
+    └── blog
+        ├── bar.mdwn
+        ├── bar
+        │   ├── 20151108.mdwn
+        │   └── 20160413.mdwn
+        ├── foo.mdwn
+        └── foo
+            ├── 20160103.mdwn
+            └── 20160605.mdwn
+
+I can have a plugin that implements:
+
+- a directive ``[[!versionof parent]]`` in every *actual* article (`bar/20151108.mdwn`, `bar/20160413`, `foo/20160103`, `foo/20160605`) which does two things:
+  - it registers the pages as being a version of its parent page;
+  - it displays a text ``Other versions of this article: ...``.
+- a pagespec function ``latestversion``, so that the ``blog.mdwn`` page can list the last version of each article using something like ``[[!report pages=\"*/* and latestversion()]]``;
+- a directive ``[[!redir_to_latest_version]]`` (or a nicer, shorter name) in *'meta'* articles (`foo.mdwn`, `bar.mdwn`), which redirects the page to the latest version of the article (so that ``http://example.com/blog/foo`` redirects to ``http://example.com/blog/foo/20160605`` (the latest version of ``foo``)).
+
+Anyway, thank you very much: it may not be the definitive form yet, but it is already much more clean than it was at the beginning.
+
+"""]]
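
Review bot: In the `latestversion` bullet, the example ``[[!report pages=\"*/* and latestversion()]]`` never closes the `pages` value; add the missing `\"` before `]]`. The first bullet also lists page names inconsistently (`bar/20151108.mdwn` with the extension, `bar/20160413` without).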

Added a comment: more info required
diff --git a/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_1_58867ff018717ff56f362060c38b1aeb._comment b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_1_58867ff018717ff56f362060c38b1aeb._comment
new file mode 100644
index 0000000..48f086b
--- /dev/null
+++ b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page/comment_1_58867ff018717ff56f362060c38b1aeb._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="smcv"
+ subject="more info required"
+ date="2016-06-11T12:17:14Z"
+ content="""
+If there are any error or warning messages, they'd be in your web server's
+error log, for example `/var/log/apache2/error.log` in the default Apache
+configuration on Debian or Ubuntu.
+
+What version of ikiwiki are you using?
+
+Which OS distribution?
+
+What version of CGI.pm?
+"""]]

Added a comment
diff --git a/doc/forum/Questions_about_a_new_plugin/comment_3_4426af9c9bc164b5e0a9c60cb812a445._comment b/doc/forum/Questions_about_a_new_plugin/comment_3_4426af9c9bc164b5e0a9c60cb812a445._comment
new file mode 100644
index 0000000..143ae56
--- /dev/null
+++ b/doc/forum/Questions_about_a_new_plugin/comment_3_4426af9c9bc164b5e0a9c60cb812a445._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="smcv"
+ subject="comment 3"
+ date="2016-06-11T12:14:21Z"
+ content="""
+> It references the relative latest page (.../sismologie and not .../sismologie/20150819), and needs to access the meta information, fields and tags.
+
+I think this might be the right place to \"cut the knot\": instead of indirecting
+through the \"latest\" page, why not something like this? (this is pseudocode
+describing a hypothetical plugin, not something you can do right now):
+
+    # index.mdwn
+    [[!report pages=\"newest(sismologie/*)\" ...]]
+
+Or you could keep the indirection but make it explicit, without introducing
+copying:
+
+    # sismologie.mdwn
+    [[!inline pages=\"./*\" trail=\"yes\" sort=\"age\"]]
+
+    # index.mdwn - assume ... is a glob that matches sismologie but not its subpages
+    [[!report pages=\"first-trail-member(...)\"]]
+
+(`first-trail-member` doesn't exist, but it could.)
+
+Or maybe a distinct data structure:
+
+    # sismologie.mdwn
+    [[!versions pages=\"./*\"]]
+
+    # index.mdwn - assume ... is a glob that matches sismologie but not its subpages
+    [[!report pages=\"version-of(...)\"]]
+"""]]

Added a comment: More information
diff --git a/doc/forum/Questions_about_a_new_plugin/comment_2_d9787194e5b1420f2400da8e023ed228._comment b/doc/forum/Questions_about_a_new_plugin/comment_2_d9787194e5b1420f2400da8e023ed228._comment
new file mode 100644
index 0000000..8fe2505
--- /dev/null
+++ b/doc/forum/Questions_about_a_new_plugin/comment_2_d9787194e5b1420f2400da8e023ed228._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="spalax"
+ subject="More information"
+ date="2016-06-10T18:58:08Z"
+ content="""
+>    [[!if test=\"doc/* and created_after(.)\" all=\"no\"
+>      then=\"\"\"[[!template id=\"note\" text=\"[Newer versions are available|doc]\"]]\"\"\"]]
+
+I like that!
+
+> Why not ask us about your real use-case, in case it turns out that it doesn't match exactly after putting more thought into it? :-)
+
+Good point: I explained what I wanted; I did not explain why.
+
+
+The reason I want the metadata, fields and tags to be copied from the last subpage to the main page is to inline them.
+
+On my professional website (I am a math teacher), I have [a page list](http://paternault.fr/pedago) where I list some activities I do in class. For instance, [I describe here](http://paternault.fr/pedago/sismologie/20150110) how I got my students to learn statistics by debunking a psychic's claim. However, I greatly improved this the following year, and published a [new version of the same article](http://paternault.fr/pedago/sismologie/20150819/).
+
+So far I have three pages: ``.../sismologie/20150110`` and ``.../sismologie/20150819`` (the *actual* articles), and ``.../sismologie/`` (which should reflect the latest article). I want:
+
+- both articles to be available;
+- only the latest one to be visible on the [page list](http://paternault.fr/pedago) (not to highlight outdated articles).
+
+The [page list](http://paternault.fr/pedago) is generated using [the report directive](https://framagit.org/lpaternault/www/blob/bbe26353eda6a6c95c207fb635134765e70ac637/www/pedago.mdwn#L51-55) (from the [[report plugin|plugins/contrib/report]]). It references the relative latest page (``.../sismologie`` and not ``.../sismologie/20150819``), and needs to access the meta information, fields and tags.
+
+Right now, what I do is [copying \"by hand\"](https://framagit.org/lpaternault/www/blob/bbe26353eda6a6c95c207fb635134765e70ac637/www/pedago/sismologie.mdwn#L1-9) the [meta information of the latest article](https://framagit.org/lpaternault/www/blob/bbe26353eda6a6c95c207fb635134765e70ac637/www/pedago/sismologie/20150819.mdwn#L1-4), which can be error prone, and is tedious to keep up to date. I am thinking about the page version plugin I described earlier not to repeat myself.
+
+Sorry for the long post… I hope it is clear enough…
+
+[[Louis|spalax]]
+
+"""]]

diff --git a/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn
index 6a278c5..bc5c064 100644
--- a/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn
+++ b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn
@@ -6,8 +6,6 @@ On the web server the attachment is at `$srcdir/.ikiwiki/attachments/MiscNotes/d
 
 Is this expected?  Is my file being rejected for some reason?  It is about 100k, which is under the value required by the `allowed_attachments`.  Is there some error logs somewhere that I look at to see more information about why this is failing?
 
-Chris
-
 
     # wiki.setup
     ...

diff --git a/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn
new file mode 100644
index 0000000..6a278c5
--- /dev/null
+++ b/doc/forum/Attachment_file_doesn__39__t_get_attached_to_page.mdwn
@@ -0,0 +1,51 @@
+I am trying to use the attachment plugin, but it isn't working the way I expect.
+
+I attempted to add a PDF as an attachment `dns_example.pdf` to a example_page (https://notes.example.org/wiki/MiscNotes/dns_docs_page).  The upload appears to happen, I can click the insert links button and links will be inserted into the page.  When I click the save-page button, the attachment does not appear to be attached.  No errors are displayed.
+
+On the web server the attachment is at `$srcdir/.ikiwiki/attachments/MiscNotes/dns_docs_page/dns_example.pdf`, but doesn't get copied over to the `$destdir` folder at all.  I would expect that it should have been moved to `$srcdir/MiscNotes/dns_docs_page/dns_example.pdf` and added to the git repo, and then copied over to `$destdir`.  Am I missing some setting in my configuration or something?
+
+Is this expected?  Is my file being rejected for some reason?  It is about 100k, which is under the value required by the `allowed_attachments`.  Is there some error logs somewhere that I look at to see more information about why this is failing?
+
+Chris
+
+
+    # wiki.setup
+    ...
+    # where the source of the wiki is located
+    srcdir: /srv/www/notes.example.org/wiki/wiki.wc
+    # where to build the wiki
+    destdir: /srv/www/notes.example.org/wiki/www
+    # base url to the wiki
+    url: https://notes.example.org/wiki
+    # url to the ikiwiki.cgi
+    cgiurl: https://notes.example.org/wikicgi/ikiwiki.cgi
+    # filename of cgi wrapper to generate
+    cgi_wrapper: /srv/www/notes.example.org/wiki/cgi/ikiwiki.cgi
+    # mode for cgi_wrapper (can safely be made suid)
+    cgi_wrappermode: 06755
+    # rcs backend to use
+    rcs: git
+    # plugins to add to the default configuration
+    add_plugins:
+    - httpauth
+    - pagestats
+    - attachment
+    - 404
+    - table
+    - tag
+    - map
+    - search
+    - repolist
+    - brokenlinks
+    - orphans
+    - autoindex
+    - meta
+    - img
+    - txt
+    - template
+    - theme
+    ...
+    # attachment plugin
+    # enhanced PageSpec specifying what attachments are allowed
+    allowed_attachments: maxsize(15mb)
+
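
Review bot: In the posted `wiki.setup`, `allowed_attachments: maxsize(15mb)` limits only the size of an upload, so any file type is accepted from anyone allowed to edit. If only documents such as the PDF in this report are expected, combine it with a type test, for example `mimetype(application/pdf) and maxsize(15mb)`.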

new user: www.s4-ausbau.de
diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 0decaa3..d79bc63 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -97,13 +97,14 @@ Projects & Organizations
 * [[CAS Libres|http://cas-libres.poivron.org]] - A French feminist radio program.
 * [[Les Barricades|http://barricades.int.eu.org]] - A French socialist choir (CSS has been adapted from the one of [[Grésille|http://www.gresille.org]]).
 * [DKØTU Amateur Radio Station](http://www.dk0tu.de), TU Berlin
-* [[Plan A|http://www.plan-a-muenchen.de/]] - A proposal for improvement of the urban public transport in Munich (by PRO BAHN, Bund Naturschutz and others)
+* [[Plan A|http://www.plan-a-muenchen.de/]] - A proposal for improvement of the urban public transport in Munich (by [[PRO BAHN|http://www.pro-bahn.de/]], Bund Naturschutz and others)
 * [[Smuxi IRC Client|https://smuxi.im/]] - powerful IRC client for GNOME
 * [[hplusroadmap|http://diyhpl.us/wiki/]] - a community for open source hardware, do-it-yourself biohacking and practical transhumanism
 * [[OpenAFS|http://wiki.openafs.org]] - an open-source, cross-platform distributed file system
 * [Copyleft.org](http://copyleft.org/)
 * [Hacklab Independência](https://hi.ato.br) - radical tech collective
 * [Piratas XYZ](http://piratas.xyz) - one of [pirate party of brazil](http://partidopirata.org)'s sites
+* [Bürgerinitiative S4-Ausbau](https://www.s4-ausbau.de/) - A initative in the larger munich area to improve the public transport line S4
 
 Personal sites and blogs
 ========================
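
Review bot: Two typos in the added `Bürgerinitiative S4-Ausbau` entry: "A initative" should be "An initiative", and "munich" should be capitalised as "Munich", as in the `Plan A` entry above.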

Added a comment: I'm not so sure that copying metadata is desirable
diff --git a/doc/forum/Questions_about_a_new_plugin/comment_1_52f30b2d89d9223fd367603534d06435._comment b/doc/forum/Questions_about_a_new_plugin/comment_1_52f30b2d89d9223fd367603534d06435._comment
new file mode 100644
index 0000000..0a9d861
--- /dev/null
+++ b/doc/forum/Questions_about_a_new_plugin/comment_1_52f30b2d89d9223fd367603534d06435._comment
@@ -0,0 +1,59 @@
+[[!comment format=mdwn
+ username="smcv"
+ subject="I'm not so sure that copying metadata is desirable"
+ date="2016-06-09T15:09:30Z"
+ content="""
+I'm not so sure that copying metadata around is the right solution to the
+use case that you outlined. If you do that, then `/doc/v2.0/` and `/doc/` will
+be indistinguishable anywhere that pages are listed by their metadata - it's as
+though you'd copied the text content of `doc/v2.0.mdwn` into `doc.mdwn`. For
+example, if it's tagged `readme`, then a list of pages matching `tagged(readme)`
+will have two apparently identical entries, one of which is `/doc/` and the other
+is `/doc/v2.0/`.
+
+Why not do this instead?
+
+```
+# doc/v2.0.mdwn
+[[!tag readme]]
+[[!meta title=\"Foobar documentation, version 2.0\"]]
+
+[[!if test=\"doc/* and created_after(.)\" all=\"no\"
+  then=\"\"\"[[!template id=\"note\" text=\"[Newer versions are available|doc]\"]]\"\"\"]]
+
+Here is new documentation about Foobar.
+
+# doc/v1.0.mdwn
+[[!tag readme]]
+[[!meta title=\"Foobar documentation, version 1.0\"]]
+
+[[!if test=\"doc/* and created_after(.)\" all=\"no\"
+  then=\"\"\"[[!template id=\"note\" text=\"[Newer versions are available|doc]\"]]\"\"\"]]
+
+Here is documentation about Foobar.
+
+# doc.mdwn
+[[!meta title=\"Foobar documentation\"]]
+[[!inline pages=\"doc/*\" limit=\"1\" sort=\"age\" feeds=\"no\" actions=\"no\" raw=\"yes\"]]
+
+Older versions:
+
+[[!inline pages=\"doc/*\" skip=\"1\" archive=\"yes\"]]
+```
+
+... or even (with a bit of new code)
+
+```
+# doc.mdwn
+[[!meta redir_first_match=\"doc/*\" sort=\"age\"]]
+```
+
+In real life you'd probably want to use a special `[[!template]]` for the link
+to the latest version, so that it's easier to make them all consistent, but
+for those examples I'm just using the standard [[templates/note]] and some markup.
+
+> this is not my usecase, but it matches exactly
+
+Why not ask us about your real use-case, in case it turns out that it *doesn't*
+match exactly after putting more thought into it? :-)
+"""]]

Questions about a new plugin
diff --git a/doc/forum/Questions_about_a_new_plugin.mdwn b/doc/forum/Questions_about_a_new_plugin.mdwn
new file mode 100644
index 0000000..970c103
--- /dev/null
+++ b/doc/forum/Questions_about_a_new_plugin.mdwn
@@ -0,0 +1,41 @@
+Hello,
+I have a plugin in mind, but before starting to write some code, I come to you to see if something similar already exists, or if there is an easier way to do it.
+
+# What I want
+
+I want to be able to have several versions of the same page. For instance (this is not my usecase, but it matches exactly), let's say I am developping a software, with several versions published, and I want:
+
+* the latest documentation to be available at ``http://example.com/doc``;
+* the documentation for previous (or current version, with permanent URL) available at ``http://example.com/doc/v2_0``.
+
+What I am thinking about is:
+
+* my wiki has the documentation written in pages `doc/v1_0.mdwn`, `doc/v2_0.mdwn`, and so on;
+* the `doc.mdwn` page contains nothing but code to copy metadata from the latest `doc/*mdwn` page, that is: [[plugins/meta]] information, [[plugins/tag]], and [[plugins/contrib/ymlfront]].
+
+# What I have in mind
+
+What I have in mind is a plugin providing a directive ``pageversion`` such that the `doc.mdwn` page contains only:
+
+    [[!pageversion pages="doc/* and !doc/*/*"]]
+
+This would grab the latest documentation page, copy its content, and copy meta information, tags and fields.
+
+# How to do it
+
+I see two ways to do it, but both have big drawbacks.
+
+* I could, in the ``preprocess`` function of the plugin, copy the *interesting* part of the ``%pagestate`` global variable. In pseudo-code, something like:
+
+      $pagestate{doc}{meta} = $pagestate{doc/v2_0}{meta};
+      $pagestate{doc}{fields} = $pagestate{doc/v2_0}{fields};
+      $pagestate{doc}{tags} = $pagestate{doc/v2_0}{tags}; # This one definitely would not work, but it is pseudo-code
+
+  I fear that some necessary side effects would not occur. For instance, setting date using the [[plugins/meta]] plugin [sets the page creation time at a deeper level](http://source.ikiwiki.branchable.com/?p=source.git;a=blob;f=IkiWiki/Plugin/meta.pm;h=ea099f955ac1c486cdd2baf6636e330a8eae569c;hb=HEAD#l154). Copying ``%pagestate`` would bypass this.
+
+* I could, in the ``preprocess`` function, call the ``preprocess`` function for those three plugins. But this would mean guessing what the original directive arguments were, which can be tricky.
+
+# My questions
+
+* Does something similar already exist?
+* Do you have any better idea about how to do it?
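
Review bot: In the pseudo-code under "How to do it", `$pagestate{doc}{meta} = $pagestate{doc/v2_0}{meta};` copies a hash reference, not the data, so `doc` and `doc/v2_0` would share one `meta` hash and a later change to either page's state would show up in both; a real implementation needs a deep copy. The key `doc/v2_0` also has to be quoted in Perl. Minor: "developping" should be "developing".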

Added a comment: cool!
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_10_600daf7b0498f4fccd06b8852c4ac776._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_10_600daf7b0498f4fccd06b8852c4ac776._comment
new file mode 100644
index 0000000..1cbf36d
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_10_600daf7b0498f4fccd06b8852c4ac776._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="http://schmonz.livejournal.com/"
+ subject="cool!"
+ date="2016-06-07T15:14:00Z"
+ content="""
+Glad it's fixed. Enjoy :-)
+"""]]

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_9_4e6a50817e6df952001407b84a3ccc9b._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_9_4e6a50817e6df952001407b84a3ccc9b._comment
new file mode 100644
index 0000000..1967f8d
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_9_4e6a50817e6df952001407b84a3ccc9b._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="openmedi"
+ subject="comment 9"
+ date="2016-06-07T13:55:27Z"
+ content="""
+>\"What's in your $PATH?\"
+
+This question helped me to solve the problem! I had the order wrong. First came brew, then the os, then pkgsrc. Now the right perl is found and with it imagemagick.
+"""]]

Added a comment: ok
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_8_2829ff122d902050c512cdead7a1aabd._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_8_2829ff122d902050c512cdead7a1aabd._comment
new file mode 100644
index 0000000..6b3745c
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_8_2829ff122d902050c512cdead7a1aabd._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="http://schmonz.livejournal.com/"
+ subject="ok"
+ date="2016-06-07T12:39:41Z"
+ content="""
+I see. Yeah, `pkgin` should work fine too. (Since ikiwiki also depends on perl, if you installed ikiwiki first, you'd get perl that way just as well.)
+
+What's in your `$PATH`? When you get that in-page error, how are you running ikiwiki?
+"""]]

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_7_2ebb00a20c9b2f664fd133568f8af281._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_7_2ebb00a20c9b2f664fd133568f8af281._comment
new file mode 100644
index 0000000..164bb3a
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_7_2ebb00a20c9b2f664fd133568f8af281._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="openmedi"
+ subject="comment 7"
+ date="2016-06-07T11:23:41Z"
+ content="""
+Oh and as regards to the part that fails: If I try to use the img directive, [this is the inline error I see when browsing to the page where the picture should be.](http://imgur.com/oCe0NyM)
+
+\[\[!img Error: Image::Magick is not installed]]
+"""]]

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_6_1ed093f9dde0f785c07d73d25413d6ee._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_6_1ed093f9dde0f785c07d73d25413d6ee._comment
new file mode 100644
index 0000000..fd9ed11
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_6_1ed093f9dde0f785c07d73d25413d6ee._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="openmedi"
+ subject="comment 6"
+ date="2016-06-07T11:19:47Z"
+ content="""
+Hm. Maybe the problem is more that I don't understand what needs to happen to make imagemagick available for ikiwiki. I though it would be enough to install imagemagick and have my prefered perl in the path, but that seems not to be the case? I'm, also not sure what \"`cd www/ikiwiki && make install` automatically brings in Perl\" means. Aren't we installing ikiwiki etc. through pkgsrc with `sudo pkgin -y install ikiwiki`? Am I mistaken that you suggesting building ikiwiki myself? Sorry, if I'm getting things wrong.
+
+What I though would need to happen:
+
+1. [update to the latest branch of joyent pkgsrc](http://pkgsrc.joyent.com/install-on-osx/)
+1. sudo pkgin -y update
+1. sudo pkgin -y full-upgrade
+1. sudo pkgin -y install p5-PerlMagick (this installs all the dependencies, including a useable perl, I thought)
+1. sudo pkgin -y install ikiwiki
+
+This is wrong/not enough?
+"""]]

Add required packages
diff --git a/doc/plugins/contrib/datetime_cmp.mdwn b/doc/plugins/contrib/datetime_cmp.mdwn
index ba35b37..47eaffa 100644
--- a/doc/plugins/contrib/datetime_cmp.mdwn
+++ b/doc/plugins/contrib/datetime_cmp.mdwn
@@ -11,6 +11,8 @@ creation or modification times.
 It also sets the date of the next modification of the page on relevant date, so
 that the page will be rebuilt if the condition changes.
 
+It requires the DateTime::Format::Duration perl module (on Debian : ``apt-get install libdatetime-format-duration-perl``).
+
 ## List of functions
 
 The list of functions is given by the following regexp:

Added a comment: what didn't work with pkgsrc?
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_5_d2abd6f58de45faa3cdee6059a319c2d._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_5_d2abd6f58de45faa3cdee6059a319c2d._comment
new file mode 100644
index 0000000..fc2e9af
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_5_d2abd6f58de45faa3cdee6059a319c2d._comment
@@ -0,0 +1,15 @@
+[[!comment format=mdwn
+ username="http://schmonz.livejournal.com/"
+ subject="what didn't work with pkgsrc?"
+ date="2016-06-06T12:17:22Z"
+ content="""
+I use the `img` plugin on my site. ikiwiki, perl, and imagemagick are all installed from pkgsrc on my laptop (OS X 10.11.5) and server (NetBSD 7.0.1). As the pkgsrc package maintainer for ikiwiki, if something's broken for you, I'd like to fix it.
+
+`cd www/ikiwiki && make install` automatically brings in Perl as one of many runtime dependencies. (Usually it's the most recent stable perl, though at the moment it's still 5.22.2. I'm a little surprised we're not already on 5.24.0.)
+
+If you define `PKG_OPTIONS.ikiwiki+=imagemagick` in `/etc/mk.conf`, then installing ikiwiki will also automatically bring in ImageMagick and its Perl bindings.
+
+If you don't define that option, you can install them yourself with `cd graphics/p5-PerlMagick && make install`.
+
+What have you tried? What happened when you tried?
+"""]]

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_4_0d978e28ad3ec9708e3bd108eb9b3e34._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_4_0d978e28ad3ec9708e3bd108eb9b3e34._comment
new file mode 100644
index 0000000..101d7e9
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_4_0d978e28ad3ec9708e3bd108eb9b3e34._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="openmedi"
+ subject="comment 4"
+ date="2016-06-06T11:08:43Z"
+ content="""
+Since ikiwiki is not part of homebrew, getting everything from homebrew is not an option. And the other way around - installing all from pkgsrc - didn't work either. Any other suggestions?
+"""]]

Update plugins/contrib/compile documentation
diff --git a/doc/plugins/contrib/compile.mdwn b/doc/plugins/contrib/compile.mdwn
index 320d972..d3139e9 100644
--- a/doc/plugins/contrib/compile.mdwn
+++ b/doc/plugins/contrib/compile.mdwn
@@ -106,7 +106,7 @@ using python-like string formatting, and described in the setup options section.
   advertised).
 - `template`: Name of the template to use (if set, the `source` option is
   irrelevant).
-- `var_*`: Any argument with a name starting with ``var_`` is transmitted to the template. For instance, if directive has argument ``var_foo=bar``, then the template will have a variable named ``foo``, and ``<TMPL_VAR FOO>`` will be replaced by ``bar``.
+- `var_*`: Any argument with a name starting with ``var_`` is transmitted to the command and template. For instance, if directive has argument ``var_foo=bar``, then string ``%{foo}s`` in the command will be replaced by ``bar``, and the template will have a variable named ``foo``, and ``<TMPL_VAR FOO>`` will be replaced by ``bar``.
 
 ### Extensions
 
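
Review bot: The rewritten `var_*` bullet now says the value is substituted into the command (``%{foo}s`` becomes ``bar``) but not whether it is quoted or escaped first. Directive arguments come from page text, so the documentation should state how the value is sanitised before it reaches the command, or say that the plugin should only be enabled where every editor is trusted.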

diff --git a/doc/forum/Archive_with_sub-titles.mdwn b/doc/forum/Archive_with_sub-titles.mdwn
new file mode 100644
index 0000000..f5dd02d
--- /dev/null
+++ b/doc/forum/Archive_with_sub-titles.mdwn
@@ -0,0 +1,9 @@
+Hi,
+
+I try to make an (archive-)page of blog entries with subtitles per years, as e.g. on 
+[http://www.pro-bahn.de/muenchen/presse/alle.html](http://www.pro-bahn.de/muenchen/presse/alle.html)
+
+What would be the best way to do that?
+
+
+Andi

refer to openid delegation
diff --git a/doc/plugins/openid.mdwn b/doc/plugins/openid.mdwn
index 82c23fc..4c8e0d3 100644
--- a/doc/plugins/openid.mdwn
+++ b/doc/plugins/openid.mdwn
@@ -35,3 +35,14 @@ certain setups.
 
 See [[plugins/openid/troubleshooting]] for a number of issues that may
 need to be addressed when setting up ikiwiki to accept OpenID logins reliably.
+
+## delegation
+
+This plugin does not take care of doing the "server" part of the
+OpenID protocol, only the "client" part. In other words, it allows
+users to login to your site through OpenID, but is not in itself an
+OpenID provider.
+
+It is possible, however, to use your Ikiwiki site as a delegation
+point to another OpenID provider. For this, use the
+[[ikiwiki/directive/meta/]] directive with the `openid` parameter.
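Review bot: the wikilink `[[ikiwiki/directive/meta/]]` in the last added paragraph has a trailing slash, unlike `[[plugins/openid/troubleshooting]]` a few lines above it; drop the slash for consistency. In the first added paragraph, "login to your site" should use the verb form "log in to your site". A one-line example of the `meta` directive with the `openid` parameter would also help here, since the paragraph only names the parameter.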

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_3_f52851a5b40c2d50aba95796a9b053a8._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_3_f52851a5b40c2d50aba95796a9b053a8._comment
new file mode 100644
index 0000000..52c8d5e
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_3_f52851a5b40c2d50aba95796a9b053a8._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="smcv"
+ subject="comment 3"
+ date="2016-06-03T06:26:02Z"
+ content="""
+Either that, or get all the layers of this stack from Homebrew. Mixing two sources
+of non-OS-provided add-ons seems unlikely to work without specially configuring
+one of them to look in the other's installation directory.
+"""]]

add freedombox as a kind of ikiwiki hosting service
diff --git a/doc/ikiwikiusers.mdwn b/doc/ikiwikiusers.mdwn
index 2ce5f88..0decaa3 100644
--- a/doc/ikiwikiusers.mdwn
+++ b/doc/ikiwikiusers.mdwn
@@ -14,10 +14,11 @@ Ikiwiki Hosting
 ===============
 
 [[!table data="""
-Name                                         | Ikiwiki Configuration                                                             | Costs
-[Branchable](http://branchable.com/)         | Open configuration with [ikiwiki-hosting](http://ikiwiki-hosting.branchable.com/) | Free for free software, otherwise involves fees
-[Piny.be](http://piny.be/)                   | Restricted configuration with [Piny](http://piny.be/piny-code/)                   | Free for non-profit purposes (including open source projects); commercial activity disallowed.
-[FairlyStable.org](http://fairlystable.org/) | Restricted configuration with [Piny](http://piny.be/piny-code/)                   | Free for small projects, otherwise involves fees
+Name                                              | Ikiwiki Configuration                                                             | Costs
+[Branchable](http://branchable.com/)              | Open configuration with [ikiwiki-hosting](http://ikiwiki-hosting.branchable.com/) | Free for free software, otherwise involves fees
+[Piny.be](http://piny.be/)                        | Restricted configuration with [Piny](http://piny.be/piny-code/)                   | Free for non-profit purposes (including open source projects); commercial activity disallowed.
+[FairlyStable.org](http://fairlystable.org/)      | Restricted configuration with [Piny](http://piny.be/piny-code/)                   | Free for small projects, otherwise involves fees
+[FreedomBox](https://wiki.debian.org/FreedomBox/) | Web configuration with Plinth                                                     | Runs on your home's private cloud server
 """]]
 
 Projects & Organizations
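Review bot: the new FreedomBox row puts "Runs on your home's private cloud server" in the Costs column, which says where it runs rather than what it costs, while every other row in that column states a price condition. Either state the cost there or, since the commit message itself calls this "a kind of" hosting service, list FreedomBox outside the hosting table. The "Web configuration with Plinth" cell also does not say whether the configuration is open or restricted, which is what the other rows report in that column.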

Added a comment: why not keep using pkgsrc?
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_2_de1a9589776de198ded1d437ebe0b09c._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_2_de1a9589776de198ded1d437ebe0b09c._comment
new file mode 100644
index 0000000..f40dccc
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_2_de1a9589776de198ded1d437ebe0b09c._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="http://schmonz.livejournal.com/"
+ subject="why not keep using pkgsrc?"
+ date="2016-06-03T01:53:22Z"
+ content="""
+Wouldn't it be simpler, if you're already getting ikiwiki from pkgsrc, to also get ImageMagick and Perl from pkgsrc? If for some reason you don't want that, could you explain why not? --[[schmonz]]
+"""]]

Added a comment
diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_1_e48ac42dac04a00c42faa5766410f92b._comment b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_1_e48ac42dac04a00c42faa5766410f92b._comment
new file mode 100644
index 0000000..faa78b9
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick/comment_1_e48ac42dac04a00c42faa5766410f92b._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="openmedi"
+ subject="comment 1"
+ date="2016-06-02T18:18:40Z"
+ content="""
+[This issue I created with the homebrew people might be helpful.](https://github.com/Homebrew/homebrew-core/issues/1620)
+"""]]

diff --git a/doc/forum/ikiwiki_can__39__t_find_imagemagick.mdwn b/doc/forum/ikiwiki_can__39__t_find_imagemagick.mdwn
new file mode 100644
index 0000000..d3133e9
--- /dev/null
+++ b/doc/forum/ikiwiki_can__39__t_find_imagemagick.mdwn
@@ -0,0 +1 @@
+I am unable to get ikiwiki to find imagemagick. I want to use homebrew to have imagemagick as well as perl in a recent version, but it seems that ikiwiki is unable to locate these installs. ikiwiki itself has been installed via pkgsrc. I'm on OSx 10.11.4.

More about security
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
index 8668692..3e4207e 100644
--- a/doc/plugins/contrib/bibtex2html/discussion.mdwn
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -112,6 +112,10 @@ Right now, it is not possible for the [[plugins/contrib/compile]] plugin to rend
 >>>> which prevents (?) shell injections. This adds the burden of manipulating
 >>>> arrays instead of strings, but security should be improved.
 >>>>
+>>>> But none of those ideas solve the problems you mentionned, being that
+>>>> external commands can do nasty things (the `-oclobberfile` option of
+>>>> `bibtex2html`) or contain bugs (like ImageMagick).
+>>>>
 >>>> If we want to merge this plugin and compile, I think a better idea than the one
 >>>> I proposed at the beginning of the discussion would be to provide two different
 >>>> directives: a `\[[!compile "foo.bar"]]` would compile the file and render it as a

More thought about "bibtex2html" and "compile"
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
index ac05a29..8668692 100644
--- a/doc/plugins/contrib/bibtex2html/discussion.mdwn
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -97,3 +97,38 @@ Right now, it is not possible for the [[plugins/contrib/compile]] plugin to rend
 >>> A clever admin can certainly find out about such a command and
 >>> having a way for that admin to easily hook that into ikiwiki would
 >>> be a powerful tool, with all that implies.  --[[anarcat]]
+
+>>>> Concerning the ability to run arbitrary commands, a [[discussion was
+>>>> started|https://ikiwiki.info/plugins/contrib/compile/discussion/]] by someone
+>>>> who wanted a secure version of this plugin. The idea I had (which has some
+>>>> similarities with what is being discussed here) was to provide a
+>>>> `compile_secure` boolean option to restrict what the user can do (if
+>>>> false, users can run arbitrary commands; if true, users can only run a set of
+>>>> predefined commands). However, since [[fr33domlover]], who started the
+>>>> discussion, did not answer, nothing was implemented.
+>>>>
+>>>> Concerning arbitrary commands, I do not know Perl, but I think it can run
+>>>> commands using something similar to [exec](http://linux.die.net/man/3/exec),
+>>>> which prevents (?) shell injections. This adds the burden of manipulating
+>>>> arrays instead of strings, but security should be improved.
+>>>>
+>>>> If we want to merge this plugin and compile, I think a better idea than the one
+>>>> I proposed at the beginning of the discussion would be to provide two different
+>>>> directives: a `\[[!compile "foo.bar"]]` would compile the file and render it as a
+>>>> link to the compiled file (what the compile plugin does right now), while
+>>>> `\[[!render "foo.bar"]]` would compile the file,
+>>>> and render its content in the current page (whath the bibtex2html plugin
+>>>> does). In fact, providing this
+>>>> `\[[!render ...]]` directive (without the security considerations) seems
+>>>> easy enough to implement, and I might implement it some day (soon, if it
+>>>> solves [[anarcat]] problem and closes the discussion).
+>>>>
+>>>> While I am really happy to see that my plugin sparks some interest, I fear I
+>>>> won't be able to implement what is discussed here, apart from the quick
+>>>> feature I mentionned in the previous paragraph (I have a baby at home, I am
+>>>> moving to another city in a few weeks, and the only code I ever wrote in Perl
+>>>> was to contribute to IkiWiki). However, you have my blessing for making
+>>>> whatever you want with my code: contribute, write a version 2 of it, write a
+>>>> new plugin that makes it obsolete, copy the good ideas and dump the rest, etc.
+>>>>
+>>>> --[[Louis|spalax]]
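Review bot: the `compile_secure` option in the first added paragraph is described with false meaning "users can run arbitrary commands", but the default value is not stated. The proposal should say that the restricted mode is the default and that arbitrary commands are an explicit opt-in. On the `exec` paragraph, the "(?)" can be resolved by pointing at the bibtex2html plugin quoted earlier in this discussion, which already runs its command in Perl with the list form `open(PIPE, "-|", @bibtex_cmd)` and no shell. Typos: "whath", "mentionned".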

link to discussion
diff --git a/doc/plugins/contrib/compile.mdwn b/doc/plugins/contrib/compile.mdwn
index 7a3f585..320d972 100644
--- a/doc/plugins/contrib/compile.mdwn
+++ b/doc/plugins/contrib/compile.mdwn
@@ -42,7 +42,8 @@ A simpler implementation, that only runs a predefined set of commands, may be
 simpler to implement than auditing this whole plugin. For example, the
 [[bibtex2html]] module performs a similar task than the compile module, but
 hardcodes the command used and doesn't call it with `/bin/sh -c`. It could be
-expanded to cover more commands.
+expanded to cover more commands. See this
+[[plugins/contrib/bibtex2html/discussion/]] for a followup on this idea.
 
 ## Rationale
 
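Review bot: in the added sentence, "See this [[plugins/contrib/bibtex2html/discussion/]] for a followup" leaves "this" without a noun and shows the reader a bare page path. Link text in the form already used on this wiki, for example `[[bibtex2html discussion|plugins/contrib/bibtex2html/discussion]]`, reads better, and "followup" should be "follow-up". The unchanged context line "performs a similar task than the compile module" should read "similar task to".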

expand on the exec idea
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
index 60fccff..ac05a29 100644
--- a/doc/plugins/contrib/bibtex2html/discussion.mdwn
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -35,3 +35,65 @@ Right now, it is not possible for the [[plugins/contrib/compile]] plugin to rend
 >> individual vulnerabilities there involved ImageMagick and GraphicsMagick
 >> running arbitrary shell pipelines from delegates.xml that turned out not
 >> to be hardened against invocation by a hostile user. --[[smcv]]
+
+>>> The `exec` plugin would definitely not be marked as "safe": it
+>>> allows wiki administrators to execute arbitrary code as the wiki
+>>> user.
+>>>
+>>> That said, I believe it is possible to craft a configuration that
+>>> *would* be safe to use for *users* in general. Of course, we can't
+>>> exclude foot-shooting here: if an admin misconfigures the plugin,
+>>> they can introduce new attack vectors. But default and sample
+>>> configurations should be secure.
+>>>
+>>> It is with that model in mind that I wrote the bibtex2html plugin: it doesn't
+>>> use the shell to execute bibtex2html:
+>>>
+>>> [[!format perl """my @bibtex_cmd = (qw[bibtex2html -noheader -nofooter -nobibsource -nodoc -q -o -], $near); open(PIPE, "-|", @bibtex_cmd) || error "can't open pipe to @bibtex_cmd: $!";"""]]
+>>>
+>>> I specifically tried to address that case, to make sure users
+>>> can't execute arbitrary code even if the plugin is enabled.
+>>>
+>>> Still: it is tricky! The above pipeline could *still* be
+>>> vulnerable to certain attacks if bibtex2html does some dangerous
+>>> stuff on its own. For example, it could call other executables
+>>> with the shell without checking arguments, and then the filename
+>>> would be expanded into hostile shell commands. Even worse and
+>>> trickier, the filename could be something like `-oclobberfile` and
+>>> one file would be destroyed!
+>>>
+>>> bibtex2html is probably vulnerable to such an attack right now. We
+>>> should check attachments for weird filenames and restrict what is
+>>> allowed to upload and pass to the plugin.
+>>>
+>>> In case you haven't reviewed the [[compile]] plugin in detail,
+>>> what struck me as an interesting model is the way it allows admin
+>>> to configure extensions to pipeline mappings. What I had in mind
+>>> was something like this:
+>>>
+>>>     exec_pipelines:
+>>>     - bib: 'bibtex2html -o- %s'
+>>>     - svg: 'inkscape -o- %s'
+>>>     - tex:
+>>>       - 'pdflatex %s'
+>>>       - 'bibtex %s'
+>>>       - 'pdflatex %s'
+>>>       - 'pdflatex %s'
+>>>
+>>> (forgive my YAML cluelessness, the idea above is to define a hash
+>>> of extension -> (command) mapping.) The command would be broken up
+>>> on spaces into an array and the `%s` element would be replaced by
+>>> the source file, which would be forbidden to use shell
+>>> metacharacters, including prefixed dashes. I believe such a plugin
+>>> could be crafted to be secure with proper configuration
+>>>
+>>> Of course, it's better if there's a native plugin for
+>>> everything. For bibtex, we need to use Text::Bibtex, for
+>>> example. But that basically means rewriting bibtex2html in Perl,
+>>> which not something any user can do easily. And it's an even worse
+>>> problems for documents like Word spreadsheets or Latex
+>>> documents. Only the native commands can do the right thing.
+>>>
+>>> A clever admin can certainly find out about such a command and
+>>> having a way for that admin to easily hook that into ikiwiki would
+>>> be a powerful tool, with all that implies.  --[[anarcat]]
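Review bot: the `exec_pipelines` proposal builds the argument list by splitting a configured string on spaces and then replacing the `%s` element, which cannot express an argument that contains a space and adds a parsing step that has to be right. Since the goal stated above the sample is to avoid the shell, let the setup file hold each command as a list of arguments already, and substitute the source file only into an element that is exactly `%s`. The filename rule ("forbidden to use shell metacharacters, including prefixed dashes") is easier to audit as an allowlist of permitted characters than as a list of forbidden ones, and it should be applied to the path that is actually handed to the command. The `tex` entry runs four commands in sequence, so the proposal should also say what happens when one step fails. Small points: the sample YAML is a list of single-key maps rather than the hash the text describes, the sentence ending "with proper configuration" lacks its full stop, "which not something" is missing "is", and "an even worse problems" should be singular.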

a list of arbitrary shell delegates, what could possibly go wrong?
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
index 3fad876..60fccff 100644
--- a/doc/plugins/contrib/bibtex2html/discussion.mdwn
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -9,3 +9,29 @@ Right now, it is not possible for the [[plugins/contrib/compile]] plugin to rend
 -- [[Louis|spalax]] (author of [[plugins/contrib/compile]])
 
 > Interesting! I am thinking of writing a simpler plugin (maybe called "exec") that would be a merge of the two approaches. There would be an `htmlize` hook to render arbitrary page extensions (based on the configuration) into anything with predefined pipelines. Then a `preprocess` hook would allo directives to inject links to documents or simply inline them like bibtex2html does. The plugin could be secure insofar as the pipelines configured are secure as well. Should that be merged in compile or be a separate plugin? --[[anarcat]]
+
+>> This "arbitrary executable" stuff scares me, and I'm not going to merge anything
+>> like that without a relatively paranoid review. As a result, it could take a while.
+>>
+>> At some point when I have more time and energy I should try to write down what
+>> ikiwiki's security model is. The short version is that the plugins shipped
+>> with ikiwiki should never let wiki editors execute arbitrary code, even if they
+>> have direct VCS access or can alter "safe"-flagged setup options. The ability to
+>> alter non-"safe" setup options is equivalent to access to the uid running the
+>> wiki, and so is the ability to alter the plugins that the wiki uses.
+>>
+>> Defining pipelines or compilation commands in the setup file does not
+>> *directly* contradict that, because the setup option would not be flagged
+>> as safe, but it does provide an easy way to cause a huge
+>> increase in attack surface, particularly when shell scripts are known to
+>> be a difficult thing to write securely. If people want arbitrary compilation,
+>> Perl or XML-RPC (e.g. Python) plugins are probably safer (even if they call
+>> external commands with `IPC::Run` or `subprocess`!), and they would mean that
+>> the authors of the arbitrary-compilation code can't have any illusions about
+>> "oh, this isn't all that security-sensitive, I'm just writing an
+>> ad-hoc command".
+>>
+>> I hope that ImageTragick is still fresh in everyone's minds - many of the
+>> individual vulnerabilities there involved ImageMagick and GraphicsMagick
+>> running arbitrary shell pipelines from delegates.xml that turned out not
+>> to be hardened against invocation by a hostile user. --[[smcv]]

answer: an exec plugin?
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
index 9191e46..3fad876 100644
--- a/doc/plugins/contrib/bibtex2html/discussion.mdwn
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -7,3 +7,5 @@ I do not think that the [[plugins/contrib/compile]] plugin can replace the [[plu
 Right now, it is not possible for the [[plugins/contrib/compile]] plugin to render the *content* of the compiled document. This could be done by providing a `DESTCONTENT` template variable, containing the content of the compiled document. This should not be hard to implement.
 
 -- [[Louis|spalax]] (author of [[plugins/contrib/compile]])
+
+> Interesting! I am thinking of writing a simpler plugin (maybe called "exec") that would be a merge of the two approaches. There would be an `htmlize` hook to render arbitrary page extensions (based on the configuration) into anything with predefined pipelines. Then a `preprocess` hook would allo directives to inject links to documents or simply inline them like bibtex2html does. The plugin could be secure insofar as the pipelines configured are secure as well. Should that be merged in compile or be a separate plugin? --[[anarcat]]
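Review bot: typo in the added reply, "a `preprocess` hook would allo directives" should read "would allow directives". The sentence "The plugin could be secure insofar as the pipelines configured are secure as well" would be clearer if it said who configures the pipelines (the setup file, not page editors), since that is the distinction the rest of the thread turns on.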

tagging htmlizing
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
index 0fad121..fc30343 100644
--- a/doc/plugins/contrib/bibtex2html.mdwn
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -1,4 +1,5 @@
 [[!template id=plugin name=bibtex2html author="[[anarcat]]"]]
+[[!tag type/format]]
 
 Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](https://www.lri.fr/~filliatr/bibtex2html/). It only takes a `bib` file as an argument and dumps whatever bibtex2html returns for it, so it shows *all* the entries, something that is not really possible with the existing [[bibtex]] plugin, as that one requires you to explicitly state every citation you want to show.
 
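Review bot: the added `[[!tag type/format]]` line and the commit message "tagging htmlizing" both present this as a format (htmlize) plugin, but the plugin source on this page registers only `getsetup` and `preprocess` hooks. Either tag it to match what the code does today, or hold the tag until an `htmlize` hook exists, as the paragraph added in the next hunk only says the plugin "could be extended" in that direction.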
@@ -56,6 +57,8 @@ sub bibtex2html {
 1;
 """]]
 
+This could be extended to process `.bib` files directly as source files instead of injecting them in the HTML like this.
+
 The plugin is generic enough that it could be abstracted to do more than just `bibtex2html`, in a manner similar to the [[compile]] plugin. Unfortunately, the [[compile]] plugin gives too much power to the user providing input to the wiki, which can modify even the commands being run in the directives. There is therefore some room here to make generic preprocessor or even htmlize plugin that would take a hash of `extension` -> `command` configuration to turn (say) `.bib` or `.tex` files into HTML or PDF or whatever you fancy.
 
 Obviously, this very plugin should have been implemented with Text::Bibtex because forking to `bibtex2html` is expensive. Yet I haven't found a way to do what this plugin does with the existing [[bibtex]] module. [[bibtex]] could of course be extended and then render this plugin obsolete, but I have found it simpler to just reuse an existing working rendered than rewrite my own in Perl. --[[anarcat]]

expand on the compile review and future work
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
index f5efd93..0fad121 100644
--- a/doc/plugins/contrib/bibtex2html.mdwn
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -56,6 +56,6 @@ sub bibtex2html {
 1;
 """]]
 
-The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add. Update: that tool is the [[compile]] plugin, darn it. I guess the next step here is to review that plugin and figure out how to do exactly this with just the `compile` configuration. Yet this works for me now so I'm unlikely to do that in the short term.
+The plugin is generic enough that it could be abstracted to do more than just `bibtex2html`, in a manner similar to the [[compile]] plugin. Unfortunately, the [[compile]] plugin gives too much power to the user providing input to the wiki, which can modify even the commands being run in the directives. There is therefore some room here to make generic preprocessor or even htmlize plugin that would take a hash of `extension` -> `command` configuration to turn (say) `.bib` or `.tex` files into HTML or PDF or whatever you fancy.
 
-Obviously, this should be implemented through Text::Bibtex as forking is expensive. Yet I haven't found a way to do what this plugin does with the existing [[bibtex]] module. [[bibtex]] could of course be extended and then render this plugin obsolete, but I have found it simpler to just reuse an existing working rendered than rewrite my own in Perl. --[[anarcat]]
+Obviously, this very plugin should have been implemented with Text::Bibtex because forking to `bibtex2html` is expensive. Yet I haven't found a way to do what this plugin does with the existing [[bibtex]] module. [[bibtex]] could of course be extended and then render this plugin obsolete, but I have found it simpler to just reuse an existing working rendered than rewrite my own in Perl. --[[anarcat]]
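Review bot: in the first rewritten paragraph, "gives too much power to the user providing input to the wiki, which can modify even the commands" is ambiguous, because "which" reads as referring to the wiki; "who can modify even the commands run by the directives" says what is meant. "to make generic preprocessor or even htmlize plugin" is missing its articles ("a generic preprocessor or even an htmlize plugin"). The paragraph would also benefit from stating that the `extension` -> `command` hash lives in the setup file, since keeping commands out of editors' hands is the point being made against `compile`.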

move comment at the end
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
index 5432ea3..f5efd93 100644
--- a/doc/plugins/contrib/bibtex2html.mdwn
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -4,8 +4,6 @@ Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](h
 
 It is hopefully secure enough, but I have still marked it as unsafe because I am worried about parameter expansion in bibtex calls from bibtex2html that wouldn't escape those characters properly. The pipeline is called safely, but certain `-flags` could be maliciously added to the filenames somehow.
 
-The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add. Update: that tool is the [[compile]] plugin, darn it. I guess the next step here is to review that plugin and figure out how to do exactly this with just the `compile` configuration. Yet this works for me now so I'm unlikely to do that in the short term.
-
 [[!format perl """
 #!/usr/bin/perl
 package IkiWiki::Plugin::bibtex2html;
@@ -58,4 +56,6 @@ sub bibtex2html {
 1;
 """]]
 
+The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add. Update: that tool is the [[compile]] plugin, darn it. I guess the next step here is to review that plugin and figure out how to do exactly this with just the `compile` configuration. Yet this works for me now so I'm unlikely to do that in the short term.
+
 Obviously, this should be implemented through Text::Bibtex as forking is expensive. Yet I haven't found a way to do what this plugin does with the existing [[bibtex]] module. [[bibtex]] could of course be extended and then render this plugin obsolete, but I have found it simpler to just reuse an existing working rendered than rewrite my own in Perl. --[[anarcat]]

small security review and suggestions
diff --git a/doc/plugins/contrib/compile.mdwn b/doc/plugins/contrib/compile.mdwn
index 7527f26..7a3f585 100644
--- a/doc/plugins/contrib/compile.mdwn
+++ b/doc/plugins/contrib/compile.mdwn
@@ -21,7 +21,9 @@ Some important security notice.
 - This plugins allows user to execute arbitrary commands when compiling the
   wiki.  Use at your own risk. If you use Ikiwiki as a static web site compiler
   (and not a wiki), and you are the only one to compile the wiki, there is no
-  risk.
+  risk. If you *do* allow untrusted users to edit or comment on the wiki, they
+  can use the `compile` directives to execute completely arbitrary code, regardless
+  of configuration safeguards you may put.
 
 - Source files are published, wheter option `source` is true or not. If
   `source` is false, source may not be *advertised*, but it is still available
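Review bot: the first bullet now says "there is no risk" and then, in the added sentence, describes the case where any editor can execute arbitrary code. Lead the bullet with the untrusted-editor case, since that is the warning readers must not miss, and keep the single-user case as the exception. "regardless of configuration safeguards you may put" is incomplete and should read "you may put in place". The surrounding context lines also carry typos worth fixing in the same edit: "This plugins allows user" and "wheter".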
@@ -30,6 +32,18 @@ Some important security notice.
   do not use this plugin if you do not want to publish your source files
     (sorry: I designed this plugin to publish free stuff).
 
+The plugin could be modified to only allow commands to be modified from the
+configuration and it would be safer to use. However, it would still be vulnerable
+to command injection attacks because it uses `qx()` command expansion, which
+runs commands through `/bin/sh -c`. A thorough security review would be in order
+before this should be considered secure running on untrusted input.
+
+A simpler implementation, that only runs a predefined set of commands, may be
+simpler to implement than auditing this whole plugin. For example, the
+[[bibtex2html]] module performs a similar task than the compile module, but
+hardcodes the command used and doesn't call it with `/bin/sh -c`. It could be
+expanded to cover more commands.
+
 ## Rationale
 
 I want to publish some latex files, both source (`.tex`) and compiled (`.pdf`)
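Review bot: the first added paragraph names the problem (`qx()` runs commands through `/bin/sh -c`) but not the replacement; say explicitly that the command should be run as an argument list without a shell, which is what the second paragraph credits the [[bibtex2html]] module with doing. "only allow commands to be modified from the configuration" would be clearer as "only allow commands to be set in the configuration". In the second paragraph, "A simpler implementation ... may be simpler to implement" repeats itself, and "a similar task than the compile module" should be "similar task to".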

more home pages
diff --git a/doc/users/anarcat.mdwn b/doc/users/anarcat.mdwn
index 2bd50c7..38976c3 100644
--- a/doc/users/anarcat.mdwn
+++ b/doc/users/anarcat.mdwn
@@ -1,4 +1,4 @@
-See <https://wiki.koumbit.net/TheAnarcat>
+See <https://anarc.at/>. I have home pages like this on tons of other wikis including [MoinMoin](https://moinmo.in/TheAnarcat), [Wikipedia](https://en.wikipedia.org/wiki/User:TheAnarcat) and [Koumbit](https://wiki.koumbit.net/TheAnarcat).
 
 [[!toc]]
 

Remark on anarcat's remark
diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn
new file mode 100644
index 0000000..9191e46
--- /dev/null
+++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn
@@ -0,0 +1,9 @@
+# [[plugins/contrib/bibtex2html]] and [[plugins/contrib/compile]] plugins
+
+*Answer to [[anarcat]] mentionning [[plugins/contrib/compile]] in the [[plugins/contrib/bibtex2html]] documentation.*
+
+I do not think that the [[plugins/contrib/compile]] plugin can replace the [[plugins/contrib/bibtex2html]] plugin right now: the [[plugins/contrib/compile]] plugin compiles a document, and renders *an HTML link to* the compiled document, whereas (if I am not wrong), the [[plugins/contrib/bibtex2html]] plugin compiles a document, and renders *the content of* the compiled document (which happens to be some HTML code).
+
+Right now, it is not possible for the [[plugins/contrib/compile]] plugin to render the *content* of the compiled document. This could be done by providing a `DESTCONTENT` template variable, containing the content of the compiled document. This should not be hard to implement.
+
+-- [[Louis|spalax]] (author of [[plugins/contrib/compile]])
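Review bot: the `DESTCONTENT` proposal in the last paragraph would place the output of an external compilation command directly into the rendering page, and the text does not say whether that content would be inserted raw or sanitized first. The proposal should state this, because the compiled document is derived from a file that wiki editors can supply. Typo in the italic line: "mentionning".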

compile could have done this as well
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
index eff016d..5432ea3 100644
--- a/doc/plugins/contrib/bibtex2html.mdwn
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -4,7 +4,7 @@ Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](h
 
 It is hopefully secure enough, but I have still marked it as unsafe because I am worried about parameter expansion in bibtex calls from bibtex2html that wouldn't escape those characters properly. The pipeline is called safely, but certain `-flags` could be maliciously added to the filenames somehow.
 
-The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add.
+The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add. Update: that tool is the [[compile]] plugin, darn it. I guess the next step here is to review that plugin and figure out how to do exactly this with just the `compile` configuration. Yet this works for me now so I'm unlikely to do that in the short term.
 
 [[!format perl """
 #!/usr/bin/perl

oops, forgot some changes
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
index b2e95a2..eff016d 100644
--- a/doc/plugins/contrib/bibtex2html.mdwn
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -1,6 +1,8 @@
 [[!template id=plugin name=bibtex2html author="[[anarcat]]"]]
 
-Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](https://www.lri.fr/~filliatr/bibtex2html/). It is hopefully secure enough, but I have still marked it as unsafe because I am worried about parameter expansion in bibtex calls from bibtex2html that wouldn't escape those characters properly. The pipeline is called safely, but certain `-flags` could be maliciously added to the filenames somehow.
+Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](https://www.lri.fr/~filliatr/bibtex2html/). It only takes a `bib` file as an argument and dumps whatever bibtex2html returns for it, so it shows *all* the entries, something that is not really possible with the existing [[bibtex]] plugin, as that one requires you to explicitly state every citation you want to show.
+
+It is hopefully secure enough, but I have still marked it as unsafe because I am worried about parameter expansion in bibtex calls from bibtex2html that wouldn't escape those characters properly. The pipeline is called safely, but certain `-flags` could be maliciously added to the filenames somehow.
 
 The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add.
 
@@ -43,7 +45,7 @@ sub bibtex2html {
     }
     add_depends($params{page}, $near);
     $near = srcfile($near);
-    my @bibtex_cmd = (qw[bibtex2html -charset utf-8 -noheader -nofooter -nobibsource -nodoc -q -o -], $near);
+    my @bibtex_cmd = (qw[bibtex2html -noheader -nofooter -nobibsource -nodoc -q -o -], $near);
     
     open(PIPE, "-|", @bibtex_cmd)
         || error "can't open pipe to @bibtex_cmd: $!";
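Review bot: this hunk drops `-charset utf-8` from `@bibtex_cmd` with no explanation, and the commit message ("oops, forgot some changes") does not say why. The plugin source declares `use open qw{:utf8 :std}`, so the output is still read as UTF-8; if the flag was removed because it was wrong or unsupported, say so in the commit message or a comment, otherwise non-ASCII entries may now be decoded under a different assumption than the one they were written with.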
@@ -55,3 +57,5 @@ sub bibtex2html {
 
 1;
 """]]
+
+Obviously, this should be implemented through Text::Bibtex as forking is expensive. Yet I haven't found a way to do what this plugin does with the existing [[bibtex]] module. [[bibtex]] could of course be extended and then render this plugin obsolete, but I have found it simpler to just reuse an existing working rendered than rewrite my own in Perl. --[[anarcat]]
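Review bot: in the added closing paragraph, "an existing working rendered" should be "renderer", and the CPAN module is spelled `Text::BibTeX`. "forking is expensive" is given as the only reason to prefer a native implementation; the security concern stated at the top of the page (flags smuggled in through filenames) is a second reason and is worth repeating here.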

bibtex2html plugin
diff --git a/doc/plugins/contrib/bibtex2html.mdwn b/doc/plugins/contrib/bibtex2html.mdwn
new file mode 100644
index 0000000..b2e95a2
--- /dev/null
+++ b/doc/plugins/contrib/bibtex2html.mdwn
@@ -0,0 +1,57 @@
+[[!template id=plugin name=bibtex2html author="[[anarcat]]"]]
+
+Trivial plugin to implement [[todo/BibTeX]] support simply using [bibtex2html](https://www.lri.fr/~filliatr/bibtex2html/). It is hopefully secure enough, but I have still marked it as unsafe because I am worried about parameter expansion in bibtex calls from bibtex2html that wouldn't escape those characters properly. The pipeline is called safely, but certain `-flags` could be maliciously added to the filenames somehow.
+
+The plugin is generic enough that I wonder if there's a level of abstraction that exists here that I have missed. If not it would be interesting to add.
+
+[[!format perl """
+#!/usr/bin/perl
+package IkiWiki::Plugin::bibtex2html;
+use warnings;
+use strict;
+use IkiWiki 3.00;
+use open qw{:utf8 :std};
+
+sub import {
+	hook(type => "getsetup", id => "bibtex2html",  call => \&getsetup);
+	hook(type => "preprocess", id => "bibtex2html", call => \&bibtex2html);
+}
+
+sub getsetup () {
+	return
+		plugin => {
+			safe => 0,
+			rebuild => undef,
+                        section => "core",
+		},
+}
+
+sub bibtex2html {
+    my %params=@_;
+
+    # check the files exist
+    my $file=shift;
+    if (! defined $file) {
+        error sprintf(gettext('file parameter is required'));
+    }
+    my $near = bestlink($params{page}, $file);
+    if (! $near) {
+        error sprintf(gettext('cannot find bestlink for "%s"'), $file);
+    }
+    if (! exists $pagesources{$near}) {
+        error sprintf(gettext('cannot find file "%s"'), $near);
+    }
+    add_depends($params{page}, $near);
+    $near = srcfile($near);
+    my @bibtex_cmd = (qw[bibtex2html -charset utf-8 -noheader -nofooter -nobibsource -nodoc -q -o -], $near);
+    
+    open(PIPE, "-|", @bibtex_cmd)
+        || error "can't open pipe to @bibtex_cmd: $!";
+    my $html = join("", <PIPE>);
+    close PIPE;
+    debug "ran @bibtex_cmd: $html";
+    return "<div class=\"bibtex2html\">$html<!-- The above was generated with @bibtex_cmd--></div>";
+}
+
+1;
+"""]]
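Review bot: in `sub bibtex2html`, the result of `close PIPE` is never checked, so if the child exits non-zero the function still returns whatever it managed to read, wrapped in the `<div>`. For a piped open the child's exit status is only known after `close`, so test its return value (and `$?`) and call `error` on failure. The returned string also interpolates `@bibtex_cmd`, which ends with the server-side path from `srcfile($near)`, into an HTML comment: that discloses the source path in every rendered page, and a path containing `-->` would close the comment early. Dropping the comment, or emitting only the fixed flags, avoids both. The page text's own worry about filenames being read as `-flags` can be met by rejecting a `$near` that begins with `-` before the command is built. The same full output is also written to the log by `debug "ran @bibtex_cmd: $html"`, which may be more than is wanted there.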

Added a comment
diff --git a/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_2_81648e1ac2dbe2bc72c9d216f3add6bd._comment b/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_2_81648e1ac2dbe2bc72c9d216f3add6bd._comment
new file mode 100644
index 0000000..13bf2d6
--- /dev/null
+++ b/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_2_81648e1ac2dbe2bc72c9d216f3add6bd._comment
@@ -0,0 +1,7 @@
+[[!comment format=mdwn
+ username="pdurbin"
+ subject="comment 2"
+ date="2016-05-30T11:24:42Z"
+ content="""
+Well, it's already easy to turn off htmlization and preprocessing of cell contents as Markdown by renaming the file with the table directive (which references my TSV file) from \"foo.mdwn\" to \"foo.wiki\" but when I do that the URLs in the TSV file are no longer turned into clickable links. My hack of not processing certain Markdown syntax, such as ignoring \"#\" when it's at the beginning of a cell, is more what I want. Actually, making links clickable is the only Markdown processing of my data that I want.
+"""]]

comment
diff --git a/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_1_eb64f21d919b6d40a5f158683779e03f._comment b/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_1_eb64f21d919b6d40a5f158683779e03f._comment
new file mode 100644
index 0000000..ace732b
--- /dev/null
+++ b/doc/forum/table_plugin_and_Markdown_side_effects_on_data/comment_1_eb64f21d919b6d40a5f158683779e03f._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2016-05-29T19:32:58Z"
+ content="""
+It'd be fine to add a parameter like raw=yes to the table directive to turn
+off htmlization and preprocessing of cell contents.
+"""]]

start discussion on table plugin and Markdown side effects on data
diff --git a/doc/forum/table_plugin_and_Markdown_side_effects_on_data.mdwn b/doc/forum/table_plugin_and_Markdown_side_effects_on_data.mdwn
new file mode 100644
index 0000000..1b09b8e
--- /dev/null
+++ b/doc/forum/table_plugin_and_Markdown_side_effects_on_data.mdwn
@@ -0,0 +1 @@
+I'm running 3.20130904.1ubuntu1 on Ubuntu 14.04 and have a slight problem with the [[plugins/table]] plugin because my TSV file contains cells that start with a "#" (IRC channel names) and the "#" is replaced with an `<h1>` tag. For now I decided to [hack my local installation of ikiwiki](https://github.com/pdurbin/wiki/commit/6addbf7) to replace "#" with the equivalent HTML entity, but I'd be curious to hear some discussion on this problem. I like having my TSV go through the Markdown rendering so that the URLs in the TSV are turned into clickable links. <http://wiki.greptilian.com/haunts> is where you can see me using the table plugin. The hack is in place so that the cells that start with "#" are not turned into `<h1>` tags. I don't particularly want to change my TSV data itself since I want to treat it as data and not introduce HTML entities or some other hacks in the data itself. I guess I just want some more flexibility from the table plugin on how the data is processed as Markdown. Any thoughts on all of this? -- [[users/pdurbin]]

diff --git a/doc/sandbox/discussion.mdwn b/doc/sandbox/discussion.mdwn
index ec651a5..d6a3766 100644
--- a/doc/sandbox/discussion.mdwn
+++ b/doc/sandbox/discussion.mdwn
@@ -5,3 +5,5 @@ Whilst discussing Ikiwiki on IRC, someone pointed out that "This is the SandBox,
 > `nofollow` configuration, so edits to that wiki aren't archived
 > in ikiwiki's git history forever; perhaps with a cron job to
 > reset the sandbox every few days? --[[smcv]]
+
+I've no idea what the hell you guys are talking about. I don't give a shit. I'm just trying out ikiwiki :) 

diff --git a/doc/sandbox.mdwn b/doc/sandbox.mdwn
index 038412d..d7f866c 100644
--- a/doc/sandbox.mdwn
+++ b/doc/sandbox.mdwn
@@ -1,3 +1,7 @@
+###Is this a heading? 
+
+Sure it is. 
+
 Nope my friend.
 
 <<<<<<< HEAD

diff --git a/doc/sandbox/pagestats.mdwn b/doc/sandbox/pagestats.mdwn
index 022e771..45beda9 100644
--- a/doc/sandbox/pagestats.mdwn
+++ b/doc/sandbox/pagestats.mdwn
@@ -1,5 +1,3 @@
-[[tagging]] should be in this list, since it is tagged 'branches':
-
-Everything tagged foo:
+[[tagging]] should be in this list, since it is tagged 'foo':
 
 [[!inline pages="tagged(foo)" archive="yes"]]

diff --git a/doc/sandbox/pagestats.mdwn b/doc/sandbox/pagestats.mdwn
new file mode 100644
index 0000000..022e771
--- /dev/null
+++ b/doc/sandbox/pagestats.mdwn
@@ -0,0 +1,5 @@
+[[tagging]] should be in this list, since it is tagged 'branches':
+
+Everything tagged foo:
+
+[[!inline pages="tagged(foo)" archive="yes"]]

diff --git a/doc/sandbox/tagging.mdwn b/doc/sandbox/tagging.mdwn
index 4467f0a..39a3355 100644
--- a/doc/sandbox/tagging.mdwn
+++ b/doc/sandbox/tagging.mdwn
@@ -1,5 +1,5 @@
 [[!tag foo]]
 
-I'm linking to [[patch]] but I have a taglink to [[!taglink branches]]. I also have a hidden *foo* tag.
+I'm linking to [[patch]] but I have a taglink to [[!taglink branches]]. I also have a hidden *foo* tag. I link to the non-existing page [[bar]].
 
 \[[!inline pages="tagged(branches)" archive="yes"]]

diff --git a/doc/sandbox/tagging.mdwn b/doc/sandbox/tagging.mdwn
index 1dda39a..4467f0a 100644
--- a/doc/sandbox/tagging.mdwn
+++ b/doc/sandbox/tagging.mdwn
@@ -1,3 +1,5 @@
-I'm linking to [[patch]] but I have a taglink to [[!taglink branches]].
+[[!tag foo]]
 
-[[!inline pages="tagged(branches)" archive="yes"]]
+I'm linking to [[patch]] but I have a taglink to [[!taglink branches]]. I also have a hidden *foo* tag.
+
+\[[!inline pages="tagged(branches)" archive="yes"]]

diff --git a/doc/sandbox/tagging.mdwn b/doc/sandbox/tagging.mdwn
index 5fdb9ce..1dda39a 100644
--- a/doc/sandbox/tagging.mdwn
+++ b/doc/sandbox/tagging.mdwn
@@ -1 +1,3 @@
 I'm linking to [[patch]] but I have a taglink to [[!taglink branches]].
+
+[[!inline pages="tagged(branches)" archive="yes"]]

diff --git a/doc/sandbox/tagging.mdwn b/doc/sandbox/tagging.mdwn
new file mode 100644
index 0000000..5fdb9ce
--- /dev/null
+++ b/doc/sandbox/tagging.mdwn
@@ -0,0 +1 @@
+I'm linking to [[patch]] but I have a taglink to [[!taglink branches]].

fix system calls
diff --git a/doc/plugins/contrib/irker.mdwn b/doc/plugins/contrib/irker.mdwn
index bbc24e5..603ee0d 100644
--- a/doc/plugins/contrib/irker.mdwn
+++ b/doc/plugins/contrib/irker.mdwn
@@ -108,14 +108,14 @@ sub genwrapper() {
             symlink($config{'irker_hook'}, $repo . '/hooks/post-receive') || error('failed to symlink: $!');
         }
         my $channels = join(",", @{$config{'irker_channels'}});
-        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $channels);
-        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'wikiname'});
+        system { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $channels);
+        system { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'wikiname'});
         if ($config{'irker_template'}) {
             exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'irker_template'});
         }
     }
     else {
-        exec { 'git' } ('config', '-C', $repo, 'config', '--remove-section', 'irker');
+        system { 'git' } ('config', '-C', $repo, 'config', '--remove-section', 'irker');
         if (-l $repo . '/hooks/post-receive' && 
             readlink($repo . '/hooks/post-receive') =~ m/irkerhook/) {
             unlink($repo . '/hooks/post-receive');
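Review bot: the `exec { 'git' }` inside `if ($config{'irker_template'})` is left as it was while its neighbours become `system`. `exec` replaces the current process and does not return on success, so `genwrapper` would end at that line whenever a template is configured; it should become `system` as well. All three calls in this branch set the same key, `irker.channels`, so the channel list is overwritten first by `$config{'wikiname'}` and then by the template; please check which keys were intended. With the `system { 'git' } LIST` form the first list element is passed as `argv[0]`, so the leading `'config'` is the program name git sees rather than a subcommand, which is worth a comment or a clearer value. None of the `system` return values are checked, and in the first context line `error('failed to symlink: $!')` is single-quoted, so `$!` is printed literally instead of the OS error.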

No, this page is not C++ source code.
This reverts commit c35ab1e75394bd15788bd2479ad11f70c543ce78
diff --git a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
deleted file mode 100644
index 657b86b..0000000
--- a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
+++ /dev/null
@@ -1,126 +0,0 @@
-since my latest jessie upgrade here, charsets are all broken when editing a page. the page i'm trying to edit is [this wishlist](http://anarc.at/wishlist/), and it used to work fine. now, instead of:
-
-`Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah right):`
-
-... as we see in the rendered body right now, when i edit the page i see:
-
-`Voici des choses que vous pouvez m'acheter si vous �tes le P�re Nowel (yeah right):`
-
-... a typical double-encoding nightmare. The actual binary data is this for the word "Père" according to `hd`:
-
-~~~~
-anarcat@marcos:ikiwiki$ echo "Père" | hd
-00000000  50 c3 a8 72 65 0a                                 |P..re.|
-00000006
-anarcat@marcos:ikiwiki$ echo "P�re" | hd
-00000000  50 ef bf bd 72 65 0a                              |P...re.|
-00000007
-~~~~
-
-> I don't know what that is, but it isn't the usual double-UTF-8 encoding:
->
->     >>> u'è'.encode('utf-8')
->     '\xc3\xa8'
->     >>> u'è'.encode('utf-8').decode('latin-1').encode('utf-8')
->     '\xc3\x83\xc2\xa8'
->
-> A packet capture of the incorrect HTTP request/response headers and body
-> might be enlightening? --[[smcv]]
->
-> > Here are the headers according to chromium:
-> > 
-> > ~~~~
-> > GET /ikiwiki.cgi?do=edit&page=wishlist HTTP/1.1
-> > Host: anarc.at
-> > Connection: keep-alive
-> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
-> > User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
-> > Referer: http://anarc.at/wishlist/
-> > Accept-Encoding: gzip,deflate,sdch
-> > Accept-Language: fr,en-US;q=0.8,en;q=0.6
-> > Cookie: openid_provider=openid; ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX
-> > 
-> > HTTP/1.1 200 OK
-> > Date: Mon, 08 Sep 2014 21:22:24 GMT
-> > Server: Apache/2.4.10 (Debian)
-> > Set-Cookie: ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX; path=/; HttpOnly
-> > Vary: Accept-Encoding
-> > Content-Encoding: gzip
-> > Content-Length: 4093
-> > Keep-Alive: timeout=5, max=100
-> > Connection: Keep-Alive
-> > Content-Type: text/html; charset=utf-8
-> > ~~~~
-> > 
-> > ... which seem fairly normal... getting more data than this is a little inconvenient since the data is gzip-encoded and i'm kind of lazy extracting that from the stream. Chromium does seem to auto-detect it as utf8 according to the menus however... not sure what's going on here. I would focus on the following error however, since it's clearly emanating from the CGI... --[[anarcat]]
-
-Clicking on the Cancel button yields the following warning:
-
-~~~~
-Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215.
-~~~~
-
-> Looks as though you might be able to get a Python-style backtrace for this
-> by setting `$Carp::Verbose = 1`.
->
-> The error is that we're taking some string (which string? only a backtrace
-> would tell you) that is already flagged as Unicode, and trying to decode
-> it from byte-blob to Unicode again, analogous to this Python:
->
->     some_bytes.decode('utf-8').decode('utf-8')
->
-> --[[smcv]]
-> > 
-> > I couldn't figure out where to set that Carp thing - it doesn't work simply by setting it in /usr/bin/ikiwiki - so i am not sure how to use this. However, with some debugging code in Encode.pm, i was able to find a case of double-encoding - in the left menu, for example, which is the source of the Encode.pm crash.
-> > 
-> > It seems that some unicode semantics changed in Perl 5.20, or more precisely, in Encode.pm 2.53, according to [this](https://code.activestate.com/lists/perl-unicode/3314/). 5.20 does have significant Unicode changes, but I am not sure they are related (see [perldelta](https://metacpan.org/pod/distribution/perl/pod/perldelta.pod)). Doing more archeology, it seems that Encode.pm is indeed where the problem started, all the way back in [commit 8005a82](https://github.com/dankogai/p5-encode/commit/8005a82d8aa83024d72b14e66d9eb97d82029eeb#diff-f3330aa405ffb7e3fec2395c1fc953ac) (august 2013), taken from [pull request #11](https://github.com/dankogai/p5-encode/pull/11) which expressively forbids double-decoding, in effect failing like python does in the above example you gave (Perl used to silently succeed instead, a rather big change if you ask me).
-> > 
-> > So stepping back, it seems that this would be a bug in Ikiwiki. It could be in any of those places:
-> > 
-> > ~~~~
-> > anarcat@marcos:ikiwiki$ grep -r decode_utf8 IkiWiki* | wc -l
-> > 31
-> > ~~~~
-> > 
-> > Now the fun part is to determine which one should be turned off... or should we duplicate the logic that was removed in decode_utf8, or make a safe_decode_utf8 for ourselves? --[[anarcat]]
-
-The apache logs yield:
-
-~~~~
-[Mon Sep 08 16:17:43.995827 2014] [cgi:error] [pid 2609] [client 192.168.0.3:47445] AH01215: Died at /usr/share/perl5/IkiWiki/CGI.pm line 467., referer: http://anarc.at/ikiwiki.cgi?do=edit&page=wishlist
-~~~~
-
-Interestingly enough, I can't reproduce the bug here (at least in this page). Also, editing the page through git works fine.
-
-I had put ikiwiki on hold during the last upgrade, so it was upgraded separately. The bug happens both with 3.20140613 and 3.20140831. The major thing that happened today is the upgrade from perl 5.18 to 5.20. Here's the output of `egrep '[0-9] (remove|purge|install|upgrade)' /var/log/dpkg.log | pastebinit -b paste.debian.net` to give an idea of what was upgraded today:
-
-http://paste.debian.net/plain/119944
-
-This is a major bug which should probably be fixed before jessie, yet i can't seem to find a severity statement in reportbug that would justify blocking the release based on this - unless we consider non-english speakers as "most" users (i don't know the demographics well enough). It certainly makes ikiwiki completely unusable for my users that operate on the web interface in french... --[[anarcat]]
-
-Note that on this one page, i can't even get the textarea to display and i immediately get `Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215`: http://anarc.at/ikiwiki.cgi?do=edit&page=hardware%2Fserver%2Fmarcos.
-
-Also note that this is the same as [[forum/"Error: cannot decode string with wide characters" on Mageia Linux x86-64 Cauldron]], I believe. The backtrace I get here is:
-
-~~~~
-Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215. Encode::decode_utf8("**Menu**\x{d}\x{a}\x{d}\x{a} * [[\x{fffd} propos|index]]\x{d}\x{a} * [[Logiciels|software]]"...)
-called at /usr/share/perl5/IkiWiki/CGI.pm line 117 IkiWiki::decode_form_utf8(CGI::FormBuilder=HASH(0x2ad63b8))
-called at /usr/share/perl5/IkiWiki/Plugin/editpage.pm line 90 IkiWiki::cgi_editpage(CGI=HASH(0xd514f8), CGI::Session=HASH(0x27797e0))
-called at /usr/share/perl5/IkiWiki/CGI.pm line 443 IkiWiki::__ANON__(CODE(0xfaa460))
-called at /usr/share/perl5/IkiWiki.pm line 2101 IkiWiki::run_hooks("sessioncgi", CODE(0x2520138))
-called at /usr/share/perl5/IkiWiki/CGI.pm line 443 IkiWiki::cgi()
-called at /usr/bin/ikiwiki line 192 eval {...}
-called at /usr/bin/ikiwiki line 192 IkiWiki::main()
-called at /usr/bin/ikiwiki line 231
-~~~~
-
-so this would explain the error on cancel, but doesn't explain the weird encoding i get when editing the page... <sigh>...
-
-... and that leads me to this crazy patch which fixes all the above issue, by avoiding double-decoding... go figure that shit out...
-
-[[!template  id=gitbranch branch=anarcat/dev/safe_unicode author="[[anarcat]]"]] 
-
-> [[Looks good to me|users/smcv/ready]] although I'm not sure how valuable
-> the `$] < 5.02 || ` test is - I'd be tempted to just call `is_utf8`. --[[smcv]]
-
->> [[merged|done]] --[[smcv]]
diff --git a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn
new file mode 100644
index 0000000..657b86b
--- /dev/null
+++ b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn
@@ -0,0 +1,126 @@
+since my latest jessie upgrade here, charsets are all broken when editing a page. the page i'm trying to edit is [this wishlist](http://anarc.at/wishlist/), and it used to work fine. now, instead of:
+
+`Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah right):`
+
+... as we see in the rendered body right now, when i edit the page i see:
+
+`Voici des choses que vous pouvez m'acheter si vous �tes le P�re Nowel (yeah right):`
+
+... a typical double-encoding nightmare. The actual binary data is this for the word "Père" according to `hd`:
+
+~~~~
+anarcat@marcos:ikiwiki$ echo "Père" | hd
+00000000  50 c3 a8 72 65 0a                                 |P..re.|
+00000006
+anarcat@marcos:ikiwiki$ echo "P�re" | hd
+00000000  50 ef bf bd 72 65 0a                              |P...re.|
+00000007
+~~~~
+
+> I don't know what that is, but it isn't the usual double-UTF-8 encoding:
+>
+>     >>> u'è'.encode('utf-8')
+>     '\xc3\xa8'
+>     >>> u'è'.encode('utf-8').decode('latin-1').encode('utf-8')
+>     '\xc3\x83\xc2\xa8'
+>
+> A packet capture of the incorrect HTTP request/response headers and body
+> might be enlightening? --[[smcv]]
+>
+> > Here are the headers according to chromium:
+> > 
+> > ~~~~
+> > GET /ikiwiki.cgi?do=edit&page=wishlist HTTP/1.1
+> > Host: anarc.at
+> > Connection: keep-alive
+> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+> > User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
+> > Referer: http://anarc.at/wishlist/
+> > Accept-Encoding: gzip,deflate,sdch
+> > Accept-Language: fr,en-US;q=0.8,en;q=0.6
+> > Cookie: openid_provider=openid; ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX
+> > 
+> > HTTP/1.1 200 OK
+> > Date: Mon, 08 Sep 2014 21:22:24 GMT
+> > Server: Apache/2.4.10 (Debian)
+> > Set-Cookie: ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX; path=/; HttpOnly
+> > Vary: Accept-Encoding
+> > Content-Encoding: gzip
+> > Content-Length: 4093
+> > Keep-Alive: timeout=5, max=100
+> > Connection: Keep-Alive
+> > Content-Type: text/html; charset=utf-8
+> > ~~~~
+> > 
+> > ... which seem fairly normal... getting more data than this is a little inconvenient since the data is gzip-encoded and i'm kind of lazy extracting that from the stream. Chromium does seem to auto-detect it as utf8 according to the menus however... not sure what's going on here. I would focus on the following error however, since it's clearly emanating from the CGI... --[[anarcat]]
+
+Clicking on the Cancel button yields the following warning:
+
+~~~~
+Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215.
+~~~~
+

(Diff truncated)
This reverts commit cfc5d5d9ed1a5c76212fecd592639aaa3de9b784
diff --git a/doc/index.c b/doc/index.c
deleted file mode 100644
index e0e4016..0000000
--- a/doc/index.c
+++ /dev/null
@@ -1,37 +0,0 @@
-[[!template id=links]]
-
-Ikiwiki is a **wiki compiler**. It converts wiki pages into HTML pages
-suitable for publishing on a website. Ikiwiki stores pages and history in a
-[[revision_control_system|rcs]] such as [[Subversion|rcs/svn]] or [[rcs/Git]].
-There are many other [[features]], including support for
-[[blogging|blog]] and [[podcasting|podcast]], as well as a large
-array of [[plugins]].
-
-Alternatively, think of ikiwiki as a particularly flexible static
-site generator with some dynamic features.
-
-
-
-## using ikiwiki
-
-[[Setup]] has a tutorial for setting up ikiwiki, or you can read the
-[[man_page|usage]]. There are some [[examples]] of things you can do
-with ikiwiki, and some [[tips]].  Basic documentation for ikiwiki plugins
-and syntax is provided [[here|ikiwiki]]. The [[forum]] is open for
-discussions.
-
-All wikis are supposed to have a [[sandbox]], so this one does too.
-
-This site generally runs the latest release of ikiwiki; currently, it runs
-ikiwiki [[!version ]].
-
-## developer resources
-
-The [[RoadMap]] describes where the project is going.
-[[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
-can be submitted and tracked using this wiki.
-
-Ikiwiki is developed by [[Joey]] and many contributors,
-and is [[FreeSoftware]].
-
-
diff --git a/doc/index.mdwn b/doc/index.mdwn
new file mode 100644
index 0000000..e0e4016
--- /dev/null
+++ b/doc/index.mdwn
@@ -0,0 +1,37 @@
+[[!template id=links]]
+
+Ikiwiki is a **wiki compiler**. It converts wiki pages into HTML pages
+suitable for publishing on a website. Ikiwiki stores pages and history in a
+[[revision_control_system|rcs]] such as [[Subversion|rcs/svn]] or [[rcs/Git]].
+There are many other [[features]], including support for
+[[blogging|blog]] and [[podcasting|podcast]], as well as a large
+array of [[plugins]].
+
+Alternatively, think of ikiwiki as a particularly flexible static
+site generator with some dynamic features.
+
+
+
+## using ikiwiki
+
+[[Setup]] has a tutorial for setting up ikiwiki, or you can read the
+[[man_page|usage]]. There are some [[examples]] of things you can do
+with ikiwiki, and some [[tips]].  Basic documentation for ikiwiki plugins
+and syntax is provided [[here|ikiwiki]]. The [[forum]] is open for
+discussions.
+
+All wikis are supposed to have a [[sandbox]], so this one does too.
+
+This site generally runs the latest release of ikiwiki; currently, it runs
+ikiwiki [[!version ]].
+
+## developer resources
+
+The [[RoadMap]] describes where the project is going.
+[[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
+can be submitted and tracked using this wiki.
+
+Ikiwiki is developed by [[Joey]] and many contributors,
+and is [[FreeSoftware]].
+
+

rename bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn to bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
diff --git a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
new file mode 100644
index 0000000..657b86b
--- /dev/null
+++ b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.cpp
@@ -0,0 +1,126 @@
+since my latest jessie upgrade here, charsets are all broken when editing a page. the page i'm trying to edit is [this wishlist](http://anarc.at/wishlist/), and it used to work fine. now, instead of:
+
+`Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah right):`
+
+... as we see in the rendered body right now, when i edit the page i see:
+
+`Voici des choses que vous pouvez m'acheter si vous �tes le P�re Nowel (yeah right):`
+
+... a typical double-encoding nightmare. The actual binary data is this for the word "Père" according to `hd`:
+
+~~~~
+anarcat@marcos:ikiwiki$ echo "Père" | hd
+00000000  50 c3 a8 72 65 0a                                 |P..re.|
+00000006
+anarcat@marcos:ikiwiki$ echo "P�re" | hd
+00000000  50 ef bf bd 72 65 0a                              |P...re.|
+00000007
+~~~~
+
+> I don't know what that is, but it isn't the usual double-UTF-8 encoding:
+>
+>     >>> u'è'.encode('utf-8')
+>     '\xc3\xa8'
+>     >>> u'è'.encode('utf-8').decode('latin-1').encode('utf-8')
+>     '\xc3\x83\xc2\xa8'
+>
+> A packet capture of the incorrect HTTP request/response headers and body
+> might be enlightening? --[[smcv]]
+>
+> > Here are the headers according to chromium:
+> > 
+> > ~~~~
+> > GET /ikiwiki.cgi?do=edit&page=wishlist HTTP/1.1
+> > Host: anarc.at
+> > Connection: keep-alive
+> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+> > User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
+> > Referer: http://anarc.at/wishlist/
+> > Accept-Encoding: gzip,deflate,sdch
+> > Accept-Language: fr,en-US;q=0.8,en;q=0.6
+> > Cookie: openid_provider=openid; ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX
+> > 
+> > HTTP/1.1 200 OK
+> > Date: Mon, 08 Sep 2014 21:22:24 GMT
+> > Server: Apache/2.4.10 (Debian)
+> > Set-Cookie: ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX; path=/; HttpOnly
+> > Vary: Accept-Encoding
+> > Content-Encoding: gzip
+> > Content-Length: 4093
+> > Keep-Alive: timeout=5, max=100
+> > Connection: Keep-Alive
+> > Content-Type: text/html; charset=utf-8
+> > ~~~~
+> > 
+> > ... which seem fairly normal... getting more data than this is a little inconvenient since the data is gzip-encoded and i'm kind of lazy extracting that from the stream. Chromium does seem to auto-detect it as utf8 according to the menus however... not sure what's going on here. I would focus on the following error however, since it's clearly emanating from the CGI... --[[anarcat]]
+
+Clicking on the Cancel button yields the following warning:
+
+~~~~
+Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215.
+~~~~
+
+> Looks as though you might be able to get a Python-style backtrace for this
+> by setting `$Carp::Verbose = 1`.
+>
+> The error is that we're taking some string (which string? only a backtrace
+> would tell you) that is already flagged as Unicode, and trying to decode
+> it from byte-blob to Unicode again, analogous to this Python:
+>
+>     some_bytes.decode('utf-8').decode('utf-8')
+>
+> --[[smcv]]
+> > 
+> > I couldn't figure out where to set that Carp thing - it doesn't work simply by setting it in /usr/bin/ikiwiki - so i am not sure how to use this. However, with some debugging code in Encode.pm, i was able to find a case of double-encoding - in the left menu, for example, which is the source of the Encode.pm crash.
+> > 
+> > It seems that some unicode semantics changed in Perl 5.20, or more precisely, in Encode.pm 2.53, according to [this](https://code.activestate.com/lists/perl-unicode/3314/). 5.20 does have significant Unicode changes, but I am not sure they are related (see [perldelta](https://metacpan.org/pod/distribution/perl/pod/perldelta.pod)). Doing more archeology, it seems that Encode.pm is indeed where the problem started, all the way back in [commit 8005a82](https://github.com/dankogai/p5-encode/commit/8005a82d8aa83024d72b14e66d9eb97d82029eeb#diff-f3330aa405ffb7e3fec2395c1fc953ac) (august 2013), taken from [pull request #11](https://github.com/dankogai/p5-encode/pull/11) which expressively forbids double-decoding, in effect failing like python does in the above example you gave (Perl used to silently succeed instead, a rather big change if you ask me).
+> > 
+> > So stepping back, it seems that this would be a bug in Ikiwiki. It could be in any of those places:
+> > 
+> > ~~~~
+> > anarcat@marcos:ikiwiki$ grep -r decode_utf8 IkiWiki* | wc -l
+> > 31
+> > ~~~~
+> > 
+> > Now the fun part is to determine which one should be turned off... or should we duplicate the logic that was removed in decode_utf8, or make a safe_decode_utf8 for ourselves? --[[anarcat]]
+
+The apache logs yield:
+
+~~~~
+[Mon Sep 08 16:17:43.995827 2014] [cgi:error] [pid 2609] [client 192.168.0.3:47445] AH01215: Died at /usr/share/perl5/IkiWiki/CGI.pm line 467., referer: http://anarc.at/ikiwiki.cgi?do=edit&page=wishlist
+~~~~
+
+Interestingly enough, I can't reproduce the bug here (at least in this page). Also, editing the page through git works fine.
+
+I had put ikiwiki on hold during the last upgrade, so it was upgraded separately. The bug happens both with 3.20140613 and 3.20140831. The major thing that happened today is the upgrade from perl 5.18 to 5.20. Here's the output of `egrep '[0-9] (remove|purge|install|upgrade)' /var/log/dpkg.log | pastebinit -b paste.debian.net` to give an idea of what was upgraded today:
+
+http://paste.debian.net/plain/119944
+
+This is a major bug which should probably be fixed before jessie, yet i can't seem to find a severity statement in reportbug that would justify blocking the release based on this - unless we consider non-english speakers as "most" users (i don't know the demographics well enough). It certainly makes ikiwiki completely unusable for my users that operate on the web interface in french... --[[anarcat]]
+
+Note that on this one page, i can't even get the textarea to display and i immediately get `Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215`: http://anarc.at/ikiwiki.cgi?do=edit&page=hardware%2Fserver%2Fmarcos.
+
+Also note that this is the same as [[forum/"Error: cannot decode string with wide characters" on Mageia Linux x86-64 Cauldron]], I believe. The backtrace I get here is:
+
+~~~~
+Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215. Encode::decode_utf8("**Menu**\x{d}\x{a}\x{d}\x{a} * [[\x{fffd} propos|index]]\x{d}\x{a} * [[Logiciels|software]]"...)
+called at /usr/share/perl5/IkiWiki/CGI.pm line 117 IkiWiki::decode_form_utf8(CGI::FormBuilder=HASH(0x2ad63b8))
+called at /usr/share/perl5/IkiWiki/Plugin/editpage.pm line 90 IkiWiki::cgi_editpage(CGI=HASH(0xd514f8), CGI::Session=HASH(0x27797e0))
+called at /usr/share/perl5/IkiWiki/CGI.pm line 443 IkiWiki::__ANON__(CODE(0xfaa460))
+called at /usr/share/perl5/IkiWiki.pm line 2101 IkiWiki::run_hooks("sessioncgi", CODE(0x2520138))
+called at /usr/share/perl5/IkiWiki/CGI.pm line 443 IkiWiki::cgi()
+called at /usr/bin/ikiwiki line 192 eval {...}
+called at /usr/bin/ikiwiki line 192 IkiWiki::main()
+called at /usr/bin/ikiwiki line 231
+~~~~
+
+so this would explain the error on cancel, but doesn't explain the weird encoding i get when editing the page... <sigh>...
+
+... and that leads me to this crazy patch which fixes all the above issue, by avoiding double-decoding... go figure that shit out...
+
+[[!template  id=gitbranch branch=anarcat/dev/safe_unicode author="[[anarcat]]"]] 
+
+> [[Looks good to me|users/smcv/ready]] although I'm not sure how valuable
+> the `$] < 5.02 || ` test is - I'd be tempted to just call `is_utf8`. --[[smcv]]
+
+>> [[merged|done]] --[[smcv]]
diff --git a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn b/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn
deleted file mode 100644
index 657b86b..0000000
--- a/doc/bugs/garbled_non-ascii_characters_in_body_in_web_interface.mdwn
+++ /dev/null
@@ -1,126 +0,0 @@
-since my latest jessie upgrade here, charsets are all broken when editing a page. the page i'm trying to edit is [this wishlist](http://anarc.at/wishlist/), and it used to work fine. now, instead of:
-
-`Voici des choses que vous pouvez m'acheter si vous êtes le Père Nowel (yeah right):`
-
-... as we see in the rendered body right now, when i edit the page i see:
-
-`Voici des choses que vous pouvez m'acheter si vous �tes le P�re Nowel (yeah right):`
-
-... a typical double-encoding nightmare. The actual binary data is this for the word "Père" according to `hd`:
-
-~~~~
-anarcat@marcos:ikiwiki$ echo "Père" | hd
-00000000  50 c3 a8 72 65 0a                                 |P..re.|
-00000006
-anarcat@marcos:ikiwiki$ echo "P�re" | hd
-00000000  50 ef bf bd 72 65 0a                              |P...re.|
-00000007
-~~~~
-
-> I don't know what that is, but it isn't the usual double-UTF-8 encoding:
->
->     >>> u'è'.encode('utf-8')
->     '\xc3\xa8'
->     >>> u'è'.encode('utf-8').decode('latin-1').encode('utf-8')
->     '\xc3\x83\xc2\xa8'
->
-> A packet capture of the incorrect HTTP request/response headers and body
-> might be enlightening? --[[smcv]]
->
-> > Here are the headers according to chromium:
-> > 
-> > ~~~~
-> > GET /ikiwiki.cgi?do=edit&page=wishlist HTTP/1.1
-> > Host: anarc.at
-> > Connection: keep-alive
-> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
-> > User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
-> > Referer: http://anarc.at/wishlist/
-> > Accept-Encoding: gzip,deflate,sdch
-> > Accept-Language: fr,en-US;q=0.8,en;q=0.6
-> > Cookie: openid_provider=openid; ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX
-> > 
-> > HTTP/1.1 200 OK
-> > Date: Mon, 08 Sep 2014 21:22:24 GMT
-> > Server: Apache/2.4.10 (Debian)
-> > Set-Cookie: ikiwiki_session_anarcat=XXXXXXXXXXXXXXXXXXXXXXX; path=/; HttpOnly
-> > Vary: Accept-Encoding
-> > Content-Encoding: gzip
-> > Content-Length: 4093
-> > Keep-Alive: timeout=5, max=100
-> > Connection: Keep-Alive
-> > Content-Type: text/html; charset=utf-8
-> > ~~~~
-> > 
-> > ... which seem fairly normal... getting more data than this is a little inconvenient since the data is gzip-encoded and i'm kind of lazy extracting that from the stream. Chromium does seem to auto-detect it as utf8 according to the menus however... not sure what's going on here. I would focus on the following error however, since it's clearly emanating from the CGI... --[[anarcat]]
-
-Clicking on the Cancel button yields the following warning:
-
-~~~~
-Error: Cannot decode string with wide characters at /usr/lib/x86_64-linux-gnu/perl/5.20/Encode.pm line 215.
-~~~~
-

(Diff truncated)
rename index.mdwn to index.c
diff --git a/doc/index.c b/doc/index.c
new file mode 100644
index 0000000..e0e4016
--- /dev/null
+++ b/doc/index.c
@@ -0,0 +1,37 @@
+[[!template id=links]]
+
+Ikiwiki is a **wiki compiler**. It converts wiki pages into HTML pages
+suitable for publishing on a website. Ikiwiki stores pages and history in a
+[[revision_control_system|rcs]] such as [[Subversion|rcs/svn]] or [[rcs/Git]].
+There are many other [[features]], including support for
+[[blogging|blog]] and [[podcasting|podcast]], as well as a large
+array of [[plugins]].
+
+Alternatively, think of ikiwiki as a particularly flexible static
+site generator with some dynamic features.
+
+
+
+## using ikiwiki
+
+[[Setup]] has a tutorial for setting up ikiwiki, or you can read the
+[[man_page|usage]]. There are some [[examples]] of things you can do
+with ikiwiki, and some [[tips]].  Basic documentation for ikiwiki plugins
+and syntax is provided [[here|ikiwiki]]. The [[forum]] is open for
+discussions.
+
+All wikis are supposed to have a [[sandbox]], so this one does too.
+
+This site generally runs the latest release of ikiwiki; currently, it runs
+ikiwiki [[!version ]].
+
+## developer resources
+
+The [[RoadMap]] describes where the project is going.
+[[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
+can be submitted and tracked using this wiki.
+
+Ikiwiki is developed by [[Joey]] and many contributors,
+and is [[FreeSoftware]].
+
+
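Review bot: the new file is named `doc/index.c`, but its body is unchanged wiki markup (`[[!template id=links]]`, `## using ikiwiki`, the same blob `e0e4016` as the deleted `doc/index.mdwn`), so none of it is C source and the front page would stop being a `.mdwn` page. The commit message gives no reason for the rename; the content should go back to `doc/index.mdwn`, and a trial rename belongs on the sandbox page that this text itself mentions.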
diff --git a/doc/index.mdwn b/doc/index.mdwn
deleted file mode 100644
index e0e4016..0000000
--- a/doc/index.mdwn
+++ /dev/null
@@ -1,37 +0,0 @@
-[[!template id=links]]
-
-Ikiwiki is a **wiki compiler**. It converts wiki pages into HTML pages
-suitable for publishing on a website. Ikiwiki stores pages and history in a
-[[revision_control_system|rcs]] such as [[Subversion|rcs/svn]] or [[rcs/Git]].
-There are many other [[features]], including support for
-[[blogging|blog]] and [[podcasting|podcast]], as well as a large
-array of [[plugins]].
-
-Alternatively, think of ikiwiki as a particularly flexible static
-site generator with some dynamic features.
-
-
-
-## using ikiwiki
-
-[[Setup]] has a tutorial for setting up ikiwiki, or you can read the
-[[man_page|usage]]. There are some [[examples]] of things you can do
-with ikiwiki, and some [[tips]].  Basic documentation for ikiwiki plugins
-and syntax is provided [[here|ikiwiki]]. The [[forum]] is open for
-discussions.
-
-All wikis are supposed to have a [[sandbox]], so this one does too.
-
-This site generally runs the latest release of ikiwiki; currently, it runs
-ikiwiki [[!version ]].
-
-## developer resources
-
-The [[RoadMap]] describes where the project is going.
-[[Bugs]], [[TODO]] items, [[wishlist]] items, and [[patches|patch]]
-can be submitted and tracked using this wiki.
-
-Ikiwiki is developed by [[Joey]] and many contributors,
-and is [[FreeSoftware]].
-
-

diff --git a/doc/tips/monitor_page_changes_through_IRC.mdwn b/doc/tips/monitor_page_changes_through_IRC.mdwn
index d1b6113..94f0944 100644
--- a/doc/tips/monitor_page_changes_through_IRC.mdwn
+++ b/doc/tips/monitor_page_changes_through_IRC.mdwn
@@ -17,6 +17,10 @@ there are basically two alternatives now:
 * [KGB](https://kgb.alioth.debian.org/) - a Perl script that has been running at Debian since 2009
 * [irker](http://www.catb.org/esr/irker/) - a Python script whipped up by ESR in the fall of CIA.vc (~2011), ignoring the existing KGB bot
 
-KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. I built the [[plugins/contrib/irker]] plugin to automatically configure notifications with irker. --[[anarcat]]
+KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience.
+
+I built the [[plugins/contrib/irker]] plugin to automatically configure notifications with irker. I chose irker because it could be configured per wiki, without having to touch a central configuration as would be required for KGB.--[[anarcat]]
+
+There is also a public service named [Notifico](http://n.tkte.ch/) that aims to replace the defunct [CIA.vc](http://cia.vc/) but it still requires server-side software configuration, so I think it is worth it. Same for [Pursuivant](https://martinsandsmark.wordpress.com/2012/11/20/irc-commit-notifications/). There is also a plethora of commercial notification services which are obviously not covered here.
 
 See also [[todo/ikibot]] for another bot idea.
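Review bot: in the added Notifico paragraph, "it still requires server-side software configuration, so I think it is worth it" reads as the opposite of what the preceding "but" sets up; if the intent is that these services are not worth the effort, the sentence should say so. The first `+` line also carries over the unfinished clause "as it , but more reliable", and `for KGB.--[[anarcat]]` is missing the space before the signature.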

revert test edit
This reverts commit 4a8bf62f44738fcc6c49d24295d9668bb247a88f
diff --git a/doc/ikiwiki/formatting.mdwn b/doc/ikiwiki/formatting.mdwn
index f809fff..befbce9 100644
--- a/doc/ikiwiki/formatting.mdwn
+++ b/doc/ikiwiki/formatting.mdwn
@@ -10,9 +10,6 @@ Leave blank lines between paragraphs.
 You can *\*emphasise\** or **\*\*strongly emphasise\*\*** text by placing it
 in single or double asterisks.
 
------
-**Open-source software** may be developed in a *collaborative* public manner.
----
 To create a list, start each line with an asterisk:
 
 * "* this is my list"

diff --git a/doc/ikiwiki/formatting.mdwn b/doc/ikiwiki/formatting.mdwn
index befbce9..f809fff 100644
--- a/doc/ikiwiki/formatting.mdwn
+++ b/doc/ikiwiki/formatting.mdwn
@@ -10,6 +10,9 @@ Leave blank lines between paragraphs.
 You can *\*emphasise\** or **\*\*strongly emphasise\*\*** text by placing it
 in single or double asterisks.
 
+-----
+**Open-source software** may be developed in a *collaborative* public manner.
+---
 To create a list, start each line with an asterisk:
 
 * "* this is my list"
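Review bot: the three added lines (`-----`, the **Open-source software** sentence, `---`) sit between the emphasis paragraph and the list instructions of the formatting help page, illustrate nothing that page explains, and arrive without a commit message. They should be dropped; trial edits belong on a sandbox page, not in the help text.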

Revert vandalism
diff --git a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
index a669413..f4f2f26 100644
--- a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
+++ b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
@@ -26,6 +26,10 @@ The `moderatedcomments` plugins is **not** enabled
 
 The `anonok` plugin is **not** enabled
 
+> What are your complete `add_plugins` and `disable_plugins` options?
+> Which version of ikiwiki are you running? Are you using any third-party
+> plugins or patches? --[[smcv]]
+
 ---
 
 ## Steps
@@ -57,3 +61,12 @@ For [this particular installation](https://dev.iikb.xyz), that's not the case.
 ## Question
 
 Is there a session file or something to logout this phantom user?
+
+> See [[tips/inside_dot_ikiwiki]]. `.ikiwiki/userdb` is a Perl Storable file;
+> there are instructions for inspecting it on that page. `.ikiwiki/sessions.db`
+> is most likely a Berkeley DB file.
+>
+> I would be interested to see the contents of these two files and the complete
+> `.setup` file. I would also be interested to see a tarball of the entire
+> wiki source directory, if it isn't excessively large. If you'd be willing to
+> share them, please contact <mailto:smcv@debian.org>. --[[smcv]]
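Review bot: the reply added under `## Question` asks for `.ikiwiki/userdb`, `.ikiwiki/sessions.db`, the complete `.setup` file and a tarball of the source directory, and only the `mailto:` link implies that they should travel privately. Say so outright (send them by mail, do not attach or paste them on this page), since a user database and a session store describe the accounts and logins of the reporter's site.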
diff --git a/doc/bugs/password_reset_failure.mdwn b/doc/bugs/password_reset_failure.mdwn
new file mode 100644
index 0000000..1e40981
--- /dev/null
+++ b/doc/bugs/password_reset_failure.mdwn
@@ -0,0 +1,22 @@
+I can't seem to do a password reset on this wiki. I am writing this
+through the anonymous git push interface (phew for that!).
+
+I have tried three times now to reset my password through the user
+interface - my account name is [[anarcat]], and when i do the password
+reset, I get a token. I go visit the website, set a passphrase, click
+`Save Preferences` and I end up on a login form. I enter my
+passphrase, click `Login` and I get the error:
+
+    1 error(s) were encountered with your submission. Please correct the fields highlighted below.
+    
+    Name
+    [anarcat]
+    
+    Password
+    [*************] Invalid entry
+
+`Password` is highlighted.
+
+Even if I leave the password there (my cleartext password is in the
+login form by default after the password reset, which is strange), it
+still gives me that error. -- [[anarcat]]
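Review bot: the parenthesis in the last paragraph, that the cleartext password is pre-filled in the login form after the reset, is a second problem separate from the `Invalid entry` failure and should be filed as its own report rather than left as an aside. The report also gives no indication of whether the same token was reused across the three attempts, which would help narrow down the failure.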
diff --git a/doc/plugins/contrib/irker.mdwn b/doc/plugins/contrib/irker.mdwn
new file mode 100644
index 0000000..bbc24e5
--- /dev/null
+++ b/doc/plugins/contrib/irker.mdwn
@@ -0,0 +1,128 @@
+[[!template id=plugin name=irker author="[[anarcat]]"]]
+[[!tag type/special-purpose]]
+
+This plugin will configure your wiki to send IRC notifications using the [irker](http://www.catb.org/esr/irker/) notification bot.
+
+It is fairly simple and requires no configuration but installation of the irker package. For template configuration, patches from [Debian bug #824512](https://bugs.debian.org/824512) are necessary.
+
+[[!format perl """
+package IkiWiki::Plugin::irker;
+
+use warnings;
+use strict;
+use IkiWiki 3.00;
+
+sub import {
+    hook(type => "getsetup", id => "irker", call => \&getsetup);
+    hook(type => "checkconfig", id => "branchable", call => \&checkconfig,
+         first => 1);
+    hook(type => "genwrapper", id => "irker", call => \&genwrapper,
+         last => 1);
+}
+
+sub getsetup() {
+	return
+		plugin => {
+			safe => 0,
+			rebuild => undef,
+			section => "core",
+		},
+		irker_channels => {
+			type => "string",
+			example => ['ircs://irc.example.com/example'],
+			description => "IRC channels to send notifications to",
+			safe => 1,
+			rebuild => 0,
+		},
+		irker_template => {
+			type => "string",
+			example => "'%(bold)s%(project)s:%(reset)s %(green)s%(author)s%(reset)s %(repo)s:%(yellow)s%(branch)s%(reset)s * %(bold)s%(rev)s%(reset)s / %(bold)s%(files)s%(reset)s: %(logmsg)s %(brown)s%(url)s%(reset)s",
+			description => "Template to use for messages. Only supported with patch from https://bugs.debian.org/824512",
+			safe => 1,
+			rebuild => 0,
+		},
+		irker_hook => {
+			type => "string",
+			example => "irkerhook-git",
+			description => 'Hook to setup for notifications, will look in $PATH if File::Which is available, otherwise use absolute path.',
+			safe => 1,
+			rebuild => 0,
+		},
+}
+
+sub checkconfig {
+    use URI; # ikiwiki Depends on it
+    foreach my $channel (@{$config{'irker_channels'}}) {
+        my $uri = URI->new( $channel );
+        # inspired by http://stackoverflow.com/a/2599378/1174784
+        # and http://stackoverflow.com/a/4953329/1174784
+        if (!$uri->scheme || $uri->path =~ m/^([#&]?[^\x07\x2C\s]{,200})/) {
+            error("$channel is not a valid IRC channel URI");
+        }
+    }
+    # check if hook exists
+    if (-x $config{irker_hook}) {
+        # shortcut: already configured
+        return;
+    }
+    eval q{use File::Which};
+    # check with which, i available
+    if (!$@) {
+        my $hook;
+        if (!defined $config{'irker_hook'}) {
+            $config{'irker_hook'} = 'irkerhook-git';
+        }
+        $hook = which($config{'irker_hook'});
+        if (defined $hook) {
+            $config{'irker_hook'} = $hook;
+        }
+        else {
+            error("irker hook '$config{irker_hook}' not found in PATH");
+        }
+    }
+    if (!-x $config{irker_hook}) {
+        error("irker hook '$config{irker_hook}' not executable");
+    }
+}
+
+# Parses git_wrapper to find out where the git repository is.
+# cargo-culted from branchable.pm
+sub find_git_repository {
+	if ($config{rcs} eq 'git' &&
+	    $config{git_wrapper}=~m!^(.*)/hooks/post-update$!) {
+		return $1;
+	}
+	else {
+		return undef;
+	}
+}
+
+# setup the hook symlink and git configuration
+sub genwrapper() {
+    my $repo=find_git_repository();
+    if (defined $repo && defined $config{'irker_channels'}) {
+        if (!-l $repo . '/hooks/post-receive') {
+            if (-e $repo . '/hooks/post-receive') {
+                error('post-receive hook exists and is not a symlink, failed to setup hook');
+            }
+            symlink($config{'irker_hook'}, $repo . '/hooks/post-receive') || error('failed to symlink: $!');
+        }
+        my $channels = join(",", @{$config{'irker_channels'}});
+        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $channels);
+        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'wikiname'});
+        if ($config{'irker_template'}) {
+            exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'irker_template'});
+        }
+    }
+    else {
+        exec { 'git' } ('config', '-C', $repo, 'config', '--remove-section', 'irker');
+        if (-l $repo . '/hooks/post-receive' && 
+            readlink($repo . '/hooks/post-receive') =~ m/irkerhook/) {
+            unlink($repo . '/hooks/post-receive');
+        }
+    }
+    return "";
+}
+
+1
+"""]]
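Review bot: in `getsetup`, `irker_hook` is declared `safe => 1`, yet `genwrapper` symlinks whatever that option names to `hooks/post-receive`, so its value decides which program runs on every push. It should be `safe => 0`, like the `plugin` entry above it, so that it cannot be changed through unsafe configuration methods such as the web interface. In `checkconfig`, the channel test raises the error when `$uri->path` matches the pattern rather than when it fails to match, `-x $config{irker_hook}` is evaluated before the `irkerhook-git` default is assigned (and that default is never assigned when `File::Which` is missing), and the hook is registered with `id => "branchable"` instead of `"irker"`.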
diff --git a/doc/tips/monitor_page_changes_through_IRC.mdwn b/doc/tips/monitor_page_changes_through_IRC.mdwn
index b958b89..d1b6113 100644
--- a/doc/tips/monitor_page_changes_through_IRC.mdwn
+++ b/doc/tips/monitor_page_changes_through_IRC.mdwn
@@ -17,6 +17,6 @@ there are basically two alternatives now:
 * [KGB](https://kgb.alioth.debian.org/) - a Perl script that has been running at Debian since 2009
 * [irker](http://www.catb.org/esr/irker/) - a Python script whipped up by ESR in the fall of CIA.vc (~2011), ignoring the existing KGB bot
 
-KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. --[[anarcat]]
+KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. I built the [[plugins/contrib/irker]] plugin to automatically configure notifications with irker. --[[anarcat]]

(Diff truncated)
This reverts commit 855a7b5c6cabdd095253da8a3ff89f769d657b27
diff --git a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
index f4f2f26..a669413 100644
--- a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
+++ b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
@@ -26,10 +26,6 @@ The `moderatedcomments` plugins is **not** enabled
 
 The `anonok` plugin is **not** enabled
 
-> What are your complete `add_plugins` and `disable_plugins` options?
-> Which version of ikiwiki are you running? Are you using any third-party
-> plugins or patches? --[[smcv]]
-
 ---
 
 ## Steps
@@ -61,12 +57,3 @@ For [this particular installation](https://dev.iikb.xyz), that's not the case.
 ## Question
 
 Is there a session file or something to logout this phantom user?
-
-> See [[tips/inside_dot_ikiwiki]]. `.ikiwiki/userdb` is a Perl Storable file;
-> there are instructions for inspecting it on that page. `.ikiwiki/sessions.db`
-> is most likely a Berkeley DB file.
->
-> I would be interested to see the contents of these two files and the complete
-> `.setup` file. I would also be interested to see a tarball of the entire
-> wiki source directory, if it isn't excessively large. If you'd be willing to
-> share them, please contact <mailto:smcv@debian.org>. --[[smcv]]
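Review bot: no reason is given for removing the two `--[[smcv]]` replies (the question about `add_plugins`, `disable_plugins` and the version, and the pointer to [[tips/inside_dot_ikiwiki]]); the commit message is only the hash being reverted. Removing another contributor's signed comments needs a stated justification, and without one the replies should stay.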

This reverts commit 2d1615c340407cd21ba478449ea1444bb46432ca
diff --git a/doc/bugs/password_reset_failure.mdwn b/doc/bugs/password_reset_failure.mdwn
deleted file mode 100644
index 1e40981..0000000
--- a/doc/bugs/password_reset_failure.mdwn
+++ /dev/null
@@ -1,22 +0,0 @@
-I can't seem to do a password reset on this wiki. I am writing this
-through the anonymous git push interface (phew for that!).
-
-I have tried three times now to reset my password through the user
-interface - my account name is [[anarcat]], and when i do the password
-reset, I get a token. I go visit the website, set a passphrase, click
-`Save Preferences` and I end up on a login form. I enter my
-passphrase, click `Login` and I get the error:
-
-    1 error(s) were encountered with your submission. Please correct the fields highlighted below.
-    
-    Name
-    [anarcat]
-    
-    Password
-    [*************] Invalid entry
-
-`Password` is highlighted.
-
-Even if I leave the password there (my cleartext password is in the
-login form by default after the password reset, which is strange), it
-still gives me that error. -- [[anarcat]]

This reverts commit 01eeb89d59cc3d88712f6559acdaa51328756729
diff --git a/doc/plugins/contrib/irker.mdwn b/doc/plugins/contrib/irker.mdwn
deleted file mode 100644
index bbc24e5..0000000
--- a/doc/plugins/contrib/irker.mdwn
+++ /dev/null
@@ -1,128 +0,0 @@
-[[!template id=plugin name=irker author="[[anarcat]]"]]
-[[!tag type/special-purpose]]
-
-This plugin will configure your wiki to send IRC notifications using the [irker](http://www.catb.org/esr/irker/) notification bot.
-
-It is fairly simple and requires no configuration but installation of the irker package. For template configuration, patches from [Debian bug #824512](https://bugs.debian.org/824512) are necessary.
-
-[[!format perl """
-package IkiWiki::Plugin::irker;
-
-use warnings;
-use strict;
-use IkiWiki 3.00;
-
-sub import {
-    hook(type => "getsetup", id => "irker", call => \&getsetup);
-    hook(type => "checkconfig", id => "branchable", call => \&checkconfig,
-         first => 1);
-    hook(type => "genwrapper", id => "irker", call => \&genwrapper,
-         last => 1);
-}
-
-sub getsetup() {
-	return
-		plugin => {
-			safe => 0,
-			rebuild => undef,
-			section => "core",
-		},
-		irker_channels => {
-			type => "string",
-			example => ['ircs://irc.example.com/example'],
-			description => "IRC channels to send notifications to",
-			safe => 1,
-			rebuild => 0,
-		},
-		irker_template => {
-			type => "string",
-			example => "'%(bold)s%(project)s:%(reset)s %(green)s%(author)s%(reset)s %(repo)s:%(yellow)s%(branch)s%(reset)s * %(bold)s%(rev)s%(reset)s / %(bold)s%(files)s%(reset)s: %(logmsg)s %(brown)s%(url)s%(reset)s",
-			description => "Template to use for messages. Only supported with patch from https://bugs.debian.org/824512",
-			safe => 1,
-			rebuild => 0,
-		},
-		irker_hook => {
-			type => "string",
-			example => "irkerhook-git",
-			description => 'Hook to setup for notifications, will look in $PATH if File::Which is available, otherwise use absolute path.',
-			safe => 1,
-			rebuild => 0,
-		},
-}
-
-sub checkconfig {
-    use URI; # ikiwiki Depends on it
-    foreach my $channel (@{$config{'irker_channels'}}) {
-        my $uri = URI->new( $channel );
-        # inspired by http://stackoverflow.com/a/2599378/1174784
-        # and http://stackoverflow.com/a/4953329/1174784
-        if (!$uri->scheme || $uri->path =~ m/^([#&]?[^\x07\x2C\s]{,200})/) {
-            error("$channel is not a valid IRC channel URI");
-        }
-    }
-    # check if hook exists
-    if (-x $config{irker_hook}) {
-        # shortcut: already configured
-        return;
-    }
-    eval q{use File::Which};
-    # check with which, i available
-    if (!$@) {
-        my $hook;
-        if (!defined $config{'irker_hook'}) {
-            $config{'irker_hook'} = 'irkerhook-git';
-        }
-        $hook = which($config{'irker_hook'});
-        if (defined $hook) {
-            $config{'irker_hook'} = $hook;
-        }
-        else {
-            error("irker hook '$config{irker_hook}' not found in PATH");
-        }
-    }
-    if (!-x $config{irker_hook}) {
-        error("irker hook '$config{irker_hook}' not executable");
-    }
-}
-
-# Parses git_wrapper to find out where the git repository is.
-# cargo-culted from branchable.pm
-sub find_git_repository {
-	if ($config{rcs} eq 'git' &&
-	    $config{git_wrapper}=~m!^(.*)/hooks/post-update$!) {
-		return $1;
-	}
-	else {
-		return undef;
-	}
-}
-
-# setup the hook symlink and git configuration
-sub genwrapper() {
-    my $repo=find_git_repository();
-    if (defined $repo && defined $config{'irker_channels'}) {
-        if (!-l $repo . '/hooks/post-receive') {
-            if (-e $repo . '/hooks/post-receive') {
-                error('post-receive hook exists and is not a symlink, failed to setup hook');
-            }
-            symlink($config{'irker_hook'}, $repo . '/hooks/post-receive') || error('failed to symlink: $!');
-        }
-        my $channels = join(",", @{$config{'irker_channels'}});
-        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $channels);
-        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'wikiname'});
-        if ($config{'irker_template'}) {
-            exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'irker_template'});
-        }
-    }
-    else {
-        exec { 'git' } ('config', '-C', $repo, 'config', '--remove-section', 'irker');
-        if (-l $repo . '/hooks/post-receive' && 
-            readlink($repo . '/hooks/post-receive') =~ m/irkerhook/) {
-            unlink($repo . '/hooks/post-receive');
-        }
-    }
-    return "";
-}
-
-1
-"""]]

This reverts commit bda4eba674ee46289cccaf8e89ee9edde1dcba1e
diff --git a/doc/tips/monitor_page_changes_through_IRC.mdwn b/doc/tips/monitor_page_changes_through_IRC.mdwn
index d1b6113..b958b89 100644
--- a/doc/tips/monitor_page_changes_through_IRC.mdwn
+++ b/doc/tips/monitor_page_changes_through_IRC.mdwn
@@ -17,6 +17,6 @@ there are basically two alternatives now:
 * [KGB](https://kgb.alioth.debian.org/) - a Perl script that has been running at Debian since 2009
 * [irker](http://www.catb.org/esr/irker/) - a Python script whipped up by ESR in the fall of CIA.vc (~2011), ignoring the existing KGB bot
 
-KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. I built the [[plugins/contrib/irker]] plugin to automatically configure notifications with irker. --[[anarcat]]
+KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. --[[anarcat]]
 
 See also [[todo/ikibot]] for another bot idea.

and we have a bot
diff --git a/doc/tips/monitor_page_changes_through_IRC.mdwn b/doc/tips/monitor_page_changes_through_IRC.mdwn
index b958b89..d1b6113 100644
--- a/doc/tips/monitor_page_changes_through_IRC.mdwn
+++ b/doc/tips/monitor_page_changes_through_IRC.mdwn
@@ -17,6 +17,6 @@ there are basically two alternatives now:
 * [KGB](https://kgb.alioth.debian.org/) - a Perl script that has been running at Debian since 2009
 * [irker](http://www.catb.org/esr/irker/) - a Python script whipped up by ESR in the fall of CIA.vc (~2011), ignoring the existing KGB bot
 
-KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. --[[anarcat]]
+KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. I built the [[plugins/contrib/irker]] plugin to automatically configure notifications with irker. --[[anarcat]]
 
 See also [[todo/ikibot]] for another bot idea.

little irc integration plugin
diff --git a/doc/plugins/contrib/irker.mdwn b/doc/plugins/contrib/irker.mdwn
new file mode 100644
index 0000000..bbc24e5
--- /dev/null
+++ b/doc/plugins/contrib/irker.mdwn
@@ -0,0 +1,128 @@
+[[!template id=plugin name=irker author="[[anarcat]]"]]
+[[!tag type/special-purpose]]
+
+This plugin will configure your wiki to send IRC notifications using the [irker](http://www.catb.org/esr/irker/) notification bot.
+
+It is fairly simple and requires no configuration but installation of the irker package. For template configuration, patches from [Debian bug #824512](https://bugs.debian.org/824512) are necessary.
+
+[[!format perl """
+package IkiWiki::Plugin::irker;
+
+use warnings;
+use strict;
+use IkiWiki 3.00;
+
+sub import {
+    hook(type => "getsetup", id => "irker", call => \&getsetup);
+    hook(type => "checkconfig", id => "branchable", call => \&checkconfig,
+         first => 1);
+    hook(type => "genwrapper", id => "irker", call => \&genwrapper,
+         last => 1);
+}
+
+sub getsetup() {
+	return
+		plugin => {
+			safe => 0,
+			rebuild => undef,
+			section => "core",
+		},
+		irker_channels => {
+			type => "string",
+			example => ['ircs://irc.example.com/example'],
+			description => "IRC channels to send notifications to",
+			safe => 1,
+			rebuild => 0,
+		},
+		irker_template => {
+			type => "string",
+			example => "'%(bold)s%(project)s:%(reset)s %(green)s%(author)s%(reset)s %(repo)s:%(yellow)s%(branch)s%(reset)s * %(bold)s%(rev)s%(reset)s / %(bold)s%(files)s%(reset)s: %(logmsg)s %(brown)s%(url)s%(reset)s",
+			description => "Template to use for messages. Only supported with patch from https://bugs.debian.org/824512",
+			safe => 1,
+			rebuild => 0,
+		},
+		irker_hook => {
+			type => "string",
+			example => "irkerhook-git",
+			description => 'Hook to setup for notifications, will look in $PATH if File::Which is available, otherwise use absolute path.',
+			safe => 1,
+			rebuild => 0,
+		},
+}
+
+sub checkconfig {
+    use URI; # ikiwiki Depends on it
+    foreach my $channel (@{$config{'irker_channels'}}) {
+        my $uri = URI->new( $channel );
+        # inspired by http://stackoverflow.com/a/2599378/1174784
+        # and http://stackoverflow.com/a/4953329/1174784
+        if (!$uri->scheme || $uri->path =~ m/^([#&]?[^\x07\x2C\s]{,200})/) {
+            error("$channel is not a valid IRC channel URI");
+        }
+    }
+    # check if hook exists
+    if (-x $config{irker_hook}) {
+        # shortcut: already configured
+        return;
+    }
+    eval q{use File::Which};
+    # check with which, i available
+    if (!$@) {
+        my $hook;
+        if (!defined $config{'irker_hook'}) {
+            $config{'irker_hook'} = 'irkerhook-git';
+        }
+        $hook = which($config{'irker_hook'});
+        if (defined $hook) {
+            $config{'irker_hook'} = $hook;
+        }
+        else {
+            error("irker hook '$config{irker_hook}' not found in PATH");
+        }
+    }
+    if (!-x $config{irker_hook}) {
+        error("irker hook '$config{irker_hook}' not executable");
+    }
+}
+
+# Parses git_wrapper to find out where the git repository is.
+# cargo-culted from branchable.pm
+sub find_git_repository {
+	if ($config{rcs} eq 'git' &&
+	    $config{git_wrapper}=~m!^(.*)/hooks/post-update$!) {
+		return $1;
+	}
+	else {
+		return undef;
+	}
+}
+
+# setup the hook symlink and git configuration
+sub genwrapper() {
+    my $repo=find_git_repository();
+    if (defined $repo && defined $config{'irker_channels'}) {
+        if (!-l $repo . '/hooks/post-receive') {
+            if (-e $repo . '/hooks/post-receive') {
+                error('post-receive hook exists and is not a symlink, failed to setup hook');
+            }
+            symlink($config{'irker_hook'}, $repo . '/hooks/post-receive') || error('failed to symlink: $!');
+        }
+        my $channels = join(",", @{$config{'irker_channels'}});
+        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $channels);
+        exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'wikiname'});
+        if ($config{'irker_template'}) {
+            exec { 'git' } ('config', '-C', $repo, 'config', 'irker.channels', $config{'irker_template'});
+        }
+    }
+    else {
+        exec { 'git' } ('config', '-C', $repo, 'config', '--remove-section', 'irker');
+        if (-l $repo . '/hooks/post-receive' && 
+            readlink($repo . '/hooks/post-receive') =~ m/irkerhook/) {
+            unlink($repo . '/hooks/post-receive');
+        }
+    }
+    return "";
+}
+
+1
+"""]]
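Review bot: in `genwrapper`, each `exec { 'git' } (...)` replaces the running ikiwiki process when it succeeds, so nothing after the first call is ever reached; these calls need `system` in the same list form, with the return value checked. All three calls also write the same key, `irker.channels` (the second passes `$config{'wikiname'}`, the third `$config{'irker_template'}`), so even with `system` the channel list would be overwritten. In addition, the `else` branch can run with `$repo` undefined, and `error('failed to symlink: $!')` is single-quoted, so `$!` is printed literally instead of the system error.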

add details on bot setup
diff --git a/doc/tips/monitor_page_changes_through_IRC.mdwn b/doc/tips/monitor_page_changes_through_IRC.mdwn
index 3c5d17e..b958b89 100644
--- a/doc/tips/monitor_page_changes_through_IRC.mdwn
+++ b/doc/tips/monitor_page_changes_through_IRC.mdwn
@@ -9,3 +9,14 @@ the workaround I found so far was to join the `#ikiwiki` channel on freenode, an
 this will watch for any change to this page. -- [[anarcat]]
 
 hello anarcat, I'm editing your page! -- [[micah]]
+
+obviously, the above assumes that the wiki is already configured to send notifications on IRC when commits are done through the git repository. there are multiple ways of doing that, which somewhat fall outside the scope of Ikiwiki itself, since you should really learn how to do this elsewhere. All you need to know is that the hook needs to be in `repository.git/hooks/post-receive` file.
+
+there are basically two alternatives now:
+
+* [KGB](https://kgb.alioth.debian.org/) - a Perl script that has been running at Debian since 2009
+* [irker](http://www.catb.org/esr/irker/) - a Python script whipped up by ESR in the fall of CIA.vc (~2011), ignoring the existing KGB bot
+
+KGB is harder to setup ([tutorial](https://www.donarmstrong.com/posts/switching_to_kgb/)), as it , but more reliable than irker, in my experience. --[[anarcat]]
+
+See also [[todo/ikibot]] for another bot idea.
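Review bot: the added KGB sentence breaks off at "as it , but more reliable", so the reason KGB is harder to set up is missing; either finish the clause or cut "as it". The first added paragraph says the hook "needs to be in `repository.git/hooks/post-receive`" and that the rest should be learned elsewhere; a link for that, as the KGB line has with its tutorial, would let the tip stand on its own.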

mention that the CVE-2016-4561 fix was backported
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 594b721..055e1d0 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -514,12 +514,17 @@ CGI error messages did not escape HTML meta-characters, potentially
 allowing an attacker to carry out cross-site scripting by directing a
 user to a URL that would result in a crafted ikiwiki error message. This
 was discovered on 4 May by the ikiwiki developers, and the fixed version
-3.20160506 was released on 6 May. An upgrade is recommended for sites using
+3.20160506 was released on 6 May. The same fixes were backported to Debian
+8 "jessie" in version 3.20141016.3. A backport to Debian 7 "wheezy" is
+in progress.
+
+An upgrade is recommended for sites using
 the CGI. ([[!cve CVE-2016-4561]], OVE-20160505-0012)
 
 ## ImageMagick CVE-2016–3714 ("ImageTragick")
 
-ikiwiki 3.20160506 attempts to mitigate [[!cve CVE-2016-3714]] and any
+ikiwiki 3.20160506 and 3.20141016.3 attempt to mitigate
+[[!cve CVE-2016-3714]], and any
 future ImageMagick vulnerabilities that resemble it, by restricting the
 image formats that the [[ikiwiki/directive/img]] directive is willing to
 resize. An upgrade is recommended for sites where an untrusted user is
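Review bot: "A backport to Debian 7 "wheezy" is in progress" will be stale as soon as the upload happens and gives wheezy users no version to check against; date the statement or replace it with the fixed version once it exists. After the split, "An upgrade is recommended for sites using the CGI" and the `[[!cve CVE-2016-4561]]` reference form their own paragraph, detached from the description they belong to. The unchanged heading just below writes `CVE-2016–3714` with an en dash where the directive uses a hyphen, so a search for the identifier misses the heading.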

Clarifying
diff --git a/doc/todo/merge_bootstrap_branch.mdwn b/doc/todo/merge_bootstrap_branch.mdwn
index e2fb5f3..34a4a1f 100644
--- a/doc/todo/merge_bootstrap_branch.mdwn
+++ b/doc/todo/merge_bootstrap_branch.mdwn
@@ -25,6 +25,7 @@ except when the bootstrap theme is enabled.
 >> As for not tampering with template files, the only way I found to
 >> work around this is to rename the desired bootstrap classes to the
 >> ones that the default ikiwiki template wants (toc, map, etc.).
->> [see for yourself](https://notabug.org/iikb/ikiwiki-theme-bootstrap/commit/7f30630b6255336a34b14f70f2a674e15cd797a0) - don't mind the red parts.
+>> What this means is copying css code from `bootstrap.css` to the `styles.css`.
+>> [See for yourself](https://notabug.org/iikb/ikiwiki-theme-bootstrap/commit/7f30630b6255336a34b14f70f2a674e15cd797a0) - don't mind the red parts.
 >> This is tedious and boring, it's easier to tamper with template files
 >> than to rewrite bootstrap by copying and pasting it. --[[desci]]

Adding info regarding bootstrap classes
diff --git a/doc/todo/merge_bootstrap_branch.mdwn b/doc/todo/merge_bootstrap_branch.mdwn
index ee42bf5..e2fb5f3 100644
--- a/doc/todo/merge_bootstrap_branch.mdwn
+++ b/doc/todo/merge_bootstrap_branch.mdwn
@@ -21,3 +21,10 @@ except when the bootstrap theme is enabled.
 >
 > My work on bootstrap also involved some changes to the base templates,
 > not sure there is a way to work around that. --[[anarcat]]
+
+>> As for not tampering with template files, the only way I found to
+>> work around this is to rename the desired bootstrap classes to the
+>> ones that the default ikiwiki template wants (toc, map, etc.).
+>> [see for yourself](https://notabug.org/iikb/ikiwiki-theme-bootstrap/commit/7f30630b6255336a34b14f70f2a674e15cd797a0) - don't mind the red parts.
+>> This is tedious and boring, it's easier to tamper with template files
+>> than to rewrite bootstrap by copying and pasting it. --[[desci]]

Adding sites
diff --git a/doc/users/desci.mdwn b/doc/users/desci.mdwn
index dce4ea4..e2ebefd 100644
--- a/doc/users/desci.mdwn
+++ b/doc/users/desci.mdwn
@@ -1,24 +1,25 @@
-# Personal information
+## Personal information
 
 <https://desci.xyz>
 
 ---
 
-# Ikiwiki Plugins
+## Ikiwiki Plugins
 
 A plugin to add facebook spyware to your ikiwiki: [[plugins/contrib/opengraph/]]
 
 ---
 
-# Ikiwiki Themes
+## Ikiwiki Themes
 
 A theme to add [bootstrap 3](https://getbootstrap.com) to ikiwiki without overhauling the installation: [[forum/bootstrap_theme]]
 
 ---
 
-# Ikiwiki Sites
+## Ikiwiki Sites
 
-## Currently online:
+### Currently online:
 
-* <https://dev.iikb.org>
-* <https://dev.iikb.xyz> (proxy_pass)
+* <https://iikb.org> - <https://iikb.xyz> (alternative domain)
+* <https://piratas.xyz> - <https://partidopirata.xyz> (alternative domain)
+* <https://sul.partidopirata.xyz>

thanks!
diff --git a/doc/bugs/tag_missing_for_3.20141016.3.mdwn b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
index bc67268..3e3c879 100644
--- a/doc/bugs/tag_missing_for_3.20141016.3.mdwn
+++ b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
@@ -5,3 +5,8 @@ There is no tag for the Debian release numbered: 3.20141016.3. it *seems* like i
 > different suites since Friday, three of which need someone else's
 > approval before they're finalized, so please excuse delays to the
 > peripheral stuff like tags and release notes. --[[smcv]]
+
+> > Hey, no problem at all. :) Thanks so much for taking care of all this
+> > it is much appreciated. I didn't mean to put pressure at all here,
+> > I just thought it was forgotten. Sorry if it was misunderstood! 
+> > --[[anarcat]]

tag added
diff --git a/doc/bugs/tag_missing_for_3.20141016.3.mdwn b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
index 5c71f51..bc67268 100644
--- a/doc/bugs/tag_missing_for_3.20141016.3.mdwn
+++ b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
@@ -1 +1,7 @@
 There is no tag for the Debian release numbered: 3.20141016.3. it *seems* like it should be the head of the debian-jessie branch (51b4083). I can't seem to push the tag myself. --[[anarcat]]
+
+> [[Now pushed|done]]. I didn't want to tag 3.20141016.3 while there was a chance
+> that I'd have to redo it. So far I've prepared four security releases for
+> different suites since Friday, three of which need someone else's
+> approval before they're finalized, so please excuse delays to the
+> peripheral stuff like tags and release notes. --[[smcv]]

thanks!
diff --git a/doc/todo/git-annex_support.mdwn b/doc/todo/git-annex_support.mdwn
index 6659714..c49cab4 100644
--- a/doc/todo/git-annex_support.mdwn
+++ b/doc/todo/git-annex_support.mdwn
@@ -238,3 +238,7 @@ This [[patch]] still applies - anything else I should be doing here to try to ge
 > queue, but at right now I'm still trying to deal with mitigating
 > CVE-2016-3714, and the last thing I want to do is merge new security
 > risks. --[[smcv]]
+
+> > No problem at all, glad that you still have that in the queue, and I hope
+> > my work was somewhat useful in pushing this forward! Thanks for taking
+> > care of the Imagetragick situation... :/ --[[anarcat]]

sorry, one day I'll review this, but this is not that day
diff --git a/doc/todo/git-annex_support.mdwn b/doc/todo/git-annex_support.mdwn
index b2828c9..6659714 100644
--- a/doc/todo/git-annex_support.mdwn
+++ b/doc/todo/git-annex_support.mdwn
@@ -231,3 +231,10 @@ add_plugins:
 > <del>...aaaand this doesn't work anymore. :( i could have sworn this was working minutes ago, but for some reason the annexed files get skipped again now. :(</del> Sorry for the noise, the annex repo wasn't in direct mode - the above works! --[[anarcat]]
 
 This [[patch]] still applies - anything else I should be doing here to try to get this fixed? A summary maybe? --[[anarcat]]
+
+> Sorry, I don't have the mental bandwidth at the moment to work through the
+> implications of this change. I know you want this feature, I know it's an
+> attractive solution to several use cases, and git annex support is in the
+> queue, but at right now I'm still trying to deal with mitigating
+> CVE-2016-3714, and the last thing I want to do is merge new security
+> risks. --[[smcv]]

still using this in production, would welcome feedback
diff --git a/doc/todo/git-annex_support.mdwn b/doc/todo/git-annex_support.mdwn
index 342319c..b2828c9 100644
--- a/doc/todo/git-annex_support.mdwn
+++ b/doc/todo/git-annex_support.mdwn
@@ -229,3 +229,5 @@ add_plugins:
 ... and the `ikiwiki-hosting` patch mentionned earlier to allow git-annex-shell to run at all. Also, the `--shared` option will [make git-annex use hardlinks itself between the two repos](https://git-annex.branchable.com/todo/wishlist:_use_hardlinks_for_local_clones/), so the files will be available for download as well. --[[anarcat]]
 
 > <del>...aaaand this doesn't work anymore. :( i could have sworn this was working minutes ago, but for some reason the annexed files get skipped again now. :(</del> Sorry for the noise, the annex repo wasn't in direct mode - the above works! --[[anarcat]]
+
+This [[patch]] still applies - anything else I should be doing here to try to get this fixed? A summary maybe? --[[anarcat]]

dropping this.
diff --git a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
index 48b046b..c0610af 100644
--- a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
+++ b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
@@ -109,3 +109,5 @@ Any other ideas? --[[anarcat]]
 >>>>>> But the problem is that is a separate feature request, which should be filed as a
 >>>>>> separate [[wishlist]] item. What I am describing above is an actual *bug* that should be fixed regardless of
 >>>>>> the color you want that poney to be. :p -- [[anarcat]]
+
+Considering the doom and death surrounding OpenID these days, I think I'll just give up on this patch for now, especially given how little acceptance it has found here. So [[done]]. --[[anarcat]]

diff --git a/doc/bugs/tag_missing_for_3.20141016.3.mdwn b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
new file mode 100644
index 0000000..5c71f51
--- /dev/null
+++ b/doc/bugs/tag_missing_for_3.20141016.3.mdwn
@@ -0,0 +1 @@
+There is no tag for the Debian release numbered: 3.20141016.3. it *seems* like it should be the head of the debian-jessie branch (51b4083). I can't seem to push the tag myself. --[[anarcat]]

Add CVE reference
diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
index 331a48b..6800a30 100644
--- a/doc/news/version_3.20160506.mdwn
+++ b/doc/news/version_3.20160506.mdwn
@@ -22,7 +22,7 @@ ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
 [[!toggleable text="""
  * [ [[Simon McVittie|smcv]] ]
    * HTML-escape error messages, in one case avoiding potential cross-site
-     scripting (OVE-20160505-0012)
+     scripting ([[!cve CVE-2016-4561]], OVE-20160505-0012)
    * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
      - img: force common Web formats to be interpreted according to extension,
        so that "allowed\_attachments: '*.jpg'" does what one might expect
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 6d4841f..594b721 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -515,7 +515,7 @@ allowing an attacker to carry out cross-site scripting by directing a
 user to a URL that would result in a crafted ikiwiki error message. This
 was discovered on 4 May by the ikiwiki developers, and the fixed version
 3.20160506 was released on 6 May. An upgrade is recommended for sites using
-the CGI.
+the CGI. ([[!cve CVE-2016-4561]], OVE-20160505-0012)
 
 ## ImageMagick CVE-2016–3714 ("ImageTragick")
 

respond
diff --git a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
index a669413..f4f2f26 100644
--- a/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
+++ b/doc/bugs/Anon_edit_caused_lock_out_on_entire_site_.mdwn
@@ -26,6 +26,10 @@ The `moderatedcomments` plugins is **not** enabled
 
 The `anonok` plugin is **not** enabled
 
+> What are your complete `add_plugins` and `disable_plugins` options?
+> Which version of ikiwiki are you running? Are you using any third-party
+> plugins or patches? --[[smcv]]
+
 ---
 
 ## Steps
@@ -57,3 +61,12 @@ For [this particular installation](https://dev.iikb.xyz), that's not the case.
 ## Question
 
 Is there a session file or something to logout this phantom user?
+
+> See [[tips/inside_dot_ikiwiki]]. `.ikiwiki/userdb` is a Perl Storable file;
+> there are instructions for inspecting it on that page. `.ikiwiki/sessions.db`
+> is most likely a Berkeley DB file.
+>
+> I would be interested to see the contents of these two files and the complete
+> `.setup` file. I would also be interested to see a tarball of the entire
+> wiki source directory, if it isn't excessively large. If you'd be willing to
+> share them, please contact <mailto:smcv@debian.org>. --[[smcv]]

use intended filename
diff --git a/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn b/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
deleted file mode 100644
index abe704f..0000000
--- a/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
+++ /dev/null
@@ -1,3 +0,0 @@
-BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).
-
-> Joey merged your patch back in March, and it is in today's release. [[done]] --[[smcv]]
diff --git a/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn b/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
new file mode 100644
index 0000000..abe704f
--- /dev/null
+++ b/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
@@ -0,0 +1,3 @@
+BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).
+
+> Joey merged your patch back in March, and it is in today's release. [[done]] --[[smcv]]

escape directive properly; add paragraph breaks
diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
index 650588c..331a48b 100644
--- a/doc/news/version_3.20160506.mdwn
+++ b/doc/news/version_3.20160506.mdwn
@@ -1,15 +1,19 @@
 News for ikiwiki 3.20160506:
 
    To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
-   the `[[!img]]` directive is now restricted to these common web formats by
+   the `\[[!img]]` directive is now restricted to these common web formats by
    default:
+
    * JPEG (`.jpg`, `.jpeg`)
    * PNG (`.png`)
    * GIF (`.gif`)
    * SVG (`.svg`)
+
    (In particular, by default resizing PDF files is no longer allowed.)
+
    Additionally, resized SVG files are displayed in the browser as SVG
    instead of being converted to PNG.
+
    If all users who can attach images are fully trusted, this restriction
    can be removed with the new img\_allowed\_formats setup option.
    See [[ikiwiki/directive/img]] for more details.

rename todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn to bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
diff --git a/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn b/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
new file mode 100644
index 0000000..abe704f
--- /dev/null
+++ b/doc/bugs/Correctly_handle_filenames_starting_with_a_dash_in_add/rm/mv.mdwn
@@ -0,0 +1,3 @@
+BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).
+
+> Joey merged your patch back in March, and it is in today's release. [[done]] --[[smcv]]
diff --git a/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn b/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
deleted file mode 100644
index abe704f..0000000
--- a/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
+++ /dev/null
@@ -1,3 +0,0 @@
-BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).
-
-> Joey merged your patch back in March, and it is in today's release. [[done]] --[[smcv]]

already fixed
diff --git a/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn b/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
index 5a34035..abe704f 100644
--- a/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
+++ b/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
@@ -1 +1,3 @@
 BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).
+
+> Joey merged your patch back in March, and it is in today's release. [[done]] --[[smcv]]

Announce 3.20160506
diff --git a/doc/news/version_3.20150107.mdwn b/doc/news/version_3.20150107.mdwn
deleted file mode 100644
index 7cae042..0000000
--- a/doc/news/version_3.20150107.mdwn
+++ /dev/null
@@ -1,44 +0,0 @@
-ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-  [ [[Joey Hess|joey]] ]
-
-  * Added ikiwiki-comment program.
-  * Add missing build-depends on `libcgi-formbuilder-perl`, needed for
-    `t/relativity.t`
-  * openid: Stop suppressing the email field on the Preferences page.
-  * Set Debian package maintainer to Simon McVittie as I'm retiring from
-    Debian.
-
-  [ [[Simon McVittie|smcv]] ]
-
-  * calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
-    can mostly supersede the `ikiwiki-calendar` command.
-    Thanks, Louis Paternault
-  * search: add more classes as a hook for CSS. Thanks, sajolida
-  * core: generate HTML5 by default, but keep avoiding new elements
-    like `<section>` that require specific browser support unless `html5` is
-    set to 1.
-  * Tell mobile browsers to draw our pages in a device-sized viewport,
-    not an 800-1000px viewport designed to emulate a desktop/laptop browser.
-  * Add new `responsive_layout` option which can be set to 0 if your custom
-    CSS only works in a large viewport.
-  * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
-    below 600px ("responsive layout") so that horizontal scrolling is not
-    needed on smartphone browsers or other small viewports.
-  * core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
-
-  [ [[Amitai Schlair|schmonz]] ]
-
-  * core: log a debug message before waiting for the lock.
-    Thanks, Mark Jason Dominus
-  * build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
-    Thanks, ttw
-  * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
-    Closes: [[!debbug 774441]]
-
-  [ [[Joey Hess|joey]] ]
-
-  * po: If msgmerge falls over on a problem po file, print a warning
-    message, but don't let this problem crash ikiwiki entirely.
-"""]]
-[[!meta date="2015-01-07 10:24:25 +0000"]]
diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
new file mode 100644
index 0000000..650588c
--- /dev/null
+++ b/doc/news/version_3.20160506.mdwn
@@ -0,0 +1,45 @@
+News for ikiwiki 3.20160506:
+
+   To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
+   the `[[!img]]` directive is now restricted to these common web formats by
+   default:
+   * JPEG (`.jpg`, `.jpeg`)
+   * PNG (`.png`)
+   * GIF (`.gif`)
+   * SVG (`.svg`)
+   (In particular, by default resizing PDF files is no longer allowed.)
+   Additionally, resized SVG files are displayed in the browser as SVG
+   instead of being converted to PNG.
+   If all users who can attach images are fully trusted, this restriction
+   can be removed with the new img\_allowed\_formats setup option.
+   See [[ikiwiki/directive/img]] for more details.
+
+ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Simon McVittie|smcv]] ]
+   * HTML-escape error messages, in one case avoiding potential cross-site
+     scripting (OVE-20160505-0012)
+   * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+     - img: force common Web formats to be interpreted according to extension,
+       so that "allowed\_attachments: '*.jpg'" does what one might expect
+     - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+       CVE-2016-3714 and similar vulnerabilities
+     - img: check that the magic number matches what we would expect from
+       the extension before giving common formats to ImageMagick
+   * d/control: use https for Homepage
+   * d/control: add Vcs-Browser
+ * [ [[Joey Hess|joey]] ]
+   * img: Add back support for SVG images, bypassing ImageMagick and
+     simply passing the SVG through to the browser, which is supported by all
+     commonly used browsers these days.
+     SVG scaling by img directives has subtly changed; where before
+     size=wxh would preserve aspect ratio, this cannot be done when passing
+     them through and so specifying both a width and height can change
+     the SVG's aspect ratio.
+   * loginselector: When only openid and emailauth are enabled, but
+     passwordauth is not, avoid showing a "Other" box which opens an
+     empty form.
+ * [ [[Amitai Schlair|schmonz]] ]
+   * mdwn: Process .md like .mdwn, but disallow web creation.
+ * [ Florian Wagner ]
+   * git: Correctly handle filenames starting with a dash in add/rm/mv."""]]

diff --git a/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn b/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
new file mode 100644
index 0000000..5a34035
--- /dev/null
+++ b/doc/todo/Correctly_handle_filenames_starting_with_a_dash_in_add__47__rm__47__mv.mdwn
@@ -0,0 +1 @@
+BUG: Creating pages starting with dash(es) in the CGI doesn't add/commit them automatically to the GIT backend repository. This is fixed in the forked repository at <https://github.com/wagnerflo/ikiwiki> in commit [6b0ae40](https://github.com/wagnerflo/ikiwiki/commit/6b0ae40d109c58ae5ca098496ac30c7ef0074131).

Document the security fixes in this release
diff --git a/debian/NEWS b/debian/NEWS
index b2753c6..66b2b42 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,27 @@
+ikiwiki (3.20160506) UNRELEASED; urgency=medium
+
+  To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+  the [[!img]] directive is now restricted to these common web formats by
+  default:
+
+  * JPEG (.jpg, .jpeg)
+  * PNG (.png)
+  * GIF (.gif)
+  * SVG (.svg)
+
+  (In particular, by default resizing PDF files is no longer allowed.)
+
+  Additionally, resized SVG files are displayed in the browser as SVG
+  instead of being converted to PNG.
+
+  If all users who can attach images are fully trusted, this restriction
+  can be removed with the new img_allowed_formats setup option.
+  See <https://ikiwiki.info/ikiwiki/directive/img/>
+  or <file:///usr/share/doc/ikiwiki/html/ikiwiki/directive/img.html> for
+  more details.
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 06 May 2016 07:07:29 +0100
+
 ikiwiki (3.20150610) unstable; urgency=low
 
   The new "emailauth" plugin allows users to authenticate using an email
diff --git a/doc/ikiwiki/directive/img.mdwn b/doc/ikiwiki/directive/img.mdwn
index fa3b40f..a940a44 100644
--- a/doc/ikiwiki/directive/img.mdwn
+++ b/doc/ikiwiki/directive/img.mdwn
@@ -41,4 +41,27 @@ the page, unless overridden. Useful when including many images on a page.
 	\[[!img photo2.jpg]]
 	\[[!img photo3.jpg size=200x600]]
 
+## format support
+
+By default, the `img` directive only supports a few common web formats:
+
+* PNG (`.png`)
+* JPEG (`.jpg` or `.jpeg`)
+* GIF (`.gif`)
+* SVG (`.svg`)
+
+These additional formats can be enabled with the `img_allowed_formats`
+[[!iki setup]] option, but are disabled by default for better
+[[!iki security]]:
+
+* PDF (`.pdf`)
+* `everything` (accepts any file supported by ImageMagick: make sure
+  that only completely trusted users can
+  [[upload attachments|ikiwiki/pagespec/attachment]])
+
+For example, a wiki where only `admin()` users can upload attachments might
+use:
+
+    img_allowed_formats: [png, jpeg, gif, svg, pdf]
+
 [[!meta robots="noindex, follow"]]
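
Review bot: in the new "format support" section, `everything` carries an explicit "only completely trusted users" warning but the PDF entry has none, even though both are listed as disabled by default for security. The trust requirement for PDF is only implied by the `admin()` example that follows. State it on the PDF bullet as well, and consider describing `everything` as a special value rather than listing it among "additional formats", since it is not a format.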
diff --git a/doc/security.mdwn b/doc/security.mdwn
index d5a0266..6d4841f 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -178,7 +178,8 @@ the same standards as the rest of ikiwiki, but with that said, here are
 some security notes for them.
 
 * The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure
-  from malformed image attacks. Imagemagick has had security holes in the
+  from malformed image attacks for at least the formats listed in
+  `img_allowed_formats`. Imagemagick has had security holes in the
   past. To be able to exploit such a hole, a user would need to be able to
   upload images to the wiki.
 
@@ -506,3 +507,22 @@ The hole was reported on March 24th, a fix was developed on March 27th,
 and the fixed version 3.20150329 was released on the 29th. A fix was backported
 to Debian jessie as version 3.20141016.2 and to Debian wheezy as version
 3.20120629.2. An upgrade is recommended for sites using CGI and openid.
+
+## XSS via error messages
+
+CGI error messages did not escape HTML meta-characters, potentially
+allowing an attacker to carry out cross-site scripting by directing a
+user to a URL that would result in a crafted ikiwiki error message. This
+was discovered on 4 May by the ikiwiki developers, and the fixed version
+3.20160506 was released on 6 May. An upgrade is recommended for sites using
+the CGI.
+
+## ImageMagick CVE-2016–3714 ("ImageTragick")
+
+ikiwiki 3.20160506 attempts to mitigate [[!cve CVE-2016-3714]] and any
+future ImageMagick vulnerabilities that resemble it, by restricting the
+image formats that the [[ikiwiki/directive/img]] directive is willing to
+resize. An upgrade is recommended for sites where an untrusted user is
+able to attach images. Upgrading ImageMagick to a version where
+CVE-2016-3714 has been fixed is also recommended, but at the time of
+writing no such version is available.
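
Review bot: the new heading "## ImageMagick CVE-2016–3714" uses an en dash between 2016 and 3714, while the body uses the hyphenated `CVE-2016-3714`. Use the hyphen in the heading too, so the identifier is searchable and the heading anchor matches the ID. The "XSS via error messages" section gives "4 May" and "6 May" without a year, and at this point has no CVE or OVE reference, so the year would be worth adding for a page that accumulates advisories across many years.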

Do not recommend mimetype(image/*)
Not all image file types are safe for general use: in particular,
image/svg+xml is known to be vulnerable to CVE-2016-3714 under some
ImageMagick configurations.
diff --git a/doc/ikiwiki/pagespec/attachment.mdwn b/doc/ikiwiki/pagespec/attachment.mdwn
index fa2bc58..868fb23 100644
--- a/doc/ikiwiki/pagespec/attachment.mdwn
+++ b/doc/ikiwiki/pagespec/attachment.mdwn
@@ -12,7 +12,7 @@ while allowing larger mp3 files to be uploaded by joey into a specific
 directory, and check all attachments for viruses, something like this could be
 used:
   
-	virusfree() and ((user(joey) and podcast/*.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or (mimetype(image/*) and maxsize(50kb)))
+	virusfree() and ((user(joey) and podcast/*.mp3 and mimetype(audio/mpeg) and maxsize(15mb)) or ((mimetype(image/jpeg) or mimetype(image/png)) and maxsize(50kb)))
 
 The regular [[ikiwiki/PageSpec]] syntax is expanded with the following
 additional tests:
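
Review bot: the example now enumerates `mimetype(image/jpeg) or mimetype(image/png)`, but nothing in the page text tells the reader why the wildcard was dropped, so someone adapting the example can easily reintroduce `mimetype(image/*)`. The rationale is only in the commit message (that `image/svg+xml` is also matched and is not safe under some ImageMagick configurations). Add a sentence next to the example saying that image types should be listed individually.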

img: Add back support for SVG images, bypassing ImageMagick and simply passing the SVG through to the browser
SVG scaling by img directives has subtly changed; where before size=wxh
would preserve aspect ratio, this cannot be done when passing them through
and so specifying both a width and height can change the SVG's aspect
ratio.
(This patch looks significantly more complex than it was, because a large
block of code had to be indented.)
[smcv: drop trailing whitespace, fix some spelling]
diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm
index ed2e935..494fe23 100644
--- a/IkiWiki/Plugin/img.pm
+++ b/IkiWiki/Plugin/img.pm
@@ -23,8 +23,8 @@ sub getsetup () {
 		},
 		img_allowed_formats => {
 			type => "string",
-			default => [qw(jpeg png gif)],
-			description => "Image formats to process (jpeg, png, gif, pdf, svg or 'everything' to accept all)",
+			default => [qw(jpeg png gif svg)],
+			description => "Image formats to process (jpeg, png, gif, svg, pdf or 'everything' to accept all)",
 			# ImageMagick has had arbitrary code execution flaws,
 			# and the whole delegates mechanism is scary from
 			# that perspective
@@ -36,7 +36,7 @@ sub getsetup () {
 sub allowed {
 	my $format = shift;
 	my $allowed = $config{img_allowed_formats};
-	$allowed = ['jpeg', 'png'] unless defined $allowed && @$allowed;
+	$allowed = ['jpeg', 'png', 'gif', 'svg'] unless defined $allowed && @$allowed;
 
 	foreach my $a (@$allowed) {
 		return 1 if $a eq $format || $a eq 'everything';
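
Review bot: the fallback list in `allowed()`, `['jpeg', 'png', 'gif', 'svg']`, duplicates the `default` in `getsetup` as a second literal. The two had already drifted before this change (`['jpeg', 'png']` here against `[qw(jpeg png gif)]` in the setup default). Define the default once and use it in both places, so that a future change to the default format list cannot leave the fallback out of step. Because this list is a security allow-list, a short comment saying that an unset or empty `img_allowed_formats` falls back to the default rather than to "nothing allowed" would also help.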
@@ -131,17 +131,7 @@ sub preprocess (@) {
 	error sprintf(gettext("%s image processing disabled in img_allowed_formats configuration"), $format ? $format : "\"$extension\"") unless allowed($format ? $format : "everything");
 
 	# Try harder to protect ImageMagick from itself
-	if ($format eq 'svg') {
-		my $content;
-		read($in, $content, 5) or error sprintf(gettext("failed to read %s: %s"), $file, $!);
-		# This is an over-simplification, but ?xml is the check that
-		# ImageMagick uses. We also accept <svg for the simplest
-		# possible SVGs.
-		if ($content !~ m/^(.\?xml|<svg)/is) {
-			error sprintf(gettext("\"%s\" does not seem to be a valid %s file"), $file, $format);
-		}
-	}
-	elsif ($magic) {
+	if (defined $magic) {
 		my $content;
 		read($in, $content, length $magic) or error sprintf(gettext("failed to read %s: %s"), $file, $!);
 		if ($magic ne $content) {
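
Review bot: with the `if ($format eq 'svg')` branch removed, the only content check left in this hunk is the `if (defined $magic)` comparison, so whether an `.svg` file gets any check now depends on whether `$magic` is set for svg, which these lines do not show. If it is intentionally unset because SVG no longer reaches ImageMagick, say so in a comment, since the surviving comment "Try harder to protect ImageMagick from itself" no longer explains why svg is exempt. Also note that moving from `elsif ($magic)` to `if (defined $magic)` means a defined but empty `$magic` would now reach `read($in, $content, length $magic) or error ...`, where a zero-length read returns 0 and raises "failed to read". Guard with `length $magic` if an empty value is possible.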
@@ -149,94 +139,112 @@ sub preprocess (@) {
 		}
 	}
 
-	my $issvg = $base=~s/\.svg$/.png/i;
 	my $ispdf = $base=~s/\.pdf$/.png/i;
 	my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0;
 	if ($pagenumber != 0) {
 		$base = "p$pagenumber-$base";
 	}
 
-	eval q{use Image::Magick};
-	error gettext("Image::Magick is not installed") if $@;
-	my $im = Image::Magick->new();
 	my $imglink;
 	my $imgdatalink;
-	my $r = $im->Read("$format:$srcfile\[$pagenumber]");
-	error sprintf(gettext("failed to read %s: %s"), $file, $r) if $r;
+	my ($dwidth, $dheight);
 
-	if (! defined $im->Get("width") || ! defined $im->Get("height")) {
-		error sprintf(gettext("failed to get dimensions of %s"), $file);
+	my ($w, $h);
+	if ($params{size} ne 'full') {
+		($w, $h) = ($params{size} =~ /^(\d*)x(\d*)$/);
 	}
 
-	my ($dwidth, $dheight);
+	if ($format eq 'svg') {
+		# svg images are not scaled using ImageMagick because the
+		# pipeline is complex. Instead, the image size is simply
+		# set to the provided values.
+		#
+		# Aspect ratio will be preserved automatically when
+		# only a width or only a height is specified.
+		# When both are specified, aspect ratio will not be
+		# preserved.
+		$imglink = $file;
+		$dwidth = $w if length $w;
+		$dheight = $h if length $h;
+	}
+	else {
+		eval q{use Image::Magick};
+		error gettext("Image::Magick is not installed") if $@;
+		my $im = Image::Magick->new();
+		my $r = $im->Read("$format:$srcfile\[$pagenumber]");
+		error sprintf(gettext("failed to read %s: %s"), $file, $r) if $r;
+
+		if (! defined $im->Get("width") || ! defined $im->Get("height")) {
+			error sprintf(gettext("failed to get dimensions of %s"), $file);
+		}
 
-	if ($params{size} eq 'full') {
-		$dwidth = $im->Get("width");
-		$dheight = $im->Get("height");
-	} else {
-		my ($w, $h) = ($params{size} =~ /^(\d*)x(\d*)$/);
-		error sprintf(gettext('wrong size format "%s" (should be WxH)'), $params{size})
-			unless (defined $w && defined $h &&
-			        (length $w || length $h));
-
-		if ($im->Get("width") == 0 || $im->Get("height") == 0) {
-			($dwidth, $dheight)=(0, 0);
-		} elsif (! length $w || (length $h && $im->Get("height")*$w > $h * $im->Get("width"))) {
-			# using height because only height is given or ...
-			# because original image is more portrait than $w/$h
-			# ... slimness of $im > $h/w
-			# ... $im->Get("height")/$im->Get("width") > $h/$w
-			# ... $im->Get("height")*$w > $h * $im->Get("width")
-
-			$dheight=$h;
-			$dwidth=$h / $im->Get("height") * $im->Get("width");
-		} else { # (! length $h) or $w is what determines the resized size
-			$dwidth=$w;
-			$dheight=$w / $im->Get("width") * $im->Get("height");
+		if (! length $w && ! length $h) {
+			$dwidth = $im->Get("width");
+			$dheight = $im->Get("height");
+		} else {
+			error sprintf(gettext('wrong size format "%s" (should be WxH)'), $params{size})
+				unless (defined $w && defined $h &&
+				        (length $w || length $h));
+
+			if ($im->Get("width") == 0 || $im->Get("height") == 0) {
+				($dwidth, $dheight)=(0, 0);
+			} elsif (! length $w || (length $h && $im->Get("height")*$w > $h * $im->Get("width"))) {
+				# using height because only height is given or ...
+				# because original image is more portrait than $w/$h
+				# ... slimness of $im > $h/w
+				# ... $im->Get("height")/$im->Get("width") > $h/$w
+				# ... $im->Get("height")*$w > $h * $im->Get("width")
+
+				$dheight=$h;
+				$dwidth=$h / $im->Get("height") * $im->Get("width");
+			} else { # (! length $h) or $w is what determines the resized size
+				$dwidth=$w;
+				$dheight=$w / $im->Get("width") * $im->Get("height");
+			}
 		}
-	}
 
-	if ($dwidth < $im->Get("width") || $ispdf) {
-		# resize down, or resize to pixels at all
+		if ($dwidth < $im->Get("width") || $ispdf) {
+			# resize down, or resize to pixels at all
 
-		my $outfile = "$config{destdir}/$dir/$params{size}-$base";
-		$imglink = "$dir/$params{size}-$base";
+			my $outfile = "$config{destdir}/$dir/$params{size}-$base";
+			$imglink = "$dir/$params{size}-$base";
 
-		will_render($params{page}, $imglink);
+			will_render($params{page}, $imglink);
 
-		if (-e $outfile && (-M $srcfile >= -M $outfile)) {
-			$im = Image::Magick->new;
-			$r = $im->Read($outfile);
-			error sprintf(gettext("failed to read %s: %s"), $outfile, $r) if $r;
-		}
-		else {
-			$r = $im->Resize(geometry => "${dwidth}x${dheight}");
-			error sprintf(gettext("failed to resize: %s"), $r) if $r;
-
-			$im->set(($issvg || $ispdf) ? (magick => 'png') : ());
-			my @blob = $im->ImageToBlob();
-			# don't actually write resized file in preview mode;
-			# rely on width and height settings
-			if (! $params{preview}) {
-				writefile($imglink, $config{destdir}, $blob[0], 1);
+			if (-e $outfile && (-M $srcfile >= -M $outfile)) {
+				$im = Image::Magick->new;
+				$r = $im->Read($outfile);
+				error sprintf(gettext("failed to read %s: %s"), $outfile, $r) if $r;
 			}
 			else {
-				eval q{use MIME::Base64};
-				error($@) if $@;
-				$imgdatalink = "data:image/".$im->Get("magick").";base64,".encode_base64($blob[0]);
+				$r = $im->Resize(geometry => "${dwidth}x${dheight}");
+				error sprintf(gettext("failed to resize: %s"), $r) if $r;
+
+				$im->set($ispdf ? (magick => 'png') : ());
+				my @blob = $im->ImageToBlob();
+				# don't actually write resized file in preview mode;
+				# rely on width and height settings
+				if (! $params{preview}) {
+					writefile($imglink, $config{destdir}, $blob[0], 1);
+				}
+				else {
+					eval q{use MIME::Base64};
+					error($@) if $@;
+					$imgdatalink = "data:image/".$im->Get("magick").";base64,".encode_base64($blob[0]);
+				}
 			}
+
+			# always get the true size of the resized image (it could be
+			# that imagemagick did its calculations differently)
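
Review bot: in the new `if (! length $w && ! length $h) { ... } else { ... }` block, the `wrong size format` check sits inside the `else`, where its `(length $w || length $h)` clause is always true, and it is skipped entirely when `$w` and `$h` are undefined, because `! length` is true for an undefined value and the full-size branch runs instead. Unless the size is already validated above the visible lines, move the `error ... unless (defined $w && defined $h && ...)` check ahead of this branch, since `$params{size}` is later interpolated into `$outfile` and `$imglink`. Two smaller points in the same hunk: `$pagenumber` is interpolated into the `Read("$format:$srcfile\[$pagenumber]")` specifier, so it should be confirmed to be a plain non-negative integer before this point, and the `failed to read` message reports `$file` while the read uses `$srcfile`, which is worth a comment if the difference is intentional.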

(Diff truncated)
all good
diff --git a/doc/bugs/footnotes-look-weird.mdwn b/doc/bugs/footnotes-look-weird.mdwn
index d085e9b..be1e5d5 100644
--- a/doc/bugs/footnotes-look-weird.mdwn
+++ b/doc/bugs/footnotes-look-weird.mdwn
@@ -90,7 +90,9 @@ screen readers), as detailed in [this Stack Overflow discussion][].
 >>> headers) or likely to trigger by mistake (typographic quotes and
 >>> [[maybe alpha lists|forum/"S."_gets_replace_by_"a."_in_my_ikiwiki]]).
 >>> --[[smcv]]
->>
+>>>
+>>>> Makes perfect sense to me. --[[anarcat]]
+>>>
 >> For example, to enable footnotes, one needs to call Discount like this:
 >> 
 >>       Text::Markdown::Discount::markdown($text, Text::Markdown::Discount::MKD_EXTRA_FOOTNOTE())
@@ -117,6 +119,9 @@ screen readers), as detailed in [this Stack Overflow discussion][].
 >>> `a.footnote` if the HTML produced by some other htmlize hook was
 >>> `<sup><a class="footnote" ...>[1]</a></sup>` for instance.
 >>> But they're probably harmless.
+>>>
+>>>> Alright, your call. :) At least this bug will be available as a workaround
+>>>> for others that stumble upon the same problem! :) --[[anarcat]]
 
 Note that I also make the bottom `<div>` small as well so that it has
 less weight than the rest of the text. -- [[anarcat]]

diff --git a/doc/bugs/footnotes-look-weird.mdwn b/doc/bugs/footnotes-look-weird.mdwn
index 7ea9f24..d085e9b 100644
--- a/doc/bugs/footnotes-look-weird.mdwn
+++ b/doc/bugs/footnotes-look-weird.mdwn
@@ -76,6 +76,21 @@ screen readers), as detailed in [this Stack Overflow discussion][].
 >> are enabled in their configuration, but I understand that makes the
 >> configuration more complicated and error-prone.
 >>
+>>> Discount enables enough features by default that adding footnotes doesn't
+>>> seem bad to me. I'm also tempted by something like
+>>>
+>>> ```
+>>> mdwn_enable: [footnotes]
+>>> mdwn_disable: [alphalist, superscript]
+>>> ```
+>>>
+>>> where the default for anything that was neither specifically enabled
+>>> nor specifically disabled would be to enable everything that we don't
+>>> think is a poor fit for the processing model (pandoc-style document
+>>> headers) or likely to trigger by mistake (typographic quotes and
+>>> [[maybe alpha lists|forum/"S."_gets_replace_by_"a."_in_my_ikiwiki]]).
+>>> --[[smcv]]
+>>
 >> For example, to enable footnotes, one needs to call Discount like this:
 >> 
 >>       Text::Markdown::Discount::markdown($text, Text::Markdown::Discount::MKD_EXTRA_FOOTNOTE())
@@ -90,6 +105,18 @@ screen readers), as detailed in [this Stack Overflow discussion][].
 >>
 >> In the meantime, wouldn't it be better to have some styling here to
 >> workaround the problem in MMD?
+>>
+>>> Honestly, I'd rather have ikiwiki's level of support for the non-preferred
+>>> Markdown implementation be: if you are stuck on a platform with no C compiler
+>>> or Perl headers, you can use the pure-Perl Markdown flavours, and they
+>>> will sort of mostly work (but might not look great).
+>>>
+>>> I'm a little concerned that styling these rather generically-named classes
+>>> might interfere with the implementations of footnotes in other Markdown
+>>> implementations, or indeed non-Markdown - I wouldn't want to style
+>>> `a.footnote` if the HTML produced by some other htmlize hook was
+>>> `<sup><a class="footnote" ...>[1]</a></sup>` for instance.
+>>> But they're probably harmless.
 
 Note that I also make the bottom `<div>` small as well so that it has
 less weight than the rest of the text. -- [[anarcat]]