diff --git a/docs/Dockerfile b/docs/Dockerfile
index 44128086..8fa63a33 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -1,18 +1,9 @@
-FROM docs/base:latest
+FROM docs/base:oss
 MAINTAINER Mary Anthony (@moxiegirl)
 
-RUN svn checkout https://github.com/docker/docker/trunk/docs /docs/content/engine
-RUN svn checkout https://github.com/docker/compose/trunk/docs /docs/content/compose
-RUN svn checkout https://github.com/docker/swarm/trunk/docs /docs/content/swarm
-RUN svn checkout https://github.com/docker/machine/trunk/docs /docs/content/machine
-RUN svn checkout https://github.com/docker/notary/trunk/docs /docs/content/notary
-RUN svn checkout https://github.com/docker/kitematic/trunk/docs /docs/content/kitematic
-RUN svn checkout https://github.com/docker/toolbox/trunk/docs /docs/content/toolbox
-RUN svn checkout https://github.com/docker/opensource/trunk/docs /docs/content/opensource
-
 ENV PROJECT=registry
 
 # To get the git info for this repo
 COPY . /src
-
+RUN rm -r /docs/content/$PROJECT/
 COPY . /docs/content/$PROJECT/
diff --git a/docs/nginx.md b/docs/nginx.md
index 17b92f44..361a1063 100644
--- a/docs/nginx.md
+++ b/docs/nginx.md
@@ -76,7 +76,7 @@ events {
 }
 
 http {
-
+
 upstream docker-registry {
 server registry:5000;
 }
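Review bot: `FROM docs/base:oss` on the new side replaces one floating tag with another, so the docs build is still not reproducible and whoever can push that tag decides what ends up in the image; pin the base by digest, `FROM docs/base:oss@sha256:<digest>` (the digest has to be read off the registry, it is not visible here), and bump it deliberately. The added `RUN rm -r /docs/content/$PROJECT/` aborts the build if the base image has no such directory, so `RUN rm -rf /docs/content/$PROJECT/` is the tolerant form — and because the removal happens in its own layer the base layer's copy of those files is still shipped inside the image, so this step only makes room, it does not reduce image size. `COPY . /docs/content/$PROJECT/` then places the whole build context, `.git` included (the comment above `COPY . /src` says that is intended), under the served content root, so it is worth confirming that a `.dockerignore` keeps anything not meant to be published out of the context.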
@@ -98,34 +98,34 @@ http { # SSL ssl_certificate /etc/nginx/conf.d/domain.crt; ssl_certificate_key /etc/nginx/conf.d/domain.key; - + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; - + # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; - + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; - + location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if (\$http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*\$" ) { return 404; } - + # To add basic authentication to v2 use auth_basic setting. auth_basic "Registry realm"; auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd; - + ## If $docker_distribution_api_version is empty, the header will not be added. ## See the map directive above where this variable is defined. add_header 'Docker-Distribution-Api-Version' \$docker_distribution_api_version always; - + proxy_pass http://docker-registry; proxy_set_header Host \$http_host; # required for docker client's sake proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP @@ -182,7 +182,7 @@ Now, start your stack: Login with a "push" authorized user (using `testuser` and `testpassword`), then tag and push your first image: - docker login -p=testuser -u=testpassword -e=root@example.ch myregistrydomain.com:5043 + docker login -u=testuser -p=testpassword -e=root@example.ch myregistrydomain.com:5043 docker tag ubuntu myregistrydomain.com:5043/test docker push myregistrydomain.com:5043/test docker pull myregistrydomain.com:5043/test diff --git a/docs/spec/api.md b/docs/spec/api.md index fc074ffb..56e9242c 100644 --- a/docs/spec/api.md 
+++ b/docs/spec/api.md @@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and diff --git a/docs/spec/api.md.tmpl b/docs/spec/api.md.tmpl index 1a879ba0..1a9e9f89 100644 --- a/docs/spec/api.md.tmpl +++ b/docs/spec/api.md.tmpl 
@@ -618,26 +618,6 @@ The "digest" parameter must be included with the PUT request. Please see the [_Completed Upload_](#completed-upload) section for details on the parameters and expected responses. -Additionally, the upload can be completed with a single `POST` request to -the uploads endpoint, including the "size" and "digest" parameters: - -``` -POST /v2//blobs/uploads/?digest= -Content-Length: -Content-Type: application/octet-stream - - -``` - -On the registry service, this should allocate a download, accept and verify -the data and return the same response as the final chunk of an upload. If the -POST request fails collecting the data in any way, the registry should attempt -to return an error response to the client with the `Location` header providing -a place to continue the download. - -The single `POST` method is provided for convenience and most clients should -implement `POST` + `PUT` to support reliable resume of uploads. - ##### Chunked Upload To carry out an upload of a chunk, the client can specify a range header and diff --git a/docs/spec/auth/jwt.md b/docs/spec/auth/jwt.md index f627b17a..87de62af 100644 --- a/docs/spec/auth/jwt.md +++ b/docs/spec/auth/jwt.md 
@@ -69,8 +69,17 @@ Token has 3 main parts: The header of a JSON Web Token is a standard JOSE header. The "typ" field will be "JWT" and it will also contain the "alg" which identifies the - signing algorithm used to produce the signature. It will also usually have - a "kid" field, the ID of the key which was used to sign the token. + signing algorithm used to produce the signature. It also must have a "kid" + field, representing the ID of the key which was used to sign the token. + + The "kid" field has to be in a libtrust fingerprint compatible format. + Such a format can be generated by following steps: + + 1. Take the DER encoded public key which the JWT token was signed against. + + 2. Create a SHA256 hash out of it and truncate to 240bits. + + 3. Split the result into 12 base32 encoded groups with `:` as delimiter. Here is an example JOSE Header for a JSON Web Token (formatted with whitespace for readability): diff --git a/docs/spec/auth/scope.md b/docs/spec/auth/scope.md index 76e6f8cf..e626b6e1 100644 --- a/docs/spec/auth/scope.md +++ b/docs/spec/auth/scope.md @@ -56,7 +56,7 @@ it. The resource name represent the name which identifies a resource for a resource provider. A resource is identified by this name and the provided resource type. An example of a resource name would be the name component of an image tag, such -as "samalba/myapp". +as "samalba/myapp" or "hostname/samalba/myapp". ### Resource Actions 
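Review bot: Step 1 of the new "kid" recipe does not say which DER structure of the public key is hashed, and a PKCS#1 `RSAPublicKey` and a SubjectPublicKeyInfo (PKIX) encoding of the same key yield different fingerprints, so two implementations cannot interoperate from this text alone; name the exact structure libtrust hashes, and reword "which the JWT token was signed against" to "the public key corresponding to the private key that signed the token". Step 3 is ambiguous about order — presumably the 30-byte (240-bit) truncated digest is base32-encoded first, giving 48 characters without padding, and that string is then split into 12 groups of 4 joined by `:` — which is worth spelling out, along with "240 bits" rather than "240bits". Since "kid" is only a lookup hint, the spec should also add a sentence that the verifier must resolve it against its own set of trusted keys and must never take the key from the token itself (for example from a `jwk` or `x5c` header), otherwise any token whose kid matches a self-supplied key would verify. The list of token parts this paragraph belongs to starts before the hunk.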
@@ -83,16 +83,24 @@ scopes. scope := resourcescope [ ' ' resourcescope ]* resourcescope := resourcetype ":" resourcename ":" action [ ',' action ]* resourcetype := /[a-z]*/ -resourcename := component [ '/' component ]* +resourcename := [ hostname '/' ] component [ '/' component ]* +hostname := hostcomponent ['.' hostcomponent]* [':' port-number] +hostcomponent := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/ +port-number := /[0-9]+/ action := /[a-z]*/ component := alpha-numeric [ separator alpha-numeric ]* alpha-numeric := /[a-z0-9]+/ separator := /[_.]|__|[-]*/ ``` Full reference grammar is defined -(here)[https://godoc.org/github.com/docker/distribution/reference]. Currently -the scope name grammar is a subset of the reference grammar without support -for hostnames. +[here](https://godoc.org/github.com/docker/distribution/reference). Currently +the scope name grammar is a subset of the reference grammar. + +> **NOTE:** that the `resourcename` may contain one `:` due to a possible port +> number in the hostname component of the `resourcename`, so a naive +> implementation that interprets the first three `:`-delimited tokens of a +> `scope` to be the `resourcetype`, `resourcename`, and a list of `action` +> would be insufficient. ## Resource Provider Use diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md index 2a7aa9f5..d78fc988 100644 --- a/docs/storage-drivers/s3.md +++ b/docs/storage-drivers/s3.md @@ -198,7 +198,7 @@ The following IAM permissions are required by the registry for push and pull. S "Action": [ "s3:ListBucket", "s3:GetBucketLocation", - "s3:ListBucketMultipartUploads", + "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::mybucket" },
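Review bot: The new `resourcename` production is ambiguous — `samalba/myapp` parses both as `hostname '/' component` and as two components, because a single `hostcomponent` already satisfies `hostname` — and the text never says how a resource provider is expected to decide (the example in the earlier hunk only contrasts `samalba/myapp` with `hostname/samalba/myapp`). `hostcomponent` also admits upper-case letters while `component` does not, so a token issued for `Registry.Example.com/foo` and a request checked as `registry.example.com/foo` may or may not match depending on the implementation; stating that the hostname part is compared case-insensitively (or must be sent lower-cased by the client) closes that gap. The added NOTE about the extra `:` is useful; it could also mention that `port-number` is unbounded (`/[0-9]+/`), so parsers should not convert it to a fixed-width integer without a range check.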