diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -4,6 +4,9 @@ about: Create a report to help us improve
 
 ---
 
+<!-- ⚠️⚠️ Do Not Delete This! bug_report_template ⚠️⚠️ -->
+<!-- Please search existing issues to avoid creating duplicates. -->
+
 ### Describe the bug
 <!-- A clear and concise description of what the bug is -->
 

diff --git a/.gitpod.yml b/.gitpod.yml
@@ -1,4 +1,4 @@
-image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:gpl-update-docs.6
+image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
 workspaceLocation: gitpod/gitpod-ws.theia-workspace
 checkoutLocation: gitpod
 ports:

diff --git a/.werft/build.js b/.werft/build.js
@@ -31,6 +31,13 @@ async function build(context, version) {
      * Prepare
      */
     werft.phase("prepare");
+
+    const werftImg = shell.exec("cat .werft/build.yaml | grep dev-environment").trim().split(": ")[1];
+    const devImg = shell.exec("yq r .gitpod.yml image").trim();
+    if (werftImg !== devImg) {
+        werft.fail('prep', `Werft job image (${werftImg}) and Gitpod dev image (${devImg}) do not match`);
+    }
+
     let buildConfig = context.Annotations || {};
     try {
         exec(`gcloud auth activate-service-account --key-file "${GCLOUD_SERVICE_ACCOUNT_PATH}"`);
@@ -49,6 +56,7 @@ async function build(context, version) {
     const dynamicCPULimits = "dynamic-cpu-limits" in buildConfig;
     const withInstaller = "with-installer" in buildConfig || masterBuild;
     const noPreview = "no-preview" in buildConfig || publishRelease;
+    const registryFacadeHandover = "registry-facade-handover" in buildConfig;
     werft.log("job config", JSON.stringify({
         buildConfig,
         version,
@@ -60,6 +68,7 @@ async function build(context, version) {
         workspaceFeatureFlags,
         dynamicCPULimits,
         noPreview,
+        registryFacadeHandover,
     }));
 
     /**
@@ -71,7 +80,7 @@ async function build(context, version) {
         "HTTP_PROXY": "http://dev-http-cache:3129",
         "HTTPS_PROXY": "http://dev-http-cache:3129",
     };
-    const imageRepo = publishRelease ? "eu.gcr.io/gitpod-io/self-hosted" : "eu.gcr.io/gitpod-core-dev/build";
+    const imageRepo = publishRelease ? "gcr.io/gitpod-io/self-hosted" : "eu.gcr.io/gitpod-core-dev/build";
 
     exec(`leeway vet --ignore-warnings`);
     exec(`leeway build --werft=true -c ${cacheLevel} ${dontTest ? '--dont-test':''} -Dversion=${version} -DimageRepoBase=eu.gcr.io/gitpod-core-dev/dev dev:all`, buildEnv);
@@ -83,7 +92,8 @@ async function build(context, version) {
     }
     exec(`leeway build --werft=true -Dversion=${version} -DremoveSources=false -DimageRepoBase=${imageRepo}`, buildEnv);
     if (publishRelease) {
-        publishHelmChart("eu.gcr.io/gitpod-io/self-hosted");
+        publishHelmChart("gcr.io/gitpod-io/self-hosted");
+        exec(`leeway run --werft=true install/installer:publish-as-latest -Dversion=${version} -DimageRepoBase=${imageRepo}`)
         exec(`gcloud auth activate-service-account --key-file "${GCLOUD_SERVICE_ACCOUNT_PATH}"`);
     }
     // gitTag(`build/${version}`);
@@ -103,15 +113,15 @@ async function build(context, version) {
         werft.phase("deploy", "not deploying");
         console.log("no-preview or publish-release is set");
     } else {
-        await deployToDev(version, previewWithHttps, workspaceFeatureFlags, dynamicCPULimits);
+        await deployToDev(version, previewWithHttps, workspaceFeatureFlags, dynamicCPULimits, registryFacadeHandover);
     }
 }
 
 
 /**
  * Deploy dev
  */
-async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dynamicCPULimits) {
+async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dynamicCPULimits, registryFacadeHandover) {
     werft.phase("deploy", "deploying to dev");
     const destname = version.split(".")[0];
     const namespace = `staging-${destname}`;
@@ -145,7 +155,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 
     werft.log("secret", "copy secret into namespace")
     try {
-        const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys --export -o yaml \
+        const auth = exec(`echo -n "_json_key:$(kubectl get secret gcp-sa-registry-auth --namespace=keys -o yaml \
                         | yq r - data['.dockerconfigjson'] \
                         | base64 -d)" | base64 -w 0`, {silent: true}).stdout.trim();
         fs.writeFileSync("chart/gcp-sa-registry-auth",
@@ -163,7 +173,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
 
     werft.log("authProviders", "copy authProviders")
     try {
-        exec(`kubectl get secret preview-envs-authproviders --namespace=keys --export -o yaml \
+        exec(`kubectl get secret preview-envs-authproviders --namespace=keys -o yaml \
                 | yq r - data.authProviders \
                 | base64 -d -w 0 \
                 > authProviders`, {silent: true}).stdout.trim();
@@ -186,7 +196,7 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
         exec(`/usr/local/bin/helm3 delete jaeger-${destname} || echo jaeger-${destname} was not installed yet`, {slice: 'predeploy cleanup'});
 
         let objs = [];
-        ["ws-scheduler", "node-daemon", "cluster", "workspace", "jaeger", "jaeger-agent", "ws-sync", "ws-manager-node", "ws-daemon"].forEach(comp => 
+        ["ws-scheduler", "node-daemon", "cluster", "workspace", "jaeger", "jaeger-agent", "ws-sync", "ws-manager-node", "ws-daemon", "registry-facade"].forEach(comp => 
             ["ClusterRole", "ClusterRoleBinding", "PodSecurityPolicy"].forEach(kind =>
                 shell
                     .exec(`kubectl get ${kind} -l component=${comp} --no-headers -o=custom-columns=:metadata.name | grep ${namespace}-ns`)
@@ -231,6 +241,11 @@ async function deployToDev(version, previewWithHttps, workspaceFeatureFlags, dyn
     if (dynamicCPULimits) {
         flags+=` -f ../.werft/values.variant.cpuLimits.yaml`;
     }
+    if (registryFacadeHandover) {
+        flags+=` --set components.registryFacade.handover.enabled=true`;
+        flags+=` --set components.registryFacade.handover.socket=/var/lib/gitpod/registry-facade-${namespace}`;
+    }
+
     // const pathToVersions = `${shell.pwd().toString()}/versions.yaml`;
     // if (fs.existsSync(pathToVersions)) {
     //     flags+=` -f ${pathToVersions}`;
@@ -303,7 +318,11 @@ async function issueAndInstallCertficate(namespace, domain) {
 
     werft.log('certificate', `copying certificate from "certs/${namespace}" to "${namespace}/proxy-config-certificates"`);
     // certmanager is configured to create a secret in the namespace "certs" with the name "${namespace}".
-    exec(`kubectl get secret ${namespace} --namespace=certs --export -o yaml \
+    exec(`kubectl get secret ${namespace} --namespace=certs -o yaml \
+        | yq d - 'metadata.namespace' \
+        | yq d - 'metadata.uid' \
+        | yq d - 'metadata.resourceVersion' \
+        | yq d - 'metadata.creationTimestamp' \
         | sed 's/${namespace}/proxy-config-certificates/g' \
         | kubectl apply --namespace=${namespace} -f -`);
 }

diff --git a/.werft/build.yaml b/.werft/build.yaml
@@ -30,7 +30,7 @@ pod:
     - name: MYSQL_TCP_PORT
       value: 23306
   - name: build
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

diff --git a/.werft/wipe-devstaging.yaml b/.werft/wipe-devstaging.yaml
@@ -14,7 +14,7 @@ pod:
       secretName: gcp-sa-gitpod-dev-deployer
   containers:
   - name: wipe-devstaging
-    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:as-add-golangci-lint.6
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-supervisor-execve-ring3.25
     workingDir: /workspace
     imagePullPolicy: Always
     volumeMounts:

diff --git a/README.md b/README.md
@@ -50,6 +50,14 @@ The issue tracker is used for tracking **bug reports** and **feature requests**
 
 You can upvote [popular feature requests](https://github.com/gitpod-io/gitpod/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc) or [create a new one](https://github.com/gitpod-io/gitpod/issues/new?template=feature_request.md).
 
+## Development Process
+
+We work with quarterly roadmaps in monthly iterations.
+
+ - [Development Process](https://www.notion.so/gitpod/Development-Process-2b105f72847440ec8f4a1d87ac25801b)
+ - [Product Roadmap](https://www.notion.so/gitpod/Product-Roadmap-b9b5eac0a15147ac8d2dd25cf0519203)
+ - [Architectural Roadmap](https://www.notion.so/gitpod/Architecture-Roadmap-4669b58fc9cc45488a0a094d2a596886)
+
 ## Related Projects
 
 During the development of Gitpod we also developed some our own infrastructure tooling to make development easier and more efficient.

diff --git a/chart/config/proxy/vhost.server.conf b/chart/config/proxy/vhost.server.conf
@@ -110,7 +110,7 @@ server {
     #  - (webview-|browser-)?+          foreign content prefix including UUID (optional). This must be possesive (?+) to not confuse "webview-8000-a1231-..." with a valid UUID
     #  - (?<wsid>[a-z][0-9a-z\-]+)      workspace Id or blobserve
     #  - \.ws(-[a-z0-9]+)?              workspace base domain
-    server_name ~^(webview-|browser-)?+(?<wsid>[a-z][0-9a-z\-]+)\.ws(-[a-z0-9]+)?\.${PROXY_DOMAIN_REGEX}$;
+    server_name ~^(webview-|browser-)?+(?<wsid>[a-z0-9][0-9a-z\-]+)\.ws(-[a-z0-9]+)?\.${PROXY_DOMAIN_REGEX}$;
 
 {{- if $useHttps }}
     {{- if eq .Values.ingressMode "pathAndHost" }}
@@ -133,7 +133,7 @@ server {
     #  - (?<wsid>[a-z][0-9a-z\-]+)      workspace Id
     #  - \.ws(-[a-z0-9]+)?              workspace base domain
     # "" needed because of {} (nginx syntax wart)
-    server_name "~^(webview-|browser-)?+(?<port>[0-9]{2,5})-(?<wsid>[a-z][0-9a-z\-]+)\.ws(-[a-z0-9]+)?\.${PROXY_DOMAIN_REGEX}$";
+    server_name "~^(webview-|browser-)?+(?<port>[0-9]{2,5})-(?<wsid>[a-z0-9][0-9a-z\-]+)\.ws(-[a-z0-9]+)?\.${PROXY_DOMAIN_REGEX}$";
 
 {{- if $useHttps }}
     {{- if eq .Values.ingressMode "pathAndHost" }}

diff --git a/chart/templates/cluster-restricted-root-podsecuritypolicy.yaml b/chart/templates/cluster-restricted-root-podsecuritypolicy.yaml
@@ -39,7 +39,8 @@ spec:
     - 'secret'
     - 'emptyDir'
     - 'persistentVolumeClaim'
-  hostNetwork: false
+    - 'hostPath'
+  hostNetwork: true
   hostIPC: false
   hostPID: false
   hostPorts: 

diff --git a/chart/templates/registry-facade-clusterrole.yaml b/chart/templates/registry-facade-clusterrole.yaml
@@ -0,0 +1,20 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if .Values.installPodSecurityPolicies -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Namespace }}-ns-registry-facade
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: cluster
+    kind: clusterrole
+    stage: {{ .Values.installation.stage }}
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames:
+    - {{ .Release.Namespace }}-ns-registry-facade
+{{- end -}}
diff --git a/chart/templates/registry-facade-configmap.yaml b/chart/templates/registry-facade-configmap.yaml
@@ -17,7 +17,11 @@ data:
     {
         {{ if .Values.components.workspace.pullSecret.secretName -}}"dockerAuth": "/mnt/pull-secret.json",{{- end }}
         "registry": {
+            {{- if $comp.handover.enabled }}
+            "port": {{ $comp.ports.registry.servicePort }},
+            {{- else }}
             "port": {{ $comp.ports.registry.containerPort }},
+            {{- end }}
             {{- if (or .Values.certificatesSecret.secretName $comp.certificatesSecret.secretName) }}
             {{- if (or .Values.certificatesSecret.certManager $comp.certificatesSecret.certManager) }}
             "tls": {
@@ -45,7 +49,11 @@ data:
                     "ref": "{{ template "gitpod.comp.imageFull" (dict "root" . "gp" $.Values "comp" .Values.components.workspace.dockerUp) }}",
                     "type": "image"
                 }
-            ]
+            ],
+            "handover": {
+                "enabled": {{ $comp.handover.enabled }},
+                "sockets": "/mnt/handover"
+            }
         },
         "pprofAddr": ":6060",
         "prometheusAddr": ":9500"

diff --git a/chart/templates/registry-facade-daemonset.yaml b/chart/templates/registry-facade-daemonset.yaml
@@ -38,6 +38,24 @@ spec:
     spec:
 {{ include "gitpod.workspaceAffinity" $this | indent 6 }}
       serviceAccountName: registry-facade
+{{- if $comp.handover.enabled }}
+      initContainers:
+      - name: handover-ownership
+        image: {{ template "gitpod.comp.imageFull" $this }}
+        command:
+        - "/bin/sh"
+        - "-c"
+        - "chown -R 1000:1000 /mnt/handover"
+        volumeMounts:
+        - name: handover
+          mountPath: "/mnt/handover"
+        securityContext:
+          privileged: false
+          runAsUser: 0
+{{- end }}
+      {{- if $comp.handover.enabled }}
+      hostNetwork: true
+      {{- end }}
       containers:
       - name: registry-facade
         image: {{ template "gitpod.comp.imageFull" $this }}
@@ -46,21 +64,30 @@ spec:
 {{ include "gitpod.container.resources" $this | indent 8 }}
         ports:
         - name: registry
+          {{- if $comp.handover.enabled }}
+          # if hostNetwork == true then containerPort == hostPort
+          containerPort: {{ $comp.ports.registry.servicePort }}
+          {{- else }}
           containerPort: {{ $comp.ports.registry.containerPort }}
           hostPort: {{ $comp.ports.registry.servicePort }}
         - name: metrics
           containerPort: 9500
+          {{- end }}
         securityContext:
           privileged: false
           runAsUser: 1000
 {{ include "gitpod.container.defaultEnv" $this | indent 8 }}
 {{ include "gitpod.container.tracingEnv" $this | indent 8 }}
         volumeMounts:
+        - name: cache
+          mountPath: "/mnt/cache"
         - name: config
           mountPath: "/mnt/config"
           readOnly: true
-        - name: cache
-          mountPath: "/mnt/cache"
+        {{- if $comp.handover.enabled }}
+        - name: handover
+          mountPath: "/mnt/handover"
+        {{- end }}
         {{- if .Values.components.workspace.pullSecret.secretName }}
         - name: pull-secret
           mountPath: /mnt/pull-secret.json
@@ -76,6 +103,12 @@ spec:
       - name: config
         configMap:
           name: {{ template "gitpod.comp.configMap" $this }}
+      {{- if $comp.handover.enabled }}
+      - name: handover
+        hostPath:
+          path: {{ $comp.handover.socket | quote }}
+          type: DirectoryOrCreate
+      {{- end }}
       {{- if .Values.components.workspace.pullSecret.secretName }}
       - name: pull-secret
         secret:

diff --git a/chart/templates/registry-facade-podsecuritypolicy.yaml b/chart/templates/registry-facade-podsecuritypolicy.yaml
@@ -0,0 +1,65 @@
+# Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+# Licensed under the MIT License. See License-MIT.txt in the project root for license information.
+
+{{ if .Values.installPodSecurityPolicies -}}
+# Taken from the examples here:
+# Examples: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies
+# File: https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/policy/restricted-psp.yaml
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ .Release.Namespace }}-ns-registry-facade
+  labels:
+    app: {{ template "gitpod.fullname" . }}
+    component: cluster
+    kind: podsecuritypolicy
+    stage: {{ .Values.installation.stage }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+spec:
+  #####
+  # The nginx master process (currently?) runs as root, thus we have to turn some safe things off
+  #####
+  ### TODO root proxy
+  # privileged: false
+  # # Required to prevent escalations to root.
+  # allowPrivilegeEscalation: false
+  # # This is redundant with non-root + disallow privilege escalation,
+  # # but we can provide it for defense in depth.
+  # requiredDropCapabilities:
+  #   - ALL
+  ### TODO root proxy
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'secret'
+    - 'emptyDir'
+    - 'hostPath'
+  hostNetwork: true
+  hostIPC: false
+  hostPID: false
+  hostPorts: 
+  - min: 30000
+    max: 33000
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      # Forbid adding the root group.
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  {{- end -}}
diff --git a/chart/templates/registry-facade-rolebinding.yaml b/chart/templates/registry-facade-rolebinding.yaml
@@ -15,5 +15,5 @@ subjects:
   name: registry-facade
 roleRef:
   kind: ClusterRole
-  name: {{ .Release.Namespace }}-ns-psp:restricted-root-user
+  name: {{ .Release.Namespace }}-ns-registry-facade
   apiGroup: rbac.authorization.k8s.io