diff --git a/.gitignore b/.gitignore
index a0b72fa..71dd0db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 /python-cjdns-0.1.tar.gz
 /cjdns-v20.5.tar.gz
 /cjdns-v20.6.tar.gz
+/cjdns-v20.7.tar.gz
diff --git a/cjdns.genconf.patch b/cjdns.genconf.patch
index 940fd29..e30349d 100644
--- a/cjdns.genconf.patch
+++ b/cjdns.genconf.patch
@@ -1,16 +1,16 @@
 diff -up ./client/cjdroute2.c.genconf ./client/cjdroute2.c
---- ./client/cjdroute2.c.genconf	2019-05-02 04:02:32.000000000 -0400
-+++ ./client/cjdroute2.c	2019-05-08 12:14:53.146838389 -0400
-@@ -336,7 +336,7 @@ static int genconf(struct Random* rand,
-            "        // and ETHInterface will be unable to hot-add new interfaces\n"
-            "        // Use { \"setuser\": 0 } to disable.\n"
-            "        // Default: enabled with keepNetAdmin\n"
--           "        { \"setuser\": \"nobody\", \"keepNetAdmin\": 1 },\n"
-+           "        { \"setuser\": \"cjdns\", \"keepNetAdmin\": 1 },\n"
-            "\n"
+--- ./client/cjdroute2.c.genconf	2020-06-23 08:37:44.000000000 -0400
++++ ./client/cjdroute2.c	2020-07-01 13:48:09.041257042 -0400
+@@ -359,7 +359,7 @@ static int genconf(struct Allocator* all
+            if (Defined(android) || Defined(darwin)) {
+     printf("        { \"setuser\": 0 },\n");
+            } else {
+-    printf("        { \"setuser\": \"nobody\", \"keepNetAdmin\": 1 },\n");
++    printf("        { \"setuser\": \"cjdns\", \"keepNetAdmin\": 1 },\n");
+            }
+     printf("\n"
             "        // Chroot changes the filesystem root directory which cjdns sees, blocking it\n"
-            "        // from accessing files outside of the chroot sandbox, if the user does not\n"
-@@ -348,7 +348,7 @@ static int genconf(struct Random* rand,
+@@ -372,7 +372,7 @@ static int genconf(struct Allocator* all
            }
            else {
      printf("        // Default: enabled (using \"/var/run\")\n"
diff --git a/cjdns.selinux.patch b/cjdns.selinux.patch
index b274924..8248b18 100644
--- a/cjdns.selinux.patch
+++ b/cjdns.selinux.patch
@@ -1,6 +1,6 @@
 diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
---- ./contrib/selinux/cjdns.te.selinux	2019-05-02 04:02:32.000000000 -0400
-+++ ./contrib/selinux/cjdns.te	2019-08-15 22:23:18.807845457 -0400
+--- ./contrib/selinux/cjdns.te.selinux	2020-06-23 08:37:44.000000000 -0400
++++ ./contrib/selinux/cjdns.te	2020-07-01 19:34:24.473531348 -0400
 @@ -7,8 +7,9 @@ require {
  	type port_t;
  	type unreserved_port_t;
@@ -12,7 +12,7 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
  }
  
  type cjdns_t;
-@@ -17,24 +18,26 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+@@ -17,27 +18,29 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
  
  #============= cjdns_t ==============
  # Let master process run further restricted subprocess
@@ -44,4 +44,8 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
 -
  # management API
  allow cjdns_t self:unix_stream_socket connectto;
- allow cjdns_t tmp_t:sock_file { write create unlink };
+-allow cjdns_t tmp_t:sock_file { write create unlink };
++allow cjdns_t tmp_t:sock_file { write create unlink getattr };
+ allow cjdns_t tmp_t:dir { write remove_name add_name };
+ allow cjdns_t urandom_device_t:chr_file { read open };
+ 
diff --git a/cjdns.spec b/cjdns.spec
index faeb372..e735584 100644
--- a/cjdns.spec
+++ b/cjdns.spec
@@ -73,7 +73,7 @@
 %global makeman marked-man
 %else
 %global use_marked 0
-%global makeman ../../ronn
+%global makeman pandoc -s -tman
 %endif
 
 # FIXME: Needs dependencies and install www dir someplace reasonable.
@@ -84,8 +84,8 @@
 
 Name:           cjdns
 # major version is cjdns protocol version:
-Version:        20.6
-Release:        3%{?dist}
+Version:        20.7
+Release:        1%{?dist}
 Summary:        The privacy-friendly network without borders
 # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
 # cnacl is unused except when use_embedded is true
@@ -115,10 +115,6 @@ Patch1: cjdns.el6.patch
 #
 # https://lwn.net/Articles/451985/
 # 
-# On the 2.6.32 kernel used by EL6, the above causes setuid() to fail.
-# This patch sets RLIMIT_NPROC to { 1, 1 } instead, which prevents
-# fork(), but not exec, and calls setgroups() before setuid().
-Patch2:  cjdns.nprocs.patch
 # Change defaults generated by cjdroute --genconf
 Patch4:  cjdns.genconf.patch
 # Patch contributed init scripts to put cjdroute in /usr/sbin and
@@ -129,7 +125,7 @@ Patch6:  cjdns.dyn.patch
 # Patch to use _LINUX_CAPABILITY_3 (cjdns < 18)
 #Patch7:  cjdns.cap3.patch
 # Patch some source files to ignore selected warnings that break gcc6 builds
-Patch8:  cjdns.warnings.patch
+#Patch8:  cjdns.warnings.patch
 # Man pages
 Patch9:  cjdns.man.patch
 # Patch some bugs in nodejs tools
@@ -153,18 +149,16 @@ Patch12: cjdns.sign.patch
 #Patch17: cjdns.s390x.patch
 # patch build to use system libuv
 Patch18: cjdns.libuv.patch
-Patch19: cjdns.fuzz.patch
+#Patch19: cjdns.fuzz.patch
 # patch to use /proc/sys/kernel/random/uuid instead of sysctl before 20.4
 Patch20: cjdns.sysctl.patch
-# Patch ronn to stop using deprecated util.puts and util.debug
-#Patch21: cjdns.puts.patch
 # gcc-10 no longer allows duplicate globals
 Patch22: cjdns.gcc10.patch
 
 %if %{use_marked}
 BuildRequires:  nodejs, nodejs-marked, python3
 %else
-BuildRequires:  nodejs, nodejs-ronn, python3
+BuildRequires:  nodejs, pandoc, python3
 %endif
 
 # Automated package review hates explicit BR on make, but it *is* needed
@@ -288,7 +282,6 @@ Python peer graph tools for cjdns.
 %patch1 -b .el6
 %endif
 
-%patch2 -b .nprocs
 %patch4 -b .genconf
 %patch5 -b .sbin
 
@@ -322,7 +315,7 @@ fi
 %endif
 
 %if !0%{?rhel} || 0%{?rhel} > 6
-%patch8 -b .warnings
+#patch8 -b .warnings
 %endif
 
 %patch9 -b .man
@@ -342,7 +335,7 @@ sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js
 sed -i -e '/optimizeLevel:/ s/-O0/-O3/' node_build/make.js
 %endif
 %endif
-%patch19 -p1 -b .fuzz
+#patch19 -p1 -b .fuzz
 #patch20 -p1 -b .sysctl
 #patch22 -b .gcc10
 
@@ -399,9 +392,9 @@ rm node_build/dependencies/cnacl/node_build/plans/*_AVX_plan.json
 %endif
 
 %if !%{use_marked}
-cp -r /usr/lib/node_modules/ronn node_modules
-#patch21 -p1 -b .puts
-ln -s node_modules/ronn/bin/ronn.js ronn
+for i in contrib/doc/*.md; do
+  sed -i -e'1,1 s/^/% /' -e'1,1 s/--/|/' -e'2,2d' $i
+done
 %endif
 
 # remove hidden files from node_modules/nthen
@@ -482,8 +475,6 @@ install -p publictoip6 privatetopublic mkpasswd makekeys randombytes sybilsim \
         %{buildroot}%{_libexecdir}/cjdns
 rm -f node_modules/nthen/.npmignore
 cp -pr tools node_modules %{buildroot}%{_libexecdir}/cjdns
-# but not local copy of ronn
-rm -rf %{buildroot}%{_libexecdir}/cjdns/node_modules/ronn
 
 %if %{with_admin}
 rm -f contrib/nodejs/admin/.gitignore
@@ -754,6 +745,10 @@ fi
 %{_bindir}/graphStats
 
 %changelog
+* Wed Jul  1 2020 Stuart Gathman <stuart@gathman.org> - 20.7-1
+- New upstream release
+- Use pandoc for manpages
+
 * Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 20.6-3
 - Rebuilt for Python 3.9
 - disable patch for nodejs-ronn, now included in Fedora
diff --git a/sources b/sources
index a1f0a31..4773c62 100644
--- a/sources
+++ b/sources
@@ -2,3 +2,4 @@ SHA512 (cjdns-v20.4.tar.gz) = 5a6bd36b2edd07fa883efa4b14dd8a7ba0189bf43404e27ab6
 SHA512 (python-cjdns-0.1.tar.gz) = f3b7c9afe6bc2f8b0b872cc7fbe9e997657ecf1cbb1f7e8e417099f1265541af919e965be2508a8613f3a2223020ac077473fe48c78f9553dda1a927364bb256
 SHA512 (cjdns-v20.5.tar.gz) = 36ae20182b9e9601ae64630cb0fa96caccbe5279be48520ea8b457a15437da5c9b48a5ae5588bd76ef819efe696b5a582a906a50e4dbe7760bb96fa7d1d63ea3
 SHA512 (cjdns-v20.6.tar.gz) = 34057583f2215899b96f95cc60ba0532aff12834ad2c4b432a6752c811f60ed3d6d33ec82e039b159f090558020faf69c71b373ac33ca9e41b186be0b87c3332
+SHA512 (cjdns-v20.7.tar.gz) = db103e70e3d9f5e4958dcbeed51df358450f9489b6573f9b9eddc1839ee2051fe5180eede894b465e92915fabcb4cb64ce08a41c06450f14de75943879633f25