diff --git a/conf/example.conf b/conf/example.conf index c197dbc..8ba4919 100644 --- a/conf/example.conf +++ b/conf/example.conf @@ -107,11 +107,8 @@ repo gitolite repo @oss_repos R = @all - # set permissions to all already defined repos - # (a repository is defined if it has permission rules - # associated, empty "repo" stanza or "@group=..." line is - # not enough). *Please* do see doc/3-faq-tips-etc.mkd for - # some important notes on this feature + # set permissions to all repos. *Please* do see + # doc/3-faq-tips-etc.mkd for notes on this feature repo @all RW+ = @admins diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd index faa3312..01ae889 100644 --- a/doc/3-faq-tips-etc.mkd +++ b/doc/3-faq-tips-etc.mkd @@ -126,16 +126,12 @@ seem to hurt anything. [Update 2009-09-14; this has been fixed in git ### `@all` syntax for repos There *is* a way to use the `@all` syntax for repos also, as described in -`conf/example.conf`. However, there is an important difference between this -and the old `@all` (for users): +`conf/example.conf`. However, there are a couple of minor cautions: - * `@all` for repos is immediately expanded, when found, into the currently - known list of repos. "Currently" means upto this point in the config - file, and "known" means having some user with some permissions associated - with the repo! - - * This means that if you really want *all* repos, you'd better put this para - at the **end** of the config file! + * don't use `NAME/` or such restrictions on the special `@all` repo. Due to + the potential for defeating a crucial optimisation and slowing down *all* + access, we do not support this. + * don't try giving `@all` users some permission for `@all` repos ### umask setting diff --git a/doc/4-wildcard-repositories.mkd b/doc/4-wildcard-repositories.mkd index 68dbaa0..a70f239 100644 --- a/doc/4-wildcard-repositories.mkd +++ b/doc/4-wildcard-repositories.mkd 
@@ -185,8 +185,8 @@ allowed to *create* repos matching that pattern. In addition, there is also the "expand" command, which takes any regex pattern and returns you a list of all wildcard-created repos that you have access to which fit that pattern. And if, as an administrator, you wish to list out -*every single* repo that your users have created, add this to the *end* of the -config file: +*every single* repo that your users have created, add this to your config +file: repo @all R = sitaram # or whoever you are diff --git a/hooks/common/update b/hooks/common/update index f8b5826..d8f610c 100755 --- a/hooks/common/update +++ b/hooks/common/update @@ -76,8 +76,9 @@ $perm = '+' if $ref =~ m(refs/tags/) and $oldsha ne ('0' x 40); $perm = '+' if $oldsha ne $merge_base; my @allowed_refs; -# we want specific perms to override @all, so they come first +# @all repos: see comments in similar code in check_access push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{$ENV{GL_USER}} || [] }; +push @allowed_refs, @ { $repos{'@all'} {$ENV{GL_USER}} || [] }; push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] }; # prepare the list of refs to be checked @@ -88,6 +89,7 @@ push @allowed_refs, @ { $repos{$ENV{GL_REPO}}{'@all'} || [] }; # been specified my @refs = ($ref); # the first ref to check is the real one +# because making it work screws up efficiency like no tomorrow... if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS}) { # this is special to git -- the hash of an empty tree my $empty='4b825dc642cb6eb9a060e54bf8d69288fbee4904'; diff --git a/src/gitolite.pm b/src/gitolite.pm index 979ca51..e398b09 100644 --- a/src/gitolite.pm +++ b/src/gitolite.pm 
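Review bot: The order of the three `push @allowed_refs` lines in hooks/common/update decides which rule is seen first, but the new comment only points at `check_access` in src/gitolite.pm, a different file from this hook. Since the hook is the enforcement point for ref-level rules, I would state the order here too, e.g. `# order: user+repo rules, then this user's rules on '@all' repos, then '@all' users' rules on this repo`. The same three lines are repeated in the `check_access` hunk, so the two copies have to be kept in step by hand.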
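Review bot: The comment added above `if (exists $repos{$ENV{GL_REPO}}{NAME_LIMITS})` is a sentence fragment and never says what is not being made to work. It may be meant to continue the comment block ending in `# been specified`, but it sits after the `my @refs` line. From the visible condition, only the pushed-to repo's `NAME_LIMITS` is consulted and never `$repos{'@all'}{NAME_LIMITS}`, so a `NAME/` rule under `repo @all` would presumably not be applied by this hook. A complete comment would be `# NAME/ limits on the special '@all' repo are deliberately not consulted here (unsupported; see doc/3-faq-tips-etc.mkd)`. The `if` block continues past the end of the hunk.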
@@ -284,9 +284,13 @@ sub report_basic system("cat", ($GL_PACKAGE_CONF || "$GL_ADMINDIR/conf") . "/VERSION"); print "\ryou have the following permissions:\r\n"; for my $r (sort keys %repos) { - my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) ); - $perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{$r}{R}{$user} ? ' R' : ' ' ) ); - $perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{$r}{W}{$user} ? ' W' : ' ' ) ); + # @all repos; meaning of read/write flags: + # @ => @all users are allowed access to this repo + # r/w => you are allowed access to @all repos + # R/W => you are allowed access to this repo + my $perm .= ( $repos{$r}{C}{'@all'} ? ' @' : ( $repos{$r}{C}{$user} ? ' C' : ' ' ) ); + $perm .= ( $repos{$r}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$r}{R}{$user} ? ' R' : ' ' ))); + $perm .= ( $repos{$r}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$r}{W}{$user} ? ' W' : ' ' ))); print "$perm\t$r\r\n" if $perm =~ /\S/; } } @@ -333,8 +337,9 @@ sub expand_wild $creater = "($creater)"; } my $perm = ' '; - $perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' ) ); - $perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' ) ); + # @all repos; see notes above + $perm .= ( $repos{$actual_repo}{R}{'@all'} ? ' @' : ( $repos{'@all'}{R}{$user} ? ' r' : ( $repos{$actual_repo}{R}{$user} ? ' R' : ' ' ))); + $perm .= ( $repos{$actual_repo}{W}{'@all'} ? ' @' : ( $repos{'@all'}{W}{$user} ? ' w' : ( $repos{$actual_repo}{W}{$user} ? ' W' : ' ' ))); next if $perm eq ' '; print "$perm\t$creater\t$actual_repo\n"; } 
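Review bot: The legend added in `report_basic` explains the flags but not their precedence, which the nested ternaries fix as `@` over `r`/`w` over `R`/`W`. A user who holds both a per-repo grant and a `repo @all` grant will only ever see the lowercase flag. This listing is what people read to audit who can reach a repo, so I would add `# precedence: '@' hides r/w, which hides R/W; the C column is per-repo only and does not consult '@all' repos`. The `# @all repos; see notes above` comment in the `expand_wild` hunk relies on the same legend. Separately, `my $perm .= (` appends to a variable in its own declaration; `my $perm = (` reads more plainly. Both subs continue outside their hunks.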
@@ -390,8 +395,11 @@ sub check_access # bit, sadly), this code duplicates stuff in the current update hook. my @allowed_refs; - # we want specific perms to override @all, so they come first + # user+repo specific perms override everything else, so they come first. + # Then perms given to specific user for @all repos, and finally perms + # given to @all users for specific repo push @allowed_refs, @ { $repos{$repo}{$ENV{GL_USER}} || [] }; + push @allowed_refs, @ { $repos{'@all'}{$ENV{GL_USER}} || [] }; push @allowed_refs, @ { $repos{$repo}{'@all'} || [] }; &check_ref(\@allowed_refs, $repo, $ref, $perm); diff --git a/src/gl-auth-command b/src/gl-auth-command index a21167b..df04167 100755 --- a/src/gl-auth-command +++ b/src/gl-auth-command @@ -188,6 +188,7 @@ my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W'); die "$perm access for $repo DENIED to $user\n" unless $repos{$repo}{$perm}{$user} + or $repos{'@all'}{$perm}{$user} # new: access to @all repos or $repos{$repo}{$perm}{'@all'}; # ---------------------------------------------------------------------------- diff --git a/src/gl-compile-conf b/src/gl-compile-conf index 4409e44..ed74722 100755 --- a/src/gl-compile-conf +++ b/src/gl-compile-conf @@ -184,9 +184,7 @@ sub parse_conf_file { # grab the list and expand any @stuff in it @repos = split ' ', $1; - if (@repos == 1 and $repos[0] eq '@all') { - @repos = keys %repos; - } else { + unless (@repos == 1 and $repos[0] eq '@all') { @repos = expand_list ( @repos ); do { die "$ABRT bad reponame $_\n" unless ($GL_WILDREPOS ? $_ =~ $REPOPATT_PATT : $_ =~ $REPONAME_PATT) } for @repos; }
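Review bot: The added `or $repos{'@all'}{$perm}{$user}` clause in src/gl-auth-command is evaluated for whatever `$repo` reaches this check, so an R or W grant under `repo @all` now covers repos the admin never listed. That would presumably include ones defined later in the config, the admin repo itself and other users' wildcard-created repos, none of which the old expand-at-parse-time behaviour reached in the same way. That is a wider scope than the `# new: access to @all repos` comment conveys; I would spell it out, e.g. `# a grant under "repo @all" applies to every repo name that reaches this check; there is no per-repo exclusion`. Note also that `$repos{'@all'}{$perm}{'@all'}` is not among the three clauses, so the `@all` users on `@all` repos combination that the FAQ warns against grants nothing at this gate.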
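Review bot: With the `@all` branch in src/gl-compile-conf reduced to a skip, a `repo @all` stanza now continues as the literal name `@all` without passing through `expand_list` or the `$REPONAME_PATT`/`$REPOPATT_PATT` check. Nothing visible in this hunk rejects the two combinations the updated FAQ says are unsupported, namely `NAME/` restrictions on `@all` and `@all` users on `@all` repos. An admin who writes either gets no compile-time feedback as far as this hunk shows; the rule-parsing code sits outside the hunk, so this may be handled there. If it is not, a `die "$ABRT ..."` at that point when the current stanza is `@all` would turn a silent misconfiguration into an error. At minimum, add a comment on the `unless`: `# '@all' is kept as a literal pseudo-repo key and resolved at access-check time, not expanded here`.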