summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-01-28 07:29:13 -0500
committerMark H Weaver <mhw@netris.org>2016-01-28 07:29:13 -0500
commit593c366bded5d5f6638a3e80edb1c6e473149fce (patch)
treeeb58d26a878a22c79931fd8cfc2479dea28ab0a6
parent133056bd743e4a3d534a4e4ba9ed83dbbfbfbd19 (diff)
parent29a780147d066d5ce218d1fa2678a0a36a1145e3 (diff)
downloadguix-593c366bded5d5f6638a3e80edb1c6e473149fce.tar.gz
Merge branch 'core-updates'
-rw-r--r--gnu-system.am45
-rw-r--r--gnu/packages/attr.scm67
-rw-r--r--gnu/packages/autotools.scm6
-rw-r--r--gnu/packages/backup.scm3
-rw-r--r--gnu/packages/base.scm34
-rw-r--r--gnu/packages/bash.scm33
-rw-r--r--gnu/packages/bdw-gc.scm15
-rw-r--r--gnu/packages/cmake.scm2
-rw-r--r--gnu/packages/commencement.scm155
-rw-r--r--gnu/packages/compression.scm10
-rw-r--r--gnu/packages/cross-base.scm6
-rw-r--r--gnu/packages/databases.scm17
-rw-r--r--gnu/packages/doxygen.scm29
-rw-r--r--gnu/packages/emacs.scm3
-rw-r--r--gnu/packages/file.scm4
-rw-r--r--gnu/packages/flex.scm6
-rw-r--r--gnu/packages/gawk.scm6
-rw-r--r--gnu/packages/gcc.scm63
-rw-r--r--gnu/packages/gettext.scm66
-rw-r--r--gnu/packages/glib.scm4
-rw-r--r--gnu/packages/gnome.scm8
-rw-r--r--gnu/packages/gnupg.scm8
-rw-r--r--gnu/packages/gnuzilla.scm38
-rw-r--r--gnu/packages/guile.scm3
-rw-r--r--gnu/packages/haskell.scm6
-rw-r--r--gnu/packages/image.scm10
-rw-r--r--gnu/packages/language.scm7
-rw-r--r--gnu/packages/ld-wrapper.in66
-rw-r--r--gnu/packages/libffi.scm7
-rw-r--r--gnu/packages/linux.scm73
-rw-r--r--gnu/packages/mail.scm1
-rw-r--r--gnu/packages/multiprecision.scm28
-rw-r--r--gnu/packages/ncurses.scm38
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/patches/automake-regexp-syntax.patch34
-rw-r--r--gnu/packages/patches/doxygen-test.patch4
-rw-r--r--gnu/packages/patches/doxygen-tmake.patch24
-rw-r--r--gnu/packages/patches/emacs-source-date-epoch.patch20
-rw-r--r--gnu/packages/patches/findutils-absolute-paths.patch29
-rw-r--r--gnu/packages/patches/findutils-test-xargs.patch22
-rw-r--r--gnu/packages/patches/flex-bison-tests.patch24
-rw-r--r--gnu/packages/patches/gawk-fts-test.patch51
-rw-r--r--gnu/packages/patches/gnutls-doc-fix.patch546
-rw-r--r--gnu/packages/patches/grep-CVE-2015-1345.patch17
-rw-r--r--gnu/packages/patches/grep-timing-sensitive-test.patch15
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch308
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch51
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch170
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch56
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch48
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch189
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch183
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch91
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch83
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1935.patch77
-rw-r--r--gnu/packages/patches/icecat-bug-1146335-pt1.patch141
-rw-r--r--gnu/packages/patches/icecat-bug-1146335-pt2.patch43
-rw-r--r--gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch73
-rw-r--r--gnu/packages/patches/libarchive-bsdtar-test.patch74
-rw-r--r--gnu/packages/patches/librsvg-tests.patch27
-rw-r--r--gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch107
-rw-r--r--gnu/packages/patches/libtiff-oob-accesses-in-decode.patch171
-rw-r--r--gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch49
-rw-r--r--gnu/packages/patches/perl-CVE-2015-8607.patch68
-rw-r--r--gnu/packages/patches/perl-deterministic-ordering.patch29
-rwxr-xr-x[-rw-r--r--]gnu/packages/patches/perl-module-pluggable-search.patch16
-rw-r--r--gnu/packages/patches/perl-no-build-time.patch26
-rw-r--r--gnu/packages/patches/perl-no-sys-dirs.patch152
-rw-r--r--gnu/packages/patches/perl-source-date-epoch.patch19
-rw-r--r--gnu/packages/patches/procps-make-3.82.patch14
-rw-r--r--gnu/packages/patches/python-2.7-search-paths.patch6
-rw-r--r--gnu/packages/patches/python-3-search-paths.patch6
-rw-r--r--gnu/packages/pcre.scm2
-rw-r--r--gnu/packages/perl.scm120
-rw-r--r--gnu/packages/pkg-config.scm6
-rw-r--r--gnu/packages/plotutils.scm4
-rw-r--r--gnu/packages/pulseaudio.scm11
-rw-r--r--gnu/packages/python.scm4
-rw-r--r--gnu/packages/qt.scm7
-rw-r--r--gnu/packages/ruby.scm176
-rw-r--r--gnu/packages/scheme.scm3
-rw-r--r--gnu/packages/texinfo.scm8
-rw-r--r--gnu/packages/tls.scm24
-rw-r--r--gnu/packages/video.scm2
-rw-r--r--gnu/packages/web.scm56
-rw-r--r--gnu/packages/webkit.scm14
-rw-r--r--guix/build-system/gnu.scm8
-rw-r--r--guix/build/gnu-build-system.scm16
-rw-r--r--guix/build/haskell-build-system.scm99
-rw-r--r--guix/build/python-build-system.scm9
-rw-r--r--guix/build/ruby-build-system.scm13
-rw-r--r--guix/build/utils.scm9
-rw-r--r--guix/search-paths.scm6
-rw-r--r--tests/graph.scm2
100 files changed, 3522 insertions, 1225 deletions
diff --git a/gnu-system.am b/gnu-system.am
index ad59241d2c..ac386355df 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -1,5 +1,5 @@
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 # Copyright © 2013, 2014, 2015, 2016 Andreas Enge <andreas@enge.fr>
 # Copyright © 2013, 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 #
@@ -415,6 +415,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/ath9k-htc-firmware-objcopy.patch		\
   gnu/packages/patches/audacity-fix-ffmpeg-binding.patch	\
   gnu/packages/patches/automake-skip-amhello-tests.patch	\
+  gnu/packages/patches/automake-regexp-syntax.patch		\
   gnu/packages/patches/avahi-localstatedir.patch		\
   gnu/packages/patches/avidemux-install-to-lib.patch		\
   gnu/packages/patches/avrdude-fix-libusb.patch			\
@@ -447,11 +448,11 @@ dist_patch_DATA =						\
   gnu/packages/patches/diffutils-gets-undeclared.patch		\
   gnu/packages/patches/dfu-programmer-fix-libusb.patch		\
   gnu/packages/patches/doxygen-test.patch			\
-  gnu/packages/patches/doxygen-tmake.patch			\
   gnu/packages/patches/duplicity-piped-password.patch		\
   gnu/packages/patches/duplicity-test_selection-tmp.patch	\
   gnu/packages/patches/elfutils-tests-ptrace.patch		\
   gnu/packages/patches/emacs-exec-path.patch			\
+  gnu/packages/patches/emacs-source-date-epoch.patch		\
   gnu/packages/patches/eudev-rules-directory.patch		\
   gnu/packages/patches/evilwm-lost-focus-bug.patch		\
   gnu/packages/patches/expat-CVE-2015-1283.patch		\
@@ -462,13 +463,13 @@ dist_patch_DATA =						\
   gnu/packages/patches/fasthenry-spUtils.patch			\
   gnu/packages/patches/fasthenry-spSolve.patch			\
   gnu/packages/patches/fasthenry-spFactor.patch			\
-  gnu/packages/patches/findutils-absolute-paths.patch		\
   gnu/packages/patches/findutils-localstatedir.patch		\
+  gnu/packages/patches/findutils-test-xargs.patch		\
   gnu/packages/patches/flashrom-use-libftdi1.patch		\
-  gnu/packages/patches/flex-bison-tests.patch			\
   gnu/packages/patches/flint-ldconfig.patch			\
   gnu/packages/patches/fltk-shared-lib-defines.patch		\
   gnu/packages/patches/freeimage-CVE-2015-0852.patch		\
+  gnu/packages/patches/gawk-fts-test.patch			\
   gnu/packages/patches/gawk-shell.patch				\
   gnu/packages/patches/gcc-arm-link-spec-fix.patch		\
   gnu/packages/patches/gcc-cross-environment-variables.patch	\
@@ -485,6 +486,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glib-tests-gapplication.patch		\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
+  gnu/packages/patches/glibc-hurd-extern-inline.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/glibc-locales.patch			\
   gnu/packages/patches/glibc-locale-incompatibility.patch	\
@@ -493,11 +495,10 @@ dist_patch_DATA =						\
   gnu/packages/patches/gmp-arm-asm-nothumb.patch		\
   gnu/packages/patches/gmp-faulty-test.patch			\
   gnu/packages/patches/gnucash-price-quotes-perl.patch		\
-  gnu/packages/patches/gnutls-doc-fix.patch			\
   gnu/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   gnu/packages/patches/gobject-introspection-cc.patch		\
   gnu/packages/patches/gobject-introspection-girepository.patch	\
-  gnu/packages/patches/grep-CVE-2015-1345.patch			\
+  gnu/packages/patches/grep-timing-sensitive-test.patch		\
   gnu/packages/patches/grub-CVE-2015-8370.patch			\
   gnu/packages/patches/grub-gets-undeclared.patch		\
   gnu/packages/patches/grub-freetype.patch			\
@@ -515,7 +516,26 @@ dist_patch_DATA =						\
   gnu/packages/patches/hop-linker-flags.patch			\
   gnu/packages/patches/hydra-automake-1.15.patch		\
   gnu/packages/patches/hydra-disable-darcs-test.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch		\
+  gnu/packages/patches/icecat-CVE-2016-1935.patch		\
   gnu/packages/patches/icecat-avoid-bundled-includes.patch	\
+  gnu/packages/patches/icecat-bug-1146335-pt1.patch		\
+  gnu/packages/patches/icecat-bug-1146335-pt2.patch		\
+  gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch \
   gnu/packages/patches/icu4c-CVE-2014-6585.patch		\
   gnu/packages/patches/icu4c-CVE-2015-1270.patch		\
   gnu/packages/patches/icu4c-CVE-2015-4760.patch		\
@@ -530,6 +550,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/liba52-link-with-libm.patch		\
   gnu/packages/patches/liba52-set-soname.patch			\
   gnu/packages/patches/liba52-use-mtune-not-mcpu.patch		\
+  gnu/packages/patches/libarchive-bsdtar-test.patch		\
   gnu/packages/patches/libarchive-CVE-2013-0211.patch		\
   gnu/packages/patches/libarchive-fix-lzo-test-case.patch	\
   gnu/packages/patches/libarchive-mtree-filename-length-fix.patch \
@@ -545,8 +566,10 @@ dist_patch_DATA =						\
   gnu/packages/patches/libmad-armv7-thumb-pt2.patch		\
   gnu/packages/patches/libmad-frame-length.patch		\
   gnu/packages/patches/libmad-mips-newgcc.patch			\
-  gnu/packages/patches/librsvg-tests.patch			\
   gnu/packages/patches/libtheora-config-guess.patch		\
+  gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
+  gnu/packages/patches/libtiff-oob-accesses-in-decode.patch	\
+  gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
   gnu/packages/patches/libtool-skip-tests2.patch		\
   gnu/packages/patches/libsndfile-CVE-2014-9496.patch		\
   gnu/packages/patches/libsndfile-CVE-2015-7805.patch		\
@@ -619,20 +642,24 @@ dist_patch_DATA =						\
   gnu/packages/patches/patchelf-rework-for-arm.patch		\
   gnu/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   gnu/packages/patches/patch-hurd-path-max.patch		\
+  gnu/packages/patches/perl-CVE-2015-8607.patch			\
   gnu/packages/patches/perl-autosplit-default-time.patch	\
+  gnu/packages/patches/perl-deterministic-ordering.patch	\
   gnu/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
   gnu/packages/patches/perl-gd-options-passthrough-and-fontconfig.patch \
-  gnu/packages/patches/perl-module-pluggable-search.patch	\
   gnu/packages/patches/perl-net-amazon-s3-moose-warning.patch	\
   gnu/packages/patches/perl-net-ssleay-disable-ede-test.patch	\
+  gnu/packages/patches/perl-no-build-time.patch			\
   gnu/packages/patches/perl-no-sys-dirs.patch			\
+  gnu/packages/patches/perl-module-pluggable-search.patch	\
+  gnu/packages/patches/perl-source-date-epoch.patch		\
   gnu/packages/patches/perl-tk-x11-discover.patch		\
   gnu/packages/patches/pidgin-add-search-path.patch		\
   gnu/packages/patches/pingus-sdl-libs-config.patch		\
+  gnu/packages/patches/plink-1.07-unclobber-i.patch		\
   gnu/packages/patches/plotutils-libpng-jmpbuf.patch		\
   gnu/packages/patches/polkit-drop-test.patch			\
   gnu/packages/patches/portaudio-audacity-compat.patch		\
-  gnu/packages/patches/procps-make-3.82.patch			\
   gnu/packages/patches/pt-scotch-build-parallelism.patch	\
   gnu/packages/patches/pulseaudio-fix-mult-test.patch		\
   gnu/packages/patches/pulseaudio-longer-test-timeout.patch	\
diff --git a/gnu/packages/attr.scm b/gnu/packages/attr.scm
index f4f6c46642..53766af06f 100644
--- a/gnu/packages/attr.scm
+++ b/gnu/packages/attr.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,46 +28,41 @@
 (define-public attr
   (package
     (name "attr")
-    (version "2.4.46")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://savannah/attr/attr-"
-                          version ".src.tar.gz"))
-      (sha256
-       (base32
-        "07qf6kb2zk512az481bbnsk9jycn477xpva1a726n5pzlzf9pmnw"))))
+    (version "2.4.47")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://savannah/attr/attr-"
+                                  version ".src.tar.gz"))
+              (sha256
+               (base32
+                "0nd8y0m6awc9ahv0ciiwf8gy54c8d3j51pw9xg7f7cn579jjyxr5"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-       (alist-cons-after
-        'configure 'patch-makefile-SHELL
-        (lambda _
-          (patch-makefile-SHELL "include/buildmacros"))
-        (alist-replace
-         'install
-         (lambda _
-           (zero? (system* "make"
-                           "install"
-                           "install-lib"
-                           "install-dev")))
+       (modify-phases %standard-phases
+         (add-after 'configure 'patch-makefile-SHELL
+           (lambda _
+             (patch-makefile-SHELL "include/buildmacros")))
+         (replace 'install
+           (lambda _
+             (zero? (system* "make"
+                             "install"
+                             "install-lib"
+                             "install-dev"))))
+         (replace 'check
+           (lambda* (#:key target #:allow-other-keys)
+             ;; Use the right shell.
+             (substitute* "test/run"
+               (("/bin/sh")
+                (which "bash")))
 
-         ;; When building natively, adjust the test cases.
-         ,(if (%current-target-system)
-              '%standard-phases
-              '(alist-replace 'check
-                              (lambda _
-                                ;; Use the right shell.
-                                (substitute* "test/run"
-                                  (("/bin/sh")
-                                   (which "bash")))
+             ;; When building natively, run the tests.
+             (unless target
+               (system* "make" "tests" "-C" "test"))
 
-                                (system* "make" "tests" "-C" "test")
-
-                                ;; XXX: Ignore the test result since this is
-                                ;; dependent on the underlying file system.
-                                #t)
-                              %standard-phases))))))
+             ;; XXX: Ignore the test result since this is
+             ;; dependent on the underlying file system.
+             #t)))))
     (inputs
      ;; Perl is needed to run tests; remove it from cross builds.
      (if (%current-target-system)
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 0d9a5b5873..598624ccdc 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
 ;;; Copyright © 2014 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
@@ -195,7 +195,9 @@ output is indexed in many ways to simplify browsing.")
               (base32
                "0dl6vfi2lzz8alnklwxzfz624b95hb1ipjvd3mk177flmddcf24r"))
              (patches
-              (list (search-patch "automake-skip-amhello-tests.patch")))))
+              (map search-patch
+                   '("automake-regexp-syntax.patch"
+                     "automake-skip-amhello-tests.patch")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,(autoconf-wrapper))
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 40cfc4ee14..aa8ccbce69 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -148,7 +148,8 @@ backups (called chunks) to allow easy burning to CD/DVD.")
        (patches
         (list (search-patch "libarchive-mtree-filename-length-fix.patch")
               (search-patch "libarchive-fix-lzo-test-case.patch")
-              (search-patch "libarchive-CVE-2013-0211.patch")))))
+              (search-patch "libarchive-CVE-2013-0211.patch")
+              (search-patch "libarchive-bsdtar-test.patch")))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 61eeba3cee..f8ea80b5e7 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1,10 +1,11 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -73,16 +74,18 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.21")
+   (version "2.22")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j"))
-            (patches (list (search-patch "grep-CVE-2015-1345.patch")))))
+              "1srn321x7whlhs5ks36zlcrrmj4iahll8fxwsh1vbz3v04px54fa"))
+            (patches
+             (list (search-patch "grep-timing-sensitive-test.patch")))))
    (build-system gnu-build-system)
+   (native-inputs `(("perl" ,perl)))             ;some of the tests require it
    (synopsis "Print lines matching a pattern")
    (description
      "grep is a tool for finding text inside files.  Text is found by
@@ -206,17 +209,17 @@ interactive means to merge two files.")
 (define-public findutils
   (package
    (name "findutils")
-   (version "4.4.2")
+   (version "4.6.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/findutils/findutils-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "0amn0bbwqvsvvsh6drfwz20ydc2czk374lzw5kksbh6bf78k4ks3"))
+              "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"))
             (patches (map search-patch
-                          '("findutils-absolute-paths.patch"
-                            "findutils-localstatedir.patch")))))
+                          '("findutils-localstatedir.patch"
+                            "findutils-test-xargs.patch")))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags (list
@@ -595,6 +598,15 @@ store.")
                          (string-append "#define _PATH_BSHELL \""
                                         bash "/bin/bash\"\n")))
 
+                      ;; Nscd uses __DATE__ and __TIME__ to create a string to
+                      ;; make sure the client and server come from the same
+                      ;; libc.  Use something deterministic instead.
+                      (substitute* "nscd/nscd_stat.c"
+                        (("static const char compilation\\[21\\] =.*$")
+                         (string-append
+                          "static const char compilation[21] = \""
+                          (string-take (basename out) 20) "\";\n")))
+
                       ;; Make sure we don't retain a reference to the
                       ;; bootstrap Perl.
                       (substitute* "malloc/mtrace.pl"
@@ -862,7 +874,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2015c")
+    (version "2015g")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -870,7 +882,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0nin48g5dmkfgckp25bngxchn3sw3yyjss5sq7gs5xspbxgsq3w6"))))
+               "0qb1awqrn3215zd2jikpqnmkzrxwfjf0d3dw2xmnk4c40yzws8xr"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -917,7 +929,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "0bplibiy70dvlrhwqzkzxgmg81j6d2kklvjgi2f1g2zz1nkb3vkz"))))))
+                            "1i3y1kzjiz2j62c7vd4wf85983sqk9x9lg3473njvbdz4kph5r0q"))))))
     (home-page "http://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index bdb5a760f7..15909c7e88 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -92,7 +93,11 @@
    (36 "0z6jbyy70lfdm6d3x0sbazbqdxb3xnpn9bmz7madpvrnbd284pxc")
    (37 "04sqr8zkl6s5fccfvb775ppn3ldij5imria9swc39aq0fkfp1w9k")
    (38 "0rv3g14mpgv8br267bf7rmgqlgwnc4v6g3g8y0sjba571i8amgmd")
-   (39 "1v3l3vkc3g2b6fjycqwlakr8xhiw6bmw6q0zd6bi0m0m4bnxr55b")))
+   (39 "1v3l3vkc3g2b6fjycqwlakr8xhiw6bmw6q0zd6bi0m0m4bnxr55b")
+   (40 "0sypv66vsldmc95gwvf7ylz1k7y37vnvdsjg8ajjr6b2j9mkkfw4")
+   (41 "06ic2gdpbi1afik3wqf9d4vh95if4bz8bmhcgr555621dsb35i2f")
+   (42 "06a90k0p6bqc4wk2dsmapna69124an76xvlnlj3xm497vci968dc")))
+
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
 number/base32-hash tuples, directly usable in the 'patch-series' form."
@@ -143,17 +148,18 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
              ;; guile-bash expect.
              (let ((include (string-append (assoc-ref outputs "include")
                                             "/include/bash"))
+                   (includes "^\\./include/[^/]+\\.h$")
                    (headers "^\\./(builtins/|lib/glob/|lib/tilde/|)[^/]+\\.h$"))
                (mkdir-p include)
                (for-each (lambda (file)
-                           (when ((@ (ice-9 regex) string-match) headers file)
-                             (let ((directory (string-append include "/"
-                                                             (dirname file))))
-                               (mkdir-p directory)
-                               (copy-file file
-                                          (string-append directory "/"
-                                                         (basename file))))))
+                           (when (string-match includes file)
+                             (install-file file include))
+                           (when (string-match headers file)
+                             (install-file file
+                                           (string-append include "/"
+                                                          (dirname file)))))
                          (find-files "." "\\.h$"))
+               (delete-file (string-append include "/" "y.tab.h"))
                #t)))
          (version "4.3"))
     (package
@@ -177,8 +183,9 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
      (build-system gnu-build-system)
 
      (outputs '("out"
-                "include"))                       ;headers used by extensions
-     (native-inputs `(("bison" ,bison)))          ;to rebuild the parser
+                "doc"                         ;1.7 MiB of HTML and extra files
+                "include"))                   ;headers used by extensions
+     (native-inputs `(("bison" ,bison)))      ;to rebuild the parser
      (inputs `(("readline" ,readline)
                ("ncurses" ,ncurses)))             ;TODO: add texinfo
      (arguments
@@ -199,10 +206,14 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
         ;; for now.
         #:tests? #f
 
+        #:modules ((ice-9 regex)
+                   (guix build utils)
+                   (guix build gnu-build-system))
+
         #:phases (modify-phases %standard-phases
                    (add-after 'install 'post-install ,post-install-phase)
                    (add-after 'install 'install-headers
-                              ,install-headers-phase))))
+                     ,install-headers-phase))))
      (synopsis "The GNU Bourne-Again SHell")
      (description
       "Bash is the shell, or command-line interpreter, of the GNU system.  It
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index f4bbc64569..992a11bac0 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -39,7 +39,9 @@
    (arguments
     ;; Make it so that we don't rely on /proc.  This is especially useful in
     ;; an initrd run before /proc is mounted.
-    '(#:configure-flags '("CPPFLAGS=-DUSE_LIBC_PRIVATES")))
+    '(#:configure-flags '("CPPFLAGS=-DUSE_LIBC_PRIVATES"
+                          ;; Install gc_cpp.h et al.
+                          "--enable-cplusplus")))
    (outputs '("out" "debug"))
    (synopsis "The Boehm-Demers-Weiser conservative garbage collector
 for C and C++")
@@ -103,11 +105,4 @@ lock-free code, experiment with thread programming paradigms, etc.")
     (inputs `(("libatomic-ops" ,libatomic-ops)))
 
     ;; 'USE_LIBC_PRIVATES' is now the default.
-    (arguments '())))
-
-;;; TODO: Remove this package once libgc is updated from core-updates.
-(define-public libgc-for-c++
-  (package (inherit libgc)
-    (name "libgc-cxx")
-    (arguments
-     '(#:configure-flags '("--enable-cplusplus"))))) ;install gc_cpp.h et al.
+    (arguments '(#:configure-flags '("--enable-cplusplus")))))
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 2efce6fd87..d75b9f62ef 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -77,7 +77,7 @@ archive_write_set_format_shar.c"
                     ;; Help cmake's bootstrap process to find system libraries
                     (begin
                       (setenv "CMAKE_LIBRARY_PATH" (getenv "LIBRARY_PATH"))
-                      (setenv "CMAKE_INCLUDE_PATH" (getenv "CPATH"))
+                      (setenv "CMAKE_INCLUDE_PATH" (getenv "C_INCLUDE_PATH"))
                       ;; Get verbose output from failed tests
                       (setenv "CTEST_OUTPUT_ON_FAILURE" "TRUE")))
                   (alist-replace
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 73b27a290a..1928360e2e 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -92,12 +92,15 @@
                                             ,@%bootstrap-inputs)
                                           #:guile %bootstrap-guile)))
      (package (inherit p)
+       (name "diffutils-boot0")
        (arguments `(#:tests? #f         ; the test suite needs diffutils
                     ,@(package-arguments p)))))))
 
 (define findutils-boot0
   (package-with-bootstrap-guile
-   (package-with-explicit-inputs findutils
+   (package-with-explicit-inputs (package
+                                   (inherit findutils)
+                                   (name "findutils-boot0"))
                                  `(("make" ,gnu-make-boot0)
                                    ("diffutils" ,diffutils-boot0) ; for tests
                                    ,@%bootstrap-inputs)
@@ -106,7 +109,9 @@
 
 (define file-boot0
   (package-with-bootstrap-guile
-   (package-with-explicit-inputs file
+   (package-with-explicit-inputs (package
+                                   (inherit file)
+                                   (name "file-boot0"))
                                  `(("make" ,gnu-make-boot0)
                                    ,@%bootstrap-inputs)
                                  (current-source-location)
@@ -204,7 +209,8 @@
                             "--disable-libssp"
                             "--disable-libquadmath"
                             "--disable-decimal-float")
-                      (remove (cut string-match "--enable-languages.*" <>)
+                      (remove (cut string-match
+                                "--(with-system-zlib|enable-languages.*)" <>)
                               ,flags)))
             ((#:phases phases)
              `(alist-cons-after
@@ -230,7 +236,7 @@
                                         (package-full-name lib)
                                         char-set:letter)
                                       ,(package-name lib)))
-                          (list gmp mpfr mpc))))
+                          (list gmp-6.0 mpfr mpc))))
                (alist-cons-after
                 'install 'symlink-libgcc_eh
                 (lambda* (#:key outputs #:allow-other-keys)
@@ -244,7 +250,7 @@
                       (symlink "libgcc.a" "libgcc_eh.a"))))
                 ,phases))))))
 
-     (inputs `(("gmp-source" ,(package-source gmp))
+     (inputs `(("gmp-source" ,(package-source gmp-6.0))
                ("mpfr-source" ,(package-source mpfr))
                ("mpc-source" ,(package-source mpc))
                ("binutils-cross" ,binutils-boot0)
@@ -259,11 +265,25 @@
                                   (package-native-inputs gcc))))))
 
 (define perl-boot0
-  (package-with-bootstrap-guile
-   (package-with-explicit-inputs perl
-                                 %boot0-inputs
-                                 (current-source-location)
-                                 #:guile %bootstrap-guile)))
+  (let ((perl (package
+                (inherit perl)
+                (name "perl-boot0")
+                (arguments
+                 (substitute-keyword-arguments (package-arguments perl)
+                   ((#:phases phases)
+                    `(modify-phases ,phases
+                       ;; Pthread support is missing in the bootstrap compiler
+                       ;; (broken spec file), so disable it.
+                       (add-before 'configure 'disable-pthreads
+                         (lambda _
+                           (substitute* "Configure"
+                             (("^libswanted=(.*)pthread" _ before)
+                              (string-append "libswanted=" before))))))))))))
+   (package-with-bootstrap-guile
+    (package-with-explicit-inputs perl
+                                  %boot0-inputs
+                                  (current-source-location)
+                                  #:guile %bootstrap-guile))))
 
 (define (linux-libre-headers-boot0)
   "Return Linux-Libre header files for the bootstrap environment."
@@ -285,7 +305,7 @@
   ;; Also, use %BOOT0-INPUTS to avoid building Perl once more.
   (let ((texinfo (package (inherit texinfo)
                    (native-inputs '())
-                   (inputs (alist-delete "ncurses" (package-inputs texinfo))))))
+                   (inputs `(("perl" ,perl-boot0))))))
     (package-with-bootstrap-guile
      (package-with-explicit-inputs texinfo %boot0-inputs
                                    (current-source-location)
@@ -409,14 +429,22 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                                                (current-source-location)
                                                #:guile %bootstrap-guile)))
          (bison (package (inherit bison)
-                  (native-inputs `(("perl" ,perl-boot0)))
                   (propagated-inputs `(("m4" ,m4)))
                   (inputs '())                    ;remove Flex...
-                  (arguments '(#:tests? #f)))))   ;... and thus disable tests
-   (package-with-bootstrap-guile
-    (package-with-explicit-inputs bison %boot0-inputs
-                                  (current-source-location)
-                                  #:guile %bootstrap-guile))))
+                  (arguments
+                   '(#:tests? #f                  ;... and thus disable tests
+
+                     ;; Zero timestamps in liby.a; this must be done
+                     ;; explicitly here because the bootstrap Binutils don't
+                     ;; do that (default is "cru".)
+                     #:make-flags '("ARFLAGS=crD" "RANLIB=ranlib -D"
+                                    "V=1"))))))
+    (package
+      (inherit (package-with-bootstrap-guile
+                (package-with-explicit-inputs bison %boot0-inputs
+                                              (current-source-location)
+                                              #:guile %bootstrap-guile)))
+      (native-inputs `(("perl" ,perl-boot0))))))
 
 (define static-bash-for-glibc
   ;; A statically-linked Bash to be used by GLIBC-FINAL in system(3) & co.
@@ -424,18 +452,19 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                                   glibc-final-with-bootstrap-bash
                                   (car (assoc-ref %boot1-inputs "bash"))))
          (bash (package (inherit static-bash)
-                 (native-inputs `(("bison" ,bison-boot1)))
                  (arguments
                   `(#:guile ,%bootstrap-guile
-                    ,@(package-arguments static-bash))))))
-    (package-with-bootstrap-guile
-     (package-with-explicit-inputs bash
-                                   `(("gcc" ,gcc)
-                                     ("libc" ,glibc-final-with-bootstrap-bash)
-                                     ,@(fold alist-delete %boot1-inputs
-                                             '("gcc" "libc")))
-                                   (current-source-location)
-                                   #:guile %bootstrap-guile))))
+                    ,@(package-arguments static-bash)))))
+         (inputs `(("gcc" ,gcc)
+                   ("libc" ,glibc-final-with-bootstrap-bash)
+                   ,@(fold alist-delete %boot1-inputs
+                           '("gcc" "libc")))))
+    (package
+      (inherit (package-with-bootstrap-guile
+                (package-with-explicit-inputs bash inputs
+                                              (current-source-location)
+                                              #:guile %bootstrap-guile)))
+      (native-inputs `(("bison" ,bison-boot1))))))
 
 (define gettext-boot0
   ;; A minimal gettext used during bootstrap.
@@ -527,7 +556,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
      (arguments
       `(#:guile ,%bootstrap-guile
         #:implicit-inputs? #f
-
+        #:allowed-references ("out")
         #:out-of-source? #t
         #:phases (alist-cons-before
                   'configure 'chdir
@@ -549,6 +578,25 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
      (propagated-inputs '())
      (synopsis "GNU C++ standard library (intermediate)"))))
 
+(define zlib-final
+  ;; Zlib used by GCC-FINAL.
+  (package-with-bootstrap-guile
+   (package
+     (inherit zlib)
+     (arguments
+      `(#:guile ,%bootstrap-guile
+        #:implicit-inputs? #f
+        #:allowed-references ("out" ,glibc-final)
+        ,@(package-arguments zlib)))
+     (inputs %boot2-inputs))))
+
+(define ld-wrapper-boot3
+  ;; A linker wrapper that uses the bootstrap Guile.
+  (make-ld-wrapper "ld-wrapper-boot3"
+                   #:binutils binutils-final
+                   #:guile %bootstrap-guile
+                   #:bash (car (assoc-ref %boot2-inputs "bash"))))
+
 (define gcc-final
   ;; The final GCC.
   (package (inherit gcc-boot0)
@@ -563,7 +611,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
      `(#:guile ,%bootstrap-guile
        #:implicit-inputs? #f
 
-       #:allowed-references ("out" "lib"
+       #:allowed-references ("out" "lib" ,zlib-final
                              ,glibc-final ,static-bash-for-glibc)
 
        ;; Things like libasan.so and libstdc++.so NEED ld.so for some
@@ -583,18 +631,16 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                 ((_ rest ...)
                  (loop rest)))))
            ((#:make-flags flags)
-            ;; Since $LIBRARY_PATH and $CPATH are not honored, add the
-            ;; relevant flags.
-            `(cons (string-append "CPPFLAGS=-I"
-                                  (assoc-ref %build-inputs "libstdc++")
-                                  "/include")
-                   (map (lambda (flag)
-                          (if (string-prefix? "LDFLAGS=" flag)
-                              (string-append flag " -L"
-                                             (assoc-ref %build-inputs "libstdc++")
-                                             "/lib")
-                              flag))
-                        ,flags)))
+            ;; Since $LIBRARY_PATH is not honored, add the relevant flags.
+            `(let ((zlib (assoc-ref %build-inputs "zlib")))
+               (map (lambda (flag)
+                      (if (string-prefix? "LDFLAGS=" flag)
+                          (string-append flag " -L"
+                                         (assoc-ref %build-inputs "libstdc++")
+                                         "/lib -L" zlib "/lib -Wl,-rpath="
+                                         zlib "/lib")
+                          flag))
+                    ,flags)))
            ((#:phases phases)
             `(alist-delete 'symlink-libgcc_eh ,phases)))))
 
@@ -606,20 +652,15 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                      ("static-bash" ,static-bash-for-glibc)
                      ,@(package-native-inputs gcc-boot0)))
 
-    (inputs `(("gmp-source" ,(bootstrap-origin (package-source gmp)))
+    (inputs `(("gmp-source" ,(bootstrap-origin (package-source gmp-6.0)))
               ("mpfr-source" ,(package-source mpfr))
               ("mpc-source" ,(package-source mpc))
+              ("ld-wrapper" ,ld-wrapper-boot3)
               ("binutils" ,binutils-final)
               ("libstdc++" ,libstdc++)
+              ("zlib" ,zlib-final)
               ,@%boot2-inputs))))
 
-(define ld-wrapper-boot3
-  ;; A linker wrapper that uses the bootstrap Guile.
-  (make-ld-wrapper "ld-wrapper-boot3"
-                   #:binutils binutils-final
-                   #:guile %bootstrap-guile
-                   #:bash (car (assoc-ref %boot2-inputs "bash"))))
-
 (define %boot3-inputs
   ;; 4th stage inputs.
   `(("gcc" ,gcc-final)
@@ -629,11 +670,13 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define bash-final
   ;; Link with `-static-libgcc' to make sure we don't retain a reference
   ;; to the bootstrap GCC.
-  (package-with-bootstrap-guile
-   (package-with-explicit-inputs (static-libgcc-package bash)
-                                 %boot3-inputs
-                                 (current-source-location)
-                                 #:guile %bootstrap-guile)))
+  (package
+    (inherit (package-with-bootstrap-guile
+              (package-with-explicit-inputs (static-libgcc-package bash)
+                                            %boot3-inputs
+                                            (current-source-location)
+                                            #:guile %bootstrap-guile)))
+    (native-inputs `(("bison" ,bison-boot1)))))
 
 (define %boot4-inputs
   ;; Now use the final Bash.
@@ -703,7 +746,9 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
   ;; The final grep.  Gzip holds a reference to it (via zgrep), so it must be
   ;; built before gzip.
   (package-with-bootstrap-guile
-   (package-with-explicit-inputs grep
+   (package-with-explicit-inputs (package
+                                   (inherit grep)
+                                   (native-inputs `(("perl" ,perl-boot0))))
                                  %boot5-inputs
                                  (current-source-location)
                                  #:guile guile-final)))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 0f27fa9410..4a31bf79e2 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2015 Jeff Mickey <j@codemac.net>
-;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -43,7 +43,7 @@
 (define-public zlib
   (package
     (name "zlib")
-    (version "1.2.7")
+    (version "1.2.8")
     (source
      (origin
       (method url-fetch)
@@ -53,7 +53,7 @@
                                  version ".tar.gz")))
       (sha256
        (base32
-        "1i96gsdvxqb6skp9a58bacf1wxamwi9m9pg4yn7cpf7g7239r77s"))))
+        "039agw5rqvqny92cpkrfn243x2gd4xn13hs3xi6isk55d2vqqr9n"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases (alist-replace
@@ -263,7 +263,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
 (define-public xz
   (package
    (name "xz")
-   (version "5.0.4")
+   (version "5.2.2")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "http://tukaani.org/xz/xz-" version
@@ -272,7 +272,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
                                       version ".tar.gz")))
             (sha256
              (base32
-              "1dl35ca8fdss9z2d6y234gxh24ixq904xksizrjmjr5dimwhax6n"))))
+              "18h2k4jndhzjs8ln3a54qdnfv59y6spxiwh9gpaqniph6iflvpvk"))))
    (build-system gnu-build-system)
    (synopsis "General-purpose data compression")
    (description
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index f947e7aec8..8bd599c25a 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -182,12 +182,14 @@ may be either a libc package or #f.)"
                             (string-append libc "/lib"))
 
                     (let ((cpath   (search-path-as-string->list
-                                    (getenv "CPATH")))
+                                    (getenv "C_INCLUDE_PATH")))
                           (libpath (search-path-as-string->list
                                     (getenv "LIBRARY_PATH"))))
                       (setenv "CPATH"
                               (list->search-path-as-string
                                (remove cross? cpath) ":"))
+                      (for-each unsetenv
+                                '("C_INCLUDE_PATH" "CPLUS_INCLUDE_PATH"))
                       (setenv "LIBRARY_PATH"
                               (list->search-path-as-string
                                (remove cross? libpath) ":"))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 9945273830..b36f5d8c16 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -6,6 +6,8 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,6 +26,7 @@
 
 (define-module (gnu packages databases)
   #:use-module (gnu packages)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages language)
   #:use-module (gnu packages linux)
@@ -308,16 +311,18 @@ pictures, sounds, or video.")
 
     ;; Running tests in parallel leads to test failures and crashes in
     ;; torture/utils.
-    (arguments '(#:parallel-tests? #f))
+    (arguments '(#:parallel-tests? #f
+                 #:configure-flags
+                 (list (string-append "--with-bash-headers="
+                                      (assoc-ref %build-inputs "bash:include")
+                                      "/include/bash"))))
 
     (native-inputs `(("emacs" ,emacs-no-x)
                      ("bc" ,bc)
+                     ("bash:include" ,bash "include")
                      ("libuuid", util-linux)))
 
     ;; TODO: Add more optional inputs.
-    ;; FIXME: Our Bash doesn't have development headers (need for the 'readrec'
-    ;; built-in command), but it's not clear how to get them installed.
-    ;; See <https://lists.gnu.org/archive/html/bug-bash/2014-03/msg00125.html>.
     (inputs `(("curl" ,curl)
               ("libgcrypt" ,libgcrypt)
               ("check" ,check)))
@@ -334,7 +339,7 @@ types are supported, as is encryption.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.8.11.1")
+   (version "3.10.0")
    (source (origin
             (method url-fetch)
             ;; TODO: Download from sqlite.org once this bug :
@@ -365,7 +370,7 @@ types are supported, as is encryption.")
                    ))
             (sha256
              (base32
-              "1dnkl4qr1dgaprbyf3jddfiynkhxnin86qabni47wjlc0fnb16gv"))))
+              "0hhhv6si0pyf5i8bv7a71953m0b4gk6s3j2h09caf7vif0njkk23"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
diff --git a/gnu/packages/doxygen.scm b/gnu/packages/doxygen.scm
index 8b1a057724..8245a65c86 100644
--- a/gnu/packages/doxygen.scm
+++ b/gnu/packages/doxygen.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2014, 2016 Andreas Enge <andreas@enge.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -20,7 +20,7 @@
   #:use-module ((guix licenses) #:select (gpl3+))
   #:use-module (guix packages)
   #:use-module (guix download)
-  #:use-module (guix build-system gnu)
+  #:use-module (guix build-system cmake)
   #:use-module (gnu packages)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages flex)
@@ -32,38 +32,23 @@
 (define-public doxygen
   (package
     (name "doxygen")
-    (version "1.8.7")
+    (version "1.8.11")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://ftp.stack.nl/pub/users/dimitri/"
                                  name "-" version ".src.tar.gz"))
              (sha256
               (base32
-               "1ng3dv5fninhfi2fj75ghkr5jwsl653fxv2sxhaswj11x2vcdsn6"))
-             (patches (list (search-patch "doxygen-tmake.patch")
-                            (search-patch "doxygen-test.patch")))))
-    (build-system gnu-build-system)
+               "0ja02pm3fpfhc5dkry00kq8mn141cqvdqqpmms373ncbwi38pl35"))
+             (patches (list (search-patch "doxygen-test.patch")))))
+    (build-system cmake-build-system)
     (native-inputs
      `(("bison" ,bison)
        ("flex" ,flex)
        ("libxml2" ,libxml2) ; provides xmllint for the tests
-       ("perl" ,perl) ; for the tests
        ("python" ,python-2))) ; for creating the documentation
-    (propagated-inputs
-     `(("graphviz" ,graphviz)))
     (arguments
-     `(#:test-target "test"
-       #:phases
-         (alist-replace
-          'configure
-          (lambda* (#:key outputs #:allow-other-keys)
-            (let ((out (assoc-ref outputs "out")))
-              ;; do not pass "--enable-fast-install", which makes the
-              ;; configure process fail
-              (zero? (system*
-                      "./configure"
-                      "--prefix" out))))
-          %standard-phases)))
+     `(#:test-target "tests"))
     (home-page "http://www.stack.nl/~dimitri/doxygen/")
     (synopsis "Generate documentation from annotated sources")
     (description "Doxygen is the de facto standard tool for generating
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index ce599bca66..2b1152a54d 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -70,7 +70,8 @@
              (sha256
               (base32
                "0kn3rzm91qiswi0cql89kbv6mqn27rwsyjfb8xmwy9m5s8fxfiyx"))
-             (patches (list (search-patch "emacs-exec-path.patch")))))
+             (patches (list (search-patch "emacs-exec-path.patch")
+                            (search-patch "emacs-source-date-epoch.patch")))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:phases (modify-phases %standard-phases
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 161df544de..90e9a70626 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -27,14 +27,14 @@
 (define-public file
   (package
    (name "file")
-    (version "5.22")
+    (version "5.25")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "02zw14hw3gqlw91w2f2snbirvyrp7r83irvnnkjcb25q9kjaiqy4"))))
+                "1jhfi5mivdnqvry5la5q919l503ahwdwbf3hjhiv97znccakhd9p"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 7988e930e7..f8d5ccd032 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,15 +32,14 @@
 (define flex
   (package
     (name "flex")
-    (version "2.5.37")
+    (version "2.6.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/flex/flex-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0ah5mi4j62b85a9rllv1004mzjb5cd0mn4glvz13p88rpx77pahp"))
-             (patches (list (search-patch "flex-bison-tests.patch")))))
+               "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"))))
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
diff --git a/gnu/packages/gawk.scm b/gnu/packages/gawk.scm
index 6bfea34667..8f2805cd4b 100644
--- a/gnu/packages/gawk.scm
+++ b/gnu/packages/gawk.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -19,6 +19,7 @@
 
 (define-module (gnu packages gawk)
   #:use-module (guix licenses)
+  #:use-module (gnu packages)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages libsigsegv)
   #:use-module (guix packages)
@@ -34,7 +35,8 @@
             (uri (string-append "mirror://gnu/gawk/gawk-" version
                                 ".tar.xz"))
             (sha256
-             (base32 "09d6pmx6h3i2glafm0jd1v1iyrs03vcyv2rkz12jisii3vlmbkz3"))))
+             (base32 "09d6pmx6h3i2glafm0jd1v1iyrs03vcyv2rkz12jisii3vlmbkz3"))
+            (patches (list (search-patch "gawk-fts-test.patch")))))
    (build-system gnu-build-system)
    (arguments
     `(#:parallel-tests? #f                ; test suite fails in parallel
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 2848e4343a..832e57bc77 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -99,6 +99,7 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                    '("--enable-plugin"
                      "--enable-languages=c,c++"
                      "--disable-multilib"
+                     "--with-system-zlib"
 
                      ;; No pre-compiled libstdc++ headers, to save space.
                      "--disable-libstdcxx-pch"
@@ -293,8 +294,16 @@ where the OS part is overloaded to denote a specific ABI---into GCC
            %standard-phases))))
 
       (native-search-paths
+       ;; Use the language-specific variables rather than 'CPATH' because they
+       ;; are equivalent to '-isystem' whereas 'CPATH' is equivalent to '-I'.
+       ;; The intent is to allow headers that are in the search path to be
+       ;; treated as "system headers" (headers exempt from warnings) just like
+       ;; the typical /usr/include headers on an FHS system.
        (list (search-path-specification
-              (variable "CPATH")
+              (variable "C_INCLUDE_PATH")
+              (files '("include")))
+             (search-path-specification
+              (variable "CPLUS_INCLUDE_PATH")
               (files '("include")))
              (search-path-specification
               (variable "LIBRARY_PATH")
@@ -408,13 +417,18 @@ using compilers other than GCC."
 (define-public libiberty
   (make-libiberty gcc))
 
-(define* (custom-gcc gcc name languages #:key (separate-lib-output? #t))
-  "Return a custom version of GCC that supports LANGUAGES."
+(define* (custom-gcc gcc name languages
+                     #:optional
+                     (search-paths (package-native-search-paths gcc))
+                     #:key (separate-lib-output? #t))
+  "Return a custom version of GCC that supports LANGUAGES.  Use SEARCH-PATHS
+as the 'native-search-paths' field."
   (package (inherit gcc)
     (name name)
     (outputs (if separate-lib-output?
                  (package-outputs gcc)
                  (delete "lib" (package-outputs gcc))))
+    (native-search-paths search-paths)
     (arguments
      (substitute-keyword-arguments `(#:modules ((guix build gnu-build-system)
                                                 (guix build utils)
@@ -428,20 +442,37 @@ using compilers other than GCC."
                (remove (cut string-match "--enable-languages.*" <>)
                        ,flags)))))))
 
+(define %generic-search-paths
+  ;; This is the language-neutral search path for GCC.  Entries in $CPATH are
+  ;; not considered "system headers", which means GCC can raise warnings for
+  ;; issues in those headers.  'CPATH' is the only one that works for
+  ;; front-ends not in the C family.
+  (list (search-path-specification
+         (variable "CPATH")
+         (files '("include")))
+        (search-path-specification
+         (variable "LIBRARY_PATH")
+         (files '("lib" "lib64")))))
+
 (define-public gfortran-4.8
-  (custom-gcc gcc-4.8 "gfortran" '("fortran")))
+  (custom-gcc gcc-4.8 "gfortran" '("fortran")
+              %generic-search-paths))
 
 (define-public gfortran-4.9
-  (custom-gcc gcc-4.9 "gfortran" '("fortran")))
+  (custom-gcc gcc-4.9 "gfortran" '("fortran")
+              %generic-search-paths))
 
 (define-public gfortran
-  (custom-gcc gcc "gfortran" '("fortran")))
+  (custom-gcc gcc "gfortran" '("fortran")
+              %generic-search-paths))
 
 (define-public gfortran-5
-  (custom-gcc gcc-5 "gfortran" '("fortran")))
+  (custom-gcc gcc-5 "gfortran" '("fortran")
+              %generic-search-paths))
 
 (define-public gccgo-4.8
   (custom-gcc gcc-4.8 "gccgo" '("go")
+              %generic-search-paths
               ;; Suppress the separate "lib" output, because otherwise the
               ;; "lib" and "out" outputs would refer to each other, creating
               ;; a cyclic dependency.  <http://debbugs.gnu.org/18101>
@@ -468,6 +499,8 @@ using compilers other than GCC."
     (native-inputs
      `(("dejagnu" ,dejagnu)
        ,@(package-native-inputs gcc)))
+    (native-search-paths %generic-search-paths)
+
     ;; Suppress the separate "lib" output, because otherwise the
     ;; "lib" and "out" outputs would refer to each other, creating
     ;; a cyclic dependency.  <http://debbugs.gnu.org/18101>
@@ -551,10 +584,22 @@ using compilers other than GCC."
       "1k9lgm3qamf6zy534pa2zwskr8mpiqrngbv1vw9j4y1ghrdyf1lm"))))
 
 (define-public gcc-objc-4.8
-  (custom-gcc gcc-4.8 "gcc-objc" '("objc")))
+  (custom-gcc gcc-4.8 "gcc-objc" '("objc")
+              (list (search-path-specification
+                     (variable "OBJC_INCLUDE_PATH")
+                     (files '("include")))
+                    (search-path-specification
+                     (variable "LIBRARY_PATH")
+                     (files '("lib" "lib64"))))))
 
 (define-public gcc-objc++-4.8
-  (custom-gcc gcc-4.8 "gcc-objc++" '("obj-c++")))
+  (custom-gcc gcc-4.8 "gcc-objc++" '("obj-c++")
+              (list (search-path-specification
+                     (variable "OBJCPLUS_INCLUDE_PATH")
+                     (files '("include")))
+                    (search-path-specification
+                     (variable "LIBRARY_PATH")
+                     (files '("lib" "lib64"))))))
 
 (define (make-libstdc++-doc gcc)
   "Return a package with the libstdc++ documentation for GCC."
diff --git a/gnu/packages/gettext.scm b/gnu/packages/gettext.scm
index 14dedc51b5..7cd1ab73e7 100644
--- a/gnu/packages/gettext.scm
+++ b/gnu/packages/gettext.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,50 +41,51 @@
 (define-public gnu-gettext
   (package
     (name "gettext")
-    (version "0.19.6")
+    (version "0.19.7")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/gettext/gettext-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0pb9vp4ifymvdmc31ks3xxcnfqgzj8shll39czmk8c1splclqjzd"))))
+               "0gy2b2aydj8r0sapadnjw8cmb8j2rynj28d5qs1mfa800njd51jk"))))
     (build-system gnu-build-system)
+    (outputs '("out"
+               "doc"))                            ;8 MiB of HTML
     (inputs
      `(("expat" ,expat)))
     (arguments
-     `(#:phases (alist-cons-before
-                 'check 'patch-tests
-                 (lambda* (#:key inputs #:allow-other-keys)
-                   (let* ((bash (which "sh")))
-                     ;; Some of the files we're patching are
-                     ;; ISO-8859-1-encoded, so choose it as the default
-                     ;; encoding so the byte encoding is preserved.
-                     (with-fluids ((%default-port-encoding #f))
-                       (substitute*
-                           (find-files "gettext-tools/tests"
-                                       "^(lang-sh|msg(exec|filter)-[0-9])")
-                         (("#![[:blank:]]/bin/sh")
-                          (format #f "#!~a" bash)))
+     `(#:phases
+       (modify-phases %standard-phases
+        (add-before 'check 'patch-tests
+         (lambda* (#:key inputs #:allow-other-keys)
+           (let* ((bash (which "sh")))
+             ;; Some of the files we're patching are
+             ;; ISO-8859-1-encoded, so choose it as the default
+             ;; encoding so the byte encoding is preserved.
+             (with-fluids ((%default-port-encoding #f))
+               (substitute*
+                   (find-files "gettext-tools/tests"
+                               "^(lang-sh|msg(exec|filter)-[0-9])")
+                 (("#![[:blank:]]/bin/sh")
+                  (format #f "#!~a" bash)))
 
-                       (substitute* (cons "gettext-tools/src/msginit.c"
-                                          (find-files "gettext-tools/gnulib-tests"
-                                                      "posix_spawn"))
-                         (("/bin/sh")
-                          bash))
+               (substitute* (cons "gettext-tools/src/msginit.c"
+                                  (find-files "gettext-tools/gnulib-tests"
+                                              "posix_spawn"))
+                 (("/bin/sh")
+                  bash))
 
-                       (substitute* "gettext-tools/src/project-id"
-                         (("/bin/pwd")
-                          "pwd")))))
-                 (alist-cons-before
-                  'configure 'link-expat
-                  (lambda _
-                    ;; Gettext defaults to opening expat via dlopen on
-                    ;; "Linux".  Change to link directly.
-                    (substitute* "gettext-tools/configure"
-                      (("LIBEXPAT=\"-ldl\"") "LIBEXPAT=\"-ldl -lexpat\"")
-                      (("LTLIBEXPAT=\"-ldl\"") "LTLIBEXPAT=\"-ldl -lexpat\"")))
-                  %standard-phases))
+               (substitute* "gettext-tools/src/project-id"
+                 (("/bin/pwd")
+                  "pwd"))))))
+        (add-before 'configure 'link-expat
+         (lambda _
+           ;; Gettext defaults to opening expat via dlopen on
+           ;; "Linux".  Change to link directly.
+           (substitute* "gettext-tools/configure"
+             (("LIBEXPAT=\"-ldl\"") "LIBEXPAT=\"-ldl -lexpat\"")
+             (("LTLIBEXPAT=\"-ldl\"") "LTLIBEXPAT=\"-ldl -lexpat\"")))))
 
        ;; When tests fail, we want to know the details.
        #:make-flags '("VERBOSE=yes")))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 146d3f563b..c5eea22845 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -251,10 +251,10 @@ dynamic loading, and an object system.")
        ("cairo" ,cairo)
        ("flex" ,flex)
        ("glib" ,glib)
-       ("pkg-config" ,pkg-config)
        ("python-2" ,python-2)))
     (native-inputs
-     `(("glib" ,glib "bin")))
+     `(("glib" ,glib "bin")
+       ("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(;; In practice, GIR users will need libffi when using
        ;; gobject-introspection.
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 9ce750ddef..05efe0ba97 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -9,7 +9,7 @@
 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
 ;;;
@@ -858,7 +858,7 @@ dealing with different structured file formats.")
 (define-public librsvg
   (package
     (name "librsvg")
-    (version "2.40.11")
+    (version "2.40.13")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -866,9 +866,7 @@ dealing with different structured file formats.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "00ifd9wjjjsw0ybk5j6qs4yyh66jj34hjmggy6dhrgfy8ksw06k1"))
-              (patches
-               (list (search-patch "librsvg-tests.patch")))))
+                "014q7gz6mgfa7pfn0lr13qqv568ad8j1sw9d4vksnpazq0zajvjd"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index c17e64d474..c1a6d75569 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -46,7 +46,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.19")
+    (version "1.21")
     (source
      (origin
       (method url-fetch)
@@ -54,7 +54,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "12wpqhjlsw4iaanifbqm2kich6c7x7lm8a7zhy6x5ifm6c9hw4jk"))))
+        "0kdq2cbnk84fr4jqcv689rlxpbyl6bda2cn6y3ll19v3mlydpnxp"))))
     (build-system gnu-build-system)
     (home-page "http://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -68,14 +68,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.3")
+    (version "1.6.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0pq2nwfqgggrsh8rk84659d80vfnlkbphwqjwahccd5fjdxr3d21"))))
+               "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 6fac8ced40..62010dbf6b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -64,7 +64,12 @@
                    name version ".tar.gz"))
              (sha256
               (base32
-               "1fig2wf4f10v43mqx67y68z6h77sy900d1w0pz9qarrqx57rc7ij"))))
+               "1fig2wf4f10v43mqx67y68z6h77sy900d1w0pz9qarrqx57rc7ij"))
+             (modules '((guix build utils)))
+             (snippet
+              ;; Fix incompatibility with Perl 5.22+.
+              '(substitute* '("js/src/config/milestone.pl")
+                 (("defined\\(@TEMPLATE_FILE)") "@TEMPLATE_FILE")))))
     (build-system gnu-build-system)
     (native-inputs
       `(("perl", perl)
@@ -103,7 +108,12 @@ in C/C++.")
                     name "-" version ".tar.bz2"))
               (sha256
                (base32
-                "1n1phk8r3l8icqrrap4czplnylawa0ddc2cc4cgdz46x3lrkybz6"))))
+                "1n1phk8r3l8icqrrap4czplnylawa0ddc2cc4cgdz46x3lrkybz6"))
+              (modules '((guix build utils)))
+              (snippet
+               ;; Fix incompatibility with Perl 5.22+.
+               '(substitute* '("js/src/config/milestone.pl")
+                  (("defined\\(@TEMPLATE_FILE)") "@TEMPLATE_FILE")))))
     (arguments
      '(#:phases
        (modify-phases %standard-phases
@@ -277,7 +287,27 @@ standards.")
       (sha256
        (base32
         "0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg"))
-      (patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
+      (patches (map search-patch
+                    '("icecat-avoid-bundled-includes.patch"
+                      "icecat-CVE-2016-1930-pt01.patch"
+                      "icecat-CVE-2016-1930-pt02.patch"
+                      "icecat-CVE-2016-1930-pt03.patch"
+                      "icecat-CVE-2016-1930-pt04.patch"
+                      "icecat-CVE-2016-1930-pt05.patch"
+                      "icecat-CVE-2016-1930-pt06.patch"
+                      "icecat-CVE-2016-1930-pt07.patch"
+                      "icecat-CVE-2016-1930-pt08.patch"
+                      "icecat-CVE-2016-1930-pt09.patch"
+                      "icecat-CVE-2016-1930-pt10.patch"
+                      "icecat-CVE-2016-1930-pt11.patch"
+                      "icecat-CVE-2016-1930-pt12.patch"
+                      "icecat-CVE-2016-1930-pt13.patch"
+                      "icecat-bug-1146335-pt1.patch"
+                      "icecat-bug-1146335-pt2.patch"
+                      "icecat-CVE-2016-1935.patch"
+                      "icecat-CVE-2016-1930-pt14.patch"
+                      "icecat-CVE-2016-1930-pt15.patch"
+                      "icecat-limit-max-buffers-size-for-ANGLE.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 4be237cd65..861a18fce8 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -174,7 +174,8 @@ without requiring the source code to be rewritten.")
            (files '("share/guile/site/2.0")))
           (search-path-specification
            (variable "GUILE_LOAD_COMPILED_PATH")
-           (files '("share/guile/site/2.0")))))
+           (files '("lib/guile/2.0/ccache"
+                    "share/guile/site/2.0")))))
 
    (synopsis "Scheme implementation intended especially for extensions")
    (description
diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm
index 843a428dc6..c3e0a6100b 100644
--- a/gnu/packages/haskell.scm
+++ b/gnu/packages/haskell.scm
@@ -243,6 +243,12 @@
                    (string-append ghc-bootstrap-path "/ghc-7.8.4")
                  (zero? (system* "make" "install"))))
              %standard-phases)))))))
+    (native-search-paths (list (search-path-specification
+                                (variable "GHC_PACKAGE_PATH")
+                                (files (list
+                                        (string-append "lib/ghc-" version)))
+                                (file-pattern ".*\\.conf\\.d$")
+                                (file-type 'directory))))
     (home-page "https://www.haskell.org/ghc")
     (synopsis "The Glasgow Haskell Compiler")
     (description
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index d3ed92fde8..bf120f0184 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2014 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
@@ -131,13 +131,17 @@ maximum quality factor.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.5")
+   (version "4.0.6")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
                    version ".tar.gz"))
             (sha256 (base32
-                     "171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
+                     "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
+            (patches (map search-patch
+                          '("libtiff-oob-accesses-in-decode.patch"
+                            "libtiff-oob-write-in-nextdecode.patch"
+                            "libtiff-CVE-2015-8665+CVE-2015-8683.patch")))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
diff --git a/gnu/packages/language.scm b/gnu/packages/language.scm
index b0fa7aa179..6c837948c0 100644
--- a/gnu/packages/language.scm
+++ b/gnu/packages/language.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -60,6 +60,7 @@ manipulating such numbers.")
         (base32
          "0drzg9a2dkjxgf00n6jg0jzhd8972bh3j4wdnmdxpqi3zmfqhwcy"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Lingua-EN-Inflect")
     (synopsis "Convert singular to plural")
     (description "Lingua::EN::Inflect provides plural inflections,
@@ -224,6 +225,8 @@ Moreira, V. and Huyck, C.")
         (base32
          "12avh2mnnc7llmmshrr5bgb473fvydxnlqrqbl2815mf2dp4pxcg"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-lingua-pt-stemmer" ,perl-lingua-pt-stemmer)
        ("perl-lingua-stem-fr" ,perl-lingua-stem-fr)
@@ -329,6 +332,7 @@ Lingua::Stem::Snowball::Se.")
         (base32
          "0675v45bbsh7vr7kpf36xs2q79g02iq1kmfw22h20xdk4rzqvkqx"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Snowball-Norwegian")
     (synopsis "Porters stemming algorithm for Norwegian")
     (description "Lingua::Stem::Snowball::No is a perl port of the norwegian
@@ -348,6 +352,7 @@ stemmer at http://snowball.tartarus.org.")
         (base32
          "0agwc12jk5kmabnpsplw3wf4ii5w1zb159cpin44x3srb0sr5apg"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Snowball-Swedish")
     (synopsis "Porters stemming algorithm for Swedish")
     (description "Lingua::Stem::Snowball::Se is a perl port of the swedish
diff --git a/gnu/packages/ld-wrapper.in b/gnu/packages/ld-wrapper.in
index c3d6fa1005..c92ed1dcc7 100644
--- a/gnu/packages/ld-wrapper.in
+++ b/gnu/packages/ld-wrapper.in
@@ -137,52 +137,61 @@ exec @GUILE@ -c "(load-compiled \"@SELF@.go\") (apply $main (cdr (command-line))
              (string-every (char-set-union (char-set #\.) char-set:digit)
                            (string-drop file (+ index 3)))))))
 
-(define (library-files-linked args)
-  ;; Return the file names of shared libraries explicitly linked against via
-  ;; `-l' or with an absolute file name in ARGS.
-  (define path+files+args
+(define (library-search-path args)
+  ;; Return the library search path as a list of directory names.  The GNU ld
+  ;; manual notes that "[a]ll `-L' options apply to all `-l' options,
+  ;; regardless of the order in which the options appear", so we must compute
+  ;; the search path independently of the -l options.
+  (let loop ((args args)
+             (path '()))
+    (match args
+      (()
+       (reverse path))
+      (("-L" directory . rest)
+       (loop rest (cons directory path)))
+      ((argument . rest)
+       (if (string-prefix? "-L" argument)         ;augment the search path
+           (loop rest
+                 (cons (string-drop argument 2) path))
+           (loop rest path))))))
+
+(define (library-files-linked args library-path)
+  ;; Return the absolute file names of shared libraries explicitly linked
+  ;; against via `-l' or with an absolute file name in ARGS, looking them up
+  ;; in LIBRARY-PATH.
+  (define files+args
     (fold (lambda (argument result)
             (match result
-              ((library-path library-files
-                             ((and flag
-                                   (or "-dynamic-linker" "-plugin"))
-                              . rest))
+              ((library-files ((and flag
+                                    (or "-dynamic-linker" "-plugin"))
+                               . rest))
                ;; When passed '-dynamic-linker ld.so', ignore 'ld.so'; when
                ;; passed '-plugin liblto_plugin.so', ignore
                ;; 'liblto_plugin.so'.  See <http://bugs.gnu.org/20102>.
-               (list library-path
-                     library-files
+               (list library-files
                      (cons* argument flag rest)))
-              ((library-path library-files previous-args)
-               (cond ((string-prefix? "-L" argument) ;augment the search path
-                      (list (append library-path
-                                    (list (string-drop argument 2)))
-                            library-files
-                            (cons argument previous-args)))
-                     ((string-prefix? "-l" argument) ;add library
+              ((library-files previous-args)
+               (cond ((string-prefix? "-l" argument) ;add library
                       (let* ((lib  (string-append "lib"
                                                   (string-drop argument 2)
                                                   ".so"))
                              (full (search-path library-path lib)))
-                        (list library-path
-                              (if full
+                        (list (if full
                                   (cons full library-files)
                                   library-files)
                               (cons argument previous-args))))
                      ((and (string-prefix? %store-directory argument)
                            (shared-library? argument)) ;add library
-                      (list library-path
-                            (cons argument library-files)
+                      (list (cons argument library-files)
                             (cons argument previous-args)))
                      (else
-                      (list library-path
-                            library-files
+                      (list library-files
                             (cons argument previous-args)))))))
-          (list '() '() '())
+          (list '() '())
           args))
 
-  (match path+files+args
-    ((path files arguments)
+  (match files+args
+    ((files arguments)
      (reverse files))))
 
 (define (rpath-arguments library-files)
@@ -211,10 +220,13 @@ impure library ~s~%"
 
 (define (ld-wrapper . args)
   ;; Invoke the real `ld' with ARGS, augmented with `-rpath' switches.
-  (let* ((libs (library-files-linked args))
+  (let* ((path (library-search-path args))
+         (libs (library-files-linked args path))
          (args (append args (rpath-arguments libs))))
     (when %debug?
       (format (current-error-port)
+              "ld-wrapper: library search path: ~s~%" path)
+      (format (current-error-port)
               "ld-wrapper: libraries linked: ~s~%" libs)
       (format (current-error-port)
               "ld-wrapper: invoking `~a' with ~s~%"
diff --git a/gnu/packages/libffi.scm b/gnu/packages/libffi.scm
index 33e10d6fc2..83af7fde68 100644
--- a/gnu/packages/libffi.scm
+++ b/gnu/packages/libffi.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -29,11 +30,11 @@
          ;; available in $includedir where some users expect them.
          '(lambda* (#:key outputs #:allow-other-keys)
             (define out (assoc-ref outputs "out"))
-            (symlink (string-append out "/lib/libffi-3.1/include")
+            (symlink (string-append out "/lib/libffi-3.2.1/include")
                      (string-append out "/include")))))
    (package
     (name "libffi")
-    (version "3.1")
+    (version "3.2.1")
     (source (origin
              (method url-fetch)
              (uri
@@ -41,7 +42,7 @@
                              name "-" version ".tar.gz"))
              (sha256
               (base32
-               "1sznmrhcswwbyqla9y2ximlkzbxks59wjfs3lh7qf8ayranyxzlp"))))
+               "0dya49bnhianl0r65m65xndz6ls2jn1xngyn72gd28ls3n7bnvnh"))))
     (build-system gnu-build-system)
     (arguments `(#:phases (alist-cons-after 'install 'post-install
                                             ,post-install-phase
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 039e438a94..6500aa51f5 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -436,6 +436,9 @@ providing the system administrator with some help in common tasks.")
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
 
+                               ;; Do not build .a files to save 2 MiB.
+                               "--disable-static"
+
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -481,62 +484,34 @@ block devices, UUIDs, TTYs, and many other tools.")
 (define-public procps
   (package
     (name "procps")
-    (version "3.2.8")
+    (version "3.3.11")
     (source (origin
-             (method url-fetch)
-             ;; A mirror://sourceforge URI doesn't work, presumably becuase
-             ;; the SourceForge project is misconfigured.
-             (uri (string-append "http://procps.sourceforge.net/procps-"
-                                 version ".tar.gz"))
-             (sha256
-              (base32
-               "0d8mki0q4yamnkk4533kx8mc0jd879573srxhg6r2fs3lkc6iv8i"))
-             (patches (list (search-patch "procps-make-3.82.patch")))))
+              (method url-fetch)
+              (uri (string-append "mirror://sourceforge/procps-ng/Production/"
+                                  "procps-ng-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1va4n0mpsq327ca9dqp4hnrpgs6821rp0f2m0jyc1bfjl9lk2jg9"))))
     (build-system gnu-build-system)
-    (inputs `(("ncurses" ,ncurses)))
     (arguments
      '(#:modules ((guix build utils)
                   (guix build gnu-build-system)
                   (srfi srfi-1)
                   (srfi srfi-26))
-       #:phases (alist-replace
-                 'configure
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   ;; No `configure', just a single Makefile.
-                   (let ((out (assoc-ref outputs "out")))
-                     (substitute* "Makefile"
-                       (("/usr/") "/")
-                       (("--(owner|group) 0") "")
-                       (("ldconfig") "true")
-                       (("^LDFLAGS[[:blank:]]*:=(.*)$" _ value)
-                        ;; Add libproc to the RPATH.
-                        (string-append "LDFLAGS := -Wl,-rpath="
-                                       out "/lib" value))))
-                   (setenv "CC" "gcc"))
-                 (alist-replace
-                  'install
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    (let ((out (assoc-ref outputs "out")))
-                      (and (zero?
-                            (system* "make" "install"
-                                     (string-append "DESTDIR=" out)))
-
-                           ;; Remove commands and man pages redundant with
-                           ;; Coreutils.
-                           (let ((dup (append-map (cut find-files out <>)
-                                                  '("^kill" "^uptime"))))
-                             (for-each delete-file dup)
-                             #t)
-
-                           ;; Sanity check.
-                           (zero?
-                            (system* (string-append out "/bin/ps")
-                                     "--version")))))
-                  %standard-phases))
-
-       ;; What did you expect?  Tests?
-       #:tests? #f))
-    (home-page "http://procps.sourceforge.net/")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after
+          'install 'post-install
+          ;; Remove commands and man pages redudant with
+          ;; Coreutils.
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let* ((out (assoc-ref outputs "out"))
+                   (dup (append-map (cut find-files out <>)
+                                    '("^kill" "^uptime"))))
+              (for-each delete-file dup)
+              #t))))))
+    (inputs `(("ncurses" ,ncurses)))
+    (home-page "https://gitlab.com/procps-ng/procps/")
     (synopsis "Utilities that give information about processes")
     (description
      "Procps is the package that has a bunch of small useful utilities
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 4dc9bdc6e7..d41479e83f 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -765,6 +765,7 @@ mailboxes.  Currently Maildir and IMAP are supported types.")
     (build-system perl-build-system)
     (propagated-inputs
      `(("perl-email-simple" ,perl-email-simple)
+       ("perl-module-pluggable" ,perl-module-pluggable)
        ("perl-mro-compat" ,perl-mro-compat)))
     (home-page "http://search.cpan.org/dist/Email-Abstract")
     (synopsis "Interface to mail representations")
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index ee74c03700..ad507706db 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -30,7 +30,7 @@
 (define-public gmp
   (package
    (name "gmp")
-   (version "6.0.0a")
+   (version "6.1.0")
    (source (origin
             (method url-fetch)
             (uri
@@ -38,14 +38,14 @@
                             version ".tar.xz"))
             (sha256
              (base32
-              "0r5pp27cy7ch3dg5v0rsny8bib1zfvrza6027g2mp5f6v8pd6mli"))
+              "12b9s4jn48gbar6dbs5qrlmljdmnq43xy3ji9yjzic0mwp6dmnk8"))
             (patches (map search-patch
-                          '("gmp-arm-asm-nothumb.patch"
-                            "gmp-faulty-test.patch")))))
+                          '("gmp-faulty-test.patch")))))
    (build-system gnu-build-system)
    (native-inputs `(("m4" ,m4)))
    (outputs '("out" "debug"))
-   (arguments `(#:configure-flags
+   (arguments `(#:parallel-tests? #f ; mpz/reuse fails otherwise
+                #:configure-flags
                 '(;; Build a "fat binary", with routines for several
                   ;; sub-architectures.
                   "--enable-fat"
@@ -60,6 +60,24 @@ cryptography and computational algebra.")
    (license lgpl3+)
    (home-page "http://gmplib.org/")))
 
+(define-public gmp-6.0
+  ;; We keep this one around to bootstrap GCC, to work around a compilation
+  ;; issue on ARM.  See
+  ;; <https://gmplib.org/list-archives/gmp-bugs/2015-December/003848.html>.
+  (package
+    (inherit gmp)
+    (version "6.0.0a")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/gmp/gmp-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "0r5pp27cy7ch3dg5v0rsny8bib1zfvrza6027g2mp5f6v8pd6mli"))
+              (patches (map search-patch
+                            '("gmp-arm-asm-nothumb.patch"
+                              "gmp-faulty-test.patch")))))))
+
 (define-public mpfr
   (package
    (name "mpfr")
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index b7fbfc982d..147033a7e5 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -29,16 +29,35 @@
          '(lambda _
             (for-each patch-makefile-SHELL
                       (find-files "." "Makefile.in"))))
+        (configure-phase
+         ;; The 'configure' script does not understand '--docdir', so we must
+         ;; override that and use '--mandir' instead.
+         '(lambda* (#:key build target outputs configure-flags
+                    #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out"))
+                  (doc (assoc-ref outputs "doc")))
+              (zero? (apply system* "./configure"
+                            (string-append "SHELL=" (which "sh"))
+                            (string-append "--build=" build)
+                            (string-append "--prefix=" out)
+                            (string-append "--mandir=" doc "/share/man")
+                            (if target
+                                (cons (string-append "--host=" target)
+                                      configure-flags)
+                                configure-flags))))))
         (remove-shebang-phase
          '(lambda _
             ;; To avoid retaining a reference to the bootstrap Bash via the
-            ;; shebang of the 'ncursesw5-config' script, simply remove that
-            ;; shebang: it'll work just as well without it.
+            ;; shebang of the 'ncursesw6-config' script, simply remove that
+            ;; shebang: it'll work just as well without it.  Likewise, do not
+            ;; retain a reference to the "doc" output.
             (substitute* "misc/ncurses-config.in"
               (("#!@SHELL@")
                "# No shebang here, use /bin/sh!\n")
               (("@SHELL@ \\$0")
-               "$0"))
+               "$0")
+              (("mandir=.*$")
+               "mandir=share/man"))
             #t))
         (post-install-phase
          '(lambda* (#:key outputs #:allow-other-keys)
@@ -79,6 +98,8 @@
                (base32
                 "0q3jck7lna77z5r42f13c4xglc7azd19pxfrjrpgp2yf615w4lgm"))))
      (build-system gnu-build-system)
+     (outputs '("out"
+                "doc"))                          ;1 MiB of man pages
      (arguments
       `(#:configure-flags
         `("--with-shared" "--without-debug" "--enable-widec"
@@ -95,13 +116,18 @@
                           "/lib"))
         #:tests? #f                               ; no "check" target
         #:phases (modify-phases %standard-phases
+                   (replace 'configure ,configure-phase)
                    (add-after 'install 'post-install
-                              ,post-install-phase)
+                     ,post-install-phase)
                    (add-before 'configure 'patch-makefile-SHELL
-                               ,patch-makefile-phase)
+                     ,patch-makefile-phase)
                    (add-after 'unpack 'remove-unneeded-shebang
-                              ,remove-shebang-phase))))
+                     ,remove-shebang-phase))))
      (self-native-input? #t)                      ; for `tic'
+     (native-search-paths
+      (list (search-path-specification
+             (variable "TERMINFO_DIRS")
+             (files '("share/terminfo")))))
      (synopsis "Terminal emulation (termcap, terminfo) library")
      (description
       "GNU Ncurses is a library which provides capabilities to write text to
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index f157d1513b..b85ebece3c 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -340,7 +340,7 @@ symlinks to the files in a common directory such as /usr/local.")
                       (let ((nspr (assoc-ref inputs "nspr"))
                             (nss  (assoc-ref inputs "nss")))
                         (setenv "CPATH"
-                                (string-append (getenv "CPATH") ":"
+                                (string-append (getenv "C_INCLUDE_PATH") ":"
                                                nspr "/include/nspr:"
                                                nss "/include/nss"))
                         (setenv "LIBRARY_PATH"
diff --git a/gnu/packages/patches/automake-regexp-syntax.patch b/gnu/packages/patches/automake-regexp-syntax.patch
new file mode 100644
index 0000000000..2e965c8c50
--- /dev/null
+++ b/gnu/packages/patches/automake-regexp-syntax.patch
@@ -0,0 +1,34 @@
+From <https://lists.gnu.org/archive/html/automake-patches/2015-07/msg00000.html>.
+See also <http://bugs.gnu.org/22372>.
+
+From 34163794a58b5bd91c5d6bd9adf5437571c7a479 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Tue, 7 Jul 2015 10:54:24 +0200
+Subject: [PATCH] bin/automake: escape '{' in regexp pattern
+
+Based on perlre(1) documentation:
+.. in Perl v5.26, literal uses of a curly bracket will be required
+to be escaped, say by preceding them with a backslash ("\{" ) or
+enclosing them within square brackets ("[{]") ..
+
+References:
+https://bugzilla.redhat.com/1239379
+
+* bin/automake.in (substitute_ac_subst_variables): Escape the
+occurrence of '{' character.
+---
+ bin/automake.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/automake.in b/bin/automake.in
+index 0c29184..c294ced 100644
+--- a/bin/automake.in
++++ b/bin/automake.in
+@@ -3898,7 +3898,7 @@ sub substitute_ac_subst_variables_worker
+ sub substitute_ac_subst_variables
+ {
+   my ($text) = @_;
+-  $text =~ s/\${([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
++  $text =~ s/\$\{([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
+   return $text;
+ }
diff --git a/gnu/packages/patches/doxygen-test.patch b/gnu/packages/patches/doxygen-test.patch
index 7a7f4e963f..5ac063adbf 100644
--- a/gnu/packages/patches/doxygen-test.patch
+++ b/gnu/packages/patches/doxygen-test.patch
@@ -31,8 +31,8 @@ diff -u -r doxygen-1.8.7.orig/testing/012/indexpage.xml doxygen-1.8.7/testing/01
      <title>My Project</title>
      <detaileddescription>
 -      <para>See <ref refid="citelist_1CITEREF_knuth79" kindref="member">[1]</ref> for more info. </para>
-+      <para>See <ref refid="citelist_1CITEREF_knuth79" kindref="member">knuth79</ref> for more info. </para>
++      <para>See knuth79 for more info. </para>
      </detaileddescription>
    </compounddef>
  </doxygen>
-Nur in doxygen-1.8.7/testing: test_output_012.
+
diff --git a/gnu/packages/patches/doxygen-tmake.patch b/gnu/packages/patches/doxygen-tmake.patch
deleted file mode 100644
index 3579243702..0000000000
--- a/gnu/packages/patches/doxygen-tmake.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Fix the `check_unix' function, which looks for `/bin/uname' to determine
-whether we're on a Unix-like system.
-Taken from nixpkgs.
-
---- doxygen-1.5.8/tmake/bin/tmake	2008-12-06 14:16:20.000000000 +0100
-+++ doxygen-1.5.8/tmake/bin/tmake	2009-03-05 11:29:55.000000000 +0100
-@@ -234,17 +234,7 @@ sub tmake_verb {
- #
- 
- sub check_unix {
--    my($r);
--    $r = 0;
--    if ( -f "/bin/uname" ) {
--	$r = 1;
--	(-f "\\bin\\uname") && ($r = 0);
--    }
--    if ( -f "/usr/bin/uname" ) {
--	$r = 1;
--	(-f "\\usr\\bin\\uname") && ($r = 0);
--    }
--    return $r;
-+    return 1;
- }
- 
diff --git a/gnu/packages/patches/emacs-source-date-epoch.patch b/gnu/packages/patches/emacs-source-date-epoch.patch
new file mode 100644
index 0000000000..41c03ef514
--- /dev/null
+++ b/gnu/packages/patches/emacs-source-date-epoch.patch
@@ -0,0 +1,20 @@
+Honor SOURCE_DATE_EPOCH variable to avoid non-determinism in generated
+"autoloads" files.
+
+--- a/lisp/emacs-lisp/autoload.el
++++ b/lisp/emacs-lisp/autoload.el
+@@ -378,8 +378,12 @@
+   "Insert the section-header line,
+ which lists the file name and which functions are in it, etc."
+   (insert generate-autoload-section-header)
+-  (prin1 `(autoloads ,autoloads ,load-name ,file ,time)
+-	 outbuf)
++  (let* ((env  (getenv "SOURCE_DATE_EPOCH"))
++         (time (if env
++                   (seconds-to-time (string-to-number env))
++                 time)))
++    (prin1 `(autoloads ,autoloads ,load-name ,file ,time)
++           outbuf))
+   (terpri outbuf)
+   ;; Break that line at spaces, to avoid very long lines.
+   ;; Make each sub-line into a comment.
diff --git a/gnu/packages/patches/findutils-absolute-paths.patch b/gnu/packages/patches/findutils-absolute-paths.patch
deleted file mode 100644
index 96341e281f..0000000000
--- a/gnu/packages/patches/findutils-absolute-paths.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Fix use of LFS-style absolute paths.
-
-Patches from Nixpkgs by Armijn Hemel <armijn@gpl-violations.org>
-and Wouter den Breejen <uu@denbreejen.net>.
-
-diff -ruN findutils-4.2.20/locate/updatedb.sh findutils-4.2.20.new/locate/updatedb.sh
---- findutils-4.2.20/locate/updatedb.sh	2005-01-24 17:12:35.000000000 +0100
-+++ findutils-4.2.20.new/locate/updatedb.sh	2005-08-23 14:37:10.000000000 +0200
-@@ -141,7 +141,7 @@
- : ${code:=${LIBEXECDIR}/@code@}
- 
- 
--PATH=/bin:/usr/bin:${BINDIR}; export PATH
-+PATH=/bin:/usr/bin:${BINDIR}:${PATH}; export PATH
- 
- : ${PRUNEFS="nfs NFS proc afs proc smbfs autofs iso9660 ncpfs coda devpts ftpfs devfs mfs sysfs shfs"}
- 
-diff -Naur findutils-4.2.30/xargs/xargs.c findutils-4.2.30_new/xargs/xargs.c
---- findutils-4.2.30/xargs/xargs.c	2007-02-27 11:21:08.000000000 +0100
-+++ findutils-4.2.30_new/xargs/xargs.c	2007-07-17 19:02:05.000000000 +0200
-@@ -402,7 +402,7 @@
-   int show_limits = 0;			/* --show-limits */
-   int always_run_command = 1;
-   char *input_file = "-"; /* "-" is stdin */
--  char *default_cmd = "/bin/echo";
-+  char *default_cmd = "echo";
-   int (*read_args) PARAMS ((void)) = read_line;
-   void (*act_on_init_result)(void) = noop;
-   int env_too_big = 0;
diff --git a/gnu/packages/patches/findutils-test-xargs.patch b/gnu/packages/patches/findutils-test-xargs.patch
new file mode 100644
index 0000000000..10c7bed28d
--- /dev/null
+++ b/gnu/packages/patches/findutils-test-xargs.patch
@@ -0,0 +1,22 @@
+This test relies on 'xargs' being available in $PATH, which is not
+the case when we build the initial Findutils doing bootstrapping.
+Reported at <https://savannah.gnu.org/bugs/index.php?46786>.
+
+--- findutils-4.6.0/find/testsuite/sv-34976-execdir-fd-leak.sh	2015-12-31 19:37:59.401526288 +0100
++++ findutils-4.6.0/find/testsuite/sv-34976-execdir-fd-leak.sh	2015-12-31 19:38:36.061770693 +0100
+@@ -50,13 +50,14 @@ die() {
+ # Create test files, each 98 in the directories ".", "one" and "two".
+ make_test_data() {
+   d="$1"
++  xargs="`cd ../../xargs; pwd -P`/xargs"
+   (
+     cd "$1" || exit 1
+     mkdir one two || exit 1
+     for i in ${three_to_hundred} ; do
+       printf "./%03d one/%03d two/%03d " $i $i $i
+     done \
+-      | xargs touch || exit 1
++      | "$xargs" touch || exit 1
+   ) \
+   || die "failed to set up the test in ${outdir}"
+ }
diff --git a/gnu/packages/patches/flex-bison-tests.patch b/gnu/packages/patches/flex-bison-tests.patch
deleted file mode 100644
index 0f372f83bf..0000000000
--- a/gnu/packages/patches/flex-bison-tests.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-The `test-bison-yyl{loc,val}' tests fail with "conflicting types for
-'testparse'" because `YYPARSE_PARAM' is undefined; work around that.
-
---- flex-2.5.37/tests/test-bison-yylloc/main.c	2012-11-22 18:17:01.000000000 +0100
-+++ flex-2.5.37/tests/test-bison-yylloc/main.c	2012-11-22 18:17:07.000000000 +0100
-@@ -21,6 +21,7 @@
-  * PURPOSE.
-  */
- 
-+#define YYPARSE_PARAM scanner
- #include "parser.h"
- #include "scanner.h"
- 
-
---- flex-2.5.37/tests/test-bison-yylval/main.c	2012-11-22 18:17:42.000000000 +0100
-+++ flex-2.5.37/tests/test-bison-yylval/main.c	2012-11-22 18:17:49.000000000 +0100
-@@ -21,6 +21,7 @@
-  * PURPOSE.
-  */
- 
-+#define YYPARSE_PARAM scanner
- #include "parser.h"
- #include "scanner.h"
- 
diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch
new file mode 100644
index 0000000000..de1f5c431c
--- /dev/null
+++ b/gnu/packages/patches/gawk-fts-test.patch
@@ -0,0 +1,51 @@
+This is upstream commit c9a018c.  We have observed random failures of
+this test on i686 that seem related to load.
+
+2015-05-21         Arnold D. Robbins     <arnold@skeeve.com>
+
+	* fts.awk: Really remove atime from the output. 
+	This avoids spurious failures on heavily loaded systems.
+
+diff --git a/test/fts.awk b/test/fts.awk
+index b1df060..dea5b68 100644
+--- a/test/fts.awk
++++ b/test/fts.awk
+@@ -50,6 +50,11 @@ function sort_traverse(data,	sorted, i)
+ {
+ 	asorti(data, sorted)
+ 	for (i = 1; i in sorted; i++) {
++		# 5/2015: skip for atime, since there can
++		# occasionally be small differences.
++		if (sorted[i] == "atime")
++			continue
++
+ 		indent()
+ 		printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output
+ 	}
+@@ -63,17 +68,20 @@ function traverse(data,         i)
+ 			printf("%s:\n", i) > output
+ 
+ 			Level++
+-			if (("mtime" in data[i]) && ! isarray(data[i][mtime])) {
++			if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) {
+ 				sort_traverse(data[i])
+ 			} else {
+ 				traverse(data[i])
+ 			}
+ 			Level--
+-		} else if (data[i] != "atime") {
+-			# 4/2015: skip for atime, since there can
+-			# occasionally be small differences.
+-			indent()
+-			printf("%s --> %s\n", i, data[i]) > output
++#		} else {
++#			JUNK = 1
++#			if (i != "atime") {
++#				# 4/2015: skip for atime, since there can
++#				# occasionally be small differences.
++#				indent()
++#				printf("%s --> %s\n", i, data[i]) > output
++#			}
+ 		}
+ 	}
+ }
diff --git a/gnu/packages/patches/gnutls-doc-fix.patch b/gnu/packages/patches/gnutls-doc-fix.patch
deleted file mode 100644
index 170d2468bc..0000000000
--- a/gnu/packages/patches/gnutls-doc-fix.patch
+++ /dev/null
@@ -1,546 +0,0 @@
-diff -ru gnutls-3.4.4/doc/invoke-certtool.texi gnutls-3.4.4.1/doc/invoke-certtool.texi
---- gnutls-3.4.4.1/doc/invoke-certtool.texi	2015-08-10 13:43:52.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-certtool.texi	2015-07-31 15:44:21.000000000 -0400
-@@ -41,7 +41,97 @@
- 
- @exampleindent 0
- @example
--certtool is unavailable - no --help
-+certtool - GnuTLS certificate tool
-+Usage:  certtool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -V, --verbose              More verbose output
-+                                - may appear multiple times
-+       --infile=file          Input file
-+                                - file must pre-exist
-+       --outfile=str          Output file
-+   -s, --generate-self-signed  Generate a self-signed certificate
-+   -c, --generate-certificate  Generate a signed certificate
-+       --generate-proxy       Generates a proxy certificate
-+       --generate-crl         Generate a CRL
-+   -u, --update-certificate   Update a signed certificate
-+   -p, --generate-privkey     Generate a private key
-+   -q, --generate-request     Generate a PKCS #10 certificate request
-+                                - prohibits the option 'infile'
-+   -e, --verify-chain         Verify a PEM encoded certificate chain
-+       --verify               Verify a PEM encoded certificate chain using a trusted list
-+       --verify-crl           Verify a CRL using a trusted list
-+                                - requires the option 'load-ca-certificate'
-+       --generate-dh-params   Generate PKCS #3 encoded Diffie-Hellman parameters
-+       --get-dh-params        Get the included PKCS #3 encoded Diffie-Hellman parameters
-+       --dh-info              Print information PKCS #3 encoded Diffie-Hellman parameters
-+       --load-privkey=str     Loads a private key file
-+       --load-pubkey=str      Loads a public key file
-+       --load-request=str     Loads a certificate request file
-+       --load-certificate=str Loads a certificate file
-+       --load-ca-privkey=str  Loads the certificate authority's private key file
-+       --load-ca-certificate=str Loads the certificate authority's certificate file
-+       --password=str         Password to use
-+       --null-password        Enforce a NULL password
-+       --empty-password       Enforce an empty password
-+       --hex-numbers          Print big number in an easier format to parse
-+       --cprint               In certain operations it prints the information in C-friendly format
-+   -i, --certificate-info     Print information on the given certificate
-+       --certificate-pubkey   Print certificate's public key
-+       --pgp-certificate-info  Print information on the given OpenPGP certificate
-+       --pgp-ring-info        Print information on the given OpenPGP keyring structure
-+   -l, --crl-info             Print information on the given CRL structure
-+       --crq-info             Print information on the given certificate request
-+       --no-crq-extensions    Do not use extensions in certificate requests
-+       --p12-info             Print information on a PKCS #12 structure
-+       --p12-name=str         The PKCS #12 friendly name to use
-+       --p7-info              Print information on a PKCS #7 structure
-+       --smime-to-p7          Convert S/MIME to PKCS #7 structure
-+   -k, --key-info             Print information on a private key
-+       --pgp-key-info         Print information on an OpenPGP private key
-+       --pubkey-info          Print information on a public key
-+       --v1                   Generate an X.509 version 1 certificate (with no extensions)
-+   -!, --to-p12               Generate a PKCS #12 structure
-+                                - requires the option 'load-certificate'
-+   -", --to-p8                Generate a PKCS #8 structure
-+   -8, --pkcs8                Use PKCS #8 format for private keys
-+   -#, --rsa                  Generate RSA key
-+   -$, --dsa                  Generate DSA key
-+   -%, --ecc                  Generate ECC (ECDSA) key
-+   -&, --ecdsa                an alias for the 'ecc' option
-+   -', --hash=str             Hash algorithm to use for signing
-+   -(, --inder                Use DER format for input certificates, private keys, and DH parameters
-+                                - disabled as '--no-inder'
-+   -), --inraw                an alias for the 'inder' option
-+   -*, --outder               Use DER format for output certificates, private keys, and DH parameters
-+                                - disabled as '--no-outder'
-+   -+, --outraw               an alias for the 'outder' option
-+   -,, --bits=num             Specify the number of bits for key generate
-+   --, --curve=str            Specify the curve used for EC key generation
-+   -., --sec-param=str        Specify the security level [low, legacy, medium, high, ultra]
-+   -/, --disable-quick-random  No effect
-+   -0, --template=str         Template file to use for non-interactive operation
-+   -1, --stdout-info          Print information to stdout instead of stderr
-+   -2, --ask-pass             Enable interaction for entering password when in batch mode.
-+   -3, --pkcs-cipher=str      Cipher to use for PKCS #8 and #12 operations
-+   -4, --provider=str         Specify the PKCS #11 provider library
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+
-+Tool to parse and generate X.509 certificates, requests and private keys.
-+It can be used interactively or non interactively by specifying the
-+template command line option.
-+
-+The tool accepts files or URLs supported by GnuTLS.  In case PIN is
-+required for the URL access you can provide it using the environment
-+variables GNUTLS_PIN and GNUTLS_SO_PIN.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-gnutls-cli-debug.texi gnutls-3.4.4.1/doc/invoke-gnutls-cli-debug.texi
---- gnutls-3.4.4.1/doc/invoke-gnutls-cli-debug.texi	2015-08-10 13:43:50.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-gnutls-cli-debug.texi	2015-07-31 15:44:18.000000000 -0400
-@@ -40,7 +40,34 @@
- 
- @exampleindent 0
- @example
--gnutls-cli-debug is unavailable - no --help
-+gnutls-cli-debug - GnuTLS debug client
-+Usage:  gnutls-cli-debug [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... 
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -V, --verbose              More verbose output
-+                                - may appear multiple times
-+   -p, --port=num             The port to connect to
-+                                - it must be in the range:
-+                                  0 to 65536
-+       --app-proto=str        The application protocol to be used to obtain the server's certificate
-+(https, ftp, smtp, imap)
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+Operands and options may be intermixed.  They will be reordered.
-+
-+TLS debug client.  It sets up multiple TLS connections to a server and
-+queries its capabilities.  It was created to assist in debugging GnuTLS,
-+but it might be useful to extract a TLS server's capabilities.  It connects
-+to a TLS server, performs tests and print the server's capabilities.  If
-+called with the `-v' parameter more checks will be performed.  Can be used
-+to check for servers with special needs or bugs.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-gnutls-cli.texi gnutls-3.4.4.1/doc/invoke-gnutls-cli.texi
---- gnutls-3.4.4.1/doc/invoke-gnutls-cli.texi	2015-08-10 13:43:49.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-gnutls-cli.texi	2015-07-31 15:44:17.000000000 -0400
-@@ -36,7 +36,95 @@
- 
- @exampleindent 0
- @example
--gnutls-cli is unavailable - no --help
-+gnutls-cli - GnuTLS client
-+Usage:  gnutls-cli [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostname]
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -V, --verbose              More verbose output
-+                                - may appear multiple times
-+       --tofu                 Enable trust on first use authentication
-+                                - disabled as '--no-tofu'
-+       --strict-tofu          Fail to connect if a known certificate has changed
-+                                - disabled as '--no-strict-tofu'
-+       --dane                 Enable DANE certificate verification (DNSSEC)
-+                                - disabled as '--no-dane'
-+       --local-dns            Use the local DNS server for DNSSEC resolving
-+                                - disabled as '--no-local-dns'
-+       --ca-verification      Disable CA certificate verification
-+                                - disabled as '--no-ca-verification'
-+                                - enabled by default
-+       --ocsp                 Enable OCSP certificate verification
-+                                - disabled as '--no-ocsp'
-+   -r, --resume               Establish a session and resume
-+   -e, --rehandshake          Establish a session and rehandshake
-+   -s, --starttls             Connect, establish a plain session and start TLS
-+       --app-proto=str        an alias for the 'starttls-proto' option
-+       --starttls-proto=str   The application protocol to be used to obtain the server's certificate
-+(https, ftp, smtp, imap)
-+                                - prohibits the option 'starttls'
-+   -u, --udp                  Use DTLS (datagram TLS) over UDP
-+       --mtu=num              Set MTU for datagram TLS
-+                                - it must be in the range:
-+                                  0 to 17000
-+       --crlf                 Send CR LF instead of LF
-+       --x509fmtder           Use DER format for certificates to read from
-+   -f, --fingerprint          Send the openpgp fingerprint, instead of the key
-+       --print-cert           Print peer's certificate in PEM format
-+       --dh-bits=num          The minimum number of bits allowed for DH
-+       --priority=str         Priorities string
-+       --x509cafile=str       Certificate file or PKCS #11 URL to use
-+       --x509crlfile=file     CRL file to use
-+                                - file must pre-exist
-+       --pgpkeyfile=file      PGP Key file to use
-+                                - file must pre-exist
-+       --pgpkeyring=file      PGP Key ring file to use
-+                                - file must pre-exist
-+       --pgpcertfile=file     PGP Public Key (certificate) file to use
-+                                - file must pre-exist
-+       --x509keyfile=str      X.509 key file or PKCS #11 URL to use
-+       --x509certfile=str     X.509 Certificate file or PKCS #11 URL to use
-+       --pgpsubkey=str        PGP subkey to use (hex or auto)
-+       --srpusername=str      SRP username to use
-+       --srppasswd=str        SRP password to use
-+       --pskusername=str      PSK username to use
-+       --pskkey=str           PSK key (in hex) to use
-+   -p, --port=str             The port or service to connect to
-+       --insecure             Don't abort program if server certificate can't be validated
-+       --ranges               Use length-hiding padding to prevent traffic analysis
-+       --benchmark-ciphers    Benchmark individual ciphers
-+       --benchmark-tls-kx     Benchmark TLS key exchange methods
-+       --benchmark-tls-ciphers  Benchmark TLS ciphers
-+   -l, --list                 Print a list of the supported algorithms and modes
-+                                - prohibits the option 'port'
-+       --noticket             Don't allow session tickets
-+   -!, --srtp-profiles=str    Offer SRTP profiles
-+   -", --alpn=str             Application layer protocol
-+                                - may appear multiple times
-+   -b, --heartbeat            Activate heartbeat support
-+   -#, --recordsize=num       The maximum record size to advertize
-+                                - it must be in the range:
-+                                  0 to 4096
-+   -$, --disable-sni          Do not send a Server Name Indication (SNI)
-+   -%, --disable-extensions   Disable all the TLS extensions
-+   -&, --inline-commands      Inline commands of the form ^<cmd>^
-+   -', --inline-commands-prefix=str Change the default delimiter for inline commands.
-+   -(, --provider=file        Specify the PKCS #11 provider library
-+                                - file must pre-exist
-+   -), --fips140-mode         Reports the status of the FIPS140-2 mode in gnutls library
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+Operands and options may be intermixed.  They will be reordered.
-+
-+Simple client program to set up a TLS connection to some other computer.  It
-+sets up a TLS connection and forwards data from the standard input to the
-+secured socket and vice versa.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-gnutls-serv.texi gnutls-3.4.4.1/doc/invoke-gnutls-serv.texi
---- gnutls-3.4.4.1/doc/invoke-gnutls-serv.texi	2015-08-10 13:43:51.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-gnutls-serv.texi	2015-07-31 15:44:20.000000000 -0400
-@@ -35,7 +35,69 @@
- 
- @exampleindent 0
- @example
--gnutls-serv is unavailable - no --help
-+gnutls-serv - GnuTLS server
-+Usage:  gnutls-serv [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+       --noticket             Don't accept session tickets
-+   -g, --generate             Generate Diffie-Hellman and RSA-export parameters
-+   -q, --quiet                Suppress some messages
-+       --nodb                 Do not use a resumption database
-+       --http                 Act as an HTTP server
-+       --echo                 Act as an Echo server
-+   -u, --udp                  Use DTLS (datagram TLS) over UDP
-+       --mtu=num              Set MTU for datagram TLS
-+                                - it must be in the range:
-+                                  0 to 17000
-+       --srtp-profiles=str    Offer SRTP profiles
-+   -a, --disable-client-cert  Do not request a client certificate
-+   -r, --require-client-cert  Require a client certificate
-+       --verify-client-cert   If a client certificate is sent then verify it.
-+   -b, --heartbeat            Activate heartbeat support
-+       --x509fmtder           Use DER format for certificates to read from
-+       --priority=str         Priorities string
-+       --dhparams=file        DH params file to use
-+                                - file must pre-exist
-+       --x509cafile=str       Certificate file or PKCS #11 URL to use
-+       --x509crlfile=file     CRL file to use
-+                                - file must pre-exist
-+       --pgpkeyfile=file      PGP Key file to use
-+                                - file must pre-exist
-+       --pgpkeyring=file      PGP Key ring file to use
-+                                - file must pre-exist
-+       --pgpcertfile=file     PGP Public Key (certificate) file to use
-+                                - file must pre-exist
-+       --x509keyfile=str      X.509 key file or PKCS #11 URL to use
-+       --x509certfile=str     X.509 Certificate file or PKCS #11 URL to use
-+       --x509dsakeyfile=str   Alternative X.509 key file or PKCS #11 URL to use
-+       --x509dsacertfile=str  Alternative X.509 Certificate file or PKCS #11 URL to use
-+       --x509ecckeyfile=str   Alternative X.509 key file or PKCS #11 URL to use
-+       --x509ecccertfile=str  Alternative X.509 Certificate file or PKCS #11 URL to use
-+       --pgpsubkey=str        PGP subkey to use (hex or auto)
-+       --srppasswd=file       SRP password file to use
-+                                - file must pre-exist
-+       --srppasswdconf=file   SRP password configuration file to use
-+                                - file must pre-exist
-+       --pskpasswd=file       PSK password file to use
-+                                - file must pre-exist
-+       --pskhint=str          PSK identity hint to use
-+       --ocsp-response=file   The OCSP response to send to client
-+                                - file must pre-exist
-+   -p, --port=num             The port to connect to
-+   -l, --list                 Print a list of the supported algorithms and modes
-+       --provider=file        Specify the PKCS #11 provider library
-+                                - file must pre-exist
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+
-+Server program that listens to incoming TLS connections.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-ocsptool.texi gnutls-3.4.4.1/doc/invoke-ocsptool.texi
---- gnutls-3.4.4.1/doc/invoke-ocsptool.texi	2015-08-10 13:43:53.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-ocsptool.texi	2015-07-31 15:44:22.000000000 -0400
-@@ -37,7 +37,53 @@
- 
- @exampleindent 0
- @example
--ocsptool is unavailable - no --help
-+ocsptool - GnuTLS OCSP tool
-+Usage:  ocsptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -V, --verbose              More verbose output
-+                                - may appear multiple times
-+       --infile=file          Input file
-+                                - file must pre-exist
-+       --outfile=str          Output file
-+       --ask[=arg]            Ask an OCSP/HTTP server on a certificate validity
-+                                - requires these options:
-+                                load-cert
-+                                load-issuer
-+   -e, --verify-response      Verify response
-+   -i, --request-info         Print information on a OCSP request
-+   -j, --response-info        Print information on a OCSP response
-+   -q, --generate-request     Generate an OCSP request
-+       --nonce                Use (or not) a nonce to OCSP request
-+                                - disabled as '--no-nonce'
-+       --load-issuer=file     Read issuer certificate from file
-+                                - file must pre-exist
-+       --load-cert=file       Read certificate to check from file
-+                                - file must pre-exist
-+       --load-trust=file      Read OCSP trust anchors from file
-+                                - prohibits the option 'load-signer'
-+                                - file must pre-exist
-+       --load-signer=file     Read OCSP response signer from file
-+                                - prohibits the option 'load-trust'
-+                                - file must pre-exist
-+       --inder                Use DER format for input certificates and private keys
-+                                - disabled as '--no-inder'
-+   -Q, --load-request=file    Read DER encoded OCSP request from file
-+                                - file must pre-exist
-+   -S, --load-response=file   Read DER encoded OCSP response from file
-+                                - file must pre-exist
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+
-+Ocsptool is a program that can parse and print information about OCSP
-+requests/responses, generate requests and verify responses.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-p11tool.texi gnutls-3.4.4.1/doc/invoke-p11tool.texi
---- gnutls-3.4.4.1/doc/invoke-p11tool.texi	2015-08-10 13:43:58.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-p11tool.texi	2015-07-31 15:44:26.000000000 -0400
-@@ -45,7 +45,97 @@
- 
- @exampleindent 0
- @example
--p11tool is unavailable - no --help
-+p11tool - GnuTLS PKCS #11 tool
-+Usage:  p11tool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [url]
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+       --outfile=str          Output file
-+       --list-tokens          List all available tokens
-+       --export               Export the object specified by the URL
-+       --export-chain         Export the certificate specified by the URL and its chain of trust
-+       --list-mechanisms      List all available mechanisms in a token
-+       --info                 List information on an available object in a token
-+       --list-all             List all available objects in a token
-+       --list-all-certs       List all available certificates in a token
-+       --list-certs           List all certificates that have an associated private key
-+       --list-all-privkeys    List all available private keys in a token
-+       --list-privkeys        an alias for the 'list-all-privkeys' option
-+       --list-keys            an alias for the 'list-all-privkeys' option
-+       --list-all-trusted     List all available certificates marked as trusted
-+       --write                Writes the loaded objects to a PKCS #11 token
-+       --delete               Deletes the objects matching the PKCS #11 URL
-+       --generate-random=num  Generate random data
-+       --generate-rsa         Generate an RSA private-public key pair
-+       --generate-dsa         Generate an RSA private-public key pair
-+       --generate-ecc         Generate an RSA private-public key pair
-+       --export-pubkey        Export the public key for a private key
-+       --label=str            Sets a label for the write operation
-+       --mark-wrap            Marks the generated key to be a wrapping key
-+                                - disabled as '--no-mark-wrap'
-+       --mark-trusted         Marks the object to be written as trusted
-+                                - disabled as '--no-mark-trusted'
-+       --mark-ca              Marks the object to be written as a CA
-+                                - disabled as '--no-mark-ca'
-+       --mark-private         Marks the object to be written as private
-+                                - disabled as '--no-mark-private'
-+                                - enabled by default
-+       --trusted              an alias for the 'mark-trusted' option
-+       --ca                   an alias for the 'mark-ca' option
-+       --private              an alias for the 'mark-private' option
-+                                - enabled by default
-+       --login                Force (user) login to token
-+                                - disabled as '--no-login'
-+       --so-login             Force security officer login to token
-+                                - disabled as '--no-so-login'
-+       --admin-login          an alias for the 'so-login' option
-+       --detailed-url         Print detailed URLs
-+                                - disabled as '--no-detailed-url'
-+   -!, --secret-key=str       Provide a hex encoded secret key
-+   -", --load-privkey=file    Private key file to use
-+                                - file must pre-exist
-+   -#, --load-pubkey=file     Public key file to use
-+                                - file must pre-exist
-+   -$, --load-certificate=file Certificate file to use
-+                                - file must pre-exist
-+   -8, --pkcs8                Use PKCS #8 format for private keys
-+   -%, --bits=num             Specify the number of bits for key generate
-+   -&, --curve=str            Specify the curve used for EC key generation
-+   -', --sec-param=str        Specify the security level
-+   -(, --inder                Use DER/RAW format for input
-+                                - disabled as '--no-inder'
-+   -), --inraw                an alias for the 'inder' option
-+   -*, --outder               Use DER format for output certificates, private keys, and DH parameters
-+                                - disabled as '--no-outder'
-+   -+, --outraw               an alias for the 'outder' option
-+   -,, --initialize           Initializes a PKCS #11 token
-+   --, --set-pin=str          Specify the PIN to use on token initialization
-+   -., --set-so-pin=str       Specify the Security Officer's PIN to use on token initialization
-+   -/, --provider=file        Specify the PKCS #11 provider library
-+                                - file must pre-exist
-+   -0, --batch                Disable all interaction with the tool.  All parameters need to be
-+specified on command line.
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+Operands and options may be intermixed.  They will be reordered.
-+
-+Program that allows operations on PKCS #11 smart cards and security
-+modules.
-+
-+To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to
-+be setup.  That is create a .module file in /etc/pkcs11/modules with the
-+contents 'module: /path/to/pkcs11.so'.  Alternatively the configuration
-+file /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of
-+the form 'load=/usr/lib/opensc-pkcs11.so'.
-+
-+You can provide the PIN to be used for the PKCS #11 operations with the
-+environment variables GNUTLS_PIN and GNUTLS_SO_PIN.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-psktool.texi gnutls-3.4.4.1/doc/invoke-psktool.texi
---- gnutls-3.4.4.1/doc/invoke-psktool.texi	2015-08-10 13:43:57.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-psktool.texi	2015-07-31 15:44:25.000000000 -0400
-@@ -36,7 +36,27 @@
- 
- @exampleindent 0
- @example
--psktool is unavailable - no --help
-+psktool - GnuTLS PSK tool
-+Usage:  psktool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -s, --keysize=num          specify the key size in bytes
-+                                - it must be in the range:
-+                                  0 to 512
-+   -u, --username=str         specify a username
-+   -p, --passwd=str           specify a password file
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+
-+Program that generates random keys for use with TLS-PSK.  The keys are
-+stored in hexadecimal format in a key file.
-+
- @end example
- @exampleindent 4
- 
-diff -ru gnutls-3.4.4/doc/invoke-srptool.texi gnutls-3.4.4.1/doc/invoke-srptool.texi
---- gnutls-3.4.4.1/doc/invoke-srptool.texi	2015-08-10 13:43:56.000000000 -0400
-+++ gnutls-3.4.4/doc/invoke-srptool.texi	2015-07-31 15:44:24.000000000 -0400
-@@ -41,7 +41,34 @@
- 
- @exampleindent 0
- @example
--srptool is unavailable - no --help
-+srptool - GnuTLS SRP tool
-+Usage:  srptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-+
-+   -d, --debug=num            Enable debugging
-+                                - it must be in the range:
-+                                  0 to 9999
-+   -i, --index=num            specify the index of the group parameters in tpasswd.conf to use
-+   -u, --username=str         specify a username
-+   -p, --passwd=str           specify a password file
-+   -s, --salt=num             specify salt size
-+       --verify               just verify the password.
-+   -v, --passwd-conf=str      specify a password conf file.
-+       --create-conf=str      Generate a password configuration file.
-+   -v, --version[=arg]        output version information and exit
-+   -h, --help                 display extended usage information and exit
-+   -!, --more-help            extended usage information passed thru pager
-+
-+Options are specified by doubled hyphens and their name or by a single
-+hyphen and the flag character.
-+
-+Simple program that emulates the programs in the Stanford SRP (Secure
-+Remote Password) libraries using GnuTLS.  It is intended for use in places
-+where you don't expect SRP authentication to be the used for system users.
-+
-+In brief, to use SRP you need to create two files.  These are the password
-+file that holds the users and the verifiers associated with them and the
-+configuration file to hold the group parameters (called tpasswd.conf).
-+
- @end example
- @exampleindent 4
- 
diff --git a/gnu/packages/patches/grep-CVE-2015-1345.patch b/gnu/packages/patches/grep-CVE-2015-1345.patch
deleted file mode 100644
index b0d0c8e5dc..0000000000
--- a/gnu/packages/patches/grep-CVE-2015-1345.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Fix CVE-2015-1345.  From upstream commit
-83a95bd8c8561875b948cadd417c653dbe7ef2e2
-by Yuliy Pisetsky <ypisetsky@fb.com>.
-
-diff --git a/src/kwset.c b/src/kwset.c
-index 4003c8d..376f7c3 100644
---- a/src/kwset.c
-+++ b/src/kwset.c
-@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
-                     if (! tp)
-                       return -1;
-                     tp++;
-+                    if (ep <= tp)
-+                      break;
-                   }
-               }
-           }
diff --git a/gnu/packages/patches/grep-timing-sensitive-test.patch b/gnu/packages/patches/grep-timing-sensitive-test.patch
new file mode 100644
index 0000000000..8cfcc848bc
--- /dev/null
+++ b/gnu/packages/patches/grep-timing-sensitive-test.patch
@@ -0,0 +1,15 @@
+Skip this performance regression test.
+
+The test measures things on the order of 20ms.  On a loaded machine, we
+have seen enough variation that the test would fail.
+
+--- grep-2.22/tests/long-pattern-perf	2016-01-03 12:52:38.491575007 +0100
++++ grep-2.22/tests/long-pattern-perf	2016-01-03 12:53:39.768464687 +0100
+@@ -16,6 +16,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
++exit 77
+ . "${srcdir=.}/init.sh"; path_prepend_ ../src
+ 
+ fail=0
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
new file mode 100644
index 0000000000..27768fa1ac
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346
+
+# HG changeset patch
+# User Nils Ohlmeier <drno@ohlmeier.org>
+# Date 1451439902 18000
+# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4
+# Parent  ff8e52467d793e935b80bf22a722a71a96fe2d63
+Bug 1233346 - r=ekr a=abillings
+
+diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c
++++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs
+ 
+     for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) {
+       char *c;
+ 
+       if (tmpAddress->OperStatus != IfOperStatusUp)
+         continue;
+ 
+       snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0);
++      munged_ifname[IFNAMSIZ-1] = '\0';
++
+       /* replace spaces with underscores */
+       c = strchr(munged_ifname, ' ');
+       while (c != NULL) {
+         *c = '_';
+          c = strchr(munged_ifname, ' ');
+       }
+       c = strchr(munged_ifname, '.');
+       while (c != NULL) {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
new file mode 100644
index 0000000000..fa1804eb82
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449117514 -46800
+# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0
+# Parent  925215cae26f9c0ccff07ef403a5b3194a4c45c4
+bug 1223670 assert that connected streams have the same graph r=padenot a=abillings
+
+diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
+--- a/dom/media/MediaStreamGraph.cpp
++++ b/dom/media/MediaStreamGraph.cpp
+@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort(
+       unused << mPort.forget();
+     }
+     virtual void RunDuringShutdown()
+     {
+       Run();
+     }
+     nsRefPtr<MediaInputPort> mPort;
+   };
++  MOZ_ASSERT(aStream->GraphImpl() == GraphImpl());
+   nsRefPtr<MediaInputPort> port = new MediaInputPort(aStream, this, aFlags,
+                                                      aInputNumber, aOutputNumber);
+   port->SetGraphImpl(GraphImpl());
+   GraphImpl()->AppendMessage(new Message(port));
+   return port.forget();
+ }
+ 
+ void
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
new file mode 100644
index 0000000000..cf0843b8b3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
@@ -0,0 +1,308 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449764754 18000
+# Node ID f746c38d160ea29088c15cacae44f3662befaec5
+# Parent  fc78180165a8262c80bbb722ed99b2e0c27b02d0
+bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp
+--- a/dom/media/webaudio/AudioContext.cpp
++++ b/dom/media/webaudio/AudioContext.cpp
+@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H
+     aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+     return nullptr;
+   }
+ #endif
+   nsRefPtr<DOMMediaStream> stream = aMediaElement.MozCaptureStream(aRv);
+   if (aRv.Failed()) {
+     return nullptr;
+   }
+-  nsRefPtr<MediaElementAudioSourceNode> mediaElementAudioSourceNode =
+-    new MediaElementAudioSourceNode(this, stream);
+-  return mediaElementAudioSourceNode.forget();
++  return MediaElementAudioSourceNode::Create(this, stream, aRv);
+ }
+ 
+ already_AddRefed<MediaStreamAudioSourceNode>
+ AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream,
+                                       ErrorResult& aRv)
+ {
+   if (mIsOffline) {
+     aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+     return nullptr;
+   }
+-  nsRefPtr<MediaStreamAudioSourceNode> mediaStreamAudioSourceNode =
+-    new MediaStreamAudioSourceNode(this, &aMediaStream);
+-  return mediaStreamAudioSourceNode.forget();
++
++  return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv);
+ }
+ 
+ already_AddRefed<GainNode>
+ AudioContext::CreateGain()
+ {
+   nsRefPtr<GainNode> gainNode = new GainNode(this);
+   return gainNode.forget();
+ }
+diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp
+--- a/dom/media/webaudio/AudioNode.cpp
++++ b/dom/media/webaudio/AudioNode.cpp
+@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont
+                      ChannelInterpretation aChannelInterpretation)
+   : DOMEventTargetHelper(aContext->GetParentObject())
+   , mContext(aContext)
+   , mChannelCount(aChannelCount)
+   , mChannelCountMode(aChannelCountMode)
+   , mChannelInterpretation(aChannelInterpretation)
+   , mId(gId++)
+   , mPassThrough(false)
+-#ifdef DEBUG
+-  , mDemiseNotified(false)
+-#endif
+ {
+   MOZ_ASSERT(aContext);
+   DOMEventTargetHelper::BindToOwner(aContext->GetParentObject());
+   aContext->UpdateNodeCount(1);
+ }
+ 
+ AudioNode::~AudioNode()
+ {
+   MOZ_ASSERT(mInputNodes.IsEmpty());
+   MOZ_ASSERT(mOutputNodes.IsEmpty());
+   MOZ_ASSERT(mOutputParams.IsEmpty());
+-#ifdef DEBUG
+-  MOZ_ASSERT(mDemiseNotified,
++  MOZ_ASSERT(!mStream,
+              "The webaudio-node-demise notification must have been sent");
+-#endif
+   if (mContext) {
+     mContext->UpdateNodeCount(-1);
+   }
+ }
+ 
+ size_t
+ AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const
+ {
+@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream()
+     mStream = nullptr;
+ 
+     nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+     if (obs) {
+       nsAutoString id;
+       id.AppendPrintf("%u", mId);
+       obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get());
+     }
+-#ifdef DEBUG
+-    mDemiseNotified = true;
+-#endif
+   }
+ }
+ 
+ void
+ AudioNode::RemoveOutputParam(AudioParam* aParam)
+ {
+   mOutputParams.RemoveElement(aParam);
+ }
+diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h
+--- a/dom/media/webaudio/AudioNode.h
++++ b/dom/media/webaudio/AudioNode.h
+@@ -239,19 +239,14 @@ private:
+   nsTArray<nsRefPtr<AudioParam> > mOutputParams;
+   uint32_t mChannelCount;
+   ChannelCountMode mChannelCountMode;
+   ChannelInterpretation mChannelInterpretation;
+   const uint32_t mId;
+   // Whether the node just passes through its input.  This is a devtools API that
+   // only works for some node types.
+   bool mPassThrough;
+-#ifdef DEBUG
+-  // In debug builds, check to make sure that the node demise notification has
+-  // been properly sent before the node is destroyed.
+-  bool mDemiseNotified;
+-#endif
+ };
+ 
+ }
+ }
+ 
+ #endif
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+@@ -5,22 +5,36 @@
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #include "MediaElementAudioSourceNode.h"
+ #include "mozilla/dom/MediaElementAudioSourceNodeBinding.h"
+ 
+ namespace mozilla {
+ namespace dom {
+ 
+-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext,
+-                                                         DOMMediaStream* aStream)
+-  : MediaStreamAudioSourceNode(aContext, aStream)
++MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext)
++  : MediaStreamAudioSourceNode(aContext)
+ {
+ }
+ 
++/* static */ already_AddRefed<MediaElementAudioSourceNode>
++MediaElementAudioSourceNode::Create(AudioContext* aContext,
++                                    DOMMediaStream* aStream, ErrorResult& aRv)
++{
++  nsRefPtr<MediaElementAudioSourceNode> node =
++    new MediaElementAudioSourceNode(aContext);
++
++  node->Init(aStream, aRv);
++  if (aRv.Failed()) {
++    return nullptr;
++  }
++
++  return node.forget();
++}
++
+ JSObject*
+ MediaElementAudioSourceNode::WrapObject(JSContext* aCx)
+ {
+   return MediaElementAudioSourceNodeBinding::Wrap(aCx, this);
+ }
+ 
+ }
+ }
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.h
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.h
+@@ -10,28 +10,30 @@
+ #include "MediaStreamAudioSourceNode.h"
+ 
+ namespace mozilla {
+ namespace dom {
+ 
+ class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode
+ {
+ public:
+-  MediaElementAudioSourceNode(AudioContext* aContext,
+-                              DOMMediaStream* aStream);
++  static already_AddRefed<MediaElementAudioSourceNode>
++  Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+ 
+   virtual JSObject* WrapObject(JSContext* aCx) override;
+ 
+   virtual const char* NodeType() const override
+   {
+     return "MediaElementAudioSourceNode";
+   }
+ 
+   virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override
+   {
+     return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
+   }
++private:
++  explicit MediaElementAudioSourceNode(AudioContext* aContext);
+ };
+ 
+ }
+ }
+ 
+ #endif
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_
+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+ 
+ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode)
+ NS_INTERFACE_MAP_END_INHERITING(AudioNode)
+ 
+ NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ 
+-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext,
+-                                                       DOMMediaStream* aMediaStream)
++MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext)
+   : AudioNode(aContext,
+               2,
+               ChannelCountMode::Max,
+-              ChannelInterpretation::Speakers),
+-    mInputStream(aMediaStream)
++              ChannelInterpretation::Speakers)
+ {
++}
++
++/* static */ already_AddRefed<MediaStreamAudioSourceNode>
++MediaStreamAudioSourceNode::Create(AudioContext* aContext,
++                                   DOMMediaStream* aStream, ErrorResult& aRv)
++{
++  nsRefPtr<MediaStreamAudioSourceNode> node =
++    new MediaStreamAudioSourceNode(aContext);
++
++  node->Init(aStream, aRv);
++  if (aRv.Failed()) {
++    return nullptr;
++  }
++
++  return node.forget();
++}
++
++void
++MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
++{
++  mInputStream = aMediaStream;
+   AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+-  mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine);
++  mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
+   ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+   mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
+                                                MediaInputPort::FLAG_BLOCK_INPUT);
+   mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+ 
+   PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+   mInputStream->AddPrincipalChangeObserver(this);
+ }
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+@@ -38,17 +38,18 @@ public:
+ private:
+   bool mEnabled;
+ };
+ 
+ class MediaStreamAudioSourceNode : public AudioNode,
+                                    public DOMMediaStream::PrincipalChangeObserver
+ {
+ public:
+-  MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream);
++  static already_AddRefed<MediaStreamAudioSourceNode>
++  Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+ 
+   NS_DECL_ISUPPORTS_INHERITED
+   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ 
+   virtual JSObject* WrapObject(JSContext* aCx) override;
+ 
+   virtual void DestroyMediaStream() override;
+ 
+@@ -60,16 +61,18 @@ public:
+   }
+ 
+   virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override;
+   virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override;
+ 
+   virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override;
+ 
+ protected:
++  explicit MediaStreamAudioSourceNode(AudioContext* aContext);
++  void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv);
+   virtual ~MediaStreamAudioSourceNode();
+ 
+ private:
+   nsRefPtr<MediaInputPort> mInputPort;
+   nsRefPtr<DOMMediaStream> mInputStream;
+ };
+ 
+ }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
new file mode 100644
index 0000000000..b212a70d4a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
@@ -0,0 +1,47 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1451362442 -46800
+# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+# Parent  f746c38d160ea29088c15cacae44f3662befaec5
+bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings
+
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio
+   }
+ 
+   return node.forget();
+ }
+ 
+ void
+ MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
+ {
++  MOZ_ASSERT(aMediaStream);
++  MediaStream* inputStream = aMediaStream->GetStream();
++  MediaStreamGraph* graph = Context()->Graph();
++  if (NS_WARN_IF(graph != inputStream->Graph())) {
++    aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
++    return;
++  }
++
+   mInputStream = aMediaStream;
+   AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+-  mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
++  mStream = graph->CreateAudioNodeExternalInputStream(engine);
+   ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+-  mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
++  mInputPort = outputStream->AllocateInputPort(inputStream,
+                                                MediaInputPort::FLAG_BLOCK_INPUT);
+   mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+ 
+   PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+   mInputStream->AddPrincipalChangeObserver(this);
+ }
+ 
+ MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode()
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
new file mode 100644
index 0000000000..3e62c9c5f1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
@@ -0,0 +1,51 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449145091 -46800
+# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c
+# Parent  6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h
+--- a/dom/media/webaudio/AudioDestinationNode.h
++++ b/dom/media/webaudio/AudioDestinationNode.h
+@@ -57,17 +57,16 @@ public:
+   void StartRendering(Promise* aPromise);
+ 
+   void OfflineShutdown();
+ 
+   // nsIDOMEventListener - by proxy
+   NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override;
+ 
+   AudioChannel MozAudioChannelType() const;
+-  void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+ 
+   virtual void NotifyMainThreadStateChanged() override;
+   void FireOfflineCompletionEvent();
+ 
+   // An amount that should be added to the MediaStream's current time to
+   // get the AudioContext.currentTime.
+   double ExtraCurrentTime();
+ 
+@@ -86,16 +85,17 @@ public:
+ 
+   void InputMuted(bool aInputMuted);
+   void ResolvePromise(AudioBuffer* aRenderedBuffer);
+ 
+ protected:
+   virtual ~AudioDestinationNode();
+ 
+ private:
++  void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+   bool CheckAudioChannelPermissions(AudioChannel aValue);
+ 
+   void SetCanPlay(bool aCanPlay);
+ 
+   void NotifyStableState();
+   void ScheduleStableStateNotification();
+ 
+   SelfReference<AudioDestinationNode> mOfflineRenderingRef;
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
new file mode 100644
index 0000000000..ec1f479ee4
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
@@ -0,0 +1,170 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686
+
+# HG changeset patch
+# User Lee Salzman <lsalzman@mozilla.com>
+# Date 1451932822 18000
+# Node ID 93617c30c0df35f719dead526b78649d564f5ac3
+# Parent  4f6e81673f6938719c86516606f2fda493e8c23c
+Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu
+
+diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
+--- a/layout/base/nsLayoutUtils.cpp
++++ b/layout/base/nsLayoutUtils.cpp
+@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame
+   nsIAtom *parentType = aFrame->GetParent()->GetType();
+   return parentType == nsGkAtoms::viewportFrame ||
+          parentType == nsGkAtoms::pageContentFrame;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+   nsresult rv;
+ 
+   nsCOMPtr<imgIRequest> imgRequest;
+   rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
+                             getter_AddRefs(imgRequest));
+   if (NS_FAILED(rv) || !imgRequest)
+@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma
+   result.mImageRequest = imgRequest.forget();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement),
+                             aSurfaceFlags, aTarget);
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   bool* isPremultiplied = nullptr;
+   if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) {
+     isPremultiplied = &result.mIsPremultiplied;
+   }
+ 
+   gfxIntSize size = aElement->GetSize();
+ 
+   result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied);
+   if (!result.mSourceSurface) {
+      // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just
+      // draw nothing, so return an empty surface.
+-     DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
++     DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
+      RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height),
+                                                           SurfaceFormat::B8G8R8A8);
+      if (dt) {
+        result.mSourceSurface = dt->Snapshot();
+      }
+   } else if (aTarget) {
+     RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface);
+     if (opt) {
+@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa
+   result.mIsWriteOnly = aElement->IsWriteOnly();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!");
+ 
+ #ifdef MOZ_EME
+   if (aElement->ContainsRestrictedContent()) {
+     return result;
+@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi
+   result.mIsWriteOnly = false;
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(dom::Element* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   // If it's a <canvas>, we may be able to just grab its internal surface
+   if (HTMLCanvasElement* canvas =
+         HTMLCanvasElement::FromContentOrNull(aElement)) {
+     return SurfaceFromElement(canvas, aSurfaceFlags, aTarget);
+   }
+ 
+   // Maybe it's <video>?
+diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h
+--- a/layout/base/nsLayoutUtils.h
++++ b/layout/base/nsLayoutUtils.h
+@@ -2018,33 +2018,39 @@ public:
+     bool mIsStillLoading;
+     /* Whether the element used CORS when loading. */
+     bool mCORSUsed;
+     /* Whether the returned image contains premultiplied pixel data */
+     bool mIsPremultiplied;
+   };
+ 
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
++  static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
++                                                     uint32_t aSurfaceFlags = 0) {
++    mozilla::RefPtr<DrawTarget> target = nullptr;
++    return SurfaceFromElement(aElement, aSurfaceFlags, target);
++  }
++
+   static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   // Need an HTMLImageElement overload, because otherwise the
+   // nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous
+   // for HTMLImageElement.
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+ 
+   /**
+    * When the document is editable by contenteditable attribute of its root
+    * content or body content.
+    *
+    * Be aware, this returns nullptr if it's in designMode.
+    *
+    * For example:
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
new file mode 100644
index 0000000000..4f349747c0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
@@ -0,0 +1,56 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/750e4cfc90f8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233152
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478493 -3600
+# Node ID 750e4cfc90f80df657e44c9c63b1865023d88682
+# Parent  93617c30c0df35f719dead526b78649d564f5ac3
+Bug 1233152 - Use PersistentRooted for ParseTask script and sourceObject. r=terrence a=abillings
+
+diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
+--- a/js/src/vm/HelperThreads.cpp
++++ b/js/src/vm/HelperThreads.cpp
+@@ -198,17 +198,17 @@ static const JSClass parseTaskGlobalClas
+ 
+ ParseTask::ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, JSContext* initCx,
+                      const char16_t* chars, size_t length,
+                      JS::OffThreadCompileCallback callback, void* callbackData)
+   : cx(cx), options(initCx), chars(chars), length(length),
+     alloc(JSRuntime::TEMP_LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
+     exclusiveContextGlobal(initCx, exclusiveContextGlobal),
+     callback(callback), callbackData(callbackData),
+-    script(nullptr), errors(cx), overRecursed(false)
++    script(initCx->runtime(), nullptr), errors(cx), overRecursed(false)
+ {
+ }
+ 
+ bool
+ ParseTask::init(JSContext* cx, const ReadOnlyCompileOptions& options)
+ {
+     if (!this->options.copy(cx, options))
+         return false;
+diff --git a/js/src/vm/HelperThreads.h b/js/src/vm/HelperThreads.h
+--- a/js/src/vm/HelperThreads.h
++++ b/js/src/vm/HelperThreads.h
+@@ -472,17 +472,17 @@ struct ParseTask
+ 
+     // Callback invoked off the main thread when the parse finishes.
+     JS::OffThreadCompileCallback callback;
+     void* callbackData;
+ 
+     // Holds the final script between the invocation of the callback and the
+     // point where FinishOffThreadScript is called, which will destroy the
+     // ParseTask.
+-    JSScript* script;
++    PersistentRootedScript script;
+ 
+     // Any errors or warnings produced during compilation. These are reported
+     // when finishing the script.
+     Vector<frontend::CompileError*> errors;
+     bool overRecursed;
+ 
+     ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal,
+               JSContext* initCx, const char16_t* chars, size_t length,
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
new file mode 100644
index 0000000000..406ce1bf2b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
@@ -0,0 +1,48 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4444e94a99cb
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1221385
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478429 -3600
+# Node ID 4444e94a99cb9b00c0351cc8bf5459739cc036a5
+# Parent  750e4cfc90f80df657e44c9c63b1865023d88682
+Bug 1221385 - Handle OOM during JitRuntime initialization a bit better. r=bhackett a=abillings
+
+diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
+--- a/js/src/jscompartment.cpp
++++ b/js/src/jscompartment.cpp
+@@ -138,28 +138,20 @@ JSRuntime::createJitRuntime(JSContext* c
+ 
+     // Protect jitRuntime_ from being observed (by InterruptRunningJitCode)
+     // while it is being initialized. Unfortunately, initialization depends on
+     // jitRuntime_ being non-null, so we can't just wait to assign jitRuntime_.
+     JitRuntime::AutoMutateBackedges amb(jrt);
+     jitRuntime_ = jrt;
+ 
+     if (!jitRuntime_->initialize(cx)) {
+-        js_ReportOutOfMemory(cx);
+-
+-        js_delete(jitRuntime_);
+-        jitRuntime_ = nullptr;
+-
+-        JSCompartment* comp = cx->runtime()->atomsCompartment();
+-        if (comp->jitCompartment_) {
+-            js_delete(comp->jitCompartment_);
+-            comp->jitCompartment_ = nullptr;
+-        }
+-
+-        return nullptr;
++        // Handling OOM here is complicated: if we delete jitRuntime_ now, we
++        // will destroy the ExecutableAllocator, even though there may still be
++        // JitCode instances holding references to ExecutablePools.
++        CrashAtUnhandlableOOM("OOM in createJitRuntime");
+     }
+ 
+     return jitRuntime_;
+ }
+ 
+ bool
+ JSCompartment::ensureJitCompartmentExists(JSContext* cx)
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
new file mode 100644
index 0000000000..e87b95f729
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
@@ -0,0 +1,189 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1452110721 -3600
+# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e
+# Parent  4444e94a99cb9b00c0351cc8bf5459739cc036a5
+Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu
+
+diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
+--- a/js/src/jit/BacktrackingAllocator.cpp
++++ b/js/src/jit/BacktrackingAllocator.cpp
+@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters
+     // constructor calling convention.
+     if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) {
+         if (*reg0->def()->output() != *reg1->def()->output())
+             return true;
+     }
+ 
+     // Registers which might spill to the frame's argument slots can only be
+     // grouped with other such registers if the frame might access those
+-    // arguments through a lazy arguments object.
++    // arguments through a lazy arguments object or rest parameter.
+     if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) {
+-        JSScript* script = graph.mir().entryBlock()->info().script();
+-        if (script && script->argumentsAliasesFormals()) {
++        if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) {
+             if (*reg0->def()->output() != *reg1->def()->output())
+                 return true;
+         }
+     }
+ 
+     VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group();
+ 
+     if (!group0 && group1)
+diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h
+--- a/js/src/jit/CompileInfo.h
++++ b/js/src/jit/CompileInfo.h
+@@ -194,16 +194,17 @@ enum AnalysisMode {
+ class CompileInfo
+ {
+   public:
+     CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing,
+                 AnalysisMode analysisMode, bool scriptNeedsArgsObj,
+                 InlineScriptTree* inlineScriptTree)
+       : script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing),
+         analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj),
++        mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()),
+         inlineScriptTree_(inlineScriptTree)
+     {
+         MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY);
+ 
+         // The function here can flow in from anywhere so look up the canonical
+         // function to ensure that we do not try to embed a nursery pointer in
+         // jit-code. Precisely because it can flow in from anywhere, it's not
+         // guaranteed to be non-lazy. Hence, don't access its script!
+@@ -222,17 +223,17 @@ class CompileInfo
+         fixedLexicalBegin_ = script->fixedLexicalBegin();
+         nstack_ = script->nslots() - script->nfixed();
+         nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_;
+     }
+ 
+     explicit CompileInfo(unsigned nlocals)
+       : script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr),
+         constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false),
+-        inlineScriptTree_(nullptr)
++        mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr)
+     {
+         nimplicit_ = 0;
+         nargs_ = 0;
+         nbodyfixed_ = 0;
+         nlocals_ = nlocals;
+         nstack_ = 1;  /* For FunctionCompiler::pushPhiInput/popPhiOutput */
+         nslots_ = nlocals_ + nstack_;
+         fixedLexicalBegin_ = nlocals;
+@@ -539,16 +540,20 @@ class CompileInfo
+             return false;
+ 
+         if (needsArgsObj() && isObservableArgumentSlot(slot))
+             return false;
+ 
+         return true;
+     }
+ 
++    bool mayReadFrameArgsDirectly() const {
++        return mayReadFrameArgsDirectly_;
++    }
++
+   private:
+     unsigned nimplicit_;
+     unsigned nargs_;
+     unsigned nbodyfixed_;
+     unsigned nlocals_;
+     unsigned nstack_;
+     unsigned nslots_;
+     unsigned fixedLexicalBegin_;
+@@ -559,15 +564,17 @@ class CompileInfo
+     bool constructing_;
+     AnalysisMode analysisMode_;
+ 
+     // Whether a script needs an arguments object is unstable over compilation
+     // since the arguments optimization could be marked as failed on the main
+     // thread, so cache a value here and use it throughout for consistency.
+     bool scriptNeedsArgsObj_;
+ 
++    bool mayReadFrameArgsDirectly_;
++
+     InlineScriptTree* inlineScriptTree_;
+ };
+ 
+ } // namespace jit
+ } // namespace js
+ 
+ #endif /* jit_CompileInfo_h */
+diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
+--- a/js/src/jit/JitFrames.cpp
++++ b/js/src/jit/JitFrames.cpp
+@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF
+     // formal arguments is taken care of by the frame's safepoint/snapshot,
+     // except when the script's lazy arguments object aliases those formals,
+     // in which case we mark them as well.
+ 
+     size_t nargs = layout->numActualArgs();
+     size_t nformals = 0;
+     if (CalleeTokenIsFunction(layout->calleeToken())) {
+         JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+-        nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs();
++        nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs();
+     }
+ 
+     Value* argv = layout->argv();
+ 
+     // Trace |this|.
+     gc::MarkValueRoot(trc, argv, "ion-thisv");
+ 
+     // Trace actual arguments beyond the formals. Note + 1 for thisv.
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -3894,16 +3894,22 @@ JSScript::hasLoops()
+     JSTryNote* tnlimit = tn + trynotes()->length;
+     for (; tn < tnlimit; tn++) {
+         if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP)
+             return true;
+     }
+     return false;
+ }
+ 
++bool
++JSScript::mayReadFrameArgsDirectly()
++{
++    return argumentsHasVarBinding() || (function_ && function_->hasRest());
++}
++
+ static inline void
+ LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end,
+                HashNumber hashes[3])
+ {
+     HashNumber hash = lineno;
+     hash = RotateLeft(hash, 4) ^ column;
+     hash = RotateLeft(hash, 4) ^ begin;
+     hash = RotateLeft(hash, 4) ^ end;
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC
+     }
+     inline void setFunction(JSFunction* fun);
+     /*
+      * De-lazifies the canonical function. Must be called before entering code
+      * that expects the function to be non-lazy.
+      */
+     inline void ensureNonLazyCanonicalFunction(JSContext* cx);
+ 
++    // Returns true if the script may read formal arguments on the stack
++    // directly, via lazy arguments or a rest parameter.
++    bool mayReadFrameArgsDirectly();
++
+     JSFlatString* sourceData(JSContext* cx);
+ 
+     static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked);
+ 
+     void setSourceObject(JSObject* object);
+     JSObject* sourceObject() const {
+         return sourceObject_;
+     }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
new file mode 100644
index 0000000000..b92bfa4f4e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/debff255c08e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234571
+
+# HG changeset patch
+# User Randell Jesup <rjesup@jesup.org>
+# Date 1451928471 18000
+# Node ID debff255c08e898be370e307e1e014f5601c20c6
+# Parent  f31d643afd4159b5422ae5aebcbbea0a088e018e
+Bug 1234571 - unregister encoded-frame callback when releasing codec databases. r=pkerr, a=al
+
+diff --git a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+--- a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
++++ b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+@@ -71,16 +71,17 @@ VCMGenericEncoder::VCMGenericEncoder(Vid
+ VCMGenericEncoder::~VCMGenericEncoder()
+ {
+ }
+ 
+ int32_t VCMGenericEncoder::Release()
+ {
+     _bitRate = 0;
+     _frameRate = 0;
++    _encoder.RegisterEncodeCompleteCallback(NULL);
+     _VCMencodedFrameCallback = NULL;
+     return _encoder.Release();
+ }
+ 
+ int32_t
+ VCMGenericEncoder::InitEncode(const VideoCodec* settings,
+                               int32_t numberOfCores,
+                               uint32_t maxPayloadSize)
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
new file mode 100644
index 0000000000..2e409d961c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
@@ -0,0 +1,183 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280
+
+# HG changeset patch
+# User Benjamin Bouvier <benj@benj.me>
+# Date 1450947090 -3600
+# Node ID 0f7224441f2089001f7934b46ac10cb72d267606
+# Parent  debff255c08e898be370e307e1e014f5601c20c6
+Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn
+ void
+ CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic)
+ {
+     LInstruction* lir = ool->lir();
+ 
+     if (ic->idempotent()) {
+         size_t numLocs;
+         CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
+-        size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
++        size_t locationBase;
++        if (!addCacheLocations(cacheLocs, &numLocs, &locationBase))
++            return;
+         ic->setLocationInfo(locationBase, numLocs);
+     }
+ 
+     saveLive(lir);
+ 
+     pushArg(ic->object());
+     pushArg(Imm32(ool->getCacheIndex()));
+     pushArg(ImmGCPtr(gen->info().script()));
+diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
+--- a/js/src/jit/shared/CodeGenerator-shared.cpp
++++ b/js/src/jit/shared/CodeGenerator-shared.cpp
+@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB
+ 
+         masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry)));
+     } else {
+         masm.j(cond, mir->lir()->label());
+     }
+ }
+ #endif
+ 
+-size_t
+-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs)
++MOZ_WARN_UNUSED_RESULT bool
++CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs,
++                                       size_t* curIndex)
+ {
+     size_t firstIndex = runtimeData_.length();
+     size_t numLocations = 0;
+     for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) {
+         // allocateData() ensures that sizeof(CacheLocation) is word-aligned.
+         // If this changes, we will need to pad to ensure alignment.
+-        size_t curIndex = allocateData(sizeof(CacheLocation));
+-        new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script);
++        if (!allocateData(sizeof(CacheLocation), curIndex))
++            return false;
++        new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script);
+         numLocations++;
+     }
+     MOZ_ASSERT(numLocations != 0);
+     *numLocs = numLocations;
+-    return firstIndex;
++    *curIndex = firstIndex;
++    return true;
+ }
+ 
+ ReciprocalMulConstants
+ CodeGeneratorShared::computeDivisionConstants(int d) {
+     // In what follows, d is positive and is not a power of 2.
+     MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0);
+ 
+     // Speeding up division by non power-of-2 constants is possible by
+diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
+--- a/js/src/jit/shared/CodeGenerator-shared.h
++++ b/js/src/jit/shared/CodeGenerator-shared.h
+@@ -3,16 +3,17 @@
+  * This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #ifndef jit_shared_CodeGenerator_shared_h
+ #define jit_shared_CodeGenerator_shared_h
+ 
+ #include "mozilla/Alignment.h"
++#include "mozilla/TypeTraits.h"
+ 
+ #include "jit/JitFrames.h"
+ #include "jit/LIR.h"
+ #include "jit/MacroAssembler.h"
+ #include "jit/MIRGenerator.h"
+ #include "jit/MIRGraph.h"
+ #include "jit/OptimizationTracking.h"
+ #include "jit/Safepoints.h"
+@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem
+         return SlotToStackOffset(a->toStackSlot()->slot());
+     }
+ 
+     uint32_t frameSize() const {
+         return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize();
+     }
+ 
+   protected:
+-    // Ensure the cache is an IonCache while expecting the size of the derived
+-    // class. We only need the cache list at GC time. Everyone else can just take
+-    // runtimeData offsets.
+-    size_t allocateCache(const IonCache&, size_t size) {
+-        size_t dataOffset = allocateData(size);
+-        masm.propagateOOM(cacheList_.append(dataOffset));
+-        return dataOffset;
+-    }
+ 
+ #ifdef CHECK_OSIPOINT_REGISTERS
+     void resetOsiPointRegs(LSafepoint* safepoint);
+     bool shouldVerifyOsiPointRegs(LSafepoint* safepoint);
+     void verifyOsiPointRegs(LSafepoint* safepoint);
+ #endif
+ 
+     bool addNativeToBytecodeEntry(const BytecodeSite* site);
+@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem
+             return lookup();
+         }
+         T * operator*() {
+             return lookup();
+         }
+     };
+ 
+   protected:
+-
+-    size_t allocateData(size_t size) {
++    MOZ_WARN_UNUSED_RESULT
++    bool allocateData(size_t size, size_t* offset) {
+         MOZ_ASSERT(size % sizeof(void*) == 0);
+-        size_t dataOffset = runtimeData_.length();
++        *offset = runtimeData_.length();
+         masm.propagateOOM(runtimeData_.appendN(0, size));
+-        return dataOffset;
++        return !masm.oom();
+     }
+ 
++    // Ensure the cache is an IonCache while expecting the size of the derived
++    // class. We only need the cache list at GC time. Everyone else can just take
++    // runtimeData offsets.
+     template <typename T>
+     inline size_t allocateCache(const T& cache) {
+-        size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>));
++        static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache");
++        size_t index;
++        masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index));
++        masm.propagateOOM(cacheList_.append(index));
+         if (masm.oom())
+             return SIZE_MAX;
+         // Use the copy constructor on the allocated space.
+         MOZ_ASSERT(index == cacheList_.back());
+         new (&runtimeData_[index]) T(cache);
+         return index;
+     }
+ 
+@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem
+ 
+     void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr);
+ 
+     template <class ArgSeq, class StoreOutputTo>
+     inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args,
+                                     const StoreOutputTo& out);
+ 
+     void addCache(LInstruction* lir, size_t cacheIndex);
+-    size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs);
++    bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset);
+     ReciprocalMulConstants computeDivisionConstants(int d);
+ 
+   protected:
+     void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir);
+     void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site);
+     bool hasOutOfLineCode() { return !outOfLineCode_.empty(); }
+     bool generateOutOfLineCode();
+ 
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
new file mode 100644
index 0000000000..7861e24c89
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
@@ -0,0 +1,91 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User L. David Baron <dbaron@dbaron.org>
+# Date 1452248144 -39600
+# Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+# Parent  0f7224441f2089001f7934b46ac10cb72d267606
+Bug 1230668 - Don't use frame when not in composed document.  r=heycam a=sylvestre
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl
+ {
+   MOZ_ASSERT(aElement, "NULL element");
+   // If the content has a pres shell, we must use it.  Otherwise we'd
+   // potentially mix rule trees by using the wrong pres shell's style
+   // set.  Using the pres shell from the content also means that any
+   // content that's actually *in* a document will get the style from the
+   // correct document.
+   nsIPresShell *presShell = GetPresShellForContent(aElement);
++  bool inDocWithShell = true;
+   if (!presShell) {
++    inDocWithShell = false;
+     presShell = aPresShell;
+     if (!presShell)
+       return nullptr;
+   }
+ 
+-  // XXX the !aElement->IsHTML(nsGkAtoms::area)

+-  // check is needed due to bug 135040 (to avoid using 

++  // XXX the !aElement->IsHTML(nsGkAtoms::area)
++  // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+-  if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) {
++  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++      !aElement->IsHTML(nsGkAtoms::area)) {
++  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++      !aElement->IsHTMLElement(nsGkAtoms::area)) {
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+     if (frame) {
+       nsStyleContext* result = frame->StyleContext();
+       // Don't use the style context if it was influenced by
+       // pseudo-elements, since then it's not the primary style
+       // for this element.
+       if (!result->HasPseudoElementData()) {
+         // this function returns an addrefed style context
+@@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl
+ 
+   nsRefPtr<nsStyleContext> sc;
+   if (aPseudo) {
+     nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo);
+     if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) {
+       return nullptr;
+     }
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+-    Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr;
++    Element* pseudoElement =
++      frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr;
+     sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext,
+                                              pseudoElement);
+   } else {
+     sc = styleSet->ResolveStyleFor(aElement, parentContext);
+   }
+ 
+   if (aStyleType == eDefaultOnly) {
+     // We really only want the user and UA rules.  Filter out the other ones.
+@@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo
+   mFlushedPendingReflows = aNeedsLayoutFlush;
+ #endif
+ 
+   mPresShell = document->GetShell();
+   if (!mPresShell || !mPresShell->GetPresContext()) {
+     return;
+   }
+ 
+-  // XXX the !mContent->IsHTML(nsGkAtoms::area)

+-  // check is needed due to bug 135040 (to avoid using 

++  // XXX the !mContent->IsHTML(nsGkAtoms::area)
++  // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+   if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) {
+     mOuterFrame = mContent->GetPrimaryFrame();
+     mInnerFrame = mOuterFrame;
+     if (mOuterFrame) {
+       nsIAtom* type = mOuterFrame->GetType();
+       if (type == nsGkAtoms::tableOuterFrame) {
+         // If the frame is an outer table frame then we should get the style
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
new file mode 100644
index 0000000000..0e5825becf
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fceff80a84a3
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User Wes Kocher <wkocher@mozilla.com>
+# Date 1452542163 28800
+# Node ID fceff80a84a32b68d02abc00486fe6c7b86d545b
+# Parent  8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+Fix up some rebase errors in bug 1230668 r=me a=bustage
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -434,18 +434,16 @@ nsComputedDOMStyle::GetStyleContextForEl
+       return nullptr;
+   }
+ 
+   // XXX the !aElement->IsHTML(nsGkAtoms::area)
+   // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+   if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+       !aElement->IsHTML(nsGkAtoms::area)) {
+-  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+-      !aElement->IsHTMLElement(nsGkAtoms::area)) {
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+     if (frame) {
+       nsStyleContext* result = frame->StyleContext();
+       // Don't use the style context if it was influenced by
+       // pseudo-elements, since then it's not the primary style
+       // for this element.
+       if (!result->HasPseudoElementData()) {
+         // this function returns an addrefed style context
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
new file mode 100644
index 0000000000..02c1af1775
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
@@ -0,0 +1,83 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/94a95291d095
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1224200
+
+# HG changeset patch
+# User Timothy Nikkel <tnikkel@gmail.com>
+# Date 1453303652 -3600
+# Node ID 94a95291d0958439dbed5b7dc99fae59e1318592
+# Parent  999c13acb40e1113306c65925a7d96688339d945
+Bug 1224200 - Allow downscaler to get (and ignore) new input lines after it has finished producing all output lines. r=seth, a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -145,43 +145,44 @@ GetFilterOffsetAndLength(UniquePtr<skia:
+                           aFilterLengthOut);
+ }
+ 
+ void
+ Downscaler::CommitRow()
+ {
+   MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+   MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+-  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+ 
+-  int32_t filterOffset = 0;
+-  int32_t filterLength = 0;
+-  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+-                           &filterOffset, &filterLength);
++  if (mCurrentOutLine < mTargetSize.height) {
++    int32_t filterOffset = 0;
++    int32_t filterLength = 0;
++    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                             &filterOffset, &filterLength);
+ 
+-  int32_t inLineToRead = filterOffset + mLinesInBuffer;
+-  MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+-  if (mCurrentInLine == inLineToRead) {
+-    skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+-                               mWindow[mLinesInBuffer++], mHasAlpha,
+-                               /* use_sse2 = */ true);
+-  }
+-
+-  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+-             "Writing past end of output");
+-
+-  while (mLinesInBuffer == filterLength) {
+-    DownscaleInputLine();
+-
+-    if (mCurrentOutLine == mTargetSize.height) {
+-      break;  // We're done.
++    int32_t inLineToRead = filterOffset + mLinesInBuffer;
++    MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
++    if (mCurrentInLine == inLineToRead) {
++      skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
++                                 mWindow[mLinesInBuffer++], mHasAlpha,
++                                 /* use_sse2 = */ true);
+     }
+ 
+-    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+-                             &filterOffset, &filterLength);
++    MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++               "Writing past end of output");
++
++    while (mLinesInBuffer == filterLength) {
++      DownscaleInputLine();
++
++      if (mCurrentOutLine == mTargetSize.height) {
++        break;  // We're done.
++      }
++
++      GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                               &filterOffset, &filterLength);
++    }
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+ Downscaler::HasInvalidation() const
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
new file mode 100644
index 0000000000..9ebf18a5d3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
@@ -0,0 +1,35 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/ee68c3dae5f6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230483
+
+# HG changeset patch
+# User JW Wang <jwwang@mozilla.com>
+# Date 1450698943 -28800
+# Node ID ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+# Parent  762d015e1854c28c213293ac1e9b2ab51cf201f9
+Bug 1230483 - Part 2 - LoadFromSourceChildren() should be queued at most once in an event cycle. r=roc, a=lizzard
+
+diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
+--- a/dom/html/HTMLMediaElement.cpp
++++ b/dom/html/HTMLMediaElement.cpp
+@@ -4033,16 +4033,19 @@ void HTMLMediaElement::NotifyAddedSource
+       mNetworkState == nsIDOMHTMLMediaElement::NETWORK_EMPTY)
+   {
+     QueueSelectResourceTask();
+   }
+ 
+   // A load was paused in the resource selection algorithm, waiting for
+   // a new source child to be added, resume the resource selection algorithm.
+   if (mLoadWaitStatus == WAITING_FOR_SOURCE) {
++    // Rest the flag so we don't queue multiple LoadFromSourceTask() when
++    // multiple <source> are attached in an event loop.
++    mLoadWaitStatus = NOT_WAITING;
+     QueueLoadFromSourceTask();
+   }
+ }
+ 
+ nsIContent* HTMLMediaElement::GetNextSource()
+ {
+   nsCOMPtr<nsIDOMNode> thisDomNode = do_QueryObject(this);
+ 
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1935.patch b/gnu/packages/patches/icecat-CVE-2016-1935.patch
new file mode 100644
index 0000000000..a6db4b9b6a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1935.patch
@@ -0,0 +1,77 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450
+
+# HG changeset patch
+# User Jeff Gilbert <jgilbert@mozilla.com>
+# Date 1452570660 28800
+# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
+# Parent  c47640f24251b48c0bba9d2f0f6ee059eca58362
+Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(size);
+     if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
+     }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target,
+                          const dom::Nullable<dom::ArrayBuffer>& maybeData,
+                          GLenum usage)
+@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
+                          GLenum usage)
+ {
+     if (IsContextLost())
+         return;
+@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
+                             const dom::Nullable<dom::ArrayBuffer>& maybeData)
+ {
+     if (IsContextLost())
+         return;
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt1.patch b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
new file mode 100644
index 0000000000..a41e638b2f
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
@@ -0,0 +1,141 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9d14787bd10e
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 9d14787bd10e6f3013263a2cae0bcc78bebde1db
+# Parent  aaf922ae679685acb5d2b8ffa5f0bf22f1e6987a
+Bug 1146335 (Part 1) - Add assertions and fix style issues in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -72,23 +72,25 @@ Downscaler::BeginFrame(const nsIntSize& 
+   mOutputBuffer = aOutputBuffer;
+   mHasAlpha = aHasAlpha;
+ 
+   ResetForNextProgressivePass();
+   ReleaseWindow();
+ 
+   auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3;
+ 
+-  skia::resize::ComputeFilters(resizeMethod, mOriginalSize.width,
+-                               mTargetSize.width, 0,
+-                               mTargetSize.width, mXFilter.get());
++  skia::resize::ComputeFilters(resizeMethod,
++                               mOriginalSize.width, mTargetSize.width,
++                               0, mTargetSize.width,
++                               mXFilter.get());
+ 
+-  skia::resize::ComputeFilters(resizeMethod, mOriginalSize.height,
+-                               mTargetSize.height, 0,
+-                               mTargetSize.height, mYFilter.get());
++  skia::resize::ComputeFilters(resizeMethod,
++                               mOriginalSize.height, mTargetSize.height,
++                               0, mTargetSize.height,
++                               mYFilter.get());
+ 
+   // Allocate the buffer, which contains scanlines of the original image.
+   size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
+   mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
+   if (MOZ_UNLIKELY(!mRowBuffer)) {
+     return NS_ERROR_OUT_OF_MEMORY;
+   }
+ 
+@@ -126,39 +128,54 @@ void
+ Downscaler::ResetForNextProgressivePass()
+ {
+   mPrevInvalidatedLine = 0;
+   mCurrentOutLine = 0;
+   mCurrentInLine = 0;
+   mLinesInBuffer = 0;
+ }
+ 
++static void
++GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter,
++                         int32_t aOutputImagePosition,
++                         int32_t* aFilterOffsetOut,
++                         int32_t* aFilterLengthOut)
++{
++  MOZ_ASSERT(aOutputImagePosition < aFilter->num_values());
++  aFilter->FilterForValue(aOutputImagePosition,
++                          aFilterOffsetOut,
++                          aFilterLengthOut);
++}
++
+ void
+ Downscaler::CommitRow()
+ {
+   MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+   MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+   MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+ 
+   int32_t filterOffset = 0;
+   int32_t filterLength = 0;
+-  mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                           &filterOffset, &filterLength);
+ 
+   int32_t inLineToRead = filterOffset + mLinesInBuffer;
+   MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+   if (mCurrentInLine == inLineToRead) {
+     skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+                                mWindow[mLinesInBuffer++], mHasAlpha,
+                                /* use_sse2 = */ true);
+   }
+ 
+   while (mLinesInBuffer == filterLength &&
+          mCurrentOutLine < mTargetSize.height) {
+     DownscaleInputLine();
+-    mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++
++    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                             &filterOffset, &filterLength);
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+ Downscaler::HasInvalidation() const
+ {
+@@ -184,16 +201,17 @@ Downscaler::DownscaleInputLine()
+ {
+   typedef skia::ConvolutionFilter1D::Fixed FilterValue;
+ 
+   MOZ_ASSERT(mOutputBuffer);
+   MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Writing past end of output");
+ 
+   int32_t filterOffset = 0;
+   int32_t filterLength = 0;
++  MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values());
+   auto filterValues =
+     mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+ 
+   uint8_t* outputLine =
+     &mOutputBuffer[mCurrentOutLine * mTargetSize.width * sizeof(uint32_t)];
+   skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues),
+                            filterLength, mWindow.get(), mXFilter->num_values(),
+                            outputLine, mHasAlpha, /* use_sse2 = */ true);
+@@ -202,17 +220,18 @@ Downscaler::DownscaleInputLine()
+ 
+   if (mCurrentOutLine == mTargetSize.height) {
+     // We're done.
+     return;
+   }
+ 
+   int32_t newFilterOffset = 0;
+   int32_t newFilterLength = 0;
+-  mYFilter->FilterForValue(mCurrentOutLine, &newFilterOffset, &newFilterLength);
++  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                           &newFilterOffset, &newFilterLength);
+ 
+   int diff = newFilterOffset - filterOffset;
+   MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?");
+ 
+   // Shift the buffer. We're just moving pointers here, so this is cheap.
+   mLinesInBuffer -= diff;
+   mLinesInBuffer = max(mLinesInBuffer, 0);
+   for (int32_t i = 0; i < mLinesInBuffer; ++i) {
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt2.patch b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
new file mode 100644
index 0000000000..240e0cfc66
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
@@ -0,0 +1,43 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8bfaa27698ca
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 8bfaa27698ca0720d5c9f3910ab7148b38db0625
+# Parent  9d14787bd10e6f3013263a2cae0bcc78bebde1db
+Bug 1146335 (Part 2) - Fix an off-by-one error in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -160,20 +160,26 @@ Downscaler::CommitRow()
+   int32_t inLineToRead = filterOffset + mLinesInBuffer;
+   MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+   if (mCurrentInLine == inLineToRead) {
+     skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+                                mWindow[mLinesInBuffer++], mHasAlpha,
+                                /* use_sse2 = */ true);
+   }
+ 
+-  while (mLinesInBuffer == filterLength &&
+-         mCurrentOutLine < mTargetSize.height) {
++  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++             "Writing past end of output");
++
++  while (mLinesInBuffer == filterLength) {
+     DownscaleInputLine();
+ 
++    if (mCurrentOutLine == mTargetSize.height) {
++      break;  // We're done.
++    }
++
+     GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+                              &filterOffset, &filterLength);
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+
diff --git a/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
new file mode 100644
index 0000000000..5a3a934dba
--- /dev/null
+++ b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
@@ -0,0 +1,73 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac
+
+# HG changeset patch
+# User Jeff Gilbert <jdashg@gmail.com>
+# Date 1453320785 28800
+# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5
+# Parent  ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+Limit max buffers size for ANGLE. r=jrmuizel a=lizzard
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+         return;
+ 
+     // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(size).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && size > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     WebGLBuffer* boundBuffer = bufferSlot.get();
+ 
+     if (!boundBuffer)
+         return ErrorInvalidOperation("bufferData: no buffer bound!");
+ 
+     UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1));
+     if (!zeroBuffer)
+         return ErrorOutOfMemory("bufferData: out of memory");
+@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target,
+     const dom::ArrayBuffer& data = maybeData.Value();
+     data.ComputeLengthAndData();
+ 
+     // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+     // is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+         return;
+ 
+     WebGLBuffer* boundBuffer = bufferSlot.get();
+ 
+     if (!boundBuffer)
+         return ErrorInvalidOperation("bufferData: no buffer bound!");
+ 
+@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     data.ComputeLengthAndData();
+ 
+     // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+     // is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     InvalidateBufferFetching();
+     MakeContextCurrent();
+ 
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+
diff --git a/gnu/packages/patches/libarchive-bsdtar-test.patch b/gnu/packages/patches/libarchive-bsdtar-test.patch
new file mode 100644
index 0000000000..6a533a9a07
--- /dev/null
+++ b/gnu/packages/patches/libarchive-bsdtar-test.patch
@@ -0,0 +1,74 @@
+commit b539b2e597b566fe3c4b49cb61c9eef83e5e052d
+Author: Pavel Raiskup <praiskup@redhat.com>
+Date:   Thu Jun 27 16:01:30 2013 +0200
+
+    Use ustar format in the test_option_b test
+    
+    .. because the ustar archive does not store SELinux context.  As the default
+    format for bsdtar is "restricted pax" (trying to store xattrs and other
+    things by default), the test failed on Fedora because our files have by
+    default SELinux context set.  This results in additional data in tested
+    archive ~> and the test failed because the archive was unexpectedly big:
+    
+     tar/test/test_option_b.c:41: File archive1.tar has size 3072, expected 2048
+    
+    Reviewed by Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
+
+diff --git a/tar/test/test_option_b.c b/tar/test/test_option_b.c
+index be2ae65..6fea474 100644
+--- a/tar/test/test_option_b.c
++++ b/tar/test/test_option_b.c
+@@ -25,8 +25,14 @@
+ #include "test.h"
+ __FBSDID("$FreeBSD$");
+ 
++#define USTAR_OPT " --format=ustar"
++
+ DEFINE_TEST(test_option_b)
+ {
++	char *testprog_ustar = malloc(strlen(testprog) + sizeof(USTAR_OPT) + 1);
++	strcpy(testprog_ustar, testprog);
++	strcat(testprog_ustar, USTAR_OPT);
++
+ 	assertMakeFile("file1", 0644, "file1");
+ 	if (systemf("cat file1 > test_cat.out 2> test_cat.err") != 0) {
+ 		skipping("Platform doesn't have cat");
+@@ -36,7 +42,7 @@ DEFINE_TEST(test_option_b)
+ 	/*
+ 	 * Bsdtar does not pad if the output is going directly to a disk file.
+ 	 */
+-	assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog));
++	assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog_ustar));
+ 	failure("bsdtar does not pad archives written directly to regular files");
+ 	assertFileSize("archive1.tar", 2048);
+ 	assertEmptyFile("test1.out");
+@@ -46,24 +52,24 @@ DEFINE_TEST(test_option_b)
+ 	 * Bsdtar does pad to the block size if the output is going to a socket.
+ 	 */
+ 	/* Default is -b 20 */
+-	assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog));
++	assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog_ustar));
+ 	failure("bsdtar does pad archives written to pipes");
+ 	assertFileSize("archive2.tar", 10240);
+ 	assertEmptyFile("test2.err");
+ 
+-	assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog));
++	assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog_ustar));
+ 	assertFileSize("archive3.tar", 10240);
+ 	assertEmptyFile("test3.err");
+ 
+-	assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog));
++	assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog_ustar));
+ 	assertFileSize("archive4.tar", 5120);
+ 	assertEmptyFile("test4.err");
+ 
+-	assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog));
++	assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog_ustar));
+ 	assertFileSize("archive5.tar", 2048);
+ 	assertEmptyFile("test5.err");
+ 
+-	assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog));
++	assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog_ustar));
+ 	assertFileSize("archive6.tar", 4194304);
+ 	assertEmptyFile("test6.err");
+ 
diff --git a/gnu/packages/patches/librsvg-tests.patch b/gnu/packages/patches/librsvg-tests.patch
deleted file mode 100644
index dc5b94e185..0000000000
--- a/gnu/packages/patches/librsvg-tests.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From e06fc71a57156123e4e50a39957100a651ab632b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= <iyzsong@gmail.com>
-Date: Sat, 17 Oct 2015 10:20:33 +0800
-Subject: [PATCH] tests/styles: Don't duplicate test names.
-
----
- tests/styles.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/styles.c b/tests/styles.c
-index d09b1f2..a938835 100644
---- a/tests/styles.c
-+++ b/tests/styles.c
-@@ -97,8 +97,8 @@ static const FixtureData fixtures[] =
-     {"/styles/selectors/2 or more selectors (stroke)", "592207", "styles/bug592207.svg", "#target", "stroke", .expected.color = 0xff0000ff},
-     {"/styles/svg-element-style", "615701", "styles/svg-class.svg", "#svg", "fill", .expected.color = 0xff0000ff},
-     {"/styles/presentation attribute in svg element", "620693", "styles/bug620693.svg", "#svg", "stroke", .expected.color = 0xffff0000},
--    {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */},
--    {"/styles/!important", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}},
-+    {"/styles/!important/1", "379629", "styles/bug379629.svg", "#base_shadow", "stroke", .expected.color = 0xffffc0cb /* pink */},
-+    {"/styles/!important/2", "379629", "styles/bug379629.svg", "#base_shadow", "stroke-width", .expected.length = {POINTS_LENGTH(5.), 'i'}},
-     {"/styles/!important/class", "614606", "styles/bug614606.svg", "#path6306", "fill", .expected.color = 0xffff0000 /* red */ },
-     {"/styles/!important/element", "614606", "styles/bug614606.svg", "#path6308", "fill", .expected.color = 0xff000000},
-     {"/styles/!important/#id prior than class", NULL, "styles/important.svg", "#red", "fill", .expected.color = 0xffff0000 },
--- 
-2.5.0
-
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
new file mode 100644
index 0000000000..811516dbe9
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
@@ -0,0 +1,107 @@
+2015-12-26  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+	interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+	for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+	TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+	CVE-2015-8683 reported by zzf of Alibaba.
+
+diff -u -r1.93 -r1.94
+--- libtiff/libtiff/tif_getimage.c	22 Nov 2015 15:31:03 -0000	1.93
++++ libtiff/libtiff/tif_getimage.c	26 Dec 2015 17:32:03 -0000	1.94
+@@ -182,20 +182,22 @@
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
+-			if( td->td_samplesperpixel != 3 )
++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d",
+-                        "Samples/pixel", td->td_samplesperpixel);
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
+                 return 0;
+             }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
+             {
+                 sprintf(emsg,
+-                        "Sorry, can not handle image with %s=%d and %s=%d",
++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
+                         "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels,
+                         "Bits/sample", td->td_bitspersample);
+                 return 0;
+             }
+@@ -255,6 +257,9 @@
+ 	int colorchannels;
+ 	uint16 *red_orig, *green_orig, *blue_orig;
+ 	int n_color;
++	
++	if( !TIFFRGBAImageOK(tif, emsg) )
++		return 0;
+ 
+ 	/* Initialize to normal values */
+ 	img->row_offset = 0;
+@@ -2509,29 +2514,33 @@
+ 		case PHOTOMETRIC_RGB:
+ 			switch (img->bitspersample) {
+ 				case 8:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >= 4)
+ 						img->put.contig = putRGBAAcontig8bittile;
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >= 4)
+ 					{
+ 						if (BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig8bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >= 3 )
+ 						img->put.contig = putRGBcontig8bittile;
+ 					break;
+ 				case 16:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBAAcontig16bittile;
+ 					}
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img) &&
+ 						    BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig16bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >=3 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBcontig16bittile;
+@@ -2540,7 +2549,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_SEPARATED:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel >=4 && buildMap(img)) {
+ 				if (img->bitspersample == 8) {
+ 					if (!img->Map)
+ 						img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2636,7 +2645,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel == 3 && buildMap(img)) {
+ 				if (img->bitspersample == 8)
+ 					img->put.contig = initCIELabConversion(img);
+ 				break;
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
new file mode 100644
index 0000000000..3fea745056
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
@@ -0,0 +1,171 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+	functions in non debug builds by replacing assert()s by regular if
+	checks (bugzilla #2522).
+	Fix potential out-of-bound reads in case of short input data.
+
+diff -u -r1.40 -r1.41
+--- libtiff/libtiff/tif_luv.c	21 Jun 2015 01:09:09 -0000	1.40
++++ libtiff/libtiff/tif_luv.c	27 Dec 2015 16:25:11 -0000	1.41
+@@ -1,4 +1,4 @@
+-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
++/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1997 Greg Ward Larson
+@@ -202,7 +202,11 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ 		tp = (int16*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (int16*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 2*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
+-				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++				if( cc < 2 )
++					break;
++				rc = *bp++ + (2-128);
+ 				b = (int16)(*bp++ << shft);
+ 				cc -= 2;
+ 				while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (int16)*bp++ << shft;
+ 			}
++		}
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32 *)op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (uint32 *) sp->tbuf;
+ 	}
+ 	/* copy to array of uint32 */
+ 	bp = (unsigned char*) tif->tif_rawcp;
+ 	cc = tif->tif_rawcc;
+-	for (i = 0; i < npixels && cc > 0; i++) {
++	for (i = 0; i < npixels && cc >= 3; i++) {
+ 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ 		bp += 3;
+ 		cc -= 3;
+@@ -325,7 +336,11 @@
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		tp = (uint32*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 4*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
++				if( cc < 2 )
++					break;
+ 				rc = *bp++ + (2-128);
+ 				b = (uint32)*bp++ << shft;
+-				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++				cc -= 2;
+ 				while (rc-- && i < npixels)
+ 					tp[i++] |= b;
+ 			} else {			/* non-run */
+@@ -346,6 +363,7 @@
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (uint32)*bp++ << shft;
+ 			}
++		}
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -413,6 +431,7 @@
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogL16Encode";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -433,7 +452,11 @@
+ 		tp = (int16*) bp;
+ 	else {
+ 		tp = (int16*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */
+@@ -506,6 +529,7 @@
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogLuvEncode24";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	tmsize_t i;
+ 	tmsize_t npixels;
+@@ -521,7 +545,11 @@
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* write out encoded pixels */
+@@ -553,6 +581,7 @@
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++	static const char module[] = "LogLuvEncode32";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -574,7 +603,11 @@
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++			TIFFErrorExt(tif->tif_clientdata, module,
++						 "Translation buffer too short");
++			return (0);
++		}
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
new file mode 100644
index 0000000000..50657b667c
--- /dev/null
+++ b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
@@ -0,0 +1,49 @@
+2015-12-27  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+	triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+	(bugzilla #2508)
+
+diff -u -r1.16 -r1.18
+--- libtiff/libtiff/tif_next.c	29 Dec 2014 12:09:11 -0000	1.16
++++ libtiff/libtiff/tif_next.c	27 Dec 2015 17:14:52 -0000	1.18
+@@ -1,4 +1,4 @@
+-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
++/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
+ 
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -37,7 +37,7 @@
+ 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
+ 	case 1:	op[0] |= (v) << 4; break;	\
+ 	case 2:	op[0] |= (v) << 2; break;	\
+-	case 3:	*op++ |= (v);	   break;	\
++	case 3:	*op++ |= (v);	   op_offset++; break;	\
+ 	}					\
+ }
+ 
+@@ -103,6 +103,7 @@
+ 		}
+ 		default: {
+ 			uint32 npixels = 0, grey;
++			tmsize_t op_offset = 0;
+ 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
+@@ -122,10 +123,15 @@
+ 				 * bounds, potentially resulting in a security
+ 				 * issue.
+ 				 */
+-				while (n-- > 0 && npixels < imagewidth)
++				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= imagewidth)
+ 					break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++                        (long) tif->tif_row);
++                    return (0);
++                }
+ 				if (cc == 0)
+ 					goto bad;
+ 				n = *bp++, cc--;
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
new file mode 100644
index 0000000000..4c25d41740
--- /dev/null
+++ b/gnu/packages/patches/perl-CVE-2015-8607.patch
@@ -0,0 +1,68 @@
+From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: ensure File::Spec::canonpath() preserves taint
+
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+
+This issue was assigned CVE-2015-8607.
+
+Bug: https://rt.perl.org/Ticket/Display.html?id=126862
+Bug-Debian: https://bugs.debian.org/810719
+Origin: upstream
+Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
+---
+ dist/PathTools/Cwd.xs    |  1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
+index 9d4dcf0..3d018dc 100644
+--- a/dist/PathTools/Cwd.xs
++++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+     *o = 0;
+     SvPOK_on(retval);
+     SvCUR_set(retval, o - SvPVX(retval));
++    SvTAINT(retval);
+     return retval;
+ }
+ 
+diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
+index 309b3e5..48f8c5b 100644
+--- a/dist/PathTools/t/taint.t
++++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+     plan(
+         ${^TAINT}
+-        ? (tests => 17)
++        ? (tests => 21)
+         : (skip_all => "A perl without taint support")
+     );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+ 
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
++
++{
++    # [perl #126862] canonpath() loses taint
++    my $tainted = substr($ENV{PATH}, 0, 0);
++    # yes, getcwd()'s result should be tainted, and is tested above
++    # but be sure
++    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
++        "canonpath() keeps taint on non-empty string";
++    ok tainted(File::Spec->canonpath($tainted)),
++        "canonpath() keeps taint on empty string";
++
++    (Cwd::getcwd() =~ /^(.*)/);
++    my $untainted = $1;
++    ok !tainted($untainted), "make sure our untainted value is untainted";
++    ok !tainted(File::Spec->canonpath($untainted)),
++        "canonpath() doesn't add taint to untainted string";
++}
diff --git a/gnu/packages/patches/perl-deterministic-ordering.patch b/gnu/packages/patches/perl-deterministic-ordering.patch
new file mode 100644
index 0000000000..92e33ef135
--- /dev/null
+++ b/gnu/packages/patches/perl-deterministic-ordering.patch
@@ -0,0 +1,29 @@
+From <https://bugs.debian.org/801523>.
+
+From c01f602d1926b0671fd2c8d91f7e52c4e4c9fb24 Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Sun, 11 Oct 2015 19:27:56 +0300
+Subject: [PATCH] Sort the list of XS code files when generating RealPPPort.xs
+
+all_files_in_dir() uses readdir() ordering to make the list of
+input files. This can vary between build systems, breaking build
+reproducibility.
+---
+ cpan/Devel-PPPort/PPPort_xs.PL | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL
+index 5f18940..149f2fe 100644
+--- a/cpan/Devel-PPPort/PPPort_xs.PL
++++ b/cpan/Devel-PPPort/PPPort_xs.PL
+@@ -38,7 +38,7 @@ END
+ my $file;
+ my $sec;
+ 
+-for $file (all_files_in_dir('parts/inc')) {
++for $file (sort(all_files_in_dir('parts/inc'))) {
+   my $spec = parse_partspec($file);
+ 
+   my $msg = 0;
+-- 
+2.5.1
diff --git a/gnu/packages/patches/perl-module-pluggable-search.patch b/gnu/packages/patches/perl-module-pluggable-search.patch
index bb2a57f7e5..ec51abc35d 100644..100755
--- a/gnu/packages/patches/perl-module-pluggable-search.patch
+++ b/gnu/packages/patches/perl-module-pluggable-search.patch
@@ -1,19 +1,19 @@
-Fix core Perl module Module::Pluggable such that it can find plugins that live
-in symlinked directories.
+Fix Perl module Module::Pluggable such that it can find plugins that live in
+symlinked directories.
 
 Patch borrowed/adapted from Nixpkgs.
 
---- perl-5.16.1/cpan/Module-Pluggable/lib/Module/Pluggable/Object.pm	2015-04-08 23:28:48.120164135 -0500
-+++ perl-5.16.1/cpan/Module-Pluggable/lib/Module/Pluggable/Object.pm	2015-04-08 23:30:27.032166704 -0500
+--- Module-Pluggable-5.2/lib/Module/Pluggable/Object.pm   2015-04-08 23:28:48.120164135 -0500
++++ Module-Pluggable-5.2/lib/Module/Pluggable/Object.pm   2015-04-08 23:30:27.032166704 -0500
 @@ -164,7 +164,7 @@
          my $sp = catdir($dir, (split /::/, $searchpath));
- 
+
          # if it doesn't exist or it's not a dir then skip it
 -        next unless ( -e $sp && -d _ ); # Use the cached stat the second time
 +        next unless ( -e $sp );
- 
+
          my @files = $self->find_files($sp);
- 
+
 @@ -279,7 +279,7 @@
                               (my $path = $File::Find::name) =~ s#^\\./##;
                               push @files, $path;
@@ -22,4 +22,4 @@ Patch borrowed/adapted from Nixpkgs.
 +                      }, "$search_path/." );
      }
      #chdir $cwd;
-     return @files;
+     return @files;
\ No newline at end of file
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
new file mode 100644
index 0000000000..5d78e8f462
--- /dev/null
+++ b/gnu/packages/patches/perl-no-build-time.patch
@@ -0,0 +1,26 @@
+Do not record the configuration and build time so that builds can be
+reproduced bit-for-bit.
+
+--- perl-5.22.0/Configure	1970-01-01 01:00:00.000000000 +0100
++++ perl-5.22.0/Configure	2015-12-13 00:14:43.148165080 +0100
+@@ -3834,6 +3817,7 @@ esac
+ 
+ : who configured the system
+ cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
++cf_time='Thu Jan  1 00:00:01 UTC 1970'
+ case "$cf_by" in
+ "")
+ 	cf_by=`(logname) 2>/dev/null`
+
+--- perl-5.22.0/perl.c	2015-12-13 00:25:30.269156627 +0100
++++ perl-5.22.0/perl.c	2015-12-13 00:25:38.265218175 +0100
+@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
+     PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ 			      sizeof(non_bincompat_options) - 1, SVs_TEMP));
+ 
+-#ifdef __DATE__
++#if 0
+ #  ifdef __TIME__
+     PUSHs(Perl_newSVpvn_flags(aTHX_
+ 			      STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
+
diff --git a/gnu/packages/patches/perl-no-sys-dirs.patch b/gnu/packages/patches/perl-no-sys-dirs.patch
index 3aba4d7529..da91fef3b4 100644
--- a/gnu/packages/patches/perl-no-sys-dirs.patch
+++ b/gnu/packages/patches/perl-no-sys-dirs.patch
@@ -1,10 +1,10 @@
-Don't long for headers and libraries in "traditional" locations.
+Don't look for headers and libraries in "traditional" locations.
 
 Patch from Nixpkgs by Eelco Dolstra <eelco.dolstra@logicblox.com>.
 
-diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
---- perl-5.14.2-orig/Configure	2011-09-26 11:44:34.000000000 +0200
-+++ perl-5.14.2/Configure	2012-01-20 17:05:23.089223129 +0100
+diff -ru -x '*~' -x '*.rej' perl-5.20.0-orig/Configure perl-5.20.0/Configure
+--- perl-5.20.0-orig/Configure	2014-05-26 15:34:18.000000000 +0200
++++ perl-5.20.0/Configure	2014-06-25 10:43:35.368285986 +0200
 @@ -106,15 +106,7 @@
  fi
  
@@ -22,7 +22,7 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  
  for p in $paths
  do
-@@ -1311,8 +1303,7 @@
+@@ -1337,8 +1329,7 @@
  archname=''
  : Possible local include directories to search.
  : Set locincpth to "" in a hint file to defeat local include searches.
@@ -32,8 +32,8 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  :
  : no include file wanted by default
  inclwanted=''
-@@ -1328,17 +1319,12 @@
- archobjs=''
+@@ -1349,17 +1340,12 @@
+ 
  libnames=''
  : change the next line if compiling for Xenix/286 on Xenix/386
 -xlibpth='/usr/lib/386 /lib/386'
@@ -53,7 +53,7 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  
  : Private path used by Configure to find libraries.  Its value
  : is prepended to libpth. This variable takes care of special
-@@ -1371,8 +1357,6 @@
+@@ -1391,8 +1377,6 @@
  libswanted="$libswanted m crypt sec util c cposix posix ucb bsd BSD"
  : We probably want to search /usr/shlib before most other libraries.
  : This is only used by the lib/ExtUtils/MakeMaker.pm routine extliblist.
@@ -62,27 +62,27 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  : Do not use vfork unless overridden by a hint file.
  usevfork=false
  
-@@ -2380,7 +2364,6 @@
+@@ -2446,7 +2430,6 @@
  zip
  "
  pth=`echo $PATH | sed -e "s/$p_/ /g"`
--pth="$pth /lib /usr/lib"
+-pth="$pth $sysroot/lib $sysroot/usr/lib"
  for file in $loclist; do
  	eval xxx=\$$file
  	case "$xxx" in
-@@ -4785,7 +4768,7 @@
+@@ -4936,7 +4919,7 @@
  : Set private lib path
  case "$plibpth" in
  '') if ./mips; then
--		plibpth="$incpath/usr/lib /usr/local/lib /usr/ccs/lib"
-+		plibpth="$incpath/usr/lib"
- 	fi;;
+-	plibpth="$incpath/usr/lib $sysroot/usr/local/lib $sysroot/usr/ccs/lib"
++	plibpth="$incpath/usr/lib"
+     fi;;
  esac
  case "$libpth" in
-@@ -8390,13 +8373,8 @@
+@@ -8600,13 +8583,8 @@
  echo " "
  case "$sysman" in
- '') 
+ '')
 -	syspath='/usr/share/man/man1 /usr/man/man1'
 -	syspath="$syspath /usr/man/mann /usr/man/manl /usr/man/local/man1"
 -	syspath="$syspath /usr/man/u_man/man1"
@@ -95,7 +95,7 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  	;;
  esac
  if $test -d "$sysman"; then
-@@ -19721,9 +19699,10 @@
+@@ -19900,9 +19878,10 @@
  case "$full_ar" in
  '') full_ar=$ar ;;
  esac
@@ -107,10 +107,11 @@ diff -ru -x '*~' perl-5.14.2-orig/Configure perl-5.14.2/Configure
  
  : see what type gids are declared as in the kernel
  echo " "
-diff -ru -x '*~' perl-5.14.2-orig/ext/Errno/Errno_pm.PL perl-5.14.2/ext/Errno/Errno_pm.PL
---- perl-5.14.2-orig/ext/Errno/Errno_pm.PL	2011-09-26 11:44:34.000000000 +0200
-+++ perl-5.14.2/ext/Errno/Errno_pm.PL	2012-01-20 17:02:07.938138311 +0100
-@@ -137,11 +137,7 @@
+Only in perl-5.20.0/: Configure.orig
+diff -ru -x '*~' -x '*.rej' perl-5.20.0-orig/ext/Errno/Errno_pm.PL perl-5.20.0/ext/Errno/Errno_pm.PL
+--- perl-5.20.0-orig/ext/Errno/Errno_pm.PL	2014-05-26 15:34:20.000000000 +0200
++++ perl-5.20.0/ext/Errno/Errno_pm.PL	2014-06-25 10:31:24.317970047 +0200
+@@ -126,11 +126,7 @@
  	if ($dep =~ /(\S+errno\.h)/) {
  	     $file{$1} = 1;
  	}
@@ -120,13 +121,14 @@ diff -ru -x '*~' perl-5.14.2-orig/ext/Errno/Errno_pm.PL perl-5.14.2/ext/Errno/Er
 -	      # might be using, say, Intel's icc
 -	     ) {
 +    } elsif (0) {
+     # When cross-compiling we may store a path for gcc's "sysroot" option:
+     my $sysroot = $Config{sysroot} || '';
  	# Some Linuxes have weird errno.hs which generate
- 	# no #file or #line directives
- 	my $linux_errno_h = -e '/usr/include/errno.h' ?
-diff -ru -x '*~' perl-5.14.2-orig/hints/freebsd.sh perl-5.14.2/hints/freebsd.sh
---- perl-5.14.2-orig/hints/freebsd.sh	2011-09-19 15:18:22.000000000 +0200
-+++ perl-5.14.2/hints/freebsd.sh	2012-01-20 17:10:37.267924044 +0100
-@@ -118,21 +118,21 @@
+Only in perl-5.20.0/ext/Errno: Errno_pm.PL.orig
+diff -ru -x '*~' -x '*.rej' perl-5.20.0-orig/hints/freebsd.sh perl-5.20.0/hints/freebsd.sh
+--- perl-5.20.0-orig/hints/freebsd.sh	2014-01-31 22:55:51.000000000 +0100
++++ perl-5.20.0/hints/freebsd.sh	2014-06-25 10:25:53.263964680 +0200
+@@ -119,21 +119,21 @@
          objformat=`/usr/bin/objformat`
          if [ x$objformat = xaout ]; then
              if [ -e /usr/lib/aout ]; then
@@ -154,3 +156,99 @@ diff -ru -x '*~' perl-5.14.2-orig/hints/freebsd.sh perl-5.14.2/hints/freebsd.sh
         ldflags="-Wl,-E "
          lddlflags="-shared "
          cccdlflags='-DPIC -fPIC'
+diff -ru -x '*~' -x '*.rej' perl-5.20.0-orig/hints/linux.sh perl-5.20.0/hints/linux.sh
+--- perl-5.20.0-orig/hints/linux.sh	2014-05-26 15:34:20.000000000 +0200
++++ perl-5.20.0/hints/linux.sh	2014-06-25 10:33:47.354883843 +0200
+@@ -150,25 +150,6 @@
+     ;;
+ esac
+ 
+-# Ubuntu 11.04 (and later, presumably) doesn't keep most libraries
+-# (such as -lm) in /lib or /usr/lib.  So we have to ask gcc to tell us
+-# where to look.  We don't want gcc's own libraries, however, so we
+-# filter those out.
+-# This could be conditional on Unbuntu, but other distributions may
+-# follow suit, and this scheme seems to work even on rather old gcc's.
+-# This unconditionally uses gcc because even if the user is using another
+-# compiler, we still need to find the math library and friends, and I don't
+-# know how other compilers will cope with that situation.
+-# Morever, if the user has their own gcc earlier in $PATH than the system gcc,
+-# we don't want its libraries. So we try to prefer the system gcc
+-# Still, as an escape hatch, allow Configure command line overrides to
+-# plibpth to bypass this check.
+-if [ -x /usr/bin/gcc ] ; then
+-    gcc=/usr/bin/gcc
+-else
+-    gcc=gcc
+-fi
+-
+ case "$plibpth" in
+ '') plibpth=`LANG=C LC_ALL=C $gcc $ccflags $ldflags -print-search-dirs | grep libraries |
+ 	cut -f2- -d= | tr ':' $trnl | grep -v 'gcc' | sed -e 's:/$::'`
+@@ -178,32 +159,6 @@
+     ;;
+ esac
+ 
+-case "$libc" in
+-'')
+-# If you have glibc, then report the version for ./myconfig bug reporting.
+-# (Configure doesn't need to know the specific version since it just uses
+-# gcc to load the library for all tests.)
+-# We don't use __GLIBC__ and  __GLIBC_MINOR__ because they
+-# are insufficiently precise to distinguish things like
+-# libc-2.0.6 and libc-2.0.7.
+-    for p in $plibpth
+-    do
+-        for trylib in libc.so.6 libc.so
+-        do
+-            if $test -e $p/$trylib; then
+-                libc=`ls -l $p/$trylib | awk '{print $NF}'`
+-                if $test "X$libc" != X; then
+-                    break
+-                fi
+-            fi
+-        done
+-        if $test "X$libc" != X; then
+-            break
+-        fi
+-    done
+-    ;;
+-esac
+-
+ # Are we using ELF?  Thanks to Kenneth Albanowski <kjahds@kjahds.com>
+ # for this test.
+ cat >try.c <<'EOM'
+@@ -367,33 +322,6 @@
+ 	;;
+ esac
+ 
+-# SuSE8.2 has /usr/lib/libndbm* which are ld scripts rather than
+-# true libraries. The scripts cause binding against static
+-# version of -lgdbm which is a bad idea. So if we have 'nm'
+-# make sure it can read the file
+-# NI-S 2003/08/07
+-case "$nm" in
+-    '') ;;
+-    *)
+-    for p in $plibpth
+-    do
+-        if $test -r $p/libndbm.so; then
+-            if $nm $p/libndbm.so >/dev/null 2>&1 ; then
+-                echo 'Your shared -lndbm seems to be a real library.'
+-                _libndbm_real=1
+-                break
+-            fi
+-        fi
+-    done
+-    if $test "X$_libndbm_real" = X; then
+-        echo 'Your shared -lndbm is not a real library.'
+-        set `echo X "$libswanted "| sed -e 's/ ndbm / /'`
+-        shift
+-        libswanted="$*"
+-    fi
+-    ;;
+-esac
+-
+ # Linux on Synology.
+ if [ -f /etc/synoinfo.conf -a -d /usr/syno ]; then
+     # Tested on Synology DS213 and DS413
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
new file mode 100644
index 0000000000..37330c9537
--- /dev/null
+++ b/gnu/packages/patches/perl-source-date-epoch.patch
@@ -0,0 +1,19 @@
+Adapted from <https://bugs.debian.org/801621>.
+Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
+
+--- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:33:03.321787590 +0100
++++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:36:33.367361338 +0100
+@@ -884,7 +884,12 @@ sub devise_date {
+     my ($self) = @_;
+     my $input = $self->source_filename;
+     my $time;
+-    if ($input) {
++
++    if (defined($ENV{SOURCE_DATE_EPOCH}) &&
++        $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++        $time = $ENV{SOURCE_DATE_EPOCH};
++    }
++    elsif ($input) {
+         $time = (stat $input)[9] || time;
+     } else {
+         $time = time;
diff --git a/gnu/packages/patches/procps-make-3.82.patch b/gnu/packages/patches/procps-make-3.82.patch
deleted file mode 100644
index 7bf53e2ccc..0000000000
--- a/gnu/packages/patches/procps-make-3.82.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Fix compilation with GNU Make 3.82 (patch from Nixpkgs).
-
-diff --git a/Makefile b/Makefile
-index 09fb3ed..59eba16 100644
---- a/Makefile
-+++ b/Makefile
-@@ -174,7 +174,7 @@ INSTALL := $(BINFILES) $(MANFILES)
- # want this rule first, use := on ALL, and ALL not filled in yet
- all: do_all
- 
---include */module.mk
-+-include proc/module.mk ps/module.mk
- 
- do_all:    $(ALL)
diff --git a/gnu/packages/patches/python-2.7-search-paths.patch b/gnu/packages/patches/python-2.7-search-paths.patch
index 6e5339f3a6..ba7235df27 100644
--- a/gnu/packages/patches/python-2.7-search-paths.patch
+++ b/gnu/packages/patches/python-2.7-search-paths.patch
@@ -1,5 +1,5 @@
-Make sure the build system honors CPATH and LIBRARY_PATH when looking for
-headers and libraries.
+Make sure the build system honors C_INCLUDE_PATH and LIBRARY_PATH when
+looking for headers and libraries.
 
 --- Python-2.7.10/setup.py	2015-10-07 18:33:18.125153186 +0200
 +++ Python-2.7.10/setup.py	2015-10-07 18:33:47.497347552 +0200
@@ -9,7 +9,7 @@ headers and libraries.
  
 +        # Always honor these variables.
 +        lib_dirs += os.getenv('LIBRARY_PATH', '').split(os.pathsep)
-+        inc_dirs += os.getenv('CPATH', '').split(os.pathsep)
++        inc_dirs += os.getenv('C_INCLUDE_PATH', '').split(os.pathsep)
 +
          # OSF/1 and Unixware have some stuff in /usr/ccs/lib (like -ldb)
          if host_platform in ['osf1', 'unixware7', 'openunix8']:
diff --git a/gnu/packages/patches/python-3-search-paths.patch b/gnu/packages/patches/python-3-search-paths.patch
index 547feae1b9..7feddb8e30 100644
--- a/gnu/packages/patches/python-3-search-paths.patch
+++ b/gnu/packages/patches/python-3-search-paths.patch
@@ -1,5 +1,5 @@
-Make sure the build system honors CPATH and LIBRARY_PATH when looking for
-headers and libraries.
+Make sure the build system honors C_INCLUDE_PATH and LIBRARY_PATH when
+looking for headers and libraries.
 
 --- setup.py	2015-10-07 23:32:58.891329173 +0200
 +++ setup.py	2015-10-07 23:46:29.653349924 +0200
@@ -13,7 +13,7 @@ headers and libraries.
 -                ]
 -            inc_dirs = self.compiler.include_dirs + ['/usr/include']
 +            lib_dirs = os.getenv('LIBRARY_PATH', '').split(os.pathsep)
-+            inc_dirs = os.getenv('CPATH', '').split(os.pathsep)
++            inc_dirs = os.getenv('C_INCLUDE_PATH', '').split(os.pathsep)
          else:
              lib_dirs = self.compiler.library_dirs[:]
              inc_dirs = self.compiler.include_dirs[:]
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 5d6618a9ec..d2933bbe38 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -42,6 +42,8 @@
              (base32
               "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))))
    (build-system gnu-build-system)
+   (outputs '("out"
+              "doc"))                             ;1.8 MiB of HTML
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)
              ("zlib" ,zlib)))
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 6c0b4d2f6c..0e63aa943e 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -1,9 +1,10 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
+;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,18 +38,21 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.16.1")
+    (version "5.22.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://www.cpan.org/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "15qxzba3a50c9nik5ydgyfp62x7h9vxxn12yd1jgl93hb1wj96km"))
+               "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
              (patches (map search-patch
                            '("perl-no-sys-dirs.patch"
                              "perl-autosplit-default-time.patch"
-                             "perl-module-pluggable-search.patch")))))
+                             "perl-source-date-epoch.patch"
+                             "perl-deterministic-ordering.patch"
+                             "perl-no-build-time.patch"
+                             "perl-CVE-2015-8607.patch")))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -60,10 +64,16 @@
             (let ((out  (assoc-ref outputs "out"))
                   (libc (assoc-ref inputs "libc")))
               ;; Use the right path for `pwd'.
-              (substitute* "dist/Cwd/Cwd.pm"
+              (substitute* "dist/PathTools/Cwd.pm"
                 (("/bin/pwd")
                  (which "pwd")))
 
+              ;; Build in GNU89 mode to tolerate C++-style comment in libc's
+              ;; <bits/string3.h>.
+              (substitute* "cflags.SH"
+                (("-std=c89")
+                 "-std=gnu89"))
+
               (zero?
                (system* "./Configure"
                         (string-append "-Dprefix=" out)
@@ -158,6 +168,7 @@ differences.")
         (base32
          "1syyqzy462501kn5ma9gl6xbmcahqcn4qpafhsmpz0nd0x2m4l63"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/aliased")
     (synopsis "Use shorter versions of class names")
     (description "The alias module loads the class you specify and exports
@@ -493,6 +504,8 @@ your class.")
         (base32
          "1lilrjy1s0q5hyr0888kf0ifxjyl2iyk4vxil4jsv0sgh39lkgx5"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-class-accessor" ,perl-class-accessor)))
     (home-page "http://search.cpan.org/dist/Class-Accessor-Chained")
@@ -653,6 +666,7 @@ type for perl.")
         (base32
          "09ifd6v0c94vr20n9yr1dxgcp7hyscqq851szdip7y24bd26nlbc"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Class-Factory-Util")
     (synopsis "Utility methods for factory classes")
     (description "This module exports methods useful for factory classes.")
@@ -911,6 +925,8 @@ as defined by two typical specimens of Perl coders.")
         (base32
          "06n6jn3q3xhk57icwip0ihzqixxav6sgp6rrb35hahj1z748y3vi"))))
     (build-system perl-build-system)
+    (propagated-inputs
+     `(("perl-module-pluggable" ,perl-module-pluggable)))
     (home-page "http://search.cpan.org/dist/Config-Any")
     (synopsis "Load configuration from different file formats")
     (description "Config::Any provides a facility for Perl applications and
@@ -1168,7 +1184,8 @@ indentation and newlines plus sub deparsing.")
          "1hvi92c4h2angryc6pngw7gbm3ysc2jfmyxk2wh9ia4vdwpbs554"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-exception" ,perl-test-exception)))
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-exception" ,perl-test-exception)))
     (propagated-inputs
      `(("perl-class-accessor-chained" ,perl-class-accessor-chained)))
     (home-page "http://search.cpan.org/dist/Data-Page")
@@ -1346,6 +1363,7 @@ Date::Calc.")
         (base32
          "0zd0wbf91i49753rnf7m1lw197hdl5r97mxy0n43zdmcmhvkb3qq"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (arguments
      ;; Tests would require tzdata for timezone information, but tzdata is in
      ;; (gnu packages base) which would create a circular dependency.  TODO:
@@ -1372,7 +1390,8 @@ time from another, or parsing international times.")
          "0fli1ls298qa8nfki15myxqqqfpxvslxk4j5r3vjk577wfgjrnms"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-fatal" ,perl-test-fatal)
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-warnings" ,perl-test-warnings)))
     (propagated-inputs
      `(("perl-datetime-locale" ,perl-datetime-locale)
@@ -1399,6 +1418,8 @@ time before its creation (in 1582).")
         (base32
          "1b27699zkj68w5ll9chjhs52vmf39f9via6x5r5844as30qh9zxb"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-datetime" ,perl-datetime)
        ("perl-params-validate" ,perl-params-validate)
@@ -1501,6 +1522,7 @@ to do this without writing reams of structural code.")
        ("perl-datetime-format-builder" ,perl-datetime-format-builder)
        ("perl-datetime-timezone" ,perl-datetime-timezone)
        ("perl-list-moreutils" ,perl-list-moreutils)
+       ("perl-module-pluggable" ,perl-module-pluggable)
        ("perl-test-mocktime" ,perl-test-mocktime)))
     (home-page "http://search.cpan.org/dist/DateTime-Format-Flexible")
     (synopsis "Parse data/time strings")
@@ -1521,6 +1543,8 @@ give it and parse it into a DateTime object.")
         (base32
          "0cvwk7pigj7czsp81z35h7prxvylkrlk2l0kwvq0v72ykx9zc2cb"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-datetime" ,perl-datetime)
        ("perl-datetime-event-ical" ,perl-datetime-event-ical)
@@ -1548,7 +1572,8 @@ order to create the appropriate objects.")
          "1qq3adq1y08d0jlmwk9059s5d39hb26f3zjag099gjjyvs5c8yal"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-module-util" ,perl-module-util)
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-module-util" ,perl-module-util)
        ("perl-test-mocktime" ,perl-test-mocktime)))
     (propagated-inputs
      `(("perl-boolean" ,perl-boolean)
@@ -1605,6 +1630,8 @@ takes a string and a pattern and returns the `DateTime` object associated.")
         (base32
          "175grkrxiv012n6ch3z1sip4zprcili6m5zqi3njdk5c1gdvi8ca"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-list-moreutils" ,perl-list-moreutils)
        ("perl-params-validate" ,perl-params-validate)))
@@ -1707,6 +1734,7 @@ edges (mainly concerning timezone detection and selection).")
         (base32
          "0g71sma9jy0fjm619hcrcsb9spg2y03vjxx36y8k1xpa2553sr7m"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Devel-CheckBin")
     (synopsis "Check that a command is available")
     (description "Devel::CheckBin is a perl module that checks whether a
@@ -1941,6 +1969,7 @@ modules separately and deal with them after the module is done installing.")
                (base32
                 "0dsxic78mxy30qvbbdzfyp501hbkwhnbmafqfxipr0yqfy8f2j5g"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Error")
     (synopsis "OO-ish Error/Exception handling for Perl")
     (description "The Error package provides two interfaces.  Firstly Error
@@ -2120,10 +2149,12 @@ module building modules.")
          "090i265f73jlcl5rv250791vw32j9vvl4nd5abc7myg0klb8109w"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-exception" ,perl-test-exception)))
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-exception" ,perl-test-exception)))
     (propagated-inputs
      `(("perl-class-load" ,perl-class-load)
        ("perl-list-moreutils" ,perl-list-moreutils)
+       ("perl-module-pluggable" ,perl-module-pluggable)
        ("perl-moose" ,perl-moose)
        ("perl-moosex-params-validate" ,perl-moosex-params-validate)
        ("perl-moosex-semiaffordanceaccessor"
@@ -3064,6 +3095,26 @@ strictly correct manner with ExtUtils::MakeMaker, and will run on any Perl
 installation version 5.005 or newer.")
     (license (package-license perl))))
 
+(define-public perl-module-pluggable
+  (package
+    (name "perl-module-pluggable")
+    (version "5.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://cpan/authors/id/S/SI/SIMONW/"
+                           "Module-Pluggable-" version ".tar.gz"))
+       (sha256
+        (base32
+         "1px6qmszmfc69v36vd8d92av4nkrif6xf4nrj3xv647xwi2svwmk"))
+       (patches (list (search-patch "perl-module-pluggable-search.patch")))))
+    (build-system perl-build-system)
+    (home-page "http://search.cpan.org/dist/Module-Pluggable")
+    (synopsis "Give your Perl module the ability to have plugins")
+    (description "This module provides a simple but extensible way of having
+'plugins' for your Perl module.")
+    (license (package-license perl))))
+
 (define-public perl-module-runtime
   (package
     (name "perl-module-runtime")
@@ -3077,6 +3128,7 @@ installation version 5.005 or newer.")
         (base32
          "19326f094jmjs6mgpwkyisid54k67w34br8yfh0gvaaml87gwi2c"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Module-Runtime")
     (synopsis "Perl runtime module handling")
     (description "The functions exported by this module deal with runtime
@@ -3096,6 +3148,8 @@ handling of Perl modules, which are normally handled at compile time.")
         (base32
          "0pz23ch78lbpn4kdbm04icgsmbr7jvmxwq1p5m4x2pap8qwd0wqg"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-module-runtime" ,perl-module-runtime)
        ("perl-dist-checkconflicts" ,perl-dist-checkconflicts)))
@@ -3302,7 +3356,8 @@ private methods are not.")
          "1nkzvbsiwldmpn6207ns7rinh860djnw098h6cnvywf429rjnz60"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-deep" ,perl-test-deep)
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-deep" ,perl-test-deep)
        ("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-requires" ,perl-test-requires)
        ("perl-test-trap" ,perl-test-trap)
@@ -3465,6 +3520,7 @@ manually setting up a subclass.")
     (build-system perl-build-system)
     (native-inputs
      `(("perl-cpan-meta-check" ,perl-cpan-meta-check)
+       ("perl-module-build" ,perl-module-build)
        ("perl-moosex-role-withoverloading" ,perl-moosex-role-withoverloading)
        ("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-requires" ,perl-test-requires)))
@@ -3597,7 +3653,8 @@ search for traits and some extra attributes.")
          "1iq90s1f0xbmr194q0mhnp9wxqxwwilkbdml040ibqbqvfiz87yh"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-fatal" ,perl-test-fatal)
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-requires" ,perl-test-requires)))
     (propagated-inputs
      `(("perl-carp-clan" ,perl-carp-clan)
@@ -3765,7 +3822,8 @@ Perl (back to 5.6.0).")
          "0msggbg2zbixxjq1fda19h0yygavxndfzc4j4pq11nfghmawjsb0"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-requires" ,perl-test-requires)))
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-requires" ,perl-test-requires)))
     (propagated-inputs
      `(("perl-b-hooks-endofscope" ,perl-b-hooks-endofscope)
        ("perl-namespace-clean" ,perl-namespace-clean)
@@ -4005,7 +4063,8 @@ checking parameters easier.")
          "1wh23i9kkma6493c0q1kvy6wmahd6spg6xm3xbp2ar1iy1xhks5l"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-fatal" ,perl-test-fatal)
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-requires" ,perl-test-requires)))
     (propagated-inputs
      `(("perl-module-implementation" ,perl-module-implementation)))
@@ -4066,6 +4125,7 @@ up inheritance from those modules at the same time.")
         (base32
          "1viaj8jyshcj135la0kgfgzalaw06xnbsg9h54jx09v1342v69lj"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Path-Class")
     (synopsis "Path specification manipulation")
     (description "Path::Class is a module for manipulation of file and
@@ -4125,6 +4185,7 @@ used for writing documentation for Perl and for Perl modules.")
         (base32
          "0f9p3hx0vqx8zg5v24pz0s4zc8ln100c7c91ks681wq02phqj2v7"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (arguments `(#:tests? #f))          ;TODO: Timezone test failures
     (home-page "http://search.cpan.org/dist/POSIX-strftime-Compiler")
     (synopsis "GNU C library compatible strftime for loggers and servers")
@@ -4168,6 +4229,7 @@ Module::Build project, but has been externalized here for general use.")
         (base32
          "165zcf9lpijdpkx82za0g9rx8ckjnhipmcivdkyzshl8jmp1bl4v"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Readonly")
     (synopsis "Create read-only scalars, arrays, hashes")
     (description "This module provides a facility for creating non-modifiable
@@ -4925,6 +4987,8 @@ structures without getting caught in an infinite loop.")
         (base32
          "0rhs4q6qn64ji06ns7lwl6iiiw3mggvd9xk9nkiqvx1jihbplrbw"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-text-diff" ,perl-text-diff)
        ("perl-capture-tiny" ,perl-capture-tiny)))
@@ -5096,6 +5160,7 @@ you test against long strings.")
        ("perl-test-warn" ,perl-test-warn)
        ("perl-universal-can" ,perl-universal-can)
        ("perl-universal-isa" ,perl-universal-isa)))
+    (arguments `(#:tests? #f))          ;TODO: tests require perl-cgi
     (home-page "http://search.cpan.org/dist/Test-MockObject")
     (synopsis "Emulate troublesome interfaces in Perl")
     (description "Test::MockObject allows you to create objects that conform
@@ -5213,6 +5278,7 @@ as flexible as possible to the tester.")
         (base32
          "1hmwwhabyng4jrnll926b4ab73r40w3pfchlrvs0yx6kh6kwwy14"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Test-Pod")
     (synopsis "Check for POD errors in files")
     (description "Check POD files for errors or warnings in a test file, using
@@ -5357,6 +5423,8 @@ a minimum of effort.")
         (base32
          "05b4zc4087imwphls4yksg4chzx9yavbri301gaxas9kv1yhx13w"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-test-tester" ,perl-test-tester)
        ("perl-data-dump" ,perl-data-dump)))
@@ -5471,7 +5539,8 @@ installed.")
        ("perl-test-directory" ,perl-test-directory)))
     (propagated-inputs
      `(("perl-data-tumbler" ,perl-data-tumbler)
-       ("perl-file-homedir" ,perl-file-homedir)))
+       ("perl-file-homedir" ,perl-file-homedir)
+       ("perl-module-pluggable" ,perl-module-pluggable)))
     (home-page "http://search.cpan.org/dist/Test-WriteVariants")
     (synopsis "Dynamic generation of tests")
     (description "The Test::WriteVariants module provides for the dynamic
@@ -5512,6 +5581,7 @@ support.")
         (base32
          "0a6zkchc0apvzkch6z18cx6h97xfiv50r7n4xhg90x8dvk75qzcs"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Text-Aligner")
     (synopsis "Align text")
     (description "Text::Aligner exports a single function, align(), which is
@@ -5594,6 +5664,7 @@ generally slower on larger files.")
         (base32
          "0lr76wrsj8wcxrq4wi8z1640w4dmdbkznp06q744rg3g0bd238d5"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/Text-Glob")
     (synopsis "Match globbing patterns against text")
     (description "Text::Glob implements glob(3) style matching that can be
@@ -5632,6 +5703,8 @@ you want to do full file globbing use the File::Glob module instead.")
         (base32
          "02c8v38k639r23dgxwgvsy4myjjzvgdb238kpiffsiz25ab3xp5j"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-text-aligner" ,perl-text-aligner)))
     (home-page "http://search.cpan.org/dist/Text-Table")
@@ -5700,6 +5773,7 @@ as exceptions to standard program flow.")
         (base32
           "0mmg9iyh42syal3z1p2pn9airq65yrkfs66cnqs9nz76jy60pfzs"))))
   (build-system perl-build-system)
+  (native-inputs `(("perl-module-build" ,perl-module-build)))
   (home-page "http://search.cpan.org/dist/Tie-IxHash")
   (synopsis "Ordered associative arrays for Perl")
   (description "This Perl module implements Perl hashes that preserve the
@@ -5829,6 +5903,8 @@ time values and formatting dates into ASCII strings.")
         (base32
          "0bwqyg8z98m8cjw1qcm4wg502n225k33j2fp8ywxkgfjdd1zgllv"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-timedate" ,perl-timedate))) ;For Date::Parse
     (home-page "http://search.cpan.org/dist/Time-Mock")
@@ -5875,7 +5951,8 @@ simple n-ary tree.")
          "1g27xl48q1vr7aikhxg4vvcsj1si8allxz59vmnks61wsw4by7vg"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-exception" ,perl-test-exception)))
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-exception" ,perl-test-exception)))
     (propagated-inputs
      `(("perl-tree-simple" ,perl-tree-simple)
        ("perl-base" ,perl-base)))
@@ -6149,12 +6226,13 @@ MYMETA.yml.")
      `(("perl-cpan-meta" ,perl-cpan-meta)))
     (home-page "http://search.cpan.org/dist/Module-Build")
     (synopsis "Build and install Perl modules")
-    (description "\"Module::Build\" is a system for building, testing, and
-installing Perl modules.  It is meant to be an alternative to
-\"ExtUtils::MakeMaker\".  Developers may alter the behavior of the module
+    (description "@code{Module::Build} is a system for building, testing, and
+installing Perl modules; it used to be part of Perl itself until version 5.22,
+which dropped it.  It is meant to be an alternative to
+@code{ExtUtils::MakeMaker}.  Developers may alter the behavior of the module
 through subclassing in a much more straightforward way than with
-\"MakeMaker\".  It also does not require a \"make\" on your system - most of
-the \"Module::Build\" code is pure-perl and written in a cross-platform way.")
+@code{MakeMaker}.  It also does not require a @command{make} on your
+system---most of the @code{Module::Build} code is pure-Perl.")
     (license (package-license perl))))
 
 (define-public perl-parse-cpan-meta
diff --git a/gnu/packages/pkg-config.scm b/gnu/packages/pkg-config.scm
index dd5120c474..5923395dec 100644
--- a/gnu/packages/pkg-config.scm
+++ b/gnu/packages/pkg-config.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,7 +30,7 @@
 (define-public %pkg-config
   (package
    (name "pkg-config")
-   (version "0.28")
+   (version "0.29")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -38,7 +38,7 @@
                   version ".tar.gz"))
             (sha256
              (base32
-              "0igqq5m204w71m11y0nipbdf5apx87hwfll6axs12hn4dqfb6vkb"))))
+              "0sq09a39wj4cxf8l2jvkq067g08ywfma4v6nhprnf351s82pfl68"))))
    (build-system gnu-build-system)
    (arguments `(#:configure-flags '("--with-internal-glib")))
    (native-search-paths
diff --git a/gnu/packages/plotutils.scm b/gnu/packages/plotutils.scm
index 09a2d4f91d..e9a247142d 100644
--- a/gnu/packages/plotutils.scm
+++ b/gnu/packages/plotutils.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -193,7 +193,7 @@ colors, styles, options and details.")
      `(("fftw" ,fftw)
        ("freeglut" ,freeglut)
        ("gsl" ,gsl)
-       ("libgc" ,libgc-for-c++)
+       ("libgc" ,libgc)
        ("python" ,python-2)
        ("readline" ,readline)
        ("zlib" ,zlib)))
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index d5e8aba272..fe976a92f4 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -58,8 +58,9 @@
     (inputs
      `(("libvorbis" ,libvorbis)
        ("libogg" ,libogg)
-       ("flac" ,flac)
-       ("pkg-config" ,pkg-config)))
+       ("flac" ,flac)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
     (home-page "http://www.mega-nerd.com/libsndfile/")
     (synopsis "Reading and writing files containing sampled sound")
     (description
@@ -87,7 +88,8 @@ for reading and writing new sound file formats.")
               (base32
                "01hw5xjbjavh412y63brcslj5hi9wdgkjd3h9csx5rnm8vglpdck"))))
     (build-system gnu-build-system)
-    (inputs `(("pkg-config" ,pkg-config)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("libsndfile" ,libsndfile)
        ("fftw" ,fftw)))
@@ -162,13 +164,14 @@ rates.")
        ("dbus" ,dbus)
        ("glib" ,glib)
        ("intltool" ,intltool)
-       ("pkg-config" ,pkg-config)
        ("m4" ,m4)
        ("libltdl" ,libltdl)
        ("fftwf" ,fftwf)
        ("avahi" ,avahi)
        ("eudev" ,eudev)           ;for the detection of hardware audio devices
        ("check" ,check)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
     (propagated-inputs
      ;; 'libpulse*.la' contain `-lgdbm' and `-lcap', so propagate them.
      `(("libcap" ,libcap)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 813711a9b6..82a9cfc75e 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -308,7 +308,9 @@ data types.")
     (inputs `(("openssl" ,openssl)
               ("zlib" ,zlib)))))
 
-(define* (wrap-python3 python #:optional (name "python-wrapper"))
+(define* (wrap-python3 python
+                       #:optional
+                       (name (string-append (package-name python) "-wrapper")))
   (package (inherit python)
     (name name)
     (source #f)
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 8f148c9e90..dccc9a2e48 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -182,7 +182,12 @@ X11 (yet).")
        ("ruby" ,ruby)
        ("which" ,(@ (gnu packages base) which))))
     (arguments
-     `(#:phases
+     `(;; FIXME: Disabling parallel building is a quick hack to avoid the
+       ;; failure described in
+       ;; https://lists.gnu.org/archive/html/guix-devel/2016-01/msg00837.html
+       ;; A more structural fix is needed.
+       #:parallel-build? #f
+       #:phases
          (alist-replace
           'configure
           (lambda* (#:key outputs #:allow-other-keys)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 97078741cb..fa7c2f7691 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Ben Woodcroft <donttrustben@gmail.com>
+;;; Copyright © 2015, 2016 Ben Woodcroft <donttrustben@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -46,7 +46,7 @@
 (define-public ruby
   (package
     (name "ruby")
-    (version "2.2.4")
+    (version "2.3.0")
     (source
      (origin
        (method url-fetch)
@@ -55,28 +55,33 @@
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0g3ps4q3iz7wj9m45n8xyxzw8nh29ljdqb87b0f6i0p3853gz2yj"))))
+         "15s0dsb5ynf3d2w5gzawnszq5594fqvapv2y7a0qw16przq5l4kh"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively
+                    (string-append "ext/fiddle/libffi-3.2.1"))
+                   #t))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
-       #:parallel-tests? #f
        #:phases
-       (alist-cons-before
-        'configure 'replace-bin-sh
-        (lambda _
-          (substitute* '("Makefile.in"
-                         "ext/pty/pty.c"
-                         "io.c"
-                         "lib/mkmf.rb"
-                         "process.c"
-                         "test/rubygems/test_gem_ext_configure_builder.rb"
-                         "test/rdoc/test_rdoc_parser.rb"
-                         "test/ruby/test_rubyoptions.rb"
-                         "test/ruby/test_process.rb"
-                         "test/ruby/test_system.rb"
-                         "tool/rbinstall.rb")
-            (("/bin/sh") (which "sh"))))
-        %standard-phases)))
+       (modify-phases %standard-phases
+         (add-before 'configure 'replace-bin-sh-and-remove-libffi
+           (lambda _
+             (substitute* '("Makefile.in"
+                            "ext/pty/pty.c"
+                            "io.c"
+                            "lib/mkmf.rb"
+                            "process.c"
+                            "test/rubygems/test_gem_ext_configure_builder.rb"
+                            "test/rdoc/test_rdoc_parser.rb"
+                            "test/ruby/test_rubyoptions.rb"
+                            "test/ruby/test_process.rb"
+                            "test/ruby/test_system.rb"
+                            "tool/rbinstall.rb")
+               (("/bin/sh") (which "sh")))
+             #t)))))
     (inputs
      `(("readline" ,readline)
        ("openssl" ,openssl)
@@ -95,6 +100,25 @@ a focus on simplicity and productivity.")
     (home-page "https://ruby-lang.org")
     (license license:ruby)))
 
+(define-public ruby-2.2
+  (package (inherit ruby)
+    (version "2.2.4")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
+                           (version-major+minor version)
+                           "/ruby-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0g3ps4q3iz7wj9m45n8xyxzw8nh29ljdqb87b0f6i0p3853gz2yj"))
+       (modules '((guix build utils)))
+       (snippet `(begin
+                   ;; Remove bundled libffi
+                   (delete-file-recursively
+                    (string-append "ext/fiddle/libffi-3.2.1"))
+                   #t))))))
+
 (define-public ruby-2.1
   (package (inherit ruby)
     (version "2.1.8")
@@ -1059,13 +1083,13 @@ using Net::HTTP, supporting reconnection and retry according to RFC 2616.")
 (define-public ruby-power-assert
   (package
     (name "ruby-power-assert")
-    (version "0.2.6")
+    (version "0.2.7")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "power_assert" version))
               (sha256
                (base32
-                "0gbj379jhnff8rbb6m3kzdm282szjz1a021xzxa38d1bnswj2jx3"))))
+                "0ka6w71lcan4wgf111xi3pcn9ma9lhakv31jg8w007nwzi0xfjbi"))))
     (build-system ruby-build-system)
     (native-inputs
      `(("bundler" ,bundler)))
@@ -1212,15 +1236,18 @@ It allows writing tests, checking results and automated testing in Ruby.")
      `(#:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'add-test-unit-to-search-path
-          (lambda* (#:key inputs #:allow-other-keys)
-            (substitute* "Rakefile"
-              (("t\\.libs << \"test\"" line)
-               (string-append line "; t.libs << \""
-                              (assoc-ref inputs "ruby-test-unit")
-                              "/lib/ruby/gems/2.2.0/gems/test-unit-"
-                              ,(package-version ruby-test-unit)
-                              "/lib\"")))
-            #t)))))
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let* ((test-unit (assoc-ref inputs "ruby-test-unit"))
+                    (test-unit-home (gem-home test-unit
+                                              ,(package-version ruby))))
+               (substitute* "Rakefile"
+                 (("t\\.libs << \"test\"" line)
+                  (string-append line "; t.libs << \""
+                                 test-unit-home
+                                 "/gems/test-unit-"
+                                 ,(package-version ruby-test-unit)
+                                 "/lib\""))))
+             #t)))))
     (native-inputs
      `(("bundler" ,bundler)
        ("ruby-test-unit" ,ruby-test-unit)))
@@ -1274,15 +1301,18 @@ as a base class when writing classes that depend upon
      `(#:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'add-test-unit-to-search-path
-          (lambda* (#:key inputs #:allow-other-keys)
-            (substitute* "Rakefile"
-              (("t\\.libs << \"test\"" line)
-               (string-append line "; t.libs << \""
-                              (assoc-ref inputs "ruby-test-unit")
-                              "/lib/ruby/gems/2.2.0/gems/test-unit-"
-                              ,(package-version ruby-test-unit)
-                              "/lib\"")))
-            #t)))))
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let* ((test-unit (assoc-ref inputs "ruby-test-unit"))
+                    (test-unit-home (gem-home test-unit ,(package-version
+                                                          ruby))))
+               (substitute* "Rakefile"
+                 (("t\\.libs << \"test\"" line)
+                  (string-append line "; t.libs << \""
+                                 test-unit-home
+                                 "/gems/test-unit-"
+                                 ,(package-version ruby-test-unit)
+                                 "/lib\""))))
+             #t)))))
     (propagated-inputs
      `(("ruby-blankslate" ,ruby-blankslate)))
     (native-inputs
@@ -1311,13 +1341,16 @@ knowing anything about the constructor.")
        (modify-phases %standard-phases
          (add-after 'unpack 'add-test-unit-to-search-path
           (lambda* (#:key inputs #:allow-other-keys)
-            (substitute* "Rakefile"
-              (("t\\.libs << \"test\"" line)
-               (string-append line "; t.libs << \""
-                              (assoc-ref inputs "ruby-test-unit")
-                              "/lib/ruby/gems/2.2.0/gems/test-unit-"
-                              ,(package-version ruby-test-unit)
-                              "/lib\"")))
+            (let* ((test-unit (assoc-ref inputs "ruby-test-unit"))
+                   (test-unit-home (gem-home test-unit ,(package-version
+                                                         ruby))))
+              (substitute* "Rakefile"
+                (("t\\.libs << \"test\"" line)
+                 (string-append line "; t.libs << \""
+                                test-unit-home
+                                "/gems/test-unit-"
+                                ,(package-version ruby-test-unit)
+                                "/lib\""))))
             #t)))))
     (propagated-inputs
      `(("ruby-instantiator" ,ruby-instantiator)
@@ -1381,13 +1414,16 @@ conversion to (X)HTML.")
        (modify-phases %standard-phases
          (add-after 'unpack 'add-test-unit-to-search-path
           (lambda* (#:key inputs #:allow-other-keys)
-            (substitute* "Rakefile"
-              (("t\\.libs << 'test'" line)
-               (string-append line "; t.libs << \""
-                              (assoc-ref inputs "ruby-test-unit")
-                              "/lib/ruby/gems/2.2.0/gems/test-unit-"
-                              ,(package-version ruby-test-unit)
-                              "/lib\"")))
+            (let* ((test-unit (assoc-ref inputs "ruby-test-unit"))
+                   (test-unit-home (gem-home test-unit
+                                             ,(package-version ruby))))
+              (substitute* "Rakefile"
+                (("t\\.libs << 'test'" line)
+                 (string-append line "; t.libs << \""
+                                test-unit-home
+                                "/gems/test-unit-"
+                                ,(package-version ruby-test-unit)
+                                "/lib\""))))
             #t))
          (add-before 'check 'use-latest-redcarpet
           (lambda _
@@ -2202,13 +2238,17 @@ development of Ruby gems.")
        (modify-phases %standard-phases
          (add-after 'unpack 'fix-test-include-path
           (lambda* (#:key inputs #:allow-other-keys)
-            (substitute* "Rakefile"
-              (("Hoe\\.add_include_dirs .*")
-               (string-append "Hoe.add_include_dirs \""
-                              (assoc-ref inputs "ruby-minitest-4")
-                              "/lib/ruby/gems/2.2.0/gems/minitest-"
-                              ,(package-version ruby-minitest-4)
-                              "/lib" "\"")))))
+             (let* ((minitest (assoc-ref inputs "ruby-minitest-4"))
+                    (minitest-home (gem-home minitest
+                                             ,(package-version ruby))))
+               (substitute* "Rakefile"
+                 (("Hoe\\.add_include_dirs .*")
+                  (string-append "Hoe.add_include_dirs \""
+                                 minitest-home
+                                 "/gems/minitest-"
+                                 ,(package-version ruby-minitest-4)
+                                 "/lib" "\""))))
+             #t))
          (add-before 'check 'fix-test-assumptions
           (lambda _
             ;; The test output includes the file name, so a couple of tests
@@ -2931,9 +2971,17 @@ features such as filtering and fine grained logging.")
      `(#:test-target "specs"
        #:phases
        (modify-phases %standard-phases
-         (add-before 'check 'set-HOME
-          ;; $HOME needs to be set to somewhere writeable for tests to run
-          (lambda _ (setenv "HOME" "/tmp") #t)))))
+         (add-before 'check 'set-HOME-and-disable-failing-test
+           (lambda _
+             ;; $HOME needs to be set to somewhere writeable for tests to run
+             (setenv "HOME" "/tmp")
+             ;; Disable tests which fails on Ruby 2.3.  See
+             ;; https://github.com/lsegal/yard/issues/927
+             (substitute* "spec/parser/ruby/ruby_parser_spec.rb"
+               (("comment.type.should == :comment") "")
+               (("comment.docstring_hash_flag.should be_true") "")
+               (("comment.docstring.strip.should == .*") ""))
+             #t)))))
     (native-inputs
      `(("ruby-rspec" ,ruby-rspec-2)
        ("ruby-rack" ,ruby-rack)))
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index aea8b54433..b438c3e90c 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -256,7 +256,8 @@ Scheme and C programs and between Scheme and Java programs.")
                                      "-ldopt -Wl,-rpath," out "/lib")))))
         %standard-phases)
        #:tests? #f))                                ; no test suite
-    (inputs `(("bigloo" ,bigloo)
+    (inputs `(("avahi" ,avahi)
+              ("bigloo" ,bigloo)
               ("which" ,which)))
     (home-page "http://hop.inria.fr/")
     (synopsis "Multi-tier programming language for the Web 2.0")
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 591fb1f298..bffff788fc 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -43,7 +43,6 @@
     (build-system gnu-build-system)
     (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
-              ("xz" ,xz)
               ("perl" ,perl)))
 
     (native-search-paths
@@ -112,6 +111,11 @@ is on expressing the content semantically, avoiding physical markup commands.")
                '(utime "texi2html.pl" 0 0 0 0))))
     (build-system gnu-build-system)
     (inputs `(("perl" ,perl)))
+    (arguments
+     ;; Tests fail because of warnings on stderr from Perl 5.22.  Adjusting
+     ;; texi2html.pl to avoid the warnings seems non-trivial, so we simply
+     ;; disable the tests.
+     '(#:tests? #f))
     (home-page "http://www.nongnu.org/texi2html/")
     (synopsis "Convert Texinfo to HTML")
     (description
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index f77a246912..a22991c906 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,7 +46,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.5")
+    (version "4.7")
     (source
      (origin
       (method url-fetch)
@@ -53,13 +54,9 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "1nhvnznhg2aqfrfjxc8v008hjlzkh5831jsfahqk89qrw7fbbcw9"))))
+        "1j8iixynchziw1y39lnibyl5h81m4p78w3i4f28q2vgwjgf801x4"))))
     (build-system gnu-build-system)
-    (native-inputs `(("perl" ,perl)
-
-                     ;; XXX: For some reason, libtasn1.info wants to be
-                     ;; rebuilt, so we must provide 'makeinfo'.
-                     ("texinfo" ,texinfo)))
+    (native-inputs `(("perl" ,perl)))
     (home-page "http://www.gnu.org/software/libtasn1/")
     (synopsis "ASN.1 library")
     (description
@@ -110,7 +107,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.4.5")
+    (version "3.4.7")
     (source (origin
              (method url-fetch)
              (uri
@@ -121,8 +118,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "1bks1zpmhmnkz2v32dd9b44pz6x0a5w4yi9zzwsd0a078vhbi25g"))
-             (patches (list (search-patch "gnutls-doc-fix.patch")))))
+               "0nifi3mr5jhz608pidkp8cjs4vwfj1m2qczsjrgpnp99615rxgn1"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -146,13 +142,6 @@ living in the same process.")
 
        #:phases (modify-phases %standard-phases
                   (add-after
-                   'unpack 'delete-prebuilt-unfixed-info-file
-                   (lambda _
-                     ;; XXX Delete the prebuilt info file, so that it will be
-                     ;; rebuilt with the fixes in gnutls-doc-fix.patch.
-                     (delete-file "doc/gnutls.info")
-                     #t))
-                  (add-after
                    'install 'move-doc
                    (lambda* (#:key outputs #:allow-other-keys)
                      ;; Copy the 4.1 MiB of section 3 man pages to "doc".
@@ -169,7 +158,6 @@ living in the same process.")
                "doc"))                            ;4.1 MiB of man pages
     (native-inputs
      `(("pkg-config" ,pkg-config)
-       ("texinfo" ,texinfo) ; XXX needed only to replace prebuilt, unfixed docs.
        ("which" ,which)))
     (inputs
      `(("guile" ,guile-2.0)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 7206bc5ef2..636f76584d 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1057,7 +1057,7 @@ for use with HTML5 video.")
           (lambda _
             ;; Copy-paste settings from the cmake build system.
             (setenv "CMAKE_LIBRARY_PATH" (getenv "LIBRARY_PATH"))
-            (setenv "CMAKE_INCLUDE_PATH" (getenv "CPATH")))
+            (setenv "CMAKE_INCLUDE_PATH" (getenv "C_INCLUDE_PATH")))
           (alist-replace 'build
             (lambda* (#:key inputs outputs #:allow-other-keys)
               (let*
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index cfee142585..a4f4c021e4 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -1,11 +1,11 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Aljosha Papsch <misc@rpapsch.de>
-;;; Copyright © 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -737,6 +737,7 @@ language known as SASS.")
     (build-system perl-build-system)
     (native-inputs
      `(("perl-http-message" ,perl-http-message)
+       ("perl-module-build" ,perl-module-build)
        ("perl-test-mocktime" ,perl-test-mocktime)
        ("perl-try-tiny" ,perl-try-tiny)
        ("perl-uri" ,perl-uri)))
@@ -1318,6 +1319,7 @@ MIME type directly to the browser, without being processed through Catalyst.")
        ("perl-io-stringy" ,perl-io-stringy)
        ("perl-json-maybexs" ,perl-json-maybexs)
        ("perl-libwww" ,perl-libwww)
+       ("perl-module-pluggable" ,perl-module-pluggable)
        ("perl-moose" ,perl-moose)
        ("perl-moosex-emulate-class-accessor-fast"
         ,perl-moosex-emulate-class-accessor-fast)
@@ -1544,6 +1546,34 @@ application classes.")
 development server with Starman.")
     (license (package-license perl))))
 
+(define-public perl-cgi
+  (package
+    (name "perl-cgi")
+    (version "4.25")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://cpan/authors/id/L/LE/LEEJO/"
+                           "CGI-" version ".tar.gz"))
+       (sha256
+        (base32
+         "06hk9zzvlix1yi95wlkb1ykdxgl6lscm7452gkwr2snsb8iybczg"))))
+    (build-system perl-build-system)
+    (native-inputs
+     `(("perl-test-deep" ,perl-test-deep)
+       ("perl-test-nowarnings" ,perl-test-nowarnings)
+       ("perl-test-warn" ,perl-test-warn)))
+    (propagated-inputs
+     `(("perl-html-parser" ,perl-html-parser)))
+    (home-page "http://search.cpan.org/dist/CGI")
+    (synopsis "Handle Common Gateway Interface requests and responses")
+    (description "CGI.pm is a stable, complete and mature solution for
+processing and preparing HTTP requests and responses.  Major features include
+processing form submissions, file uploads, reading and writing cookies, query
+string generation and manipulation, and processing and preparing HTTP
+headers.")
+    (license (package-license perl))))
+
 (define-public perl-cgi-simple
   (package
     (name "perl-cgi-simple")
@@ -1558,7 +1588,8 @@ development server with Starman.")
          "1nkyb1m1g5r47xykflf68dplanih5p15njv82frbgbsms34kp1sg"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-io-stringy" ,perl-io-stringy))) ;for IO::Scalar
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-io-stringy" ,perl-io-stringy))) ;for IO::Scalar
     (home-page "http://search.cpan.org/dist/CGI-Simple")
     (synopsis "CGI interface that is CGI.pm compliant")
     (description "CGI::Simple provides a relatively lightweight drop in
@@ -1600,6 +1631,8 @@ inputs, in a manner reminiscent of how PHP does.")
         (base32
          "0h6qqdg1yzqkdxp7hqlp0qa7d1y64nilgimxs79dys2ryjfpcknh"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-datetime" ,perl-datetime)
        ("perl-http-date" ,perl-http-date)))
@@ -1694,7 +1727,8 @@ which can be used to parse directory listings.")
                 (search-patch "perl-finance-quote-unuse-mozilla-ca.patch")))))
    (build-system perl-build-system)
    (propagated-inputs
-    `(("perl-datetime" ,perl-datetime)
+    `(("perl-cgi" ,perl-cgi)
+      ("perl-datetime" ,perl-datetime)
       ("perl-html-parser" ,perl-html-parser)
       ("perl-html-tableextract" ,perl-html-tableextract)
       ("perl-html-tree" ,perl-html-tree)
@@ -1841,7 +1875,8 @@ in tables within an HTML document, either as text or encoded element trees.")
          "13qlqbpixw470gnck0xgny8hyjj576m8y24bba2p9ai2lvy76vbx"))))
     (build-system perl-build-system)
     (native-inputs
-     `(("perl-test-fatal" ,perl-test-fatal)))
+     `(("perl-module-build" ,perl-module-build)
+       ("perl-test-fatal" ,perl-test-fatal)))
     (propagated-inputs
      `(("perl-html-parser" ,perl-html-parser)
        ("perl-html-tagset" ,perl-html-tagset)
@@ -1908,6 +1943,8 @@ kinds of HTML parsing operations.")
                (base32
                 "07ahpfgidxsw2yb7y8i7bbr8s64aq6qgq832h9jswmksxbd0l43q"))))
     (build-system perl-build-system)
+    (propagated-inputs
+     `(("perl-cgi" ,perl-cgi)))
     (home-page "http://search.cpan.org/dist/HTML-Template")
     (synopsis "HTML-like templates")
     (description
@@ -2166,6 +2203,8 @@ environment from an HTTP::Request.")
         (base32
          "05klpfkss2a6i5ihmvcm27fyar0f2v4ispg2f49agab3va1gix6g"))))
     (build-system perl-build-system)
+    (propagated-inputs
+     `(("perl-cgi" ,perl-cgi)))
     (arguments
      ;; See the discussion of a related tests issue at
      ;; https://lists.gnu.org/archive/html/guix-devel/2015-01/msg00346.html
@@ -2236,6 +2275,7 @@ algorithm specified in section 8.2.2.1 of the draft standard.")
         (base32
          "0ky20hmln6waipzqikizyw04vpszf70fgpshz7ib8zv8480ri456"))))
     (build-system perl-build-system)
+    (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "http://search.cpan.org/dist/IO-Socket-IP")
     (synopsis "Family-neutral IP socket supporting both IPv4 and IPv6")
     (description "This module provides a protocol-independent way to use IPv4
@@ -2560,6 +2600,8 @@ already set.")
         (base32
          "1hb8dx7i4vs74n0p737wrvpdnnw6argxrjpr6kj6432zabp8325z"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-plack" ,perl-plack)))
     (home-page "http://search.cpan.org/dist/Plack-Middleware-MethodOverride")
@@ -2784,6 +2826,8 @@ and updated by RFC 2732.")
         (base32
          "0czc4h182s7sx3k123m7qlg7yybnwxgh369hap3c3b6xgrglrhy0"))))
     (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
     (propagated-inputs
      `(("perl-uri" ,perl-uri)))
     (home-page "http://search.cpan.org/dist/URI-Find")
@@ -2851,6 +2895,8 @@ library.")
         (base32
          "1zrw8aadhwy48q51x2z2rqlkwf17bya4j4h3hy89mw783j96rmg9"))))
     (build-system perl-build-system)
+    (native-inputs                      ;only for tests
+     `(("perl-cgi" ,perl-cgi)))
     (propagated-inputs
      `(("perl-html-form" ,perl-html-form)
        ("perl-html-parser" ,perl-html-parser)
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 0706d92c36..f902433786 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -81,7 +81,7 @@
             ;; that it will be in the same directory as gstreamer's header
             ;; files.
             (setenv "CPATH"
-                    (string-append (getenv "CPATH")
+                    (string-append (getenv "C_INCLUDE_PATH")
                                    ":"
                                    (assoc-ref inputs "gst-plugins-base")
                                    "/include/gstreamer-1.0")))))))
@@ -149,6 +149,11 @@ HTML/CSS applications to full-fledged web browsers.")
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f ; no tests
+       ;; FIXME: Disabling parallel building is a quick hack to avoid the
+       ;; failure described in
+       ;; https://lists.gnu.org/archive/html/guix-devel/2016-01/msg00837.html
+       ;; A more structural fix is needed.
+       #:parallel-build? #f
        #:phases (modify-phases %standard-phases
                   (add-after
                    'unpack 'set-gcc
@@ -163,7 +168,12 @@ HTML/CSS applications to full-fledged web browsers.")
   (package (inherit webkitgtk-2.4)
     (name "webkitgtk-gtk2")
     (arguments
-     `(#:configure-flags
+     `(;; FIXME: Disabling parallel building is a quick hack to avoid the
+       ;; failure described in
+       ;; https://lists.gnu.org/archive/html/guix-devel/2016-01/msg00837.html
+       ;; A more structural fix is needed.
+       #:parallel-build? #f
+       #:configure-flags
        '("--enable-webkit2=no"
          "--with-gtk=2.0")
        ,@(package-arguments webkitgtk-2.4)))
diff --git a/guix/build-system/gnu.scm b/guix/build-system/gnu.scm
index 67ae46faed..afd57668e2 100644
--- a/guix/build-system/gnu.scm
+++ b/guix/build-system/gnu.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -284,7 +284,8 @@ standard packages used as implicit inputs of the GNU build system."
                     (parallel-tests? #t)
                     (patch-shebangs? #t)
                     (strip-binaries? #t)
-                    (strip-flags ''("--strip-debug"))
+                    (strip-flags ''("--strip-debug"
+                                    "--enable-deterministic-archives"))
                     (strip-directories ''("lib" "lib64" "libexec"
                                           "bin" "sbin"))
                     (validate-runpath? #t)
@@ -419,7 +420,8 @@ is one of `host' or `target'."
                           (parallel-build? #t) (parallel-tests? #t)
                           (patch-shebangs? #t)
                           (strip-binaries? #t)
-                          (strip-flags ''("--strip-debug"))
+                          (strip-flags ''("--strip-debug"
+                                          "--enable-deterministic-archives"))
                           (strip-directories ''("lib" "lib64" "libexec"
                                                 "bin" "sbin"))
                           (validate-runpath? #t)
diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
index ff7646b22c..2abaa6efdc 100644
--- a/guix/build/gnu-build-system.scm
+++ b/guix/build/gnu-build-system.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,6 +39,13 @@
 ;;
 ;; Code:
 
+(define* (set-SOURCE-DATE-EPOCH #:rest _)
+  "Set the 'SOURCE_DATE_EPOCH' environment variable.  This is used by tools
+that incorporate timestamps as a way to tell them to use a fixed timestamp.
+See https://reproducible-builds.org/specs/source-date-epoch/."
+  (setenv "SOURCE_DATE_EPOCH" "1")
+  #t)
+
 (define (first-subdirectory dir)
   "Return the path of the first sub-directory of DIR."
   (file-system-fold (lambda (path stat result)
@@ -329,7 +336,8 @@ makefiles."
                 (objcopy-command (if target
                                      (string-append target "-objcopy")
                                      "objcopy"))
-                (strip-flags '("--strip-debug"))
+                (strip-flags '("--strip-debug"
+                               "--enable-deterministic-archives"))
                 (strip-directories '("lib" "lib64" "libexec"
                                      "bin" "sbin"))
                 #:allow-other-keys)
@@ -367,7 +375,7 @@ makefiles."
     ;; `bfd_fill_in_gnu_debuglink_section' function.)  No reference to
     ;; DEBUG-OUTPUT is kept because bfd keeps only the basename of the debug
     ;; file.
-    (zero? (system* objcopy-command
+    (zero? (system* objcopy-command "--enable-deterministic-archives"
                     (string-append "--add-gnu-debuglink="
                                    (debug-file file))
                     file)))
@@ -548,7 +556,7 @@ DOCUMENTATION-COMPRESSOR-FLAGS."
   ;; Standard build phases, as a list of symbol/procedure pairs.
   (let-syntax ((phases (syntax-rules ()
                          ((_ p ...) `((p . ,p) ...)))))
-    (phases set-paths install-locale unpack
+    (phases set-SOURCE-DATE-EPOCH set-paths install-locale unpack
             patch-usr-bin-file
             patch-source-shebangs configure patch-generated-file-shebangs
             build check install
diff --git a/guix/build/haskell-build-system.scm b/guix/build/haskell-build-system.scm
index 4506e96af9..3afc37e16d 100644
--- a/guix/build/haskell-build-system.scm
+++ b/guix/build/haskell-build-system.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
+;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -25,6 +26,7 @@
   #:use-module (ice-9 rdelim)
   #:use-module (ice-9 regex)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 vlist)
   #:export (%standard-phases
             haskell-build))
 
@@ -78,6 +80,7 @@ and parameters ~s~%"
                        (((_ . dir) ...)
                         dir)
                        (_ '())))
+         (ghc-path (getenv "GHC_PACKAGE_PATH"))
          (params (append `(,(string-append "--prefix=" out))
                          `(,(string-append "--libdir=" (or lib out) "/lib"))
                          `(,(string-append "--bindir=" (or bin out) "/bin"))
@@ -97,6 +100,10 @@ and parameters ~s~%"
                              '("--enable-tests")
                              '())
                          configure-flags)))
+    ;; Cabal errors if GHC_PACKAGE_PATH is set during 'configure', so unset
+    ;; and restore it.
+    (unsetenv "GHC_PACKAGE_PATH")
+
     ;; For packages where the Cabal build-type is set to "Configure",
     ;; ./configure will be executed.  In these cases, the following
     ;; environment variable is needed to be able to find the shell executable.
@@ -105,7 +112,9 @@ and parameters ~s~%"
     ;; <https://www.haskell.org/cabal/users-guide/developing-packages.html>.
     (when (file-exists? "configure")
       (setenv "CONFIG_SHELL" "sh"))
-    (run-setuphs "configure" params)))
+    (run-setuphs "configure" params)
+
+    (setenv "GHC_PACKAGE_PATH" ghc-path)))
 
 (define* (build #:rest empty)
   "Build a given Haskell package."
@@ -143,6 +152,12 @@ first match and return the content of the group."
       (format #t
               "Compiler ~a not supported~%" name-version)))))
 
+;;; TODO: Move this to (guix build utils)?
+(define-syntax-rule (with-null-error-port exp)
+  "Evaluate EXP with the error port pointing to the bit bucket."
+  (with-error-to-port (%make-void-port "w")
+    (lambda () exp)))
+
 (define (make-ghc-package-database system inputs outputs)
   "Generate the GHC package database."
   (let* ((haskell  (assoc-ref inputs "haskell"))
@@ -150,44 +165,90 @@ first match and return the content of the group."
                        (((_ . dir) ...)
                         dir)
                        (_ '())))
-         (conf-dirs (search-path-as-list
-                     `(,(string-append "lib/"
-                                       (package-name-version haskell)
-                                       "/package.conf.d"))
-                     input-dirs))
+         ;; Silence 'find-files' (see 'evaluate-search-paths')
+         (conf-dirs (with-null-error-port
+                     (search-path-as-list
+                      `(,(string-append "lib/" (package-name-version haskell)))
+                      input-dirs #:pattern ".*\\.conf.d$")))
          (conf-files (append-map (cut find-files <> "\\.conf$") conf-dirs)))
     (mkdir-p %tmp-db-dir)
     (for-each (lambda (file)
-                (copy-file file
-                           (string-append %tmp-db-dir "/" (basename file))))
+                (let ((dest (string-append %tmp-db-dir "/" (basename file))))
+                  (unless (file-exists? dest)
+                    (copy-file file dest))))
               conf-files)
     (zero? (system* "ghc-pkg"
                     (string-append "--package-db=" %tmp-db-dir)
                     "recache"))))
 
 (define* (register #:key name system inputs outputs #:allow-other-keys)
-  "Generate the compiler registration file for a given Haskell package.  Don't
-generate the cache as it would clash in user profiles."
+  "Generate the compiler registration and binary package database files for a
+given Haskell package."
+
+  (define (conf-depends conf-file)
+    ;; Return a list of pkg-ids from the "depends" field in CONF-FILE
+    (let ((port (open-input-file conf-file))
+          (field-rx (make-regexp "^(.*):")))
+      (let loop ((collecting #f)
+                 (deps '()))
+        (let* ((line (read-line port))
+               (field (and=> (and (not (eof-object? line))
+                                  (regexp-exec field-rx line))
+                             (cut match:substring <> 1))))
+          (cond
+           ((and=> field (cut string=? <> "depends"))
+            ;; The first dependency is listed on the same line as "depends:",
+            ;; so drop those characters.  A line may list more than one .conf.
+            (let ((d (string-tokenize (string-drop line 8))))
+              (loop #t (append d deps))))
+           ((or (eof-object? line) (and collecting field))
+            (begin
+              (close-port port)
+              (reverse! deps)))
+           (collecting
+            (loop #t (append (string-tokenize line) deps)))
+           (else (loop #f deps)))))))
+
+  (define (install-transitive-deps conf-file src dest)
+    ;; Copy .conf files from SRC to DEST for dependencies in CONF-FILE, and
+    ;; their dependencies, etc.
+    (let loop ((seen vlist-null)
+               (lst (conf-depends conf-file)))
+      (match lst
+        (() #t)                         ;done
+        ((id . tail)
+         (if (not (vhash-assoc id seen))
+             (let ((dep-conf  (string-append src  "/" id ".conf"))
+                   (dep-conf* (string-append dest "/" id ".conf")))
+               (copy-file dep-conf dep-conf*) ;XXX: maybe symlink instead?
+               (loop (vhash-cons id #t seen)
+                     (append lst (conf-depends dep-conf))))
+             (loop seen tail))))))
+
   (let* ((out (assoc-ref outputs "out"))
          (haskell  (assoc-ref inputs "haskell"))
          (lib (string-append out "/lib"))
          (config-dir (string-append lib "/"
                                     (package-name-version haskell)
-                                    "/package.conf.d"))
+                                    "/" name ".conf.d"))
          (id-rx (make-regexp "^id: *(.*)$"))
          (config-file (string-append out "/" name ".conf"))
          (params
           (list (string-append "--gen-pkg-config=" config-file))))
     (run-setuphs "register" params)
     ;; The conf file is created only when there is a library to register.
-    (when (file-exists? config-file)
-      (mkdir-p config-dir)
-      (let ((config-file-name+id
-             (call-with-ascii-input-file config-file (cut grep id-rx <>))))
-        (rename-file config-file
-                     (string-append config-dir "/" config-file-name+id
-                                    ".conf"))))
-    #t))
+    (or (not (file-exists? config-file))
+        (begin
+          (mkdir-p config-dir)
+          (let* ((config-file-name+id
+                  (call-with-ascii-input-file config-file (cut grep id-rx <>))))
+            (install-transitive-deps config-file %tmp-db-dir config-dir)
+            (rename-file config-file
+                         (string-append config-dir "/"
+                                        config-file-name+id ".conf"))
+            (zero? (system* "ghc-pkg"
+                            (string-append "--package-db=" config-dir)
+                            "recache")))))))
 
 (define* (check #:key tests? test-target #:allow-other-keys)
   "Run the test suite of a given Haskell package."
diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-system.scm
index 8025b7fec6..9109fb4ac7 100644
--- a/guix/build/python-build-system.scm
+++ b/guix/build/python-build-system.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
@@ -136,18 +136,11 @@ installed with setuptools."
                #t))
     #t))
 
-(define* (set-SOURCE-DATE-EPOCH #:rest _)
-  "Set the 'SOURCE_DATE_EPOCH' environment variable."
-  ;; Use zero as the timestamp in .pyc files so that builds are deterministic.
-  ;; TODO: Remove it when this variable is set in GNU:%STANDARD-PHASES.
-  (setenv "SOURCE_DATE_EPOCH" "1"))
-
 (define %standard-phases
   ;; 'configure' and 'build' phases are not needed.  Everything is done during
   ;; 'install'.
   (modify-phases gnu:%standard-phases
     (add-after 'unpack 'ensure-no-mtimes-pre-1980 ensure-no-mtimes-pre-1980)
-    (add-after 'unpack 'set-SOURCE-DATE-EPOCH set-SOURCE-DATE-EPOCH)
     (delete 'configure)
     (replace 'install install)
     (replace 'check check)
diff --git a/guix/build/ruby-build-system.scm b/guix/build/ruby-build-system.scm
index 6439bf69eb..a4ac3b307c 100644
--- a/guix/build/ruby-build-system.scm
+++ b/guix/build/ruby-build-system.scm
@@ -27,7 +27,8 @@
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:export (%standard-phases
-            ruby-build))
+            ruby-build
+            gem-home))
 
 ;; Commentary:
 ;;
@@ -141,3 +142,13 @@ GEM-FLAGS are passed to the 'gem' invokation, if present."
 (define* (ruby-build #:key inputs (phases %standard-phases)
                      #:allow-other-keys #:rest args)
   (apply gnu:gnu-build #:inputs inputs #:phases phases args))
+
+(define (gem-home store-path ruby-version)
+  "Return a string to the gem home directory in the store given a STORE-PATH
+and the RUBY-VERSION used to build that ruby package"
+  (string-append
+   store-path
+   "/lib/ruby/gems/"
+   (regexp-substitute #f
+                      (string-match "^[0-9]+\\.[0-9]+" ruby-version)
+                      0 ".0")))
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index e3f9edc5b5..2988193fce 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -385,10 +385,13 @@ for under the directories designated by FILES.  For example:
   (append-map (lambda (input)
                 (append-map (lambda (file)
                               (let ((file (string-append input "/" file)))
-                                ;; XXX: By using 'find-files', we implicitly
-                                ;; assume #:type 'regular.
                                 (if pattern
-                                    (find-files file pattern)
+                                    (find-files file (lambda (file stat)
+                                                       (and stat
+                                                            (eq? type (stat:type stat))
+                                                            ((file-name-predicate pattern) file stat)))
+                                                #:stat stat
+                                                #:directories? #t)
                                     (let ((stat (stat file #f)))
                                       (if (and stat (eq? type (stat:type stat)))
                                           (list file)
diff --git a/guix/search-paths.scm b/guix/search-paths.scm
index 7fd15d440c..7a6fe67959 100644
--- a/guix/search-paths.scm
+++ b/guix/search-paths.scm
@@ -139,12 +139,6 @@ report only settings not already effective."
        (let* ((values (or (and=> (getenv variable)
                                  (cut string-tokenize* <> separator))
                           '()))
-              ;; Add a trailing slash to force symlinks to be treated as
-              ;; directories when 'find-files' traverses them.
-              (files  (if pattern
-                          (map (cut string-append <> "/") files)
-                          files))
-
               ;; XXX: Silence 'find-files' when it stumbles upon non-existent
               ;; directories (see
               ;; <http://lists.gnu.org/archive/html/guix-devel/2015-01/msg00269.html>.)
diff --git a/tests/graph.scm b/tests/graph.scm
index 4f85432d2f..43f7b733f9 100644
--- a/tests/graph.scm
+++ b/tests/graph.scm
@@ -232,7 +232,7 @@ edges."
   (run-with-store %store
     (let ((packages (fold-packages cons '())))
       (mlet %store-monad ((edges (node-edges %package-node-type packages)))
-        (return (and (null? (edges grep))
+        (return (and (null? (edges sed))
                      (lset= eq?
                             (edges guile-2.0)
                             (match (package-direct-inputs guile-2.0)