summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2017-10-06 11:03:27 +0200
committerMarius Bakke <mbakke@fastmail.com>2017-10-06 11:03:27 +0200
commit6a317919cf0f9dbc651a4a41f9ed99c49bf2d543 (patch)
tree9454b6c587b75ee1e3625be64f39cc39a5154db6 /gnu
parent68932812b8f6581dda4bf1896235492f687b7cc9 (diff)
parent8bde6a524e19d2bc9763b84dbf99959faf653bf8 (diff)
downloadguix-6a317919cf0f9dbc651a4a41f9ed99c49bf2d543.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'gnu')
-rw-r--r--gnu/build/file-systems.scm4
-rw-r--r--gnu/local.mk6
-rw-r--r--gnu/packages/assembly.scm4
-rw-r--r--gnu/packages/benchmark.scm67
-rw-r--r--gnu/packages/curl.scm14
-rw-r--r--gnu/packages/gnome.scm12
-rw-r--r--gnu/packages/golang.scm4
-rw-r--r--gnu/packages/gstreamer.scm4
-rw-r--r--gnu/packages/image.scm15
-rw-r--r--gnu/packages/imagemagick.scm4
-rw-r--r--gnu/packages/maths.scm17
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-12982.patch28
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14040.patch83
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14041.patch25
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14151.patch46
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14152.patch38
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2017-14164.patch89
-rw-r--r--gnu/packages/python.scm33
-rw-r--r--gnu/packages/ssh.scm38
-rw-r--r--gnu/packages/tls.scm6
-rw-r--r--gnu/packages/tor.scm8
-rw-r--r--gnu/system/file-systems.scm6
-rw-r--r--gnu/system/uuid.scm13
23 files changed, 208 insertions, 356 deletions
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index 32885f1d2e..140bcb414b 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -415,12 +415,12 @@ was READ is = to the given value."
   (partition-predicate read-partition-label string=?))
 
 (define partition-uuid-predicate
-  (partition-predicate read-partition-uuid bytevector=?))
+  (partition-predicate read-partition-uuid uuid=?))
 
 (define luks-partition-uuid-predicate
   (partition-predicate
    (partition-field-reader read-luks-header luks-header-uuid)
-   bytevector=?))
+   uuid=?))
 
 (define (find-partition predicate)
   "Return the first partition found that matches PREDICATE, or #f if none
diff --git a/gnu/local.mk b/gnu/local.mk
index 392ca8287f..66a4bc04bc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -900,12 +900,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/openscenegraph-ffmpeg3.patch             \
   %D%/packages/patches/openexr-missing-samples.patch		\
   %D%/packages/patches/openfoam-4.1-cleanup.patch			\
-  %D%/packages/patches/openjpeg-CVE-2017-12982.patch		\
-  %D%/packages/patches/openjpeg-CVE-2017-14040.patch		\
-  %D%/packages/patches/openjpeg-CVE-2017-14041.patch		\
-  %D%/packages/patches/openjpeg-CVE-2017-14151.patch		\
-  %D%/packages/patches/openjpeg-CVE-2017-14152.patch		\
-  %D%/packages/patches/openjpeg-CVE-2017-14164.patch		\
   %D%/packages/patches/openldap-CVE-2017-9287.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssl-runpath.patch			\
diff --git a/gnu/packages/assembly.scm b/gnu/packages/assembly.scm
index 27db8fc559..769e5d2fca 100644
--- a/gnu/packages/assembly.scm
+++ b/gnu/packages/assembly.scm
@@ -103,14 +103,14 @@ debugging information in STABS, DWARF 2, and CodeView 8 formats.")
 (define-public lightning
   (package
     (name "lightning")
-    (version "2.1.0")
+    (version "2.1.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/lightning/lightning-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "19j9nwl88k660045s40cbz5zrl1wpd2mcxnnc8qqnnaj311a58qz"))))
+               "0sbs2lm8b9in2m8d52zf0x9gpp40x6r7sl6sha92yq3pr78rwa4v"))))
     (build-system gnu-build-system)
     (native-inputs `(("zlib" ,zlib)))
     (synopsis "Library for generating assembly code at runtime")
diff --git a/gnu/packages/benchmark.scm b/gnu/packages/benchmark.scm
index 136f141d8b..feed7b545b 100644
--- a/gnu/packages/benchmark.scm
+++ b/gnu/packages/benchmark.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016, 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Dave Love <fx@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,8 +25,10 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages mpi)
   #:use-module (gnu packages python)
-  #:use-module (gnu packages storage))
+  #:use-module (gnu packages storage)
+  #:use-module (ice-9 match))
 
 (define-public fio
   (package
@@ -103,3 +106,65 @@ is to write a job file matching the I/O load one wants to simulate.")
     ;; are covered by other licenses.
     (license (list license:gpl2 license:gpl2+ license:bsd-2
                    license:public-domain))))
+
+;; Parameterized in anticipation of m(va)pich support
+(define (imb mpi)
+  (package
+    (name (string-append "imb-" (package-name mpi)))
+    (version "2017.2")
+    (source
+     (origin
+      (method url-fetch)
+      (uri (match (string-split version #\.)
+             ((major minor)
+              (string-append
+               "https://software.intel.com/sites/default/files/managed/76/6c/IMB_"
+               major "_Update" minor ".tgz"))))
+      (sha256 (base32 "11nczxm686rsppmw9gjc2p2sxc0jniv5kv18yxm1lzp5qfh5rqyb"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("mpi" ,mpi)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'check)
+         (replace 'build
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((mpi-home (assoc-ref inputs "mpi")))
+               (zero?
+                ;; Not safe for parallel build
+                (system* "make" "-C" "imb/src" "-f" "make_mpich" "SHELL=sh"
+                         (string-append "MPI_HOME=" mpi-home))))))
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (doc (string-append out "/share/doc/" ,name))
+                    (bin (string-append out "/bin")))
+               (with-directory-excursion "imb/src"
+                 (for-each
+                  (lambda (file)
+                    (install-file file bin))
+                  '("IMB-IO" "IMB-EXT" "IMB-MPI1" "IMB-NBC" "IMB-RMA")))
+               (mkdir-p doc)
+               (with-directory-excursion "imb"
+                 (copy-recursively "license" doc)))
+             #t)))))
+    (home-page "https://software.intel.com/en-us/articles/intel-mpi-benchmarks")
+    (synopsis "Intel MPI Benchmarks")
+    (description
+     "This package provides benchmarks for implementations of the @dfn{Message
+Passing Interface} (MPI).  It contains MPI performance measurements for
+point-to-point and global communication, and file, operations for a range of
+message sizes.  The generated benchmark data fully characterize:
+
+@itemize
+@item
+Performance of a cluster system, including node performance, network latency,
+and throughput;
+@item
+Efficiency of the MPI implementation.
+@end itemize")
+    (license license:cpl1.0)))
+
+(define-public imb-openmpi (imb openmpi))
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 9408af70cc..30e03e6c69 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -43,6 +43,7 @@
   (package
    (name "curl")
    (version "7.55.1")
+   (replacement curl-7.56.0)
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
@@ -121,3 +122,16 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.56.0
+  (package
+    (inherit curl)
+    (version "7.56.0")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://curl.haxx.se/download/curl-"
+                            version ".tar.xz"))
+        (sha256
+         (base32
+          "0wni3zkw7jyrwgwkqnrkf2x2b7c78wsp7p4z6a246hz9l367nhrj"))))))
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index b7410176ee..c5447e2ac0 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1055,7 +1055,7 @@ API add-ons to make GTK+ widgets OpenGL-capable.")
 (define-public glade3
   (package
     (name "glade")
-    (version "3.20.0")
+    (version "3.20.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1063,7 +1063,7 @@ API add-ons to make GTK+ widgets OpenGL-capable.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1zhqvhagy0m85p54jfiayfl0v9af7g0lj7glw8sfwh7cbp56vnc2"))))
+                "1pxikhzdzd092d4x3nacf5gfzi3mvhywrhcfqc07xakbsinnfr40"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      `(#:tests? #f ; needs X, GL, and software rendering
@@ -2050,7 +2050,7 @@ editors, IDEs, etc.")
   (package
     (inherit vte)
     (name "vte-ng")
-    (version "0.50.0.a")
+    (version "0.50.1.a")
     (native-inputs
      `(("gtk-doc" ,gtk-doc)
        ("gperf" ,gperf)
@@ -2065,7 +2065,7 @@ editors, IDEs, etc.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0h5ifg6xpix074k445bmnd39mc75llrfkrsr9vw98dxa4rffxrgf"))))
+                "1r70jysdrc7r1vyn3mikpc8hh7rm4lpr0psakj8yssy11p451pja"))))
     (arguments
       `(#:configure-flags '("CXXFLAGS=-Wformat=0")
         #:phases (modify-phases %standard-phases
@@ -2169,7 +2169,7 @@ and RDP protocols.")
 (define-public dconf
   (package
     (name "dconf")
-    (version "0.26.0")
+    (version "0.26.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2178,7 +2178,7 @@ and RDP protocols.")
                     name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1jaqsr1r0grpd25rbsc2v3vb0sc51lia9w31wlqswgqsncp2k0w6"))))
+                "0da587hpiqy8h3pswn1102h4b905x8k6mk3ajpi7kf4kzkvv30ym"))))
     (build-system glib-or-gtk-build-system)
     (inputs
      `(("gtk+" ,gtk+)
diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index 9f3ccc8f69..b1967b3f1a 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -204,7 +204,7 @@ sequential processes (CSP) concurrent programming features added.")
   (package
     (inherit go-1.4)
     (name "go")
-    (version "1.9")
+    (version "1.9.1")
     (source
      (origin
        (method url-fetch)
@@ -212,7 +212,7 @@ sequential processes (CSP) concurrent programming features added.")
                            name version ".src.tar.gz"))
        (sha256
         (base32
-         "14z9azh8pk5cwyl2qdk893j68lk0cca7a9b8k2hpn5pd52825ax4"))))
+         "03jmrgqq852wqyphvd8p46i32f72xki3bmylhkxf0kynqyfzqjm8"))))
     (arguments
      (substitute-keyword-arguments (package-arguments go-1.4)
        ((#:phases phases)
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index bc8f75ba12..c308dc9f34 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -280,10 +280,10 @@ developers consider to have good quality code and correct functionality.")
        (modify-phases %standard-phases
          (add-after 'unpack 'patch-openjpeg-reference
            (lambda _
-             ;; Remove hard-coded openjpeg-2.1 path. 2.2 is API- and
+             ;; Remove hard-coded openjpeg-2.2 path. 2.3 is API- and
              ;; ABI-compatible.
              (substitute* "ext/openjpeg/gstopenjpeg.h"
-               (("<openjpeg-2\\.1/") "<openjpeg-2.2/"))
+               (("<openjpeg-2\\.2/") "<openjpeg-2.3/"))
              #t)))))
     (propagated-inputs
      `(("gst-plugins-base" ,gst-plugins-base)))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index e525c75693..aed4bdd6ec 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -167,7 +167,7 @@ APNG patch provides APNG support to libpng.")
 (define-public libpng-1.2
   (package
     (inherit libpng)
-    (version "1.2.57")
+    (version "1.2.59")
     (source
      (origin
        (method url-fetch)
@@ -180,7 +180,8 @@ APNG patch provides APNG support to libpng.")
                    "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
                    "/libpng12/libpng-" version ".tar.xz")))
        (sha256
-        (base32 "1n2lrzjkm5jhfg2bs10q398lkwbbx742fi27zgdgx0x23zhj0ihg"))))))
+        (base32
+         "1izw9ybm27llk8531w6h4jp4rk2rxy2s9vil16nwik5dp0amyqxl"))))))
 
 (define-public r-png
   (package
@@ -509,7 +510,7 @@ work.")
 (define-public openjpeg
   (package
     (name "openjpeg")
-    (version "2.2.0")
+    (version "2.3.0")
     (source
       (origin
         (method url-fetch)
@@ -519,13 +520,7 @@ work.")
         (file-name (string-append name "-" version ".tar.gz"))
         (sha256
          (base32
-          "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
-        (patches (search-patches "openjpeg-CVE-2017-12982.patch"
-                                 "openjpeg-CVE-2017-14040.patch"
-                                 "openjpeg-CVE-2017-14041.patch"
-                                 "openjpeg-CVE-2017-14151.patch"
-                                 "openjpeg-CVE-2017-14152.patch"
-                                 "openjpeg-CVE-2017-14164.patch"))))
+          "06npqzkg20avnygdwaqpap91r7qpdqgrn39adj2bl8v0pg0qgirx"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 5840ad665a..fabbd707ac 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -46,14 +46,14 @@
     ;; The 7 release series has an incompatible API, while the 6 series is still
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
-    (version "6.9.9-17")
+    (version "6.9.9-18")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0y39jcd6358dph51ch5w43sqk9lv079jhgg3l7g5mks6m25f49gz"))))
+               "1d70dvrgcasa3cla4c1dag4mw7vq4jk1nzbd604fk20l0l6xa78j"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 24b62b8f06..4b311c4982 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -19,6 +19,7 @@
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 Theodoros Foradis <theodoros@foradis.org>
+;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1127,7 +1128,7 @@ can solve two kinds of problems:
     (license license:bsd-3)))
 
 ;; For a fully featured Octave, users  are strongly recommended also to install
-;; the following packages: texinfo, less, ghostscript, gnuplot.
+;; the following packages: less, ghostscript, gnuplot.
 (define-public octave
   (package
     (name "octave")
@@ -1159,6 +1160,7 @@ can solve two kinds of problems:
        ("glu" ,glu)
        ("zlib" ,zlib)
        ("curl" ,curl)
+       ("texinfo" ,texinfo)
        ("graphicsmagick" ,graphicsmagick)))
     (native-inputs
      `(("lzip" ,lzip)
@@ -1173,14 +1175,23 @@ can solve two kinds of problems:
        ;; will still run without them, albeit without the features they
        ;; provide.
        ("less" ,less)
-       ("texinfo" ,texinfo)
        ("ghostscript" ,ghostscript)
        ("gnuplot" ,gnuplot)))
     (arguments
      `(#:configure-flags
        (list (string-append "--with-shell="
                             (assoc-ref %build-inputs "bash")
-                            "/bin/sh"))))
+                            "/bin/sh"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'configure 'configure-makeinfo
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "libinterp/corefcn/help.cc"
+               (("Vmakeinfo_program = \"makeinfo\"")
+                (string-append "Vmakeinfo_program = \""
+                               (assoc-ref inputs "texinfo")
+                               "/bin/makeinfo\"")))
+             #t)))))
     (home-page "https://www.gnu.org/software/octave/")
     (synopsis "High-level language for numerical computation")
     (description "GNU Octave is a high-level interpreted language that is
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch b/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
deleted file mode 100644
index 3929a73570..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/21/1
-https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
-
-From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:26:58 +0200
-Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
- (#983)
-
----
- src/bin/jp2/convertbmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index b49e7a080..2715fdf24 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
- 
-     header->biBitCount  = (OPJ_UINT16)getc(IN);
-     header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
-+    if (header->biBitCount == 0) {
-+        fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
-+        return OPJ_FALSE;
-+    }
- 
-     if (header->biSize >= 40U) {
-         header->biCompression  = (OPJ_UINT32)getc(IN);
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
deleted file mode 100644
index bd7473ba0d..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/3
-https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
-
-From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Aug 2017 11:47:40 +0200
-Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
- fixes unaligned load (#995)
-
----
- src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
- 1 file changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index a4eb81f6a..73dfc8d5f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -580,13 +580,10 @@ struct tga_header {
- };
- #endif /* INFORMATION_ONLY */
- 
--static unsigned short get_ushort(const unsigned char *data)
-+/* Returns a ushort from a little-endian serialized value */
-+static unsigned short get_tga_ushort(const unsigned char *data)
- {
--    unsigned short val = *(const unsigned short *)data;
--#ifdef OPJ_BIG_ENDIAN
--    val = ((val & 0xffU) << 8) | (val >> 8);
--#endif
--    return val;
-+    return data[0] | (data[1] << 8);
- }
- 
- #define TGA_HEADER_SIZE 18
-@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
-     id_len = tga[0];
-     /*cmap_type = tga[1];*/
-     image_type = tga[2];
--    /*cmap_index = get_ushort(&tga[3]);*/
--    cmap_len = get_ushort(&tga[5]);
-+    /*cmap_index = get_tga_ushort(&tga[3]);*/
-+    cmap_len = get_tga_ushort(&tga[5]);
-     cmap_entry_size = tga[7];
- 
- 
- #if 0
--    x_origin = get_ushort(&tga[8]);
--    y_origin = get_ushort(&tga[10]);
-+    x_origin = get_tga_ushort(&tga[8]);
-+    y_origin = get_tga_ushort(&tga[10]);
- #endif
--    image_w = get_ushort(&tga[12]);
--    image_h = get_ushort(&tga[14]);
-+    image_w = get_tga_ushort(&tga[12]);
-+    image_h = get_tga_ushort(&tga[14]);
-     pixel_depth = tga[16];
-     image_desc  = tga[17];
- 
-@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
-         color_space = OPJ_CLRSPC_SRGB;
-     }
- 
-+    /* If the declared file size is > 10 MB, check that the file is big */
-+    /* enough to avoid excessive memory allocations */
-+    if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
-+        char ch;
-+        OPJ_UINT64 expected_file_size =
-+            (OPJ_UINT64)image_width * image_height * numcomps;
-+        long curpos = ftell(f);
-+        if (expected_file_size > (OPJ_UINT64)INT_MAX) {
-+            expected_file_size = (OPJ_UINT64)INT_MAX;
-+        }
-+        fseek(f, (long)expected_file_size - 1, SEEK_SET);
-+        if (fread(&ch, 1, 1, f) != 1) {
-+            fclose(f);
-+            return NULL;
-+        }
-+        fseek(f, curpos, SEEK_SET);
-+    }
-+
-     subsampling_dx = parameters->subsampling_dx;
-     subsampling_dy = parameters->subsampling_dy;
- 
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
deleted file mode 100644
index 6e3fccf3c0..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/4
-https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
-
-From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 18 Aug 2017 13:39:20 +0200
-Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
-
----
- src/bin/jp2/convert.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index 5459f7d44..e606c9be7 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
-     }
- 
-     fseek(f, 0, SEEK_SET);
--    if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+    if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
-                &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
-         fclose(f);
-         fprintf(stderr,
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
deleted file mode 100644
index 4fcf6af6db..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
-http://openwall.com/lists/oss-security/2017/09/06/1
-
-From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:20:37 +0200
-Subject: [PATCH] Encoder: grow buffer size in
- opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
- opj_mqc_flush (#982)
-
----
- src/lib/openjp2/tcd.c                   | 7 +++++--
- tests/nonregression/test_suite.ctest.in | 2 ++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index 301c7213e..53cdcf64d 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
- {
-     OPJ_UINT32 l_data_size;
- 
--    /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
--    l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-+    /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-+    /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
-+    /* TODO: is there a theoretical upper-bound for the compressed code */
-+    /* block size ? */
-+    l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-                                    (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
- 
-     if (l_data_size > p_code_block->data_size) {
-diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
-index aaf40d7d0..ffd964c2a 100644
---- a/tests/nonregression/test_suite.ctest.in
-+++ b/tests/nonregression/test_suite.ctest.in
-@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
- # Same rate as Bretagne2_4.j2k
- opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
- 
-+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
-+
- # DECODER TEST SUITE
- opj_decompress -i  @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
- opj_decompress -i  @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
deleted file mode 100644
index 6c083be123..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
-http://openwall.com/lists/oss-security/2017/09/06/2
-
-From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 15 Aug 2017 11:55:58 +0200
-Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
- opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
-
----
- src/lib/openjp2/j2k.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index a2521ebbc..54b490a8c 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
- 
-     /* Precincts */
-     parameters->csty |= 0x01;
--    parameters->res_spec = parameters->numresolution - 1;
--    for (i = 0; i < parameters->res_spec; i++) {
--        parameters->prcw_init[i] = 256;
--        parameters->prch_init[i] = 256;
-+    if (parameters->numresolution == 1) {
-+        parameters->res_spec = 1;
-+        parameters->prcw_init[0] = 128;
-+        parameters->prch_init[0] = 128;
-+    } else {
-+        parameters->res_spec = parameters->numresolution - 1;
-+        for (i = 0; i < parameters->res_spec; i++) {
-+            parameters->prcw_init[i] = 256;
-+            parameters->prch_init[i] = 256;
-+        }
-     }
- 
-     /* The progression order shall be CPRL */
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch b/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
deleted file mode 100644
index 2bfc5a6a85..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14164.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a.patch
-http://openwall.com/lists/oss-security/2017/09/06/3
-
-From dcac91b8c72f743bda7dbfa9032356bc8110098a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Wed, 16 Aug 2017 17:09:10 +0200
-Subject: [PATCH] opj_j2k_write_sot(): fix potential write heap buffer overflow
- (#991)
-
----
- src/lib/openjp2/j2k.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 54b490a8c..16915452e 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -832,13 +832,15 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
-  * Writes the SOT marker (Start of tile-part)
-  *
-  * @param       p_j2k            J2K codec.
-- * @param       p_data           FIXME DOC
-- * @param       p_data_written   FIXME DOC
-+ * @param       p_data           Output buffer
-+ * @param       p_total_data_size Output buffer size
-+ * @param       p_data_written   Number of bytes written into stream
-  * @param       p_stream         the stream to write data to.
-  * @param       p_manager        the user event manager.
- */
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-                                   OPJ_BYTE * p_data,
-+                                  OPJ_UINT32 p_total_data_size,
-                                   OPJ_UINT32 * p_data_written,
-                                   const opj_stream_private_t *p_stream,
-                                   opj_event_mgr_t * p_manager);
-@@ -4201,6 +4203,7 @@ static OPJ_BOOL opj_j2k_write_tlm(opj_j2k_t *p_j2k,
- 
- static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-                                   OPJ_BYTE * p_data,
-+                                  OPJ_UINT32 p_total_data_size,
-                                   OPJ_UINT32 * p_data_written,
-                                   const opj_stream_private_t *p_stream,
-                                   opj_event_mgr_t * p_manager
-@@ -4214,6 +4217,12 @@ static OPJ_BOOL opj_j2k_write_sot(opj_j2k_t *p_j2k,
-     OPJ_UNUSED(p_stream);
-     OPJ_UNUSED(p_manager);
- 
-+    if (p_total_data_size < 12) {
-+        opj_event_msg(p_manager, EVT_ERROR,
-+                      "Not enough bytes in output buffer to write SOT marker\n");
-+        return OPJ_FALSE;
-+    }
-+
-     opj_write_bytes(p_data, J2K_MS_SOT,
-                     2);                                 /* SOT */
-     p_data += 2;
-@@ -11480,7 +11489,8 @@ static OPJ_BOOL opj_j2k_write_first_tile_part(opj_j2k_t *p_j2k,
- 
-     l_current_nb_bytes_written = 0;
-     l_begin_data = p_data;
--    if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+    if (! opj_j2k_write_sot(p_j2k, p_data, p_total_data_size,
-+                            &l_current_nb_bytes_written, p_stream,
-                             p_manager)) {
-         return OPJ_FALSE;
-     }
-@@ -11572,7 +11582,10 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
-         l_part_tile_size = 0;
-         l_begin_data = p_data;
- 
--        if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+        if (! opj_j2k_write_sot(p_j2k, p_data,
-+                                p_total_data_size,
-+                                &l_current_nb_bytes_written,
-+                                p_stream,
-                                 p_manager)) {
-             return OPJ_FALSE;
-         }
-@@ -11615,7 +11628,9 @@ static OPJ_BOOL opj_j2k_write_all_tile_parts(opj_j2k_t *p_j2k,
-             l_part_tile_size = 0;
-             l_begin_data = p_data;
- 
--            if (! opj_j2k_write_sot(p_j2k, p_data, &l_current_nb_bytes_written, p_stream,
-+            if (! opj_j2k_write_sot(p_j2k, p_data,
-+                                    p_total_data_size,
-+                                    &l_current_nb_bytes_written, p_stream,
-                                     p_manager)) {
-                 return OPJ_FALSE;
-             }
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index b13880e50e..00c9917392 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -3714,24 +3714,27 @@ producing implementations of dynamic languages, emphasizing a clean separation
 between language specification and implementation aspects.")
     (license license:expat)))
 
+;; NOTE: when upgrading numpy please make sure that python-pandas and
+;; python-scipy still build, as these three packages are often used together.
 (define-public python-numpy
   (package
     (name "python-numpy")
-    (version "1.13.1")
+    (version "1.12.0")
     (source
      (origin
        (method url-fetch)
-       (uri (pypi-uri "numpy" version ".zip"))
+       (uri (string-append
+             "https://github.com/numpy/numpy/archive/v" version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1fsgkhh1vdkhmlz8vmdgxnj9n9yaanckxxzz9s0b4p08fqvjic69"))))
+         "025d4j4aakcp8w5i5diqh812cbbjgac7jszx1j56ivrbi1i8vv7d"))))
     (build-system python-build-system)
     (inputs
      `(("openblas" ,openblas)
        ("lapack" ,lapack)))
     (native-inputs
-     `(("unzip" ,unzip)
-       ("python-cython" ,python-cython)
+     `(("python-cython" ,python-cython)
        ("python-nose" ,python-nose)
        ("gfortran" ,gfortran)))
     (arguments
@@ -3789,6 +3792,26 @@ capabilities.")
 (define-public python2-numpy
   (package-with-python2 python-numpy))
 
+(define-public python-numpy-next
+  (package (inherit python-numpy)
+    (name "python-numpy-next")
+    (version "1.13.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "numpy" version ".zip"))
+       (sha256
+        (base32
+         "1fsgkhh1vdkhmlz8vmdgxnj9n9yaanckxxzz9s0b4p08fqvjic69"))))
+    (native-inputs
+     `(("unzip" ,unzip)
+       ("python-cython" ,python-cython)
+       ("python-nose" ,python-nose)
+       ("gfortran" ,gfortran)))))
+
+(define-public python2-numpy-next
+  (package-with-python2 python-numpy-next))
+
 (define-public python-munch
   (package
     (name "python-munch")
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 1dac85d74a..8317f29cd8 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
+;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -603,3 +604,40 @@ monitor it, restarting it as necessary should it die or stop passing traffic.")
      ;; copy of this license in their headers, but there's no separate file
      ;; with that information.
      (license:non-copyleft "file://autossh.c"))))
+
+(define-public pdsh
+  (package
+    (name "pdsh")
+    (version "2.29")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://storage.googleapis.com/"
+                           "google-code-archive-downloads/v2/code.google.com/"
+                           "pdsh/pdsh-" version ".tar.bz2"))
+       (sha256
+        (base32 "1kvzz01fyaxfqmbh53f4ljfsgvxdykh5jyr6fh4f1bw2ywxr1w2p"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags
+       (list "--with-ssh")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'patch-/bin/sh
+           (lambda _
+             (substitute* '("tests/runtests.sh"
+                            "tests/test-lib.sh"
+                            "tests/test-modules/pcptest.c")
+               (("/bin/sh") (which "bash")))
+             #t)))))
+    (inputs
+     `(("openssh" ,openssh)
+       ("mit-krb5" ,mit-krb5)
+       ("perl" ,perl)))
+    (home-page "https://code.google.com/archive/p/pdsh")
+    (synopsis "Parallel distributed shell")
+    (description "Pdsh is a an efficient, multithreaded remote shell client
+which executes commands on multiple remote hosts in parallel.  Pdsh implements
+dynamically loadable modules for extended functionality such as new remote
+shell services and remote host selection.")
+    (license license:gpl2+)))
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bb005f3682..075ea7a1c2 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -498,13 +498,13 @@ netcat implementation that supports TLS.")
   (package
     (name "python-acme")
     ;; Remember to update the hash of certbot when updating python-acme.
-    (version "0.18.2")
+    (version "0.19.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "acme" version))
               (sha256
                (base32
-                "1xiy8m7501g5l9kpdmyvyz72nfnl72l19qkrf76fyvby7adzm3ki"))))
+                "08p8w50zciqlhgn3ab0wbbvi1zyg3x37r1gywq0z1allsij3v8hz"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -552,7 +552,7 @@ netcat implementation that supports TLS.")
               (uri (pypi-uri name version))
               (sha256
                (base32
-                "16lw4n7kwnkvh9sz2f97c7ad1wwp33mg5fc332lpy5n17zpfc8h1"))))
+                "0lwxqz3r0fg3dy06fgba1dfs7n6ribc25z0rh5rqbl7mvy8hf8x7"))))
     (build-system python-build-system)
     (arguments
      `(,@(substitute-keyword-arguments (package-arguments python-acme)
diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm
index 1dc3e37c39..e44bab54a0 100644
--- a/gnu/packages/tor.scm
+++ b/gnu/packages/tor.scm
@@ -35,6 +35,7 @@
   #:use-module (gnu packages linux)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages pcre)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages qt)
   #:use-module (gnu packages autotools)
@@ -57,12 +58,15 @@
      `(#:configure-flags (list "--enable-gcc-hardening"
                                "--enable-linker-hardening")))
     (native-inputs
-     `(("python" ,python-2)))  ; for tests
+     `(("pkg-config" ,pkg-config)
+       ("python" ,python-2)))  ; for tests
     (inputs
      `(("zlib" ,zlib)
        ("openssl" ,openssl)
        ("libevent" ,libevent)
-       ("libseccomp", libseccomp)))
+       ("libseccomp" ,libseccomp)
+       ("xz" ,xz)
+       ("zstd" ,zstd)))
     (home-page "https://www.torproject.org/")
     (synopsis "Anonymous network router to improve privacy on the Internet")
     (description
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 52f16676f5..92f040425d 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -38,6 +38,7 @@
             file-system-check?
             file-system-create-mount-point?
             file-system-dependencies
+            file-system-location
 
             file-system-type-predicate
 
@@ -101,7 +102,10 @@
   (create-mount-point? file-system-create-mount-point? ; Boolean
                        (default #f))
   (dependencies     file-system-dependencies      ; list of <file-system>
-                    (default '())))               ; or <mapped-device>
+                    (default '()))                ; or <mapped-device>
+  (location         file-system-location
+                    (default (current-source-location))
+                    (innate)))
 
 ;; Note: This module is used both on the build side and on the host side.
 ;; Arrange not to pull (guix store) and (guix config) because the latter
diff --git a/gnu/system/uuid.scm b/gnu/system/uuid.scm
index 6470abb8cc..e422e06a6d 100644
--- a/gnu/system/uuid.scm
+++ b/gnu/system/uuid.scm
@@ -29,6 +29,7 @@
             uuid?
             uuid-type
             uuid-bytevector
+            uuid=?
 
             bytevector->uuid
 
@@ -281,3 +282,15 @@ corresponding bytevector; otherwise return #f."
        ((_ . (? procedure? unparse)) (unparse bv))))
     (((? uuid? uuid))
      (uuid->string (uuid-bytevector uuid) (uuid-type uuid)))))
+
+(define uuid=?
+  ;; Return true if A is equal to B, comparing only the actual bits.
+  (match-lambda*
+    (((? bytevector? a) (? bytevector? b))
+     (bytevector=? a b))
+    (((? uuid? a) (? bytevector? b))
+     (bytevector=? (uuid-bytevector a) b))
+    (((? uuid? a) (? uuid? b))
+     (bytevector=? (uuid-bytevector a) (uuid-bytevector b)))
+    ((a b)
+     (uuid=? b a))))