summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--build-aux/build-self.scm11
-rw-r--r--gnu/local.mk30
-rw-r--r--gnu/packages/algebra.scm4
-rw-r--r--gnu/packages/audio.scm2
-rw-r--r--gnu/packages/authentication.scm2
-rw-r--r--gnu/packages/base.scm70
-rw-r--r--gnu/packages/bash.scm8
-rw-r--r--gnu/packages/bdw-gc.scm12
-rw-r--r--gnu/packages/bison.scm19
-rw-r--r--gnu/packages/boost.scm29
-rw-r--r--gnu/packages/bootloaders.scm3
-rw-r--r--gnu/packages/build-tools.scm6
-rw-r--r--gnu/packages/calendar.scm4
-rw-r--r--gnu/packages/check.scm43
-rw-r--r--gnu/packages/chez.scm4
-rw-r--r--gnu/packages/cmake.scm12
-rw-r--r--gnu/packages/commencement.scm15
-rw-r--r--gnu/packages/compression.scm76
-rw-r--r--gnu/packages/cups.scm24
-rw-r--r--gnu/packages/curl.scm21
-rw-r--r--gnu/packages/databases.scm74
-rw-r--r--gnu/packages/disk.scm1
-rw-r--r--gnu/packages/docbook.scm10
-rw-r--r--gnu/packages/documentation.scm15
-rw-r--r--gnu/packages/file.scm5
-rw-r--r--gnu/packages/flex.scm16
-rw-r--r--gnu/packages/fontutils.scm23
-rw-r--r--gnu/packages/freedesktop.scm8
-rw-r--r--gnu/packages/fribidi.scm7
-rw-r--r--gnu/packages/gcal.scm20
-rw-r--r--gnu/packages/gcc.scm25
-rw-r--r--gnu/packages/gd.scm16
-rw-r--r--gnu/packages/ghostscript.scm60
-rw-r--r--gnu/packages/gl.scm6
-rw-r--r--gnu/packages/glib.scm16
-rw-r--r--gnu/packages/gnome.scm32
-rw-r--r--gnu/packages/gnupg.scm41
-rw-r--r--gnu/packages/golang.scm9
-rw-r--r--gnu/packages/gstreamer.scm28
-rw-r--r--gnu/packages/gtk.scm89
-rw-r--r--gnu/packages/guile-wm.scm2
-rw-r--r--gnu/packages/guile.scm39
-rw-r--r--gnu/packages/icu4c.scm20
-rw-r--r--gnu/packages/image.scm65
-rw-r--r--gnu/packages/inkscape.scm21
-rw-r--r--gnu/packages/jemalloc.scm5
-rw-r--r--gnu/packages/kerberos.scm7
-rw-r--r--gnu/packages/libbsd.scm4
-rw-r--r--gnu/packages/libevent.scm26
-rw-r--r--gnu/packages/libffi.scm9
-rw-r--r--gnu/packages/libidn.scm25
-rw-r--r--gnu/packages/libreoffice.scm11
-rw-r--r--gnu/packages/libsigsegv.scm33
-rw-r--r--gnu/packages/libunistring.scm29
-rw-r--r--gnu/packages/linux.scm46
-rw-r--r--gnu/packages/llvm.scm10
-rw-r--r--gnu/packages/lsof.scm7
-rw-r--r--gnu/packages/m4.scm1
-rw-r--r--gnu/packages/make-bootstrap.scm10
-rw-r--r--gnu/packages/maths.scm14
-rw-r--r--gnu/packages/nettle.scm18
-rw-r--r--gnu/packages/node.scm2
-rw-r--r--gnu/packages/openldap.scm4
-rw-r--r--gnu/packages/openstack.scm8
-rw-r--r--gnu/packages/package-management.scm4
-rw-r--r--gnu/packages/patches/binutils-aarch64-symbol-relocation.patch36
-rw-r--r--gnu/packages/patches/cairo-setjmp-wrapper.patch78
-rw-r--r--gnu/packages/patches/clang-3.5-libsanitizer-ustat-fix.patch46
-rw-r--r--gnu/packages/patches/doxygen-gcc-ice.patch25
-rw-r--r--gnu/packages/patches/findutils-gnulib-libio.patch114
-rw-r--r--gnu/packages/patches/findutils-makedev.patch22
-rw-r--r--gnu/packages/patches/freetype-CVE-2018-6942.patch31
-rw-r--r--gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch37
-rw-r--r--gnu/packages/patches/gcc-libsanitizer-ustat.patch41
-rw-r--r--gnu/packages/patches/gcc-strmov-store-file-names.patch12
-rw-r--r--gnu/packages/patches/ghostscript-runpath.patch18
-rw-r--r--gnu/packages/patches/glibc-2.28-git-fixes.patch248
-rw-r--r--gnu/packages/patches/grub-binutils-compat.patch53
-rw-r--r--gnu/packages/patches/jemalloc-arm-address-bits.patch39
-rw-r--r--gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch32
-rw-r--r--gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch58
-rw-r--r--gnu/packages/patches/m4-gnulib-libio.patch128
-rw-r--r--gnu/packages/patches/mariadb-gcc-ice.patch24
-rw-r--r--gnu/packages/patches/meson-for-build-rpath.patch6
-rw-r--r--gnu/packages/patches/oath-toolkit-glibc-compat.patch90
-rw-r--r--gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch215
-rw-r--r--gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch50
-rw-r--r--gnu/packages/patches/parted-glibc-compat.patch17
-rw-r--r--gnu/packages/patches/perf-gcc-ice.patch13
-rw-r--r--gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch36
-rw-r--r--gnu/packages/patches/perl-deterministic-ordering.patch6
-rw-r--r--gnu/packages/patches/perl-file-path-CVE-2017-6512.patch173
-rw-r--r--gnu/packages/patches/python-pillow-fix-failing-tests.patchbin112373 -> 0 bytes
-rw-r--r--gnu/packages/patches/python-testtools.patch57
-rw-r--r--gnu/packages/patches/qtbase-glibc-compat.patch50
-rw-r--r--gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch36
-rw-r--r--gnu/packages/patches/texinfo-5-perl-compat.patch19
-rw-r--r--gnu/packages/patches/texinfo-perl-compat.patch51
-rw-r--r--gnu/packages/pcre.scm21
-rw-r--r--gnu/packages/pdf.scm20
-rw-r--r--gnu/packages/perl.scm50
-rw-r--r--gnu/packages/php.scm12
-rw-r--r--gnu/packages/python-crypto.scm4
-rw-r--r--gnu/packages/python-web.scm4
-rw-r--r--gnu/packages/python.scm602
-rw-r--r--gnu/packages/qt.scm4
-rw-r--r--gnu/packages/readline.scm4
-rw-r--r--gnu/packages/samba.scm18
-rw-r--r--gnu/packages/ssh.scm21
-rw-r--r--gnu/packages/statistics.scm4
-rw-r--r--gnu/packages/tcl.scm16
-rw-r--r--gnu/packages/tex.scm126
-rw-r--r--gnu/packages/texinfo.scm2
-rw-r--r--gnu/packages/time.scm19
-rw-r--r--gnu/packages/tls.scm28
-rw-r--r--gnu/packages/web.scm8
-rw-r--r--gnu/packages/xdisorg.scm8
-rw-r--r--gnu/packages/xml.scm20
-rw-r--r--gnu/packages/xorg.scm38
-rw-r--r--guix/build-system/meson.scm1
-rw-r--r--guix/build/gnu-build-system.scm36
-rw-r--r--guix/build/gremlin.scm132
-rw-r--r--guix/build/haskell-build-system.scm43
-rw-r--r--guix/build/meson-build-system.scm58
-rw-r--r--guix/build/python-build-system.scm2
-rw-r--r--guix/build/r-build-system.scm2
-rw-r--r--guix/build/svn.scm2
-rw-r--r--guix/build/utils.scm8
-rw-r--r--guix/gexp.scm136
-rw-r--r--guix/packages.scm10
-rw-r--r--guix/self.scm14
-rw-r--r--tests/gexp.scm6
-rw-r--r--tests/gremlin.scm33
133 files changed, 2531 insertions, 2158 deletions
diff --git a/build-aux/build-self.scm b/build-aux/build-self.scm
index 306b2c6b63..5b281c3bc9 100644
--- a/build-aux/build-self.scm
+++ b/build-aux/build-self.scm
@@ -374,10 +374,15 @@ interface (FFI) of Guile.")
 ;; The procedure below is our return value.
 (define* (build source
                 #:key verbose? (version (date-version-string)) system
-                (guile-version (match ((@ (guile) version))
-                                 ("2.2.2" "2.2.2")
-                                 (_       (effective-version))))
                 (pull-version 0)
+
+                ;; For the standalone Guix, default to Guile 2.2.  For old
+                ;; versions of 'guix pull' (pre-0.15.0), we have to use the
+                ;; same Guile as the current one.
+                (guile-version (if (> pull-version 0)
+                                   "2.2"
+                                   (effective-version)))
+
                 #:allow-other-keys
                 #:rest rest)
   "Return a derivation that unpacks SOURCE into STORE and compiles Scheme
diff --git a/gnu/local.mk b/gnu/local.mk
index 402505e229..1181210da5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -595,13 +595,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/bastet-change-source-of-unordered_set.patch	\
   %D%/packages/patches/bazaar-CVE-2017-14176.patch		\
   %D%/packages/patches/beignet-correct-file-names.patch		\
-  %D%/packages/patches/binutils-aarch64-symbol-relocation.patch	\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
   %D%/packages/patches/blast+-fix-makefile.patch		\
   %D%/packages/patches/boost-fix-icu-build.patch		\
   %D%/packages/patches/borg-respect-storage-quota.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
   %D%/packages/patches/cairo-CVE-2016-9082.patch			\
+  %D%/packages/patches/cairo-setjmp-wrapper.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-use-packaged-feedparser.patch	\
   %D%/packages/patches/catdoc-CVE-2017-11110.patch		\
@@ -613,6 +613,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ceph-skip-unittest_blockdev.patch	\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-3.5-libc-search-path.patch		\
+  %D%/packages/patches/clang-3.5-libsanitizer-ustat-fix.patch	\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
   %D%/packages/patches/clang-6.0-libc-search-path.patch		\
   %D%/packages/patches/clang-runtime-asan-build-fixes.patch	\
@@ -651,7 +652,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/doc++-include-directives.patch		\
   %D%/packages/patches/doc++-segfault-fix.patch			\
   %D%/packages/patches/dovecot-trees-support-dovecot-2.3.patch	\
-  %D%/packages/patches/doxygen-gcc-ice.patch			\
   %D%/packages/patches/doxygen-test.patch			\
   %D%/packages/patches/dropbear-CVE-2018-15599.patch		\
   %D%/packages/patches/dvd+rw-tools-add-include.patch 		\
@@ -682,7 +682,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/fcgi-2.4.0-poll.patch			\
   %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch		\
   %D%/packages/patches/fifo-map-remove-catch.hpp.patch		\
+  %D%/packages/patches/findutils-gnulib-libio.patch		\
   %D%/packages/patches/findutils-localstatedir.patch		\
+  %D%/packages/patches/findutils-makedev.patch			\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flann-cmake-3.11.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
@@ -692,7 +694,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
   %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
   %D%/packages/patches/freeimage-unbundle.patch		\
-  %D%/packages/patches/freetype-CVE-2018-6942.patch		\
   %D%/packages/patches/fuse-overlapping-headers.patch				\
   %D%/packages/patches/gawk-shell.patch				\
   %D%/packages/patches/gcc-arm-bug-71399.patch			\
@@ -702,7 +703,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-fix-texi2pod.patch			\
   %D%/packages/patches/gcc-4.8-libsanitizer-fix.patch		\
   %D%/packages/patches/gcc-4.9-libsanitizer-fix.patch		\
+  %D%/packages/patches/gcc-4.9-libsanitizer-ustat.patch		\
   %D%/packages/patches/gcc-libsanitizer-fix.patch		\
+  %D%/packages/patches/gcc-libsanitizer-ustat.patch		\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-4-compile-with-gcc-5.patch		 \
@@ -732,7 +735,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
-  %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/giflib-make-reallocarray-private.patch	\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
@@ -755,6 +757,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/glibc-vectorized-strcspn-guards.patch	\
   %D%/packages/patches/glibc-versioned-locpath.patch		\
   %D%/packages/patches/glibc-2.27-git-fixes.patch		\
+  %D%/packages/patches/glibc-2.28-git-fixes.patch		\
   %D%/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch		\
   %D%/packages/patches/glog-gcc-5-demangling.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
@@ -774,6 +777,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
   %D%/packages/patches/groff-source-date-epoch.patch		\
   %D%/packages/patches/groovy-add-exceptionutilsgenerator.patch	\
+  %D%/packages/patches/grub-binutils-compat.patch		\
   %D%/packages/patches/grub-check-error-efibootmgr.patch	\
   %D%/packages/patches/gsl-test-i686.patch			\
   %D%/packages/patches/gspell-dash-test.patch			\
@@ -832,7 +836,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/java-xerces-bootclasspath.patch	\
   %D%/packages/patches/java-xerces-build_dont_unzip.patch	\
   %D%/packages/patches/java-xerces-xjavac_taskdef.patch	\
-  %D%/packages/patches/jemalloc-arm-address-bits.patch		\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
   %D%/packages/patches/json-glib-fix-tests-32bit.patch		\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
@@ -877,12 +880,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libexif-CVE-2016-6328.patch		\
   %D%/packages/patches/libexif-CVE-2017-7544.patch		\
+  %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch	\
   %D%/packages/patches/libgit2-mtime-0.patch			\
   %D%/packages/patches/libgdata-fix-tests.patch			\
   %D%/packages/patches/libgdata-glib-duplicate-tests.patch	\
   %D%/packages/patches/libgnome-encoding.patch			\
   %D%/packages/patches/libgnomeui-utf8.patch			\
-  %D%/packages/patches/libgpg-error-aarch64-logging-fix.patch	\
   %D%/packages/patches/libgxps-CVE-2017-11590.patch		\
   %D%/packages/patches/libffi-3.2.1-complex-alpha.patch		\
   %D%/packages/patches/libjxr-fix-function-signature.patch	\
@@ -944,7 +947,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/mailutils-uninitialized-memory.patch	\
   %D%/packages/patches/make-glibc-compat.patch			\
   %D%/packages/patches/make-impure-dirs.patch			\
-  %D%/packages/patches/mariadb-gcc-ice.patch			\
   %D%/packages/patches/mariadb-client-test-32bit.patch		\
   %D%/packages/patches/mars-install.patch			\
   %D%/packages/patches/mars-sfml-2.3.patch			\
@@ -977,6 +979,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch    \
   %D%/packages/patches/mutt-store-references.patch		\
   %D%/packages/patches/myrepos-CVE-2018-7032.patch		\
+  %D%/packages/patches/m4-gnulib-libio.patch			\
   %D%/packages/patches/net-tools-bitrot.patch			\
   %D%/packages/patches/netcdf-date-time.patch			\
   %D%/packages/patches/netcdf-tst_h_par.patch			\
@@ -993,6 +996,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/nvi-db4.patch				\
   %D%/packages/patches/nyacc-binary-literals.patch		\
   %D%/packages/patches/nyx-show-header-stats-with-python3.patch	\
+  %D%/packages/patches/oath-toolkit-glibc-compat.patch		\
   %D%/packages/patches/ocaml-bisect-fix-camlp4-in-another-directory.patch	\
   %D%/packages/patches/ocaml-bitstring-fix-configure.patch \
   %D%/packages/patches/ocaml-CVE-2015-8869.patch		\
@@ -1009,8 +1013,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/opensmtpd-fix-crash.patch		\
   %D%/packages/patches/openssl-runpath.patch			\
-  %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch	\
-  %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch	\
   %D%/packages/patches/openssl-1.1-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
   %D%/packages/patches/orpheus-cast-errors-and-includes.patch	\
@@ -1020,13 +1022,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/p7zip-CVE-2016-9296.patch		\
   %D%/packages/patches/p7zip-CVE-2017-17969.patch		\
   %D%/packages/patches/p7zip-remove-unused-code.patch		\
+  %D%/packages/patches/parted-glibc-compat.patch		\
   %D%/packages/patches/patchelf-page-size.patch			\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
-  %D%/packages/patches/perf-gcc-ice.patch			\
-  %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch	\
-  %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -1086,12 +1086,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-fix-tests.patch			\
   %D%/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch \
   %D%/packages/patches/python-networkx2-reproducible-build.patch	\
-  %D%/packages/patches/python-pillow-fix-failing-tests.patch	\
   %D%/packages/patches/python2-rdflib-drop-sparqlwrapper.patch	\
   %D%/packages/patches/python-scikit-learn-fix-test-non-determinism.patch	\
   %D%/packages/patches/python-configobj-setuptools.patch	\
   %D%/packages/patches/python-faker-fix-build-32bit.patch	\
   %D%/packages/patches/python-mox3-python3.6-compat.patch	\
+  %D%/packages/patches/python-testtools.patch			\
   %D%/packages/patches/python-paste-remove-website-test.patch	\
   %D%/packages/patches/python-paste-remove-timing-test.patch	\
   %D%/packages/patches/python-pycrypto-CVE-2013-7459.patch	\
@@ -1103,6 +1103,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
   %D%/packages/patches/qt4-ldflags.patch			\
+  %D%/packages/patches/qtbase-glibc-compat.patch		\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quagga-reproducible-build.patch          \
@@ -1149,6 +1150,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/slim-sigusr1.patch			\
   %D%/packages/patches/slim-reset.patch				\
   %D%/packages/patches/slim-login.patch				\
+  %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/sooperlooper-build-with-wx-30.patch 	\
   %D%/packages/patches/soundtouch-CVE-2018-14044-14045.patch 	\
   %D%/packages/patches/soundtouch-CVE-2018-1000223.patch 	\
@@ -1167,6 +1169,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
   %D%/packages/patches/teeworlds-use-latest-wavpack.patch	\
+  %D%/packages/patches/texinfo-perl-compat.patch		\
+  %D%/packages/patches/texinfo-5-perl-compat.patch		\
   %D%/packages/patches/texi2html-document-encoding.patch	\
   %D%/packages/patches/texi2html-i18n.patch			\
   %D%/packages/patches/thefuck-test-environ.patch		\
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index d8a061b642..45a3da1713 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -528,14 +528,14 @@ a C program.")
 (define-public fftw
   (package
     (name "fftw")
-    (version "3.3.7")
+    (version "3.3.8")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.fftw.org/pub/fftw/fftw-"
                                  version".tar.gz"))
              (sha256
               (base32
-               "0wsms8narnbhfsa8chdflv2j9hzspvflblnqdn7hw8x5xdzrnq1v"))))
+               "00z3k8fq561wq2khssqg0kallk0504dzlx989x3vvicjdqpjc4v1"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 69b5d01d6f..8ec69d12a7 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1779,6 +1779,8 @@ significantly faster and have minimal dependencies.")
     (build-system waf-build-system)
     (arguments
      `(#:tests? #f  ; no check target
+       ;; XXX: The bundled waf does not work with Python 3.7.
+       #:python ,python-2
        #:configure-flags '("--no-plugins")))
     (inputs
      ;; Leaving off cairo and gtk+-2.0 which are needed for example plugins
diff --git a/gnu/packages/authentication.scm b/gnu/packages/authentication.scm
index a58eac9890..68a6459828 100644
--- a/gnu/packages/authentication.scm
+++ b/gnu/packages/authentication.scm
@@ -17,6 +17,7 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages authentication)
+  #:use-module (gnu packages)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages pkg-config)
   #:use-module (guix build-system gnu)
@@ -35,6 +36,7 @@
        (method url-fetch)
        (uri (string-append "https://download.savannah.nongnu.org/releases/"
                            name "/" name "-" version ".tar.gz"))
+       (patches (search-patches "oath-toolkit-glibc-compat.patch"))
        (sha256
         (base32 "182ah8vfbg0yhv6mh1b6ap944d0na6x7lpfkwkmzb6jl9gx4cd5h"))))
     (build-system gnu-build-system)
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 4065af0abc..3a1186673e 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -102,6 +102,15 @@ command-line arguments, multiple languages, and so on.")
    (arguments
     `(#:phases
       (modify-phases %standard-phases
+        (add-before 'check 'disable-failing-tests
+          (lambda _
+            ;; These tests are expected to fail due to a glibc bug which has
+            ;; been fixed in 2.28, so they are unexpectedly passing.  They
+            ;; should be fixed for grep versions > 3.1.
+            (substitute* "tests/Makefile.in"
+              (("^[[:blank:]]+backref-alt[[:blank:]]+\\\\") "\\")
+              (("^[[:blank:]]+triple-backref[[:blank:]]+\\\\") "\\"))
+            #t))
         (add-after 'install 'fix-egrep-and-fgrep
           ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
           ;; absolute file name instead of searching for it in $PATH.
@@ -289,7 +298,9 @@ interactive means to merge two files.")
              (base32
               "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"))
             (patches (search-patches
+                      "findutils-gnulib-libio.patch"
                       "findutils-localstatedir.patch"
+                      "findutils-makedev.patch"
                       "findutils-test-xargs.patch"))
             (modules '((guix build utils)))
             (snippet
@@ -326,14 +337,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.29")
+   (version "8.30")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0plm1zs9il6bb5mk881qvbghq4glc8ybbgakk2lfzb0w64fgml4j"))))
+              "0mxhw43d4wpqmvg0l4znk1vm10fy92biyh90lzdnqjcic2lb6cg8"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -364,7 +375,17 @@ used to apply commands with arbitrarily long arguments.")
                      (substitute* (find-files "gnulib-tests" "\\.c$")
                        (("/bin/sh") (which "sh")))
                      (substitute* (find-files "tests" "\\.sh$")
-                       (("#!/bin/sh") (which "sh")))
+                       (("#!/bin/sh") (string-append "#!" (which "sh"))))
+                     #t))
+                 (add-before 'check 'disable-broken-test
+                   (lambda _
+                     ;; This test hits the 127 character shebang limit in the build
+                     ;; environment due to the way "env -S" splits arguments into
+                     ;; shebangs.  Note that "env-S-script.sh" works around this
+                     ;; specific issue, but "env-S.pl" is not adjusted for build
+                     ;; environments with long prefixes (/tmp/guix-build-...).
+                     (substitute* "Makefile"
+                       (("^.*tests/misc/env-S.pl.*$") ""))
                      #t)))
 
       ;; Work around a cross-compilation bug whereby libcoreutils.a would
@@ -435,14 +456,14 @@ change.  GNU make offers many powerful extensions over the standard utility.")
 (define-public binutils
   (package
    (name "binutils")
-   (version "2.30")
+   (version "2.31.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/binutils/binutils-"
                                 version ".tar.bz2"))
             (sha256
              (base32
-              "028cklfqaab24glva1ks2aqa1zxa6w6xmc8q34zs1sb7h22dxspg"))
+              "1l34hn1zkmhr1wcrgf0d4z7r3najxnw3cx2y2fk7v55zjlk3ik7z"))
             (patches (search-patches "binutils-loongson-workaround.patch"))))
    (build-system gnu-build-system)
 
@@ -480,17 +501,6 @@ included.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/binutils/")))
 
-(define-public binutils/fixed
-  ;; TODO: Incorporate this in binutils during the next rebuild cycle.
-  (hidden-package
-   (package
-     (inherit binutils)
-     (source (origin
-               (inherit (package-source binutils))
-               (patches (append (origin-patches (package-source binutils))
-                                (search-patches
-                                 "binutils-aarch64-symbol-relocation.patch"))))))))
-
 (define* (make-ld-wrapper name #:key
                           (target (const #f))
                           binutils
@@ -572,13 +582,13 @@ store.")
    (name "glibc")
    ;; Note: Always use a dot after the minor version since various places rely
    ;; on "version-major+minor" to determine where locales are found.
-   (version "2.27")
+   (version "2.28")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
             (sha256
              (base32
-              "0wpwq7gsm7sd6ysidv0z575ckqdg13cr2njyfgrbgh4f65adwwji"))
+              "10iha5ynvdj5m62vgpgqbq4cwvc2yhyl2w9yyyjgfxmdmx8h145i"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -590,7 +600,7 @@ store.")
                 #t))
             (modules '((guix build utils)))
             (patches (search-patches "glibc-ldd-x86_64.patch"
-                                     "glibc-2.27-git-fixes.patch"
+                                     "glibc-2.28-git-fixes.patch"
                                      "glibc-hidden-visibility-ldconfig.patch"
                                      "glibc-versioned-locpath.patch"
                                      "glibc-allow-kernel-2.6.32.patch"
@@ -873,25 +883,25 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-;; The "next" libc.  Useful for populating locale data before reconfiguring the
-;; entire system on it.  Will be the default in the next rebuild cycle.
-(define-public glibc-2.28
+;; Below are old libc versions, which we use mostly to build locale data in
+;; the old format (which the new libc cannot cope with.)
+
+(define-public glibc-2.27
   (package
     (inherit glibc)
-    (version "2.28")
+    (version "2.27")
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
               (sha256
                (base32
-                "10iha5ynvdj5m62vgpgqbq4cwvc2yhyl2w9yyyjgfxmdmx8h145i"))
-              (patches (search-patches "glibc-allow-kernel-2.6.32.patch"
-                                       "glibc-ldd-x86_64.patch"
+                "0wpwq7gsm7sd6ysidv0z575ckqdg13cr2njyfgrbgh4f65adwwji"))
+              (patches (search-patches "glibc-ldd-x86_64.patch"
+                                       "glibc-2.27-git-fixes.patch"
                                        "glibc-hidden-visibility-ldconfig.patch"
-                                       "glibc-versioned-locpath.patch"))))))
-
-;; Below are old libc versions, which we use mostly to build locale data in
-;; the old format (which the new libc cannot cope with.)
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-allow-kernel-2.6.32.patch"
+                                       "glibc-reinstate-prlimit64-fallback.patch"))))))
 
 (define-public glibc-2.26
   (package
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index 121a459fa6..fb4e3f4be3 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -79,7 +79,11 @@
    (16 "1cgi1y6mifm8hsgv4avj5ih76535js3qba1sqwbfvp7si76927sh")
    (17 "0w6jpj2giakji1ir83rpkx1y7n7xqppah3j748m6dm38hywr0gvp")
    (18 "1k58h4wxbsg7r4rwhrvzx5hfbapba2nxjysbhh6qp6ki5ys99i2v")
-   (19 "07n1i5610lbs672x1s8g82qn3qfj06s0ip3z80sri0g8vxp0s5r7")))
+   (19 "07n1i5610lbs672x1s8g82qn3qfj06s0ip3z80sri0g8vxp0s5r7")
+   (20 "0b2jk5n1af1vh590qfc52hv65mafb4vl1xv26s8j5a3byb5y4h0q")
+   (21 "1hblcd2xmqqlp0idnavw66570n7m0yv5rbbr873c2gkn982mk3xx")
+   (22 "0yfbjzr79vzjs2hyi5m8iy2b38fq7vikdfa4zqdvjsp36q4iycs5")
+   (23 "1dlism6qdx60nvzj0v7ndr7lfahl4a8zmzckp13hqgdx7xpj7v2g")))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index eba30217da..c7491f845f 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -30,14 +30,14 @@
 (define-public libgc
   (package
    (name "libgc")
-   (version "7.6.4")
+   (version "7.6.6")
    (source (origin
             (method url-fetch)
-            (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
-                                version ".tar.gz"))
+            (uri (string-append "https://github.com/ivmai/bdwgc/releases"
+                                "/download/v" version "/gc-" version ".tar.gz"))
             (sha256
              (base32
-              "076dzsqqyxd3nlzs0z277vvhqjp8nv5dqi763s0m90zr6ljiyk5r"))))
+              "1p1r015a7jbpvkkbgzv1y8nxrbbp6dg0mq3ksi6ji0qdz3wfss79"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
@@ -91,7 +91,7 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.6.4")
+    (version "7.6.6")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -99,7 +99,7 @@ C or C++ programs, though that is not its primary goal.")
                     version "/libatomic_ops-" version ".tar.gz"))
               (sha256
                (base32
-                "0knxncsjhbknlyy6lx7ycxhpzfk3sykhvicgxyp0rmsxd1d3v0jv"))))
+                "0x7071z707msvyrv9dmgahd1sghbkw8fpbagvcag6xs8yp2spzlr"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
diff --git a/gnu/packages/bison.scm b/gnu/packages/bison.scm
index 09c6481a16..71de47762d 100644
--- a/gnu/packages/bison.scm
+++ b/gnu/packages/bison.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -29,7 +30,7 @@
 (define-public bison
   (package
     (name "bison")
-    (version "3.0.4")
+    (version "3.0.5")
     (source
      (origin
       (method url-fetch)
@@ -37,10 +38,10 @@
                           version ".tar.xz"))
       (sha256
        (base32
-        "1qbgf6q1n2z17k8g33444m0q68kf3fbiq65q7jlrzpvvj73jh957"))))
+        "0f7kjygrckkx8vas2nm673592jif0a9mw5g8207f6hj6h4pfyp07"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)
-                     ;; m4 is not present in PATH when cross-building
+                     ;; m4 is not present in PATH when cross-building.
                      ("m4" ,m4)))
     (inputs `(("flex" ,flex)))
     (propagated-inputs `(("m4" ,m4)))
@@ -52,15 +53,3 @@ deterministic or generalized LR parser from an annotated, context-free
 grammar.  It is versatile enough to have many applications, from parsers for
 simple tools through complex programming languages.")
     (license gpl3+)))
-
-(define-public bison-2.7
-  (package (inherit bison)
-    (version "2.7")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnu/bison/bison-"
-                          version ".tar.xz"))
-      (sha256
-       (base32
-        "1zd77ilmpv5mi3kr55jrj6ncqlcnyhpianhrwzak2q28cv2cbn23"))))))
diff --git a/gnu/packages/boost.scm b/gnu/packages/boost.scm
index cf70a29775..897987f71c 100644
--- a/gnu/packages/boost.scm
+++ b/gnu/packages/boost.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2018 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,6 +28,7 @@
 
 (define-module (gnu packages boost)
   #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix utils)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix git-download)
@@ -43,7 +45,7 @@
 (define-public boost
   (package
     (name "boost")
-    (version "1.66.0")
+    (version "1.68.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -52,7 +54,7 @@
                     ".tar.bz2"))
               (sha256
                (base32
-                "1aaw48cmimsskzgiclwn0iifp62a5iw9cbqrhfari876af1828ap"))
+                "1dyqsr9yb01y0nnjdq9b8q5s2kvhxbayk34832k5cpzn7jy30qbz"))
               (patches (search-patches "boost-fix-icu-build.patch"))))
     (build-system gnu-build-system)
     (inputs `(("icu4c" ,icu4c)
@@ -78,7 +80,6 @@
                    (out (assoc-ref outputs "out")))
                (substitute* '("libs/config/configure"
                               "libs/spirit/classic/phoenix/test/runtest.sh"
-                              "tools/build/doc/bjam.qbk"
                               "tools/build/src/engine/execunix.c"
                               "tools/build/src/engine/Jambase"
                               "tools/build/src/engine/jambase.c")
@@ -100,7 +101,18 @@
                     make-flags)))
          (replace 'install
            (lambda* (#:key make-flags #:allow-other-keys)
-             (apply invoke "./b2" "install" make-flags))))))
+             (apply invoke "./b2" "install" make-flags)))
+         (add-after 'install 'provide-libboost_python
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               ;; Boost can build support for both Python 2 and Python 3 since
+               ;; version 1.67.0, and suffixes each library with the Python
+               ;; version.  Many consumers only check for libboost_python
+               ;; however, so we provide it here as suggested in
+               ;; <https://github.com/boostorg/python/issues/203>.
+               (with-directory-excursion (string-append out "/lib")
+                 (symlink "libboost_python27.so" "libboost_python.so"))
+               #t))))))
 
     (home-page "https://www.boost.org")
     (synopsis "Peer-reviewed portable C++ source libraries")
@@ -124,6 +136,15 @@ across a broad spectrum of applications.")
               (sha256
                (base32
                 "1jj1aai5rdmd72g90a3pd8sw9vi32zad46xv5av8fhnr48ir6ykj"))))
+    (arguments (substitute-keyword-arguments (package-arguments boost)
+      ((#:phases phases)
+       `(modify-phases ,phases
+          ;; This was removed after boost-1.67.
+          (add-before 'configure 'more-bin-sh-patching
+            (lambda _
+              (substitute* "tools/build/doc/bjam.qbk"
+                (("/bin/sh") (which "sh")))))
+          (delete 'provide-libboost_python)))))
     (properties '((hidden? . #t)))))
 
 (define-public boost-sync
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index bce12d324d..8038c18326 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -86,7 +86,8 @@
              (sha256
               (base32
                "03vvdfhdmf16121v7xs8is2krwnv15wpkhkf16a4yf8nsfc3f2w1"))
-             (patches (search-patches "grub-check-error-efibootmgr.patch"))))
+             (patches (search-patches "grub-check-error-efibootmgr.patch"
+                                      "grub-binutils-compat.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index 4fc2d5acf7..8fcf128135 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Corentin Bocquillon <corentin@nybble.fr>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
@@ -101,7 +101,7 @@ generate such a compilation database.")
 (define-public meson
   (package
     (name "meson")
-    (version "0.47.1")
+    (version "0.47.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/mesonbuild/meson/"
@@ -109,7 +109,7 @@ generate such a compilation database.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "19mdap2ncvczajx220bd73xmwhd8x906382y18cn9c5syxwxwwyn"))))
+                "1swmycf6p9p0ag6yiywyyri42ffkxxj38r2ic7in24km47cszn4j"))))
     (build-system python-build-system)
     (arguments
      `(;; FIXME: Tests require many additional inputs, a fix for the RUNPATH
diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index c2bbf139c1..24e19b472c 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -48,7 +48,7 @@
 (define-public libical
   (package
     (name "libical")
-    (version "3.0.3")
+    (version "3.0.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -56,7 +56,7 @@
                     version "/libical-" version ".tar.gz"))
               (sha256
                (base32
-                "0hcjyf35b8rrvy8xziqxc4imi28mmkixb09gknisvp6jsa5fp4av"))))
+                "0ifisnh42cw5z53hp9p52l3ggc7k877zlqk0n06gdhrk0bhidckj"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; test suite appears broken
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 866fa801c0..1ae6355a93 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -619,14 +619,14 @@ standard library.")
 (define-public python-pytest
   (package
     (name "python-pytest")
-    (version "3.5.0")
+    (version "3.8.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pytest" version))
        (sha256
         (base32
-         "1q832zd07zak2lyxbycxjydh0jp7y3hvawjqzlvra6aghz8r3r7s"))))
+         "17grcfvd6ggvvqmprwv5y8g319nayam70hr43ssjwj40ws27z858"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -642,9 +642,11 @@ standard library.")
                 (string-append "@pytest.mark.skip"
                                "(reason=\"Assumes that /usr exists.\")\n    "
                                line)))
-             #t)))))
+             #t))
+         (replace 'check (lambda _ (invoke "pytest" "-vv"))))))
     (propagated-inputs
-     `(("python-attrs" ,python-attrs-bootstrap)
+     `(("python-atomicwrites" ,python-atomicwrites)
+       ("python-attrs" ,python-attrs-bootstrap)
        ("python-more-itertools" ,python-more-itertools)
        ("python-pluggy" ,python-pluggy)
        ("python-py" ,python-py)
@@ -655,6 +657,7 @@ standard library.")
        ("python-hypothesis" ,python-hypothesis)
        ("python-nose" ,python-nose)
        ("python-mock" ,python-mock)
+       ("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "http://pytest.org")
     (synopsis "Python testing library")
@@ -672,6 +675,7 @@ and many external plugins.")
       (inherit pytest)
       (propagated-inputs
        `(("python2-funcsigs" ,python2-funcsigs)
+         ("python2-pathlib2" ,python2-pathlib2)
          ,@(package-propagated-inputs pytest))))))
 
 (define-public python-pytest-bootstrap
@@ -688,19 +692,20 @@ and many external plugins.")
     (package (inherit pytest)
              (propagated-inputs
               `(("python2-funcsigs" ,python2-funcsigs-bootstrap)
+                ("python2-pathlib2" ,python2-pathlib2-bootstrap)
                 ,@(package-propagated-inputs pytest))))))
 
 (define-public python-pytest-cov
   (package
     (name "python-pytest-cov")
-    (version "2.4.0")
+    (version "2.5.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pytest-cov" version))
         (sha256
          (base32
-          "03c2qc42r4bczyw93gd7n0qi1h1jfhw7fnbhi33c3vp1hs81gm2k"))))
+          "0bbfpwdh9k3636bxc88vz9fa7vf4akchgn513ql1vd0xy4n7bah3"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -729,26 +734,15 @@ supports coverage of subprocesses.")
 (define-public python-pytest-runner
   (package
     (name "python-pytest-runner")
-    (version "2.11.1")
+    (version "4.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pytest-runner" version))
        (sha256
         (base32
-         "1cw978kqqcq916b9gfns1qjqvg33c5ail5jhw9054dsynkm32flq"))))
+         "1gkpyphawxz38ni1gdq1fmwyqcg02m7ypzqvv46z06crwdxi2gyj"))))
     (build-system python-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; The fancy way of setting the version with setuptools_scm does not
-         ;; seem to work here.
-         (add-after 'unpack 'set-version
-          (lambda _
-            (substitute* "docs/conf.py"
-              (("version = setuptools_scm\\.get_version\\(root='\\.\\.')")
-               (string-append "version = \"" ,version "\"")))
-            #t)))))
     (native-inputs
      `(("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
@@ -765,14 +759,14 @@ supports coverage of subprocesses.")
 (define-public python-pytest-mock
   (package
     (name "python-pytest-mock")
-    (version "1.6.3")
+    (version "1.10.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pytest-mock" version))
         (sha256
          (base32
-          "075v7b2wm5f839r1a30n21wfk5rfqp3d05q7zb9jlb2wmxki23cj"))))
+          "1h6lgpmsvs9s8j2s80v06f9f3iaw1n1rc51mbrxk1f12sw4q56nq"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-setuptools-scm" ,python-setuptools-scm)))
@@ -885,7 +879,8 @@ subprocess and see the output as well as any file modifications.")
        (uri (pypi-uri "testtools" version))
        (sha256
         (base32
-         "0n8519lk8aaa91vymz842831181wf7fss98hyllhygi3z1nfq9sq"))))
+         "0n8519lk8aaa91vymz842831181wf7fss98hyllhygi3z1nfq9sq"))
+       (patches (search-patches "python-testtools.patch"))))
     (build-system python-build-system)
     (arguments '(#:tests? #f))
     (propagated-inputs
@@ -1421,13 +1416,13 @@ normally the case.")
 (define-public python-hypothesis
   (package
     (name "python-hypothesis")
-    (version "3.52.0")
+    (version "3.70.3")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "hypothesis" version))
               (sha256
                (base32
-                "0g54cypfi5qj6cgxfr7l1nb41r1cqhhngx4qxn4ga9h720rcsbr8"))))
+                "1rshs1japfmwgar98yrkq4hg4z2q76hlnq7w2n3lfbjnscn1jd9b"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-flake8" ,python-flake8)
diff --git a/gnu/packages/chez.scm b/gnu/packages/chez.scm
index c8e76b8ab4..929e50ee9b 100644
--- a/gnu/packages/chez.scm
+++ b/gnu/packages/chez.scm
@@ -85,6 +85,7 @@
        ("xorg-rgb" ,xorg-rgb)
        ("nanopass" ,nanopass)
        ("zlib" ,zlib)
+       ("zlib:static" ,zlib "static")
        ("stex" ,stex)))
     (native-inputs
      `(("texlive" ,texlive)
@@ -128,6 +129,7 @@
                    (nanopass (assoc-ref inputs "nanopass"))
                    (stex (assoc-ref inputs "stex"))
                    (zlib (assoc-ref inputs "zlib"))
+                   (zlib-static (assoc-ref inputs "zlib:static"))
                    (unpack (assoc-ref %standard-phases 'unpack))
                    (patch-source-shebangs
                     (assoc-ref %standard-phases 'patch-source-shebangs)))
@@ -148,7 +150,7 @@
                  (("\\$\\{Kernel\\}: \\$\\{kernelobj\\} \\.\\./zlib/libz\\.a")
                   "${Kernel}: ${kernelobj}")
                  (("ld ([-a-zA-Z0-9_${} ]+) \\.\\./zlib/libz\\.a" all args)
-                  (string-append "ld " args " " zlib "/lib/libz.a"))
+                  (string-append "ld " args " " zlib-static "/lib/libz.a"))
                  (("\\(cd \\.\\./zlib; ([-a-zA-Z0-9=./ ]+))")
                   (which "true")))
                (substitute* (find-files "mats" "Mf-.*")
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 06b1cab82c..5abf087557 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -43,7 +44,7 @@
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.11.0")
+    (version "3.12.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.cmake.org/files/v"
@@ -51,7 +52,7 @@
                                   "/cmake-" version ".tar.gz"))
               (sha256
                (base32
-                "0sv5k9q6braa8hhw0y3w19avqn0xn5czv5jf5fz5blnlf7ivw4y3"))
+                "19410mxgcyvk5q42phaclb1hz6rl08z4yj8iriq706p5k5bli5qg"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -86,6 +87,13 @@
            " --exclude-regex ^\\(" (string-join skipped-tests "\\|") "\\)$")))
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'split-package
+           ;; Remove files that have been packaged in other package recipes.
+           (lambda _
+             (delete-file "Auxiliary/cmake-mode.el")
+             (substitute* "Auxiliary/CMakeLists.txt"
+               ((".*cmake-mode.el.*") ""))
+             #t))
          (add-before 'configure 'patch-bin-sh
            (lambda _
              ;; Replace "/bin/sh" by the right path in... a lot of
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 30a0ffcec9..0aa65fe638 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -186,12 +186,25 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+;; Use a "fixed" package source for this early libstdc++ variant so we can
+;; update GCC 4.9 without triggering a full rebuild.
+(define gcc-for-libstdc++
+  (package
+    (inherit gcc-4.9)
+    (source (origin
+              (inherit (package-source gcc-4.9))
+              (patches (search-patches "gcc-4.9-libsanitizer-fix.patch"
+                                       "gcc-arm-bug-71399.patch"
+                                       "gcc-asan-missing-include.patch"
+                                       "gcc-libvtv-runpath.patch"
+                                       "gcc-fix-texi2pod.patch"))))))
+
 (define libstdc++-boot0
   ;; GCC's libcc1 is always built as a shared library (the top-level
   ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
   ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
   ;; C++14 features missing in some of our bootstrap compilers.
-  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-for-libstdc++))))
     (package
       (inherit lib)
       (name "libstdc++-boot0")
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 8c940f3036..6ec08136d5 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -85,6 +85,7 @@
        (base32
         "18dighcs333gsvajvvgqp8l4cx7h1x7yx9gd5xacnk80spyykrf3"))))
     (build-system gnu-build-system)
+    (outputs '("out" "static"))
     (arguments
      `(#:phases
        (modify-phases %standard-phases
@@ -99,7 +100,15 @@
                      `((setenv "CHOST" ,(%current-target-system)))
                      '())
                (invoke "./configure"
-                       (string-append "--prefix=" out))))))))
+                       (string-append "--prefix=" out)))))
+         (add-after 'install 'move-static-library
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (static (assoc-ref outputs "static")))
+               (with-directory-excursion (string-append out "/lib")
+                 (install-file "libz.a" (string-append static "/lib"))
+                 (delete-file "libz.a")
+                 #t)))))))
     (home-page "https://zlib.net/")
     (synopsis "Compression library")
     (description
@@ -216,6 +225,21 @@ adding and extracting files to/from a tar archive.")
     '(#:tests? #f
       #:phases
       (modify-phases %standard-phases
+        (add-after 'unpack 'patch-for-glibc-2.28
+          (lambda _
+            ;; Adjust the bundled gnulib to work with glibc 2.28.  See e.g.
+            ;; "m4-gnulib-libio.patch".  This is a phase rather than patch
+            ;; or snippet to work around <https://bugs.gnu.org/32347>.
+            (substitute* (find-files "lib" "\\.c$")
+              (("#if defined _IO_ftrylockfile")
+               "#if defined _IO_EOF_SEEN"))
+            (substitute* "lib/stdio-impl.h"
+              (("^/\\* BSD stdio derived implementations")
+               (string-append "#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN\n"
+                              "# define _IO_IN_BACKUP 0x100\n"
+                              "#endif\n\n"
+                              "/* BSD stdio derived implementations")))
+            #t))
         (add-after 'unpack 'use-absolute-name-of-gzip
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "gunzip.in"
@@ -248,6 +272,7 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
     (arguments
      `(#:modules ((guix build gnu-build-system)
                   (guix build utils)
+                  (ice-9 ftw)
                   (srfi srfi-1))
        #:phases
        (modify-phases %standard-phases
@@ -276,25 +301,32 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
              ;; it create all the (un)versioned symlinks, so we handle it here.
              (let* ((out    (assoc-ref outputs "out"))
                     (libdir (string-append out "/lib"))
-                    ;; Find the actual library (e.g. "libbz2.so.1.0.6").
-                    (lib (string-drop
-                          (car (find-files
-                                "."
-                                (lambda (file stat)
-                                  (and (string-prefix? "./libbz2.so" file)
-                                       (eq? 'regular (stat:type stat))))))
-                          2))
-                    (soversion (string-drop lib (string-length "libbz2.so."))))
+                    (soname "libbz2.so")
+                    ;; Locate the built library (e.g. "libbz2.so.1.0.6").
+                    (lib (car (scandir "."
+                                       (lambda (file)
+                                         (and (string-prefix? soname file)
+                                              (eq? 'regular
+                                                   (stat:type (lstat file))))))))
+                    (soversion (string-drop lib (+ 1 (string-length soname)))))
                (install-file lib libdir)
                (with-directory-excursion libdir
                  ;; Create symlinks libbz2.so.1 -> libbz2.so.1.0, etc.
-                 (let loop ((base "libbz2.so")
+                 (let loop ((base soname)
                             (numbers (string-split soversion #\.)))
                    (unless (null? numbers)
                      (let ((so-file (string-append base "." (car numbers))))
                        (symlink so-file base)
                        (loop so-file (cdr numbers))))))
                #t)))
+         (add-after 'install-shared-lib 'move-static-lib
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (static (assoc-ref outputs "static")))
+               (with-directory-excursion (string-append out "/lib")
+                 (install-file "libbz2.a" (string-append static "/lib"))
+                 (delete-file "libbz2.a")
+                 #t))))
          (add-after 'install-shared-lib 'patch-scripts
            (lambda* (#:key outputs inputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out")))
@@ -309,6 +341,7 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
        ,@(if (%current-target-system)
              '(#:tests? #f)
              '())))
+    (outputs '("out" "static"))
     (synopsis "High-quality data compression program")
     (description
      "bzip2 is a freely available, patent free (see below), high-quality data
@@ -376,7 +409,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
 (define-public xz
   (package
    (name "xz")
-   (version "5.2.3")
+   (version "5.2.4")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "http://tukaani.org/xz/xz-" version
@@ -385,7 +418,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
                                       version ".tar.gz")))
             (sha256
              (base32
-              "1jr8pxnz55ifc8cvp3ivgl79ph9iik5aypsc9cma228aglsqp4ki"))))
+              "0ibi2zsfaz6l756spjwc5rayf4ckgc9hwmy8qinppcyk4svz64mm"))))
    (build-system gnu-build-system)
    (synopsis "General-purpose data compression")
    (description
@@ -1154,14 +1187,15 @@ algorithm within the Numpy framework.")
   (package
     (name "snappy")
     (version "1.1.7")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/google/snappy/archive/"
-                                  version ".tar.gz"))
-              (file-name (string-append "snappy-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1m7rcdqzkys5lspj8jcsaah8w33zh28s771bw0ga2lgzfgl05yix"))))
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/google/snappy/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append "snappy-" version ".tar.gz"))
+       (sha256
+        (base32 "1m7rcdqzkys5lspj8jcsaah8w33zh28s771bw0ga2lgzfgl05yix"))
+       (patches (search-patches "snappy-add-O2-flag-in-CmakeLists.txt.patch"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 81e442eef1..0655e8f393 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -53,7 +53,7 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (version "1.20.1")
+    (version "1.21.0")
     (source(origin
               (method url-fetch)
               (uri
@@ -61,7 +61,7 @@
                               "cups-filters-" version ".tar.xz"))
               (sha256
                (base32
-                "0qix1whz5n4ijnl6d44f1v8nzkpv99wqjyrby8vx6xnpskw5hsxk"))
+                "0fs90xx9i4h8gbpligf5kkh21llv4kf5g3bgfbx4z272xkm7bsfi"))
               (modules '((guix build utils)))
               (snippet
                ;; install backends, banners and filters to cups-filters output
@@ -176,8 +176,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 (define-public cups-minimal
   (package
     (name "cups-minimal")
-    (replacement cups-minimal-2.2.8)
-    (version "2.2.6")
+    (version "2.2.8")
     (source
      (origin
        (method url-fetch)
@@ -185,7 +184,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                            version "/cups-" version "-source.tar.gz"))
        (sha256
         (base32
-         "16qn41b84xz6khrr2pa2wdwlqxr29rrrkjfi618gbgdkq9w5ff20"))))
+         "1r7r7b3nqpzc1a9dczqpj2mr8rkcwf01676v11sp4j7w4qfzqs1r"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -237,21 +236,8 @@ describe printer capabilities and features, and a wide variety of generic and
 device-specific programs to convert and print many types of files.")
     (license license:gpl2)))
 
-(define-public cups-minimal-2.2.8
-  (package
-    (inherit cups-minimal)
-    (version "2.2.8")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/apple/cups/releases/download/v"
-                           version "/cups-" version "-source.tar.gz"))
-       (sha256
-        (base32
-         "1r7r7b3nqpzc1a9dczqpj2mr8rkcwf01676v11sp4j7w4qfzqs1r"))))))
-
 (define-public cups
-  (package/inherit cups-minimal
+  (package (inherit cups-minimal)
     (name "cups")
     (arguments
      `(;; Three tests fail:
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 6d45dc0cc5..b09afe328e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -50,15 +50,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.59.0")
-   (replacement curl-7.61.1)
+   (version "7.61.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1z310hrjm2vmbcpkyp81dcmj9rk127zkjyawpy2pah0nz6yslkp4"))))
+              "148qv1f32290r9pwg07mccawihz4srznkzsdwdl2xllvlgb16n9x"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -85,7 +84,8 @@
            (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
-    `(#:configure-flags '("--with-gnutls" "--with-gssapi")
+    `(#:configure-flags '("--with-gnutls" "--with-gssapi"
+                          "--disable-static")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
       #:phases
       (modify-phases %standard-phases
@@ -141,19 +141,6 @@ tunneling, and so on.")
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
 
-(define-public curl-7.61.1
-  (package
-    (inherit curl)
-    (version "7.61.1")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://curl.haxx.se/download/curl-"
-                            version ".tar.xz"))
-        (sha256
-         (base32
-          "148qv1f32290r9pwg07mccawihz4srznkzsdwdl2xllvlgb16n9x"))))))
-
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 73026c5e66..5e9871699d 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -164,14 +164,14 @@ either single machines or networked clusters.")
 (define-public gdbm
   (package
     (name "gdbm")
-    (version "1.14.1")
+    (version "1.18")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gdbm/gdbm-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0pxwz3jlwvglq2mrbxvrjgr8pa0aj73p3v9sxmdlj570zw0gzknd"))))
+                "1kimnv12bzjjhaqk4c8w2j6chdj9c6bg21lchaf7abcyfss2r0mq"))))
     (arguments `(#:configure-flags '("--enable-libgdbm-compat")))
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org.ua/software/gdbm")
@@ -621,7 +621,7 @@ Language.")
 (define-public mariadb
   (package
     (name "mariadb")
-    (version "10.1.35")
+    (version "10.1.36")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.mariadb.org/f/"
@@ -629,14 +629,20 @@ Language.")
                                   name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0k9walaglwmwdwmkq48ir17g98n83vliyyg5wck22rjgxn2xk4cy"))
-              (patches (search-patches "mariadb-gcc-ice.patch"
-                                       "mariadb-client-test-32bit.patch"))
+                "0n5aj76mn9rxc21l2kjmfrg10bmsyy4cic68khjr94iby262wx5d"))
+              (patches (search-patches "mariadb-client-test-32bit.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
                   ;; Delete bundled snappy and xz.
                   (delete-file-recursively "storage/tokudb/PerconaFT/third_party")
+                  (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
+                    ;; This file checks that the bundled sources are present and
+                    ;; declares build procedures for them.
+                    (("^include\\(TokuThirdParty\\)") ""))
+                  (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
+                    ;; Don't attempt to use the procedures we just removed.
+                    ((" build_lzma build_snappy") ""))
 
                   ;; Preserve CMakeLists.txt for these.
                   (for-each (lambda (file)
@@ -680,7 +686,7 @@ Language.")
          "-DINSTALL_SHAREDIR=share")
        #:phases
        (modify-phases %standard-phases
-         (add-after 'unpack 'unbundle
+         (add-after 'unpack 'fix-pcre-detection
            (lambda _
              ;; The bundled PCRE in MariaDB has a patch that was upstreamed
              ;; in version 8.34.  Unfortunately the upstream patch behaves
@@ -689,16 +695,6 @@ Language.")
              ;; XXX: Consider patching PCRE instead.
              (substitute* "cmake/pcre.cmake"
                ((" OR NOT PCRE_STACK_SIZE_OK") ""))
-
-             (substitute* "storage/tokudb/PerconaFT/ft/CMakeLists.txt"
-               ;; Remove dependency on these CMake targets.
-               ((" build_lzma build_snappy") ""))
-
-             (substitute* "storage/tokudb/PerconaFT/CMakeLists.txt"
-               ;; This file checks that the bundled sources are present and
-               ;; declares build procedures for them.  We don't need that.
-               (("^include\\(TokuThirdParty\\)") ""))
-
              #t))
          (add-after 'unpack 'adjust-tests
            (lambda _
@@ -708,6 +704,7 @@ Language.")
                       ;; See <https://jira.mariadb.org/browse/MDEV-7761>.
                       "main.join_cache"
                       "main.explain_non_select"
+                      "main.stat_tables_innodb"
                       "roles.acl_statistics"
 
                       ;; FIXME: This test fails on i686:
@@ -773,8 +770,8 @@ Language.")
                 (for-each delete-file-recursively
                           '("data" "mysql-test" "sql-bench"
                             "share/man/man1/mysql-test-run.pl.1"))
-                ;; Delete huge mysqltest executables.
-                (for-each delete-file (find-files "bin" "test"))
+                ;; Delete huge and unnecessary executables.
+                (for-each delete-file (find-files "bin" "(test|embedded)"))
                 ;; And static libraries.
                 (for-each delete-file (find-files "lib" "\\.a$")))
               #t))))))
@@ -786,11 +783,13 @@ Language.")
        ("libaio" ,libaio)
        ("libxml2" ,libxml2)
        ("ncurses" ,ncurses)
-       ("openssl" ,openssl)
        ("pcre" ,pcre)
        ("snappy" ,snappy)
        ("xz" ,xz)
        ("zlib" ,zlib)))
+    (propagated-inputs
+     ;; mariadb.pc says -lssl -lcrypto, so propagate it.
+     `(("openssl" ,openssl)))
     ;; The test suite is very resource intensive and can take more than three
     ;; hours on a x86_64 system.  Give slow and busy machines some leeway.
     (properties '((timeout . 64800)))        ;18 hours
@@ -924,7 +923,23 @@ organized in a hash table or B+ tree.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0cdwa4094x3yx7vn98xykvnlp9rngvd58d19vs3vh5hrvggccg93"))))
+                "0cdwa4094x3yx7vn98xykvnlp9rngvd58d19vs3vh5hrvggccg93"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Adjust the bundled gnulib to work with glibc 2.28.  See e.g.
+                  ;; "m4-gnulib-libio.patch".  This is a phase rather than patch
+                  ;; or snippet to work around <https://bugs.gnu.org/32347>.
+                  (substitute* (find-files "lib" "\\.c$")
+                    (("#if defined _IO_ftrylockfile")
+                     "#if defined _IO_EOF_SEEN"))
+                  (substitute* "lib/stdio-impl.h"
+                    (("^/\\* BSD stdio derived implementations")
+                     (string-append "#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN\n"
+                                    "# define _IO_IN_BACKUP 0x100\n"
+                                    "#endif\n\n"
+                                    "/* BSD stdio derived implementations")))
+                  #t))))
     (build-system gnu-build-system)
 
     ;; Running tests in parallel leads to test failures and crashes in
@@ -1167,7 +1182,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.23.0")
+   (version "3.24.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -1183,7 +1198,7 @@ changes.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "0jbf78g3cm5wq77k7sfg8fb6rz44hnp9hs7p5d66fwd000c1lwdp"))))
+              "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -1598,7 +1613,7 @@ valid SQL query.")
 (define-public unixodbc
   (package
    (name "unixodbc")
-   (version "2.3.6")
+   (version "2.3.7")
    (source (origin
             (method url-fetch)
             (uri
@@ -1606,7 +1621,7 @@ valid SQL query.")
               "ftp://ftp.unixodbc.org/pub/unixODBC/unixODBC-"
               version ".tar.gz"))
             (sha256
-             (base32 "0sads5b8cmmj526gyjba7ccknl1vbhkslfqshv1yqln08zv3gdl8"))))
+             (base32 "0xry3sg497wly8f7715a7gwkn2k36bcap0mvzjw74jj53yx6kwa5"))))
    (build-system gnu-build-system)
    (synopsis "Data source abstraction library")
    (description "Unixodbc is a library providing an API with which to access
@@ -2233,9 +2248,6 @@ and web services platform functionality.")
      `(("pkg-config" ,pkg-config)))
     (inputs
      `(("mariadb" ,mariadb)
-       ;; FIXME: This should be propagated from MariaDB, but add it here
-       ;; for now to prevent a large rebuild.
-       ("openssl" ,openssl)
        ("zlib" ,zlib)))
     (propagated-inputs
      `(("r-dbi" ,r-dbi)))
@@ -2304,7 +2316,7 @@ Database API 2.0T.")
 (define-public python-sqlalchemy
   (package
     (name "python-sqlalchemy")
-    (version "1.0.12")
+    (version "1.2.11")
     (source
      (origin
       (method url-fetch)
@@ -2312,7 +2324,7 @@ Database API 2.0T.")
                           "SQLAlchemy/SQLAlchemy-" version ".tar.gz"))
       (sha256
        (base32
-        "1l8qclhd0s90w3pvwhi5mjxdwr5j7gw7cjka2fx6f2vqmq7f4yb6"))))
+        "094mmbs4igrxplfyqd59j90jb83ixpbbzqc0w49yw81m82nnjrgg"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-cython" ,python-cython) ;for c extensions
@@ -2322,7 +2334,7 @@ Database API 2.0T.")
      `(#:phases
        (modify-phases %standard-phases
          (replace 'check
-           (lambda _ (zero? (system* "py.test")))))))
+           (lambda _ (invoke "py.test"))))))
     (home-page "http://www.sqlalchemy.org")
     (synopsis "Database abstraction library")
     (description
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index 2158da6a81..4c4a3b849f 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -76,6 +76,7 @@
               (method url-fetch)
               (uri (string-append "mirror://gnu/parted/parted-"
                                   version ".tar.xz"))
+              (patches (search-patches "parted-glibc-compat.patch"))
               (sha256
                (base32
                 "1r3qpg3bhz37mgvp9chsaa3k0csby3vayfvz8ggsqz194af5i2w5"))))
diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm
index 1c00e56d6d..1e5379b020 100644
--- a/gnu/packages/docbook.scm
+++ b/gnu/packages/docbook.scm
@@ -138,11 +138,15 @@ by no means limited to these applications.)  This package provides XML DTDs.")
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/docbook/docbook-xsl/"
                                   version "/docbook-xsl-" version ".tar.bz2"))
-              ;; Note: If removing all patches, the XZ dependency is no longer needed.
               (patches (search-patches "docbook-xsl-nonrecursive-string-subst.patch"))
               (sha256
                (base32
-                "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))))
+                "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (for-each delete-file (find-files "." "\\.jar$"))
+                  #t))))
     (build-system trivial-build-system)
     (arguments
      `(#:builder (let ((name-version (string-append ,name "-" ,version)))
@@ -168,7 +172,7 @@ by no means limited to these applications.)  This package provides XML DTDs.")
                      #t))
        #:modules ((guix build utils))))
     (native-inputs `(("bzip2" ,bzip2)
-                     ("xz" ,xz)
+                     ("xz" ,xz)         ;needed for repacked tarballs
                      ("tar" ,tar)))
     (home-page "http://docbook.org")
     (synopsis "DocBook XSL style sheets for document authoring")
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f533535f03..9425df707c 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -139,23 +139,10 @@ markup) can be customized and extended by the user.")
        ("libxml2" ,libxml2) ; provides xmllint for the tests
        ("python" ,python-2))) ; for creating the documentation
     (inputs
-     `(("bash" ,bash-minimal)
-       ,@(if (string-prefix? "armhf-" (%current-system))
-             `(("gcc-ice-patch" ,@(search-patches "doxygen-gcc-ice.patch")))
-             '())))
+     `(("bash" ,bash-minimal)))
     (arguments
      `(#:test-target "tests"
        #:phases (modify-phases %standard-phases
-                  ;; Work around an ICE that shows up on native compiles for
-                  ;; armhf-linux.
-                  ,@(if (string-prefix? "armhf-" (%current-system))
-                        `((add-after 'unpack 'apply-gcc-patch
-                            (lambda* (#:key inputs #:allow-other-keys)
-                              (let ((patch (assoc-ref inputs "gcc-ice-patch")))
-                                (invoke "patch" "-p1" "--force"
-                                        "--input" patch)))))
-                        '())
-
                   (add-before 'configure 'patch-sh
                               (lambda* (#:key inputs #:allow-other-keys)
                                 (substitute* "src/portable.cpp"
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 0473c519d5..78f0360c2e 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,14 +29,14 @@
 (define-public file
   (package
     (name "file")
-    (version "5.32")
+    (version "5.33")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0l1bfa0icng9vdwya00ff48fhvjazi5610ylbhl35qi13d6xqfc6"))))
+                "1iipnwjkag7q04zjkaqic41r9nlw0ml6mhqian6qkkbisb1whlhw"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 29c5c92766..e08b0c13db 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -45,22 +45,10 @@
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
-            ;; Work around an incompatibility with Bison 3.0:
-            ;; <http://lists.gnu.org/archive/html/bug-bison/2013-09/msg00014.html>.
             (package
               (inherit bison)
-              (version "2.7.1")
-              (source (origin
-                        (method url-fetch)
-                        (uri (string-append
-                              "mirror://gnu/bison/"
-                              "bison-" version ".tar.xz"))
-                        (sha256
-                         (base32
-                          "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
-
-              ;; Unlike Bison 3.0, this version did not need Flex for its
-              ;; tests, so it allows us to break the cycle.
+              ;; Disable tests, since they require flex.
+              (arguments '(#:tests? #f))
               (inputs (alist-delete "flex" (package-inputs bison))))))
        `(("bison" ,bison-for-tests)
          ("indent" ,indent))))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 09ba9b7e4a..2ff42945d7 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Nils Gillmann <ng0@n0.is>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2018 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -55,15 +56,18 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.9")
+   (version "2.9.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "12jcdz1in20yaa55izxalg3hm1pf7nydfrzps5bzb4zgihybmzz6"))
-            (patches (search-patches "freetype-CVE-2018-6942.patch"))))
+                     "0kg8w6qyiizlyzh4a8lpzslipcbv96hcg3rqqpnxba8ffbm8g3fv"))))
    (build-system gnu-build-system)
+   (arguments
+    ;; The use of "freetype-config" is deprecated, but other packages still
+    ;; depend on it.
+    `(#:configure-flags (list "--enable-freetype-config")))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (propagated-inputs
@@ -286,14 +290,14 @@ fonts to/from the WOFF2 format.")
 (define-public fontconfig
   (package
    (name "fontconfig")
-   (version "2.13.0")
+   (version "2.13.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
                    "https://www.freedesktop.org/software/fontconfig/release/fontconfig-"
                    version ".tar.bz2"))
             (sha256 (base32
-                     "1fgf28zgsqh7x6dw30n6zi9z679gx6dyfyahp55z7dsm454yipci"))))
+                     "0hb700a68kk0ip51wdlnjjc682kvlrmb6q920mzajykdk0mdsmgn"))))
    (build-system gnu-build-system)
    ;; In Requires or Requires.private of fontconfig.pc.
    (propagated-inputs `(("expat" ,expat)
@@ -428,7 +432,7 @@ applications should be.")
 (define-public graphite2
   (package
    (name "graphite2")
-   (version "1.3.11")
+   (version "1.3.12")
    (source
      (origin
        (method url-fetch)
@@ -436,7 +440,7 @@ applications should be.")
                            "download/" version "/" name "-" version ".tgz"))
        (sha256
         (base32
-         "0z5dcgh8r3678awq6fb8igik7xmar5m6z9xxwpkkhradhk8jxfds"))))
+         "1l1940d8fz67jm6a0x8cjb5p2dv48cvz3wcskwa83hamd70k15fd"))))
    (build-system cmake-build-system)
    (native-inputs
     `(("python" ,python-2) ; because of "import imap" in tests
@@ -586,7 +590,10 @@ definitions.")
              ("libxml2"         ,libxml2)
              ("pango"           ,pango)
              ("potrace"         ,potrace)
-             ("python"          ,python-wrapper)
+             ;; FIXME: We use Python 2 here because there is a bug in Python
+             ;; 3.7 that is triggered when Py_Main is called after Py_Init, as
+             ;; is done by fontforge.  This will be fixed in Python 3.7.1.
+             ("python"          ,python-2)
              ("zlib"            ,zlib)))
    (arguments
     '(#:phases
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 5cc2699ad8..8853ce1ceb 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -148,14 +148,14 @@ freedesktop.org project.")
 (define-public libinput
   (package
     (name "libinput")
-    (version "1.11.3")
+    (version "1.12.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://freedesktop.org/software/libinput/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "01nb1shnl871d939wgfd7nc9svclcnfjfhlq64b4yns2dvcr24gk"))))
+                "14l6bvgq76ls63qc9c448r435q9xiig0rv8ilx6rnjvlgg64h32p"))))
     (build-system meson-build-system)
     (arguments
      `(#:configure-flags '("-Ddocumentation=false")))
@@ -437,14 +437,14 @@ Python.")
 (define-public wayland
   (package
     (name "wayland")
-    (version "1.15.0")
+    (version "1.16.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://wayland.freedesktop.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1c5fnys8hi71cnzjv5k7j0r8gx80p0yyqlrpmn06mmarhnxvwgzb"))))
+                "1xajhxad43izq9f7sbww1hlg42nayijy8xnp21kgpk09c6sw4wjf"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-tests? #f))
diff --git a/gnu/packages/fribidi.scm b/gnu/packages/fribidi.scm
index 0368779240..dfd2a77c20 100644
--- a/gnu/packages/fribidi.scm
+++ b/gnu/packages/fribidi.scm
@@ -27,7 +27,7 @@
 (define-public fribidi
   (package
     (name "fribidi")
-    (version "1.0.2")
+    (version "1.0.5")
     (source
       (origin
         (method url-fetch)
@@ -36,11 +36,8 @@
                         "/download/v" version "/fribidi-" version
                          ".tar.bz2"))
         (sha256
-          (base32 "0aw3i1g96axbr96flw4543dvhb8zlgb0w8314ks6cq2g1i9invdx"))))
+          (base32 "1kp4b1hpx2ky20ixgy2xhj5iygfl7ps5k9kglh1z5i7mhykg4r3a"))))
     (build-system gnu-build-system)
-    (arguments
-     `(#:configure-flags
-       (list "--disable-docs")))        ; TODO: enable; requires c2man
     (synopsis "Implementation of the Unicode bidirectional algorithm")
     (description
      "GNU FriBidi is an implementation of the Unicode Bidirectional
diff --git a/gnu/packages/gcal.scm b/gnu/packages/gcal.scm
index 425fa1f9a8..32d3849faa 100644
--- a/gnu/packages/gcal.scm
+++ b/gnu/packages/gcal.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,7 +32,23 @@
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1av11zkfirbixn05hyq4xvilin0ncddfjqzc4zd9pviyp506rdci"))))
+               "1av11zkfirbixn05hyq4xvilin0ncddfjqzc4zd9pviyp506rdci"))
+             (modules '((guix build utils)))
+             (snippet
+              '(begin
+                 ;; Adjust the bundled gnulib to work with glibc 2.28.  See e.g.
+                 ;; "m4-gnulib-libio.patch".  This is a phase rather than patch
+                 ;; or snippet to work around <https://bugs.gnu.org/32347>.
+                 (substitute* (find-files "lib" "\\.c$")
+                   (("#if defined _IO_ftrylockfile")
+                    "#if defined _IO_EOF_SEEN"))
+                 (substitute* "lib/stdio-impl.h"
+                   (("^/\\* BSD stdio derived implementations")
+                    (string-append "#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN\n"
+                                   "# define _IO_IN_BACKUP 0x100\n"
+                                   "#endif\n\n"
+                                   "/* BSD stdio derived implementations")))
+                 #t))))
     (build-system gnu-build-system)
     (home-page "https://www.gnu.org/software/gcal/")
     (synopsis "Calculating and printing a wide variety of calendars")
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 0dd5d64464..8207104174 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -398,6 +398,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
               (patches (search-patches "gcc-4.9-libsanitizer-fix.patch"
+                                       "gcc-4.9-libsanitizer-ustat.patch"
                                        "gcc-arm-bug-71399.patch"
                                        "gcc-asan-missing-include.patch"
                                        "gcc-libvtv-runpath.patch"
@@ -432,6 +433,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "11zd1hgzkli3b2v70qsm2hyqppngd4616qc96lmm9zl2kl9yl32k"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-strmov-store-file-names.patch"
                                        "gcc-5.0-libvtv-runpath.patch"
                                        "gcc-5-source-date-epoch-1.patch"
@@ -452,7 +454,8 @@ Go.  It also includes runtime support libraries for these languages.")
                      "$OBJDUMP_FOR_TARGET -T"))
                   #t))))
     (inputs
-     `(("isl" ,isl)
+     `(;; GCC5 needs <isl/band.h> which is removed in later versions.
+       ("isl" ,isl-0.18)
        ,@(package-inputs gcc-4.7)))))
 
 (define-public gcc-6
@@ -467,6 +470,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "1m0lr7938lw5d773dkvwld90hjlcq2282517d1gwvrfzmwgg42w5"))
               (patches (search-patches "gcc-libsanitizer-fix.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-strmov-store-file-names.patch"
                                        "gcc-6-source-date-epoch-1.patch"
                                        "gcc-6-source-date-epoch-2.patch"
@@ -511,6 +515,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "0p71bij6bfhzyrs8676a8jmpjsfz392s2rg862sdnsk30jpacb43"))
               (patches (search-patches "gcc-strmov-store-file-names.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-5.0-libvtv-runpath.patch"))))
     (description
      "GCC is the GNU Compiler Collection.  It provides compiler front-ends
@@ -854,7 +859,7 @@ as the 'native-search-paths' field."
 (define-public isl
   (package
     (name "isl")
-    (version "0.18")
+    (version "0.19")
     (source (origin
              (method url-fetch)
              (uri (list (string-append
@@ -865,7 +870,7 @@ as the 'native-search-paths' field."
                                        name "-" version ".tar.gz")))
              (sha256
               (base32
-               "06ybml6llhi4i56q90jnimbcgk1lpcdwhy9nxdxra2hxz3bhz2vb"))))
+               "1n4yz9rj24mv226hqbpw210ifvqkn8dgvpnkzf0s0lkq9zrjd5ym"))))
     (build-system gnu-build-system)
     (inputs `(("gmp" ,gmp)))
     (home-page "http://isl.gforge.inria.fr/")
@@ -883,6 +888,20 @@ reduction, transitive closures on maps (which may encode infinite graphs),
 dependence analysis and bounds on piecewise step-polynomials.")
     (license lgpl2.1+)))
 
+(define-public isl-0.18
+  (package
+    (inherit isl)
+    (version "0.18")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "http://isl.gforge.inria.fr/isl-"
+                                        version ".tar.bz2")
+                         (string-append %gcc-infrastructure
+                                        "isl-" version ".tar.gz")))
+              (sha256
+               (base32
+                "06ybml6llhi4i56q90jnimbcgk1lpcdwhy9nxdxra2hxz3bhz2vb"))))))
+
 (define-public isl-0.11
   (package
     (inherit isl)
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 327a1f1545..1fe69577fd 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -39,7 +39,6 @@
 (define-public gd
   (package
     (name "gd")
-    (replacement gd/fixed)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
@@ -52,7 +51,10 @@
              (sha256
               (base32
                "0lfy5f241sbv8s3splm2zqiaxv7lxrcshh875xryryk7yk5jqc4c"))
-             (patches (search-patches "gd-fix-tests-on-i686.patch"
+
+             (patches (search-patches "gd-CVE-2018-5711.patch"
+                                      "gd-CVE-2018-1000222.patch"
+                                      "gd-fix-tests-on-i686.patch"
                                       "gd-freetype-test-failure.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -92,16 +94,6 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
-(define-public gd/fixed
-  (hidden-package
-    (package
-      (inherit gd)
-      (source (origin
-                (inherit (package-source gd))
-                (patches (append (origin-patches (package-source gd))
-                                 (search-patches "gd-CVE-2018-5711.patch"
-                                                 "gd-CVE-2018-1000222.patch"))))))))
-
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 518e18397b..b46451d94e 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2013, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
@@ -55,7 +55,7 @@
             (sha256 (base32
                      "083xisy6z01zhm7p7rgk4bx9d6zlr8l20qkfv1g29ylnhgwzvij8"))))
    (build-system gnu-build-system)
-   (inputs `(("libjpeg-8" ,libjpeg-8)
+   (inputs `(("libjpeg" ,libjpeg)
              ("libtiff" ,libtiff)
              ("zlib" ,zlib)))
    (synopsis "Little CMS, a small-footprint colour management engine")
@@ -135,8 +135,7 @@ printing, and psresize, for adjusting page sizes.")
 (define-public ghostscript
   (package
     (name "ghostscript")
-    (replacement ghostscript/fixed)
-    (version "9.23")
+    (version "9.24")
     (source
       (origin
         (method url-fetch)
@@ -146,8 +145,9 @@ printing, and psresize, for adjusting page sizes.")
                             "/ghostscript-" version ".tar.xz"))
         (sha256
          (base32
-          "1ng8d9fm5lza7k1f7ybc791275c07z5hcmpkrl2i226nshkxrkhz"))
-        (patches (search-patches "ghostscript-runpath.patch"
+          "1mk922rnml93w2g42yxiyn8xqanc50cm65irrgh0b6lp4kgifjfl"))
+        (patches (search-patches "ghostscript-CVE-2018-16509.patch"
+                                 "ghostscript-bug-699708.patch"
                                  "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
@@ -166,7 +166,9 @@ printing, and psresize, for adjusting page sizes.")
     (arguments
      `(#:disallowed-references ("doc")
        #:configure-flags
-       (list "--with-system-libtiff"
+       (list (string-append "LDFLAGS=-Wl,-rpath="
+                            (assoc-ref %outputs "out") "/lib")
+             "--with-system-libtiff"
              "LIBS=-lz"
              (string-append "ZLIBDIR="
                             (assoc-ref %build-inputs "zlib") "/include")
@@ -184,6 +186,12 @@ printing, and psresize, for adjusting page sizes.")
                    '()))
        #:phases
        (modify-phases %standard-phases
+        (add-before 'configure 'create-output-directory
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; The configure script refuses to function if the directory
+            ;; specified as -rpath does not already exist.
+            (mkdir-p (string-append (assoc-ref outputs "out") "/lib"))
+            #t))
         (add-after 'configure 'remove-doc-reference
           (lambda _
             ;; Don't retain a reference to the 'doc' output in 'gs'.
@@ -254,44 +262,6 @@ output file formats and printers.")
     (home-page "https://www.ghostscript.com/")
     (license license:agpl3+)))
 
-(define-public ghostscript/fixed
-  (hidden-package
-    (package
-      (inherit ghostscript)
-      (version "9.24")
-      (source
-        (origin
-          (inherit (package-source ghostscript))
-          (uri (string-append "https://github.com/ArtifexSoftware/"
-                              "ghostpdl-downloads/releases/download/gs"
-                              (string-delete #\. version)
-                              "/ghostscript-" version ".tar.xz"))
-          (sha256
-           (base32
-            "1mk922rnml93w2g42yxiyn8xqanc50cm65irrgh0b6lp4kgifjfl"))
-          (patches (search-patches "ghostscript-CVE-2018-16509.patch"
-                                   "ghostscript-bug-699708.patch"
-                                   "ghostscript-no-header-creationdate.patch"
-                                   "ghostscript-no-header-id.patch"
-                                   "ghostscript-no-header-uuid.patch"))))
-      (arguments
-       (substitute-keyword-arguments (package-arguments ghostscript)
-         ((#:configure-flags flags)
-          ;; Notice that we removed the 'ghostscript-runpath' patch above.
-          ;; The reason is that it conflicts with an upstream change that
-          ;; takes LDFLAGS into account.
-          `(cons (string-append "LDFLAGS=-Wl,-rpath="
-                                (assoc-ref %outputs "out") "/lib")
-                 ,flags))
-         ((#:phases phases)
-          `(modify-phases ,phases
-             (add-before 'configure 'create-output-directory
-               (lambda* (#:key outputs #:allow-other-keys)
-                 ;; Unfortunately the configure script refuses to function if
-                 ;; the directory specified as -rpath does not already exist.
-                 (mkdir-p (string-append (assoc-ref outputs "out") "/lib"))
-                 #t)))))))))
-
 (define-public ghostscript/x
   (package/inherit ghostscript
     (name (string-append (package-name ghostscript) "-with-x"))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index b88fab4929..03c8b497b8 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -224,7 +224,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "18.1.5")
+    (version "18.1.8")
     (source
       (origin
         (method url-fetch)
@@ -236,7 +236,7 @@ also known as DXTn or DXTC) for Mesa.")
                                   version "/mesa-" version ".tar.xz")))
         (sha256
          (base32
-          "1sldv7l3g6jfx0yn16kvxlik1qiy037lypdqpvsqc0v6lvqydnv9"))
+          "06y28hpynb8w1qagznr85ml48hf8264w4ji6cmvm2fy7x5zyc6xx"))
         (patches
          (search-patches "mesa-skip-disk-cache-test.patch"))))
     (build-system gnu-build-system)
@@ -252,7 +252,7 @@ also known as DXTn or DXTC) for Mesa.")
         ("xorgproto" ,xorgproto)))
     (inputs
       `(("expat" ,expat)
-        ("libelf" ,libelf)    ;required for r600 when using llvm
+        ("libelf" ,elfutils)  ;required for r600 when using llvm
         ("libva" ,(force libva-without-mesa))
         ("libxml2" ,libxml2)
         ;; TODO: Add 'libxml2-python' for OpenGL ES 1.1 and 2.0 support
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 14d2a8b315..8dff95fc70 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -80,7 +80,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.12.6")
+    (version "1.12.10")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -88,7 +88,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "05picaq8j60wlwyi84qvw5liw3nd0cws9va3krnc3pms0wm906v2"))
+                "1xywijmgfad4m3cxp0b4l6kvypwc53ckmhwwzbrc6n32jwj3ssab"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -150,7 +150,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.56.0")
+   (version "2.56.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -158,7 +158,7 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1iqgi90fmpl3l23jm2iv44qp7hqsxvnv7978s18933bvx4bnxvzc"))
+              "12d738n1wpvrn39zvy9xazg5h6vzyiwsw8z1qibcj09mh4bbsjnn"))
             (patches (search-patches "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
@@ -303,14 +303,14 @@ dynamic loading, and an object system.")
 (define gobject-introspection
   (package
     (name "gobject-introspection")
-    (version "1.56.0")
+    (version "1.56.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/"
                    "gobject-introspection/" (version-major+minor version)
                    "/gobject-introspection-" version ".tar.xz"))
              (sha256
-              (base32 "1y50pbn5qqbcv2h9rkz96wvv5jls2gma9bkqjq6wapmaszx5jw0d"))
+              (base32 "0jx2kryjd7l0vl5gb3qp1qjfy3cjiizvcd1snsm7pzwrzz67aa2v"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -598,7 +598,7 @@ useful for C++.")
 (define-public python-pygobject
   (package
     (name "python-pygobject")
-    (version "3.28.2")
+    (version "3.28.3")
     (source
      (origin
        (method url-fetch)
@@ -607,7 +607,7 @@ useful for C++.")
                            "/pygobject-" version ".tar.xz"))
        (sha256
         (base32
-         "1jpjws4v17wv99lbhks0g0152w0f70mnwpdn8ibzzfgw2kykli5c"))))
+         "1c6h3brzlyvzbpdsammnd957azmp6cbzqrd65r400vnh2l8f5lrx"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index de938e4b14..bdf4dfe711 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -124,6 +124,7 @@
   #:use-module (gnu packages ssh)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages gl)
+  #:use-module (gnu packages graphviz)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages spice)
   #:use-module (gnu packages tex)
@@ -940,14 +941,14 @@ guidelines.")
 (define-public shared-mime-info
   (package
     (name "shared-mime-info")
-    (version "1.8")
+    (version "1.9")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://freedesktop.org/~hadess/"
                                  "shared-mime-info-" version ".tar.xz"))
              (sha256
               (base32
-               "1sc96lv9dp1lkvs8dh3ngm3hbjb274d363dl9avhb61il3qmxx9a"))))
+               "10ywzhzg8v1xmb9sz5xbqaci90id38knswigynyl33i29vn360aw"))))
     (build-system gnu-build-system)
     (arguments
      ;; The build system appears not to be parallel-safe.
@@ -1178,7 +1179,7 @@ XML/CSS rendering engine.")
 (define-public libgsf
   (package
     (name "libgsf")
-    (version "1.14.43")
+    (version "1.14.44")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1186,7 +1187,7 @@ XML/CSS rendering engine.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "05pf3h0dha3s20ddsrljbx7m94qyiqs5igwxx1ql0vlsdlylx50j"))))
+                "1ppzfk3zmmgrg9jh8vc4dacddbfngjslq2wpj94pcr3i0c8dxgk8"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("intltool" ,intltool)
@@ -2036,7 +2037,7 @@ passwords in the GNOME keyring.")
 (define-public vala
   (package
     (name "vala")
-    (version "0.36.3")
+    (version "0.40.9")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -2044,7 +2045,7 @@ passwords in the GNOME keyring.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0706izk9prxqclm7gv4f63diwnlc1llvfl5sc9ghqbgn076lx2mc"))))
+                "0yvaijkpahzz26sa37cyzbj75a9vbcbgvxbqzzb7hbcvfy009zy7"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -2052,20 +2053,25 @@ passwords in the GNOME keyring.")
          (add-before 'check 'pre-check
                      (lambda _
                        (setenv "CC" "gcc")
+                       (substitute* "valadoc/tests/testrunner.sh"
+                         (("export PKG_CONFIG_PATH=" m)
+                          (string-append m "$PKG_CONFIG_PATH:")))
                        ;; For missing '/etc/machine-id'.
                        (setenv "DBUS_FATAL_WARNINGS" "0")
-                       #t)))
-       ;; Build the Vala API generator
-       #:configure-flags '("--enable-vapigen")))
+                       #t)))))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("flex" ,flex)
        ("bison" ,bison)
        ("xsltproc" ,libxslt)
+       ("grep" ,grep)
+       ("sed" ,sed)
        ("dbus" ,dbus)                                     ; for dbus tests
        ("gobject-introspection" ,gobject-introspection))) ; for gir tests
+    (inputs
+     `(("graphviz" ,graphviz)))
     (propagated-inputs
-     `(("glib" ,glib))) ; required by libvala-0.26.pc
+     `(("glib" ,glib))) ; required by libvala-0.40.pc
     (home-page "https://live.gnome.org/Vala/")
     (synopsis "Compiler for the GObject type system")
     (description
@@ -5858,7 +5864,7 @@ is complete it provides a graphical representation of each selected folder.")
 (define-public gnome-backgrounds
   (package
     (name "gnome-backgrounds")
-    (version "3.26.2")
+    (version "3.28.0")
     (source
      (origin
        (method url-fetch)
@@ -5867,8 +5873,8 @@ is complete it provides a graphical representation of each selected folder.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "0kzrh5h0cfby3rhsy31d1w1c0rr3wcc845kv6zibqw1x8v9si2rs"))))
-    (build-system glib-or-gtk-build-system)
+         "1qgim0yhzjgcq172y4vp5hqz4rh1ak38a7pgi6s7dq0wklyrcnxj"))))
+    (build-system meson-build-system)
     (native-inputs
      `(("intltool" ,intltool)))
     (home-page "https://git.gnome.org/browse/gnome-backgrounds")
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index c38fe64200..3d6727bbde 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -73,7 +73,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.28")
+    (version "1.32")
     (source
      (origin
       (method url-fetch)
@@ -81,8 +81,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0jfsfnh9bxlxiwxws60yah4ybjw2hshmvqp31pri4m4h8ivrbnry"))
-      (patches (search-patches "libgpg-error-aarch64-logging-fix.patch"))))
+        "1jj08ns4sh1hmafqp1giskvdicdz18la516va26jycy27kkwaif3"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -95,32 +94,19 @@ Daemon and possibly more in the future.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgpg-error")))))
 
-;; Some packages (e.g. GPGME) require a newer libgpg-error to deal with
-;; error codes from recent GnuPG.  Remove this in the next rebuild cycle.
-(define-public libgpg-error-1.31
-  (package
-    (inherit libgpg-error)
-    (version "1.31")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/libgpg-error/libgpg-error-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "1vx4nw6rxh2biy3h8n96fyr86q29h8gjl6837437i51jr4isil20"))))))
-
 (define-public libgcrypt
   (package
-    (replacement libgcrypt/fixed)
     (name "libgcrypt")
-    (version "1.8.2")
+    (version "1.8.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "01sca9m8hm6b5v8hmqsfdjhyz013869p1f0fxw9ln52qfnp4q1n8"))))
+               "0z5gs1khzyknyfjr19k8gk4q148s6q987ya85cpn0iv70fz91v36"))
+             (patches
+              (search-patches "libgcrypt-make-yat2m-reproducible.patch"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
@@ -146,19 +132,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define libgcrypt/fixed
-  (package
-    (inherit libgcrypt)
-    (name "libgcrypt")
-    (version "1.8.3")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                                 version ".tar.bz2"))
-             (sha256
-              (base32
-               "0z5gs1khzyknyfjr19k8gk4q148s6q987ya85cpn0iv70fz91v36"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
@@ -407,7 +380,7 @@ libskba (working with X.509 certificates and CMS data).")
      `(("gnupg" ,gnupg)))
     (propagated-inputs
      ;; Needs to be propagated because gpgme.h includes gpg-error.h.
-     `(("libgpg-error" ,libgpg-error-1.31)))
+     `(("libgpg-error" ,libgpg-error)))
     (inputs
      `(("libassuan" ,libassuan)))
     (home-page "https://www.gnupg.org/related_software/gpgme/")
diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index f14057417d..7c026ff5f0 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -277,6 +277,15 @@ in the style of communicating sequential processes (@dfn{CSP}).")
                     (string-append
                      "\"-Wl,-rpath=" gcclib "\", \"-lgcc_s\", ")))
 
+                 ;; XXX Commit 65fa2b615b72c1fa61a7 in the Go repo.  We do this
+                 ;; without a patch because ((guix packages) patch-and-repack)
+                 ;; resets file mtimes, and parts of Go's test suite rely on
+                 ;; those timestamps.
+                 ;; <https://github.com/golang/go/issues/26369>
+                 (substitute* "cmd/internal/objfile/elf.go"
+                   (("PT_LOAD")
+                     "PT_LOAD && p.Flags&elf.PF_X != 0"))
+
                  ;; Disable failing tests: these tests attempt to access
                  ;; commands or network resources which are neither available
                  ;; nor necessary for the build to succeed.
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 435c3e5b3a..f43a0fc2f5 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -102,7 +102,7 @@ arrays of data.")
 (define-public gstreamer
   (package
     (name "gstreamer")
-    (version "1.14.2")
+    (version "1.14.3")
     (source
      (origin
       (method url-fetch)
@@ -111,7 +111,7 @@ arrays of data.")
             version ".tar.xz"))
       (sha256
        (base32
-        "029fi3v0vrravysgfwhfkrb3ndg64sjmigbb0iwr7wpkk5r15mjb"))))
+        "0mh4755an4gk0z3ygqhjpdjk0r2cwswbpwfgl0x6qmnln4757bhk"))))
     (build-system gnu-build-system)
     (outputs '("out" "doc"))
     (arguments
@@ -150,7 +150,7 @@ This package provides the core library and elements.")
 (define-public gst-plugins-base
   (package
     (name "gst-plugins-base")
-    (version "1.14.2")
+    (version "1.14.3")
     (source
      (origin
       (method url-fetch)
@@ -158,7 +158,7 @@ This package provides the core library and elements.")
                           name "-" version ".tar.xz"))
       (sha256
        (base32
-        "0z0wy0p0nxxqhsis3n517d6ykldm02g7rca9fhq9kxb9m05yidx4"))))
+        "0lkr1fm3bz21nqq9vi5v74mlxw6dd6i7piw00fhc5zz0dg1ikczh"))))
     (build-system gnu-build-system)
     (outputs '("out" "doc"))
     (propagated-inputs
@@ -209,7 +209,7 @@ for the GStreamer multimedia library.")
 (define-public gst-plugins-good
   (package
     (name "gst-plugins-good")
-    (version "1.14.2")
+    (version "1.14.3")
     (source
      (origin
       (method url-fetch)
@@ -218,7 +218,7 @@ for the GStreamer multimedia library.")
             name "-" version ".tar.xz"))
       (sha256
        (base32
-        "1bfa4n6xhr4v4wga8pv1y00rm1aka498snw6kgszy2w624l5wmy0"))))
+        "0pgzgfqbfp8lz2ns68797xfxdr0cr5rpi93wd1h2grhbmzkbq4ji"))))
     (build-system gnu-build-system)
     (inputs
      `(("aalib" ,aalib)
@@ -271,14 +271,14 @@ developers consider to have good quality code and correct functionality.")
 (define-public gst-plugins-bad
   (package
     (name "gst-plugins-bad")
-    (version "1.14.2")
+    (version "1.14.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gstreamer.freedesktop.org/src/"
                                   name "/" name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1bqy3dn7q4kdkd4lqznyly8fv854d0hhncv88jk6ai4rf3dbgyil"))))
+                "1mczcna91f3kkk3yv5fkfa8nmqdr9d93aq9z4d8sv18vkiflw8mj"))))
     (outputs '("out" "doc"))
     (build-system gnu-build-system)
     (arguments
@@ -346,7 +346,7 @@ par compared to the rest.")
 (define-public gst-plugins-ugly
   (package
     (name "gst-plugins-ugly")
-    (version "1.14.2")
+    (version "1.14.3")
     (source
      (origin
        (method url-fetch)
@@ -354,7 +354,7 @@ par compared to the rest.")
                            name "/" name "-" version ".tar.xz"))
        (sha256
         (base32
-         "0s9xrz8knfv06fj1nbv3iq4xj7dj4cnzj3xvgb7zs89rv7crgq2m"))))
+         "01i31g5rvw36rjlyi9w24n0g1xa6053d14vaiba6vqpas727z123"))))
     (build-system gnu-build-system)
     (inputs
      `(("gst-plugins-base" ,gst-plugins-base)
@@ -381,7 +381,7 @@ distribution problems in some jurisdictions, e.g. due to patent threats.")
 (define-public gst-libav
   (package
     (name "gst-libav")
-    (version "1.14.2")
+    (version "1.14.3")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -389,7 +389,7 @@ distribution problems in some jurisdictions, e.g. due to patent threats.")
                     name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1pknqpjxq1l3vlprdsmxxwk0lwqa555fqd543k9vphngqlwiqdca"))
+                "0xxnb80yhfa42x4wx1928zydaal35b2mcj0zdcdsv1apnjdm40wv"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -417,7 +417,7 @@ compression formats through the use of the libav library.")
 (define-public python-gst
   (package
     (name "python-gst")
-    (version "1.14.2")
+    (version "1.14.3")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -425,7 +425,7 @@ compression formats through the use of the libav library.")
                     "gst-python-" version ".tar.xz"))
               (sha256
                (base32
-                "08nb011acyvlz48fqh8c084k0dlssz9b7wha7zzk797inidbwh6w"))))
+                "01w3mpimbm8drifhrkvpns79h15kd9h9v0dynr7yb12kjrnfghsg"))))
     (build-system gnu-build-system)
     (arguments
      ;; XXX: Factorize python-sitedir with python-build-system.
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 8c25922c9e..cec10504c5 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
-;;; Copyright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Coypright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Fabian Harfert <fhmgufs@web.de>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
@@ -112,15 +112,16 @@ tools have full access to view and control running applications.")
 (define-public cairo
   (package
    (name "cairo")
-   (version "1.14.10")
+   (version "1.14.12")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://cairographics.org/releases/cairo-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "02banr0wxckq62nbhc3mqidfdh2q956i2r7w2hd9bjgjb238g1vy"))
-            (patches (search-patches "cairo-CVE-2016-9082.patch"))))
+              "05mzyxkvsfc1annjw2dja8vka01ampp9pp93lg09j8hba06g144c"))
+            (patches (search-patches "cairo-CVE-2016-9082.patch"
+                                     "cairo-setjmp-wrapper.patch"))))
    (build-system gnu-build-system)
    (propagated-inputs
     `(("fontconfig" ,fontconfig)
@@ -178,7 +179,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.7.6")
+   (version "1.8.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.freedesktop.org/software/"
@@ -186,7 +187,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "16rf7qwgy1gza74v2ws79zdwwb1lpvgz2abwwm8ws9j82cwysyys"))))
+               "1ag3scnm1fcviqgx2p4858y433mr0ndqw6zccnccrqcr9mpcird8"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
@@ -217,8 +218,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public pango
   (package
    (name "pango")
-   (version "1.42.0")
-   (replacement pango-1.42.4)
+   (version "1.42.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/pango/"
@@ -226,18 +226,18 @@ affine transformation (scale, rotation, shear, etc.).")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0illn78nfwpa8y5knh9ir74wa1skc2hi8f3ny19zgpyf7n5dh94r"))))
+              "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))
    (build-system gnu-build-system)
    (propagated-inputs
     ;; These are all in Requires or Requires.private of the '.pc' files.
     `(("cairo" ,cairo)
+      ("fribidi" ,fribidi)
       ("fontconfig" ,fontconfig)
       ("freetype" ,freetype)
       ("glib" ,glib)
       ("harfbuzz" ,harfbuzz)))
    (inputs
-    `(("fribidi" ,fribidi)
-      ("zlib" ,zlib)
+    `(("zlib" ,zlib)
 
       ;; Some packages, such as Openbox, expect Pango to be built with the
       ;; optional libxft support.
@@ -254,19 +254,6 @@ used throughout the world.")
    (license license:lgpl2.0+)
    (home-page "https://developer.gnome.org/pango/")))
 
-(define-public pango-1.42.4
-  (package
-    (inherit pango)
-    (version "1.42.4")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnome/sources/pango/"
-                                  (version-major+minor version) "/"
-                                  "pango-" version ".tar.xz"))
-              (sha256
-               (base32
-                "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))))
-
 (define-public pangox-compat
   (package
     (name "pangox-compat")
@@ -456,7 +443,7 @@ highlighting and other features typical of a source code editor.")
 (define-public gdk-pixbuf
   (package
    (name "gdk-pixbuf")
-   (version "2.36.12")
+   (version "2.38.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -464,26 +451,39 @@ highlighting and other features typical of a source code editor.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0d534ysa6n9prd17wwzisq7mj6qkhwh8wcf8qgin1ar3hbs5ry7z"))))
-   (build-system gnu-build-system)
+              "0ixfmnxjylx06mjaw116apymwi1a8rnkmkbbvqaxxg2pfwy9fl6x"))))
+   (build-system meson-build-system)
    (arguments
-    '(#:configure-flags '("--with-x11")
+    '(#:configure-flags '("-Dinstalled-tests=false")
       #:phases
       (modify-phases %standard-phases
         (add-after
          'unpack 'disable-failing-tests
          (lambda _
-           (substitute* "tests/Makefile.in"
+           (substitute* "tests/meson.build"
              ;; XXX FIXME: This test fails on armhf machines with:
              ;; SKIP Not enough memory to load bitmap image
              ;; ERROR: cve-2015-4491 - too few tests run (expected 4, got 2)
-             (("cve-2015-4491\\$\\(EXEEXT\\) ") "")
+             ((".*'cve-2015-4491'.*") "")
              ;; XXX FIXME: This test fails with:
              ;; ERROR:pixbuf-jpeg.c:74:test_type9_rotation_exif_tag:
              ;; assertion failed (error == NULL): Data differ
              ;; (gdk-pixbuf-error-quark, 0)
-             (("pixbuf-jpeg\\$\\(EXEEXT\\) ") ""))
-           #t)))))
+             ((".*'pixbuf-jpeg'.*") "")
+             ;; Extend the timeout of the test suite.
+             ;; TODO: Check upstreaming effort:
+             ;; https://gitlab.gnome.org/GNOME/gdk-pixbuf/merge_requests/21
+             (("300") "1800"))
+           #t))
+        (add-before 'configure 'aid-install-script
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; "build-aux/post-install.sh" invokes `gdk-pixbuf-query-loaders`
+            ;; for updating loader.cache, but it's not on PATH.  Make it use
+            ;; the one we're installing.  XXX: Won't work when cross-compiling.
+            (substitute* "build-aux/post-install.sh"
+              (("gdk-pixbuf-query-loaders" match)
+               (string-append (assoc-ref outputs "out") "/bin/" match)))
+            #t)))))
    (propagated-inputs
     `(;; Required by gdk-pixbuf-2.0.pc
       ("glib" ,glib)
@@ -496,6 +496,7 @@ highlighting and other features typical of a source code editor.")
       ("libx11"  ,libx11)))
    (native-inputs
      `(("pkg-config" ,pkg-config)
+       ("gettext" ,gettext-minimal)
        ("glib" ,glib "bin")                               ; glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection))) ; g-ir-compiler, etc.
    (synopsis "GNOME image loading and manipulation library")
@@ -515,7 +516,7 @@ in the GNOME project.")
      `(("librsvg" ,librsvg)
        ,@(package-inputs gdk-pixbuf)))
     (arguments
-     '(#:configure-flags '("--with-x11")
+     '(#:configure-flags '("-Dinstalled-tests=false")
        #:tests? #f ; tested by the gdk-pixbuf package already
        #:phases
        (modify-phases %standard-phases
@@ -584,7 +585,7 @@ is part of the GNOME accessibility project.")
 (define-public at-spi2-atk
   (package
    (name "at-spi2-atk")
-   (version "2.26.1")
+   (version "2.26.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -592,7 +593,7 @@ is part of the GNOME accessibility project.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0x9vc99ni46fg5dzlx67vbw0zqffr24gz8jvbdxbmzyvc5xw5w5l"))))
+              "0vkan52ab9vrkknnv8y4f1cspk8x7xd10qx92xk9ys71p851z2b1"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
@@ -685,7 +686,7 @@ application suites.")
    (name "gtk+")
    ;; NOTE: When updating the version of 'gtk+', the hash of 'mate-themes' in
    ;;       mate.scm will also need to be updated.
-   (version "3.22.30")
+   (version "3.24.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -693,7 +694,7 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0rv5k8fyi2i19k4zncai6vf429s6zy3kncr8vb6f3m034z0sb951"))
+              "1a1jbsh9fg5ykmwrcl3svy7xfvx0b87d314qsx9n483pj8w93s82"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
                                      "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
    (outputs '("out" "bin" "doc"))
@@ -729,9 +730,9 @@ application suites.")
       ("python-wrapper" ,python-wrapper)
       ;; By using a special xorg-server for GTK+'s tests, we reduce the impact
       ;; of updating xorg-server directly on the master branch.
-      ("xorg-server" ,xorg-server-1.19.3)))
+      ("xorg-server" ,xorg-server-for-tests)))
    (arguments
-    `(#:disallowed-references (,xorg-server-1.19.3)
+    `(#:disallowed-references (,xorg-server-for-tests)
       ;; 47 MiB goes to "out" (24 of which is locale data!), and 26 MiB goes
       ;; to "doc".
       #:configure-flags (list (string-append "--with-html-dir="
@@ -1060,7 +1061,7 @@ toolkit.")
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("glib" ,glib "bin")        ;for 'glib-compile-resources'
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     (propagated-inputs
      `(("pangomm" ,pangomm)
        ("cairomm" ,cairomm)
@@ -1071,7 +1072,7 @@ toolkit.")
      `(;; XXX: Tests require C++14 or later.  Remove this when the default
        ;; compiler is >= GCC6.
        #:configure-flags '("CXXFLAGS=-std=gnu++14")
-       #:disallowed-references (,xorg-server-1.19.3)
+       #:disallowed-references (,xorg-server-for-tests)
        #:phases (modify-phases %standard-phases
                   (add-before 'check 'run-xvfb
                     (lambda* (#:key inputs #:allow-other-keys)
@@ -1152,7 +1153,7 @@ printing and other features typical of a source code editor.")
 (define-public python-pycairo
   (package
     (name "python-pycairo")
-    (version "1.16.3")
+    (version "1.17.1")
     (source
      (origin
       (method url-fetch)
@@ -1160,7 +1161,7 @@ printing and other features typical of a source code editor.")
                           version "/pycairo-" version ".tar.gz"))
       (sha256
        (base32
-        "1xq1bwhyi5imca5kvd28szh2rdzi8g0kaspwaqgsbczqskjj3csv"))))
+        "165n0g7gp2a0qi8558snvfans17x83jv2lv7bx4vr1rxjbn3a2hg"))))
     (build-system python-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -1355,7 +1356,7 @@ and routines to assist in editing internationalized text.")
                      ("check" ,check)
                      ("gettext" ,gettext-minimal)
                      ("glib:bin" ,glib "bin")
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     ;; Listed in 'Requires.private' of 'girara.pc'.
     (propagated-inputs `(("gtk+" ,gtk+)))
     (arguments
diff --git a/gnu/packages/guile-wm.scm b/gnu/packages/guile-wm.scm
index 364477be72..3755282403 100644
--- a/gnu/packages/guile-wm.scm
+++ b/gnu/packages/guile-wm.scm
@@ -56,7 +56,7 @@
                                            (string-append
                                             "--with-guile-site-ccache-dir="
                                             (assoc-ref %outputs "out")
-                                            "/share/guile/site/2.2"))))
+                                            "/lib/guile/2.2/site-ccache"))))
       (native-inputs `(("pkg-config" ,pkg-config)
                        ("texinfo" ,texinfo)))
       (inputs `(("guile" ,guile-2.2)
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 9e33003375..2d4d8c3218 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -213,8 +213,7 @@ without requiring the source code to be rewritten.")
            (files '("share/guile/site/2.0")))
           (search-path-specification
            (variable "GUILE_LOAD_COMPILED_PATH")
-           (files '("lib/guile/2.0/site-ccache"
-                    "share/guile/site/2.0")))))
+           (files '("lib/guile/2.0/site-ccache")))))
 
    (synopsis "Scheme implementation intended especially for extensions")
    (description
@@ -243,7 +242,7 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.2
   (package (inherit guile-2.0)
     (name "guile")
-    (version "2.2.3")
+    (version "2.2.4")
     (source (origin
               (method url-fetch)
 
@@ -253,7 +252,7 @@ without requiring the source code to be rewritten.")
                                   ".tar.xz"))
               (sha256
                (base32
-                "11j01agvnci2cx32wwpqs9078856yxmvs15gcsz7ganpkj2ahlw3"))
+                "07p3g0v2ba2vlfbfidqzlgbhnzdx46wh2rgc5gszq1mjyx5bks6r"))
               (modules '((guix build utils)))
 
               ;; Remove the pre-built object files.  Instead, build everything
@@ -272,8 +271,7 @@ without requiring the source code to be rewritten.")
             (files '("share/guile/site/2.2")))
            (search-path-specification
             (variable "GUILE_LOAD_COMPILED_PATH")
-            (files '("lib/guile/2.2/site-ccache"
-                     "share/guile/site/2.2")))))
+            (files '("lib/guile/2.2/site-ccache")))))
 
     (arguments
      (if (%current-target-system)
@@ -302,35 +300,6 @@ without requiring the source code to be rewritten.")
                   (max-silent-time . 36000))))) ;10 hours (needed on ARM
                                                 ;  when heavily loaded)
 
-(define-public guile-2.2.2
-  ;; Keep it so that, when 'guix' runs on 2.2.2, 'guix pull' compiles objects
-  ;; with 2.2.2, thereby avoiding the ABI incompatibility issues described in
-  ;; <https://bugs.gnu.org/29570>.
-  (package
-    (inherit guile-2.2)
-    (version "2.2.2")
-    (source (origin
-              (inherit (package-source guile-2.2))
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "1azm25zcmxif0skxfrp11d2wc89nrzpjaann9yxdw6pvjxhs948w"))))))
-
-(define-public guile-2.2.4
-  ;; This version contains important bug fixes, in particular wrt. to crashes
-  ;; of multi-threaded code as used by 'guix pull' and grafting.
-  (package
-    (inherit guile-2.2)
-    (version "2.2.4")
-    (source (origin
-              (inherit (package-source guile-2.2))
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "07p3g0v2ba2vlfbfidqzlgbhnzdx46wh2rgc5gszq1mjyx5bks6r"))))))
-
 (define-public guile-next
   ;; This is the upcoming Guile 3.0, with JIT support.
   (let ((commit "6f3357b0df64c4be17e72079864c09a542f1c779")
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index c4d3703794..2d28107e81 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -32,7 +32,7 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "61.1")
+   (version "62.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -42,7 +42,7 @@
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "1vxgkx0cyvdy00a9yd5khkx14r5kcndkax2wa99klm52x2dgh1yh"))))
+             (base32 "18ssgnwzzpm1g1fvbm9h1fvryiwxvvn5wc3fdakdsl33cs6qdn9x"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
@@ -55,10 +55,24 @@
                     (string-prefix? "mips" s)))
               '("--with-data-packaging=archive")
               '()))
+        ,@(if (string-prefix? "i686" (or (%current-target-system)
+                                         (%current-system)))
+              ;; FIXME: Some tests are failing on i686:
+              ;; <https://unicode-org.atlassian.net/browse/ICU-20080>.
+              '(#:tests? #f)
+              '())
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'chdir-to-source
-          (lambda _ (chdir "source") #t)))))
+          (lambda _ (chdir "source") #t))
+        (add-after 'install 'avoid-coreutils-reference
+          ;; Don't keep a reference to the build tools.
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              (substitute* (find-files (string-append out "/lib/icu")
+                                       "\\.inc$")
+                (("INSTALL_CMD=.*/bin/install") "INSTALL_CMD=install"))
+              #t))))))
    (synopsis "International Components for Unicode")
    (description
     "ICU is a set of C/C++ and Java libraries providing Unicode and
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index b367e0799c..1113df1ca6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -254,13 +254,13 @@ files.  It can compress them as much as 40% losslessly.")
 (define-public libjpeg
   (package
    (name "libjpeg")
-   (version "9b")
+   (version "9c")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.ijg.org/files/jpegsrc.v"
                    version ".tar.gz"))
             (sha256 (base32
-                     "0lnhpahgdwlrkd41lx6cr90r199f8mc6ydlh7jznj5klvacd63r4"))))
+                     "08kixcf3a7s9x91174abjnk1xbvj4v8crdc73zi4k9h3jfbm00k5"))))
    (build-system gnu-build-system)
    (synopsis "Library for handling JPEG files")
    (description
@@ -402,7 +402,6 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
    (version "4.0.9")
    (source
      (origin
@@ -413,7 +412,9 @@ extracting icontainer icon files.")
         (base32
          "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))
        (patches (search-patches "libtiff-CVE-2017-9935.patch"
-                                "libtiff-CVE-2017-18013.patch"))))
+                                "libtiff-CVE-2017-18013.patch"
+                                "libtiff-CVE-2018-8905.patch"
+                                "libtiff-CVE-2018-10963.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -435,17 +436,6 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source
-      (origin
-        (inherit (package-source libtiff))
-        (patches
-          (append (origin-patches (package-source libtiff))
-                  (search-patches "libtiff-CVE-2018-8905.patch"
-                                  "libtiff-CVE-2018-10963.patch")))))))
-
 (define-public leptonica
   (package
     (name "leptonica")
@@ -503,18 +493,18 @@ arithmetic ops.")
 (define-public jbig2dec
   (package
     (name "jbig2dec")
-    (version "0.14")
-    (replacement jbig2dec-0.15)
-    (source
-      (origin
-        (method url-fetch)
-        (uri
-         (string-append "https://github.com/ArtifexSoftware/ghostpdl-downloads/"
-                        "releases/download/gs922/" name "-" version ".tar.gz"))
-        (sha256
-          (base32 "0k01hp0q4275fj4rbr1gy64svfraw5w7wvwl08yjhvsnpb1rid11"))
-        (patches (search-patches "jbig2dec-ignore-testtest.patch"))))
+    (version "0.15")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/ArtifexSoftware"
+                                  "/ghostpdl-downloads/releases/download"
+                                  "/gs924/" name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0m1qwpbjbirgw2fqznbajdhdhh35d6xa2csr64lpjz735pvimykb"))
+              (patches (search-patches "jbig2dec-ignore-testtest.patch"))))
     (build-system gnu-build-system)
+    (arguments '(#:configure-flags '("--disable-static")))
     (synopsis "Decoder of the JBIG2 image compression format")
     (description
       "JBIG2 is designed for lossy or lossless encoding of 'bilevel' (1-bit
@@ -529,21 +519,6 @@ work.")
     (home-page "https://jbig2dec.com")
     (license license:gpl2+)))
 
-;; This is a bugfix release from an ongoing Ghostscript security audit.
-;; It was released alongside Ghostscript 9.24.
-(define-public jbig2dec-0.15
-  (package
-    (inherit jbig2dec)
-    (version "0.15")
-    (source (origin
-              (inherit (package-source jbig2dec))
-              (uri (string-append "https://github.com/ArtifexSoftware"
-                                  "/ghostpdl-downloads/releases/download/gs924/"
-                                  "jbig2dec-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0m1qwpbjbirgw2fqznbajdhdhh35d6xa2csr64lpjz735pvimykb"))))))
-
 (define-public openjpeg
   (package
     (name "openjpeg")
@@ -850,11 +825,15 @@ graphics image formats like PNG, BMP, JPEG, TIFF and others.")
     `(#:test-target "check"
       #:phases
       (modify-phases %standard-phases
-        ;; See https://github.com/ukoethe/vigra/issues/432
-        (add-after 'unpack 'disable-broken-test
+        (add-after 'unpack 'disable-broken-tests
           (lambda _
+            ;; See https://github.com/ukoethe/vigra/issues/432
             (substitute* "test/fourier/CMakeLists.txt"
               (("VIGRA_ADD_TEST.*") ""))
+            ;; This test fails with Numpy 1.15:
+            ;; <https://github.com/ukoethe/vigra/issues/436>.
+            (substitute* "vigranumpy/test/CMakeLists.txt"
+              (("test1\\.py") ""))
             #t)))
       #:configure-flags
         (list "-Wno-dev" ; suppress developer mode with lots of warnings
diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index de9940df1c..1673cc602e 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2014, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
@@ -54,7 +54,24 @@
                                   "inkscape-" version ".tar.bz2"))
               (sha256
                (base32
-                "1chng2yw8dsjxc9gf92aqv7plj11cav8ax321wmakmv5bb09cch6"))))
+                "1chng2yw8dsjxc9gf92aqv7plj11cav8ax321wmakmv5bb09cch6"))
+              (patches
+               (list (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "a600c6438fef2f4c06f9a4a7d933d99fb054a973.diff"))
+                       (file-name "inkscape-poppler-compat.patch")
+                       (sha256
+                        (base32
+                         "19dam5vsy571xszgjddl5g0958dmcsv0wvgxidp4bhj2lban222i")))
+                     (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "fa1c469aa8c005e07bb8676d72af9f7c16fae3e0.diff"))
+                       (file-name "inkscape-poppler-compat2.patch")
+                       (sha256
+                        (base32
+                         "14k9yrfjz4nx3bz9dk91q74mc0i7rvl2qzkwhcy1br71yqjvngn5")))))))
     (build-system cmake-build-system)
     (inputs
      `(("aspell" ,aspell)
diff --git a/gnu/packages/jemalloc.scm b/gnu/packages/jemalloc.scm
index 5086df7a1b..cb870208e4 100644
--- a/gnu/packages/jemalloc.scm
+++ b/gnu/packages/jemalloc.scm
@@ -32,7 +32,7 @@
 (define-public jemalloc
   (package
     (name "jemalloc")
-    (version "5.0.1")
+    (version "5.1.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -40,8 +40,7 @@
                     version "/jemalloc-" version ".tar.bz2"))
               (sha256
                (base32
-                "1sf3lzgb0y8nnyzmp4zrca3sngdxw3kfh20sna9z03jv74fph528"))
-              (patches (search-patches "jemalloc-arm-address-bits.patch"))))
+                "0s3jpcyhzia8d4k0xyc67is78kg416p9yc3c2f9w6fhhqqffd5jk"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 22d74d32df..508f9c4bd2 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -47,7 +48,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.16")
+    (version "1.16.1")
     (source (origin
               (method url-fetch)
               (uri (list
@@ -59,7 +60,7 @@
                                    "/krb5-" version ".tar.gz")))
               (sha256
                (base32
-                "024yjr15ij0qdnay0bcqfpclgfri0qa8iw4r5zdlryxhhdgi5szs"))))
+                "05qis9l93hhxaknbp0a2v5cr24fsy52fqx20aqqcgl1s9qwzwkr1"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -116,7 +117,7 @@ cryptography.")
      '(;; This is required since we patch some of the build scripts.
        ;; Remove for the next Shishi release after 1.0.2 or when
        ;; removing 'shishi-fix-libgcrypt-detection.patch'.
-       #:configure-flags '("ac_cv_libgcrypt=yes")))
+       #:configure-flags '("ac_cv_libgcrypt=yes" "--disable-static")))
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs
      `(("gnutls" ,gnutls)
diff --git a/gnu/packages/libbsd.scm b/gnu/packages/libbsd.scm
index 58b0be872c..a616de70bd 100644
--- a/gnu/packages/libbsd.scm
+++ b/gnu/packages/libbsd.scm
@@ -25,14 +25,14 @@
 (define-public libbsd
   (package
     (name "libbsd")
-    (version "0.8.7")
+    (version "0.9.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://libbsd.freedesktop.org/releases/"
                                   "libbsd-" version ".tar.xz"))
               (sha256
                (base32
-                "0c9bl49zs0xdddcwj5dh0lay9sxi2m1yi74848g8p87mb87g2j7m"))))
+                "1957w2wi7iqar978qlfsm220dwywnrh5m58nrnn9zmi74ds3bn2n"))))
     (build-system gnu-build-system)
     (synopsis "Utility functions from BSD systems")
     (description "This library provides useful functions commonly found on BSD
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index a7752dc5f0..2de29707ca 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -122,24 +122,17 @@ limited support for fork events.")
 (define-public libuv
   (package
     (name "libuv")
-    (version "1.19.2")
+    (version "1.23.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dist.libuv.org/dist/v" version
                                   "/libuv-v" version ".tar.gz"))
               (sha256
                (base32
-                "1msk9ac1z69whww88ibrwjqkd1apdla6l77cm2fwy5kigq0z5g3w"))))
+                "09yf7c71n8b80nbsv4lsmq5nqmb0rylhpx3z9jgkv5za9lr6sx6i"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
-                  (add-after 'unpack 'autogen
-                    (lambda _
-                      ;; Fashionable people don't run 'make dist' these days, so
-                      ;; we need to do that ourselves.
-                      (invoke "sh" "autogen.sh"))))
-
-       ;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
+     '(;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
        #:tests? #f))
     (native-inputs `(("autoconf" ,autoconf-wrapper)
                      ("automake" ,automake)
@@ -159,6 +152,19 @@ resolution, asynchronous file system operations, and threading primitives.")
     ;; details.  Documentation is CC-BY 4.0 as of 1.12.0; see 'LICENSE-docs'.
     (license (list expat cc-by4.0))))
 
+;; This version is required for Node versions < 10.
+(define-public libuv-1.19
+  (package
+    (inherit libuv)
+    (version "1.19.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://dist.libuv.org/dist/v" version
+                                  "/libuv-v" version ".tar.gz"))
+              (sha256
+               (base32
+                "1msk9ac1z69whww88ibrwjqkd1apdla6l77cm2fwy5kigq0z5g3w"))))))
+
 (define-public perl-anyevent
   (package
     (name "perl-anyevent")
diff --git a/gnu/packages/libffi.scm b/gnu/packages/libffi.scm
index 0d54c305b2..d1b910bd07 100644
--- a/gnu/packages/libffi.scm
+++ b/gnu/packages/libffi.scm
@@ -50,7 +50,10 @@
               (patches (search-patches "libffi-3.2.1-complex-alpha.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases
+     `(;; Prevent the build system from passing -march and -mtune to the
+       ;; compiler.  See "ax_cc_maxopt.m4" and "ax_gcc_archflag.m4".
+       #:configure-flags '("--enable-portable-binary" "--without-gcc-arch")
+       #:phases
        (modify-phases %standard-phases
          (add-after 'install 'post-install
            (lambda* (#:key outputs #:allow-other-keys)
@@ -79,13 +82,13 @@ conversions for values passed between the two languages.")
 (define-public python-cffi
   (package
     (name "python-cffi")
-    (version "1.11.4")
+    (version "1.11.5")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "cffi" version))
       (sha256
-       (base32 "07fiy4wqg8g08x38r04ydjr8n6g0g74gb8si8b6jhymijalq746z"))))
+       (base32 "1x3lrj928dcxx1k8k9gf3s4s3jwvzv8mc3kkyg1g7c3a1sc1f3z9"))))
     (build-system python-build-system)
     (outputs '("out" "doc"))
     (inputs
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 249c3f8458..719a0f0b4b 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,26 +33,18 @@
 (define-public libidn
   (package
    (name "libidn")
-   (version "1.34")
+   (version "1.35")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libidn/libidn-" version
                                 ".tar.gz"))
             (sha256
              (base32
-              "0g3fzypp0xjcgr90c5cyj57apx1cmy0c6y9lvw2qdcigbyby469p"))
-            (modules '((guix build utils)))
-            (snippet
-             '(begin
-                ;; The gnulib test-lock test is prone to writer starvation
-                ;; with our glibc@2.25, which prefers readers, so disable it.
-                ;; The gnulib commit b20e8afb0b2 should fix this once
-                ;; incorporated here.
-                (substitute* "lib/gltests/Makefile.in"
-                  (("test-lock\\$\\(EXEEXT\\) ") ""))
-                #t))))
+              "07pyy0afqikfq51z5kbzbj9ldbd12mri0zvx0mfv3ds6bc0g26pi"))))
    (build-system gnu-build-system)
-;; FIXME: No Java and C# libraries are currently built.
+   ;; FIXME: No Java and C# libraries are currently built.
+   (arguments
+    `(#:configure-flags '("--disable-static")))
    (synopsis "Internationalized string processing library")
    (description
      "libidn is a library implementing of the Stringprep, Punycode and IDNA
@@ -66,19 +59,21 @@ Java libraries.")
 (define-public libidn2
   (package
     (name "libidn2")
-    (version "2.0.4")
+    (version "2.0.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/libidn/" name "-" version
                                   ".tar.lz"))
               (sha256
                (base32
-                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))
+                "0s4nkazy1xbs6bbq4farby1xhmhzk5bdclbil5gqdwyzxsgabxqg"))))
     (native-inputs
      `(("lzip" ,lzip)))
     (inputs
      `(("libunistring" ,libunistring)))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--disable-static")))
     (synopsis "Internationalized domain name library for IDNA2008")
     (description "Libidn2 is an internationalized domain library implementing
 the IDNA2008 specifications.   Libidn2 is believed to be a complete IDNA2008
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index e5ab5c5071..9571ba6e7d 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -318,7 +318,16 @@ working with graphics in the WPG (WordPerfect Graphics) format.")
           ;; During configure, the boost headers are found, but linking
           ;; fails without the following flag.
           (string-append "--with-boost="
-                         (assoc-ref %build-inputs "boost")))))
+                         (assoc-ref %build-inputs "boost")))
+        #:phases (modify-phases %standard-phases
+                   (add-before 'build 'fix-boost-include
+                     (lambda _
+                       ;; This library moved in Boost and the compatibility
+                       ;; redirect is no longer available since version 1.68.0.
+                       (substitute* "src/libcmis/xml-utils.cxx"
+                         (("boost/uuid/sha1.hpp")
+                          "boost/uuid/detail/sha1.hpp"))
+                       #t)))))
     (home-page "https://github.com/tdf/libcmis")
     (synopsis "CMIS client library")
     (description "LibCMIS is a C++ client library for the CMIS interface.  It
diff --git a/gnu/packages/libsigsegv.scm b/gnu/packages/libsigsegv.scm
index 7f63bb26c4..927a12f4cf 100644
--- a/gnu/packages/libsigsegv.scm
+++ b/gnu/packages/libsigsegv.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -38,20 +38,23 @@
    (home-page "https://www.gnu.org/software/libsigsegv/")
    (synopsis "Library for handling page faults")
    (arguments
-    ;; On MIPS, work around this error:
-    ;;
-    ;; In file included from fault-linux-mips-old.h:18:0,
-    ;;    [...]
-    ;; linux-libre-headers-cross-mips64el-linux-gnu-3.3.8/include/asm/sigcontext.h:57:8: error: redefinition of 'struct sigcontext'
-    (if (string-contains (or (%current-target-system) (%current-system))
-                         "mips64el")
-        `(#:phases (modify-phases %standard-phases
-                     (add-before 'configure 'patch-mips-old-h
-                       (lambda _
-                         (substitute* "src/fault-linux-mips-old.h"
-                           (("#include <asm/sigcontext\\.h>") ""))
-                         #t))))
-        '()))
+    `(;; The shared library isn't built by default but some packages need it.
+      #:configure-flags '("--enable-shared")
+
+      ;; On MIPS, work around this error:
+      ;;
+      ;; In file included from fault-linux-mips-old.h:18:0,
+      ;;    [...]
+      ;; linux-libre-headers-cross-mips64el-linux-gnu-3.3.8/include/asm/sigcontext.h:57:8: error: redefinition of 'struct sigcontext'
+      ,@(if (string-contains (or (%current-target-system) (%current-system))
+                             "mips64el")
+            `(#:phases (modify-phases %standard-phases
+                         (add-before 'configure 'patch-mips-old-h
+                           (lambda _
+                             (substitute* "src/fault-linux-mips-old.h"
+                               (("#include <asm/sigcontext\\.h>") ""))
+                             #t))))
+            '())))
    (description
     "GNU libsigsegv is a library to handle page faults, which occur when a
 program tries to access an unavailable region of memory, in user mode.  By
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index 6a3afd4f05..fda839be54 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -5,6 +5,8 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,7 +34,7 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.9")
+   (version "0.9.10")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -40,24 +42,25 @@
                   version ".tar.xz"))
             (sha256
              (base32
-              "0cx8v6862w7vvacbkcvg49kfx731ckdgaybmzw1zav71zkn97nd4"))
-            (modules '((guix build utils)))
-            (snippet
-             '(begin
-                ;; The gnulib test-lock test is prone to writer starvation
-                ;; with our glibc@2.25, which prefers readers, so disable it.
-                ;; The gnulib commit b20e8afb0b2 should fix this once
-                ;; incorporated here.
-                (substitute* "tests/Makefile.in"
-                  (("test-lock\\$\\(EXEEXT\\) ") ""))
-                #t))))
+              "1mq57h06622m6qc5cv347fc3qk5mj840axw3c0vd7qmnwk1v53zb"))))
    (propagated-inputs (libiconv-if-needed))
+   (outputs '("out" "static"))
    (build-system gnu-build-system)
    (arguments
     ;; Work around parallel build issue whereby C files may be compiled before
     ;; config.h is built: see <http://hydra.gnu.org/build/59381/nixlog/2/raw> and
     ;; <http://lists.openembedded.org/pipermail/openembedded-core/2012-April/059850.html>.
-    '(#:parallel-build? #f))
+    '(#:parallel-build? #f
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-library
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (with-directory-excursion (string-append out "/lib")
+                         (install-file "libunistring.a"
+                                       (string-append static "/lib"))
+                         (delete-file "libunistring.a")
+                         #t)))))))
    (synopsis "C library for manipulating Unicode strings")
    (description
     "GNU libunistring is a library providing functions to manipulate
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cd4adf9b6f..83cdd9f012 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -164,13 +164,13 @@ defconfig.  Return the appropriate make target if applicable, otherwise return
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.14.26")
+    (version "4.14.67")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "1m2zr17wpasg5riysbaa4g5i492jzr93py2jm088ki818s4a9cm3"))))
+               "050zvdxjy6sc64q75pr1gxsmh49chwav2pwxz8xlif39bvahnrpg"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -299,12 +299,6 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration."
                  (or (%current-target-system) (%current-system)))
            ((or "x86_64" "i386")
             `(("gcc" ,gcc-7)))
-           ("arm64"
-            ;; Work around a binutils 2.30 bug where some kernel symbols would
-            ;; be incorrectly marked as relocatable:
-            ;; <https://sourceware.org/bugzilla/show_bug.cgi?id=22764>.
-            `(("ld-wrapper" ,(make-ld-wrapper "ld-wrapper"
-                                              #:binutils binutils/fixed))))
            (_
             '()))
        ,@(match (and configuration-file
@@ -495,17 +489,17 @@ It has been modified to remove all non-free binary blobs.")
 (define-public linux-pam
   (package
     (name "linux-pam")
-    (version "1.3.0")
+    (version "1.3.1")
     (source
      (origin
-      (method url-fetch)
-      (uri (string-append
-            "http://www.linux-pam.org/library/"
-            "Linux-PAM-" version ".tar.bz2"))
-      (sha256
-       (base32
-        "1fyi04d5nsh8ivd0rn2y0z83ylgc0licz7kifbb6xxi2ylgfs6i4"))
-      (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/linux-pam/linux-pam/releases/download/v"
+             version "/Linux-PAM-" version ".tar.xz"))
+       (sha256
+        (base32
+         "1nyh9kdi3knhxcbv5v4snya0g3gff0m671lnvqcbygw3rm77mx7g"))
+       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
@@ -587,7 +581,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.32")
+    (version "2.32.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -595,7 +589,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0d2758kjll5xqm5fpp3sww1h66aahx161sf2b60jxqv4qymrfwvc"))
+                "1ck7d8srw5szpjq7v0gpmjahnjs6wgqzm311ki4gazww6xx71rl6"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -651,7 +645,14 @@ providing the system administrator with some help in common tasks.")
                                      (rename-file file
                                                   (string-append static "/"
                                                                  file)))
-                                   (find-files "lib" "\\.a$")))
+                                   (find-files "lib" "\\.a$"))
+
+                         ;; Remove references to the static library from the '.la'
+                         ;; files so that Libtool does the right thing when both
+                         ;; the shared and static library is available.
+                         (substitute* (find-files "lib" "\\.la$")
+                           (("old_library=.*") "old_library=''\n")))
+
                        #t))))))
     (inputs `(("zlib" ,zlib)
               ("ncurses" ,ncurses)
@@ -2545,9 +2546,7 @@ in a digital read-out.")
   (package
     (name "perf")
     (version (package-version linux-libre))
-    (source (origin
-              (inherit (package-source linux-libre))
-              (patches (search-patches "perf-gcc-ice.patch"))))
+    (source (package-source linux-libre))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -3310,6 +3309,7 @@ and copy/paste text in the console and in xterm.")
               ("libuuid:static" ,util-linux "static")
               ("lzo" ,lzo)
               ("zlib" ,zlib)
+              ("zlib:static" ,zlib "static")
               ("zstd" ,zstd)))
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("asciidoc" ,asciidoc)
diff --git a/gnu/packages/llvm.scm b/gnu/packages/llvm.scm
index d0791d00cc..54a17be8f4 100644
--- a/gnu/packages/llvm.scm
+++ b/gnu/packages/llvm.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -270,7 +271,8 @@ code analysis tools.")
    llvm-3.9.1
    "16gc2gdmp5c800qvydrdhsp0bzb97s8wrakl6i8a4lgslnqnf2fk"
    '("clang-runtime-asan-build-fixes.patch"
-     "clang-runtime-esan-build-fixes.patch")))
+     "clang-runtime-esan-build-fixes.patch"
+     "clang-3.5-libsanitizer-ustat-fix.patch")))
 
 (define-public clang-3.9.1
   (clang-from-llvm llvm-3.9.1 clang-runtime-3.9.1
@@ -294,7 +296,8 @@ code analysis tools.")
   (clang-runtime-from-llvm
    llvm-3.8
    "0p0y85c7izndbpg2l816z7z7558axq11d5pwkm4h11sdw7d13w0d"
-   '("clang-runtime-asan-build-fixes.patch")))
+   '("clang-runtime-asan-build-fixes.patch"
+     "clang-3.5-libsanitizer-ustat-fix.patch")))
 
 (define-public clang-3.8
   (clang-from-llvm llvm-3.8 clang-runtime-3.8
@@ -317,7 +320,8 @@ code analysis tools.")
   (clang-runtime-from-llvm
    llvm-3.7
    "10c1mz2q4bdq9bqfgr3dirc6hz1h3sq8573srd5q5lr7m7j6jiwx"
-   '("clang-runtime-asan-build-fixes.patch")))
+   '("clang-runtime-asan-build-fixes.patch"
+     "clang-3.5-libsanitizer-ustat-fix.patch")))
 
 (define-public clang-3.7
   (clang-from-llvm llvm-3.7 clang-runtime-3.7
diff --git a/gnu/packages/lsof.scm b/gnu/packages/lsof.scm
index 8b3ebe2945..311e244608 100644
--- a/gnu/packages/lsof.scm
+++ b/gnu/packages/lsof.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,12 @@
             #t))
         (add-before 'check 'disable-failing-tests
           (lambda _
+            ;; In libc 2.28, the 'major' and 'minor' macros are provided by
+            ;; <sys/sysmacros.h> only so include it.
+            (substitute* "tests/LTlib.c"
+              (("#ifndef lint")
+               "#include <sys/sysmacros.h>\n\n#ifndef lint"))
+
             (substitute* "tests/Makefile"
               ;; Fails with ‘ERROR!!! client gethostbyaddr() failure’.
               (("(STDTST=.*) LTsock" _ prefix) prefix)
diff --git a/gnu/packages/m4.scm b/gnu/packages/m4.scm
index b223ce91d1..090f5578e3 100644
--- a/gnu/packages/m4.scm
+++ b/gnu/packages/m4.scm
@@ -32,6 +32,7 @@
             (method url-fetch)
             (uri (string-append "mirror://gnu/m4/m4-"
                                 version ".tar.xz"))
+            (patches (search-patches "m4-gnulib-libio.patch"))
             (sha256
              (base32
               "01sfjd5a4waqw83bibvmn522g69qfqvwig9i2qlgy154l1nfihgj"))))
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index 475749bbf6..65d632f64e 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -22,7 +22,7 @@
 (define-module (gnu packages make-bootstrap)
   #:use-module (guix utils)
   #:use-module (guix packages)
-  #:use-module (guix licenses)
+  #:use-module ((guix licenses) #:select (gpl3+))
   #:use-module (guix build-system trivial)
   #:use-module (guix build-system gnu)
   #:use-module ((gnu packages) #:select (search-patch))
@@ -34,6 +34,7 @@
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages bdw-gc)
+  #:use-module (gnu packages libunistring)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages multiprecision)
@@ -440,6 +441,9 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                                                    "^gnu-user.*\\.h$"))
                       ((" -lgcc_s}}") "}}"))
                     #t)))))))
+     (inputs
+      `(("zlib:static" ,zlib "static")
+        ,@(package-inputs gcc)))
      (native-inputs
       (if (%current-target-system)
           `(;; When doing a Canadian cross, we need GMP/MPFR/MPC both
@@ -525,6 +529,10 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                   ;; Remove the 'debug' output (see above for the reason.)
                   (outputs (delete "debug" (package-outputs guile-2.2)))
 
+                  (inputs
+                   `(("libunistring:static" ,libunistring "static")
+                     ,@(package-inputs guile-2.2)))
+
                   (propagated-inputs
                    `(("bdw-gc" ,libgc)
                      ,@(alist-delete "bdw-gc"
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index d4128f55c4..0df197c659 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -321,15 +321,15 @@ enough to be used effectively as a scientific calculator.")
 (define-public double-conversion
   (package
     (name "double-conversion")
-    (version "3.0.0")
+    (version "3.1.0")
     (home-page "https://github.com/google/double-conversion")
     (source (origin
-              (method url-fetch)
-              (uri (string-append home-page "/archive/v" version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
+              (method git-fetch)
+              (uri (git-reference (url home-page) (commit version)))
+              (file-name (git-file-name name version))
               (sha256
                (base32
-                "059r1czs28ljjd388pn6l3njg1ghbf1cv3q9nkxv3dj2a8siabqm"))))
+                "123rb2p4snqagrybw66vnapchqdwn2rfpr1wcq0ya9gwbyl7xccx"))))
     (build-system cmake-build-system)
     (arguments
      '(#:test-target "test"
@@ -2871,7 +2871,7 @@ parts of it.")
 (define-public openblas
   (package
     (name "openblas")
-    (version "0.3.2")
+    (version "0.3.3")
     (source
      (origin
        (method url-fetch)
@@ -2880,7 +2880,7 @@ parts of it.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0b20km2jv7m6qiylrlvhq2vnmkmilb633mr8rhqmgbn1wqrp58jq"))))
+         "0cvlixnpc3cdvvn3f30phfvsgnqljqix6wn72ps9rj7xdhvw06jg"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index 67a3062a5a..1212f32812 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -44,8 +44,22 @@
      ;; $libdir, which is not the case by default.  Work around it.
      '(#:configure-flags (list (string-append "LDFLAGS=-Wl,-rpath="
                                               (assoc-ref %outputs "out")
-                                              "/lib"))))
-    (outputs '("out" "debug"))
+                                              "/lib"))
+       #:phases (modify-phases %standard-phases
+                  (add-after 'install 'move-static-libraries
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((out (assoc-ref outputs "out"))
+                            (slib (string-append (assoc-ref outputs "static")
+                                                 "/lib")))
+                        (mkdir-p slib)
+                        (with-directory-excursion (string-append out "/lib")
+                          (for-each (lambda (ar)
+                                      (rename-file ar (string-append
+                                                       slib "/"
+                                                       (basename ar))))
+                                    (find-files "." "\\.a$")))
+                        #t))))))
+    (outputs '("out" "debug" "static"))
     (native-inputs `(("m4" ,m4)))
     (propagated-inputs `(("gmp" ,gmp)))
     (home-page "https://www.lysator.liu.se/~nisse/nettle/")
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index b525804bdb..a0221601dd 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -184,7 +184,7 @@
      `(("c-ares" ,c-ares)
        ("http-parser" ,http-parser)
        ("icu4c" ,icu4c)
-       ("libuv" ,libuv)
+       ("libuv" ,libuv-1.19)
        ("nghttp2" ,nghttp2 "lib")
        ("openssl" ,openssl)
        ("zlib" ,zlib)))
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 962a9c8cfe..850223cd4c 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -84,11 +84,9 @@
    (native-inputs `(("libtool" ,libtool)))
    (arguments
     `(#:tests? #f
+      #:configure-flags '("--disable-static")
       #:phases
       (modify-phases %standard-phases
-        (add-after 'configure 'provide-libtool
-          (lambda _ (copy-file (which "libtool") "libtool")
-            #t))
         (add-after 'install 'patch-sasl-path
           ;; Give -L arguments for cyrus-sasl to avoid propagation.
           (lambda* (#:key inputs outputs #:allow-other-keys)
diff --git a/gnu/packages/openstack.scm b/gnu/packages/openstack.scm
index 64e05c4b0e..c07f011c9d 100644
--- a/gnu/packages/openstack.scm
+++ b/gnu/packages/openstack.scm
@@ -182,7 +182,7 @@ guidelines}.")
        ("python-pbr" ,python-pbr)))
     (native-inputs
       `(("python-openstackdocstheme" ,python-openstackdocstheme)
-        ("python-sphinx" ,python-sphinx-1.6)
+        ("python-sphinx" ,python-sphinx)
         ("python-subunit" ,python-subunit)
         ("python-testrepository" ,python-testrepository)
         ("python-testtools" ,python-testtools)))
@@ -216,7 +216,7 @@ with mox as possible, but small enhancements have been made.")
      `(("python-dulwich" ,python-dulwich)
        ("python-pbr" ,python-pbr)))
     (native-inputs
-     `(("python-sphinx" ,python-sphinx-1.6)))
+     `(("python-sphinx" ,python-sphinx)))
     (home-page "https://docs.openstack.org/openstackdocstheme/latest/")
     (synopsis "OpenStack Docs Theme")
     (description
@@ -313,7 +313,7 @@ to docs.openstack.org and developer.openstack.org.")
        ("python-six" ,python-six)))
     (native-inputs
      `(("python-mock" ,python-mock)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-testrepository" ,python-testrepository)))
     (home-page "https://github.com/dreamhost/stevedore")
     (synopsis "Manage dynamic plugins for Python applications")
@@ -405,7 +405,7 @@ common features used in Tempest.")
        ("python-openstackdocstheme" ,python-openstackdocstheme)
        ("python-oslotest" ,python-oslotest)
        ("python-reno" ,python-reno)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-testrepository" ,python-testrepository)
        ("python-testscenarios" ,python-testscenarios)
        ("python-testtools" ,python-testtools)))
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index fd01545082..b78190b6dc 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -267,9 +267,7 @@
          ("sqlite" ,sqlite)
          ("libgcrypt" ,libgcrypt)
 
-         ;; Use 2.2.4 to avoid various thread-safety issues while building
-         ;; code in parallel.
-         ("guile" ,guile-2.2.4)
+         ("guile" ,guile-2.2)
 
          ;; Many tests rely on the 'guile-bootstrap' package, which is why we
          ;; have it here.
diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
deleted file mode 100644
index fbd596862b..0000000000
--- a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed
-to be addresses:
-
-https://sourceware.org/bugzilla/show_bug.cgi?id=22764
-
-Patch taken from upstream (with ChangeLog entries and tests omitted):
-
-https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12
-
-diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
-index af448f9..2737773 100644
---- a/bfd/elfnn-aarch64.c
-+++ b/bfd/elfnn-aarch64.c
-@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
- #if ARCH_SIZE == 64
- 	case BFD_RELOC_AARCH64_32:
- #endif
--	  if (bfd_link_pic (info)
--	      && (sec->flags & SEC_ALLOC) != 0
--	      && (sec->flags & SEC_READONLY) != 0)
-+	  if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0)
- 	    {
-+	      if (h != NULL
-+		  /* This is an absolute symbol.  It represents a value instead
-+		     of an address.  */
-+		  && ((h->root.type == bfd_link_hash_defined
-+		       && bfd_is_abs_section (h->root.u.def.section))
-+		      /* This is an undefined symbol.  */
-+		      || h->root.type == bfd_link_hash_undefined))
-+		break;
-+
-+	      /* For local symbols, defined global symbols in a non-ABS section,
-+		 it is assumed that the value is an address.  */
- 	      int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START;
- 	      _bfd_error_handler
- 		/* xgettext:c-format */
diff --git a/gnu/packages/patches/cairo-setjmp-wrapper.patch b/gnu/packages/patches/cairo-setjmp-wrapper.patch
new file mode 100644
index 0000000000..bffac6e041
--- /dev/null
+++ b/gnu/packages/patches/cairo-setjmp-wrapper.patch
@@ -0,0 +1,78 @@
+Revert faulty commit to avoid undefined behaviour:
+https://bugs.freedesktop.org/show_bug.cgi?id=104325
+
+Taken from this upstream commit:
+https://cgit.freedesktop.org/cairo/commit/?h=1.14&id=2acc4382c54bd8239361ceed14423412a343d311
+
+diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
+index cb2e30c..5541bdc 100644
+--- a/src/cairo-bentley-ottmann-rectangular.c
++++ b/src/cairo-bentley-ottmann-rectangular.c
+@@ -593,12 +593,6 @@ sweep_line_insert (sweep_line_t	*sweep, rectangle_t *rectangle)
+     pqueue_push (sweep, rectangle);
+ }
+ 
+-static int
+-sweep_line_setjmp (sweep_line_t *sweep_line)
+-{
+-    return setjmp (sweep_line->unwind);
+-}
+-
+ static cairo_status_t
+ _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
+ 					       int			  num_rectangles,
+@@ -615,7 +609,7 @@ _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
+ 		     rectangles, num_rectangles,
+ 		     fill_rule,
+ 		     do_traps, container);
+-    if ((status = sweep_line_setjmp (&sweep_line)))
++    if ((status = setjmp (sweep_line.unwind)))
+ 	return status;
+ 
+     rectangle = rectangle_pop_start (&sweep_line);
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index e64b14a..068617d 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -158,14 +158,6 @@ png_simple_warning_callback (png_structp png,
+      */
+ }
+ 
+-static int
+-png_setjmp (png_struct *png)
+-{
+-#ifdef PNG_SETJMP_SUPPORTED
+-    return setjmp (png_jmpbuf (png));
+-#endif
+-    return 0;
+-}
+ 
+ /* Starting with libpng-1.2.30, we must explicitly specify an output_flush_fn.
+  * Otherwise, we will segfault if we are writing to a stream. */
+@@ -237,8 +229,10 @@ write_png (cairo_surface_t	*surface,
+ 	goto BAIL4;
+     }
+ 
+-    if (png_setjmp (png))
++#ifdef PNG_SETJMP_SUPPORTED
++    if (setjmp (png_jmpbuf (png)))
+ 	goto BAIL4;
++#endif
+ 
+     png_set_write_fn (png, closure, write_func, png_simple_output_flush_fn);
+ 
+@@ -577,11 +571,12 @@ read_png (struct png_read_closure_t *png_closure)
+     png_set_read_fn (png, png_closure, stream_read_func);
+ 
+     status = CAIRO_STATUS_SUCCESS;
+-
+-    if (png_setjmp (png)) {
++#ifdef PNG_SETJMP_SUPPORTED
++    if (setjmp (png_jmpbuf (png))) {
+ 	surface = _cairo_surface_create_in_error (status);
+ 	goto BAIL;
+     }
++#endif
+ 
+     png_read_info (png, info);
+ 
diff --git a/gnu/packages/patches/clang-3.5-libsanitizer-ustat-fix.patch b/gnu/packages/patches/clang-3.5-libsanitizer-ustat-fix.patch
new file mode 100644
index 0000000000..cfb09a8ce3
--- /dev/null
+++ b/gnu/packages/patches/clang-3.5-libsanitizer-ustat-fix.patch
@@ -0,0 +1,46 @@
+From d9d97cac3702b99a00cd113de98c41eb535d47ed Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Sun, 14 Oct 2018 12:11:30 +0300
+Subject: [PATCH] patch modified from the gcc patch series, also dealing with
+ ustat.
+
+---
+ .../sanitizer_platform_limits_posix.cc            | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/sanitizer_common/sanitizer_platform_limits_posix.cc b/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 29fea6e..570b9a5 100644
+--- a/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -129,7 +129,6 @@
+ #include <sys/statvfs.h>
+ #include <sys/timex.h>
+ #include <sys/user.h>
+-#include <sys/ustat.h>
+ #include <linux/cyclades.h>
+ #include <linux/if_eql.h>
+ #include <linux/if_plip.h>
+@@ -222,7 +221,19 @@ namespace __sanitizer {
+ #endif  // SANITIZER_LINUX || SANITIZER_FREEBSD
+ 
+ #if SANITIZER_LINUX && !SANITIZER_ANDROID
+-  unsigned struct_ustat_sz = sizeof(struct ustat);
++  // Use pre-computed size of struct ustat to avoid <sys/ustat.h> which
++  // has been removed from glibc 2.28.
++#if defined(__aarch64__) || defined(__s390x__) || defined (__mips64) \
++  || defined(__powerpc64__) || defined(__arch64__) || defined(__sparcv9) \
++  || defined(__x86_64__)
++#define SIZEOF_STRUCT_USTAT 32
++#elif defined(__arm__) || defined(__i386__) || defined(__mips__) \
++  || defined(__powerpc__) || defined(__s390__)
++#define SIZEOF_STRUCT_USTAT 20
++#else
++#error Unknown size of struct ustat
++#endif
++  unsigned struct_ustat_sz = SIZEOF_STRUCT_USTAT;
+   unsigned struct_rlimit64_sz = sizeof(struct rlimit64);
+   unsigned struct_statvfs64_sz = sizeof(struct statvfs64);
+ #endif  // SANITIZER_LINUX && !SANITIZER_ANDROID
+-- 
+2.19.1
+
diff --git a/gnu/packages/patches/doxygen-gcc-ice.patch b/gnu/packages/patches/doxygen-gcc-ice.patch
deleted file mode 100644
index fbfedcb7ab..0000000000
--- a/gnu/packages/patches/doxygen-gcc-ice.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.  It shows up
-only when doing native compiles on armhf-linux.
-
-Yes it's a terrible patch, but it does the job.
-
---- doxygen-1.8.13/qtools/qutfcodec.cpp	1970-01-01 01:00:00.000000000 +0100
-+++ doxygen-1.8.13/qtools/qutfcodec.cpp	2018-06-08 14:14:29.614009929 +0200
-@@ -189,7 +189,7 @@ int QUtf16Codec::heuristicContentMatch(c
- }
- 
- 
--
-+volatile const void *bomPointer = &QChar::byteOrderMark;
- 
- class QUtf16Encoder : public QTextEncoder {
-     bool headerdone;
-@@ -209,7 +209,7 @@ public:
- 	    headerdone = TRUE;
- 	    len_in_out = (1+uc.length())*(int)sizeof(QChar);
- 	    QCString d(len_in_out);
--	    memcpy(d.rawData(),&QChar::byteOrderMark,sizeof(QChar));
-+	    memcpy(d.rawData(),(void *)bomPointer,sizeof(QChar));
- 	    memcpy(d.rawData()+sizeof(QChar),uc.unicode(),uc.length()*sizeof(QChar));
- 	    return d;
- 	}
diff --git a/gnu/packages/patches/findutils-gnulib-libio.patch b/gnu/packages/patches/findutils-gnulib-libio.patch
new file mode 100644
index 0000000000..79f9fd914d
--- /dev/null
+++ b/gnu/packages/patches/findutils-gnulib-libio.patch
@@ -0,0 +1,114 @@
+Adjust to removal of libio interface in glibc 2.28.
+
+Based on this gnulib commit:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4af4a4a71827c0bc5e0ec67af23edef4f15cee8e
+
+diff --git a/gl/lib/fflush.c b/gl/lib/fflush.c
+index 5ae3e41..7a82470 100644
+--- a/gl/lib/fflush.c
++++ b/gl/lib/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp)
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+@@ -148,7 +148,7 @@ rpl_fflush (FILE *stream)
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+diff --git a/gl/lib/fpurge.c b/gl/lib/fpurge.c
+index f313b22..ecdf82d 100644
+--- a/gl/lib/fpurge.c
++++ b/gl/lib/fpurge.c
+@@ -62,7 +62,7 @@ fpurge (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+diff --git a/gl/lib/freadahead.c b/gl/lib/freadahead.c
+index 094daab..3f8101e 100644
+--- a/gl/lib/freadahead.c
++++ b/gl/lib/freadahead.c
+@@ -25,7 +25,7 @@
+ size_t
+ freadahead (FILE *fp)
+ {
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_write_ptr > fp->_IO_write_base)
+     return 0;
+   return (fp->_IO_read_end - fp->_IO_read_ptr)
+diff --git a/gl/lib/freading.c b/gl/lib/freading.c
+index 0512b19..8c48fe4 100644
+--- a/gl/lib/freading.c
++++ b/gl/lib/freading.c
+@@ -31,7 +31,7 @@ freading (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+diff --git a/gl/lib/fseeko.c b/gl/lib/fseeko.c
+index 1c65d2a..9026408 100644
+--- a/gl/lib/fseeko.c
++++ b/gl/lib/fseeko.c
+@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+diff --git a/gl/lib/stdio-impl.h b/gl/lib/stdio-impl.h
+index 502d891..ea38ee2 100644
+--- a/gl/lib/stdio-impl.h
++++ b/gl/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+ 
+ /* BSD stdio derived implementations.  */
+ 
diff --git a/gnu/packages/patches/findutils-makedev.patch b/gnu/packages/patches/findutils-makedev.patch
new file mode 100644
index 0000000000..2f16c625d8
--- /dev/null
+++ b/gnu/packages/patches/findutils-makedev.patch
@@ -0,0 +1,22 @@
+Include <sys/sysmacros.h> for "makedev".
+
+Taken from this gnulib commit:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4da63c5881f60f71999a943612da9112232b9161
+
+diff --git a/gl/lib/mountlist.c b/gl/lib/mountlist.c
+index bb4e4ee21..cf4020e2a 100644
+--- a/gl/lib/mountlist.c
++++ b/gl/lib/mountlist.c
+@@ -37,6 +37,12 @@
+ # include <sys/param.h>
+ #endif
+ 
++#if MAJOR_IN_MKDEV
++# include <sys/mkdev.h>
++#elif MAJOR_IN_SYSMACROS
++# include <sys/sysmacros.h>
++#endif
++
+ #if defined MOUNTED_GETFSSTAT   /* OSF_1 and Darwin1.3.x */
+ # if HAVE_SYS_UCRED_H
+ #  include <grp.h> /* needed on OSF V4.0 for definition of NGROUPS,
diff --git a/gnu/packages/patches/freetype-CVE-2018-6942.patch b/gnu/packages/patches/freetype-CVE-2018-6942.patch
deleted file mode 100644
index 680f357765..0000000000
--- a/gnu/packages/patches/freetype-CVE-2018-6942.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix CVE-2018-6942:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6942.html
-
-Copied from upstream (ChangeLog section removed):
-https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef
-
-diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
-index d855aaa..551f14a 100644
---- a/src/truetype/ttinterp.c
-+++ b/src/truetype/ttinterp.c
-@@ -7532,8 +7532,16 @@
-       return;
-     }
- 
--    for ( i = 0; i < num_axes; i++ )
--      args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
-+    if ( coords )
-+    {
-+      for ( i = 0; i < num_axes; i++ )
-+        args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
-+    }
-+    else
-+    {
-+      for ( i = 0; i < num_axes; i++ )
-+        args[i] = 0;
-+    }
-   }
- 
- 
diff --git a/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch b/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch
new file mode 100644
index 0000000000..795881ab9b
--- /dev/null
+++ b/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch
@@ -0,0 +1,37 @@
+Remove use of deprecated ustat interface in glibc 2.28:
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85835
+
+Adapted to GCC 4 series from this upstream patch:
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=260684
+
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -81,7 +81,6 @@
+ #include <sys/statvfs.h>
+ #include <sys/timex.h>
+ #include <sys/user.h>
+-#include <sys/ustat.h>
+ #include <linux/cyclades.h>
+ #include <linux/if_eql.h>
+ #include <linux/if_plip.h>
+@@ -163,7 +162,19 @@
+   unsigned struct_old_utsname_sz = sizeof(struct old_utsname);
+   unsigned struct_oldold_utsname_sz = sizeof(struct oldold_utsname);
+   unsigned struct_itimerspec_sz = sizeof(struct itimerspec);
+-  unsigned struct_ustat_sz = sizeof(struct ustat);
++  // Use pre-computed size of struct ustat to avoid <sys/ustat.h> which
++  // has been removed from glibc 2.28.
++#if defined(__aarch64__) || defined(__s390x__) || defined (__mips64) \
++  || defined(__powerpc64__) || defined(__arch64__) || defined(__sparcv9) \
++  || defined(__x86_64__)
++#define SIZEOF_STRUCT_USTAT 32
++#elif defined(__arm__) || defined(__i386__) || defined(__mips__) \
++  || defined(__powerpc__) || defined(__s390__)
++#define SIZEOF_STRUCT_USTAT 20
++#else
++#error Unknown size of struct ustat
++#endif
++  unsigned struct_ustat_sz = SIZEOF_STRUCT_USTAT;
+ #endif // SANITIZER_LINUX
+ 
+ #if SANITIZER_LINUX && !SANITIZER_ANDROID
diff --git a/gnu/packages/patches/gcc-libsanitizer-ustat.patch b/gnu/packages/patches/gcc-libsanitizer-ustat.patch
new file mode 100644
index 0000000000..a4e0c6affa
--- /dev/null
+++ b/gnu/packages/patches/gcc-libsanitizer-ustat.patch
@@ -0,0 +1,41 @@
+Remove use of deprecated ustat interface in glibc 2.28:
+
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85835
+
+Taken from upstream:
+
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=260684
+
+diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 858bb2184505..de18e56d11cf 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -157,7 +157,6 @@ typedef struct user_fpregs elf_fpregset_t;
+ # include <sys/procfs.h>
+ #endif
+ #include <sys/user.h>
+-#include <sys/ustat.h>
+ #include <linux/cyclades.h>
+ #include <linux/if_eql.h>
+ #include <linux/if_plip.h>
+@@ -250,7 +249,19 @@ namespace __sanitizer {
+ #endif // SANITIZER_LINUX || SANITIZER_FREEBSD
+ 
+ #if SANITIZER_LINUX && !SANITIZER_ANDROID
+-  unsigned struct_ustat_sz = sizeof(struct ustat);
++  // Use pre-computed size of struct ustat to avoid <sys/ustat.h> which
++  // has been removed from glibc 2.28.
++#if defined(__aarch64__) || defined(__s390x__) || defined (__mips64) \
++  || defined(__powerpc64__) || defined(__arch64__) || defined(__sparcv9) \
++  || defined(__x86_64__)
++#define SIZEOF_STRUCT_USTAT 32
++#elif defined(__arm__) || defined(__i386__) || defined(__mips__) \
++  || defined(__powerpc__) || defined(__s390__)
++#define SIZEOF_STRUCT_USTAT 20
++#else
++#error Unknown size of struct ustat
++#endif
++  unsigned struct_ustat_sz = SIZEOF_STRUCT_USTAT;
+   unsigned struct_rlimit64_sz = sizeof(struct rlimit64);
+   unsigned struct_statvfs64_sz = sizeof(struct statvfs64);
+ #endif // SANITIZER_LINUX && !SANITIZER_ANDROID
diff --git a/gnu/packages/patches/gcc-strmov-store-file-names.patch b/gnu/packages/patches/gcc-strmov-store-file-names.patch
index 9f9162855d..7358de3326 100644
--- a/gnu/packages/patches/gcc-strmov-store-file-names.patch
+++ b/gnu/packages/patches/gcc-strmov-store-file-names.patch
@@ -15,7 +15,7 @@ and <https://bugs.gnu.org/30395>.
 
 --- gcc-5.3.0/gcc/builtins.c	2016-10-18 10:50:46.080616285 +0200
 +++ gcc-5.3.0/gcc/builtins.c	2016-11-09 15:26:43.693042737 +0100
-@@ -3192,6 +3192,54 @@ determine_block_size (tree len, rtx len_
+@@ -3192,6 +3192,58 @@ determine_block_size (tree len, rtx len_
  			  GET_MODE_MASK (GET_MODE (len_rtx)));
  }
  
@@ -35,9 +35,13 @@ and <https://bugs.gnu.org/30395>.
 +  if (TREE_CODE (str) == VAR_DECL
 +      && TREE_STATIC (str)
 +      && TREE_READONLY (str))
-+    /* STR may be a 'static const' variable whose initial value
-+       is a string constant.  See <https://bugs.gnu.org/30395>.  */
-+    str = DECL_INITIAL (str);
++    {
++      /* STR may be a 'static const' variable whose initial value
++         is a string constant.  See <https://bugs.gnu.org/30395>.  */
++      str = DECL_INITIAL (str);
++      if (str == NULL_TREE)
++        return false;
++    }
 +
 +  if (TREE_CODE (str) != STRING_CST)
 +    return false;
diff --git a/gnu/packages/patches/ghostscript-runpath.patch b/gnu/packages/patches/ghostscript-runpath.patch
deleted file mode 100644
index 9f161e45b3..0000000000
--- a/gnu/packages/patches/ghostscript-runpath.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/base/unix-dll.mak b/base/unix-dll.mak
-index 9d57a99..36ef1ff 100644
---- a/base/unix-dll.mak
-+++ b/base/unix-dll.mak
-@@ -171,11 +171,11 @@ gpdl-so-links-subtarget: $(GPDL_SO) $(UNIX_DLL_MAK) $(MAKEDIRS)
- # Build the small Ghostscript loaders, with Gtk+ and without
- $(GSSOC_XE): gs-so-links-subtarget $(PSSRC)$(SOC_LOADER) $(UNIX_DLL_MAK) $(MAKEDIRS)
- 	$(GLCC) -g -o $(GSSOC_XE) $(PSSRC)dxmainc.c \
--	-L$(BINDIR) -l$(GS_SO_BASE)
-+	-L$(BINDIR) -l$(GS_SO_BASE) -Wl,-rpath=$(libdir)
- 
- $(GSSOX_XE): gs-so-links-subtarget $(PSSRC)$(SOC_LOADER) $(UNIX_DLL_MAK) $(MAKEDIRS)
- 	$(GLCC) -g $(SOC_CFLAGS) -o $(GSSOX_XE) $(PSSRC)$(SOC_LOADER) \
--	-L$(BINDIR) -l$(GS_SO_BASE) $(SOC_LIBS)
-+	-L$(BINDIR) -l$(GS_SO_BASE) $(SOC_LIBS) -Wl,-rpath=$(libdir)
- 
- $(PCLSOC_XE): gpcl6-so-links-subtarget $(PLSRC)$(REALMAIN_SRC).c $(UNIX_DLL_MAK) $(MAKEDIRS)
- 	$(GLCC) -g -o $(PCLSOC_XE) $(PLSRC)$(REALMAIN_SRC).c -L$(BINDIR) -l$(PCL_SO_BASE)
diff --git a/gnu/packages/patches/glibc-2.28-git-fixes.patch b/gnu/packages/patches/glibc-2.28-git-fixes.patch
new file mode 100644
index 0000000000..7e370ef0b1
--- /dev/null
+++ b/gnu/packages/patches/glibc-2.28-git-fixes.patch
@@ -0,0 +1,248 @@
+This file contains fixes from the "release/2.28/master" branch:
+https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.28/master
+
+Currently we have these commits (sans tests and ChangeLog updates):
+7f11842e7483da7aa9fa3031be122021978ef600
+726e1554ce4db5e35af41cb0110c54c5e1232054
+4b25485f03158959cff45379eecc1d73c7dcdd11
+d05b05d1570ba3ae354a2f5a3cfeefb373b09979
+bfcfa22589f2b4277a65e60c6b736b6bbfbd87d0
+2f498f3d140ab5152bd784df2be7af7d9c5e63ed
+
+diff --git a/htl/Versions b/htl/Versions
+index 6a63a1b8a1..c5a616da10 100644
+--- a/htl/Versions
++++ b/htl/Versions
+@@ -150,6 +150,8 @@ libpthread {
+     __cthread_keycreate;
+     __cthread_getspecific;
+     __cthread_setspecific;
++    __pthread_getspecific;
++    __pthread_setspecific;
+     __pthread_getattr_np;
+     __pthread_attr_getstack;
+   }
+
+diff --git a/sysdeps/htl/pt-getspecific.c b/sysdeps/htl/pt-getspecific.c
+index a0227a67f6..64ddf9551a 100644
+--- a/sysdeps/htl/pt-getspecific.c
++++ b/sysdeps/htl/pt-getspecific.c
+@@ -36,3 +36,4 @@ __pthread_getspecific (pthread_key_t key)
+   return self->thread_specifics[key];
+ }
+ strong_alias (__pthread_getspecific, pthread_getspecific);
++hidden_def (__pthread_getspecific)
+diff --git a/sysdeps/htl/pt-setspecific.c b/sysdeps/htl/pt-setspecific.c
+index a46a12f157..02aff417ef 100644
+--- a/sysdeps/htl/pt-setspecific.c
++++ b/sysdeps/htl/pt-setspecific.c
+@@ -48,3 +48,4 @@ __pthread_setspecific (pthread_key_t key, const void *value)
+   return 0;
+ }
+ strong_alias (__pthread_setspecific, pthread_setspecific);
++hidden_def (__pthread_setspecific)
+diff --git a/sysdeps/htl/pthreadP.h b/sysdeps/htl/pthreadP.h
+index 132ac1718e..71c2fcd9c6 100644
+--- a/sysdeps/htl/pthreadP.h
++++ b/sysdeps/htl/pthreadP.h
+@@ -68,6 +68,8 @@ struct __pthread_cancelation_handler **___pthread_get_cleanup_stack (void) attri
+ 
+ #if IS_IN (libpthread)
+ hidden_proto (__pthread_key_create)
++hidden_proto (__pthread_getspecific)
++hidden_proto (__pthread_setspecific)
+ hidden_proto (_pthread_mutex_init)
+ #endif
+ 
+diff --git a/sysdeps/unix/sysv/linux/getdents64.c b/sysdeps/unix/sysv/linux/getdents64.c
+index 3bde0cf4f0..bc140b5a7f 100644
+--- a/sysdeps/unix/sysv/linux/getdents64.c
++++ b/sysdeps/unix/sysv/linux/getdents64.c
+@@ -33,41 +33,80 @@ strong_alias (__getdents64, __getdents)
+ # include <shlib-compat.h>
+ 
+ # if SHLIB_COMPAT(libc, GLIBC_2_1, GLIBC_2_2)
+-# include <olddirent.h>
++#  include <olddirent.h>
++#  include <unistd.h>
+ 
+-/* kernel definition of as of 3.2.  */
+-struct compat_linux_dirent
++static ssize_t
++handle_overflow (int fd, __off64_t offset, ssize_t count)
+ {
+-  /* Both d_ino and d_off are compat_ulong_t which are defined in all
+-     architectures as 'u32'.  */
+-  uint32_t        d_ino;
+-  uint32_t        d_off;
+-  unsigned short  d_reclen;
+-  char            d_name[1];
+-};
++  /* If this is the first entry in the buffer, we can report the
++     error.  */
++  if (count == 0)
++    {
++      __set_errno (EOVERFLOW);
++      return -1;
++    }
++
++  /* Otherwise, seek to the overflowing entry, so that the next call
++     will report the error, and return the data read so far..  */
++  if (__lseek64 (fd, offset, SEEK_SET) != 0)
++    return -1;
++  return count;
++}
+ 
+ ssize_t
+ __old_getdents64 (int fd, char *buf, size_t nbytes)
+ {
+-  ssize_t retval = INLINE_SYSCALL_CALL (getdents, fd, buf, nbytes);
++  /* We do not move the individual directory entries.  This is only
++     possible if the target type (struct __old_dirent64) is smaller
++     than the source type.  */
++  _Static_assert (offsetof (struct __old_dirent64, d_name)
++		  <= offsetof (struct dirent64, d_name),
++		  "__old_dirent64 is larger than dirent64");
++  _Static_assert (__alignof__ (struct __old_dirent64)
++		  <= __alignof__ (struct dirent64),
++		  "alignment of __old_dirent64 is larger than dirent64");
+ 
+-  /* The kernel added the d_type value after the name.  Change this now.  */
+-  if (retval != -1)
++  ssize_t retval = INLINE_SYSCALL_CALL (getdents64, fd, buf, nbytes);
++  if (retval > 0)
+     {
+-      union
+-      {
+-	struct compat_linux_dirent k;
+-	struct dirent u;
+-      } *kbuf = (void *) buf;
+-
+-      while ((char *) kbuf < buf + retval)
++      char *p = buf;
++      char *end = buf + retval;
++      while (p < end)
+ 	{
+-	  char d_type = *((char *) kbuf + kbuf->k.d_reclen - 1);
+-	  memmove (kbuf->u.d_name, kbuf->k.d_name,
+-		   strlen (kbuf->k.d_name) + 1);
+-	  kbuf->u.d_type = d_type;
++	  struct dirent64 *source = (struct dirent64 *) p;
++
++	  /* Copy out the fixed-size data.  */
++	  __ino_t ino = source->d_ino;
++	  __off64_t offset = source->d_off;
++	  unsigned int reclen = source->d_reclen;
++	  unsigned char type = source->d_type;
++
++	  /* Check for ino_t overflow.  */
++	  if (__glibc_unlikely (ino != source->d_ino))
++	    return handle_overflow (fd, offset, p - buf);
++
++	  /* Convert to the target layout.  Use a separate struct and
++	     memcpy to side-step aliasing issues.  */
++	  struct __old_dirent64 result;
++	  result.d_ino = ino;
++	  result.d_off = offset;
++	  result.d_reclen = reclen;
++	  result.d_type = type;
++
++	  /* Write the fixed-sized part of the result to the
++	     buffer.  */
++	  size_t result_name_offset = offsetof (struct __old_dirent64, d_name);
++	  memcpy (p, &result, result_name_offset);
++
++	  /* Adjust the position of the name if necessary.  Copy
++	     everything until the end of the record, including the
++	     terminating NUL byte.  */
++	  if (result_name_offset != offsetof (struct dirent64, d_name))
++	    memmove (p + result_name_offset, source->d_name,
++		     reclen - offsetof (struct dirent64, d_name));
+ 
+-	  kbuf = (void *) ((char *) kbuf + kbuf->k.d_reclen);
++	  p += reclen;
+ 	}
+      }
+   return retval;
+
+diff --git a/misc/error.c b/misc/error.c
+index b4e8b6c938..03378e2f2a 100644
+--- a/misc/error.c
++++ b/misc/error.c
+@@ -319,6 +319,7 @@ error (int status, int errnum, const char *message, ...)
+ 
+   va_start (args, message);
+   error_tail (status, errnum, message, args);
++  va_end (args);
+ 
+ #ifdef _LIBC
+   _IO_funlockfile (stderr);
+@@ -390,6 +391,7 @@ error_at_line (int status, int errnum, const char *file_name,
+ 
+   va_start (args, message);
+   error_tail (status, errnum, message, args);
++  va_end (args);
+ 
+ #ifdef _LIBC
+   _IO_funlockfile (stderr);
+
+diff --git a/nscd/nscd_conf.c b/nscd/nscd_conf.c
+index 265a02434d..7293b795b6 100644
+--- a/nscd/nscd_conf.c
++++ b/nscd/nscd_conf.c
+@@ -190,7 +190,10 @@ nscd_parse_file (const char *fname, struct database_dyn dbs[lastdb])
+ 	  if (!arg1)
+ 	    error (0, 0, _("Must specify user name for server-user option"));
+ 	  else
+-	    server_user = xstrdup (arg1);
++	    {
++	      free ((char *) server_user);
++	      server_user = xstrdup (arg1);
++	    }
+ 	}
+       else if (strcmp (entry, "stat-user") == 0)
+ 	{
+@@ -198,6 +201,7 @@ nscd_parse_file (const char *fname, struct database_dyn dbs[lastdb])
+ 	    error (0, 0, _("Must specify user name for stat-user option"));
+ 	  else
+ 	    {
++	      free ((char *) stat_user);
+ 	      stat_user = xstrdup (arg1);
+ 
+ 	      struct passwd *pw = getpwnam (stat_user);
+
+diff --git a/nss/nss_files/files-alias.c b/nss/nss_files/files-alias.c
+index cfd34b66b9..35b0bfc5d2 100644
+--- a/nss/nss_files/files-alias.c
++++ b/nss/nss_files/files-alias.c
+@@ -221,6 +221,13 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 			{
+ 			  while (! feof_unlocked (listfile))
+ 			    {
++			      if (room_left < 2)
++				{
++				  free (old_line);
++				  fclose (listfile);
++				  goto no_more_room;
++				}
++
+ 			      first_unused[room_left - 1] = '\xff';
+ 			      line = fgets_unlocked (first_unused, room_left,
+ 						     listfile);
+@@ -229,6 +236,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 			      if (first_unused[room_left - 1] != '\xff')
+ 				{
+ 				  free (old_line);
++				  fclose (listfile);
+ 				  goto no_more_room;
+ 				}
+ 
+@@ -256,6 +264,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 						       + __alignof__ (char *)))
+ 					{
+ 					  free (old_line);
++					  fclose (listfile);
+ 					  goto no_more_room;
+ 					}
+ 				      room_left -= ((first_unused - cp)
+
diff --git a/gnu/packages/patches/grub-binutils-compat.patch b/gnu/packages/patches/grub-binutils-compat.patch
new file mode 100644
index 0000000000..2107869314
--- /dev/null
+++ b/gnu/packages/patches/grub-binutils-compat.patch
@@ -0,0 +1,53 @@
+Fix a relocation issue that shows up with recent binutils.
+
+Patch taken from upstream:
+https://git.sv.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875
+
+diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c
+index e49d0b6..18facf4 100644
+--- a/grub-core/efiemu/i386/loadcore64.c
++++ b/grub-core/efiemu/i386/loadcore64.c
+@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs,
+ 		    break;
+ 
+ 		  case R_X86_64_PC32:
++		  case R_X86_64_PLT32:
+ 		    err = grub_efiemu_write_value (addr,
+ 						   *addr32 + rel->r_addend
+ 						   + sym.off
+diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
+index 4406906..3a73e6e 100644
+--- a/grub-core/kern/x86_64/dl.c
++++ b/grub-core/kern/x86_64/dl.c
+@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ 	  break;
+ 
+ 	case R_X86_64_PC32:
++	case R_X86_64_PLT32:
+ 	  {
+ 	    grub_int64_t value;
+ 	    value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value -
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index a2bb054..39d7efb 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -841,6 +841,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ 		  break;
+ 
+ 		case R_X86_64_PC32:
++		case R_X86_64_PLT32:
+ 		  {
+ 		    grub_uint32_t *t32 = (grub_uint32_t *) target;
+ 		    *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32)
+diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
+index 9179285..a79271f 100644
+--- a/util/grub-module-verifier.c
++++ b/util/grub-module-verifier.c
+@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = {
+       -1
+     }, (int[]){
+       R_X86_64_PC32,
++      R_X86_64_PLT32,
+       -1
+     }
+   },
diff --git a/gnu/packages/patches/jemalloc-arm-address-bits.patch b/gnu/packages/patches/jemalloc-arm-address-bits.patch
deleted file mode 100644
index f2ef24c25a..0000000000
--- a/gnu/packages/patches/jemalloc-arm-address-bits.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 8cfc9dec37b312a2686f602bbcdd102ca07cca99 Mon Sep 17 00:00:00 2001
-From: David Goldblatt <davidgoldblatt@fb.com>
-Date: Fri, 29 Sep 2017 13:54:08 -0700
-Subject: [PATCH] ARM: Don't extend bit LG_VADDR to compute high address bits.
-
-In userspace ARM on Linux, zero-ing the high bits is the correct way to do this.
-This doesn't fix the fact that we currently set LG_VADDR to 48 on ARM, when in
-fact larger virtual address sizes are coming soon.  We'll cross that bridge when
-we come to it.
----
- include/jemalloc/internal/rtree.h | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/include/jemalloc/internal/rtree.h b/include/jemalloc/internal/rtree.h
-index b5d4db39..4563db23 100644
---- a/include/jemalloc/internal/rtree.h
-+++ b/include/jemalloc/internal/rtree.h
-@@ -178,9 +178,21 @@ rtree_leaf_elm_bits_read(tsdn_t *tsdn, rtree_t *rtree, rtree_leaf_elm_t *elm,
- 
- JEMALLOC_ALWAYS_INLINE extent_t *
- rtree_leaf_elm_bits_extent_get(uintptr_t bits) {
-+#    ifdef __aarch64__
-+	/*
-+	 * aarch64 doesn't sign extend the highest virtual address bit to set
-+	 * the higher ones.  Instead, the high bits gets zeroed.
-+	 */
-+	uintptr_t high_bit_mask = ((uintptr_t)1 << LG_VADDR) - 1;
-+	/* Mask off the slab bit. */
-+	uintptr_t low_bit_mask = ~(uintptr_t)1;
-+	uintptr_t mask = high_bit_mask & low_bit_mask;
-+	return (extent_t *)(bits & mask);
-+#    else
- 	/* Restore sign-extended high bits, mask slab bit. */
- 	return (extent_t *)((uintptr_t)((intptr_t)(bits << RTREE_NHIB) >>
- 	    RTREE_NHIB) & ~((uintptr_t)0x1));
-+#    endif
- }
- 
- JEMALLOC_ALWAYS_INLINE szind_t
diff --git a/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch b/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch
new file mode 100644
index 0000000000..3056f0baad
--- /dev/null
+++ b/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch
@@ -0,0 +1,32 @@
+Make yat2m in libgcrypt respect SOURCE_DATE_EPOCH, making
+the build reproducible.
+
+This was already fixed upstream in GnuPG:
+https://dev.gnupg.org/rG139de02b93773615bdd95e04a7f0c1ad73b4f6fb
+
+and in libgpg-error:
+https://dev.gnupg.org/rE5494a5728418938d2e42158bb646b07124184e64
+
+
+--- a/doc/yat2m.c 2017-11-23 19:16:58.000000000 +0100
++++ b/doc/yat2m.c 2017-08-28 12:22:54.000000000 +0200
+@@ -1475,6 +1484,7 @@
+ main (int argc, char **argv)
+ {
+   int last_argc = -1;
++  const char *s;
+ 
+   opt_source = "GNU";
+   opt_release = "";
+@@ -1608,6 +1618,11 @@
+   if (argc > 1)
+     die ("usage: " PGM " [OPTION] [FILE] (try --help for more information)\n");
+ 
++  /* Take care of supplied timestamp for reproducible builds.  See
++   * https://reproducible-builds.org/specs/source-date-epoch/  */
++  if (!opt_date && (s = getenv ("SOURCE_DATE_EPOCH")) && *s)
++    opt_date = s;
++
+   /* Start processing. */
+   if (argc && strcmp (*argv, "-"))
+     {
diff --git a/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch b/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch
deleted file mode 100644
index d848d639b2..0000000000
--- a/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=patch;h=791177de023574223eddf7288eb7c5a0721ac623
-
-From 791177de023574223eddf7288eb7c5a0721ac623 Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Sun, 18 Mar 2018 17:39:43 +0100
-Subject: [PATCH] core: Fix regression on arm64 due to invalid use of va_list.
-
-* src/logging.c (_gpgrt_log_printhex): Provide a dummy arg instead of
-NULL.
---
-
-Fix
-Suggested-by: Jakub Wilk <jwilk@jwilk.net>
-
-Signed-off-by: Werner Koch <wk@gnupg.org>
----
- src/logging.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/src/logging.c b/src/logging.c
-index 1a4f620..d01f974 100644
---- a/src/logging.c
-+++ b/src/logging.c
-@@ -1090,9 +1090,10 @@ _gpgrt_log_flush (void)
- 
- 
- /* Print a hexdump of (BUFFER,LENGTH).  With FMT passed as NULL print
-- * just the raw dump, with FMT being an empty string, print a trailing
-- * linefeed, otherwise print an entire debug line with the expanded
-- * FMT followed by a possible wrapped hexdump and a final LF.  */
-+ * just the raw dump (in this case ARG_PTR is not used), with FMT
-+ * being an empty string, print a trailing linefeed, otherwise print
-+ * an entire debug line with the expanded FMT followed by a possible
-+ * wrapped hexdump and a final LF.  */
- void
- _gpgrt_logv_printhex (const void *buffer, size_t length,
-                       const char *fmt, va_list arg_ptr)
-@@ -1150,7 +1151,16 @@ _gpgrt_log_printhex (const void *buffer, size_t length,
-       va_end (arg_ptr);
-     }
-   else
--    _gpgrt_logv_printhex (buffer, length, NULL, NULL);
-+    {
-+      /* va_list is not necessary a pointer and thus we can't use NULL
-+       * because that would conflict with platforms using a straight
-+       * struct for it (e.g. arm64).  We use a dummy variable instead;
-+       * the static is a simple way zero it out so to not get
-+       * complains about uninitialized use.  */
-+      static va_list dummy_argptr;
-+
-+      _gpgrt_logv_printhex (buffer, length, NULL, dummy_argptr);
-+    }
- }
- 
- 
--- 
-2.8.0.rc3
-
diff --git a/gnu/packages/patches/m4-gnulib-libio.patch b/gnu/packages/patches/m4-gnulib-libio.patch
new file mode 100644
index 0000000000..a26622ccf3
--- /dev/null
+++ b/gnu/packages/patches/m4-gnulib-libio.patch
@@ -0,0 +1,128 @@
+Adjust the bundled gnulib to cope with removal of libio interface in
+glibc 2.28.
+
+Based on this upstream patch, without hunks that do not apply to m4:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4af4a4a71827c0bc5e0ec67af23edef4f15cee8e
+
+diff --git a/lib/fflush.c b/lib/fflush.c
+index 983ade0..a6edfa1 100644
+--- a/lib/fflush.c
++++ b/lib/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp)
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+@@ -148,7 +148,7 @@ rpl_fflush (FILE *stream)
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+diff --git a/lib/fpending.c b/lib/fpending.c
+index c84e3a5..789f50e 100644
+--- a/lib/fpending.c
++++ b/lib/fpending.c
+@@ -32,7 +32,7 @@ __fpending (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return fp->_IO_write_ptr - fp->_IO_write_base;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+   /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+diff --git a/lib/fpurge.c b/lib/fpurge.c
+index b1d417c..3aedcc3 100644
+--- a/lib/fpurge.c
++++ b/lib/fpurge.c
+@@ -62,7 +62,7 @@ fpurge (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+diff --git a/lib/freadahead.c b/lib/freadahead.c
+index c2ecb5b..23ec76e 100644
+--- a/lib/freadahead.c
++++ b/lib/freadahead.c
+@@ -30,7 +30,7 @@ extern size_t __sreadahead (FILE *);
+ size_t
+ freadahead (FILE *fp)
+ {
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_write_ptr > fp->_IO_write_base)
+     return 0;
+   return (fp->_IO_read_end - fp->_IO_read_ptr)
+diff --git a/lib/freading.c b/lib/freading.c
+index 73c28ac..c24d0c8 100644
+--- a/lib/freading.c
++++ b/lib/freading.c
+@@ -31,7 +31,7 @@ freading (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+diff --git a/lib/fseeko.c b/lib/fseeko.c
+index 0101ab5..193f4e8 100644
+--- a/lib/fseeko.c
++++ b/lib/fseeko.c
+@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+diff --git a/lib/stdio-impl.h b/lib/stdio-impl.h
+index 78d896e..05c5752 100644
+--- a/lib/stdio-impl.h
++++ b/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+ 
+ /* BSD stdio derived implementations.  */
+ 
diff --git a/gnu/packages/patches/mariadb-gcc-ice.patch b/gnu/packages/patches/mariadb-gcc-ice.patch
deleted file mode 100644
index 59b188f45a..0000000000
--- a/gnu/packages/patches/mariadb-gcc-ice.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.  It shows up
-only when doing native compiles on armhf-linux.
-
---- mariadb-10.1.33/plugin/semisync/semisync_master.cc	2018-07-28 02:13:12.604020250 +0200
-+++ mariadb-10.1.33/plugin/semisync/semisync_master.cc	2018-07-28 02:14:11.907753417 +0200
-@@ -847,6 +847,8 @@
-   return function_exit(kWho, 0);
- }
- 
-+volatile const void *kSyncHeaderPtr = &ReplSemiSyncMaster::kSyncHeader;
-+
- int ReplSemiSyncMaster::reserveSyncHeader(unsigned char *header,
- 					  unsigned long size)
- {
-@@ -873,7 +875,7 @@
-     /* Set the magic number and the sync status.  By default, no sync
-      * is required.
-      */
--    memcpy(header, kSyncHeader, sizeof(kSyncHeader));
-+    memcpy(header, (void *)kSyncHeaderPtr, sizeof(kSyncHeader));
-     hlen= sizeof(kSyncHeader);
-   }
-   return function_exit(kWho, hlen);
-
diff --git a/gnu/packages/patches/meson-for-build-rpath.patch b/gnu/packages/patches/meson-for-build-rpath.patch
index 59249e294d..ef9a73f07c 100644
--- a/gnu/packages/patches/meson-for-build-rpath.patch
+++ b/gnu/packages/patches/meson-for-build-rpath.patch
@@ -2,10 +2,10 @@ This patch removes a part of meson that clears the rpath upon installation.
 This will only be applied to a special version of meson, used for the
 meson-build-system.
 
-Patch by Peter Mikkelsen <petermikkelsen10@gmail.com>
+Original patch for Meson 0.42.0 by Peter Mikkelsen <petermikkelsen10@gmail.com>
 
---- meson-0.42.0/mesonbuild/minstall.py.orig	2017-09-09 01:49:39.147374148 +0200
-+++ meson-0.42.0/mesonbuild/minstall.py	2017-09-09 01:51:01.209134717 +0200
+--- meson-0.47.1/mesonbuild/minstall.py.old	2018-08-10 11:01:27.812327013 +0200
++++ meson-0.47.1/mesonbuild/minstall.py	2018-08-10 11:01:51.940368505 +0200
 @@ -436,15 +436,6 @@
                          print("Symlink creation does not work on this platform. "
                                "Skipping all symlinking.")
diff --git a/gnu/packages/patches/oath-toolkit-glibc-compat.patch b/gnu/packages/patches/oath-toolkit-glibc-compat.patch
new file mode 100644
index 0000000000..22814599e5
--- /dev/null
+++ b/gnu/packages/patches/oath-toolkit-glibc-compat.patch
@@ -0,0 +1,90 @@
+Adjust the bundled Gnulib to cope with removal of libio interface in Glibc 2.28.
+
+Based on this upstream gnulib patch:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4af4a4a71827c0bc5e0ec67af23edef4f15cee8e
+
+--- a/liboath/gl/fflush.c
++++ b/liboath/gl/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN  || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+@@ -148,7 +148,7 @@
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+--- a/liboath/gl/fpurge.c
++++ b/liboath/gl/fpurge.c
+@@ -62,7 +62,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+--- a/libaoth/gl/freading.c
++++ b/liboath/gl/freading.c
+@@ -31,7 +31,7 @@
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+--- a/liboath/gl/fseeko.c
++++ b/liboath/gl/fseeko.c
+@@ -47,7 +47,7 @@
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN  || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN  || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+--- a/liboath/gl/stdio-impl.h
++++ b/liboath/gl/stdio-impl.h
+@@ -18,6 +18,11 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
++/* Glibc 2.28 made _IO_IN_BACKUP private, so define it here for now.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
++
+ /* BSD stdio derived implementations.  */
+ 
+ #if defined __NetBSD__                         /* NetBSD */
diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch
deleted file mode 100644
index 2d54ed03b9..0000000000
--- a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0495.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-Fix CVE-2018-0495:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
-https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
-
-Patch copied from upstream source repository:
-
-https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05
-
-From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 25 May 2018 12:10:13 +0100
-Subject: [PATCH] Add blinding to an ECDSA signature
-
-Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
-ECDSA signature operation. During signing the signer calculates:
-
-s:= k^-1 * (m + r * priv_key) mod order
-
-The addition operation above provides a sufficient signal for a
-flush+reload attack to derive the private key given sufficient signature
-operations.
-
-As a mitigation (based on a suggestion from Keegan) we add blinding to
-the operation so that:
-
-s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
-
-Since this attack is a localhost side channel only no CVE is assigned.
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- CHANGES                  |  4 ++
- crypto/ecdsa/ecdsatest.c |  9 ++++-
- crypto/ecdsa/ecs_ossl.c  | 82 ++++++++++++++++++++++++++++++++--------
- 3 files changed, 79 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c
-index 0f301f86d9..a130fc9117 100644
---- a/crypto/ecdsa/ecdsatest.c
-+++ b/crypto/ecdsa/ecdsatest.c
-@@ -137,7 +137,7 @@ int restore_rand(void)
-         return 1;
- }
- 
--static int fbytes_counter = 0;
-+static int fbytes_counter = 0, use_fake = 0;
- static const char *numbers[8] = {
-     "651056770906015076056810763456358567190100156695615665659",
-     "6140507067065001063065065565667405560006161556565665656654",
-@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
-     int ret;
-     BIGNUM *tmp = NULL;
- 
-+    if (use_fake == 0)
-+        return old_rand->bytes(buf, num);
-+
-+    use_fake = 0;
-+
-     if (fbytes_counter >= 8)
-         return 0;
-     tmp = BN_new();
-@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
-     /* create the key */
-     if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
-         goto x962_int_err;
-+    use_fake = 1;
-     if (!EC_KEY_generate_key(key))
-         goto x962_int_err;
-     BIO_printf(out, ".");
-     (void)BIO_flush(out);
-     /* create the signature */
-+    use_fake = 1;
-     signature = ECDSA_do_sign(digest, 20, key);
-     if (signature == NULL)
-         goto x962_int_err;
-diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
-index 16d4f59b9b..1d37551803 100644
---- a/crypto/ecdsa/ecs_ossl.c
-+++ b/crypto/ecdsa/ecs_ossl.c
-@@ -252,6 +252,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
- {
-     int ok = 0, i;
-     BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
-+    BIGNUM *blind = NULL, *blindm = NULL;
-     const BIGNUM *ckinv;
-     BN_CTX *ctx = NULL;
-     const EC_GROUP *group;
-@@ -269,14 +270,25 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
-     }
- 
-     ret = ECDSA_SIG_new();
--    if (!ret) {
-+    if (ret == NULL) {
-         ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
-         return NULL;
-     }
-     s = ret->s;
- 
--    if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
--        (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
-+    ctx = BN_CTX_new();
-+    if (ctx == NULL) {
-+        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
-+        goto err;
-+    }
-+
-+    BN_CTX_start(ctx);
-+    order = BN_CTX_get(ctx);
-+    tmp = BN_CTX_get(ctx);
-+    m = BN_CTX_get(ctx);
-+    blind = BN_CTX_get(ctx);
-+    blindm = BN_CTX_get(ctx);
-+    if (blindm == NULL) {
-         ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
-         goto err;
-     }
-@@ -315,26 +327,70 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
-             }
-         }
- 
--        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
-+        /*
-+         * The normal signature calculation is:
-+         *
-+         *   s := k^-1 * (m + r * priv_key) mod order
-+         *
-+         * We will blind this to protect against side channel attacks
-+         *
-+         *   s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
-+         */
-+
-+        /* Generate a blinding value */
-+        do {
-+            if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))
-+                goto err;
-+        } while (BN_is_zero(blind));
-+        BN_set_flags(blind, BN_FLG_CONSTTIME);
-+        BN_set_flags(blindm, BN_FLG_CONSTTIME);
-+        BN_set_flags(tmp, BN_FLG_CONSTTIME);
-+
-+        /* tmp := blind * priv_key * r mod order */
-+        if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
-+            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-+            goto err;
-+        }
-+        if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
-+            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-+            goto err;
-+        }
-+
-+        /* blindm := blind * m mod order */
-+        if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
-+            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-+            goto err;
-+        }
-+
-+        /* s : = (blind * priv_key * r) + (blind * m) mod order */
-+        if (!BN_mod_add_quick(s, tmp, blindm, order)) {
-+            ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-+            goto err;
-+        }
-+
-+        /* s:= s * blind^-1 mod order */
-+        if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
-             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-             goto err;
-         }
--        if (!BN_mod_add_quick(s, tmp, m, order)) {
-+        if (!BN_mod_mul(s, s, blind, order, ctx)) {
-             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-             goto err;
-         }
-+
-+        /* s := s * k^-1 mod order */
-         if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
-             ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-             goto err;
-         }
-+
-         if (BN_is_zero(s)) {
-             /*
-              * if kinv and r have been supplied by the caller don't to
-              * generate new kinv and r values
-              */
-             if (in_kinv != NULL && in_r != NULL) {
--                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
--                         ECDSA_R_NEED_NEW_SETUP_VALUES);
-+                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
-                 goto err;
-             }
-         } else
-@@ -349,15 +405,11 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
-         ECDSA_SIG_free(ret);
-         ret = NULL;
-     }
--    if (ctx)
-+    if (ctx != NULL) {
-+        BN_CTX_end(ctx);
-         BN_CTX_free(ctx);
--    if (m)
--        BN_clear_free(m);
--    if (tmp)
--        BN_clear_free(tmp);
--    if (order)
--        BN_free(order);
--    if (kinv)
-+    }
-+    if (kinv != NULL)
-         BN_clear_free(kinv);
-     return ret;
- }
--- 
-2.17.1
-
diff --git a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch
deleted file mode 100644
index 50b95306a5..0000000000
--- a/gnu/packages/patches/openssl-1.0.2-CVE-2018-0732.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2018-0732:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
-
-Patch copied from upstream source repository:
-
-https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098
-
-From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 387558f146..f235e0d682 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
-     int ok = 0;
-     int generate_new_key = 0;
-     unsigned l;
--    BN_CTX *ctx;
-+    BN_CTX *ctx = NULL;
-     BN_MONT_CTX *mont = NULL;
-     BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;
--- 
-2.17.1
-
diff --git a/gnu/packages/patches/parted-glibc-compat.patch b/gnu/packages/patches/parted-glibc-compat.patch
new file mode 100644
index 0000000000..edf4afb0d1
--- /dev/null
+++ b/gnu/packages/patches/parted-glibc-compat.patch
@@ -0,0 +1,17 @@
+Include <sys/sysmacros.h> for "major" and "minor".
+
+Taken from upstream:
+https://git.savannah.gnu.org/cgit/parted.git/commit/?id=ba5e0451b51c983e40afd123b6e0d3eddb55e610
+
+diff --git a/libparted/arch/linux.c b/libparted/arch/linux.c
+index 31b98ab..7e86b51 100644
+--- a/libparted/arch/linux.c
++++ b/libparted/arch/linux.c
+@@ -41,6 +41,7 @@
+ #include <sys/utsname.h>        /* for uname() */
+ #include <scsi/scsi.h>
+ #include <assert.h>
++#include <sys/sysmacros.h>
+ #ifdef ENABLE_DEVICE_MAPPER
+ #include <libdevmapper.h>
+ #endif
diff --git a/gnu/packages/patches/perf-gcc-ice.patch b/gnu/packages/patches/perf-gcc-ice.patch
deleted file mode 100644
index 58ab5359c2..0000000000
--- a/gnu/packages/patches/perf-gcc-ice.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.
-
---- linux-4.16.13/tools/perf/util/header.c	2018-06-04 11:30:39.368146035 +0200
-+++ linux-4.16.13/tools/perf/util/header.c	2018-06-04 11:34:04.667212378 +0200
-@@ -135,7 +135,7 @@ int do_write(struct feat_fd *ff, const v
- int write_padded(struct feat_fd *ff, const void *bf,
- 		 size_t count, size_t count_aligned)
- {
--	static const char zero_buf[NAME_ALIGN];
-+	static const char zero_buf[NAME_ALIGN] = { 0 };
- 	int err = do_write(ff, bf, count);
- 
- 	if (!err)
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
deleted file mode 100644
index 6460cf5855..0000000000
--- a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2018-12015:
-
-https://security-tracker.debian.org/tracker/CVE-2018-12015
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
-https://rt.cpan.org/Ticket/Display.html?id=125523
-
-Patch taken from this upstream commit and adapted to apply to
-the bundled copy in the Perl distribution:
-
-https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
-
-diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
-index 6244369..a83975f 100644
---- a/cpan/Archive-Tar/lib/Archive/Tar.pm
-+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
-@@ -845,6 +845,20 @@ sub _extract_file {
-         return;
-     }
- 
-+    ### If a file system already contains a block device with the same name as
-+    ### the being extracted regular file, we would write the file's content
-+    ### to the block device. So remove the existing file (block device) now.
-+    ### If an archive contains multiple same-named entries, the last one
-+    ### should replace the previous ones. So remove the old file now.
-+    ### If the old entry is a symlink to a file outside of the CWD, the new
-+    ### entry would create a file there. This is CVE-2018-12015
-+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
-+    if (-l $full || -e _) {
-+	if (!unlink $full) {
-+	    $self->_error( qq[Could not remove old file '$full': $!] );
-+	    return;
-+	}
-+    }
-     if( length $entry->type && $entry->is_file ) {
-         my $fh = IO::File->new;
-         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/patches/perl-deterministic-ordering.patch b/gnu/packages/patches/perl-deterministic-ordering.patch
index 92e33ef135..be63d5cde3 100644
--- a/gnu/packages/patches/perl-deterministic-ordering.patch
+++ b/gnu/packages/patches/perl-deterministic-ordering.patch
@@ -12,10 +12,10 @@ reproducibility.
  cpan/Devel-PPPort/PPPort_xs.PL | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL
+diff --git a/dist/Devel-PPPort/PPPort_xs.PL b/dist/Devel-PPPort/PPPort_xs.PL
 index 5f18940..149f2fe 100644
---- a/cpan/Devel-PPPort/PPPort_xs.PL
-+++ b/cpan/Devel-PPPort/PPPort_xs.PL
+--- a/dist/Devel-PPPort/PPPort_xs.PL
++++ b/dist/Devel-PPPort/PPPort_xs.PL
 @@ -38,7 +38,7 @@ END
  my $file;
  my $sec;
diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
deleted file mode 100644
index 28ab067599..0000000000
--- a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Fix CVE-2017-6512:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
-https://rt.cpan.org/Public/Bug/Display.html?id=121951
-
-Patch copied from Debian, adapted to apply to the copy of File::Path in Perl
-5.24.0.
-
-https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
-https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
-
-From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001
-From: John Lightsey <john@nixnuts.net>
-Date: Tue, 2 May 2017 12:03:52 -0500
-Subject: Prevent directory chmod race attack.
-
-CVE-2017-6512 is a race condition attack where the chmod() of directories
-that cannot be entered is misused to change the permissions on other
-files or directories on the system. This has been corrected by limiting
-the directory-permission loosening logic to systems where fchmod() is
-supported.
-
-[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by
-Dominic Hargreaves for Debian.]
-
-Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951
-Bug-Debian: https://bugs.debian.org/863870
-Patch-Name: fixes/file_path_chmod_race.diff
----
- cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
- cpan/File-Path/t/Path.t         | 40 ++++++++++++++++++++++++++--------------
- 2 files changed, 51 insertions(+), 28 deletions(-)
-
-diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm
-index 034da1e..a824cc8 100644
---- a/cpan/File-Path/lib/File/Path.pm
-+++ b/cpan/File-Path/lib/File/Path.pm
-@@ -354,21 +354,32 @@ sub _rmtree {
- 
-                 # see if we can escalate privileges to get in
-                 # (e.g. funny protection mask such as -w- instead of rwx)
--                $perm &= oct '7777';
--                my $nperm = $perm | oct '700';
--                if (
--                    !(
--                           $arg->{safe}
--                        or $nperm == $perm
--                        or chmod( $nperm, $root )
--                    )
--                  )
--                {
--                    _error( $arg,
--                        "cannot make child directory read-write-exec", $canon );
--                    next ROOT_DIR;
-+                # This uses fchmod to avoid traversing outside of the proper
-+                # location (CVE-2017-6512)
-+                my $root_fh;
-+                if (open($root_fh, '<', $root)) {
-+                    my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
-+                    $perm &= oct '7777';
-+                    my $nperm = $perm | oct '700';
-+                    local $@;
-+                    if (
-+                        !(
-+                            $arg->{safe}
-+                           or $nperm == $perm
-+                           or !-d _
-+                           or $fh_dev ne $ldev
-+                           or $fh_inode ne $lino
-+                           or eval { chmod( $nperm, $root_fh ) }
-+                        )
-+                      )
-+                    {
-+                        _error( $arg,
-+                            "cannot make child directory read-write-exec", $canon );
-+                        next ROOT_DIR;
-+                    }
-+                    close $root_fh;
-                 }
--                elsif ( !chdir($root) ) {
-+                if ( !chdir($root) ) {
-                     _error( $arg, "cannot chdir to child", $canon );
-                     next ROOT_DIR;
-                 }
-diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t
-index ff52fd6..956ca09 100644
---- a/cpan/File-Path/t/Path.t
-+++ b/cpan/File-Path/t/Path.t
-@@ -3,7 +3,7 @@
- 
- use strict;
- 
--use Test::More tests => 127;
-+use Test::More tests => 126;
- use Config;
- use Fcntl ':mode';
- use lib 't/';
-@@ -18,6 +18,13 @@ BEGIN {
- 
- my $Is_VMS = $^O eq 'VMS';
- 
-+my $fchmod_supported = 0;
-+if (open my $fh, curdir()) {
-+    my ($perm) = (stat($fh))[2];
-+    $perm &= 07777;
-+    eval { $fchmod_supported = chmod( $perm, $fh); };
-+}
-+
- # first check for stupid permissions second for full, so we clean up
- # behind ourselves
- for my $perm (0111,0777) {
-@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
- 
- is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
- 
--$dir = catdir($tmp_base,'G');
--$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-+SKIP: {
-+    skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
-+    $dir = catdir($tmp_base,'G');
-+    $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
- 
--@created = mkpath($dir, undef, 0200);
-+    @created = mkpath($dir, undef, 0400);
- 
--is(scalar(@created), 1, "created write-only dir");
-+    is(scalar(@created), 1, "created read-only dir");
- 
--is($created[0], $dir, "created write-only directory cross-check");
-+    is($created[0], $dir, "created read-only directory cross-check");
- 
--is(rmtree($dir), 1, "removed write-only dir");
-+    is(rmtree($dir), 1, "removed read-only dir");
-+}
- 
- # borderline new-style heuristics
- if (chdir $tmp_base) {
-@@ -450,26 +460,28 @@ SKIP: {
- }
- 
- SKIP : {
--    my $skip_count = 19;
-+    my $skip_count = 18;
-     # this test will fail on Windows, as per:
-     #   http://perldoc.perl.org/perlport.html#chmod
- 
-     skip "Windows chmod test skipped", $skip_count
-         if $^O eq 'MSWin32';
-+    skip "fchmod() on directories is not supported on this platform", $skip_count
-+        unless $fchmod_supported;
-     my $mode;
-     my $octal_mode;
-     my @inputs = (
--      0777, 0700, 0070, 0007,
--      0333, 0300, 0030, 0003,
--      0111, 0100, 0010, 0001,
--      0731, 0713, 0317, 0371, 0173, 0137,
--      00 );
-+      0777, 0700, 0470, 0407,
-+      0433, 0400, 0430, 0403,
-+      0111, 0100, 0110, 0101,
-+      0731, 0713, 0317, 0371,
-+      0173, 0137);
-     my $input;
-     my $octal_input;
--    $dir = catdir($tmp_base, 'chmod_test');
- 
-     foreach (@inputs) {
-         $input = $_;
-+        $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
-         # We can skip from here because 0 is last in the list.
-         skip "Mode of 0 means assume user defaults on VMS", 1
-           if ($input == 0 && $Is_VMS);
diff --git a/gnu/packages/patches/python-pillow-fix-failing-tests.patch b/gnu/packages/patches/python-pillow-fix-failing-tests.patch
deleted file mode 100644
index 2575d6f612..0000000000
--- a/gnu/packages/patches/python-pillow-fix-failing-tests.patch
+++ /dev/null
Binary files differdiff --git a/gnu/packages/patches/python-testtools.patch b/gnu/packages/patches/python-testtools.patch
new file mode 100644
index 0000000000..42536e50f9
--- /dev/null
+++ b/gnu/packages/patches/python-testtools.patch
@@ -0,0 +1,57 @@
+https://github.com/testing-cabal/testtools/commit/29004731f9c480b7c44a9c2605513d50d372898f.patch
+Should be fixed in the next release
+
+From 29004731f9c480b7c44a9c2605513d50d372898f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Thu, 17 May 2018 17:52:26 +0200
+Subject: [PATCH] Fix the tests on Python 3.7
+
+Exception's repr got changed not to include trailing comma
+
+Fixes https://github.com/testing-cabal/testtools/issues/270
+---
+ .travis.yml                                |  1 +
+ testtools/tests/matchers/test_exception.py | 11 +++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/.travis.yml b/.travis.yml
+index 7f1f4db7..784608e0 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -5,6 +5,7 @@ python:
+   - "3.4"
+   - "3.5"
+   - "3.6"
++  - "3.7-dev"
+   - "pypy"
+ 
+ install:
+diff --git a/testtools/tests/matchers/test_exception.py b/testtools/tests/matchers/test_exception.py
+index 6cd80af1..acd39252 100644
+--- a/testtools/tests/matchers/test_exception.py
++++ b/testtools/tests/matchers/test_exception.py
+@@ -32,15 +32,22 @@ class TestMatchesExceptionInstanceInterface(TestCase, TestMatchersInterface):
+     matches_matches = [error_foo]
+     matches_mismatches = [error_bar, error_base_foo]
+ 
++    if sys.version_info >= (3, 7):
++        # exception's repr has changed
++        _e = ''
++    else:
++        _e = ','
++
+     str_examples = [
+-        ("MatchesException(Exception('foo',))",
++        ("MatchesException(Exception('foo'%s))" % _e,
+          MatchesException(Exception('foo')))
+         ]
+     describe_examples = [
+         ("%r is not a %r" % (Exception, ValueError),
+          error_base_foo,
+          MatchesException(ValueError("foo"))),
+-        ("ValueError('bar',) has different arguments to ValueError('foo',).",
++        ("ValueError('bar'%s) has different arguments to ValueError('foo'%s)."
++         % (_e, _e),
+          error_bar,
+          MatchesException(ValueError("foo"))),
+         ]
diff --git a/gnu/packages/patches/qtbase-glibc-compat.patch b/gnu/packages/patches/qtbase-glibc-compat.patch
new file mode 100644
index 0000000000..15a2540b3a
--- /dev/null
+++ b/gnu/packages/patches/qtbase-glibc-compat.patch
@@ -0,0 +1,50 @@
+Fix qmake build with glibc 2.28.
+
+Taken from upstream:
+https://code.qt.io/cgit/qt/qtbase.git/commit/?id=25feee4e061b99edab79503d81f5bd045c6c8e3d
+
+diff --git a/src/corelib/global/qconfig-bootstrapped.h b/src/corelib/global/qconfig-bootstrapped.h
+index 3469ebe5e6..c5585ea32a 100644
+--- a/src/corelib/global/qconfig-bootstrapped.h
++++ b/src/corelib/global/qconfig-bootstrapped.h
+@@ -98,10 +98,18 @@
+ #define QT_NO_QOBJECT
+ #define QT_FEATURE_process -1
+ #define QT_FEATURE_regularexpression -1
+-#define QT_FEATURE_renameat2 -1
++#ifdef __GLIBC_PREREQ
++# define QT_FEATURE_renameat2 (__GLIBC_PREREQ(2, 28) ? 1 : -1)
++#else
++# define QT_FEATURE_renameat2 -1
++#endif
+ #define QT_FEATURE_sharedmemory -1
+ #define QT_FEATURE_slog2 -1
+-#define QT_FEATURE_statx -1
++#ifdef __GLIBC_PREREQ
++# define QT_FEATURE_statx (__GLIBC_PREREQ(2, 28) ? 1 : -1)
++#else
++# define QT_FEATURE_statx -1
++#endif
+ #define QT_FEATURE_syslog -1
+ #define QT_NO_SYSTEMLOCALE
+ #define QT_FEATURE_systemsemaphore -1
+diff --git a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp
+index 0c9cdb8667..deb4a9f220 100644
+--- a/src/corelib/io/qfilesystemengine_unix.cpp
++++ b/src/corelib/io/qfilesystemengine_unix.cpp
+@@ -91,7 +91,6 @@ extern "C" NSString *NSTemporaryDirectory();
+ #  include <sys/syscall.h>
+ #  include <sys/sendfile.h>
+ #  include <linux/fs.h>
+-#  include <linux/stat.h>
+ 
+ // in case linux/fs.h is too old and doesn't define it:
+ #ifndef FICLONE
+@@ -112,6 +111,7 @@ static int renameat2(int oldfd, const char *oldpath, int newfd, const char *newp
+ #    endif
+ 
+ #    if !QT_CONFIG(statx) && defined(SYS_statx)
++#      include <linux/stat.h>
+ static int statx(int dirfd, const char *pathname, int flag, unsigned mask, struct statx *statxbuf)
+ { return syscall(SYS_statx, dirfd, pathname, flag, mask, statxbuf); }
+ #    elif !QT_CONFIG(statx) && !defined(SYS_statx)
diff --git a/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch b/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch
new file mode 100644
index 0000000000..561763dabe
--- /dev/null
+++ b/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch
@@ -0,0 +1,36 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Sun, 26 Aug 2018 17:24:42 +0200
+Subject: [PATCH] snappy: Add O2 flag in CmakeLists.txt.
+
+Use ‘-O2’ optimisation when building with CMake, as is already done when
+using the Makefile. This patch was copied verbatim from the Snappy
+mailing list[0].
+
+[0]: <snappy-compression@googlegroups.com>
+
+From 903c72fb29b2db07b4abc38a5feb83d88f739d80 Mon Sep 17 00:00:00 2001
+From: huangwenjun <huangwenjun-hf@loongson.cn>
+Date: Fri, 10 Aug 2018 17:17:35 +0800
+Subject: [PATCH] Add O2 optimize flag in CmakeLists.txt.
+
+---
+ CMakeLists.txt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 62ecd09..29e0cdc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -6,6 +6,9 @@ set(CMAKE_CXX_STANDARD 11)
+ set(CMAKE_CXX_STANDARD_REQUIRED ON)
+ set(CMAKE_CXX_EXTENSIONS OFF)
+ 
++SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O2")
++SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O2")
++
+ # BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to make
+ # it prominent in the GUI.
+ option(BUILD_SHARED_LIBS "Build shared libraries(DLLs)." OFF)
+-- 
+2.1.0
+
diff --git a/gnu/packages/patches/texinfo-5-perl-compat.patch b/gnu/packages/patches/texinfo-5-perl-compat.patch
new file mode 100644
index 0000000000..f16d6b4da8
--- /dev/null
+++ b/gnu/packages/patches/texinfo-5-perl-compat.patch
@@ -0,0 +1,19 @@
+Fix a deprecation warning with newer Perl that breaks some tests.
+
+--- a/tp/Texinfo/Parser.pm
++++ b/tp/Texinfo/Parser.pm
+@@ -5438,12 +5438,12 @@
+     }
+   } elsif ($command eq 'clickstyle') {
+     # REMACRO
+-    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*/) {
++    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*/) {
+       $args = ['@'.$1];
+       $self->{'clickstyle'} = $1
+         unless(_ignore_global_commands($self));
+       $remaining = $line;
+-      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
++      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
+       $has_comment = 1 if (defined($4));
+     } else {
+       $self->line_error (sprintf($self->__(
diff --git a/gnu/packages/patches/texinfo-perl-compat.patch b/gnu/packages/patches/texinfo-perl-compat.patch
new file mode 100644
index 0000000000..a7348fde0d
--- /dev/null
+++ b/gnu/packages/patches/texinfo-perl-compat.patch
@@ -0,0 +1,51 @@
+Fix compatibility with newer Perls.
+
+The first patch is taken from upstream:
+https://svn.savannah.gnu.org/viewvc/texinfo?view=revision&revision=8008
+
+The second gets rid of a deprecation warning that breaks some tests.
+Taken from Fedora: <https://bugzilla.redhat.com/show_bug.cgi?id=1590308>.
+
+--- trunk/tp/Texinfo/Convert/XSParagraph/xspara.c	2017/04/30 14:57:26	7765
++++ trunk/tp/Texinfo/Convert/XSParagraph/xspara.c	2018/07/13 15:39:29	8008
+@@ -248,6 +248,11 @@
+ 
+   dTHX;
+ 
++#if PERL_VERSION > 27 || (PERL_VERSION == 27 && PERL_SUBVERSION > 8)
++  /* needed due to thread-safe locale handling in newer perls */
++  switch_to_global_locale();
++#endif
++
+   if (setlocale (LC_CTYPE, "en_US.UTF-8")
+       || setlocale (LC_CTYPE, "en_US.utf8"))
+     goto success;
+@@ -320,6 +325,10 @@
+     {
+ success: ;
+       free (utf8_locale);
++#if PERL_VERSION > 27 || (PERL_VERSION == 27 && PERL_SUBVERSION > 8)
++      /* needed due to thread-safe locale handling in newer perls */
++      sync_locale();
++#endif
+       /*
+       fprintf (stderr, "tried to set LC_CTYPE to UTF-8.\n");
+       fprintf (stderr, "character encoding is: %s\n",
+
+diff -up texinfo-6.5/tp/Texinfo/Parser.pm.orig texinfo-6.5/tp/Texinfo/Parser.pm
+--- texinfo-6.5/tp/Texinfo/Parser.pm.orig	2018-06-12 13:40:29.356030136 +0200
++++ texinfo-6.5/tp/Texinfo/Parser.pm	2018-06-12 13:41:28.357725639 +0200
+@@ -5478,11 +5478,11 @@ sub _parse_special_misc_command($$$$)
+     }
+   } elsif ($command eq 'clickstyle') {
+     # REMACRO
+-    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*/) {
++    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*/) {
+       $args = ['@'.$1];
+       $self->{'clickstyle'} = $1;
+       $remaining = $line;
+-      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
++      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
+       $has_comment = 1 if (defined($4));
+     } else {
+       $self->line_error (sprintf($self->__(
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 5719b7bb45..564a23d012 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -35,7 +35,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.41")
+   (version "8.42")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -46,11 +46,12 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))
+              "00ckpzlgyr16bnqx8fawa3afjgqxw5yxgs2l081vw23qi1y4pl1c"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
-              "doc"))         ;1.8 MiB of HTML
+              "doc"           ;1.8 MiB of HTML
+              "static"))      ;1.8 MiB static libraries
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)
              ("zlib" ,zlib)))
@@ -63,7 +64,19 @@
                           "--enable-unicode-properties"
                           "--enable-pcre16"
                           "--enable-pcre32"
-                          "--enable-jit")))
+                          "--enable-jit")
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-libs
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((source (string-append (assoc-ref outputs "out") "/lib"))
+                           (static (string-append (assoc-ref outputs "static") "/lib")))
+                       (mkdir-p static)
+                       (for-each (lambda (lib)
+                                   (link lib (string-append static "/"
+                                                            (basename lib)))
+                                   (delete-file lib))
+                                 (find-files source "\\.a$"))
+                       #t))))))
    (synopsis "Perl Compatible Regular Expressions")
    (description
     "The PCRE library is a set of functions that implement regular expression
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 57a5e1c0ed..a28005a024 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -80,20 +80,20 @@
 (define-public poppler
   (package
    (name "poppler")
-   (version "0.63.0")
+   (version "0.68.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "04d1z1ygyb3llzc6s6c99wxafvljj2sc5b76djif34f7mzfqmk17"))))
+              "0n0f7mv24lzv9p3dlzakpdhqg7ygcvl6l40grcz95xldzgq083gr"))))
    (build-system cmake-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
    (inputs `(("fontconfig" ,fontconfig)
              ("freetype" ,freetype)
-             ("libjpeg" ,libjpeg)
+             ("libjpeg" ,libjpeg-turbo)
              ("libpng" ,libpng)
              ("libtiff" ,libtiff)
              ("lcms" ,lcms)
@@ -104,8 +104,12 @@
              ;; GLib.  But of course, that Cairo must not depend on Poppler.
              ("cairo" ,(package (inherit cairo)
                          (inputs (alist-delete "poppler"
-                                               (package-inputs cairo)))))
-             ("glib" ,glib)))
+                                               (package-inputs cairo)))))))
+   (propagated-inputs
+    ;; As per poppler-cairo and poppler-glib.pc.
+    ;; XXX: Ideally we'd propagate Cairo too, but that would require a
+    ;; different solution to the circular dependency mentioned above.
+    `(("glib" ,glib)))
    (native-inputs
       `(("pkg-config" ,pkg-config)
         ("glib" ,glib "bin")                      ; glib-mkenums, etc.
@@ -511,7 +515,7 @@ by using the poppler rendering engine.")
 
                      ;; For tests.
                      ("check" ,check)
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     (inputs `(("sqlite" ,sqlite)))
     ;; Listed in 'Requires.private' of 'zathura.pc'.
     (propagated-inputs `(("cairo" ,cairo)
@@ -644,14 +648,14 @@ line tools for batch rendering @command{pdfdraw}, rewriting files
 (define-public qpdf
   (package
    (name "qpdf")
-   (version "8.1.0")
+   (version "8.2.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://sourceforge/qpdf/qpdf/" version
                                 "/qpdf-" version ".tar.gz"))
             (sha256
              (base32
-              "1m3hcgip6bzjx4gd7wq1328p8zi3pq5savzncdyln6l0lcklh7vx"))
+              "1jdb0jj72fjdp6xip4m7yz31r5x13zs7h4smnxsycgw3vbmx6igl"))
             (modules '((guix build utils)))
             (snippet
              ;; Replace shebang with the bi-lingual shell/Perl trick to remove
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index f556d19f3c..cadef602e4 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -43,9 +43,9 @@
   #:use-module (gnu packages)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
-  #:use-module (guix utils) ;substitute-keyword-arguments for perl-5.26.2
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages freedesktop)
@@ -62,17 +62,15 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.26.1")
-    (replacement perl/fixed)
+    (version "5.28.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1p81wwvr5jb81m41d07kfywk5gvbk0axdrnvhc2aghcdbr4alqz7"))
+               "1a3f822lcl8dr8v0hk80yyhpzqlljg49z9flb48rs3nbsij9z4ky"))
              (patches (search-patches
-                       "perl-file-path-CVE-2017-6512.patch"
                        "perl-no-sys-dirs.patch"
                        "perl-autosplit-default-time.patch"
                        "perl-deterministic-ordering.patch"
@@ -163,41 +161,6 @@ more.")
     (home-page "http://www.perl.org/")
     (license gpl1+)))                          ; or "Artistic"
 
-;; Fixes CVE-2018-6797, CVE-2018-6798, and CVE-2018-6913.
-;; See <https://metacpan.org/changes/release/SHAY/perl-5.26.2>.
-(define perl-5.26.2
-  (package
-    (inherit perl)
-    (version "5.26.2")
-    (source (origin
-              (inherit (package-source perl))
-              (uri (string-append "mirror://cpan/src/5.0/perl-"
-                                  version ".tar.gz"))
-              (patches (append (origin-patches (package-source perl))
-                               (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
-              (sha256
-               (base32
-                "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
-
-;; When grafting perl, complications arise when the replacement perl has a
-;; different version number than the original.  So, here we create a version
-;; of perl-5.26.2 that thinks it is version 5.26.1.  See
-;; <https://bugs.gnu.org/31210> and <https://bugs.gnu.org/31216>.
-(define perl/fixed
-  (package
-    (inherit perl-5.26.2)
-    (version "5.26.1")
-    (arguments
-     (substitute-keyword-arguments (package-arguments perl-5.26.2)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'unpack 'revert-perl-subversion
-             (lambda _
-               (substitute* "patchlevel.h"
-                 (("^#define PERL_SUBVERSION	2")
-                  "#define PERL_SUBVERSION	1"))
-               #t))))))))
-
 (define-public perl-algorithm-c3
   (package
     (name "perl-algorithm-c3")
@@ -5286,7 +5249,7 @@ examine the contents, and perform some simple tasks.  It can also load the
 (define-public perl-module-runtime
   (package
     (name "perl-module-runtime")
-    (version "0.014")
+    (version "0.016")
     (source
      (origin
        (method url-fetch)
@@ -5294,7 +5257,7 @@ examine the contents, and perform some simple tasks.  It can also load the
                            "Module-Runtime-" version ".tar.gz"))
        (sha256
         (base32
-         "19326f094jmjs6mgpwkyisid54k67w34br8yfh0gvaaml87gwi2c"))))
+         "097hy2czwkxlppri32m599ph0xfvfsbf0a5y23a4fdc38v32wc38"))))
     (build-system perl-build-system)
     (native-inputs `(("perl-module-build" ,perl-module-build)))
     (home-page "https://metacpan.org/release/Module-Runtime")
@@ -9036,6 +8999,9 @@ defined by Annex #11 is used to determine breaking positions.")
                (base32
                 "1xnhazbdvpyfpnxd90krzhxkvabf8fa2ji6xzlrf75j6nz8251zs"))))
     (build-system perl-build-system)
+    ;; FIXME: Tests fail on 32-bit architectures:
+    ;; <https://rt.cpan.org/Public/Bug/Display.html?id=127007>.
+    (arguments `(#:tests? ,(target-64bit?)))
     (native-inputs
      `(("perl-test-fatal" ,perl-test-fatal)
        ("perl-test-leaktrace" ,perl-test-leaktrace)
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index c78902c97c..466b26c238 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -50,16 +50,6 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-(define gd-for-php
-  (package
-    (inherit gd)
-    (source (origin
-             (inherit (package-source gd))
-             (patches (search-patches "gd-fix-tests-on-i686.patch"
-                                      "gd-freetype-test-failure.patch"
-                                      "gd-CVE-2018-5711.patch"
-                                      "gd-CVE-2018-1000222.patch"))))))
-
 (define-public php
   (package
     (name "php")
@@ -313,7 +303,7 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
diff --git a/gnu/packages/python-crypto.scm b/gnu/packages/python-crypto.scm
index bda547417c..d773b2f948 100644
--- a/gnu/packages/python-crypto.scm
+++ b/gnu/packages/python-crypto.scm
@@ -340,13 +340,13 @@ password storage.")
 (define-public python-certifi
   (package
     (name "python-certifi")
-    (version "2017.1.23")
+    (version "2018.8.13")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "certifi" version))
               (sha256
                (base32
-                "1klrzl3hgvcf2mjk00g0k3kk1p2z27vzwnxivwar4vhjmjvpz1w1"))))
+                "1x7jy10rz3100g9iw7c2czcw2z4lqfaalsd8yg991l4d82hnh7ac"))))
     (build-system python-build-system)
     (home-page "https://certifi.io/")
     (synopsis "Python CA certificate bundle")
diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index f8052458a1..d11a3f8c5c 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -1367,14 +1367,14 @@ authenticated session objects providing things like keep-alive.")
 (define-public python-urllib3
   (package
     (name "python-urllib3")
-    (version "1.18.1")
+    (version "1.23")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "urllib3" version))
         (sha256
          (base32
-          "1wb8aqnq53vzh2amrv8kc66f3h6fx217y0q62y6n30a64p2yqmam"))))
+          "1bvbd35q3zdcd7gsv38fwpizy7p06dr0154g5gfybrvnbvhwb2m6"))))
     (build-system python-build-system)
     (arguments `(#:tests? #f))
     (native-inputs
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index e3a04b0344..39ec96fd66 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -142,12 +142,13 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
-  #:use-module (srfi srfi-1))
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26))
 
 (define-public python-2.7
   (package
     (name "python2")
-    (version "2.7.14")
+    (version "2.7.15")
     (replacement python-2/fixed)
     (source
      (origin
@@ -156,7 +157,7 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "0rka541ys16jwzcnnvjp2v12m4cwgd2jp6wj4kj511p715pb5zvi"))
+        "0x2mvz9dp11wj7p5ccvmk9s0hzjk2fa1m462p395l4r6bfnb3n92"))
       (patches (search-patches "python-2.7-search-paths.patch"
                                "python-2-deterministic-build-info.patch"
                                "python-2.7-site-prefixes.patch"
@@ -181,23 +182,7 @@
                "tk"))                     ;tkinter; adds 50 MiB to the closure
     (build-system gnu-build-system)
     (arguments
-     `(;; 356 tests OK.
-       ;; 6 tests failed:
-       ;;     test_compileall test_distutils test_import test_shutil test_socket
-       ;;     test_subprocess
-       ;; 39 tests skipped:
-       ;;     test_aepack test_al test_applesingle test_bsddb test_bsddb185
-       ;;     test_bsddb3 test_cd test_cl test_codecmaps_cn test_codecmaps_hk
-       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
-       ;;     test_dl test_gdb test_gl test_imageop test_imgfile test_ioctl
-       ;;     test_kqueue test_linuxaudiodev test_macos test_macostools
-       ;;     test_msilib test_ossaudiodev test_scriptpackages test_smtpnet
-       ;;     test_socketserver test_startfile test_sunaudiodev test_timeout
-       ;;     test_tk test_ttk_guionly test_urllib2net test_urllibnet
-       ;;     test_winreg test_winsound test_zipfile64
-       ;; 4 skips unexpected on linux2:
-       ;;     test_bsddb test_bsddb3 test_gdb test_ioctl
-       #:test-target "test"
+     `(#:test-target "test"
        #:configure-flags
        (list "--enable-shared"                    ;allow embedding
              "--with-system-ffi"                  ;build ctypes
@@ -222,11 +207,6 @@
                                     "Lib/test/support/__init__.py"
                                     "Lib/test/test_subprocess.py"))
                (("/bin/sh") (which "sh")))
-
-             ;; Use zero as the timestamp in .pyc files so that builds are
-             ;; deterministic.  TODO: Remove it when this variable is set in
-             ;; gnu-build-system.scm.
-             (setenv "SOURCE_DATE_EPOCH" "1")
              #t))
           (add-before 'configure 'do-not-record-configure-flags
             (lambda* (#:key configure-flags #:allow-other-keys)
@@ -284,15 +264,6 @@
                                                               file))))))
                        (call-with-output-file "__init__.py" (const #t))
                        #t)))))))
-          (add-before 'strip 'make-libraries-writable
-            (lambda* (#:key outputs #:allow-other-keys)
-              ;; Make .so files writable so they can be stripped.
-              (let ((out (assoc-ref outputs "out")))
-                (for-each (lambda (file)
-                            (chmod file #o755))
-                          (find-files (string-append out "/lib")
-                                      "\\.so"))
-                #t)))
           (add-after 'install 'move-tk-inter
             (lambda* (#:key outputs #:allow-other-keys)
               ;; When Tkinter support is built move it to a separate output so
@@ -366,10 +337,10 @@ data types.")
     (name "python")
     (properties `((superseded . ,python-2)))))
 
-(define-public python-3.6
+(define-public python-3.7
   (package (inherit python-2)
     (name "python")
-    (version "3.6.5")
+    (version "3.7.0")
     (replacement python-3/fixed)
     (source (origin
               (method url-fetch)
@@ -383,66 +354,39 @@ data types.")
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "19l7inxm056jjw33zz97z0m02hsi7jnnx5kyb76abj5ml4xhad7l"))
+                "0j9mic5c9lbd2b20wka7hily7szz740wy9ilfrczxap63rnrk0h3"))
               (snippet
                '(begin
                   (for-each delete-file
-                            '("Lib/ctypes/test/test_structures.py" ; fails on aarch64
-                              "Lib/ctypes/test/test_win32.py" ; fails on aarch64
-                              "Lib/test/test_fcntl.py")) ; fails on aarch64
+                            '(;; This test may hang and eventually run out of
+                              ;; memory on some systems:
+                              ;; <https://bugs.python.org/issue34587>
+                              "Lib/test/test_socket.py"
+
+                              ;; These tests fail on AArch64.
+                              "Lib/ctypes/test/test_win32.py"
+                              "Lib/test/test_fcntl.py"
+                              "Lib/test/test_posix.py"))
                   #t))))
     (arguments
      (substitute-keyword-arguments (package-arguments python-2)
-       ((#:tests? _) #t)
        ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'unpack 'patch-timestamp-for-pyc-files
-             (lambda _
-               ;; We set DETERMINISTIC_BUILD to only override the mtime when
-               ;; building with Guix, lest we break auto-compilation in
-               ;; environments.
-               (setenv "DETERMINISTIC_BUILD" "1")
-               (substitute* "Lib/py_compile.py"
-                 (("source_stats\\['mtime'\\]")
-                  "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])"))
-
-               ;; Use deterministic hashes for strings, bytes, and datetime
-               ;; objects.
-               (setenv "PYTHONHASHSEED" "0")
-
-               ;; Reset mtime when validating bytecode header.
-               (substitute* "Lib/importlib/_bootstrap_external.py"
-                 (("source_mtime = int\\(source_stats\\['mtime'\\]\\)")
-                  "source_mtime = 1"))
-               #t))
-           ;; These tests fail because of our change to the bytecode
-           ;; validation.  They fail because expected exceptions do not get
-           ;; thrown.  This seems to be no problem.
-           (add-after 'unpack 'disable-broken-bytecode-tests
-             (lambda _
-               (substitute* "Lib/test/test_importlib/source/test_file_loader.py"
-                 (("test_bad_marshal")
-                  "disable_test_bad_marshal")
-                 (("test_no_marshal")
-                  "disable_test_no_marshal")
-                 (("test_non_code_marshal")
-                  "disable_test_non_code_marshal"))
-               #t))
-           ;; Unset DETERMINISTIC_BUILD to allow for tests that check that
-           ;; stale pyc files are rebuilt.
-           (add-before 'check 'allow-non-deterministic-compilation
-             (lambda _ (unsetenv "DETERMINISTIC_BUILD") #t))
-           ;; We need to rebuild all pyc files for three different
-           ;; optimization levels to replace all files that were not built
-           ;; deterministically.
-
-           ;; FIXME: Without this phase we have close to 2000 files that
+       `(modify-phases ,phases
+          ;; Unset SOURCE_DATE_EPOCH while running the test-suite and set it
+          ;; again afterwards.  See <https://bugs.python.org/issue34022>.
+          (add-before 'check 'unset-SOURCE_DATE_EPOCH
+            (lambda _ (unsetenv "SOURCE_DATE_EPOCH") #t))
+          (add-after 'check 'reset-SOURCE_DATE_EPOCH
+            (lambda _ (setenv "SOURCE_DATE_EPOCH" "1") #t))
+           ;; FIXME: Without this phase we have close to 400 files that
            ;; differ across different builds of this package.  With this phase
-           ;; there are about 500 files left that differ.
-           (add-after 'install 'rebuild-bytecode
+           ;; there are 44 files left that differ.
+           (add-after 'remove-tests 'rebuild-bytecode
              (lambda* (#:key outputs #:allow-other-keys)
-               (setenv "DETERMINISTIC_BUILD" "1")
                (let ((out (assoc-ref outputs "out")))
+                 ;; Disable hash randomization to ensure the generated .pycs
+                 ;; are reproducible.
+                 (setenv "PYTHONHASHSEED" "0")
                  (for-each
                   (lambda (opt)
                     (format #t "Compiling with optimization level: ~a\n"
@@ -454,8 +398,7 @@ data types.")
                                          "-m" "compileall"
                                          "-f" ; force rebuild
                                          ;; Don't build lib2to3, because it's Python 2 code.
-                                         ;; Also don't build obviously broken test code.
-                                         "-x" "(lib2to3|test/bad.*)"
+                                         "-x" "lib2to3/.*"
                                          ,file)))
                               (find-files out "\\.py$")))
                   (list '() '("-O") '("-OO")))
@@ -468,7 +411,7 @@ data types.")
                                         "/site-packages"))))))))
 
 ;; Current 3.x version.
-(define-public python-3 python-3.6)
+(define-public python-3 python-3.7)
 
 (define python-3/fixed
   (package
@@ -714,18 +657,24 @@ by @code{binstar}, @code{binstar-build} and @code{chalmers}.")
 (define-public python-babel
   (package
     (name "python-babel")
-    (version "2.3.4")
+    (version "2.6.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "Babel" version))
       (sha256
        (base32
-        "0x98qqqw35xllpcama013a9788ly84z8dm1w2wwfpxh2710c8df5"))))
+        "08rxmbx2s4irp0w0gmn498vns5xy0fagm0fg33xa772jiks51flc"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python-freezegun" ,python-freezegun)
+       ("python-pytest" ,python-pytest)))
     (propagated-inputs
      `(("python-pytz" ,python-pytz)))
-    (arguments `(#:tests? #f)) ; no test target
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (replace 'check
+                    (lambda _ (invoke "pytest" "-vv"))))))
     (home-page "http://babel.pocoo.org/")
     (synopsis
      "Tools for internationalizing Python applications")
@@ -969,14 +918,14 @@ version identifier.")
 (define-public python-setuptools
   (package
     (name "python-setuptools")
-    (version "31.0.0")
+    (version "40.0.0")
     (source
      (origin
       (method url-fetch)
-      (uri (pypi-uri "setuptools" version))
+      (uri (pypi-uri "setuptools" version ".zip"))
       (sha256
        (base32
-        "0ypybh4hx3bv4vhg2dc74xpj1g56ggnaffm87k4abhwjwq6wq608"))
+        "0pq116lr14gnc62v76nk0npkm6krb2mpp7p9ab369zgv4n7dnah1"))
       (modules '((guix build utils)))
       (snippet
        '(begin
@@ -1272,13 +1221,13 @@ human-friendly syntax.")
 (define-public python-pandas
   (package
     (name "python-pandas")
-    (version "0.23.1")
+    (version "0.23.4")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pandas" version))
        (sha256
-        (base32 "142nvwb01r2wv42y2cz40bx33hd8ffh6s6gynapg859fmzr2mdah"))))
+        (base32 "1x54pd7hr3y7qahx6b5bf2wzj54xvl8r3s1h4pl254pnmi3wl92v"))))
     (build-system python-build-system)
     (arguments
      `(#:modules ((guix build utils)
@@ -1293,18 +1242,23 @@ human-friendly syntax.")
                               (getcwd) "/build/"
                               (car (scandir "build"
                                             (cut string-prefix? "lib." <>))))))
+                        ;; Disable the "strict data files" option which causes
+                        ;; the build to error out if required data files are not
+                        ;; available (as is the case with PyPI archives).
+                        (substitute* "setup.cfg"
+                          (("addopts = --strict-data-files") "addopts = "))
                         (with-directory-excursion build-directory
                           ;; Delete tests that require "moto" which is not yet in Guix.
                           (for-each delete-file
                                     '("pandas/tests/io/conftest.py"
                                       "pandas/tests/io/json/test_compression.py"
+                                      "pandas/tests/io/parser/test_network.py"
                                       "pandas/tests/io/test_excel.py"
                                       "pandas/tests/io/test_parquet.py"))
-                          (invoke "pytest" "-v" "pandas" "-k"
-                                  (string-append
-                                   "not network and not disabled"
-                                   ;; XXX: Due to the deleted tests above.
-                                   " and not test_read_s3_jsonl")))))))))
+                          (invoke "pytest" "-vv" "pandas" "--skip-slow"
+                                  "--skip-network" "-k"
+                                  ;; XXX: Due to the deleted tests above.
+                                  "not test_read_s3_jsonl"))))))))
     (propagated-inputs
      `(("python-numpy" ,python-numpy)
        ("python-pytz" ,python-pytz)
@@ -1815,14 +1769,14 @@ matching them against a list of media-ranges.")
 (define-public python-py
   (package
     (name "python-py")
-    (version "1.5.3")
+    (version "1.5.4")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "py" version))
        (sha256
         (base32
-         "10gq2lckvgwlk9w6yzijhzkarx44hsaknd0ypa08wlnpjnsgmj99"))))
+         "1xxvwfn82457djf55f5n2c94699rfqnk43br8fif2r2q8gvrmm9z"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: "ImportError: 'test' module incorrectly imported from
@@ -1830,7 +1784,9 @@ matching them against a list of media-ranges.")
      ;; Expected '/tmp/guix-build-python-py-1.4.31.drv-0/py-1.4.31/py'.
      ;; Is this module globally installed?"
      '(#:tests? #f))
-    (home-page "https://pylib.readthedocs.io/")
+    (native-inputs
+     `(("python-setuptools-scm" ,python-setuptools-scm)))
+    (home-page "https://github.com/pytest-dev/py")
     (synopsis "Python library for parsing, I/O, instrospection, and logging")
     (description
      "Py is a Python library for file name parsing, .ini file parsing, I/O,
@@ -2320,7 +2276,7 @@ object.")
 (define-public python-markupsafe
   (package
     (name "python-markupsafe")
-    (version "0.23")
+    (version "1.0")
     (source
      (origin
        (method url-fetch)
@@ -2329,7 +2285,7 @@ object.")
              version ".tar.gz"))
        (sha256
         (base32
-         "1hvip33wva3fnmvfp9x5klqri7hpl1hkgqmjbss18nmrb7zimv54"))))
+         "0rdn1s8x9ni7ss8rfiacj7x1085lx8mh2zdwqslnw8xc3l4nkgm6"))))
     (build-system python-build-system)
     (home-page "https://github.com/mitsuhiko/markupsafe")
     (synopsis "XML/HTML/XHTML markup safe string implementation for Python")
@@ -2344,14 +2300,14 @@ for Python.")
 (define-public python-jinja2
   (package
     (name "python-jinja2")
-    (version "2.9.6")
+    (version "2.10")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Jinja2" version))
        (sha256
         (base32
-         "1zzrkywhziqffrzks14kzixz7nd4yh2vc0fb04a68vfd2ai03anx"))))
+         "190l36hfw3wb2n3n68yacjabxyb1pnxwn7vjx96cmjj002xy2jzq"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-markupsafe" ,python-markupsafe)))
@@ -2507,26 +2463,17 @@ reStructuredText.")
 (define-public python-sphinxcontrib-websupport
   (package
     (name "python-sphinxcontrib-websupport")
-    (version "1.0.1")
+    (version "1.1.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "sphinxcontrib-websupport" version))
               (sha256
                (base32
-                "1f9f0wjpi9nhikbyaz6d19s7qvzdf1nq2g5dsh640fma4q9rd1bs"))))
+                "1ff3ix76xi1y6m99qxhaq5161ix9swwzydilvdya07mgbcvpzr4x"))))
     (build-system python-build-system)
-    (propagated-inputs
-     `(("python-mock" ,python-mock)
-       ("python-pytest" ,python-pytest)
-       ("python-xapian-bindings" ,python-xapian-bindings)))
-    ;; Needed for running the test suite
-    (native-inputs
-     `(("python-six" ,python-six)
-       ("python-jinja2" ,python-jinja2)
-       ("python-docutils" ,python-docutils)
-       ("python-sphinx" ,python-sphinx)
-       ("python-sqlalchemy" ,python-sqlalchemy)
-       ("python-whoosh" ,python-whoosh)))
+    (arguments
+     ;; FIXME: Tests depend on Sphinx, which depends on this.
+     `(#:tests? #f))
     (home-page "http://sphinx-doc.org/")
     (synopsis "Sphinx API for web applications")
     (description "This package provides a Python API to easily integrate
@@ -2534,17 +2481,20 @@ Sphinx documentation into your web application.  It provides tools to
 integrate Sphinx documents in web templates and to handle searches.")
     (license license:bsd-3)))
 
+(define-public python2-sphinxcontrib-websupport
+  (package-with-python2 python-sphinxcontrib-websupport))
+
 (define-public python-sphinx
   (package
     (name "python-sphinx")
-    (version "1.5.1")
+    (version "1.7.7")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Sphinx" version))
        (sha256
         (base32
-         "1i8p9idnli4gr0y4x67yakbdk5w6a0xjzhrg6bg51y9d1fi7fslf"))))
+         "0pkkbfj7cl157q550gcs45am5y78ps0h7q6455d64s1zmw01jlvi"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -2553,7 +2503,15 @@ integrate Sphinx documents in web templates and to handle searches.")
            (lambda _
              ;; Requires Internet access.
              (delete-file "tests/test_build_linkcheck.py")
-             (zero? (system* "make" "test")))))))
+             (substitute* "tests/test_build_latex.py"
+               (("@pytest.mark.sphinx\\('latex', testroot='images'\\)")
+                "@pytest.mark.skip()"))
+             (when (which "python")
+               ;; XXX: These tests are broken when using Python2:
+               ;; <https://github.com/sphinx-doc/sphinx/issues/4710>.
+               (delete-file "tests/test_api_translator.py")
+               (delete-file "tests/test_setup_command.py"))
+             (invoke "make" "test"))))))
     (propagated-inputs
      `(("python-imagesize" ,python-imagesize)
        ("python-sphinx-alabaster-theme"
@@ -2562,14 +2520,18 @@ integrate Sphinx documents in web templates and to handle searches.")
        ("python-snowballstemmer" ,python-snowballstemmer)
        ("python-docutils" ,python-docutils)
        ("python-jinja2" ,python-jinja2)
+       ("python-packaging" ,python-packaging)
        ("python-pygments" ,python-pygments)
        ("python-requests" ,python-requests)
-       ("python-six" ,python-six)))
+       ("python-six" ,python-six)
+       ("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)))
     (native-inputs
      `(("graphviz" ,graphviz)
+       ("imagemagick" ,imagemagick)                    ;for "convert"
        ("python-html5lib" ,python-html5lib)
        ("python-mock" ,python-mock)
-       ("python-nose" ,python-nose)))
+       ("python-nose" ,python-nose)
+       ("python-pytest" ,python-pytest)))
     (home-page "http://sphinx-doc.org/")
     (synopsis "Python documentation generator")
     (description "Sphinx is a tool that makes it easy to create documentation
@@ -2578,62 +2540,6 @@ sources.")
     (license license:bsd-3)
     (properties `((python2-variant . ,(delay python2-sphinx))))))
 
-(define-public python-sphinx-1.6
-  (package (inherit python-sphinx)
-    (name "python-sphinx")
-    (version "1.6.4")
-    (source (origin
-              (method url-fetch)
-              (uri (pypi-uri "Sphinx" version))
-              (sha256
-               (base32
-                "0gjakw9fv5pwqb5yyclxycs36sapxizk1vx6mkcdizmzgzcfy0gi"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (replace 'check
-           (lambda _
-             ;; Requires Internet access.
-             (delete-file "tests/test_build_linkcheck.py")
-             (substitute* "tests/test_build_latex.py"
-               (("@pytest.mark.sphinx\\('latex', testroot='images'\\)")
-                "@pytest.mark.skip()"))
-             (zero? (system* "make" "test")))))))
-    (propagated-inputs
-     `(("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)
-       ,@(package-propagated-inputs python-sphinx)))
-    (native-inputs
-     `(("python-pytest" ,python-pytest)
-       ("imagemagick" ,imagemagick) ; for "convert"
-       ,@(package-native-inputs python-sphinx)))
-    (properties `((python2-variant . ,(delay python2-sphinx-1.6))))))
-
-(define-public python2-sphinx-1.6
-  (let ((base (package-with-python2 (strip-python2-variant python-sphinx-1.6))))
-    (package
-      (inherit base)
-      (propagated-inputs
-       `(("python2-typing" ,python2-typing)
-         ,@(package-propagated-inputs base)))
-      (native-inputs `(("python2-enum34" ,python2-enum34)
-                       ,@(package-native-inputs base))))))
-
-(define-public python-sphinx-1.5.3
-  (package
-    (inherit python-sphinx)
-    (name "python-sphinx")
-    (version "1.5.3")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (pypi-uri "Sphinx" version))
-       (sha256
-        (base32
-         "0kw1axswbvaavr8ggyf4qr6hnisnrzlbkkcdada69vk1x9xjassg"))))
-    (native-inputs
-     `(("python-pytest" ,python-pytest)
-       ,@(package-native-inputs python-sphinx)))))
-
 (define-public python2-sphinx
   (let ((base (package-with-python2 (strip-python2-variant python-sphinx))))
     (package
@@ -2642,6 +2548,7 @@ sources.")
                        ("python2-enum34" ,python2-enum34)
                        ,@(package-native-inputs base)))
       (propagated-inputs `(("python2-pytz" ,python2-pytz)
+                           ("python2-typing" ,python2-typing)
                        ,@(package-propagated-inputs base))))))
 
 (define-public python-sphinx-gallery
@@ -2985,7 +2892,11 @@ and is very extensible.")
                '())
 
          (replace 'check
-           (lambda _ (invoke "python" "runtests.py" "-vv"))))))
+           (lambda _
+             ;; The "with_outer_raising" test fails with Python 3.7.  See
+             ;; https://github.com/cython/cython/issues/2454
+             (delete-file "tests/run/generators_py.py")
+             (invoke "python" "runtests.py" "-vv"))))))
     (home-page "http://cython.org/")
     (synopsis "C extensions for Python")
     (description "Cython is an optimising static compiler for both the Python
@@ -3029,7 +2940,7 @@ between language specification and implementation aspects.")
 (define-public python-numpy
   (package
     (name "python-numpy")
-    (version "1.14.5")
+    (version "1.15.1")
     (source
      (origin
        (method url-fetch)
@@ -3038,14 +2949,14 @@ between language specification and implementation aspects.")
              version "/numpy-" version ".tar.gz"))
        (sha256
         (base32
-         "0admjpkih63lm19zbbilq8ck4f6ny5kqi03dk3m6b2mnixsh4jhv"))))
+         "1yp75fkqk7abq3mrbqdf0pdmr2phkr2mnng0dbqqvvrmv7jwq71w"))))
     (build-system python-build-system)
     (inputs
      `(("openblas" ,openblas)
        ("lapack" ,lapack)))
     (native-inputs
      `(("python-cython" ,python-cython)
-       ("python-nose" ,python-nose)
+       ("python-pytest" ,python-pytest)
        ("gfortran" ,gfortran)))
     (arguments
      `(#:phases
@@ -3090,9 +3001,12 @@ include_dirs = ~a/include
            (lambda* (#:key outputs inputs #:allow-other-keys)
              ;; Make installed package available for running the tests
              (add-installed-pythonpath inputs outputs)
+             ;; Make sure "f2py" etc is found.
+             (setenv "PATH" (string-append (assoc-ref outputs "out") "/bin"
+                                           ":" (getenv "PATH")))
              (with-directory-excursion "/tmp"
-               (zero? (system* "python" "-c"
-                               "import numpy; numpy.test(verbose=2)"))))))))
+               (invoke "python" "-c"
+                       "import numpy; numpy.test(verbose=2)")))))))
     (home-page "http://www.numpy.org/")
     (synopsis "Fundamental package for scientific computing with Python")
     (description "NumPy is the fundamental package for scientific computing
@@ -3457,25 +3371,14 @@ that client code uses to construct the grammar directly in Python code.")
 (define-public python-numpydoc
   (package
     (name "python-numpydoc")
-    (version "0.5")
+    (version "0.8.0")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/n/numpydoc/numpydoc-"
-             version ".tar.gz"))
+       (uri (pypi-uri "numpydoc" version))
        (sha256
         (base32
-         "0d4dnifaxkll50jx6czj05y8cb4ny60njd2wz299sj2jxfy51w4k"))
-       (modules '((guix build utils)))
-       (snippet
-        '(begin
-           ;; Drop a test requiring matplotlib, which we cannot add as an
-           ;; input since it would create a circular dependency: Extend the
-           ;; test for Python 3, where it is already dropped, to Python 2.
-           (substitute* "numpydoc/tests/test_plot_directive.py"
-             (("3") "2"))
-           #t))))
+         "1zazxg3m8j4fksv3f7v7vpf4bj9qb1vj3r326am0vdip141vzx31"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-sphinx" ,python-sphinx)))
@@ -3695,7 +3598,7 @@ toolkits.")
     (native-inputs
      `(("python-matplotlib" ,python-matplotlib)
        ("python-colorspacious" ,python-colorspacious)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-sphinx-gallery" ,python-sphinx-gallery)
        ("python-numpydoc" ,python-numpydoc)
        ("python-ipython" ,python-ipython)
@@ -3844,14 +3747,14 @@ functions.")
 (define-public python-scipy
   (package
     (name "python-scipy")
-    (version "1.0.1")
+    (version "1.1.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "scipy" version))
        (sha256
         (base32
-         "1fj0r7bg0cfk5clvl57ga06y9bfh05iwlv1dqqs1r6pd89wccfc7"))))
+         "1lfg686w6vv2m2dfs8v9d0bf2i18z7wz5vgzjnkgmpr4hi0550w7"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-numpy" ,python-numpy)
@@ -3982,14 +3885,14 @@ as the original project seems to have been abandoned circa 2007.")
 (define-public python-pycodestyle
   (package
     (name "python-pycodestyle")
-    (version "2.3.1")
+    (version "2.4.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pycodestyle" version))
         (sha256
           (base32
-            "0rk78b66p57ala26mdldl9lafr48blv5s659sah9q50qnfjmc8k8"))))
+            "0fhy4vnlgpjq4qd1wdnl6pvdw7rah0ypmn8c9mkhz8clsndskz6b"))))
     (build-system python-build-system)
     (home-page "https://pycodestyle.readthedocs.io/")
     (synopsis "Python style guide checker")
@@ -4142,7 +4045,7 @@ services for your Python modules and applications.")
 (define-public python-olefile
   (package
     (name "python-olefile")
-    (version "0.44")
+    (version "0.45.1")
     (source
      (origin
        (method url-fetch)
@@ -4151,7 +4054,7 @@ services for your Python modules and applications.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1wmxbrhyqjry2000zx0zdhqdqxhgi06nz7sbzjlh222q2zjv1gpj"))))
+         "18ai19zwagm6nli14k8bii31ipbab2rp7plrvsm6gmfql551a8ai"))))
     (build-system python-build-system)
     (home-page
      "https://www.decalage.info/python/olefileio")
@@ -4168,19 +4071,17 @@ the OleFileIO module from PIL, the Python Image Library.")
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "4.3.0")
+    (version "5.2.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pillow" version))
        (sha256
         (base32
-         "09xmn7rl6840sli2iz1k3fgxfgmri2nqz6vkinmb9mgg8ifp2z59"))
-       (patch-flags '("-p1" "--binary"))
-       (patches (search-patches "python-pillow-fix-failing-tests.patch"))))
+         "1ary9mj2ddllq3lkxgn6aac7qxqiwbcg2pacrl94py58ql9x9czq"))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-nose"       ,python-nose)))
+     `(("python-pytest"       ,python-pytest)))
     (inputs
      `(("freetype" ,freetype)
        ("lcms"     ,lcms)
@@ -4201,9 +4102,8 @@ the OleFileIO module from PIL, the Python Image Library.")
                        ;; Make installed package available for running the
                        ;; tests
                        (add-installed-pythonpath inputs outputs)
-                       (and (zero? (system* "python" "selftest.py"
-                                            "--installed"))
-                            (zero? (system* "python" "test-installed.py"))))))
+                       (invoke "python" "selftest.py" "--installed")
+                       (invoke "python" "-m" "pytest" "-vv"))))
                  (delete 'check))))
     (home-page "https://pypi.python.org/pypi/Pillow")
     (synopsis "Fork of the Python Imaging Library")
@@ -4224,14 +4124,14 @@ a general image processing tool.")
 (define-public python-pycparser
   (package
     (name "python-pycparser")
-    (version "2.17")
+    (version "2.18")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "pycparser" version))
       (sha256
        (base32
-        "1dkkjri0miidqb1zcqhqljfa34fcy9k5akasgwsv6k622zlk3b0a"))))
+        "09mjyw82ibqzl449g7swy8bfxnfpmas0815d2rkdjlcqw81wma4r"))))
     (outputs '("out" "doc"))
     (build-system python-build-system)
     (native-inputs
@@ -4268,14 +4168,14 @@ a front-end for C compilers or analysis tools.")
 (define-public python-xcffib
   (package
     (name "python-xcffib")
-    (version "0.5.1")
+    (version "0.6.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "xcffib" version))
       (sha256
        (base32
-        "09gbnmr5vn58mm8xi3fmd7fz6743cks6c46dphnxzwax6zsxmy60"))))
+        "04k91yxyb3pgc5lvxmivh8w71yjrap2g57yk3s73x4rm4nvjq51n"))))
     (build-system python-build-system)
     (inputs
      `(("libxcb" ,libxcb)))
@@ -4314,17 +4214,14 @@ support for Python 3 and PyPy.  It is based on cffi.")
 (define-public python-cairocffi
   (package
     (name "python-cairocffi")
-    (version "0.8.0")
+    (version "0.9.0")
     (source
      (origin
       (method url-fetch)
-      ;; The archive on pypi is missing the 'utils' directory!
-      (uri (string-append "https://github.com/Kozea/cairocffi/archive/v"
-                          version ".tar.gz"))
-      (file-name (string-append name "-" version ".tar.gz"))
+      (uri (pypi-uri "cairocffi" version))
       (sha256
        (base32
-        "1rk2dvy3fxrga6bvvxc2fi5lbaynm5h4a0w0aaxyn3bc77rszjg9"))
+        "0dq3k4zhqd8cwsf3nyjqvjqm8wkvrjn1wjf44rl3v0h8kqx6qf0m"))
       (patches (search-patches "python-cairocffi-dlopen-path.patch"))))
     (build-system python-build-system)
     (outputs '("out" "doc"))
@@ -4337,14 +4234,14 @@ support for Python 3 and PyPy.  It is based on cffi.")
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("python-pytest" ,python-pytest)
+       ("python-pytest-cov" ,python-pytest-cov)
+       ("python-pytest-runner" ,python-pytest-runner)
        ("python-sphinx" ,python-sphinx)
        ("python-docutils" ,python-docutils)))
     (propagated-inputs
      `(("python-xcffib" ,python-xcffib))) ; used at run time
     (arguments
-     `(;; FIXME: Tests cannot find 'libcairo.so.2'.
-       #:tests? #t
-       #:phases
+     `(#:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'patch-paths
            (lambda* (#:key inputs outputs #:allow-other-keys)
@@ -4560,13 +4457,13 @@ displayed.")
 (define-public python-pexpect
   (package
     (name "python-pexpect")
-    (version "4.2.1")
+    (version "4.6.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pexpect" version))
        (sha256
-        (base32 "14ls7k99pwvl21zqv65kzrhccv50j89m5ij1hf0slmsvlxjj84rx"))))
+        (base32 "1fla85g47iaxxpjhp9vkxdnv4pgc7rplfy6ja491smrrk0jqi3ia"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -4609,13 +4506,13 @@ child application and control it as if a human were typing commands.")
 (define-public python-setuptools-scm
   (package
     (name "python-setuptools-scm")
-    (version "1.15.6")
+    (version "3.1.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "setuptools_scm" version))
               (sha256
                (base32
-                "0pzvfmx8s20yrgkgwfbxaspz2x1g38qv61jpm0ns91lrb22ldas9"))))
+                "0h4bglwfz8b9prqljv8z3w9rgydfyxzaj05bm1y6zs5m6shz548i"))))
     (build-system python-build-system)
     (home-page "https://github.com/pypa/setuptools_scm/")
     (synopsis "Manage Python package versions in SCM metadata")
@@ -4738,25 +4635,25 @@ away.")
 (define-public python-traitlets
   (package
     (name "python-traitlets")
-    (version "4.2.0")
+    (version "4.3.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "traitlets" version))
        (sha256
         (base32
-         "1afy08sa5n9gnkvh3da49c16zkyv598vchv0p1hp7zzjy8895hz4"))))
+         "0dbq7sx26xqz5ixs711k5nc88p8a0nqyz6162pwks5dpcz9d4jww"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
        (modify-phases %standard-phases
-         (replace 'check (lambda _ (zero? (system* "nosetests")))))))
+         (replace 'check (lambda _ (invoke "pytest" "-vv" "traitlets"))))))
     (propagated-inputs
      `(("python-ipython-genutils" ,python-ipython-genutils)
-       ("python-decorator" ,python-decorator)))
+       ("python-decorator" ,python-decorator)))    ;not needed for >4.3.2
     (native-inputs
-     `(("python-mock" ,python-mock)
-       ("python-nose" ,python-nose)))
+     `(("python-pytest" ,python-pytest)))
+    (properties `((python2-variant . ,(delay python2-traitlets))))
     (home-page "https://ipython.org")
     (synopsis "Configuration system for Python applications")
     (description
@@ -4769,7 +4666,12 @@ without using the configuration machinery.")
     (license license:bsd-3)))
 
 (define-public python2-traitlets
-  (package-with-python2 python-traitlets))
+  (let ((traitlets (package-with-python2 (strip-python2-variant python-traitlets))))
+    (package
+      (inherit traitlets)
+      (propagated-inputs
+       `(("python2-enum34" ,python2-enum34)
+         ,@(package-propagated-inputs traitlets))))))
 
 (define-public python-jupyter-core
   (package
@@ -5119,15 +5021,15 @@ parsing (browser/HTTP) user agent strings.")
 (define-public python-dbus
   (package
     (name "python-dbus")
-    (version "1.2.0")
+    (version "1.2.8")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://dbus.freedesktop.org/releases/dbus-python/dbus-python-"
-             version ".tar.gz"))
+       (uri (string-append "https://dbus.freedesktop.org/releases/dbus-python/"
+                           "dbus-python-" version ".tar.gz"))
        (sha256
-        (base32 "1py62qir966lvdkngg0v8k1khsqxwk5m4s8nflpk1agk5f5nqb71"))))
+        (base32
+         "0vvvjmiwnc9cjlks3gcdk43ap7llhlpz7cm1wbw0nc2yfsxjpwdb"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -5143,7 +5045,7 @@ parsing (browser/HTTP) user agent strings.")
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
-     `(("python" ,python)
+     `(("python" ,python-wrapper)
        ("dbus-glib" ,dbus-glib)))
     (synopsis "Python bindings for D-bus")
     (description "python-dbus provides bindings for libdbus, the reference
@@ -5165,14 +5067,14 @@ implementation of D-Bus.")
 (define-public python-lxml
   (package
     (name "python-lxml")
-    (version "3.8.0")
+    (version "4.2.4")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "lxml" version))
         (sha256
          (base32
-          "15nvf6n285n282682qyw3wihsncb0x5amdhyi4b83bfa2nz74vvk"))))
+          "1jk336k0kw616gfhqk1wwxsjjwz0flld0n294lz8kxch610bxbz2"))))
     (build-system python-build-system)
     (inputs
       `(("libxml2" ,libxml2)
@@ -5193,14 +5095,14 @@ libxml2 and libxslt.")
 (define-public python-beautifulsoup4
   (package
     (name "python-beautifulsoup4")
-    (version "4.5.3")
+    (version "4.6.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "beautifulsoup4" version))
        (sha256
         (base32
-         "0glaw1vyxnbp03fni7h5496n6iib0n5iim4gax1n0ngscs9s075j"))))
+         "041dhalzjciw6qyzzq7a2k4h1yvyk76xigp35hv5ibnn448ydy4h"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -5698,14 +5600,14 @@ so it might be a tiny bit slower.")
 (define-public python-waf
   (package
     (name "python-waf")
-    (version "1.9.8")
+    (version "2.0.11")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://waf.io/"
                                   "waf-" version ".tar.bz2"))
               (sha256
                (base32
-                "0wl4cnmp06lfxqjxaan58bqxn27smhydz0sg5prrfbl3bsw4gv6q"))))
+                "13zrniwkmfqgsgzi9v5m1367fppp9yzrz6z2ny6hy8dmpb8mj4z4"))))
     (build-system python-build-system)
     (arguments
      '(#:phases
@@ -5733,13 +5635,13 @@ applications.")
 (define-public python-pyzmq
   (package
     (name "python-pyzmq")
-    (version "15.1.0")
+    (version "17.1.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pyzmq" version))
        (sha256
-        (base32 "13fhwnlvsvxv72kfhqbpn6qi7msh8mc8377mpabv32skk2cjfnxx"))))
+        (base32 "1pyxxrz60f88ffm0y6vpbx3q8jcr9ybz8fcilihwzwhh36n84ax7"))))
     (build-system python-build-system)
     (arguments
      `(#:configure-flags
@@ -5789,14 +5691,14 @@ PEP 8.")
 (define-public python-pyflakes
   (package
     (name "python-pyflakes")
-    (version "1.5.0")
+    (version "2.0.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pyflakes" version))
         (sha256
           (base32
-            "1x1pcca4a24k4pw8x1c77sgi58cg1wl2k38mp8a25k608pzls3da"))))
+            "0jba28czyvimdc72llms3f17swp3i8jdcabf5w0j00adfbn64xls"))))
     (build-system python-build-system)
     (home-page
       "https://github.com/pyflakes/pyflakes")
@@ -5894,33 +5796,44 @@ complexity of Python source code.")
 (define-public python-flake8
   (package
     (name "python-flake8")
-    (version "3.4.1")
+    (version "3.5.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "flake8" version))
         (sha256
           (base32
-            "1n0i38592vy3q0x2a9bf8z6rhhn04i30wsn5i5zzcj7qkxvl8062"))))
+            "184b33grvvjmiwlv9kyd7yng9qv5ld24154j70z332xxg9gjclvj"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
        (modify-phases %standard-phases
+         ;; Two errors don't seem to have assigned codes.
+         (add-after 'unpack 'delete-broken-test
+           (lambda _ (delete-file "tests/unit/test_pyflakes_codes.py") #t))
+         (add-after 'unpack 'fix-problem-with-pycodestyle
+           (lambda _
+             ;; See https://gitlab.com/pycqa/flake8/merge_requests/230
+             ;; This should no longer be needed with the next release.
+             (substitute* "setup.py"
+               (("PEP8_PLUGIN\\('break_around_binary_operator'\\),")
+                "PEP8_PLUGIN('break_after_binary_operator'),\
+PEP8_PLUGIN('break_before_binary_operator'),"))
+             #t))
          (delete 'check)
          (add-after 'install 'check
-          (lambda* (#:key inputs outputs #:allow-other-keys)
-            (add-installed-pythonpath inputs outputs)
-            (zero? (system* "pytest" "-v")))))))
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (add-installed-pythonpath inputs outputs)
+             (invoke "pytest" "-v")
+             #t)))))
     (propagated-inputs
-      `(("python-pycodestyle" ,python-pycodestyle)
-        ("python-pyflakes" ,python-pyflakes)
-        ;; flake8 depends on a newer setuptools than provided by python.
-        ("python-setuptools" ,python-setuptools)
-        ("python-mccabe" ,python-mccabe)))
+     `(("python-pycodestyle" ,python-pycodestyle)
+       ("python-pyflakes" ,python-pyflakes)
+       ("python-mccabe" ,python-mccabe)))
     (native-inputs
-      `(("python-mock" ,python-mock) ; TODO: only required for < 3.3
-        ("python-pytest" ,python-pytest-bootstrap)
-        ("python-pytest-runner" ,python-pytest-runner)))
+     `(("python-mock" ,python-mock)
+       ("python-pytest" ,python-pytest-bootstrap)
+       ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://gitlab.com/pycqa/flake8")
     (synopsis
       "The modular source code checker: pep8, pyflakes and co")
@@ -6171,28 +6084,18 @@ add functionality and customization to your projects with their own plugins.")
 (define-public python-fonttools
   (package
     (name "python-fonttools")
-    (version "3.15.1")
+    (version "3.28.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "fonttools" version ".zip"))
               (sha256
                (base32
-                "1hhj97izwliy0vybmza72d90l5d4mcn50y8akq7kyccfl82vdx4d"))))
+                "0vsvjhidpb5kywpjgz1j3fywzkddxkb0afqai18qa3h6lqjyxwpb"))))
     (build-system python-build-system)
-    (arguments
-     '(#:test-target "check"
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'patch-setuppy
-           ;; Remove the undocumented "extra_path" argument, which adds an
-           ;; intervening directories between site-packages and the package
-           ;; directory.
-           (lambda _
-             (substitute* "setup.py"
-               (("^[ \t]*extra_path *= *'FontTools',") ""))
-             #t)))))
     (native-inputs
-     `(("unzip" ,unzip)))
+     `(("unzip" ,unzip)
+       ("python-pytest" ,python-pytest)
+       ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/behdad/fonttools")
     (synopsis "Tools to manipulate font files")
     (description
@@ -6201,9 +6104,7 @@ supports reading and writing of TrueType/OpenType fonts, reading and writing
 of AFM files, reading (and partially writing) of PS Type 1 fonts.  The package
 also contains a tool called “TTX” which converts TrueType/OpenType fonts to and
 from an XML-based format.")
-    (license (license:non-copyleft
-              "file://LICENSE.txt"
-              "See LICENSE.txt in the distribution."))))
+    (license license:expat)))
 
 (define-public python2-fonttools
   (package-with-python2 python-fonttools))
@@ -6256,13 +6157,13 @@ should be stored on various operating systems.")
 (define-public python-llfuse
   (package
     (name "python-llfuse")
-    (version "1.3.3")
+    (version "1.3.5")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "llfuse" version ".tar.bz2"))
               (sha256
                (base32
-                "1rqww632y2zz71xmr6ch7yq80kvza9mhqr2z773k0d8l1lwzl575"))))
+                "1n7a90jww3ly49fm7x27m3xw3la3qfrnykcakga654g6kcyjlhbf"))))
     (build-system python-build-system)
     (inputs
      `(("fuse" ,fuse)
@@ -6575,13 +6476,13 @@ implementations of ASN.1-based codecs and protocols.")
 (define-public python-ipaddress
   (package
     (name "python-ipaddress")
-    (version "1.0.19")
+    (version "1.0.22")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "ipaddress" version))
               (sha256
                (base32
-                "10agaa1cys1bk1ycpl2w8lky9vjx8h1xh1z29mg0niqx0638c390"))))
+                "0b570bm6xqpjwqis15pvdy6lyvvzfndjvkynilcddjj5x98wfimi"))))
     (build-system python-build-system)
     (home-page "https://github.com/phihag/ipaddress")
     (synopsis "IP address manipulation library")
@@ -6627,14 +6528,14 @@ versions of Python.")
 (define-public python-idna
   (package
     (name "python-idna")
-    (version "2.6")
+    (version "2.7")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "idna" version))
        (sha256
         (base32
-         "13qaab6d0s15gknz8v3zbcfmbj6v86hn9pjxgkdf62ch13imssic"))))
+         "05jam7d31767dr12x0rbvvs8lxnpb1mhdb2zdlfxgh83z6k3hjk8"))))
     (build-system python-build-system)
     (home-page "https://github.com/kjd/idna")
     (synopsis "Internationalized domain names in applications")
@@ -7435,25 +7336,26 @@ be set via config files and/or environment variables.")
 @code{ArgumentParser} object.")
     (license license:asl2.0)))
 
-(define-public python-contextlib2
+(define-public python2-contextlib2
   (package
-    (name "python-contextlib2")
-    (version "0.4.0")
+    (name "python2-contextlib2")
+    (version "0.5.5")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "contextlib2" version))
        (sha256
         (base32
-         "0cmp131dlh0d0zvw0aza1zd13glvngzk8lb4avks0hm7yxwdr9am"))))
+         "0j6ad6lwwyc9kv71skj098v5l7x5biyj2hs4lc5x1kcixqcr97sh"))))
     (build-system python-build-system)
     (arguments
-     `(#:phases
+     `(#:python ,python-2
+       #:phases
        (modify-phases %standard-phases
          (replace 'check
-           (lambda _ (zero?
-                      (system*
-                       "python" "test_contextlib2.py" "-v")))))))
+           (lambda _ (invoke "python" "test_contextlib2.py" "-v"))))))
+    (native-inputs
+     `(("python2-unittest2" ,python2-unittest2)))
     (home-page "http://contextlib2.readthedocs.org/")
     (synopsis "Tools for decorators and context managers")
     (description "This module is primarily a backport of the Python
@@ -7463,9 +7365,6 @@ managers.  It also contains additional features that are not part of
 the standard library.")
     (license license:psfl)))
 
-(define-public python2-contextlib2
-  (package-with-python2 python-contextlib2))
-
 (define-public python-texttable
   (package
     (name "python-texttable")
@@ -7609,13 +7508,13 @@ minimal and fast API targeting the following uses:
 (define-public python-icalendar
   (package
     (name "python-icalendar")
-    (version "4.0.2")
+    (version "4.0.3")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri "icalendar" version))
              (sha256
               (base32
-               "13003kw2vbas1ha146vv3x2rdg9k7w38rdzxj63vi1i67jgjldl0"))))
+               "0mk3dk1dxkcm46jy48v27j2w2349iv4sbimqj1yb5js43mx49hh7"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-dateutil" ,python-dateutil)
@@ -7944,15 +7843,17 @@ library as well as on the command line.")
 (define-public python-pluggy
   (package
    (name "python-pluggy")
-   (version "0.6.0")
+   (version "0.7.1")
    (source
     (origin
      (method url-fetch)
      (uri (pypi-uri "pluggy" version))
      (sha256
       (base32
-       "1zqckndfn85l1cd8pndw212zg1bq9fkg1nnj32kp2mppppsyg2kz"))))
+       "1qbn70mksmr03hac6jgp6fiqc4l7859z8dchx2x950vhlij87swm"))))
    (build-system python-build-system)
+   (native-inputs
+    `(("python-setuptools-scm" ,python-setuptools-scm)))
    (synopsis "Plugin and hook calling mechanism for Python")
    (description "Pluggy is an extraction of the plugin manager as used by
 Pytest but stripped of Pytest specific details.")
@@ -8660,6 +8561,15 @@ ambiguities (forward vs. backward slashes, etc.).
 @end enumerate")
     (license license:expat)))
 
+(define-public python2-pathlib2-bootstrap
+  (hidden-package
+   (package
+     (inherit python2-pathlib2)
+     (name "python2-pathlib2-bootstrap")
+     (propagated-inputs
+      `(("python2-scandir" ,python2-scandir)
+        ("python2-six" ,python2-six-bootstrap))))))
+
 (define-public python-jellyfish
   (package
     (name "python-jellyfish")
@@ -9141,13 +9051,13 @@ multiple processes (imagine multiprocessing, billiard, futures, celery etc).
 (define-public python-greenlet
   (package
     (name "python-greenlet")
-    (version "0.4.11")
+    (version "0.4.14")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "greenlet" version))
               (sha256
                (base32
-                "1xhik26j4f3kc4qw9xmj0c567rb5h1zryb4ijwqnqwwjvfhbv59h"))))
+                "1bsij3bwdhz2chq4ar2v6jqbh69yc7k9ymh41jd8vrdd2n52dk7i"))))
     (build-system python-build-system)
     (home-page "https://greenlet.readthedocs.io/")
     (synopsis "Lightweight in-process concurrent programming")
@@ -10619,21 +10529,17 @@ useful as a validator for JSON data.")
 (define-public python-imagesize
   (package
     (name "python-imagesize")
-    (version "0.7.1")
+    (version "1.0.0")
     (source
       (origin
       (method url-fetch)
       (uri (pypi-uri "imagesize" version))
       (sha256
         (base32
-          "0qk07k0z4241lkzzjji7z4da04pcvg7bfc4xz1934zlqhwmwdcha"))))
+          "05b3p62r7rbcvvbk5vknr3bhcq9b2airysn6ric534mng136wcjv"))))
     (build-system python-build-system)
-    (arguments
-     '(;; Test files are not distributed on PyPi:
-       ;; https://github.com/shibukawa/imagesize_py/issues/7
-       #:tests? #f))
     (home-page "https://github.com/shibukawa/imagesize_py")
-    (synopsis "Gets image size of files in variaous formats in Python")
+    (synopsis "Gets image size of files in various formats in Python")
     (description
       "This package allows determination of image size from
 PNG, JPEG, JPEG2000 and GIF files in pure Python.")
@@ -11100,6 +11006,32 @@ projects.")
 (define-public python2-incremental
   (package-with-python2 python-incremental))
 
+(define-public python-invoke
+  (package
+    (name "python-invoke")
+    (home-page "http://www.pyinvoke.org/")
+    (version "1.1.0")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "invoke" version))
+              (sha256
+               (base32
+                "0aiy1xvk1f91246zxd1zqrm679vdvd10h843a2na41cqr3cflpi6"))))
+    (build-system python-build-system)
+    (arguments
+     ;; XXX: Requires many dependencies that are not yet in Guix.
+     `(#:tests? #f))
+    (synopsis "Pythonic task execution")
+    (description
+     "Invoke is a Python task execution tool and library, drawing inspiration
+from various sources to arrive at a powerful and clean feature set.  It is
+evolved from the Fabric project, but focuses on local and abstract concerns
+instead of servers and network commands.")
+    (license license:bsd-3)))
+
+(define-public python2-invoke
+  (package-with-python2 python-invoke))
+
 (define-public python-automat
   (package
     (name "python-automat")
@@ -11714,13 +11646,13 @@ It supports both normal and Unicode strings.")
 (define-public python-scandir
   (package
     (name "python-scandir")
-    (version "1.7")
+    (version "1.9.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "scandir" version))
        (sha256
-        (base32 "0gbnhjzg42rj87ljv9kb648rfxph69ly3c8r9841dxy4d7l5pmdj"))))
+        (base32 "0r3hvf1a9jm1rkqgx40gxkmccknkaiqjavs8lccgq9s8khh5x5s4"))))
     (build-system python-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
@@ -11840,15 +11772,19 @@ several utilities, as well as an API for building localization tools.")
 (define-public python-packaging
   (package
     (name "python-packaging")
-    (version "16.8")
+    (version "17.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "packaging" version))
         (sha256
          (base32
-          "17k1xbjshackwvbsnxqixbph8rbqhz4bf4g3al5xyzhavxgq6l2x"))))
+          "0nrpayk8kij1zm9sjnk38ldz3a6705ggvw8ljylqbrb4vmqbf6gh"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (replace 'check
+                    (lambda _ (invoke "py.test" "-vv"))))))
     (native-inputs
      `(("python-pretend" ,python-pretend)
        ("python-pytest" ,python-pytest)))
@@ -13639,15 +13575,29 @@ file system events on Linux.")
 (define-public python-more-itertools
   (package
     (name "python-more-itertools")
-    (version "4.1.0")
+    (version "4.3.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "more-itertools" version))
        (sha256
         (base32
-         "0i3ch700g5fyjp692gprlnzbysl8w0sa2vijbp3s40drvk67xkn9"))))
+         "17h3na0rdh8xq30w4b9pizgkdxmm51896bxw600x84jflg9vaxn4"))))
     (build-system python-build-system)
+    (arguments
+     `(,@(if (any (cute string-prefix? <> (or (%current-system)
+                                              (%current-target-system)))
+                  '("armhf" "i686"))
+        '(#:phases
+          (modify-phases %standard-phases
+          ;; This is required for 32-bit hardware.
+          ;; TODO: Try to remove this when upgrading.
+          (add-after 'unpack 'patch-test
+            (lambda _
+              (substitute* "more_itertools/tests/test_more.py"
+                (("10 \\*\\* 10") "9 ** 9"))
+              #t))))
+        '())))
     (propagated-inputs
      `(("python-six" ,python-six-bootstrap)))
     (home-page "https://github.com/erikrose/more-itertools")
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 7dfdade979..7d1a4ca585 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -494,7 +494,8 @@ system, and the core design of Django is reused in Grantlee.")
               (base32
                "0ipv18ypbgpxhh49rfplqmflskmnhhwj1bjr5hrwi0jpvar4gl50"))
              ;; Use TZDIR to avoid depending on package "tzdata".
-             (patches (search-patches "qtbase-use-TZDIR.patch"))
+             (patches (search-patches "qtbase-use-TZDIR.patch"
+                                      "qtbase-glibc-compat.patch"))
              (modules '((guix build utils)))
              (snippet
                ;; corelib uses bundled harfbuzz, md4, md5, sha3
@@ -608,7 +609,6 @@ system, and the core design of Django is reused in Grantlee.")
                  ;; kernels that the glibc supports, including the RHEL6
                  ;; (2.6.32) and RHEL7 (3.10) kernels.
                  "-no-feature-getentropy"  ; requires Linux 3.17
-                 "-no-feature-renameat2"   ; requires Linux 3.16
 
                  ;; Do not build examples; if desired, these could go
                  ;; into a separate output, but for the time being, we
diff --git a/gnu/packages/readline.scm b/gnu/packages/readline.scm
index 4695e9fc71..59fa8af8af 100644
--- a/gnu/packages/readline.scm
+++ b/gnu/packages/readline.scm
@@ -48,7 +48,9 @@
   (patch-series
    (1 "0xm3sxvwmss7ddyfb11n6pgcqd1aglnpy15g143vzcf75snb7hcs")
    (2 "0n1dxmqsbjgrfxb1hgk5c6lsraw4ncbnzxlsx7m35nym6lncjiw7")
-   (3 "1027kmymniizcy0zbdlrczxfx3clxcdln5yq05q9yzlc6y9slhwy")))
+   (3 "1027kmymniizcy0zbdlrczxfx3clxcdln5yq05q9yzlc6y9slhwy")
+   (4 "0r3bbaf12iz8m02z6p3fzww2m365fhn71xmzab2p62gj54s6h9gr")
+   (5 "0lxpa4f72y2nsgj6fgrhjk2nmmxvccys6aciwfxwchb5f21rq5fa")))
 
 (define-public readline
   (package
diff --git a/gnu/packages/samba.scm b/gnu/packages/samba.scm
index a6d6ee30cd..65d41a2b67 100644
--- a/gnu/packages/samba.scm
+++ b/gnu/packages/samba.scm
@@ -400,6 +400,18 @@ key-value pair databases and a real LDAP database.")
               (method url-fetch)
               (uri (string-append "https://www.samba.org/ftp/ppp/ppp-"
                                   version ".tar.gz"))
+              (patches
+               (list (origin
+                       ;; Use OpenSSL for cryptography instead of the obsolete glibc
+                       ;; crypto functions that were removed in glibc 2.28.
+                       (method url-fetch)
+                       (uri (string-append "https://github.com/paulusmack/ppp/commit/"
+                                           "3c7b86229f7bd2600d74db14b1fe5b3896be3875"
+                                           ".patch"))
+                       (file-name "ppp-use-openssl-crypto.patch")
+                       (sha256
+                        (base32
+                         "0qlbi247lx3injpy8a1gcij9yilik0vfaibkpvdp88k3sa1rs69z")))))
               (sha256
                (base32
                 "0c7vrjxl52pdwi4ckrvfjr08b31lfpgwf3pp0cqy76a77vfs7q02"))))
@@ -412,15 +424,19 @@ key-value pair databases and a real LDAP database.")
          (add-before 'configure 'patch-Makefile
            (lambda* (#:key inputs #:allow-other-keys)
              (let ((libc    (assoc-ref inputs "libc"))
+                   (openssl (assoc-ref inputs "openssl"))
                    (libpcap (assoc-ref inputs "libpcap")))
                (substitute* "pppd/Makefile.linux"
                  (("/usr/include/crypt\\.h")
                   (string-append libc "/include/crypt.h"))
+                 (("/usr/include/openssl")
+                  (string-append openssl "/include/openssl"))
                  (("/usr/include/pcap-bpf.h")
                   (string-append libpcap "/include/pcap-bpf.h")))
                #t))))))
     (inputs
-     `(("libpcap" ,libpcap)))
+     `(("libpcap" ,libpcap)
+       ("openssl" ,(@ (gnu packages tls) openssl))))
     (synopsis "Implementation of the Point-to-Point Protocol")
     (home-page "https://ppp.samba.org/")
     (description
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 362d427a2e..089e4f63f9 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -120,23 +120,10 @@ remote applications.")
    (propagated-inputs `(("libgcrypt" ,libgcrypt)
                         ("zlib" ,zlib)))
    (arguments `(#:configure-flags `("--with-libgcrypt")
-                #:phases
-                ;; FIXME: In the next core-updates cycle, replace the entire
-                ;; following ,(...) form with its first 'modify-phases'
-                ;; subform.  The change made here is only strictly needed on
-                ;; MIPS, but should work on any system.  For now, we apply it
-                ;; only to MIPS to avoid forcing thousands of rebuilds on
-                ;; other systems.
-                ,(if (string-prefix? "mips" (or (%current-target-system)
-                                                (%current-system)))
-                     '(modify-phases %standard-phases
-                        (replace 'bootstrap
-                          (lambda _
-                            (invoke "autoreconf" "-v"))))
-                     '(modify-phases %standard-phases
-                        (add-before 'configure 'autoreconf
-                          (lambda _
-                            (invoke "autoreconf" "-v")))))))
+                #:phases (modify-phases %standard-phases
+                           (replace 'bootstrap
+                             (lambda _
+                               (invoke "autoreconf" "-v"))))))
    (native-inputs `(("autoconf" ,autoconf)
                     ("automake" ,automake)))
    (synopsis "Client-side C library implementing the SSH2 protocol")
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 04979ffe25..e2a673a4e6 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -213,9 +213,9 @@ as.POSIXct(if (\"\" != Sys.getenv(\"SOURCE_DATE_EPOCH\")) {\
                                     "/share/zoneinfo"))
              #t))
          (add-after 'build 'make-info
-          (lambda _ (zero? (system* "make" "info"))))
+          (lambda _ (invoke "make" "info")))
          (add-after 'build 'install-info
-          (lambda _ (zero? (system* "make" "install-info")))))
+          (lambda _ (invoke "make" "install-info"))))
        #:configure-flags
        `(;; We build the recommended packages here, because they are needed in
          ;; order to run the test suite.  We disable them in the r-minimal
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index f7d3e0ec7d..b8c85eb844 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -25,6 +25,7 @@
 (define-module (gnu packages tcl)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
@@ -145,13 +146,22 @@ X11 GUIs.")
              (patches (search-patches "tk-find-library.patch"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
+     `(#:phases (modify-phases %standard-phases
                   (add-before
                    'configure 'pre-configure
                    (lambda _
                      (chdir "unix")
                      #t))
                   (add-after
+                   'install 'create-wish-symlink
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out")))
+                       (symlink (string-append out "/bin/wish"
+                                               ,(version-major+minor
+                                                  (package-version tk)))
+                                (string-append out "/bin/wish")))
+                     #t))
+                  (add-after
                    'install 'add-fontconfig-flag
                    (lambda* (#:key inputs outputs #:allow-other-keys)
                      ;; Add the missing -L flag for Fontconfig in 'tk.pc' and
@@ -179,7 +189,7 @@ X11 GUIs.")
     (propagated-inputs `(("libx11" ,libx11)
                          ("libxext" ,libxext)))
 
-    (home-page "http://www.tcl.tk/")
+    (home-page "https://www.tcl.tk/")
     (synopsis "Graphical user interface toolkit for Tcl")
     (description
      "Tk is a graphical toolkit for building graphical user
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index be75bda7dd..c62512b8d0 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -6,7 +6,7 @@
 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -76,42 +76,41 @@
 (define texlive-extra-src
   (origin
     (method url-fetch)
-    (uri "ftp://tug.org/historic/systems/texlive/2017/texlive-20170524-extra.tar.xz")
+    (uri "ftp://tug.org/historic/systems/texlive/2018/texlive-20180414-extra.tar.xz")
     (sha256 (base32
-              "0zvd2zskk78ig114mfj24g15qys41hzqv59fmqpirdbgq9c9gr5g"))))
+             "0a83kymxc8zmlxjb0y1gf6mx7qnf0hxffwkivwh5yh138y2rfhsv"))))
 
 (define texlive-texmf-src
   (origin
     (method url-fetch)
-    (uri "ftp://tug.org/historic/systems/texlive/2017/texlive-20170524-texmf.tar.xz")
+    (uri "ftp://tug.org/historic/systems/texlive/2018/texlive-20180414-texmf.tar.xz")
     (sha256 (base32
-              "1v69y3kgkbk24f7s4dfkknwd317mqmck5jgpyb35wqgqfy5p0qrz"))))
+             "1b8zigzg8raxkhhzphcmynf84rbdbj2ym2qkz24v8n0qx82zmqms"))))
 
 (define-public texlive-bin
   (package
    (name "texlive-bin")
-   (version "20170524")
+   (version "20180414")
    (source
     (origin
-     (method url-fetch)
-      (uri (string-append "ftp://tug.org/historic/systems/texlive/2017/"
+      (method url-fetch)
+      (uri (string-append "ftp://tug.org/historic/systems/texlive/2018/"
                           "texlive-" version "-source.tar.xz"))
+      (sha256
+       (base32
+        "0khyi6h015r2zfqgg0a44a2j7vmr1cy42knw7jbss237yvakc07y"))
       (patches
        (list
-        ;; This is required for compatibility with Poppler >= 0.58.
-        ;; See <http://tutex.tug.org/pipermail/tex-k/2017-September/002809.html>
-        ;; and <https://bugs.archlinux.org/task/55720> for some discussion.
+        ;; This is required for compatibility with Poppler 0.64.0 and to fix a
+        ;; segmentation fault in dvipdfm-x from XeTeX.
         (origin
           (method url-fetch)
-          (uri (string-append "https://git.archlinux.org/svntogit/packages.git/plain"
-                              "/trunk/texlive-poppler-0.59.patch?h=packages/texlive-bin"
-                              "&id=ba2de374e2b21ecc4b85cc9777f2f15c4d356c61"))
+          (uri (string-append "http://www.linuxfromscratch.org/patches/blfs/"
+                              "svn/texlive-" version "-source-upstream_fixes-1.patch"))
           (file-name "texlive-poppler-compat.patch")
           (sha256
            (base32
-            "1c4ikq4kxw48bi3i33bzpabrjvbk01fwjr2lz20gkc9kv8l0bg3n")))))
-      (sha256 (base32
-               "1amjrxyasplv4alfwcxwnw4nrx7dz2ydmddkq16k6hg90i9njq81"))))
+            "0f8vhyj167y4xj0jx47vkybrcacfpxw0wdn1b777yq3xmhlahhlg")))))))
    (build-system gnu-build-system)
    (inputs
     `(("texlive-extra-src" ,texlive-extra-src)
@@ -175,47 +174,54 @@
                   (not (or (string-prefix? "aarch64" s)
                            (string-prefix? "mips64" s))))
       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'configure-ghostscript-executable
-           ;; ps2eps.pl uses the "gswin32c" ghostscript executable on Windows,
-           ;; and the "gs" ghostscript executable on Unix. It detects Unix by
-           ;; checking for the existence of the /usr/bin directory. Since
-           ;; GuixSD does not have /usr/bin, it is also detected as Windows.
-           (lambda* (#:key inputs #:allow-other-keys)
-             (substitute* "utils/ps2eps/ps2eps-src/bin/ps2eps.pl"
-               (("gswin32c") "gs"))
-             (substitute* "texk/texlive/linked_scripts/epstopdf/epstopdf.pl"
-               (("\"gs\"")
-                (string-append "\"" (assoc-ref inputs "ghostscript") "/bin/gs\"")))
-             #t))
-         (add-after 'install 'postint
-           (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
-             (let* ((out (assoc-ref outputs "out"))
-                    (share (string-append out "/share"))
-                    (texlive-extra (assoc-ref inputs "texlive-extra-src"))
-                    (unpack (assoc-ref %standard-phases 'unpack))
-                    (patch-source-shebangs
-                      (assoc-ref %standard-phases 'patch-source-shebangs)))
-               ;; Create symbolic links for the latex variants and their
-               ;; man pages.
-               (with-directory-excursion (string-append out "/bin/")
-                 (for-each symlink
-                 '("pdftex" "pdftex"   "xetex"   "luatex")
-                 '("latex"  "pdflatex" "xelatex" "lualatex")))
-               (with-directory-excursion (string-append share "/man/man1/")
-                 (symlink "luatex.1" "lualatex.1"))
-               ;; Unpack texlive-extra and install tlpkg.
-               (mkdir "texlive-extra")
-               (with-directory-excursion "texlive-extra"
-                 (apply unpack (list #:source texlive-extra))
-                 (apply patch-source-shebangs (list #:source texlive-extra))
-                 (invoke "mv" "tlpkg" share))
-               ;; texlua shebangs are not patched by the patch-source-shebangs
-               ;; phase because the texlua executable does not exist at that
-               ;; time.
-               (setenv "PATH" (string-append (getenv "PATH") ":" out "/bin"))
-               (with-directory-excursion out
-                 (patch-source-shebangs))))))))
+      (modify-phases %standard-phases
+        (add-after 'unpack 'configure-ghostscript-executable
+          ;; ps2eps.pl uses the "gswin32c" ghostscript executable on Windows,
+          ;; and the "gs" ghostscript executable on Unix. It detects Unix by
+          ;; checking for the existence of the /usr/bin directory. Since
+          ;; GuixSD does not have /usr/bin, it is also detected as Windows.
+          (lambda* (#:key inputs #:allow-other-keys)
+            (substitute* "utils/ps2eps/ps2eps-src/bin/ps2eps.pl"
+              (("gswin32c") "gs"))
+            (substitute* "texk/texlive/linked_scripts/epstopdf/epstopdf.pl"
+              (("\"gs\"")
+               (string-append "\"" (assoc-ref inputs "ghostscript") "/bin/gs\"")))
+            #t))
+        (add-after 'unpack 'use-code-for-new-poppler
+          (lambda _
+            (copy-file "texk/web2c/pdftexdir/pdftoepdf-newpoppler.cc"
+                       "texk/web2c/pdftexdir/pdftoepdf.cc")
+            (copy-file "texk/web2c/pdftexdir/pdftosrc-newpoppler.cc"
+                       "texk/web2c/pdftexdir/pdftosrc.cc")
+            #t))
+        (add-after 'install 'postint
+          (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
+            (let* ((out (assoc-ref outputs "out"))
+                   (share (string-append out "/share"))
+                   (texlive-extra (assoc-ref inputs "texlive-extra-src"))
+                   (unpack (assoc-ref %standard-phases 'unpack))
+                   (patch-source-shebangs
+                    (assoc-ref %standard-phases 'patch-source-shebangs)))
+              ;; Create symbolic links for the latex variants and their
+              ;; man pages.
+              (with-directory-excursion (string-append out "/bin/")
+                (for-each symlink
+                          '("pdftex" "pdftex"   "xetex"   "luatex")
+                          '("latex"  "pdflatex" "xelatex" "lualatex")))
+              (with-directory-excursion (string-append share "/man/man1/")
+                (symlink "luatex.1" "lualatex.1"))
+              ;; Unpack texlive-extra and install tlpkg.
+              (mkdir "texlive-extra")
+              (with-directory-excursion "texlive-extra"
+                (apply unpack (list #:source texlive-extra))
+                (apply patch-source-shebangs (list #:source texlive-extra))
+                (invoke "mv" "tlpkg" share))
+              ;; texlua shebangs are not patched by the patch-source-shebangs
+              ;; phase because the texlua executable does not exist at that
+              ;; time.
+              (setenv "PATH" (string-append (getenv "PATH") ":" out "/bin"))
+              (with-directory-excursion out
+                (patch-source-shebangs))))))))
    (synopsis "TeX Live, a package of the TeX typesetting system")
    (description
     "TeX Live provides a comprehensive TeX document production system.
@@ -3957,7 +3963,7 @@ directly generate PDF documents instead of DVI.")
 (define texlive-texmf
   (package
    (name "texlive-texmf")
-   (version "2017")
+   (version "20180414")
    (source texlive-texmf-src)
    (build-system gnu-build-system)
    (inputs
@@ -4029,7 +4035,7 @@ This package contains the complete tree of texmf-dist data.")
 (define-public texlive
   (package
    (name "texlive")
-   (version "2017")
+   (version "20180414")
    (source #f)
    (build-system trivial-build-system)
    (inputs `(("bash" ,bash) ; for wrap-program
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 109a24bf62..fa98bd56b8 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -37,6 +37,7 @@
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
+              (patches (search-patches "texinfo-perl-compat.patch"))
               (sha256
                (base32
                 "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
@@ -68,6 +69,7 @@ is on expressing the content semantically, avoiding physical markup commands.")
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
+              (patches (search-patches "texinfo-5-perl-compat.patch"))
               (sha256
                (base32
                 "1njfwh2z34r2c4r0iqa7v24wmjzvsfyz4vplzry8ln3479lfywal"))))
diff --git a/gnu/packages/time.scm b/gnu/packages/time.scm
index 69aff5efaa..895cf6ac3b 100644
--- a/gnu/packages/time.scm
+++ b/gnu/packages/time.scm
@@ -88,17 +88,15 @@ to a file.")
 (define-public python-pytz
   (package
     (name "python-pytz")
-    (version "2017.3")
+    (version "2018.5")
     (source
      (origin
       (method url-fetch)
-      (uri (pypi-uri "pytz" version ".zip"))
+      (uri (pypi-uri "pytz" version ".tar.gz"))
       (sha256
        (base32
-        "1dw5l527vcafvdqq4wadwl7ikhb2sssz0v0cssibh8890kyczr7s"))))
+        "0xzj5gkpdn2da8m6j47chlp6zrzcypv9m0fjv4236q3jw4fyzfgz"))))
     (build-system python-build-system)
-    (native-inputs
-     `(("unzip" ,unzip)))
     (home-page "http://pythonhosted.org/pytz")
     (synopsis "Python timezone library")
     (description "This library brings the Olson tz database into Python.  It
@@ -143,15 +141,17 @@ Pendulum instances.")
 (define-public python-dateutil
   (package
     (name "python-dateutil")
-    (version "2.6.1")
+    (version "2.7.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "python-dateutil" version))
        (sha256
         (base32
-         "1jkahssf0ir5ssxc3ydbp8cpv77limn8d4s77szb2nrgl2r3h749"))))
+         "1f7h54lg0w2ckch7592xpjkh8dg87k2br256h0iw49zn6bg02w72"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python-setuptools-scm" ,python-setuptools-scm)))
     (propagated-inputs
      `(("python-six" ,python-six)))
     (home-page "https://dateutil.readthedocs.io/en/stable/")
@@ -159,7 +159,10 @@ Pendulum instances.")
     (description
      "The dateutil module provides powerful extensions to the standard
 datetime module, available in Python 2.3+.")
-    (license bsd-3)))
+    ;; The license was changed from the three-clause BSD license to a dual
+    ;; Apache 2.0/BSD-3 variant at 2017-12-01.  Some code is only available as
+    ;; BSD-3 still; but all new code is dual licensed (the user can choose).
+    (license (list bsd-3 asl2.0))))
 
 (define-public python2-dateutil
   (package-with-python2 python-dateutil))
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 715148c432..d9fc601066 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -80,6 +80,8 @@
        (base32
         "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--disable-static")))
     (native-inputs `(("perl" ,perl)))
     (home-page "https://www.gnu.org/software/libtasn1/")
     (synopsis "ASN.1 library")
@@ -260,8 +262,7 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (replacement openssl/fixed)
-   (version "1.0.2o")
+   (version "1.0.2p")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -273,7 +274,7 @@ required structures.")
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
-               "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc"))
+               "003xh9f898i56344vpvpxxxzmikivxig4xwlm7vbi7m8n43qxaah"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
@@ -316,15 +317,7 @@ required structures.")
                      (string-append "--openssldir=" out
                                     "/share/openssl-" ,version)
 
-                     (string-append "--prefix=" out)
-
-                     ;; XXX FIXME: Work around a code generation bug in GCC
-                     ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
-                     ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
-                     ,@(if (and (not (%current-target-system))
-                                (string-prefix? "armhf" (%current-system)))
-                           '("-mfpu=vfpv3")
-                           '())))))
+                     (string-append "--prefix=" out)))))
         (add-after
          'install 'make-libraries-writable
          (lambda* (#:key outputs #:allow-other-keys)
@@ -397,15 +390,6 @@ required structures.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
 
-(define openssl/fixed
-  (package
-    (inherit openssl)
-    (source (origin
-              (inherit (package-source openssl))
-              (patches (append (origin-patches (package-source openssl))
-                               (search-patches "openssl-1.0.2-CVE-2018-0495.patch"
-                                               "openssl-1.0.2-CVE-2018-0732.patch")))))))
-
 (define-public openssl-next
   (package
     (inherit openssl)
@@ -616,7 +600,7 @@ netcat implementation that supports TLS.")
      `(("python-nose" ,python-nose)
        ("python-mock" ,python-mock)
        ;; For documentation
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
        ("python-sphinx-repoze-autointerface" ,python-sphinx-repoze-autointerface)
        ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index c3b06b05bc..4a8699c4c0 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -508,7 +508,7 @@ libraries for working with JNLP applets.")
 (define-public jansson
   (package
     (name "jansson")
-    (version "2.10")
+    (version "2.11")
     (source (origin
              (method url-fetch)
              (uri
@@ -516,7 +516,7 @@ libraries for working with JNLP applets.")
                              version ".tar.gz"))
              (sha256
               (base32
-               "0iv4rxsnamqm3ldpg7dyhjq0x9cp023nc7ac820jdd3pwb8ml8bq"))))
+               "1x5jllzzqamq6kahx9d9a5mrarm9m3f30vfxvcqpi6p4mcnz91bf"))))
     (build-system gnu-build-system)
     (home-page "http://www.digip.org/jansson/")
     (synopsis "JSON C library")
@@ -6635,7 +6635,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
 (define-public nghttp2
   (package
     (name "nghttp2")
-    (version "1.31.1")
+    (version "1.32.0")
     (source
      (origin
        (method url-fetch)
@@ -6644,7 +6644,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "00z1687m4wi2gbgkijbv099l9hs1sjlyzbhh8jhn0xssx4xcifb5"))))
+         "0zbgp8f80h2zlfn8cd2ldrmgl81jzcdh1141n71aqmfckzaqj2kh"))))
     (build-system gnu-build-system)
     (outputs (list "out"
                    "lib"))              ; only libnghttp2
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index c92dbd1784..5f30df5efa 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -157,14 +157,14 @@ avoiding password prompts when X11 forwarding has already been setup.")
 (define-public libxkbcommon
   (package
     (name "libxkbcommon")
-    (version "0.8.0")
+    (version "0.8.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://xkbcommon.org/download/" name "-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0vgy84vfbig5bqznr137h5arjidnfwrxrdli0pxyn2jfn1fjcag8"))))
+               "136mdq11lrwg6rjmm44lmysxxgb9c35p4sq6k0cd129x82rw9f3s"))))
     (build-system gnu-build-system)
     (inputs
      `(("libx11" ,libx11)
@@ -316,7 +316,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.92")
+    (version "2.4.93")
     (source
       (origin
         (method url-fetch)
@@ -326,7 +326,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
          (base32
-          "1yirzx8hmlvv6r0l7lb3zxmgy5la2mri9al0k16xqfg19pdqzr79"))
+          "0g6d9wsnb7lx8r1m4kq8js0wsc5jl20cz1csnlh6z9s8jpfd313f"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 489541b4f5..835bd42354 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -64,14 +64,14 @@
 (define-public expat
   (package
     (name "expat")
-    (version "2.2.5")
+    (version "2.2.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
-               "1xpd78sp7m34jqrw5x13bz7kgz0n6aj15wn4zj4gfx3ypbpk5p6r"))))
+               "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
     (build-system gnu-build-system)
     (home-page "https://libexpat.github.io/")
     (synopsis "Stream-oriented XML parser library written in C")
@@ -129,8 +129,23 @@ hierarchical form with variable field lengths.")
               (base32
                "0ci7is75bwqqw2p32vxvrk6ds51ik7qgx73m920rakv5jlayax0b"))))
     (build-system gnu-build-system)
+    (outputs '("out" "static"))
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (add-after 'install 'move-static-libs
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((src (string-append (assoc-ref outputs "out") "/lib"))
+                            (dst (string-append (assoc-ref outputs "static")
+                                                "/lib")))
+                        (mkdir-p dst)
+                        (for-each (lambda (ar)
+                                    (rename-file ar (string-append dst "/"
+                                                                   (basename ar))))
+                                  (find-files src "\\.a$"))
+                        #t))))))
     (home-page "http://www.xmlsoft.org/")
     (synopsis "C parser for XML")
+    (inputs `(("xz" ,xz)))
     (propagated-inputs `(("zlib" ,zlib))) ; libxml2.la says '-lz'.
     (native-inputs `(("perl" ,perl)))
     ;; $XML_CATALOG_FILES lists 'catalog.xml' files found in under the 'xml'
@@ -151,6 +166,7 @@ project (but it is usable outside of the Gnome platform).")
   (package/inherit libxml2
     (name "python-libxml2")
     (build-system python-build-system)
+    (outputs '("out"))
     (arguments
      `(;; XXX: Tests are specified in 'Makefile.am', but not in 'setup.py'.
        #:tests? #f
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 4cf8eb2de4..1af8fed5e7 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -3829,7 +3829,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.23.1")
+    (version "2.24")
     (source
       (origin
         (method url-fetch)
@@ -3839,7 +3839,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1wq27cs1c9y7d1d7zp5yhq29paj9smajdb68lyvm28d2zq2vqjra"))))
+            "1my4786pd7iv5x392r9skj3qclmbd26nqzvh2fllwkkbyj08bcci"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -5193,21 +5193,10 @@ draggable titlebars and borders.")
 ;; This package is intended to be used when building GTK+.
 ;; Note: It's currently marked as "hidden" to avoid having two non-eq?
 ;; packages with the same name and version.
-(define-public xorg-server-1.19.3
+(define-public xorg-server-for-tests
   (hidden-package
    (package
-     (inherit xorg-server)
-     (name "xorg-server")
-     (version "1.19.3")
-     (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-              "mirror://xorg/individual/xserver/"
-              name "-" version ".tar.bz2"))
-        (sha256
-         (base32
-          "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7")))))))
+     (inherit xorg-server))))
 
 (define-public xorg-server-xwayland
   (package
@@ -5233,8 +5222,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (version "1.6.5")
-    (replacement libx11-1.6.6)
+    (version "1.6.6")
     (source
       (origin
         (method url-fetch)
@@ -5244,7 +5232,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d"))))
+            "0ks1mxlda7nxfmffihi15ljsn50q8dknl33i2xag8xzc80fiizk5"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
@@ -5264,20 +5252,6 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
-;; Replacement package to fix multiple security bugs:
-;; <http://seclists.org/oss-sec/2018/q3/146>.
-(define-public libx11-1.6.6
-  (package
-    (inherit libx11)
-    (version "1.6.6")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://xorg/individual/lib/libX11-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "0ks1mxlda7nxfmffihi15ljsn50q8dknl33i2xag8xzc80fiizk5"))))))
-
 ;; packages of height 5 in the propagated-inputs tree
 
 (define-public libxcursor
diff --git a/guix/build-system/meson.scm b/guix/build-system/meson.scm
index fddf899092..8d49020454 100644
--- a/guix/build-system/meson.scm
+++ b/guix/build-system/meson.scm
@@ -41,7 +41,6 @@
 (define %meson-build-system-modules
   ;; Build-side modules imported by default.
   `((guix build meson-build-system)
-    (guix build rpath)
     ;; The modules from glib-or-gtk contains the modules from gnu-build-system,
     ;; so there is no need to import that too.
     ,@%glib-or-gtk-build-system-modules))
diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
index be5ad78b93..e5f3197b0a 100644
--- a/guix/build/gnu-build-system.scm
+++ b/guix/build/gnu-build-system.scm
@@ -792,26 +792,26 @@ in order.  Return #t if all the PHASES succeeded, #f otherwise."
 
   ;; The trick is to #:allow-other-keys everywhere, so that each procedure in
   ;; PHASES can pick the keyword arguments it's interested in.
-  (for-each (match-lambda
-              ((name . proc)
-               (let ((start (current-time time-monotonic)))
-                 (format #t "starting phase `~a'~%" name)
-                 (let ((result (apply proc args))
-                       (end    (current-time time-monotonic)))
-                   (format #t "phase `~a' ~:[failed~;succeeded~] after ~,1f seconds~%"
-                           name result
-                           (elapsed-time end start))
-
-                   ;; Issue a warning unless the result is #t.
-                   (unless (eqv? result #t)
-                     (format (current-error-port) "\
+  (every (match-lambda
+           ((name . proc)
+            (let ((start (current-time time-monotonic)))
+              (format #t "starting phase `~a'~%" name)
+              (let ((result (apply proc args))
+                    (end    (current-time time-monotonic)))
+                (format #t "phase `~a' ~:[failed~;succeeded~] after ~,1f seconds~%"
+                        name result
+                        (elapsed-time end start))
+
+                ;; Issue a warning unless the result is #t.
+                (unless (eqv? result #t)
+                  (format (current-error-port) "\
 ## WARNING: phase `~a' returned `~s'.  Return values other than #t
 ## are deprecated.  Please migrate this package so that its phase
 ## procedures report errors by raising an exception, and otherwise
 ## always return #t.~%"
-                             name result))
+                          name result))
 
-                   ;; Dump the environment variables as a shell script, for handy debugging.
-                   (system "export > $NIX_BUILD_TOP/environment-variables")
-                   result))))
-            phases))
+                ;; Dump the environment variables as a shell script, for handy debugging.
+                (system "export > $NIX_BUILD_TOP/environment-variables")
+                result))))
+         phases))
diff --git a/guix/build/gremlin.scm b/guix/build/gremlin.scm
index bb019967e5..e8ea66dfb3 100644
--- a/guix/build/gremlin.scm
+++ b/guix/build/gremlin.scm
@@ -41,7 +41,8 @@
             elf-dynamic-info-runpath
             expand-origin
 
-            validate-needed-in-runpath))
+            validate-needed-in-runpath
+            strip-runpath))
 
 ;;; Commentary:
 ;;;
@@ -99,10 +100,16 @@ dynamic linking information."
 ;;     } d_un;
 ;; } Elf64_Dyn;
 
+(define-record-type <dynamic-entry>
+  (dynamic-entry type value offset)
+  dynamic-entry?
+  (type   dynamic-entry-type)                     ;DT_*
+  (value  dynamic-entry-value)                    ;string | number | ...
+  (offset dynamic-entry-offset))                  ;integer
+
 (define (raw-dynamic-entries elf segment)
-  "Return as a list of type/value pairs all the dynamic entries found in
-SEGMENT, the 'PT_DYNAMIC' segment of ELF.  In the result, each car is a DT_
-value, and the interpretation of the cdr depends on the type."
+  "Return as a list of <dynamic-entry> for the dynamic entries found in
+SEGMENT, the 'PT_DYNAMIC' segment of ELF."
   (define start
     (elf-segment-offset segment))
   (define bytes
@@ -123,7 +130,9 @@ value, and the interpretation of the cdr depends on the type."
           (if (= type DT_NULL)                    ;finished?
               (reverse result)
               (loop (+ offset (* 2 word-size))
-                    (alist-cons type value result)))))))
+                    (cons (dynamic-entry type value
+                                         (+ start offset word-size))
+                          result)))))))
 
 (define (vma->offset elf vma)
   "Convert VMA, a virtual memory address, to an offset within ELF.
@@ -148,35 +157,33 @@ offset."
 
 (define (dynamic-entries elf segment)
   "Return all the dynamic entries found in SEGMENT, the 'PT_DYNAMIC' segment
-of ELF, as a list of type/value pairs.  The type is a DT_ value, and the value
-may be a string or an integer depending on the entry type (for instance, the
-value of DT_NEEDED entries is a string.)"
+of ELF, as a list of <dynamic-entry>.  The value of each entry may be a string
+or an integer depending on the entry type (for instance, the value of
+DT_NEEDED entries is a string.)  Likewise the offset is the offset within the
+string table if the type is a string."
   (define entries
     (raw-dynamic-entries elf segment))
 
   (define string-table-offset
-    (any (match-lambda
-            ((type . value)
-             (and (= type DT_STRTAB) value))
-            (_ #f))
+    (any (lambda (entry)
+           (and (= (dynamic-entry-type entry) DT_STRTAB)
+                (dynamic-entry-value entry)))
          entries))
 
-  (define (interpret-dynamic-entry type value)
-    (cond ((memv type (list DT_NEEDED DT_SONAME DT_RPATH DT_RUNPATH))
-           (if string-table-offset
-               (pointer->string
-                (bytevector->pointer (elf-bytes elf)
-                                     (vma->offset
-                                      elf
-                                      (+ string-table-offset value))))
-               value))
-          (else
-           value)))
-
-  (map (match-lambda
-         ((type . value)
-          (cons type (interpret-dynamic-entry type value))))
-       entries))
+  (define (interpret-dynamic-entry entry)
+    (let ((type  (dynamic-entry-type entry))
+          (value (dynamic-entry-value entry)))
+      (cond ((memv type (list DT_NEEDED DT_SONAME DT_RPATH DT_RUNPATH))
+             (if string-table-offset
+                 (let* ((offset (vma->offset elf (+ string-table-offset value)))
+                        (value  (pointer->string
+                                 (bytevector->pointer (elf-bytes elf) offset))))
+                   (dynamic-entry type value offset))
+                 (dynamic-entry type value (dynamic-entry-offset entry))))
+            (else
+             (dynamic-entry type value (dynamic-entry-offset entry))))))
+
+  (map interpret-dynamic-entry entries))
 
 
 ;;;
@@ -200,21 +207,29 @@ value of DT_NEEDED entries is a string.)"
 (define (elf-dynamic-info elf)
   "Return dynamic-link information for ELF as an <elf-dynamic-info> object, or
 #f if ELF lacks dynamic-link information."
+  (define (matching-entry type)
+    (lambda (entry)
+      (= type (dynamic-entry-type entry))))
+
   (match (dynamic-link-segment elf)
     (#f #f)
     ((? elf-segment? dynamic)
      (let ((entries (dynamic-entries elf dynamic)))
-       (%elf-dynamic-info (assv-ref entries DT_SONAME)
-                          (filter-map (match-lambda
-                                        ((type . value)
-                                         (and (= type DT_NEEDED) value))
-                                        (_ #f))
+       (%elf-dynamic-info (find (matching-entry DT_SONAME) entries)
+                          (filter-map (lambda (entry)
+                                        (and (= (dynamic-entry-type entry)
+                                                DT_NEEDED)
+                                             (dynamic-entry-value entry)))
                                       entries)
-                          (or (and=> (assv-ref entries DT_RPATH)
-                                     search-path->list)
+                          (or (and=> (find (matching-entry DT_RPATH)
+                                           entries)
+                                     (compose search-path->list
+                                              dynamic-entry-value))
                               '())
-                          (or (and=> (assv-ref entries DT_RUNPATH)
-                                     search-path->list)
+                          (or (and=> (find (matching-entry DT_RUNPATH)
+                                           entries)
+                                     (compose search-path->list
+                                              dynamic-entry-value))
                               '()))))))
 
 (define %libc-libraries
@@ -306,4 +321,47 @@ be found in RUNPATH ~s~%"
           ;;   (format (current-error-port) "~a is OK~%" file))
           (null? not-found))))))
 
+(define (strip-runpath file)
+  "Remove from the DT_RUNPATH of FILE any entries that are not necessary
+according to DT_NEEDED."
+  (define (minimal-runpath needed runpath)
+    (filter (lambda (directory)
+              (and (string-prefix? "/" directory)
+                   (any (lambda (lib)
+                          (file-exists? (string-append directory "/" lib)))
+                        needed)))
+            runpath))
+
+  (define port
+    (open-file file "r+b"))
+
+  (catch #t
+    (lambda ()
+      (let* ((elf      (parse-elf (get-bytevector-all port)))
+             (entries  (dynamic-entries elf (dynamic-link-segment elf)))
+             (needed   (filter-map (lambda (entry)
+                                     (and (= (dynamic-entry-type entry)
+                                             DT_NEEDED)
+                                          (dynamic-entry-value entry)))
+                                   entries))
+             (runpath  (find (lambda (entry)
+                               (= DT_RUNPATH (dynamic-entry-type entry)))
+                             entries))
+             (old      (search-path->list
+                        (dynamic-entry-value runpath)))
+             (new      (minimal-runpath needed old)))
+        (unless (equal? old new)
+          (format (current-error-port)
+                  "~a: stripping RUNPATH to ~s (removed ~s)~%"
+                  file new
+                  (lset-difference string=? old new))
+          (seek port (dynamic-entry-offset runpath) SEEK_SET)
+          (put-bytevector port (string->utf8 (string-join new ":")))
+          (put-u8 port 0))
+        (close-port port)
+        new))
+    (lambda (key . args)
+      (false-if-exception (close-port port))
+      (apply throw key args))))
+
 ;;; gremlin.scm ends here
diff --git a/guix/build/haskell-build-system.scm b/guix/build/haskell-build-system.scm
index be4f5b583b..72714a29ad 100644
--- a/guix/build/haskell-build-system.scm
+++ b/guix/build/haskell-build-system.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -179,9 +180,10 @@ first match and return the content of the group."
                   (unless (file-exists? dest)
                     (copy-file file dest))))
               conf-files)
-    (zero? (system* "ghc-pkg"
-                    (string-append "--package-db=" %tmp-db-dir)
-                    "recache"))))
+    (invoke "ghc-pkg"
+            (string-append "--package-db=" %tmp-db-dir)
+            "recache")
+    #t))
 
 (define* (register #:key name system inputs outputs #:allow-other-keys)
   "Generate the compiler registration and binary package database files for a
@@ -239,32 +241,31 @@ given Haskell package."
           (list (string-append "--gen-pkg-config=" config-file))))
     (run-setuphs "register" params)
     ;; The conf file is created only when there is a library to register.
-    (or (not (file-exists? config-file))
-        (begin
-          (mkdir-p config-dir)
-          (let* ((config-file-name+id
-                  (call-with-ascii-input-file config-file (cut grep id-rx <>))))
-            (install-transitive-deps config-file %tmp-db-dir config-dir)
-            (rename-file config-file
-                         (string-append config-dir "/"
-                                        config-file-name+id ".conf"))
-            (zero? (system* "ghc-pkg"
-                            (string-append "--package-db=" config-dir)
-                            "recache")))))))
+    (unless (file-exists? config-file)
+      (mkdir-p config-dir)
+      (let* ((config-file-name+id
+              (call-with-ascii-input-file config-file (cut grep id-rx <>))))
+        (install-transitive-deps config-file %tmp-db-dir config-dir)
+        (rename-file config-file
+                     (string-append config-dir "/"
+                                    config-file-name+id ".conf"))
+        (invoke "ghc-pkg"
+                (string-append "--package-db=" config-dir)
+                "recache")))
+    #t))
 
 (define* (check #:key tests? test-target #:allow-other-keys)
   "Run the test suite of a given Haskell package."
   (if tests?
       (run-setuphs test-target '())
-      (begin
-        (format #t "test suite not run~%")
-        #t)))
+      (format #t "test suite not run~%"))
+  #t)
 
 (define* (haddock #:key outputs haddock? haddock-flags #:allow-other-keys)
   "Run the test suite of a given Haskell package."
-  (if haddock?
-      (run-setuphs "haddock" haddock-flags)
-      #t))
+  (when haddock?
+    (run-setuphs "haddock" haddock-flags))
+  #t)
 
 (define* (patch-cabal-file #:key cabal-revision #:allow-other-keys)
   (when cabal-revision
diff --git a/guix/build/meson-build-system.scm b/guix/build/meson-build-system.scm
index 80e54723c5..d0975fcab0 100644
--- a/guix/build/meson-build-system.scm
+++ b/guix/build/meson-build-system.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Peter Mikkelsen <petermikkelsen10@gmail.com>
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -21,7 +22,6 @@
   #:use-module ((guix build gnu-build-system) #:prefix gnu:)
   #:use-module ((guix build glib-or-gtk-build-system) #:prefix glib-or-gtk:)
   #:use-module (guix build utils)
-  #:use-module (guix build rpath)
   #:use-module (guix build gremlin)
   #:use-module (guix elf)
   #:use-module (ice-9 match)
@@ -71,49 +71,19 @@
               "1"))
   (if tests?
       (invoke "ninja" test-target)
-      (begin
-        (format #t "test suite not run~%")
-        #t)))
+      (format #t "test suite not run~%"))
+  #t)
 
 (define* (install #:rest args)
   (invoke "ninja" "install"))
 
-(define* (fix-runpath #:key (elf-directories '("lib" "lib64" "libexec"
-                                               "bin" "sbin"))
-                      outputs #:allow-other-keys)
-  "Try to make sure all ELF files in ELF-DIRECTORIES are able to find their
-local dependencies in their RUNPATH, by searching for the needed libraries in
-the directories of the package, and adding them to the RUNPATH if needed.
-Also shrink the RUNPATH to what is needed,
+(define* (shrink-runpath #:key (elf-directories '("lib" "lib64" "libexec"
+                                                  "bin" "sbin"))
+                         outputs #:allow-other-keys)
+  "Go through all ELF files from ELF-DIRECTORIES and shrink the RUNPATH
 since a lot of directories are left over from the build phase of meson,
 for example libraries only needed for the tests."
 
-  ;; Find the directories (if any) that contains DEP-NAME.  The directories
-  ;; searched are the ones that ELF-FILES are in.
-  (define (find-deps dep-name elf-files)
-    (map dirname (filter (lambda (file)
-                           (string=? dep-name (basename file)))
-                         elf-files)))
-
-  ;; Return a list of libraries that FILE needs.
-  (define (file-needed file)
-    (let* ((elf (call-with-input-file file
-                  (compose parse-elf get-bytevector-all)))
-           (dyninfo (elf-dynamic-info elf)))
-      (if dyninfo
-          (elf-dynamic-info-needed dyninfo)
-          '())))
-
-
-  ;; If FILE needs any libs that are part of ELF-FILES, the RUNPATH
-  ;; is modified accordingly.
-  (define (handle-file file elf-files)
-    (let* ((dep-dirs (concatenate (map (lambda (dep-name)
-                                         (find-deps dep-name elf-files))
-                                       (file-needed file)))))
-      (unless (null? dep-dirs)
-        (augment-rpath file (string-join dep-dirs ":")))))
-
   (define handle-output
     (match-lambda
       ((output . directory)
@@ -129,10 +99,7 @@ for example libraries only needed for the tests."
               (elf-list (concatenate (map (lambda (dir)
                                             (find-files dir elf-pred))
                                           existing-elf-dirs))))
-         (for-each (lambda (elf-file)
-                     (invoke "patchelf" "--shrink-rpath" elf-file)
-                     (handle-file elf-file elf-list))
-                   elf-list)))))
+         (for-each strip-runpath elf-list)))))
   (for-each handle-output outputs)
   #t)
 
@@ -144,13 +111,8 @@ for example libraries only needed for the tests."
     (replace 'configure configure)
     (replace 'build build)
     (replace 'check check)
-    ;; XXX: We used to have 'fix-runpath' here, but it appears no longer
-    ;; necessary with newer Meson.  However on 'core-updates' there is a
-    ;; useful 'strip-runpath' procedure to ensure no bogus directories in
-    ;; RUNPATH (remember that we tell Meson to not touch RUNPATH in
-    ;; (@ (gnu packages build-tools) meson-for-build)), so it should be
-    ;; re-added there sans the augment-rpath calls (which are not needed).
-    (replace 'install install)))
+    (replace 'install install)
+    (add-after 'strip 'shrink-runpath shrink-runpath)))
 
 (define* (meson-build #:key inputs phases
                       #:allow-other-keys #:rest args)
diff --git a/guix/build/python-build-system.scm b/guix/build/python-build-system.scm
index 376ea81f1a..5bb0ba49d5 100644
--- a/guix/build/python-build-system.scm
+++ b/guix/build/python-build-system.scm
@@ -246,8 +246,6 @@ installed with setuptools."
 
 (define* (enable-bytecode-determinism #:rest _)
   "Improve determinism of pyc files."
-  ;; Set DETERMINISTIC_BUILD to override the embedded mtime in pyc files.
-  (setenv "DETERMINISTIC_BUILD" "1")
   ;; Use deterministic hashes for strings, bytes, and datetime objects.
   (setenv "PYTHONHASHSEED" "0")
   #t)
diff --git a/guix/build/r-build-system.scm b/guix/build/r-build-system.scm
index 4d8ac5b479..2c0b322da9 100644
--- a/guix/build/r-build-system.scm
+++ b/guix/build/r-build-system.scm
@@ -44,7 +44,7 @@
       (unless (zero? code)
         (raise (condition ((@@ (guix build utils) &invoke-error)
                            (program "R")
-                           (arguments (string-append params " " command))
+                           (arguments (cons command params))
                            (exit-status (status:exit-val code))
                            (term-signal (status:term-sig code))
                            (stop-signal (status:stop-sig code)))))))))
diff --git a/guix/build/svn.scm b/guix/build/svn.scm
index 252d1d4ee5..913f89471b 100644
--- a/guix/build/svn.scm
+++ b/guix/build/svn.scm
@@ -51,7 +51,7 @@ valid Subversion revision.  Return #t on success, #f otherwise."
   ;; of the repo.  Since we want a fixed output, this directory needs
   ;; to be taken out.
   (with-directory-excursion directory
-    (delete-file-recursively ".svn"))
+    (for-each delete-file-recursively (find-files "." "^\\.svn$" #:directories? #t)))
 
   #t)
 
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index c58a1afd1c..5fe3286843 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -1057,11 +1057,11 @@ with definitions for VARS."
        (format #f "export ~a=\"~a\""
                var (string-join rest sep)))
       ((var sep 'prefix rest)
-       (format #f "export ~a=\"~a${~a~a+~a}$~a\""
-               var (string-join rest sep) var sep sep var))
+       (format #f "export ~a=\"~a${~a:+~a}$~a\""
+               var (string-join rest sep) var sep var))
       ((var sep 'suffix rest)
-       (format #f "export ~a=\"$~a${~a~a+~a}~a\""
-               var var var sep sep (string-join rest sep)))
+       (format #f "export ~a=\"$~a${~a+~a}~a\""
+               var var var sep (string-join rest sep)))
       ((var '= rest)
        (format #f "export ~a=\"~a\""
                var (string-join rest ":")))
diff --git a/guix/gexp.scm b/guix/gexp.scm
index f7a23db872..770b79e012 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -601,12 +601,6 @@ names and file names suitable for the #:allowed-references argument to
                            allowed-references disallowed-references
                            leaked-env-vars
                            local-build? (substitutable? #t)
-
-                           ;; TODO: This parameter is transitional; it's here
-                           ;; to avoid a full rebuild.  Remove it on the next
-                           ;; rebuild cycle.
-                           import-creates-derivation?
-
                            deprecation-warnings
                            (script-name (string-append name "-builder")))
   "Return a derivation NAME that runs EXP (a gexp) with GUILE-FOR-BUILD (a
@@ -701,18 +695,12 @@ The other arguments are as for 'derivation'."
                                        extensions))
                        (modules  (if (pair? %modules)
                                      (imported-modules %modules
-                                                       #:derivation?
-                                                       import-creates-derivation?
                                                        #:system system
                                                        #:module-path module-path
-                                                       #:guile guile-for-build
-                                                       #:deprecation-warnings
-                                                       deprecation-warnings)
+                                                       #:guile guile-for-build)
                                      (return #f)))
                        (compiled (if (pair? %modules)
                                      (compiled-modules %modules
-                                                       #:derivation?
-                                                       import-creates-derivation?
                                                        #:system system
                                                        #:module-path module-path
                                                        #:extensions extensions
@@ -1080,15 +1068,7 @@ to a tree suitable for 'interned-file-tree'."
                                     #:key (name "file-import")
                                     (symlink? #f)
                                     (system (%current-system))
-                                    (guile (%guile-for-build))
-
-                                    ;; XXX: The only reason we have
-                                    ;; #:deprecation-warnings is because (guix
-                                    ;; build utils), which we use here, relies
-                                    ;; on _IO*, which is deprecated in 2.2.  On
-                                    ;; the next full-rebuild cycle, we should
-                                    ;; disable such warnings unconditionally.
-                                    (deprecation-warnings #f))
+                                    (guile (%guile-for-build)))
   "Return a derivation that imports FILES into STORE.  FILES must be a list
 of (FINAL-PATH . FILE) pairs.  Each FILE is mapped to FINAL-PATH in the
 resulting store path.  FILE can be either a file name, or a file-like object,
@@ -1128,54 +1108,38 @@ to the source files instead of copying them."
                       #:guile-for-build guile
                       #:local-build? #t
 
-                      ;; TODO: On the next rebuild cycle, set to "no"
-                      ;; unconditionally.
+                      ;; Avoid deprecation warnings about the use of the _IO*
+                      ;; constants in (guix build utils).
                       #:env-vars
-                      (case deprecation-warnings
-                        ((#f)
-                         '(("GUILE_WARN_DEPRECATED" . "no")))
-                        ((detailed)
-                         '(("GUILE_WARN_DEPRECATED" . "detailed")))
-                        (else
-                         '())))))
+                      '(("GUILE_WARN_DEPRECATED" . "no")))))
 
 (define* (imported-files files
                          #:key (name "file-import")
-
-                         ;; TODO: Remove this parameter on the next rebuild
-                         ;; cycle.
-                         (derivation? #f)
-
                          ;; The following parameters make sense when creating
                          ;; an actual derivation.
                          (system (%current-system))
-                         (guile (%guile-for-build))
-                         (deprecation-warnings #f))
+                         (guile (%guile-for-build)))
   "Import FILES into the store and return the resulting derivation or store
 file name (a derivation is created if and only if some elements of FILES are
 file-like objects and not local file names.)  FILES must be a list
 of (FINAL-PATH . FILE) pairs.  Each FILE is mapped to FINAL-PATH in the
 resulting store path.  FILE can be either a file name, or a file-like object,
 as returned by 'local-file' for example."
-  (if (or derivation?
-          (any (match-lambda
-                 ((_ . (? struct? source)) #t)
-                 (_ #f))
-               files))
+  (if (any (match-lambda
+             ((_ . (? struct? source)) #t)
+             (_ #f))
+           files)
       (imported-files/derivation files #:name name
                                  #:symlink? derivation?
-                                 #:system system #:guile guile
-                                 #:deprecation-warnings deprecation-warnings)
+                                 #:system system #:guile guile)
       (interned-file-tree `(,name directory
                                   ,@(file-mapping->tree files)))))
 
 (define* (imported-modules modules
                            #:key (name "module-import")
-                           (derivation? #f)      ;TODO: remove on next rebuild
                            (system (%current-system))
                            (guile (%guile-for-build))
-                           (module-path %load-path)
-                           (deprecation-warnings #f))
+                           (module-path %load-path))
   "Return a derivation that contains the source files of MODULES, a list of
 module names such as `(ice-9 q)'.  All of MODULES must be either names of
 modules to be found in the MODULE-PATH search path, or a module name followed
@@ -1196,14 +1160,11 @@ last one is created from the given <scheme-file> object."
                          (cons f (search-path* module-path f)))))
                     modules)))
     (imported-files files #:name name
-                    #:derivation? derivation?
                     #:system system
-                    #:guile guile
-                    #:deprecation-warnings deprecation-warnings)))
+                    #:guile guile)))
 
 (define* (compiled-modules modules
                            #:key (name "module-import-compiled")
-                           (derivation? #f)      ;TODO: remove on next rebuild
                            (system (%current-system))
                            (guile (%guile-for-build))
                            (module-path %load-path)
@@ -1214,22 +1175,11 @@ corresponding to MODULES.  All the MODULES are built in a context where
 they can refer to each other."
   (define total (length modules))
 
-  (define build-utils-hack?
-    ;; To avoid a full rebuild, we limit the fix below to the case where
-    ;; MODULE-PATH is different from %LOAD-PATH.  This happens when building
-    ;; modules for 'compute-guix-derivation' upon 'guix pull'.  TODO: Make
-    ;; this unconditional on the next rebuild cycle.
-    (and (member '(guix build utils) modules)
-         (not (equal? module-path %load-path))))
-
   (mlet %store-monad ((modules (imported-modules modules
-                                                 #:derivation? derivation?
                                                  #:system system
                                                  #:guile guile
                                                  #:module-path
-                                                 module-path
-                                                 #:deprecation-warnings
-                                                 deprecation-warnings)))
+                                                 module-path)))
     (define build
       (gexp
        (begin
@@ -1268,46 +1218,34 @@ they can refer to each other."
          (setvbuf (current-output-port)
                   (cond-expand (guile-2.2 'line) (else _IOLBF)))
 
-         (ungexp-splicing
-          (if build-utils-hack?
-              (gexp ((define mkdir-p
-                       ;; Capture 'mkdir-p'.
-                       (@ (guix build utils) mkdir-p))))
-              '()))
+         (define mkdir-p
+           ;; Capture 'mkdir-p'.
+           (@ (guix build utils) mkdir-p))
 
          ;; Add EXTENSIONS to the search path.
-         ;; TODO: Remove the outer 'ungexp-splicing' on the next rebuild cycle.
-         (ungexp-splicing
-          (if (null? extensions)
-              '()
-              (gexp ((set! %load-path
-                       (append (map (lambda (extension)
-                                      (string-append extension
-                                                     "/share/guile/site/"
-                                                     (effective-version)))
-                                    '((ungexp-native-splicing extensions)))
-                               %load-path))
-                     (set! %load-compiled-path
-                       (append (map (lambda (extension)
-                                      (string-append extension "/lib/guile/"
-                                                     (effective-version)
-                                                     "/site-ccache"))
-                                    '((ungexp-native-splicing extensions)))
-                               %load-compiled-path))))))
+         (set! %load-path
+           (append (map (lambda (extension)
+                          (string-append extension
+                                         "/share/guile/site/"
+                                         (effective-version)))
+                        '((ungexp-native-splicing extensions)))
+                   %load-path))
+         (set! %load-compiled-path
+           (append (map (lambda (extension)
+                          (string-append extension "/lib/guile/"
+                                         (effective-version)
+                                         "/site-ccache"))
+                        '((ungexp-native-splicing extensions)))
+                   %load-compiled-path))
 
          (set! %load-path (cons (ungexp modules) %load-path))
 
-         (ungexp-splicing
-          (if build-utils-hack?
-              ;; Above we loaded our own (guix build utils) but now we may
-              ;; need to load a compile a different one.  Thus, force a
-              ;; reload.
-              (gexp ((let ((utils (ungexp
-                                   (file-append modules
-                                                "/guix/build/utils.scm"))))
-                       (when (file-exists? utils)
-                         (load utils)))))
-              '()))
+         ;; Above we loaded our own (guix build utils) but now we may need to
+         ;; load a compile a different one.  Thus, force a reload.
+         (let ((utils (string-append (ungexp modules)
+                                     "/guix/build/utils.scm")))
+           (when (file-exists? utils)
+             (load utils)))
 
          (mkdir (ungexp output))
          (chdir (ungexp modules))
diff --git a/guix/packages.scm b/guix/packages.scm
index a220b9c476..eab0b3404c 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -628,12 +628,7 @@ specifies modules in scope when evaluating SNIPPET."
                                           #:fail-on-error? #t)))))
               (apply invoke
                      (string-append #+tar "/bin/tar")
-                     "cvf" #$output
-                     ;; The bootstrap xz does not support
-                     ;; threaded compression (introduced in
-                     ;; 5.2.0), but it ignores the extra flag.
-                     (string-append "--use-compress-program="
-                                    #+xz "/bin/xz --threads=0")
+                     "cvfa" #$output
                      ;; avoid non-determinism in the archive
                      "--mtime=@0"
                      "--owner=root:0"
@@ -646,9 +641,6 @@ specifies modules in scope when evaluating SNIPPET."
 
     (let ((name (tarxz-name original-file-name)))
       (gexp->derivation name build
-                        ;; TODO: Remove this on the next rebuild cycle.
-                        #:import-creates-derivation? #t
-
                         #:graft? #f
                         #:system system
                         #:deprecation-warnings #t ;to avoid a rebuild
diff --git a/guix/self.scm b/guix/self.scm
index ecf846490f..3e29c9a42a 100644
--- a/guix/self.scm
+++ b/guix/self.scm
@@ -883,16 +883,9 @@ running Guile."
                 'canonical-package))
 
   (match version
-    ("2.2.2"
-     ;; Gross hack to avoid ABI incompatibilities (see
-     ;; <https://bugs.gnu.org/29570>.)
-     (module-ref (resolve-interface '(gnu packages guile))
-                 'guile-2.2.2))
     ("2.2"
-     ;; Use the latest version, which has fixes for
-     ;; <https://bugs.gnu.org/30602> and VM stack-marking issues.
      (canonical-package (module-ref (resolve-interface '(gnu packages guile))
-                                    'guile-2.2.4)))
+                                    'guile-2.2)))
     ("2.0"
      (module-ref (resolve-interface '(gnu packages guile))
                  'guile-2.0))))
@@ -925,10 +918,7 @@ is not supported."
                                                      (shorten version))
                                #:pull-version pull-version
                                #:guile-version (if (>= pull-version 1)
-                                                   "2.2"
-                                                   (match guile-version
-                                                     ("2.2.2" "2.2")
-                                                     (version version)))
+                                                   "2.2" guile-version)
                                #:guile-for-build guile)))
       (if guix
           (lower-object guix)
diff --git a/tests/gexp.scm b/tests/gexp.scm
index 813ea2ff6f..bc83a8de8c 100644
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
@@ -656,11 +656,11 @@
                        (drv      (imported-files files)))
     (define (file=? file1 file2)
       ;; Assume deduplication is in place.
-      (= (stat:ino (lstat file1))
-         (stat:ino (lstat file2))))
+      (= (stat:ino (stat file1))
+         (stat:ino (stat file2))))
 
     (mbegin %store-monad
-      (built-derivations (list drv))
+      (built-derivations (list (pk 'drv drv)))
       (mlet %store-monad ((dir -> (derivation->output-path drv))
                           (plain* (text-file "foo" "bar!"))
                           (q-scm* (interned-file q-scm "c")))
diff --git a/tests/gremlin.scm b/tests/gremlin.scm
index f1089e7da6..77a5dc1998 100644
--- a/tests/gremlin.scm
+++ b/tests/gremlin.scm
@@ -18,12 +18,14 @@
 
 (define-module (test-gremlin)
   #:use-module (guix elf)
+  #:use-module ((guix utils) #:select (call-with-temporary-directory))
   #:use-module (guix build utils)
   #:use-module (guix build gremlin)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-64)
   #:use-module (rnrs io ports)
+  #:use-module (ice-9 popen)
   #:use-module (ice-9 match))
 
 (define %guile-executable
@@ -37,6 +39,9 @@
 (define read-elf
   (compose parse-elf get-bytevector-all))
 
+(define c-compiler
+  (or (which "gcc") (which "cc") (which "g++")))
+
 
 (test-begin "gremlin")
 
@@ -63,4 +68,32 @@
          "../${ORIGIN}/bar/$ORIGIN/baz"
          "ORIGIN/foo")))
 
+(unless c-compiler
+  (test-skip 1))
+(test-equal "strip-runpath"
+  "hello\n"
+  (call-with-temporary-directory
+   (lambda (directory)
+     (with-directory-excursion directory
+       (call-with-output-file "t.c"
+         (lambda (port)
+           (display "int main () { puts(\"hello\"); }" port)))
+       (invoke c-compiler "t.c"
+               "-Wl,-rpath=/foo" "-Wl,-rpath=/bar")
+       (let* ((dyninfo (elf-dynamic-info
+                        (parse-elf (call-with-input-file "a.out"
+                                     get-bytevector-all))))
+              (old     (elf-dynamic-info-runpath dyninfo))
+              (new     (strip-runpath "a.out"))
+              (new*    (strip-runpath "a.out")))
+         (validate-needed-in-runpath "a.out")
+         (and (member "/foo" old) (member "/bar" old)
+              (not (member "/foo" new))
+              (not (member "/bar" new))
+              (equal? new* new)
+              (let* ((pipe (open-input-pipe "./a.out"))
+                     (str  (get-string-all pipe)))
+                (close-pipe pipe)
+                str)))))))
+
 (test-end "gremlin")