summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi6
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/bioinformatics.scm11
-rw-r--r--gnu/packages/gnustep.scm8
-rw-r--r--gnu/packages/gnuzilla.scm10
-rw-r--r--gnu/packages/haskell.scm213
-rw-r--r--gnu/packages/image.scm17
-rw-r--r--gnu/packages/libevent.scm4
-rw-r--r--gnu/packages/linux.scm72
-rw-r--r--gnu/packages/maths.scm4
-rw-r--r--gnu/packages/music.scm68
-rw-r--r--gnu/packages/ocaml.scm70
-rw-r--r--gnu/packages/password-utils.scm4
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2015-6581.patch47
-rw-r--r--gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch245
-rw-r--r--gnu/packages/tls.scm45
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/web.scm4
-rw-r--r--guix/scripts/offload.scm38
19 files changed, 726 insertions, 146 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 71de73b953..0cb1bc7665 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1005,6 +1005,12 @@ command line:
 # guix offload test machines-qualif.scm
 @end example
 
+Last, you can test the subset of the machines whose name matches a
+regular expression like this:
+
+@example
+# guix offload test machines.scm '\.gnu\.org$'
+@end example
 
 @node Invoking guix-daemon
 @section Invoking @command{guix-daemon}
diff --git a/gnu/local.mk b/gnu/local.mk
index f8202e2e72..c6cb55b06f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -747,9 +747,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/ola-readdir-r.patch			\
   %D%/packages/patches/onionshare-fix-install-paths.patch		\
   %D%/packages/patches/openexr-missing-samples.patch		\
-  %D%/packages/patches/openjpeg-CVE-2015-6581.patch		\
   %D%/packages/patches/openjpeg-CVE-2016-5157.patch		\
   %D%/packages/patches/openjpeg-CVE-2016-7163.patch		\
+  %D%/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch		\
   %D%/packages/patches/openjpeg-use-after-free-fix.patch	\
   %D%/packages/patches/openocd-nrf52.patch			\
   %D%/packages/patches/openssh-memory-exhaustion.patch		\
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 625935dfd7..9ab55fb965 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -5629,7 +5629,7 @@ track.  The database is exposed as a @code{TxDb} object.")
 (define-public vsearch
   (package
     (name "vsearch")
-    (version "2.3.3")
+    (version "2.3.4")
     (source
      (origin
        (method url-fetch)
@@ -5639,7 +5639,7 @@ track.  The database is exposed as a @code{TxDb} object.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1d3670apjy15c9l40fpq71lifxga6j9z2gisdirycwk18s4mvcp2"))
+         "1xyraxmhyx62mxx8z7c8waygvcijwkh48ms1ar60w2cv2y2sn4al"))
        (modules '((guix build utils)))
        (snippet
         '(begin
@@ -5699,15 +5699,16 @@ Needleman-Wunsch).")
 (define-public pardre
   (package
     (name "pardre")
-    (version "1.1.5")
+    ;; The source of 1.1.5 changed in place, so we append "-1" to the version.
+    (version "1.1.5-1")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "mirror://sourceforge/pardre/ParDRe-rel"
-                           version ".tar.gz"))
+                           "1.1.5" ".tar.gz"))
        (sha256
         (base32
-         "0zkyjzv4s8q2h5npalhirbk17r5b1h0n2a42mh7njzlf047h9bhy"))))
+         "17j73nc0viq4f6qj50nrndsrif5d6b71q8fl87m54psiv0ilns2b"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f ; no tests included
diff --git a/gnu/packages/gnustep.scm b/gnu/packages/gnustep.scm
index 6c365cbbc4..8f72bb3253 100644
--- a/gnu/packages/gnustep.scm
+++ b/gnu/packages/gnustep.scm
@@ -60,7 +60,13 @@
                         (string-append "\"" bin "/wmaker.inst")))
                      (substitute* '("src/defaults.c" "WPrefs.app/Menu.c")
                        (("\"wmsetbg")
-                        (string-append "\"" bin "/wmsetbg")))))
+                        (string-append "\"" bin "/wmsetbg")))
+                     ;; Add enough cells to the command character array to
+                     ;; allow passing our large path to the wmsetbg binary.
+                     ;; The path to wmsetbg in Guix requires 67 extra characters.
+                     (substitute* "src/defaults.c"
+                       (("len = strlen\\(text\\) \\+ 40;")
+                        (string-append "len = strlen(text) + 107;")))))
                  (alist-cons-after
                   'install 'wrap
                   (lambda* (#:key outputs #:allow-other-keys)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index f63e950f29..5f7e45183b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -337,7 +337,15 @@ standards.")
         (mozilla-patch "icecat-bug-1279202.patch"       "e560997291af" "1hn35slasfcj3ryka4fsarx4l9r99z0iwj67fmbv6zxz4z133kks")
         (mozilla-patch "icecat-bug-1320039.patch"       "21c615b65048" "0ibgsxa36x9ajn2jqbhxxvrfvj6x6iyspsmzzn4brdz11n93skhr")
         (mozilla-patch "icecat-bug-1320057.patch"       "c15e5afc0430" "17gj32agqs94548z8lvz0l6zz3kbwajn8as0y4iw5nb6jsll4c66")
-        (mozilla-patch "icecat-bug-1163212.patch"       "46163fb1cb34" "1yikayczfgfla3aka0159apq3149d52sgvlca0sivx4myd0lvjm7")))
+        (mozilla-patch "icecat-bug-1163212.patch"       "46163fb1cb34" "1yikayczfgfla3aka0159apq3149d52sgvlca0sivx4myd0lvjm7")
+        (mozilla-patch "icecat-bug-1317805.patch"       "cde2a37100f5" "100abggnhwyw84almxrkxqfpyfkd4pqkcrh5y9g4d3jd2h16asvl")
+        (mozilla-patch "icecat-bug-1298773-pt1.patch"   "9b78ab1e6d07" "19ib6bp96xk000ll40b8qxvizkncyzclz2rsb9w5fa42qs9978ff")
+        (mozilla-patch "icecat-bug-1298773-pt2.patch"   "78ebf9c9dfb0" "1shgr4rk6r2zxr1qqk1j3qnnqzqxnbi093qhlrfh8q5q1ivqf6k1")
+        (mozilla-patch "icecat-bug-1299098.patch"       "a46a9f16823c" "0dwkyz3kcqnfcbhbfh2lss7s0yh87rgzb871qxx3x4ynyqph9mnz")
+        (mozilla-patch "icecat-bug-1311687.patch"       "6bc7cc7a33a6" "1wggcqv84n8mp7xps7hy4rwy61fkh45imfqzc0b46s3w5hyhypn2")
+        (mozilla-patch "icecat-bug-1287912.patch"       "778f65148b40" "0j2a153sk0654vv2lnxjib4lwml3mlqn6vs46c2pp82iba8nyfrm")
+        (mozilla-patch "icecat-bug-1312272.patch"       "94bd2b43c766" "10h0qpr6m9cqyqxxnkbb6mzb3cagavzlynkxgd7a4izyq1bv28rk")
+        (mozilla-patch "icecat-bug-1315631.patch"       "893de7431d51" "11gyik8mwipl6ipypkvdq519pw7ccbg0g0bnvxb7271n44cqqcq5")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm
index 7a7d6bab87..8e5927a00b 100644
--- a/gnu/packages/haskell.scm
+++ b/gnu/packages/haskell.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -2315,36 +2316,34 @@ the parsers provided by @code{parsec}, @code{attoparsec} and @code{base}'s
 (define-public ghc-trifecta
   (package
     (name "ghc-trifecta")
-    (version "1.5.2")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append
-             "https://hackage.haskell.org/package/trifecta/trifecta-"
-             version
-             ".tar.gz"))
-       (sha256
-        (base32
-         "0fjhnsbafl3yw34pyhcsvrqy6a2mnhyqys6gna3rrlygs8ck7hpb"))))
+    (version "1.6")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/trifecta/"
+                    "trifecta-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0rbhv9m17k7l1zr70i0yw5da0qjgxmfh1da8brj0zdzwjn9ac0mk"))))
     (build-system haskell-build-system)
-    (arguments `(#:tests? #f)) ; FIXME: Test fails with "cannot satisfy
-                               ; -package ansi-terminal-0.6.2.3"
     (inputs
-     `(("ghc-charset" ,ghc-charset)
-       ("ghc-comonad" ,ghc-comonad)
-       ("ghc-lens" ,ghc-lens)
-       ("ghc-profunctors" ,ghc-profunctors)
-       ("ghc-reducers" ,ghc-reducers)
+     `(("ghc-reducers" ,ghc-reducers)
        ("ghc-semigroups" ,ghc-semigroups)
        ("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-blaze-html" ,ghc-blaze-html)
        ("ghc-blaze-markup" ,ghc-blaze-markup)
+       ("ghc-charset" ,ghc-charset)
+       ("ghc-comonad" ,ghc-comonad)
+       ("ghc-doctest" ,ghc-doctest)
        ("ghc-fingertree" ,ghc-fingertree)
        ("ghc-hashable" ,ghc-hashable)
+       ("ghc-lens" ,ghc-lens)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-parsers" ,ghc-parsers)
+       ("ghc-profunctors" ,ghc-profunctors)
+       ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-unordered-containers" ,ghc-unordered-containers)
        ("ghc-utf8-string" ,ghc-utf8-string)))
     (home-page "https://github.com/ekmett/trifecta/")
@@ -6671,34 +6670,47 @@ constant-time:
     (license license:bsd-3)))
 
 (define-public idris
+  ;; TODO: IDRIS_LIBRARY_PATH only accepts a single path and not a colon
+  ;; separated list.
+  ;; TODO: When installing idris the location of the standard libraries
+  ;; cannot be specified.
+  ;; NOTE: Creating an idris build system:
+  ;; Idris packages can be packaged and installed using a trivial
+  ;; build system.
+  ;; (zero? (system* (string-append idris "/bin/idris")
+  ;;                                "--ibcsubdir"
+  ;;                                (string-append out "/idris/libs/lightyear")
+  ;;                                "--install" "lightyear.ipkg")
+  ;; (native-search-paths
+  ;;   (list (search-path-specification
+  ;;          (variable "IDRIS_LIBRARY_PATH")
+  ;;          (files '("idris/libs")))))
   (package
     (name "idris")
-    (version "0.9.19.1")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://hackage.haskell.org/package/idris-"
-                           version "/idris-" version ".tar.gz"))
-       (sha256
-        (base32
-         "10641svdsjlxbxmbvylpia04cz5nn9486lpiay8ibqcrc1792qgc"))
-       (modules '((guix build utils)))
-       (snippet
-        '(substitute* "idris.cabal"
-           ;; Package description file has a too-tight version restriction,
-           ;; rendering it incompatible with GHC 7.10.2.  This is fixed
-           ;; upstream.  See
-           ;; <https://github.com/idris-lang/Idris-dev/issues/2734>.
-           (("vector < 0.11") "vector < 0.12")))))
+    (version "0.12.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/"
+                    "idris-" version "/idris-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1ijrbgzaahw9aagn4al55nqcggrg9ajlrkq2fjc1saq3xdd3v7rs"))))
     (build-system haskell-build-system)
     (arguments
-     `(#:phases (modify-phases %standard-phases
-                  (add-before 'configure 'patch-cc-command
-                              (lambda _
-                                (setenv "CC" "gcc"))))))
+     `(;; FIXME: runhaskell Setup.hs test doesn't set paths required by test
+       ;; suite.
+       #:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'patch-cc-command
+           (lambda _
+             (setenv "CC" "gcc"))))))
     (inputs
      `(("gmp" ,gmp)
        ("ncurses" ,ncurses)
+       ("ghc-aeson" ,ghc-aeson)
+       ("ghc-async" ,ghc-async)
        ("ghc-annotated-wl-pprint" ,ghc-annotated-wl-pprint)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)
@@ -6707,12 +6719,19 @@ constant-time:
        ("ghc-blaze-markup" ,ghc-blaze-markup)
        ("ghc-cheapskate" ,ghc-cheapskate)
        ("ghc-fingertree" ,ghc-fingertree)
+       ("ghc-fsnotify" ,ghc-fsnotify)
+       ("ghc-ieee754" ,ghc-ieee754)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-network" ,ghc-network)
        ("ghc-optparse-applicative" ,ghc-optparse-applicative)
        ("ghc-parsers" ,ghc-parsers)
+       ("ghc-regex-tdfa" ,ghc-regex-tdfa)
        ("ghc-safe" ,ghc-safe)
        ("ghc-split" ,ghc-split)
+       ("ghc-tasty" ,ghc-tasty)
+       ("ghc-tasty-golden" ,ghc-tasty-golden)
+       ("ghc-tasty-rerun" ,ghc-tasty-rerun)
+       ("ghc-terminal-size" ,ghc-terminal-size)
        ("ghc-text" ,ghc-text)
        ("ghc-trifecta" ,ghc-trifecta)
        ("ghc-uniplate" ,ghc-uniplate)
@@ -7994,4 +8013,120 @@ helper functions for Lists, Maybes, Tuples, Functions.")
 3D plots using gnuplot.")
     (license license:bsd-3)))
 
+(define-public ghc-hinotify
+  (package
+    (name "ghc-hinotify")
+    (version "0.3.8.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/hinotify/"
+                    "hinotify-" version ".tar.gz"))
+              (sha256
+               (base32
+                "03c1f4d7x805zdiq2w26kl09xrfjw19saycdkhnixzv2qcr6xm1p"))))
+    (build-system haskell-build-system)
+    (home-page "https://github.com/kolmodin/hinotify.git")
+    (synopsis "Haskell binding to inotify")
+    (description "This library provides a wrapper to the Linux kernel's inotify
+feature, allowing applications to subscribe to notifications when a file is
+accessed or modified.")
+    (license license:bsd-3)))
+
+(define-public ghc-fsnotify
+  (package
+    (name "ghc-fsnotify")
+    (version "0.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/fsnotify/"
+                    "fsnotify-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0asl313a52qx2w6dw25g845683xsl840bwjh118nkwi5v1xipkzb"))))
+    (build-system haskell-build-system)
+    (inputs
+     `(("ghc-text" ,ghc-text)
+       ("ghc-async" ,ghc-async)
+       ("ghc-unix-compat" ,ghc-unix-compat)
+       ("ghc-hinotify" ,ghc-hinotify)
+       ("ghc-tasty" ,ghc-tasty)
+       ("ghc-tasty-hunit" ,ghc-tasty-hunit)
+       ("ghc-temporary-rc" ,ghc-temporary-rc)))
+    (home-page "https://github.com/haskell-fswatch/hfsnotify")
+    (synopsis "Cross platform library for file change notification.")
+    (description "Cross platform library for file creation, modification, and
+deletion notification. This library builds upon existing libraries for platform
+specific Windows, Mac, and Linux filesystem event notification.")
+    (license license:bsd-3)))
+
+(define-public ghc-tasty-rerun
+  (package
+    (name "ghc-tasty-rerun")
+    (version "1.1.6")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/tasty-rerun/"
+                    "tasty-rerun-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0ycxg7whabgcxyzy6gr536x8ykzx45whh1wrbsc7c58zi862fczd"))))
+    (build-system haskell-build-system)
+    (inputs
+     `(("ghc-mtl" ,ghc-mtl)
+       ("ghc-optparse-applicative" ,ghc-optparse-applicative)
+       ("ghc-reducers" ,ghc-reducers)
+       ("ghc-split" ,ghc-split)
+       ("ghc-stm" ,ghc-stm)
+       ("ghc-tagged" ,ghc-tagged)
+       ("ghc-tasty" ,ghc-tasty)))
+    (home-page "http://github.com/ocharles/tasty-rerun")
+    (synopsis "Run tests by filtering the test tree")
+    (description "This package adds the ability to run tests by filtering the
+test tree based on the result of a previous test run.  You can use this to run
+only those tests that failed in the last run, or to only run the tests that have
+been added since previous test run.")
+  (license license:bsd-3)))
+
+(define-public ghc-ieee754
+  (package
+    (name "ghc-ieee754")
+    (version "0.7.8")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/ieee754/"
+                    "ieee754-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1zvfnnd5nm5kgr60214cdyks0kqdqyzpwk5sdh0s60yr8b7fyjny"))))
+    (build-system haskell-build-system)
+    (home-page "http://github.com/patperry/hs-ieee754")
+    (synopsis "Utilities for dealing with IEEE floating point numbers")
+    (description "Utilities for dealing with IEEE floating point numbers,
+ported from the Tango math library; approximate and exact equality comparisons
+for general types.")
+    (license license:bsd-3)))
+
+(define-public ghc-terminal-size
+  (package
+    (name "ghc-terminal-size")
+    (version "0.3.2.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "https://hackage.haskell.org/package/terminal-size/"
+                    "terminal-size-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0n4nvj3dbj9gxfnprgish45asn9z4dipv9j98s8i7g2n8yb3xhmm"))))
+    (build-system haskell-build-system)
+    (home-page "http://hackage.haskell.org/package/terminal-size")
+    (synopsis "Get terminal window height and width")
+    (description "Get terminal window height and width without ncurses
+dependency.")
+    (license license:bsd-3)))
+
 ;;; haskell.scm ends here
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7bf330be30..9c8a3fcde6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -425,6 +425,7 @@ work.")
 (define-public openjpeg
   (package
     (name "openjpeg")
+    (replacement openjpeg/fixed)
     (version "2.1.1")
     (source
       (origin
@@ -461,9 +462,21 @@ error-resilience, a Java-viewer for j2k-images, ...")
     (home-page "https://github.com/uclouvain/openjpeg")
     (license license:bsd-2)))
 
+(define openjpeg/fixed
+  (package
+    (inherit openjpeg)
+    (source
+      (origin
+        (inherit (package-source openjpeg))
+        (patches
+          (append
+            (origin-patches (package-source openjpeg))
+            (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch")))))))
+
 (define-public openjpeg-1
   (package (inherit openjpeg)
     (name "openjpeg")
+    (replacement #f)
     (version "1.5.2")
     (source
      (origin
@@ -860,14 +873,14 @@ convert, manipulate, filter and display a wide variety of image formats.")
 (define-public jasper
   (package
     (name "jasper")
-    (version "2.0.0")
+    (version "2.0.6")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.ece.uvic.ca/~frodo/jasper"
                                   "/software/jasper-" version ".tar.gz"))
               (sha256
                (base32
-                "1kg5yrdwgazhbczybyx4548m0ijssabcp8hl5l87w78z833vikks"))))
+                "0g6fl8rrbspa9vpswixmpxrg71l19kqgc2b5cak7vmwxphj01wbk"))))
     (build-system cmake-build-system)
     (inputs `(("libjpeg" ,libjpeg)))
     (synopsis "JPEG-2000 library")
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index c9e57d6331..cb76915ef7 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -65,7 +65,7 @@ loop.")
 (define-public libev
   (package
     (name "libev")
-    (version "4.20")
+    (version "4.23")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://dist.schmorp.de/libev/Attic/libev-"
@@ -73,7 +73,7 @@ loop.")
                                   ".tar.gz"))
               (sha256
                (base32
-                "17j47pbkr65a18mfvy2861p5k7w4pxmdgiw723ryfqd9gx636w7q"))))
+                "0ynxxm7giy4hg3qp9q8wshqw1jla9sxbsbi2pwsdsl1v1hz79zn7"))))
     (build-system gnu-build-system)
     (home-page "http://software.schmorp.de/pkg/libev.html")
     (synopsis "Event loop loosely modelled after libevent")
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 3c24987aae..8f8bd32e1d 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -327,16 +327,52 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
 (define-public linux-libre
-  (make-linux-libre "4.8.12"
-                    "1vhqpi5r219a9y1drc3pdzwjif8r974hbc0x9dk4w25c8bsr3cm1"
+  (make-linux-libre "4.8.13"
+                    "1n1bhasqih8acag2glwaqsh76avpinvchvwg6g4q1pfm2vs1499x"
                     %intel-compatible-systems
-                    #:configuration-file kernel-config))
+                    #:configuration-file kernel-config
+                    #:patches
+                    (list %boot-logo-patch
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=9bd018da073c1360c260d2e11e0da9b24911c4a8")
+                            (file-name "linux-libre-4.8-CVE-2016-8655.patch")
+                            (sha256
+                             (base32
+                              "1pq80vnwv01l0rj2g0r7i4rjnx3ll8iq4rpl6w3fmc77agdb3bpq")))
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=af8a38c78233a3356c626c1fabfc93c66094e6e8")
+                            (file-name "linux-libre-4.8-iovec-fix.patch")
+                            (sha256
+                             (base32
+                              "082a5dpkgsc0mjlzqc03d815xx8gdqk0s4glvi4y1b9vl8c4vmwy"))))))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.36"
-                    "0cvax02jj9zyk818gi6fjgacxa5z89y03kxwclb8l7cr8mcbwcdf"
+  (make-linux-libre "4.4.37"
+                    "1zw3hwpgxkxwplb81in5969vgbaamcwqarmxj3aq88yg6bqnh6b5"
                     %intel-compatible-systems
-                    #:configuration-file kernel-config))
+                    #:configuration-file kernel-config
+                    #:patches
+                    (list %boot-logo-patch
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=668dc0c33815e4f9ec02989785658516d343bc31")
+                            (file-name "linux-libre-4.4-CVE-2016-8655.patch")
+                            (sha256
+                             (base32
+                              "1bzgj36y8v7gflq3dlhmbbvvn9098a4yk4pcpixdz5c5pm7wrdv3")))
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=82330dbfb463389f2b0214dbcc69b78cc8e6cf8f")
+                            (file-name "linux-libre-4.4-iovec-fix.patch")
+                            (sha256
+                             (base32
+                              "1mqmgiqjm4pf4b3jzknclmdjfaqqr4708gcdgzhn84brrcm5iz30"))))))
 
 (define-public linux-libre-4.1
   (make-linux-libre "4.1.36"
@@ -345,15 +381,33 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 ;; Avoid rebuilding kernel variants when there is a minor version bump.
-(define %linux-libre-version "4.8.12")
-(define %linux-libre-hash "1vhqpi5r219a9y1drc3pdzwjif8r974hbc0x9dk4w25c8bsr3cm1")
+(define %linux-libre-version "4.8.13")
+(define %linux-libre-hash "1n1bhasqih8acag2glwaqsh76avpinvchvwg6g4q1pfm2vs1499x")
 
 (define-public linux-libre-arm-generic
   (make-linux-libre %linux-libre-version
                     %linux-libre-hash
                     '("armhf-linux")
                     #:defconfig "multi_v7_defconfig"
-                    #:extra-version "arm-generic"))
+                    #:extra-version "arm-generic"
+                    #:patches
+                    (list %boot-logo-patch
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=9bd018da073c1360c260d2e11e0da9b24911c4a8")
+                            (file-name "linux-libre-4.8-CVE-2016-8655.patch")
+                            (sha256
+                             (base32
+                              "1pq80vnwv01l0rj2g0r7i4rjnx3ll8iq4rpl6w3fmc77agdb3bpq")))
+                          (origin
+                            (method url-fetch)
+                            (uri "\
+https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/patch/?id=af8a38c78233a3356c626c1fabfc93c66094e6e8")
+                            (file-name "linux-libre-4.8-iovec-fix.patch")
+                            (sha256
+                             (base32
+                              "082a5dpkgsc0mjlzqc03d815xx8gdqk0s4glvi4y1b9vl8c4vmwy"))))))
 
 
 ;;;
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index fc98eae4f7..313f6acc2b 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -959,14 +959,14 @@ script files.")
 (define-public gmsh
   (package
     (name "gmsh")
-    (version "2.14.1")
+    (version "2.15.0")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "http://gmsh.info/src/gmsh-"
                           version "-source.tgz"))
       (sha256
-       (base32 "1vsxp47j6srmy8kqb3p1z9pmlm42whhhz7r0vzpa2a86gga4zx17"))
+       (base32 "02h7fk4vv8qwnq3ymm409c5sp4nksd0m9h2vkxqmy42l0ic4nalr"))
       (modules '((guix build utils)))
       (snippet
        ;; Remove non-free METIS code
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 34beb09f44..116e8d4823 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -231,6 +231,74 @@ score, keyboard, guitar, drum and controller views.")
 many input formats and provides a customisable Vi-style user interface.")
      (license license:gpl2+)))
 
+(define-public denemo
+  (package
+    (name "denemo")
+    (version "2.0.14")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/denemo/denemo-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "1a7g38695g7jjypx25qp0dx0asrh72xwdj0mdhmb9pfyzlppq0wh"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           ;; Denemo's documentation says to use this command to run its
+           ;; testsuite.
+           (lambda _
+             (zero? (system* "make" "-C" "tests" "check"))))
+         (add-after 'install 'correct-filename
+           ;; "graft-derivation/shallow" from the (guix grafts) module runs in
+           ;; the C locale, expecting file names to be ASCII encoded. This
+           ;; phase renames a filename with a Unicode character in it to meet
+           ;; the aforementioned condition.
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out")))
+               (chdir (string-append
+                       out
+                       "/share/denemo/templates/instruments/woodwind"))
+               (rename-file "Clarinet in B♭.denemo"
+                            "Clarinet in Bb.denemo"))
+             #t)))))
+    (native-inputs
+     `(("glib:bin", glib "bin")   ; for gtester
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("alsa-lib" ,alsa-lib)
+       ("aubio" ,aubio)
+       ("evince" ,evince)
+       ("fftw" ,fftw)
+       ("fluidsynth" ,fluidsynth)
+       ("glib" ,glib)
+       ("gtk+" ,gtk+)
+       ("gtk-doc" ,gtk-doc)
+       ("gtksourceview" ,gtksourceview)
+       ("guile" ,guile-2.0)
+       ("intltool" ,intltool)
+       ("librsvg" ,librsvg)
+       ("libsndfile" ,libsndfile)
+       ("libtool" ,libtool)
+       ("libxml2" ,libxml2)
+       ("portaudio" ,portaudio)
+       ("portmidi" ,portmidi)
+       ("rubberband" ,rubberband)))
+    (propagated-inputs
+     `(("lilypond", lilypond)))
+    (synopsis "Graphical music notation, front-end to GNU Lilypond")
+    (description
+     "GNU Denemo is a music notation editor that provides a convenient
+interface to the powerful music engraving program Lilypond.  Music can be
+typed in using the computer keyboard, played in using a MIDI keyboard, or
+even input via a microphone connected to the sound card.  The final product
+is publication-quality music notation that is continuously generated in the
+background while you work.")
+    (home-page "http://www.denemo.org")
+    (license license:gpl3+)))
+
 (define-public hydrogen
   (package
     (name "hydrogen")
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index f1b4bdbf6f..61d51074e7 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -329,14 +329,14 @@ written in Objective Caml.")
 (define-public coq
   (package
     (name "coq")
-    (version "8.4pl6")
+    (version "8.5pl2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://coq.inria.fr/distrib/V" version
                                   "/files/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1mpbj4yf36kpjg2v2sln12i8dzqn8rag6fd07hslj2lpm4qs4h55"))))
+                "0wyywia0darak2zmc5v0ra9rn0b9whwdfiahralm8v5za499s8w3"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("texlive" ,texlive)
@@ -348,24 +348,24 @@ written in Objective Caml.")
      `(#:phases
        (modify-phases %standard-phases
          (replace 'configure
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    (let* ((out (assoc-ref outputs "out"))
-                           (mandir (string-append out "/share/man"))
-                           (browser "icecat -remote \"OpenURL(%s,new-tab)\""))
-                      (zero? (system* "./configure"
-                                      "--prefix" out
-                                      "--mandir" mandir
-                                      "--browser" browser)))))
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (mandir (string-append out "/share/man"))
+                    (browser "icecat -remote \"OpenURL(%s,new-tab)\""))
+               (zero? (system* "./configure"
+                               "-prefix" out
+                               "-mandir" mandir
+                               "-browser" browser)))))
          (replace 'build
-                  (lambda _
-                    (zero? (system* "make" "-j" (number->string
-                                                 (parallel-job-count))
-                                    "world"))))
+           (lambda _
+             (zero? (system* "make" "-j" (number->string
+                                          (parallel-job-count))
+                             "world"))))
          (delete 'check)
          (add-after 'install 'check
-                    (lambda _
-                      (with-directory-excursion "test-suite"
-                        (zero? (system* "make"))))))))
+           (lambda _
+             (with-directory-excursion "test-suite"
+               (zero? (system* "make"))))))))
     (home-page "https://coq.inria.fr")
     (synopsis "Proof assistant for higher-order logic")
     (description
@@ -454,6 +454,42 @@ assistant to write formal mathematical proofs using a variety of theorem
 provers.")
     (license gpl2+)))
 
+(define-public ocaml-menhir
+  (package
+    (name "ocaml-menhir")
+    (version "20161115")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "http://gallium.inria.fr/~fpottier/menhir/"
+                    "menhir-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1j8nmcj2gq6hyyi16z27amiahplgrnk4ppchpm0v4qy80kwkf47k"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("ocaml" ,ocaml)))
+    (arguments
+     `(#:parallel-build? #f ; Parallel build causes failure
+       #:tests? #f ; No check target
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (setenv "PREFIX" out))
+             #t)))))
+    (home-page "http://gallium.inria.fr/~fpottier/menhir")
+    (synopsis "Parser generator")
+    (description "Menhir is a parser generator.  It turns high-level grammar
+specifications, decorated with semantic actions expressed in the OCaml
+programming language into parsers, again expressed in OCaml. It is based on
+Knuth’s LR(1) parser construction technique.")
+    ;; The file src/standard.mly and all files listed in src/mnehirLib.mlpack
+    ;; that have an *.ml or *.mli extension are GPL licensed. All other files
+    ;; are QPL licensed.
+    (license (list gpl2+ qpl))))
+
 (define-public lablgtk
   (package
     (name "lablgtk")
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index cf030ecc82..8f6210880c 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -280,6 +280,7 @@ any X11 window.")
      '(#:phases
        (modify-phases %standard-phases
          (delete 'configure)
+         (delete 'build)
          (add-after 'install 'wrap-path
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out"))
@@ -290,6 +291,9 @@ any X11 window.")
                (wrap-program (string-append out "/bin/pass")
                  `("PATH" ":" prefix (,(string-join path ":"))))))))
        #:make-flags (list "CC=gcc" (string-append "PREFIX=" %output))
+       ;; Parallel tests may cause a race condition leading to a
+       ;; timeout in some circumstances.
+       #:parallel-tests? #f
        #:test-target "test"))
     (inputs
      `(("getopt" ,util-linux)
diff --git a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
deleted file mode 100644
index 7ce03501f4..0000000000
--- a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
-From: Matthieu Darbois <mayeut@users.noreply.github.com>
-Date: Tue, 19 May 2015 21:57:27 +0000
-Subject: [PATCH] [trunk] Correct potential double free on malloc failure in
- opj_j2k_copy_default_tcp_and_create_tcp (fixes issue 492)
-
----
- src/lib/openjp2/j2k.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index 8c62a39..cbdd368 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -7365,6 +7365,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
-                 l_tcp->cod = 0;
-                 l_tcp->ppt = 0;
-                 l_tcp->ppt_data = 00;
-+                /* Remove memory not owned by this tile in case of early error return. */
-+                l_tcp->m_mct_decoding_matrix = 00;
-+                l_tcp->m_nb_max_mct_records = 0;
-+                l_tcp->m_mct_records = 00;
-+                l_tcp->m_nb_max_mcc_records = 0;
-+                l_tcp->m_mcc_records = 00;
-                 /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
-                 l_tcp->tccps = l_current_tccp;
- 
-@@ -7402,6 +7408,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
- 
-                         ++l_src_mct_rec;
-                         ++l_dest_mct_rec;
-+                        /* Update with each pass to free exactly what has been allocated on early return. */
-+                        l_tcp->m_nb_max_mct_records += 1;
-                 }
- 
-                 /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
-@@ -7411,6 +7419,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd (       opj_j2k_t * p_j2
-                         return OPJ_FALSE;
-                 }
-                 memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
-+                l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
- 
-                 /* Copy the mcc record data from dflt_tile_cp to the current tile*/
-                 l_src_mcc_rec = l_default_tcp->m_mcc_records;
--- 
-2.5.0
-
diff --git a/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch b/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch
new file mode 100644
index 0000000000..3f637fa88b
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch
@@ -0,0 +1,245 @@
+From cadff5fb6e73398de26a92e96d3d7cac893af255 Mon Sep 17 00:00:00 2001
+From: szukw000 <szukw000@arcor.de>
+Date: Fri, 9 Dec 2016 08:29:55 +0100
+Subject: [PATCH] These changes repair bugs of #871 and #872
+
+email from http://openwall.com/lists/oss-security/2016/12/09/4
+patch is against openjpeg-2.1.2, applies cleanly to 2.1.1.
+
+---
+ src/bin/jp2/converttif.c | 107 +++++++++++++++++++++++++++++++----------------
+ 1 file changed, 70 insertions(+), 37 deletions(-)
+
+diff --git a/src/bin/jp2/converttif.c b/src/bin/jp2/converttif.c
+index 143d3be..c690f8b 100644
+--- a/src/bin/jp2/converttif.c
++++ b/src/bin/jp2/converttif.c
+@@ -553,20 +553,18 @@ static void tif_32sto16u(const OPJ_INT32* pSrc, OPJ_UINT16* pDst, OPJ_SIZE_T len
+ 
+ int imagetotif(opj_image_t * image, const char *outfile)
+ {
+-	int width, height;
+-	int bps,adjust, sgnd;
+-	int tiPhoto;
++	uint32 width, height, bps, tiPhoto;
++	int adjust, sgnd;
+ 	TIFF *tif;
+ 	tdata_t buf;
+-	tsize_t strip_size;
++	tmsize_t strip_size, rowStride;
+ 	OPJ_UINT32 i, numcomps;
+-	OPJ_SIZE_T rowStride;
+ 	OPJ_INT32* buffer32s = NULL;
+ 	OPJ_INT32 const* planes[4];
+ 	convert_32s_PXCX cvtPxToCx = NULL;
+ 	convert_32sXXx_C1R cvt32sToTif = NULL;
+ 
+-	bps = (int)image->comps[0].prec;
++	bps = (uint32)image->comps[0].prec;
+ 	planes[0] = image->comps[0].data;
+ 	
+ 	numcomps = image->numcomps;
+@@ -674,13 +672,13 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 			break;
+ 	}
+ 	sgnd = (int)image->comps[0].sgnd;
+-	adjust = sgnd ? 1 << (image->comps[0].prec - 1) : 0;
+-	width   = (int)image->comps[0].w;
+-	height  = (int)image->comps[0].h;
++	adjust = sgnd ? (int)(1 << (image->comps[0].prec - 1)) : 0;
++	width   = (uint32)image->comps[0].w;
++	height  = (uint32)image->comps[0].h;
+ 	
+ 	TIFFSetField(tif, TIFFTAG_IMAGEWIDTH, width);
+ 	TIFFSetField(tif, TIFFTAG_IMAGELENGTH, height);
+-	TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, numcomps);
++	TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, (uint32)numcomps);
+ 	TIFFSetField(tif, TIFFTAG_BITSPERSAMPLE, bps);
+ 	TIFFSetField(tif, TIFFTAG_ORIENTATION, ORIENTATION_TOPLEFT);
+ 	TIFFSetField(tif, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+@@ -688,8 +686,8 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, 1);
+ 	
+ 	strip_size = TIFFStripSize(tif);
+-	rowStride = ((OPJ_SIZE_T)width * numcomps * (OPJ_SIZE_T)bps + 7U) / 8U;
+-	if (rowStride != (OPJ_SIZE_T)strip_size) {
++	rowStride = (width * numcomps * bps + 7U) / 8U;
++	if (rowStride != strip_size) {
+ 		fprintf(stderr, "Invalid TIFF strip size\n");
+ 		TIFFClose(tif);
+ 		return 1;
+@@ -699,7 +697,7 @@ int imagetotif(opj_image_t * image, const char *outfile)
+ 		TIFFClose(tif);
+ 		return 1;
+ 	}
+-	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)width * numcomps * sizeof(OPJ_INT32));
++	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(width * numcomps * sizeof(OPJ_INT32)));
+ 	if (buffer32s == NULL) {
+ 		_TIFFfree(buf);
+ 		TIFFClose(tif);
+@@ -1211,20 +1209,19 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	TIFF *tif;
+ 	tdata_t buf;
+ 	tstrip_t strip;
+-	tsize_t strip_size;
++	tmsize_t strip_size;
+ 	int j, currentPlane, numcomps = 0, w, h;
+ 	OPJ_COLOR_SPACE color_space = OPJ_CLRSPC_UNKNOWN;
+ 	opj_image_cmptparm_t cmptparm[4]; /* RGBA */
+ 	opj_image_t *image = NULL;
+ 	int has_alpha = 0;
+-	unsigned short tiBps, tiPhoto, tiSf, tiSpp, tiPC;
+-	unsigned int tiWidth, tiHeight;
++	uint32 tiBps, tiPhoto, tiSf, tiSpp, tiPC, tiWidth, tiHeight;
+ 	OPJ_BOOL is_cinema = OPJ_IS_CINEMA(parameters->rsiz);
+ 	convert_XXx32s_C1R cvtTifTo32s = NULL;
+ 	convert_32s_CXPX cvtCxToPx = NULL;
+ 	OPJ_INT32* buffer32s = NULL;
+ 	OPJ_INT32* planes[4];
+-	OPJ_SIZE_T rowStride;
++	tmsize_t rowStride;
+ 	
+ 	tif = TIFFOpen(filename, "r");
+ 	
+@@ -1243,22 +1240,35 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &tiSpp);
+ 	TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &tiPhoto);
+ 	TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &tiPC);
+-	w= (int)tiWidth;
+-	h= (int)tiHeight;
+-	
+-	if(tiBps > 16U) {
+-		fprintf(stderr,"tiftoimage: Bits=%d, Only 1 to 16 bits implemented\n",tiBps);
+-		fprintf(stderr,"\tAborting\n");
++
++	if(tiSpp == 0 || tiSpp > 4) { /* should be 1 ... 4 */
++		fprintf(stderr,"tiftoimage: Bad value for samples per pixel == %hu.\n"
++		 "\tAborting.\n", tiSpp);
++		TIFFClose(tif);
++		return NULL;
++	}
++	if(tiBps > 16U || tiBps == 0) {
++		fprintf(stderr,"tiftoimage: Bad values for Bits == %d.\n"
++		 "\tMax. 16 Bits are allowed here.\n\tAborting.\n",tiBps);
+ 		TIFFClose(tif);
+ 		return NULL;
+ 	}
+ 	if(tiPhoto != PHOTOMETRIC_MINISBLACK && tiPhoto != PHOTOMETRIC_RGB) {
+-		fprintf(stderr,"tiftoimage: Bad color format %d.\n\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
++		fprintf(stderr,"tiftoimage: Bad color format %d.\n"
++		 "\tOnly RGB(A) and GRAY(A) has been implemented\n",(int) tiPhoto);
+ 		fprintf(stderr,"\tAborting\n");
+ 		TIFFClose(tif);
+ 		return NULL;
+ 	}
+-	
++	if(tiWidth == 0 || tiHeight == 0) {
++		fprintf(stderr,"tiftoimage: Bad values for width(%u) "
++		 "and/or height(%u)\n\tAborting.\n",tiWidth,tiHeight);
++		TIFFClose(tif);
++		return NULL;
++	}
++	w= (int)tiWidth;
++	h= (int)tiHeight;
++
+ 	switch (tiBps) {
+ 		case 1:
+ 		case 2:
+@@ -1312,7 +1322,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		
+ 		TIFFGetFieldDefaulted(tif, TIFFTAG_EXTRASAMPLES,
+ 													&extrasamples, &sampleinfo);
+-		
++
+ 		if(extrasamples >= 1)
+ 		{
+ 			switch(sampleinfo[0])
+@@ -1333,7 +1343,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		else /* extrasamples == 0 */
+ 			if(tiSpp == 4 || tiSpp == 2) has_alpha = 1;
+ 	}
+-	
++
+ 	/* initialize image components */
+ 	memset(&cmptparm[0], 0, 4 * sizeof(opj_image_cmptparm_t));
+ 	
+@@ -1346,7 +1356,7 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	} else {
+ 		is_cinema = 0U;
+ 	}
+-	
++
+ 	if(tiPhoto == PHOTOMETRIC_RGB) /* RGB(A) */
+ 	{
+ 		numcomps = 3 + has_alpha;
+@@ -1384,10 +1394,24 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	image->x0 = (OPJ_UINT32)parameters->image_offset_x0;
+ 	image->y0 = (OPJ_UINT32)parameters->image_offset_y0;
+ 	image->x1 =	!image->x0 ? (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1 :
+-	image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
++	 image->x0 + (OPJ_UINT32)(w - 1) * (OPJ_UINT32)subsampling_dx + 1;
++	if(image->x1 <= image->x0) {
++		fprintf(stderr,"tiftoimage: Bad value for image->x1(%d) vs. "
++		 "image->x0(%d)\n\tAborting.\n",image->x1,image->x0);
++		TIFFClose(tif);
++		opj_image_destroy(image);
++		return NULL;
++	}
+ 	image->y1 =	!image->y0 ? (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1 :
+-	image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
+-
++	 image->y0 + (OPJ_UINT32)(h - 1) * (OPJ_UINT32)subsampling_dy + 1;
++	if(image->y1 <= image->y0) {
++		fprintf(stderr,"tiftoimage: Bad value for image->y1(%d) vs. "
++		 "image->y0(%d)\n\tAborting.\n",image->y1,image->y0);
++		TIFFClose(tif);
++		opj_image_destroy(image);
++		return NULL;
++	}
++	
+ 	for(j = 0; j < numcomps; j++)
+ 	{
+ 		planes[j] = image->comps[j].data;
+@@ -1395,15 +1419,15 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 	image->comps[numcomps - 1].alpha = (OPJ_UINT16)(1 - (numcomps & 1));
+ 		
+ 	strip_size = TIFFStripSize(tif);
+-	
++
+ 	buf = _TIFFmalloc(strip_size);
+ 	if (buf == NULL) {
+ 		TIFFClose(tif);
+ 		opj_image_destroy(image);
+ 		return NULL;
+ 	}
+-	rowStride = ((OPJ_SIZE_T)w * tiSpp * tiBps + 7U) / 8U;
+-	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)w * tiSpp * sizeof(OPJ_INT32));
++	rowStride = (w * tiSpp * tiBps + 7U) / 8U;
++	buffer32s = (OPJ_INT32 *)malloc((OPJ_SIZE_T)(w * tiSpp * sizeof(OPJ_INT32)));
+ 	if (buffer32s == NULL) {
+ 		_TIFFfree(buf);
+ 		TIFFClose(tif);
+@@ -1421,11 +1445,20 @@ opj_image_t* tiftoimage(const char *filename, opj_cparameters_t *parameters)
+ 		for(; (h > 0) && (strip < TIFFNumberOfStrips(tif)); strip++)
+ 		{
+ 				const OPJ_UINT8 *dat8;
+-				OPJ_SIZE_T ssize;
++				tmsize_t ssize;
+ 				
+-				ssize = (OPJ_SIZE_T)TIFFReadEncodedStrip(tif, strip, buf, strip_size);
++				ssize = TIFFReadEncodedStrip(tif, strip, buf, strip_size);
++				if(ssize < 1 || ssize > strip_size) {
++					fprintf(stderr,"tiftoimage: Bad value for ssize(%ld) "
++                     "vs. strip_size(%ld).\n\tAborting.\n",ssize,strip_size);
++					_TIFFfree(buf);
++					_TIFFfree(buffer32s);
++					TIFFClose(tif);
++					opj_image_destroy(image);
++					return NULL;
++				}
+ 				dat8 = (const OPJ_UINT8*)buf;
+-				
++
+ 				while (ssize >= rowStride) {
+ 					cvtTifTo32s(dat8, buffer32s, (OPJ_SIZE_T)w * tiSpp);
+ 					cvtCxToPx(buffer32s, planes, (OPJ_SIZE_T)w);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 854ba1cb47..f5ffe42b91 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -355,7 +355,7 @@ required structures.")
   (package
     (inherit openssl)
     (name "openssl")
-    (version "1.1.0b")
+    (version "1.1.0c")
     (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -366,7 +366,7 @@ required structures.")
               (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
               (sha256
                (base32
-                "1xznrqvb1dbngv2k2nb6da6fdw00c01sy2i36yjdxr4vpxrf0pd4"))))
+                "1xfn5ydl14myd9wgxm4nxy5a42cpp1g12ijf3g9m4mz0l90n8hzw"))))
     (outputs '("out"
                "doc"        ;1.3MiB of man3 pages
                "static"))   ; 5.5MiB of .a files
@@ -377,13 +377,42 @@ required structures.")
            (delete 'patch-tests)          ; These two phases are not needed by
            (delete 'patch-Makefile.org)   ; OpenSSL 1.1.0.
 
-           (add-after 'configure 'patch-runpath
+           ;; Override configure phase since -rpath is now a configure option.
+           (replace 'configure
              (lambda* (#:key outputs #:allow-other-keys)
-               (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
-                 (substitute* "Makefile.shared"
-                   (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
-                    (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
-                                   " -Wl,-rpath," lib)))
+               (let* ((out (assoc-ref outputs "out"))
+                      (lib (string-append out "/lib")))
+                 (zero?
+                  (system* "./config"
+                           "shared"                   ;build shared libraries
+                           "--libdir=lib"
+
+                           ;; The default for this catch-all directory is
+                           ;; PREFIX/ssl.  Change that to something more
+                           ;; conventional.
+                           (string-append "--openssldir=" out
+                                          "/share/openssl-" ,version)
+
+                           (string-append "--prefix=" out)
+                           (string-append "-Wl,-rpath," lib)
+
+                           ;; XXX FIXME: Work around a code generation bug in GCC
+                           ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
+                           ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+                           ,@(if (and (not (%current-target-system))
+                                      (string-prefix? "armhf" (%current-system)))
+                                 '("-mfpu=vfpv3")
+                                 '()))))))
+
+           ;; XXX: Duplicate this phase to make sure 'version' evaluates
+           ;; in the current scope and not the inherited one.
+           (replace 'remove-miscellany
+             (lambda* (#:key outputs #:allow-other-keys)
+               ;; The 'misc' directory contains random undocumented shell and Perl
+               ;; scripts.  Remove them to avoid retaining a reference on Perl.
+               (let ((out (assoc-ref outputs "out")))
+                 (delete-file-recursively (string-append out "/share/openssl-"
+                                                         ,version "/misc"))
                  #t)))))))))
 
 (define-public libressl
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index acacaea15d..446de429f3 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -610,14 +610,14 @@ audio/video codec library.")
 (define-public ffmpeg-2.8
   (package
     (inherit ffmpeg)
-    (version "2.8.8")
+    (version "2.8.9")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1691bmq8j56rcys09xwvzjq16z25m8vczj5a50gdn7ydm9qjykpr"))))
+               "1s3011q7sxyb55n3r8aiv7xh53bwxjdxa83s2ilqhq5rygrrgg8i"))))
     (arguments
      (substitute-keyword-arguments (package-arguments ffmpeg)
        ((#:configure-flags flags)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 81676386a0..3fa70980d7 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -523,7 +523,7 @@ for efficient socket-like bidirectional reliable communication channels.")
 (define-public libpsl
   (package
     (name "libpsl")
-    (version "0.15.0")
+    (version "0.16.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/rockdaboot/libpsl/"
@@ -531,7 +531,7 @@ for efficient socket-like bidirectional reliable communication channels.")
                                   "/libpsl-" version ".tar.gz"))
               (sha256
                (base32
-                "0wm9i3qshfdasd5s5nrdihl4f5c6zrd1nkqrqjnh7zhhv1an755m"))))
+                "1ghhwrn3y047ngs6d59z6ssnx6f7zr3fjvxji17ln9r10sj4njvi"))))
     (build-system gnu-build-system)
     (inputs
      `(("icu4c" ,icu4c)
diff --git a/guix/scripts/offload.scm b/guix/scripts/offload.scm
index ebff11664d..c98cf8c534 100644
--- a/guix/scripts/offload.scm
+++ b/guix/scripts/offload.scm
@@ -177,6 +177,14 @@ private key from '~a': ~a")
                                ;; #:log-verbosity 'protocol
                                #:identity (build-machine-private-key machine)
 
+                               ;; By default libssh reads ~/.ssh/known_hosts
+                               ;; and uses that to adjust its choice of cipher
+                               ;; suites, which changes the type of host key
+                               ;; that the server sends (RSA vs. Ed25519,
+                               ;; etc.).  Opt for something reproducible and
+                               ;; stateless instead.
+                               #:knownhosts "/dev/null"
+
                                ;; We need lightweight compression when
                                ;; exchanging full archives.
                                #:compression
@@ -700,9 +708,18 @@ allowed on MACHINE.  Return +∞ if MACHINE is unreachable."
           (leave (_ "failed to import '~a' from '~a'~%")
                  item name)))))
 
-(define (check-machine-availability machine-file)
-  "Check that each machine in MACHINE-FILE is usable as a build machine."
-  (let ((machines (build-machines machine-file)))
+(define (check-machine-availability machine-file pred)
+  "Check that each machine matching PRED in MACHINE-FILE is usable as a build
+machine."
+  (define (build-machine=? m1 m2)
+    (and (string=? (build-machine-name m1) (build-machine-name m2))
+         (= (build-machine-port m1) (build-machine-port m2))))
+
+  ;; A given build machine may appear several times (e.g., once for
+  ;; "x86_64-linux" and a second time for "i686-linux"); test them only once.
+  (let ((machines (filter pred
+                          (delete-duplicates (build-machines machine-file)
+                                             build-machine=?))))
     (info (_ "testing ~a build machines defined in '~a'...~%")
           (length machines) machine-file)
     (let* ((names    (map build-machine-name machines))
@@ -766,11 +783,16 @@ allowed on MACHINE.  Return +∞ if MACHINE is unreachable."
              (loop (read-line)))))))
     (("test" rest ...)
      (with-error-handling
-       (let ((file (match rest
-                     ((file) file)
-                     (()     %machine-file)
-                     (_      (leave (_ "wrong number of arguments~%"))))))
-         (check-machine-availability (or file %machine-file)))))
+       (let-values (((file pred)
+                     (match rest
+                       ((file regexp)
+                        (values file
+                                (compose (cut string-match regexp <>)
+                                         build-machine-name)))
+                       ((file) (values file (const #t)))
+                       (()     (values %machine-file (const #t)))
+                       (_      (leave (_ "wrong number of arguments~%"))))))
+         (check-machine-availability (or file %machine-file) pred))))
     (("--version")
      (show-version-and-exit "guix offload"))
     (("--help")