summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am3
-rw-r--r--build-aux/download.scm73
-rw-r--r--build-aux/test-env.in16
-rw-r--r--gnu/local.mk74
-rw-r--r--gnu/packages/acl.scm19
-rw-r--r--gnu/packages/autotools.scm109
-rw-r--r--gnu/packages/backup.scm64
-rw-r--r--gnu/packages/base.scm149
-rw-r--r--gnu/packages/bootstrap.scm83
-rw-r--r--gnu/packages/calendar.scm3
-rw-r--r--gnu/packages/commencement.scm122
-rw-r--r--gnu/packages/compression.scm23
-rw-r--r--gnu/packages/cross-base.scm1
-rw-r--r--gnu/packages/curl.scm29
-rw-r--r--gnu/packages/databases.scm6
-rw-r--r--gnu/packages/file.scm14
-rw-r--r--gnu/packages/gcc.scm38
-rw-r--r--gnu/packages/ghostscript.scm59
-rw-r--r--gnu/packages/glib.scm24
-rw-r--r--gnu/packages/gnome.scm4
-rw-r--r--gnu/packages/gnupg.scm17
-rw-r--r--gnu/packages/groff.scm9
-rw-r--r--gnu/packages/gtk.scm10
-rw-r--r--gnu/packages/image.scm4
-rw-r--r--gnu/packages/kerberos.scm18
-rw-r--r--gnu/packages/libidn.scm19
-rw-r--r--gnu/packages/linux.scm76
-rw-r--r--gnu/packages/maths.scm6
-rw-r--r--gnu/packages/multiprecision.scm4
-rw-r--r--gnu/packages/package-management.scm47
-rw-r--r--gnu/packages/patches/automake-regexp-syntax.patch34
-rw-r--r--gnu/packages/patches/automake-test-gzip-warning.patch17
-rw-r--r--gnu/packages/patches/coreutils-cut-huge-range-test.patch33
-rw-r--r--gnu/packages/patches/gcc-asan-powerpc-missing-include.patch20
-rw-r--r--gnu/packages/patches/gcc-fix-texi2pod.patch19
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2017-8291.patch195
-rw-r--r--gnu/packages/patches/glib-respect-datadir.patch21
-rw-r--r--gnu/packages/patches/grep-gnulib-lock.patch32
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-4658.patch257
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-5131.patch218
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-0663.patch53
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7375.patch45
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7376.patch41
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch130
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch319
-rw-r--r--gnu/packages/patches/libxslt-CVE-2016-4738.patch39
-rw-r--r--gnu/packages/patches/pcre-CVE-2017-7186.patch56
-rw-r--r--gnu/packages/patches/python-2.7-adjust-tests.patch22
-rw-r--r--gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch54
-rw-r--r--gnu/packages/patches/python-3-fix-tests.patch149
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch69
-rw-r--r--gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch720
-rw-r--r--gnu/packages/patches/python-unittest2-python3-compat.patch34
-rw-r--r--gnu/packages/patches/python-unittest2-remove-argparse.patch (renamed from gnu/packages/patches/python2-unittest2-remove-argparse.patch)0
-rw-r--r--gnu/packages/pcre.scm22
-rw-r--r--gnu/packages/perl.scm4
-rw-r--r--gnu/packages/python.scm346
-rw-r--r--gnu/packages/ruby.scm1
-rw-r--r--gnu/packages/texinfo.scm20
-rw-r--r--gnu/packages/tls.scm15
-rw-r--r--gnu/packages/web.scm2
-rw-r--r--gnu/packages/xml.scm45
-rw-r--r--gnu/packages/xorg.scm16
-rw-r--r--guix/build/utils.scm1
-rw-r--r--guix/download.scm110
65 files changed, 962 insertions, 3320 deletions
diff --git a/Makefile.am b/Makefile.am
index fd6f9729c9..affeb8dda7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -402,7 +402,7 @@ check-local:
 
 endif !CAN_RUN_TESTS
 
-check-system: $(GOBJECTS) $(BOOTSTRAP_GUILE_TARBALLS)
+check-system: $(GOBJECTS)
 	$(AM_V_at)$(top_builddir)/pre-inst-env			\
 	   $(GUILE) --no-auto-compile				\
 	   -e '(@@ (run-system-tests) run-system-tests)'	\
@@ -432,7 +432,6 @@ EXTRA_DIST =						\
   build-aux/hydra/guix.scm				\
   build-aux/check-available-binaries.scm		\
   build-aux/check-final-inputs-self-contained.scm	\
-  build-aux/download.scm				\
   build-aux/generate-authors.scm			\
   build-aux/test-driver.scm				\
   build-aux/update-guix-package.scm			\
diff --git a/build-aux/download.scm b/build-aux/download.scm
deleted file mode 100644
index 8dfa914603..0000000000
--- a/build-aux/download.scm
+++ /dev/null
@@ -1,73 +0,0 @@
-;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
-;;;
-;;; This file is part of GNU Guix.
-;;;
-;;; GNU Guix is free software; you can redistribute it and/or modify it
-;;; under the terms of the GNU General Public License as published by
-;;; the Free Software Foundation; either version 3 of the License, or (at
-;;; your option) any later version.
-;;;
-;;; GNU Guix is distributed in the hope that it will be useful, but
-;;; WITHOUT ANY WARRANTY; without even the implied warranty of
-;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-;;; GNU General Public License for more details.
-;;;
-;;; You should have received a copy of the GNU General Public License
-;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
-
-;;;
-;;; Download a binary file from an external source.
-;;;
-
-(use-modules (ice-9 match)
-             (web uri)
-             (web client)
-             (rnrs io ports)
-             (srfi srfi-11)
-             (guix base16)
-             (guix hash))
-
-(define %url-base
-  "http://alpha.gnu.org/gnu/guix/bootstrap"
-
-  ;; Alternately:
-  ;;"http://www.fdn.fr/~lcourtes/software/guix/packages"
-  )
-
-(define (file-name->uri file)
-  "Return the URI for FILE."
-  (match (string-tokenize file (char-set-complement (char-set #\/)))
-    ((_ ... system basename)
-     (string->uri
-      (string-append %url-base "/" system
-                     (match system
-                       ("aarch64-linux"
-                        "/20170217/")
-                       ("armhf-linux"
-                        "/20150101/")
-                       (_
-                        "/20131110/"))
-                     basename)))))
-
-(match (command-line)
-  ((_ file expected-hash)
-   (let ((uri (file-name->uri file)))
-     (format #t "downloading file `~a'~%from `~a'...~%"
-             file (uri->string uri))
-     (let*-values (((resp data) (http-get uri #:decode-body? #f))
-                   ((hash)      (bytevector->base16-string (sha256 data)))
-                   ((part)      (string-append file ".part")))
-       (if (string=? expected-hash hash)
-           (begin
-             (call-with-output-file part
-               (lambda (port)
-                 (put-bytevector port data)))
-             (rename-file part file))
-           (begin
-             (format (current-error-port)
-                     "file at `~a' has SHA256 ~a; expected ~a~%"
-                     (uri->string uri) hash expected-hash)
-             (exit 1)))))))
diff --git a/build-aux/test-env.in b/build-aux/test-env.in
index 1657556b19..4a422cf607 100644
--- a/build-aux/test-env.in
+++ b/build-aux/test-env.in
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 #
 # This file is part of GNU Guix.
 #
@@ -110,6 +110,20 @@ then
 
     daemon_pid=$!
     trap "kill $daemon_pid ; rm -rf $NIX_STATE_DIR" EXIT
+
+    # The test suite expects the 'guile-bootstrap' package to be available.
+    # Normally the Guile bootstrap tarball is downloaded by a fixed-output
+    # derivation but when network access is missing we allow users to drop
+    # the tarball in 'gnu/packages/bootstrap/SYSTEM' and "intern" it here.
+    bootstrap_directory="@abs_top_builddir@/gnu/packages/bootstrap/@guix_system@"
+    if [ -d "$bootstrap_directory" ]
+    then
+	for file in "$bootstrap_directory"/guile-*
+	do
+	    "@abs_top_builddir@/pre-inst-env"			\
+		guix download "file://$file" > /dev/null
+	done
+    fi
 fi
 
 # Avoid issues that could stem from l10n, such as language/encoding
diff --git a/gnu/local.mk b/gnu/local.mk
index 90dc7aec1b..a8f4e1e574 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -535,8 +535,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ath9k-htc-firmware-gcc.patch		\
   %D%/packages/patches/ath9k-htc-firmware-objcopy.patch		\
   %D%/packages/patches/automake-skip-amhello-tests.patch	\
-  %D%/packages/patches/automake-regexp-syntax.patch		\
-  %D%/packages/patches/automake-test-gzip-warning.patch		\
   %D%/packages/patches/avahi-localstatedir.patch		\
   %D%/packages/patches/avidemux-install-to-lib.patch		\
   %D%/packages/patches/awesome-reproducible-png.patch		\
@@ -571,7 +569,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/cool-retro-term-fix-array-size.patch	\
   %D%/packages/patches/cool-retro-term-memory-leak-1.patch	\
   %D%/packages/patches/cool-retro-term-remove-non-free-fonts.patch	\
-  %D%/packages/patches/coreutils-cut-huge-range-test.patch	\
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
   %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
@@ -632,8 +629,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/gawk-shell.patch				\
   %D%/packages/patches/gcc-arm-bug-71399.patch			\
   %D%/packages/patches/gcc-arm-link-spec-fix.patch		\
-  %D%/packages/patches/gcc-asan-powerpc-missing-include.patch	\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
+  %D%/packages/patches/gcc-fix-texi2pod.patch			\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-4.6-gnu-inline.patch			\
@@ -653,12 +650,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/gettext-multi-core.patch          	\
   %D%/packages/patches/gettext-gnulib-multi-core.patch          \
   %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch	\
-  %D%/packages/patches/ghostscript-CVE-2017-8291.patch		\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
+  %D%/packages/patches/glib-respect-datadir.patch		\
   %D%/packages/patches/glib-tests-timer.patch			\
   %D%/packages/patches/glibc-CVE-2015-5180.patch		\
   %D%/packages/patches/glibc-CVE-2015-7547.patch		\
@@ -696,7 +693,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch	\
   %D%/packages/patches/graphicsmagick-CVE-2017-14649.patch	\
   %D%/packages/patches/graphite2-ffloat-store.patch		\
-  %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
   %D%/packages/patches/groff-source-date-epoch.patch		\
   %D%/packages/patches/gsl-test-i686.patch			\
@@ -826,15 +822,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
   %D%/packages/patches/libxfont-CVE-2017-13720.patch		\
   %D%/packages/patches/libxfont-CVE-2017-13722.patch		\
-  %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
-  %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-0663.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-7375.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-7376.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch	\
-  %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch	\
   %D%/packages/patches/libxslt-generated-ids.patch		\
-  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
   %D%/packages/patches/libxt-guix-search-paths.patch		\
   %D%/packages/patches/lierolibre-check-unaligned-access.patch	\
   %D%/packages/patches/lierolibre-is-free-software.patch	\
@@ -930,7 +918,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
-  %D%/packages/patches/pcre-CVE-2017-7186.patch			\
   %D%/packages/patches/pcre2-CVE-2017-7186.patch		\
   %D%/packages/patches/pcre2-CVE-2017-8786.patch		\
   %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
@@ -973,14 +960,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/pygpgme-disable-problematic-tests.patch  \
   %D%/packages/patches/pyqt-configure.patch			\
   %D%/packages/patches/python-2-deterministic-build-info.patch	\
-  %D%/packages/patches/python-2.7-getentropy-on-old-kernels.patch	\
+  %D%/packages/patches/python-2.7-adjust-tests.patch		\
   %D%/packages/patches/python-2.7-search-paths.patch		\
   %D%/packages/patches/python-2.7-site-prefixes.patch		\
   %D%/packages/patches/python-2.7-source-date-epoch.patch	\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
-  %D%/packages/patches/python-3.5-fix-tests.patch		\
-  %D%/packages/patches/python-3.5-getentropy-on-old-kernels.patch	\
+  %D%/packages/patches/python-3-fix-tests.patch			\
   %D%/packages/patches/python-dendropy-fix-tests.patch		\
   %D%/packages/patches/python-fix-tests.patch			\
   %D%/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch	\
@@ -1005,7 +991,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
   %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
-  %D%/packages/patches/python2-unittest2-remove-argparse.patch \
+  %D%/packages/patches/python-unittest2-python3-compat.patch	\
+  %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quagga-reproducible-build.patch          \
@@ -1182,56 +1169,7 @@ dist_bootstrap_mips64el_linux_DATA =		\
   %D%/packages/bootstrap/mips64el-linux/tar	\
   %D%/packages/bootstrap/mips64el-linux/xz
 
-# Big bootstrap binaries are not included in the tarball.  Instead, they
-# are downloaded.
-nodist_bootstrap_x86_64_linux_DATA =					\
-  %D%/packages/bootstrap/x86_64-linux/guile-2.0.9.tar.xz
-nodist_bootstrap_i686_linux_DATA =					\
-  %D%/packages/bootstrap/i686-linux/guile-2.0.9.tar.xz
-nodist_bootstrap_armhf_linux_DATA =					\
-  %D%/packages/bootstrap/armhf-linux/guile-2.0.11.tar.xz
-nodist_bootstrap_aarch64_linux_DATA =					\
-  %D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz
-nodist_bootstrap_mips64el_linux_DATA =					\
-  %D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz
-
 # Those files must remain executable, so they remain executable once
 # imported into the store.
 set-bootstrap-executable-permissions:
 	chmod +x $(DESTDIR)$(bootstrapdir)/*/{bash,mkdir,tar,xz}
-
-BOOTSTRAP_GUILE_TARBALLS =			\
-  $(nodist_bootstrap_x86_64_linux_DATA)		\
-  $(nodist_bootstrap_i686_linux_DATA)		\
-  $(nodist_bootstrap_armhf_linux_DATA)		\
-  $(nodist_bootstrap_aarch64_linux_DATA)	\
-  $(nodist_bootstrap_mips64el_linux_DATA)
-
-DISTCLEANFILES = $(BOOTSTRAP_GUILE_TARBALLS)
-
-# Method to download a file from an external source.
-DOWNLOAD_FILE =								\
-  GUILE_LOAD_COMPILED_PATH="$(top_builddir):$$GUILE_LOAD_COMPILED_PATH"	\
-  $(GUILE) --no-auto-compile -L "$(top_builddir)" -L "$(top_srcdir)"	\
-           "$(top_srcdir)/build-aux/download.scm"
-
-%D%/packages/bootstrap/x86_64-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "037b103522a2d0d7d69c7ffd8de683dfe5bb4b59c1fafd70b4ffd397fd2f57f0"
-%D%/packages/bootstrap/i686-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "b757cd46bf13ecac83fb8e955fb50096ac2d17bb610ca8eb816f29302a00a846"
-%D%/packages/bootstrap/armhf-linux/guile-2.0.11.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "e551d05d4d385d6706ab8d574856a087758294dc90ab4c06e70a157a685e23d6"
-%D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "3939909f24dcb955621aa7f81ecde6844bea8a083969c2d275c55699af123ebe"
-%D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@" 			\
-	  "994680f0001346864aa2c2cc5110f380ee7518dcd701c614291682b8e948f73b"
diff --git a/gnu/packages/acl.scm b/gnu/packages/acl.scm
index ae6764993b..35bafc4c14 100644
--- a/gnu/packages/acl.scm
+++ b/gnu/packages/acl.scm
@@ -47,16 +47,15 @@
      `(#:tests? #f   ; FIXME: Investigate test suite failures
        #:test-target "tests"
        #:phases
-        (alist-cons-after
-         'build 'patch-exec-bin-sh
-         (lambda _
-           (substitute* "test/run"
-             (("/bin/sh") (which "sh"))))
-         (alist-replace
-          'install
-          (lambda _
-            (zero? (system* "make" "install" "install-lib" "install-dev")))
-          %standard-phases))))
+       (modify-phases %standard-phases
+         (add-after 'build 'patch-exec-bin-sh
+           (lambda _
+             (substitute* "test/run"
+               (("/bin/sh") (which "sh")))
+             #t))
+         (replace 'install
+           (lambda _
+             (zero? (system* "make" "install" "install-lib" "install-dev")))))))
     (inputs `(("attr" ,attr)))
     (native-inputs
      `(("gettext" ,gettext-minimal)
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 79ef31fc1b..6cba9ee2df 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -238,21 +238,18 @@ output is indexed in many ways to simplify browsing.")
     (license gpl3+)))
 
 (define-public automake
-  ;; Replace with 'automake/latest' on the next rebuild cycle.
   (package
     (name "automake")
-    (version "1.15")
+    (version "1.15.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/automake/automake-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0dl6vfi2lzz8alnklwxzfz624b95hb1ipjvd3mk177flmddcf24r"))
+               "1bzd9g32dfm4rsbw93ld9x7b5nc1y6i4m6zp032qf1i28a8s6sxg"))
              (patches
-              (search-patches "automake-regexp-syntax.patch"
-                              "automake-skip-amhello-tests.patch"
-                              "automake-test-gzip-warning.patch"))))
+              (search-patches "automake-skip-amhello-tests.patch"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,(autoconf-wrapper))
@@ -267,47 +264,47 @@ output is indexed in many ways to simplify browsing.")
                   (srfi srfi-1)
                   (srfi srfi-26)
                   (rnrs io ports))
-       #:phases (alist-cons-before
-                 'patch-source-shebangs 'patch-tests-shebangs
-                 (lambda _
-                   (let ((sh (which "sh")))
-                     (substitute* (find-files "t" "\\.(sh|tap)$")
-                       (("#![[:blank:]]?/bin/sh")
-                        (string-append "#!" sh)))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'patch-source-shebangs 'patch-tests-shebangs
+           (lambda _
+             (let ((sh (which "sh")))
+               (substitute* (find-files "t" "\\.(sh|tap)$")
+                 (("#![[:blank:]]?/bin/sh")
+                  (string-append "#!" sh)))
 
-                     ;; Set these variables for all the `configure' runs
-                     ;; that occur during the test suite.
-                     (setenv "SHELL" sh)
-                     (setenv "CONFIG_SHELL" sh)))
+               ;; Set these variables for all the `configure' runs
+               ;; that occur during the test suite.
+               (setenv "SHELL" sh)
+               (setenv "CONFIG_SHELL" sh)
+               #t)))
 
-                 ;; Files like `install-sh', `mdate.sh', etc. must use
-                 ;; #!/bin/sh, otherwise users could leak erroneous shebangs
-                 ;; in the wild.  See <http://bugs.gnu.org/14201> for an
-                 ;; example.
-                 (alist-cons-after
-                  'install 'unpatch-shebangs
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    (let* ((out (assoc-ref outputs "out"))
-                           (dir (string-append out "/share")))
-                      (define (starts-with-shebang? file)
-                        (equal? (call-with-input-file file
-                                  (lambda (p)
-                                    (list (get-u8 p) (get-u8 p))))
-                                (map char->integer '(#\# #\!))))
+           ;; Files like `install-sh', `mdate.sh', etc. must use
+           ;; #!/bin/sh, otherwise users could leak erroneous shebangs
+           ;; in the wild.  See <http://bugs.gnu.org/14201> for an
+           ;; example.
+           (add-after 'install 'unpatch-shebangs
+             (lambda* (#:key outputs #:allow-other-keys)
+               (let* ((out (assoc-ref outputs "out"))
+                      (dir (string-append out "/share")))
+                 (define (starts-with-shebang? file)
+                   (equal? (call-with-input-file file
+                             (lambda (p)
+                               (list (get-u8 p) (get-u8 p))))
+                           (map char->integer '(#\# #\!))))
 
-                      (for-each (lambda (file)
-                                  (when (and (starts-with-shebang? file)
-                                             (executable-file? file))
-                                    (format #t "restoring shebang on `~a'~%"
-                                            file)
-                                    (substitute* file
-                                      (("^#!.*/bin/sh")
-                                       "#!/bin/sh")
-                                      (("^#!.*/bin/env(.*)$" _ args)
-                                       (string-append "#!/usr/bin/env"
-                                                      args)))))
-                                (find-files dir ".*"))))
-                  %standard-phases))))
+                 (for-each (lambda (file)
+                             (when (and (starts-with-shebang? file)
+                                        (executable-file? file))
+                               (format #t "restoring shebang on `~a'~%"
+                                       file)
+                               (substitute* file
+                                 (("^#!.*/bin/sh")
+                                  "#!/bin/sh")
+                                 (("^#!.*/bin/env(.*)$" _ args)
+                                  (string-append "#!/usr/bin/env"
+                                                 args)))))
+                           (find-files dir ".*"))))))))
     (home-page "https://www.gnu.org/software/automake/")
     (synopsis "Making GNU standards-compliant Makefiles")
     (description
@@ -317,22 +314,6 @@ intuitive format and then Automake works with Autoconf to produce a robust
 Makefile, simplifying the entire process for the developer.")
     (license gpl2+)))                      ; some files are under GPLv3+
 
-
-(define-public automake/latest
-  ;; Merge with 'automake' on the next rebuild cycle.
-  (package
-    (inherit automake)
-    (version "1.15.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/automake/automake-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1bzd9g32dfm4rsbw93ld9x7b5nc1y6i4m6zp032qf1i28a8s6sxg"))
-              (patches
-               (search-patches "automake-skip-amhello-tests.patch"))))))
-
 (define-public libtool
   (package
     (name "libtool")
@@ -410,11 +391,9 @@ complexity of working with shared libraries across platforms.")
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-ltdl-install") ;really install it
-       #:phases (alist-cons-before
-                 'configure 'change-directory
-                 (lambda _
-                   (chdir "libltdl"))
-                 %standard-phases)))
+       #:phases (modify-phases %standard-phases
+                  (add-before 'configure 'change-directory
+                    (lambda _ (chdir "libltdl") #t)))))
 
     (synopsis "System-independent dlopen wrapper of GNU libtool")
     (description (package-description libtool))
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 55d5ede040..895b3b168d 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -185,16 +186,16 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (replacement libarchive-3.3.2)
-    (version "3.3.1")
+    (version "3.3.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
+       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
        (sha256
         (base32
-         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))
+         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
@@ -206,26 +207,25 @@ backups (called chunks) to allow easy burning to CD/DVD.")
        ("xz" ,xz)))
     (arguments
      `(#:phases
-       (alist-cons-before
-        'build 'patch-pwd
-        (lambda _
-          (substitute* "Makefile"
-            (("/bin/pwd") (which "pwd"))))
-        (alist-replace
-         'check
-         (lambda _
-           ;; XXX: The test_owner_parse, test_read_disk, and
-           ;; test_write_disk_lookup tests expect user 'root' to exist, but
-           ;; the chroot's /etc/passwd doesn't have it.  Turn off those tests.
-           ;;
-           ;; The tests allow one to disable tests matching a globbing pattern.
-           (and (zero? (system* "make"
-                                "libarchive_test" "bsdcpio_test" "bsdtar_test"))
-                ;; XXX: This glob disables too much.
-                (zero? (system* "./libarchive_test" "^test_*_disk*"))
-                (zero? (system* "./bsdcpio_test" "^test_owner_parse"))
-                (zero? (system* "./bsdtar_test"))))
-         %standard-phases))
+       (modify-phases %standard-phases
+         (add-before 'build 'patch-pwd
+           (lambda _
+             (substitute* "Makefile"
+               (("/bin/pwd") (which "pwd"))
+               #t)))
+         (replace 'check
+           (lambda _
+             ;; XXX: The test_owner_parse, test_read_disk, and
+             ;; test_write_disk_lookup tests expect user 'root' to exist, but
+             ;; the chroot's /etc/passwd doesn't have it.  Turn off those tests.
+             ;;
+             ;; The tests allow one to disable tests matching a globbing pattern.
+             (and (zero? (system* "make"
+                                  "libarchive_test" "bsdcpio_test" "bsdtar_test"))
+                  ;; XXX: This glob disables too much.
+                  (zero? (system* "./libarchive_test" "^test_*_disk*"))
+                  (zero? (system* "./bsdcpio_test" "^test_owner_parse"))
+                  (zero? (system* "./bsdtar_test"))))))
        ;; libarchive/test/test_write_format_gnutar_filenames.c needs to be
        ;; compiled with C99 or C11 or a gnu variant.
        #:configure-flags '("CFLAGS=-O2 -g -std=c99")))
@@ -241,20 +241,6 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
-(define libarchive-3.3.2
-  (package
-    (inherit libarchive)
-    (version "3.3.2")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "http://libarchive.org/downloads/libarchive-"
-                           version ".tar.gz"))
-       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
-       (sha256
-        (base32
-         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))
-
 (define-public rdup
   (package
     (name "rdup")
@@ -536,9 +522,7 @@ detection, and lossless compression.")
     (native-inputs
      `(("python-cython" ,python-cython)
        ("python-setuptools-scm" ,python-setuptools-scm)
-       ;; Borg 1.0.8's test suite uses 'tmpdir_factory', which was introduced in
-       ;; pytest 2.8.
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ;; For generating the documentation.
        ("python-sphinx" ,python-sphinx)
        ("python-guzzle-sphinx-theme" ,python-guzzle-sphinx-theme)))
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 9cb628d8d7..f519e10350 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -81,16 +81,15 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "3.0")
+   (version "3.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1dcasjp3a578nrvzrcn38mpizb8w1q6mvfzhjmcqqgkf0nsivj72"))
-            (patches (search-patches "grep-timing-sensitive-test.patch"
-                                     "grep-gnulib-lock.patch"))))
+              "0zm0ywmyz9g8vn1plw14mn8kj74yipx5qsljndbyfgmvndx5qqnv"))
+            (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
    (arguments
@@ -293,15 +292,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.27")
+   (version "8.28")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0sv547572iq8ayy8klir4hnngnx92a9nsazmf1wgzfc7xr4x74c8"))
-            (patches (search-patches "coreutils-cut-huge-range-test.patch"))))
+              "0r8c1bgm68kl70j1lgd0rv12iykw6143k4m9a56xip9rc2hv25qi"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -322,21 +320,18 @@ used to apply commands with arbitrarily long arguments.")
    (outputs '("out" "debug"))
    (arguments
     `(#:parallel-build? #f            ; help2man may be called too early
-      #:phases (alist-cons-before
-                'build 'patch-shell-references
-                (lambda* (#:key inputs #:allow-other-keys)
-                  (let ((bash (assoc-ref inputs "bash")))
-                    ;; 'split' uses either $SHELL or /bin/sh.  Set $SHELL so
-                    ;; that tests pass, since /bin/sh isn't in the chroot.
-                    (setenv "SHELL" (which "sh"))
-
-                    (substitute* (find-files "gnulib-tests" "\\.c$")
-                      (("/bin/sh")
-                       (format #f "~a/bin/sh" bash)))
-                    (substitute* (find-files "tests" "\\.sh$")
-                      (("#!/bin/sh")
-                       (format #f "#!~a/bin/sh" bash)))))
-                %standard-phases)))
+      #:phases (modify-phases %standard-phases
+                 (add-before 'build 'patch-shell-references
+                   (lambda _
+                     ;; 'split' uses either $SHELL or /bin/sh.  Set $SHELL so
+                     ;; that tests pass, since /bin/sh isn't in the chroot.
+                     (setenv "SHELL" (which "sh"))
+
+                     (substitute* (find-files "gnulib-tests" "\\.c$")
+                       (("/bin/sh") (which "sh")))
+                     (substitute* (find-files "tests" "\\.sh$")
+                       (("#!/bin/sh") (which "sh")))
+                     #t)))))
    (synopsis "Core GNU utilities (file, text, shell)")
    (description
     "GNU Coreutils includes all of the basic command-line tools that are
@@ -394,16 +389,15 @@ change.  GNU make offers many powerful extensions over the standard utility.")
 
 (define-public binutils
   (package
-   (replacement binutils/fixed)
    (name "binutils")
-   (version "2.28")
+   (version "2.28.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/binutils/binutils-"
                                 version ".tar.bz2"))
             (sha256
              (base32
-              "0wiasgns7i8km8nrxas265sh2dfpsw93b3qw195ipc90w4z475v2"))
+              "1sj234nd05cdgga1r36zalvvdkvpfbr12g5mir2n8i1dwsdrj939"))
             (patches (search-patches "binutils-ld-new-dtags.patch"
                                      "binutils-loongson-workaround.patch"))))
    (build-system gnu-build-system)
@@ -436,19 +430,6 @@ included.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/binutils/")))
 
-(define binutils/fixed
-  (package
-    (inherit binutils)
-    ;; 2.28.1 is two characters longer than 2.28, so grafting fails due to
-    ;; mismatched lengths of filenames, so we have to force  it to the same length.
-    (version "2281")
-    (source
-      (origin (inherit (package-source binutils))
-              (uri "mirror://gnu/binutils/binutils-2.28.1.tar.bz2")
-              (sha256
-               (base32
-                "1sj234nd05cdgga1r36zalvvdkvpfbr12g5mir2n8i1dwsdrj939"))))))
-
 (define* (make-ld-wrapper name #:key
                           (target (const #f))
                           binutils
@@ -527,15 +508,14 @@ store.")
 (define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.25")
-   (replacement glibc/fixed)
+   (version "2.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
+              "1ggnj1hzjym7sn93rbwydcqd562q73lsb7g7kd199g6j9j9hlkp5"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -546,19 +526,16 @@ store.")
             (modules '((guix build utils)))
             (patches (search-patches "glibc-ldd-x86_64.patch"
                                      "glibc-versioned-locpath.patch"
-                                     "glibc-o-largefile.patch"
-                                     "glibc-memchr-overflow-i686.patch"
-                                     "glibc-vectorized-strcspn-guards.patch"
-                                     "glibc-CVE-2017-1000366-pt1.patch"
-                                     "glibc-CVE-2017-1000366-pt2.patch"
-                                     "glibc-CVE-2017-1000366-pt3.patch"))))
+                                     "glibc-CVE-2017-15670-15671.patch"
+                                     "glibc-o-largefile.patch"))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
    ;; users should automatically pull Linux headers as well.
    (propagated-inputs `(("kernel-headers" ,linux-libre-headers)))
 
-   (outputs '("out" "debug"))
+   (outputs '("out" "debug"
+              "static"))                          ;9 MiB of .a files
 
    (arguments
     `(#:out-of-source? #t
@@ -569,6 +546,11 @@ store.")
       ;; RUNPATH checks.
       #:validate-runpath? #f
 
+      #:modules ((ice-9 ftw)
+                 (srfi srfi-26)
+                 (guix build utils)
+                 (guix build gnu-build-system))
+
       #:configure-flags
       (list "--enable-add-ons"
             "--sysconfdir=/etc"
@@ -598,10 +580,10 @@ store.")
                                       "kernel-headers")
                            "/include")
 
-            ;; This is the default for most architectures as of GNU libc 2.21,
+            ;; This is the default for most architectures as of GNU libc 2.26,
             ;; but we specify it explicitly for clarity and consistency.  See
             ;; "kernel-features.h" in the GNU libc for details.
-            "--enable-kernel=2.6.32"
+            "--enable-kernel=3.2.0"
 
             ;; Use our Bash instead of /bin/sh.
             (string-append "BASH_SHELL="
@@ -673,7 +655,46 @@ store.")
                          ;; "bilingual" eval/exec magic at the top of the file.
                          "")
                         (("exec @PERL@")
-                         "exec perl"))))))))
+                         "exec perl")))))
+
+                 (add-after 'install 'move-static-libs
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     ;; Move static libraries to the "static" output.
+                     (define (static-library? file)
+                       ;; Return true if FILE is a static library.  The
+                       ;; "_nonshared.a" files are referred to by libc.so,
+                       ;; libpthread.so, etc., which are in fact linker
+                       ;; scripts.
+                       (and (string-suffix? ".a" file)
+                            (not (string-contains file "_nonshared"))))
+
+                     (define (linker-script? file)
+                       ;; Guess whether FILE, a ".a" file, is actually a
+                       ;; linker script.
+                       (and (not (ar-file? file))
+                            (not (elf-file? file))))
+
+                     (let* ((out    (assoc-ref outputs "out"))
+                            (lib    (string-append out "/lib"))
+                            (files  (scandir lib static-library?))
+                            (static (assoc-ref outputs "static"))
+                            (slib   (string-append static "/lib")))
+                       (mkdir-p slib)
+                       (for-each (lambda (base)
+                                   (rename-file (string-append lib "/" base)
+                                                (string-append slib "/" base)))
+                                 files)
+
+                       ;; Usually libm.a is a linker script so we need to
+                       ;; change the file names in there to refer to STATIC
+                       ;; instead of OUT.
+                       (for-each (lambda (ld-script)
+                                   (substitute* ld-script
+                                     ((out) static)))
+                                 (filter linker-script?
+                                         (map (cut string-append slib "/" <>)
+                                              files)))
+                       #t))))))
 
    (inputs `(("static-bash" ,static-bash)))
 
@@ -787,17 +808,29 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-(define glibc/fixed
+;; Below are old libc versions, which we use mostly to build locale data in
+;; the old format (which the new libc cannot cope with.)
+
+(define-public glibc-2.25
   (package
     (inherit glibc)
+    (version "2.25")
     (source (origin
               (inherit (package-source glibc))
-              (patches (append
-                        (origin-patches (package-source glibc))
-                        (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
-;; Below are old libc versions, which we use mostly to build locale data in
-;; the old format (which the new libc cannot cope with.)
+              (uri (string-append "mirror://gnu/glibc/glibc-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
+              (patches (search-patches "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-vectorized-strcspn-guards.patch"
+                                       "glibc-CVE-2015-5180.patch"
+                                       "glibc-CVE-2017-15670-15671.patch"
+                                       "glibc-CVE-2017-1000366-pt1.patch"
+                                       "glibc-CVE-2017-1000366-pt2.patch"
+                                       "glibc-CVE-2017-1000366-pt3.patch"))))))
 
 (define-public glibc-2.24
   (package
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index ba733b3a9e..d1b03eb882 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -26,8 +26,10 @@
   #:use-module (guix build-system)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
-  #:use-module ((guix store) #:select (add-to-store add-text-to-store))
-  #:use-module ((guix derivations) #:select (derivation))
+  #:use-module ((guix store)
+                #:select (run-with-store add-to-store add-text-to-store))
+  #:use-module ((guix derivations)
+                #:select (derivation derivation->output-path))
   #:use-module ((guix utils) #:select (gnu-triplet->nix-system))
   #:use-module ((guix build utils) #:select (elf-file?))
   #:use-module (guix memoization)
@@ -38,6 +40,8 @@
             package-with-bootstrap-guile
             glibc-dynamic-linker
 
+            bootstrap-guile-origin
+
             %bootstrap-guile
             %bootstrap-coreutils&co
             %bootstrap-binutils
@@ -191,6 +195,56 @@ successful, or false to signal an error."
 ;;; Bootstrap packages.
 ;;;
 
+(define %bootstrap-base-urls
+  ;; This is where the initial binaries come from.
+  '("https://alpha.gnu.org/gnu/guix/bootstrap"
+    "http://alpha.gnu.org/gnu/guix/bootstrap"
+    "ftp://alpha.gnu.org/gnu/guix/bootstrap"
+    "http://www.fdn.fr/~lcourtes/software/guix/packages"
+    "http://flashner.co.il/guix/bootstrap"))
+
+(define (bootstrap-guile-url-path system)
+  "Return the URI for FILE."
+  (string-append "/" system
+                 (match system
+                   ("aarch64-linux"
+                    "/20170217/guile-2.0.14.tar.xz")
+                   ("armhf-linux"
+                    "/20150101/guile-2.0.11.tar.xz")
+                   (_
+                    "/20131110/guile-2.0.9.tar.xz"))))
+
+(define (bootstrap-guile-hash system)
+  "Return the SHA256 hash of the Guile bootstrap tarball for SYSTEM."
+  (match system
+    ("x86_64-linux"
+     (base32 "1w2p5zyrglzzniqgvyn1b55vprfzhgk8vzbzkkbdgl5248si0yq3"))
+    ("i686-linux"
+     (base32 "0im800m30abgh7msh331pcbjvb4n02smz5cfzf1srv0kpx3csmxp"))
+    ("mips64el-linux"
+     (base32 "0fzp93lvi0hn54acc0fpvhc7bvl0yc853k62l958cihk03q80ilr"))
+    ("armhf-linux"
+     (base32 "1mi3brl7l58aww34rawhvja84xc7l1b4hmwdmc36fp9q9mfx0lg5"))
+    ("aarch64-linux"
+     (base32 "1giy2aprjmn5fp9c4s9r125fljw4wv6ixy5739i5bffw4jgr0f9r"))))
+
+(define (bootstrap-guile-origin system)
+  "Return an <origin> object for the Guile tarball of SYSTEM."
+  (origin
+    (method url-fetch)
+    (uri (map (cute string-append <> (bootstrap-guile-url-path system))
+              %bootstrap-base-urls))
+    (sha256 (bootstrap-guile-hash system))))
+
+(define (download-bootstrap-guile store system)
+  "Return a derivation that downloads the bootstrap Guile tarball for SYSTEM."
+  (let* ((path (bootstrap-guile-url-path system))
+         (base (basename path))
+         (urls (map (cut string-append <> path) %bootstrap-base-urls)))
+    (run-with-store store
+      (url-fetch urls 'sha256 (bootstrap-guile-hash system)
+                 #:system system))))
+
 (define* (raw-build store name inputs
                     #:key outputs system search-paths
                     #:allow-other-keys)
@@ -205,13 +259,7 @@ successful, or false to signal an error."
          (xz    (->store "xz"))
          (mkdir (->store "mkdir"))
          (bash  (->store "bash"))
-         (guile (->store (match system
-                           ("armhf-linux"
-                            "guile-2.0.11.tar.xz")
-                           ("aarch64-linux"
-                            "guile-2.0.14.tar.xz")
-                           (_
-                            "guile-2.0.9.tar.xz"))))
+         (guile (download-bootstrap-guile store system))
          ;; The following code, run by the bootstrap guile after it is
          ;; unpacked, creates a wrapper for itself to set its load path.
          ;; This replaces the previous non-portable method based on
@@ -246,7 +294,7 @@ exec -a \"~a0\" ~a \"~a@\"\n"
 echo \"unpacking bootstrap Guile to '$out'...\"
 ~a $out
 cd $out
-~a -dc < ~a | ~a xv
+~a -dc < $GUILE_TARBALL | ~a xv
 
 # Use the bootstrap guile to create its own wrapper to set the load path.
 GUILE_SYSTEM_PATH=$out/share/guile/2.0 \
@@ -255,14 +303,16 @@ $out/bin/guile -c ~s $out ~a
 
 # Sanity check.
 $out/bin/guile --version~%"
-                                     mkdir xz guile tar
+                                     mkdir xz tar
                                      (format #f "~s" make-guile-wrapper)
                                      bash)
-                             (list mkdir xz guile tar bash))))
+                             (list mkdir xz tar bash))))
     (derivation store name
                 bash `(,builder)
                 #:system system
-                #:inputs `((,bash) (,builder)))))
+                #:inputs `((,bash) (,builder) (,guile))
+                #:env-vars `(("GUILE_TARBALL"
+                              . ,(derivation->output-path guile))))))
 
 (define* (make-raw-bag name
                        #:key source inputs native-inputs outputs
@@ -294,13 +344,6 @@ $out/bin/guile --version~%"
      (home-page #f)
      (license lgpl3+))))
 
-(define %bootstrap-base-urls
-  ;; This is where the initial binaries come from.
-  '("ftp://alpha.gnu.org/gnu/guix/bootstrap"
-    "http://alpha.gnu.org/gnu/guix/bootstrap"
-    "http://www.fdn.fr/~lcourtes/software/guix/packages"
-    "http://flashner.co.il/guix/bootstrap"))
-
 (define %bootstrap-coreutils&co
   (package-from-tarball "bootstrap-binaries"
                         (lambda (system)
diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index f208bc0803..2e2bd33a2d 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -118,8 +118,7 @@ data units.")
                               "not test_printics_read_from_stdin "
                               "and not test_import_from_stdin"))))))))
     (native-inputs
-      ;; XXX Uses tmpdir_factory, introduced in pytest 2.8.
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-setuptools-scm" ,python-setuptools-scm)
        ;; Required for tests
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 406a23b21c..f3afb28e18 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -113,7 +113,7 @@
 
 (define file-boot0
   (package-with-bootstrap-guile
-   (package-with-explicit-inputs (package/inherit file
+   (package-with-explicit-inputs (package (inherit file)
                                    (name "file-boot0"))
                                  `(("make" ,gnu-make-boot0)
                                    ,@%bootstrap-inputs)
@@ -140,7 +140,7 @@
 
 (define binutils-boot0
   (package-with-bootstrap-guile
-   (package/inherit binutils
+   (package (inherit binutils)
      (name "binutils-cross-boot0")
      (arguments
       `(#:guile ,%bootstrap-guile
@@ -149,23 +149,22 @@
         #:modules ((guix build gnu-build-system)
                    (guix build utils)
                    (ice-9 ftw))                    ; for 'scandir'
-        #:phases (alist-cons-after
-                  'install 'add-symlinks
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    ;; The cross-gcc invokes 'as', 'ld', etc, without the
-                    ;; triplet prefix, so add symlinks.
-                    (let ((out (assoc-ref outputs "out"))
-                          (triplet-prefix (string-append ,(boot-triplet) "-")))
-                      (define (has-triplet-prefix? name)
-                        (string-prefix? triplet-prefix name))
-                      (define (remove-triplet-prefix name)
-                        (substring name (string-length triplet-prefix)))
-                      (with-directory-excursion (string-append out "/bin")
-                        (for-each (lambda (name)
-                                    (symlink name (remove-triplet-prefix name)))
-                                  (scandir "." has-triplet-prefix?)))
-                      #t))
-                  %standard-phases)
+        #:phases (modify-phases %standard-phases
+                   (add-after 'install 'add-symlinks
+                     (lambda* (#:key outputs #:allow-other-keys)
+                       ;; The cross-gcc invokes 'as', 'ld', etc, without the
+                       ;; triplet prefix, so add symlinks.
+                       (let ((out (assoc-ref outputs "out"))
+                             (triplet-prefix (string-append ,(boot-triplet) "-")))
+                         (define (has-triplet-prefix? name)
+                           (string-prefix? triplet-prefix name))
+                         (define (remove-triplet-prefix name)
+                           (substring name (string-length triplet-prefix)))
+                         (with-directory-excursion (string-append out "/bin")
+                           (for-each (lambda (name)
+                                       (symlink name (remove-triplet-prefix name)))
+                                     (scandir "." has-triplet-prefix?)))
+                         #t))))
 
         ,@(substitute-keyword-arguments (package-arguments binutils)
             ((#:configure-flags cf)
@@ -286,9 +285,8 @@
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
                ,@(alist-delete "libc" %boot0-inputs)))
 
-     ;; No need for Texinfo at this stage.
-     (native-inputs (alist-delete "texinfo"
-                                  (package-native-inputs gcc))))))
+     ;; No need for the native-inputs to build the documentation at this stage.
+     (native-inputs `()))))
 
 (define perl-boot0
   (let ((perl (package
@@ -466,7 +464,7 @@ the bootstrap environment."
   ;; built just below; the only difference is that this one uses the
   ;; bootstrap Bash.
   (package-with-bootstrap-guile
-   (package/inherit glibc
+   (package (inherit glibc)
      (name "glibc-intermediate")
      (arguments
       `(#:guile ,%bootstrap-guile
@@ -583,12 +581,24 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
   (let* ((gcc  (cross-gcc-wrapper gcc-boot0 binutils-boot0
                                   glibc-final-with-bootstrap-bash
                                   (car (assoc-ref %boot1-inputs "bash"))))
-         (bash (package (inherit static-bash)
+         (bash (package
+                 (inherit static-bash)
                  (arguments
-                  `(#:guile ,%bootstrap-guile
-                    ,@(package-arguments static-bash)))))
+                  (substitute-keyword-arguments
+                      (package-arguments static-bash)
+                    ((#:guile _ #f)
+                     '%bootstrap-guile)
+                    ((#:configure-flags flags '())
+                     ;; Add a '-L' flag so that the pseudo-cross-ld of
+                     ;; BINUTILS-BOOT0 can find libc.a.
+                     `(append ,flags
+                              (list (string-append "LDFLAGS=-static -L"
+                                                   (assoc-ref %build-inputs
+                                                              "libc:static")
+                                                   "/lib"))))))))
          (inputs `(("gcc" ,gcc)
                    ("libc" ,glibc-final-with-bootstrap-bash)
+                   ("libc:static" ,glibc-final-with-bootstrap-bash "static")
                    ,@(fold alist-delete %boot1-inputs
                            '("gcc" "libc")))))
     (package-with-bootstrap-guile
@@ -632,7 +642,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 
 (define glibc-final
   ;; The final glibc, which embeds the statically-linked Bash built above.
-  (package/inherit glibc-final-with-bootstrap-bash
+  (package (inherit glibc-final-with-bootstrap-bash)
     (name "glibc")
     (inputs `(("static-bash" ,static-bash-for-glibc)
               ,@(alist-delete
@@ -663,12 +673,13 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define %boot2-inputs
   ;; 3rd stage inputs.
   `(("libc" ,glibc-final)
+    ("libc:static" ,glibc-final "static")
     ("gcc" ,gcc-boot0-wrapped)
     ,@(fold alist-delete %boot1-inputs '("libc" "gcc"))))
 
 (define binutils-final
   (package-with-bootstrap-guile
-   (package/inherit binutils
+   (package (inherit binutils)
      (arguments
       `(#:guile ,%bootstrap-guile
         #:implicit-inputs? #f
@@ -679,34 +690,29 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define libstdc++
   ;; Intermediate libstdc++ that will allow us to build the final GCC
   ;; (remember that GCC-BOOT0 cannot build libstdc++.)
-  ;; TODO: Write in terms of 'make-libstdc++'.
-  (package-with-bootstrap-guile
-   (package (inherit gcc)
-     (name "libstdc++")
-     (arguments
-      `(#:guile ,%bootstrap-guile
-        #:implicit-inputs? #f
-        #:allowed-references ("out")
-        #:out-of-source? #t
-        #:phases (alist-cons-before
-                  'configure 'chdir
-                  (lambda _
-                    (chdir "libstdc++-v3"))
-                  %standard-phases)
-        #:configure-flags `("--disable-shared"
-                            "--disable-libstdcxx-threads"
-                            "--disable-libstdcxx-pch"
-                            ,(string-append "--with-gxx-include-dir="
-                                            (assoc-ref %outputs "out")
-                                            "/include"
-                                            ;; "/include/c++/"
-                                            ;; ,(package-version gcc)
-                                            ))))
-     (outputs '("out"))
-     (inputs %boot2-inputs)
-     (native-inputs '())
-     (propagated-inputs '())
-     (synopsis "GNU C++ standard library (intermediate)"))))
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc))))
+    (package
+      (inherit lib)
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+         #:allowed-references ("out")
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ;; All of the package arguments from 'make-libstdc++
+         ;; except for the configure-flags.
+         ,@(package-arguments lib)
+         #:configure-flags `("--disable-shared"
+                             "--disable-libstdcxx-threads"
+                             "--disable-libstdcxx-pch"
+                             ,(string-append "--with-gxx-include-dir="
+                                             (assoc-ref %outputs "out")
+                                             "/include"))))
+      (outputs '("out"))
+      (inputs %boot2-inputs)
+      (synopsis "GNU C++ standard library (intermediate)"))))
 
 (define zlib-final
   ;; Zlib used by GCC-FINAL.
@@ -779,6 +785,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
     ;; scripts such as 'mkheaders' and 'fixinc.sh' (XXX: who cares about these
     ;; scripts?).
     (native-inputs `(("texinfo" ,texinfo-boot0)
+                     ("perl" ,perl-boot0) ;for manpages
                      ("static-bash" ,static-bash-for-glibc)
                      ,@(package-native-inputs gcc-boot0)))
 
@@ -923,12 +930,13 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
       ("binutils" ,binutils-final)
       ("gcc" ,gcc-final)
       ("libc" ,glibc-final)
+      ("libc:static" ,glibc-final "static")
       ("locales" ,glibc-utf8-locales-final))))
 
 (define-public canonical-package
   (let ((name->package (fold (lambda (input result)
                                (match input
-                                 ((_ package)
+                                 ((_ package . outputs)
                                   (vhash-cons (package-full-name package)
                                               package result))))
                              vlist-null
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index a2bf3a1861..9a1b628809 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -205,7 +205,16 @@ adding and extracting files to/from a tar archive.")
    (synopsis "General file (de)compression (using lzw)")
    (arguments
     ;; FIXME: The test suite wants `less', and optionally Perl.
-    '(#:tests? #f))
+    '(#:tests? #f
+      #:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'use-absolute-name-of-gzip
+          (lambda* (#:key outputs #:allow-other-keys)
+            (substitute* "gunzip.in"
+              (("exec gzip")
+               (string-append "exec " (assoc-ref outputs "out")
+                              "/bin/gzip")))
+            #t)))))
    (description
     "GNU Gzip provides data compression and decompression utilities; the
 typical extension is \".gz\".  Unlike the \"zip\" format, it compresses a single
@@ -344,7 +353,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
 (define-public xz
   (package
    (name "xz")
-   (version "5.2.2")
+   (version "5.2.3")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "http://tukaani.org/xz/xz-" version
@@ -353,7 +362,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
                                       version ".tar.gz")))
             (sha256
              (base32
-              "18h2k4jndhzjs8ln3a54qdnfv59y6spxiwh9gpaqniph6iflvpvk"))))
+              "1jr8pxnz55ifc8cvp3ivgl79ph9iik5aypsc9cma228aglsqp4ki"))))
    (build-system gnu-build-system)
    (synopsis "General-purpose data compression")
    (description
@@ -372,7 +381,7 @@ than gzip and 15 % smaller output than bzip2.")
 (define-public lzo
   (package
     (name "lzo")
-    (version "2.09")
+    (version "2.10")
     (source
      (origin
       (method url-fetch)
@@ -380,7 +389,7 @@ than gzip and 15 % smaller output than bzip2.")
                           version ".tar.gz"))
       (sha256
        (base32
-        "0k5kpj3jnsjfxqqkblpfpx0mqcy86zs5fhjhgh2kq1hksg7ag57j"))))
+        "0wm04519pd3g8hqpjqhfr72q8qmbiwqaxcs3cndny9h86aa95y60"))))
     (build-system gnu-build-system)
     (arguments '(#:configure-flags '("--enable-shared")))
     (home-page "http://www.oberhumer.com/opensource/lzo")
@@ -459,14 +468,14 @@ some compression ratio).")
 (define-public lzip
   (package
     (name "lzip")
-    (version "1.18")
+    (version "1.19")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/lzip/lzip-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1p8lvc22sv3damld9ng8y6i8z2dvvpsbi9v7yhr5bc2a20m8iya7"))))
+               "1abbch762gv8rjr579q3qyyk6c80plklbv2mw4x0vg71dgsw9bgz"))))
     (build-system gnu-build-system)
     (home-page "http://www.nongnu.org/lzip/lzip.html")
     (synopsis "Lossless data compressor based on the LZMA algorithm")
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index abc3a2821c..369083eab0 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -248,6 +248,7 @@ target that libc."
                    ,@inputs)))
             (libc
              `(("libc" ,libc)
+               ("libc:static" ,libc "static")
                ("xkernel-headers"                ;the target headers
                 ,@(assoc-ref (package-propagated-inputs libc)
                              "kernel-headers"))
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 2e4a48d1ef..c291d605a2 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -42,15 +43,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.55.1")
-   (replacement curl-7.56.1)
+   (version "7.56.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1dvbcwcar3dv488h9378hy145ma3ws2fwpbr6mgszd7chipcmbry"))))
+              "1l9r386qz7l7h4n5lysrf1wq93lyc72a7shgg9b8s5d0ycn2ivcf"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -109,7 +109,15 @@
            ;; The top-level "make check" does "make -C tests quiet-test", which
            ;; is too quiet.  Use the "test" target instead, which is more
            ;; verbose.
-           (zero? (system* "make" "-C" "tests" "test")))))))
+           (zero? (system* "make" "-C" "tests" "test"))))
+        (add-before 'install 'fix-Makefile
+          ;; Fix a regression in 7.55.0 where docs are not installed.
+          ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+          (lambda _
+            (substitute* "Makefile"
+              (("install-data-hook:\n")
+               "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+            #t)))))
    (synopsis "Command line tool for transferring data with URL syntax")
    (description
     "curl is a command line tool for transferring data with URL syntax,
@@ -122,16 +130,3 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
-
-(define-public curl-7.56.1
-  (package
-    (inherit curl)
-    (version "7.56.1")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://curl.haxx.se/download/curl-"
-                            version ".tar.xz"))
-        (sha256
-         (base32
-          "1l9r386qz7l7h4n5lysrf1wq93lyc72a7shgg9b8s5d0ycn2ivcf"))))))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index c2b5add392..ceee88d82b 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -900,7 +900,7 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.19.3")
+   (version "3.20.1")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -916,7 +916,7 @@ for example from a shell script.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "00b3l2qglpl1inx21fckiwxnfq5xf6441flc79rqg7zdvh1rq4h6"))))
+              "0hh7jnxfwvs2qlvmjwrgkvxb8sk4x8hj04m54fq9h1xw55dmjrpc"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -1814,7 +1814,7 @@ Memory-Mapped Database} (LMDB), a high-performance key-value store.")
              #t)))))
     (native-inputs
      `(("python-pytest-mock" ,python-pytest-mock)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-flexmock" ,python-flexmock)))
     (propagated-inputs
      `(("python-backpack" ,python-backpack)
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 3bc8e1dcfe..63aa3fac49 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -27,16 +27,15 @@
 
 (define-public file
   (package
-    (replacement file/fixed)
     (name "file")
-    (version "5.30")
+    (version "5.32")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "057jpcyy8ws7q4s4sm8r1rxb8xycdbng2z4y9i98f094wlr28k39"))))
+                "0l1bfa0icng9vdwya00ff48fhvjazi5610ylbhl35qi13d6xqfc6"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
@@ -50,11 +49,4 @@ you in words what kind of data a file contains.  It does not rely on filename
 extensions to tell you the type of a file, but looks at the actual contents
 of the file.")
    (license bsd-2)
-   (home-page "http://www.darwinsys.com/file/")))
-
-(define file/fixed
-  (package
-    (inherit file)
-    (source (origin
-              (inherit (package-source file))
-              (patches (search-patches "file-CVE-2017-1000249.patch"))))))
+   (home-page "https://www.darwinsys.com/file/")))
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 7870d4513f..a4d181cb11 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -138,7 +138,8 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                                    version "/gcc-" version ".tar.bz2"))
                (sha256
                 (base32
-                 "10k2k71kxgay283ylbbhhs51cl55zn2q38vj5pk4k950qdnirrlj"))))
+                 "10k2k71kxgay283ylbbhhs51cl55zn2q38vj5pk4k950qdnirrlj"))
+               (patches (search-patches "gcc-fix-texi2pod.patch"))))
       (build-system gnu-build-system)
 
       ;; Separate out the run-time support libraries because all the
@@ -155,7 +156,8 @@ where the OS part is overloaded to denote a specific ABI---into GCC
 
       ;; GCC < 5 is one of the few packages that doesn't ship .info files.
       ;; Newer texinfos fail to build the manual, so we use an older one.
-      (native-inputs `(("texinfo" ,texinfo-5)))
+      (native-inputs `(("perl" ,perl)   ;for manpages
+                       ("texinfo" ,texinfo-5)))
 
       (arguments
        `(#:out-of-source? #t
@@ -351,7 +353,8 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "08yggr18v373a1ihj0rg2vd6psnic42b518xcgp3r9k81xz1xyr2"))
-              (patches (search-patches "gcc-arm-link-spec-fix.patch"))))
+              (patches (search-patches "gcc-arm-link-spec-fix.patch"
+                                       "gcc-fix-texi2pod.patch"))))
     (supported-systems %supported-systems)
     (inputs
      `(("isl" ,isl-0.11)
@@ -369,31 +372,33 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
-                                       "gcc-libvtv-runpath.patch"))))
-    (native-inputs `(("texinfo" ,texinfo)))))
+                                       "gcc-libvtv-runpath.patch"
+                                       "gcc-fix-texi2pod.patch"))))
+    ;; Override inherited texinfo-5 with latest version.
+    (native-inputs `(("perl" ,perl)   ;for manpages
+                     ("texinfo" ,texinfo)))))
 
 (define-public gcc-5
   ;; Note: GCC >= 5 ships with .info files but 'make install' fails to install
   ;; them in a VPATH build.
   (package (inherit gcc-4.9)
-    (version "5.4.0")
+    (version "5.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gcc/gcc-"
-                                  version "/gcc-" version ".tar.bz2"))
+                                  version "/gcc-" version ".tar.xz"))
               (sha256
                (base32
-                "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
+                "11zd1hgzkli3b2v70qsm2hyqppngd4616qc96lmm9zl2kl9yl32k"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
                                        "gcc-strmov-store-file-names.patch"
-                                       "gcc-asan-powerpc-missing-include.patch"
                                        "gcc-5.0-libvtv-runpath.patch"
                                        "gcc-5-source-date-epoch-1.patch"
-                                       "gcc-5-source-date-epoch-2.patch"))))))
-    ;; TODO: gcc-5 doesn't need cloog.
-    ;;(inputs
-    ;; `(("isl" ,isl)
-    ;;   ,@(package-inputs gcc-4.7)))))
+                                       "gcc-5-source-date-epoch-2.patch"
+                                       "gcc-fix-texi2pod.patch"))))
+    (inputs
+     `(("isl" ,isl)
+       ,@(package-inputs gcc-4.7)))))
 
 (define-public gcc-6
   (package
@@ -407,10 +412,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "1m0lr7938lw5d773dkvwld90hjlcq2282517d1gwvrfzmwgg42w5"))
               (patches (search-patches "gcc-strmov-store-file-names.patch"
-                                       "gcc-5.0-libvtv-runpath.patch"))))
-    (inputs
-     `(("isl" ,isl)
-       ,@(package-inputs gcc-4.7)))))
+                                       "gcc-5.0-libvtv-runpath.patch"))))))
 
 (define-public gcc-7
   (package
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 28477b2c42..72a737b013 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -100,23 +100,23 @@ paper size.")
    (arguments
     `(#:tests? #f ; none provided
       #:phases
-      (alist-replace
-       'configure
-       (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
-        (let ((perl (assoc-ref inputs "perl"))
-              (out (assoc-ref outputs "out")))
-         (copy-file "Makefile.unix" "Makefile")
-         (substitute* "Makefile"
-           (("/usr/local/bin/perl") (string-append perl "/bin/perl")))
-         (substitute* "Makefile"
-           (("/usr/local") out))
-         ;; for the install phase
-         (substitute* "Makefile"
-           (("-mkdir") "mkdir -p"))
-         ;; drop installation of non-free files
-         (substitute* "Makefile"
-           ((" install.include") ""))))
-      %standard-phases)))
+      (modify-phases %standard-phases
+        (replace 'configure
+          (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
+           (let ((perl (assoc-ref inputs "perl"))
+                 (out (assoc-ref outputs "out")))
+            (copy-file "Makefile.unix" "Makefile")
+            (substitute* "Makefile"
+              (("/usr/local/bin/perl") (string-append perl "/bin/perl")))
+            (substitute* "Makefile"
+              (("/usr/local") out))
+            ;; for the install phase
+            (substitute* "Makefile"
+              (("-mkdir") "mkdir -p"))
+            ;; drop installation of non-free files
+            (substitute* "Makefile"
+              ((" install.include") "")))
+           #t)))))
    (synopsis "Collection of utilities for manipulating PostScript documents")
    (description
     "PSUtils is a collection of utilities for manipulating PostScript
@@ -131,8 +131,7 @@ printing, and psresize, for adjusting page sizes.")
 (define-public ghostscript
   (package
     (name "ghostscript")
-    (replacement ghostscript-9.22)
-    (version "9.21")
+    (version "9.22")
     (source
       (origin
         (method url-fetch)
@@ -142,9 +141,8 @@ printing, and psresize, for adjusting page sizes.")
                             "/ghostscript-" version ".tar.xz"))
         (sha256
          (base32
-          "0lyhjcrkmd5fcmh8h56bs4xr9k4jasmikv5vsix1hd4ai0ad1q9b"))
+          "1fyi4yvdj39bjgs10klr31cda1fbx1ar7a7b7yz7v68gykk65y61"))
         (patches (search-patches "ghostscript-runpath.patch"
-                                 "ghostscript-CVE-2017-8291.patch"
                                  "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
@@ -255,25 +253,6 @@ output file formats and printers.")
     (home-page "https://www.ghostscript.com/")
     (license license:agpl3+)))
 
-(define ghostscript-9.22
-  (package
-    (inherit ghostscript)
-    (version "9.22")
-    (source
-      (origin
-        (inherit (package-source ghostscript))
-        (uri (string-append "https://github.com/ArtifexSoftware/"
-                            "ghostpdl-downloads/releases/download/gs"
-                            (string-delete #\. version)
-                            "/ghostscript-" version ".tar.xz"))
-        (sha256
-         (base32
-          "1fyi4yvdj39bjgs10klr31cda1fbx1ar7a7b7yz7v68gykk65y61"))
-        (patches (search-patches "ghostscript-runpath.patch"
-                                 "ghostscript-no-header-creationdate.patch"
-                                 "ghostscript-no-header-id.patch"
-                                 "ghostscript-no-header-uuid.patch"))))))
-
 (define-public ghostscript/x
   (package/inherit ghostscript
     (name (string-append (package-name ghostscript) "-with-x"))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 8e799718f7..cef6d7bea0 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -72,7 +72,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.10.22")
+    (version "1.10.24")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -80,7 +80,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "15vv9gz5i4f5l7h0d045qz5iyvl89hjk2k83lb4vbizd7qg41cg2"))
+                "06ydmrg76l1kwl3190d72zpiy3qxy248x6gskxbj9qiqfsr4w63i"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -142,7 +142,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.52.3")
+   (version "2.54.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -150,8 +150,9 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0a71wkkhkvad84gm30w13micxxgqqw3sxhybj7nd9z60lwspdvi5"))
-            (patches (search-patches "glib-tests-timer.patch"))))
+              "18s7rw127wrvb107bkmxd1lmh62b2v19ww5rz7xi0krj34a1ph2h"))
+            (patches (search-patches "glib-respect-datadir.patch"
+                                     "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
               "bin"           ; glib-mkenums, gtester, etc.; depends on Python
@@ -252,12 +253,7 @@ shared NFS home directories.")
 
                      ("gio/tests/gdbus-unix-addresses.c"
                       (;; Requires /etc/machine-id.
-                       "/gdbus/x11-autolaunch"))
-
-                     ("glib/tests/gdatetime.c"
-                      (;; Assumes that the Brasilian time zone is named 'BRT',
-                       ;; which is no longer true as of tzdata-2017a.
-                       "/GDateTime/new_full")))))
+                       "/gdbus/x11-autolaunch")))))
               (and-map (lambda (x) (apply disable x)) failing-tests)))))
 
       ;; Note: `--docdir' and `--htmldir' are not honored, so work around it.
@@ -289,19 +285,19 @@ shared NFS home directories.")
 and interfaces for such runtime functionality as an event loop, threads,
 dynamic loading, and an object system.")
    (home-page "https://developer.gnome.org/glib/")
-   (license license:lgpl2.0+)))                        ; some files are under lgpl2.1+
+   (license license:lgpl2.1+)))
 
 (define gobject-introspection
   (package
     (name "gobject-introspection")
-    (version "1.52.1")
+    (version "1.54.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/"
                    "gobject-introspection/" (version-major+minor version)
                    "/gobject-introspection-" version ".tar.xz"))
              (sha256
-              (base32 "1x5gkyrglv3dn9b4fsgw6asqgjw1wj7qc37g9pyac6pyaa6w7l1f"))
+              (base32 "0zl7pfkzkm07733391b4f3cwjbnvb1nwvpmajf5bajh6bxgfv3dq"))
              (modules '((guix build utils)))
              (snippet
               '(substitute* "tools/g-ir-tool-template.in"
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index bce2b8ae93..2ebbd29565 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1166,7 +1166,7 @@ dealing with different structured file formats.")
 (define-public librsvg
   (package
     (name "librsvg")
-    (version "2.40.18")
+    (version "2.40.19")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1174,7 +1174,7 @@ dealing with different structured file formats.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0k2nbd4g31qinkdfd8r5c5ih2ixl85fbkgkqqh9747lwr24c9j5z"))))
+                "1xy12qi29xqf3i61awf9qmm5ysw6v5qgxqwvi5fny0q9hs5lsav1"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 48e15e2cec..52a8a75739 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -89,16 +89,15 @@ Daemon and possibly more in the future.")
 
 (define-public libgcrypt
   (package
-    (replacement libgcrypt/fixed)
     (name "libgcrypt")
-    (version "1.7.8")
+    (version "1.8.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "16f1rsv4y4w2pk1il2jbcqggsb6mrlfva5vayd205fp68zm7d0ll"))))
+               "1cvqd9jk5qshbh48yh3ixw4zyr4n5k50r3475rrh20xfn7w7aa3s"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
@@ -124,18 +123,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define libgcrypt/fixed
-  (package
-    (inherit libgcrypt)
-    (version "1.8.1")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                                 version ".tar.bz2"))
-             (sha256
-              (base32
-               "1cvqd9jk5qshbh48yh3ixw4zyr4n5k50r3475rrh20xfn7w7aa3s"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
diff --git a/gnu/packages/groff.scm b/gnu/packages/groff.scm
index 67dd1dbfa6..6e1a60e9ba 100644
--- a/gnu/packages/groff.scm
+++ b/gnu/packages/groff.scm
@@ -56,7 +56,14 @@
                     ("perl" ,perl)
                     ("psutils" ,psutils)
                     ("texinfo" ,texinfo)))
-   (arguments '(#:parallel-build? #f))  ; parallel build fails
+   (arguments
+    `(#:parallel-build? #f   ; parallel build fails
+      #:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'setenv
+          (lambda _
+            (setenv "GS_GENERATE_UUIDS" "0")
+            #t)))))
    (synopsis "Typesetting from plain text mixed with formatting commands")
    (description
     "Groff is a typesetting package that reads plain text and produces
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 235d2c3718..bb77279b32 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -9,7 +9,7 @@
 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Coypright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Fabian Harfert <fhmgufs@web.de>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Patrick Hetu <patrick.hetu@auf.org>
@@ -428,7 +428,7 @@ highlighting and other features typical of a source code editor.")
 (define-public gdk-pixbuf
   (package
    (name "gdk-pixbuf")
-   (version "2.36.10")
+   (version "2.36.11")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -436,7 +436,7 @@ highlighting and other features typical of a source code editor.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1klsjkdbashd8yb8xjsc9ff3bz32n2id5s79nrrmqiw9df4zmxpq"))))
+              "1wz2vpciwdpdv612s8kbww08q80hgcs5dxrfsxp1a4q44n3snqmf"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags '("--with-x11")
@@ -654,7 +654,7 @@ application suites.")
    (name "gtk+")
    ;; NOTE: When updating the version of 'gtk+', the hash of 'mate-themes' in
    ;;       mate.scm will also need to be updated.
-   (version "3.22.21")
+   (version "3.22.24")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -662,7 +662,7 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "11vb1shgr4rlayfk0b858gz986jsn2mpjlxvr89b2kgvbjlc3lqv"))
+              "0asr6gccw1vv02i29ivwr74fpxlmdxhr0wigybsvi2ljzi66xcfb"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
                                      "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
    (outputs '("out" "bin" "doc"))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index df8ac67e41..591c163ac3 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -71,7 +71,7 @@
 (define-public libpng
   (package
    (name "libpng")
-   (version "1.6.29")
+   (version "1.6.34")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
@@ -84,7 +84,7 @@
                         "/libpng16/libpng-" version ".tar.xz")))
             (sha256
              (base32
-              "0fgjqp7x6jynacmqh6dj72cn6nnf6yxjfqqqfsxrx0pyx22bcia2"))))
+              "1xjr0v34fyjgnhvaa1zixcpx5yvxcg4zwvfh0fyklfyfj86rc7ig"))))
    (build-system gnu-build-system)
 
    ;; libpng.la says "-lz", so propagate it.
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a9..b9f774a32a 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -46,8 +46,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (replacement mit-krb5-1.15.2)
-    (version "1.15.1")
+    (version "1.15.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
@@ -55,7 +54,7 @@
                                   "/krb5-" version ".tar.gz"))
               (sha256
                (base32
-                "0igbi5d095c2hgpn2cixpc4q2ij8vgg2bx7yjfly5zfmvlqqhz23"))))
+                "0zn8s7anb10hw3nzwjz7vg10fgmmgvwnibn2zrn3nppjxn9f6f8n"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -94,19 +93,6 @@ cryptography.")
     (home-page "http://web.mit.edu/kerberos/")
     (properties '((cpe-name . "kerberos")))))
 
-(define mit-krb5-1.15.2 ; CVE-2017-{11368,11462}
-  (package
-    (inherit mit-krb5)
-    (version "1.15.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
-                                  (version-major+minor version)
-                                  "/krb5-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0zn8s7anb10hw3nzwjz7vg10fgmmgvwnibn2zrn3nppjxn9f6f8n"))))))
-
 (define-public shishi
   (package
     (name "shishi")
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index dfb1be6c4f..ff0c05bad0 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -55,15 +55,14 @@ Java libraries.")
 (define-public libidn2
   (package
     (name "libidn2")
-    (version "2.0.2")
-    (replacement libidn2-2.0.4)
+    (version "2.0.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/libidn/" name "-" version
                                   ".tar.lz"))
               (sha256
                (base32
-                "0pqaj8d01aj4i110669fincqs10kgynyqcrmq2q7pss8v9dcd1jq"))))
+                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))
     (native-inputs
      `(("lzip" ,lzip)))
     (inputs
@@ -75,19 +74,7 @@ the IDNA2008 specifications.   Libidn2 is believed to be a complete IDNA2008
 implementation, but has yet to be as extensively used as the original Libidn
 library.")
     (home-page "https://www.gnu.org/software/libidn/#libidn2")
+    (properties '((ftp-directory . "/gnu/libidn")))
     ;; The command-line tool 'idn2' is GPL3+, while the library is dual-licensed
     ;; GPL2+ or LGPL3+.
     (license (list gpl2+ gpl3+ lgpl3+))))
-
-(define-public libidn2-2.0.4
-  (package
-    (inherit libidn2)
-    (name "libidn2")
-    (version "2.0.4")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/libidn/" name "-" version
-                                  ".tar.lz"))
-              (sha256
-               (base32
-                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 8a817df343..9c7bc67fcb 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -156,13 +156,13 @@ defconfig.  Return the appropiate make target if applicable, otherwise return
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.4.47")
+    (version "4.9.59")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "00zdq7swhvzbbnnhzizq6m34q5k4fycpcp215bmkbxh1ic76v7bs"))))
+               "0z8hq8a6ic38xh33idzl0k0yi4isgd7ncl2g1d6mzf9ixw5krhvc"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -502,7 +502,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.30.1")
+    (version "2.31")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -510,7 +510,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0hdq2fz405a89fyha4bgwg0rx8b65inxq17w8fg8qhmcj4x3dr0v"))
+                "12nw108xjhm63sh2n5a0qs33vpvbvb6rln96l9j50p7wykf7rgpr"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -2046,30 +2046,50 @@ from the module-init-tools project.")
   ;; The post-systemd fork, maintained by Gentoo.
   (package
     (name "eudev")
-    (version "3.2.2")
+    (version "3.2.4")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                    "http://dev.gentoo.org/~blueness/eudev/eudev-"
-                    version ".tar.gz"))
+              (uri (string-append "https://github.com/gentoo/eudev/archive/v"
+                                  version ".zip"))
+              (file-name (string-append name "-" version ".zip"))
               (sha256
                (base32
-                "0qqgbgpm5wdllk0s04pf80nwc8pr93xazwri1bylm1f15zn5ck1y"))
+                "1r1ag0snarygrj5qqxi2xdq9w6g3sfjd5jx1b0fl7zmqlsz3vvxx"))
               (patches (search-patches "eudev-rules-directory.patch"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
-                  (add-after 'install 'build-hwdb
-                    (lambda* (#:key outputs #:allow-other-keys)
-                      ;; Build OUT/etc/udev/hwdb.bin.  This allows 'lsusb' and
-                      ;; similar tools to display product names.
-                      (let ((out (assoc-ref outputs "out")))
-                        (zero? (system* (string-append out "/bin/udevadm")
-                                        "hwdb" "--update"))))))))
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'bootstrap
+           (lambda* (#:key inputs #:allow-other-keys)
+            (substitute* "man/make.sh"
+              (("/usr/bin/xsltproc")
+                (string-append (assoc-ref inputs "xsltproc")
+                               "/bin/xsltproc")))
+            ;; Manual pages are regenerated here.
+            (zero? (system* "./autogen.sh"))))
+         (add-after 'install 'build-hwdb
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Build OUT/etc/udev/hwdb.bin.  This allows 'lsusb' and
+             ;; similar tools to display product names.
+             (let ((out (assoc-ref outputs "out")))
+               (zero? (system* (string-append out "/bin/udevadm")
+                               "hwdb" "--update"))))))
+       #:configure-flags (list "--enable-manpages")))
     (native-inputs
-     `(("pkg-config" ,pkg-config)
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("gperf" ,gperf)
+       ("libtool" ,libtool)
+       ("pkg-config" ,pkg-config)
+       ;; For tests.
        ("perl" ,perl)
-       ("gperf" ,gperf)))
+       ("python" ,python-wrapper)
+       ;; For documentation.
+       ("docbook-xml" ,docbook-xml-4.2)
+       ("docbook-xsl" ,docbook-xsl)
+       ("libxml2" ,libxml2)             ;for $XML_CATALOG_FILES
+       ("xsltproc", libxslt)))
     (inputs
      ;; When linked against libblkid, eudev can populate /dev/disk/by-label
      ;; and similar; it also installs the '60-persistent-storage.rules' file,
@@ -3044,16 +3064,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
                (string-append "--with-udevdir=" out "/lib/udev")))
        #:phases
        (modify-phases %standard-phases
-         ,@(if (string=? (%current-system) "armhf-linux")
-               ;; This test fails unpredictably.
-               ;; TODO: skip it for all architectures.
-               `((add-before 'check 'skip-wonky-test
-                  (lambda _
-                    (substitute* "unit/test-gatt.c"
-                      (("tester_init\\(&argc, &argv\\);") "return 77;"))
-                    #t)))
-               `())
-
+         ;; Test unit/test-gatt fails unpredictably. Seems to be a timing
+         ;; issue (discussion on upstream mailing list:
+         ;; https://marc.info/?t=149578476300002&r=1&w=2)
+         (add-before 'check 'skip-wonky-test
+            (lambda _
+              (substitute* "unit/test-gatt.c"
+                (("tester_init\\(&argc, &argv\\);") "return 77;"))
+              #t))
          (add-after 'install 'post-install
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out        (assoc-ref outputs "out"))
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index b0c6089c1e..c854a5a599 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -2600,7 +2600,7 @@ parts of it.")
 (define-public openblas
   (package
     (name "openblas")
-    (version "0.2.19")
+    (version "0.2.20")
     (source
      (origin
        (method url-fetch)
@@ -2609,10 +2609,10 @@ parts of it.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "071zqnmnxhh0c9phzyn3f198yxa0hjxda7016azdbq2056sm70w7"))))
+         "1bd03c5xni0bla0wg1wba841b36b0sg13sjja955kn5xzvy4i61a"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f  ;no "check" target
+     `(#:test-target "test"
        ;; DYNAMIC_ARCH is only supported on x86.  When it is disabled and no
        ;; TARGET is specified, OpenBLAS will tune itself to the build host, so
        ;; we need to disable substitutions.
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index b6d2d7f4af..69272eb18a 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -87,13 +87,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.5")
+   (version "3.1.6")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "1g32l2fg8f62lcyzzh88y3fsh6rk539qc6ahhdgvx7wpnf1dwpq1"))))
+                     "0l598h9klpgkz2bp0rxiqb90mkqh9f2f81n5rpy191j00hdaqqks"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index af0ef1043d..cd81888cbb 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -35,6 +35,7 @@
   #:use-module (gnu packages guile)
   #:use-module (gnu packages file)
   #:use-module (gnu packages backup)
+  #:use-module (gnu packages bootstrap)          ;for 'bootstrap-guile-origin'
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages databases)
@@ -232,39 +233,19 @@
                        ("graphviz" ,graphviz)
                        ("help2man" ,help2man)))
       (inputs
-       (let ((boot-guile (lambda (arch hash)
-                           (origin
-                             (method url-fetch)
-                             (uri (boot-guile-uri arch))
-                             (sha256 hash)))))
-         `(("bzip2" ,bzip2)
-           ("gzip" ,gzip)
-           ("zlib" ,zlib)                         ;for 'guix publish'
-
-           ("sqlite" ,sqlite)
-           ("libgcrypt" ,libgcrypt)
-           ("guile" ,guile-2.2)
-
-           ("boot-guile/i686"
-            ,(boot-guile "i686"
-                         (base32
-                          "0im800m30abgh7msh331pcbjvb4n02smz5cfzf1srv0kpx3csmxp")))
-           ("boot-guile/x86_64"
-            ,(boot-guile "x86_64"
-                         (base32
-                          "1w2p5zyrglzzniqgvyn1b55vprfzhgk8vzbzkkbdgl5248si0yq3")))
-           ("boot-guile/mips64el"
-            ,(boot-guile "mips64el"
-                         (base32
-                          "0fzp93lvi0hn54acc0fpvhc7bvl0yc853k62l958cihk03q80ilr")))
-           ("boot-guile/armhf"
-            ,(boot-guile "armhf"
-                         (base32
-                          "1mi3brl7l58aww34rawhvja84xc7l1b4hmwdmc36fp9q9mfx0lg5")))
-           ("boot-guile/aarch64"
-            ,(boot-guile "aarch64"
-                         (base32
-                          "1giy2aprjmn5fp9c4s9r125fljw4wv6ixy5739i5bffw4jgr0f9r"))))))
+       `(("bzip2" ,bzip2)
+         ("gzip" ,gzip)
+         ("zlib" ,zlib)                           ;for 'guix publish'
+
+         ("sqlite" ,sqlite)
+         ("libgcrypt" ,libgcrypt)
+         ("guile" ,guile-2.2)
+
+         ("boot-guile/i686" ,(bootstrap-guile-origin "i686-linux"))
+         ("boot-guile/x86_64" ,(bootstrap-guile-origin "x86_64-linux"))
+         ("boot-guile/mips64el" ,(bootstrap-guile-origin "mips64el-linux"))
+         ("boot-guile/armhf" ,(bootstrap-guile-origin "armhf-linux"))
+         ("boot-guile/aarch64" ,(bootstrap-guile-origin "aarch64-linux"))))
       (propagated-inputs
        `(("gnutls" ,gnutls)
          ("guile-json" ,guile-json)
diff --git a/gnu/packages/patches/automake-regexp-syntax.patch b/gnu/packages/patches/automake-regexp-syntax.patch
deleted file mode 100644
index 2e965c8c50..0000000000
--- a/gnu/packages/patches/automake-regexp-syntax.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From <https://lists.gnu.org/archive/html/automake-patches/2015-07/msg00000.html>.
-See also <http://bugs.gnu.org/22372>.
-
-From 34163794a58b5bd91c5d6bd9adf5437571c7a479 Mon Sep 17 00:00:00 2001
-From: Pavel Raiskup <praiskup@redhat.com>
-Date: Tue, 7 Jul 2015 10:54:24 +0200
-Subject: [PATCH] bin/automake: escape '{' in regexp pattern
-
-Based on perlre(1) documentation:
-.. in Perl v5.26, literal uses of a curly bracket will be required
-to be escaped, say by preceding them with a backslash ("\{" ) or
-enclosing them within square brackets ("[{]") ..
-
-References:
-https://bugzilla.redhat.com/1239379
-
-* bin/automake.in (substitute_ac_subst_variables): Escape the
-occurrence of '{' character.
----
- bin/automake.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bin/automake.in b/bin/automake.in
-index 0c29184..c294ced 100644
---- a/bin/automake.in
-+++ b/bin/automake.in
-@@ -3898,7 +3898,7 @@ sub substitute_ac_subst_variables_worker
- sub substitute_ac_subst_variables
- {
-   my ($text) = @_;
--  $text =~ s/\${([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
-+  $text =~ s/\$\{([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
-   return $text;
- }
diff --git a/gnu/packages/patches/automake-test-gzip-warning.patch b/gnu/packages/patches/automake-test-gzip-warning.patch
deleted file mode 100644
index bcc9c207ae..0000000000
--- a/gnu/packages/patches/automake-test-gzip-warning.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Adjust test to ignore gzip 1.8+ warnings.
-
---- automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh	2016-06-14 00:36:26.554218552 +0200
-+++ automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh	2016-06-14 00:37:52.903157770 +0200
-@@ -49,7 +49,11 @@ grep "cannot find sources.* in foobar" s
- 
- ./configure
- run_make -E -O distcheck
--test ! -s stderr
-+
-+# Gzip 1.8+ emits warnings like "gzip: warning: GZIP environment
-+# variable is deprecated"; filter them out.
-+test `grep -v '^gzip: warning' stderr | wc -l` -eq 0
-+
- # Sanity check: the flags have been actually seen.
- $PERL -e 'undef $/; $_ = <>; s/ \\\n/ /g; print;' <stdout >t
- grep '/configure .* --srcdir am-src'   t || exit 99
diff --git a/gnu/packages/patches/coreutils-cut-huge-range-test.patch b/gnu/packages/patches/coreutils-cut-huge-range-test.patch
deleted file mode 100644
index e3a0ef28eb..0000000000
--- a/gnu/packages/patches/coreutils-cut-huge-range-test.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-This patch fixes 100% reproducible test failures on arm-linux-gnueabihf in our
-the build environment chroot, as reported at <https://bugs.gnu.org/26253>,
-and now on x86_64-linux-gnu as well.  It is a variant of this upstream patch:
-
-  commit f5422009389678680dba9ff4ecb7d33632ee3383
-  Author: Ludovic Courtès <ludo@gnu.org>
-  Date:   Mon Mar 27 20:34:39 2017 -0700
-
-      tests: avoid false ulimit failure on some systems
-
-      * tests/misc/cut-huge-range.sh: On some systems returns_ may
-      use more memory, so incorporate that in the determination
-      of the ulimit value to use.  Noticed on ARMv7 with bash-4.4.12,
-      and x86_64 with bash-4.2.37.
-      Fixes http://bugs.gnu.org/26253
-
-... which appeared to be insufficient.
-
-diff --git a/tests/misc/cut-huge-range.sh b/tests/misc/cut-huge-range.sh
-index 6b3c5b6ed..55b7b640e 100755
---- a/tests/misc/cut-huge-range.sh
-+++ b/tests/misc/cut-huge-range.sh
-@@ -20,9 +20,9 @@
- print_ver_ cut
- getlimits_
- 
--vm=$(get_min_ulimit_v_ cut -b1 /dev/null) \
-+vm=$(get_min_ulimit_v_ sh -c 'cut -b1 /dev/null') \
-   || skip_ "this shell lacks ulimit support"
- vm=$(($vm + 1000)) # avoid spurious failures
- 
- # sed script to subtract one from the input.
- # Each input line should consist of a positive decimal number.
diff --git a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch b/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch
deleted file mode 100644
index 74b10c4a44..0000000000
--- a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Add missing include that triggers a build failure on PowerPC:
-
-  ../../../../gcc-5.4.0/libsanitizer/asan/asan_linux.cc: In function ‘bool __asan::AsanInterceptsSignal(int)’:
-  ../../../../gcc-5.4.0/libsanitizer/asan/asan_linux.cc:222:20: error: ‘SIGSEGV’ was not declared in this scope
-     return signum == SIGSEGV && common_flags()->handle_segv;
-		      ^
-From <https://patchwork.ozlabs.org/patch/725596/>.
-
-diff --git a/libsanitizer/asan/asan_linux.cc b/libsanitizer/asan/asan_linux.cc
-index c504168..59087b9 100644
---- a/libsanitizer/asan/asan_linux.cc
-+++ b/libsanitizer/asan/asan_linux.cc
-@@ -29,6 +29,7 @@
- #include <dlfcn.h>
- #include <fcntl.h>
- #include <pthread.h>
-+#include <signal.h>
- #include <stdio.h>
- #include <unistd.h>
- #include <unwind.h>
diff --git a/gnu/packages/patches/gcc-fix-texi2pod.patch b/gnu/packages/patches/gcc-fix-texi2pod.patch
new file mode 100644
index 0000000000..28bd56a382
--- /dev/null
+++ b/gnu/packages/patches/gcc-fix-texi2pod.patch
@@ -0,0 +1,19 @@
+This patch was taken from the official GCC git repository.
+X-Git-Url: https://gcc.gnu.org/git/?p=gcc.git;a=blobdiff_plain;f=contrib%2Ftexi2pod.pl;h=91bdbb5cea933d0381f2924ab94490fca31d5800;hp=eba1bcaa3cffa78b46030b219d04fe7d68367658;hb=67b56c905078d49d3e4028085e5cb1e1fb87a8aa;hpb=2f508a78310caab123e9794d3dcfe41f2769449b
+
+It fixes a defect in the contrib/texi2pod.pl script that prevented generating
+manual pages. It was corrected in the GCC 6.X series.
+
+diff --git a/contrib/texi2pod.pl b/contrib/texi2pod.pl
+index eba1bca..91bdbb5 100755
+--- a/contrib/texi2pod.pl
++++ b/contrib/texi2pod.pl
+@@ -316,7 +316,7 @@ while(<$inf>) {
+ 	@columns = ();
+ 	for $column (split (/\s*\@tab\s*/, $1)) {
+ 	    # @strong{...} is used a @headitem work-alike
+-	    $column =~ s/^\@strong{(.*)}$/$1/;
++	    $column =~ s/^\@strong\{(.*)\}$/$1/;
+ 	    push @columns, $column;
+ 	}
+ 	$_ = "\n=item ".join (" : ", @columns)."\n";
diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
deleted file mode 100644
index d38bd593c0..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-Fix CVE-2017-8291:
-
-https://bugs.ghostscript.com/show_bug.cgi?id=697799
-https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
-
-Patches copied from upstream source repository:
-
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad
-
-From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:03:33 +0100
-Subject: [PATCH] Bug 697799: have .eqproc check its parameters
-
-The Ghostscript custom operator .eqproc was not check the number or type of
-the parameters it was given.
----
- psi/zmisc3.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 54b304246..37293ff4b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
-     ref2_t stack[MAX_DEPTH + 1];
-     ref2_t *top = stack;
- 
-+    if (ref_stack_count(&o_stack) < 2)
-+        return_error(gs_error_stackunderflow);
-+    if (!r_is_array(op - 1) || !r_is_array(op)) {
-+        return_error(gs_error_typecheck);
-+    }
-+
-     make_array(&stack[0].proc1, 0, 1, op - 1);
-     make_array(&stack[0].proc2, 0, 1, op);
-     for (;;) {
--- 
-2.13.0
-
-From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:21:31 +0100
-Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
-
-The Ghostscript internal operator .rsdparams wasn't checking the number or
-type of the operands it was being passed. Do so.
----
- psi/zfrsd.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 191107d8a..950588d69 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
-     ref *pFilter;
-     ref *pDecodeParms;
-     int Intent = 0;
--    bool AsyncRead;
-+    bool AsyncRead = false;
-     ref empty_array, filter1_array, parms1_array;
-     uint i;
--    int code;
-+    int code = 0;
-+
-+    if (ref_stack_count(&o_stack) < 1)
-+        return_error(gs_error_stackunderflow);
-+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-+        return_error(gs_error_typecheck);
-+    }
- 
-     make_empty_array(&empty_array, a_readonly);
--    if (dict_find_string(op, "Filter", &pFilter) > 0) {
-+    if (r_has_type(op, t_dictionary)
-+        && dict_find_string(op, "Filter", &pFilter) > 0) {
-         if (!r_is_array(pFilter)) {
-             if (!r_has_type(pFilter, t_name))
-                 return_error(gs_error_typecheck);
-@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
-                 return_error(gs_error_typecheck);
-         }
-     }
--    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-+    if (r_has_type(op, t_dictionary))
-+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
-         return code;
--    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
--        )
--        return code;
-+    if (r_has_type(op, t_dictionary))
-+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
-+            return code;
-     push(1);
-     op[-1] = *pFilter;
-     if (pDecodeParms)
--- 
-2.13.0
-
-From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Wed, 3 May 2017 12:05:45 +0100
-Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc)
-
-When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
-parameters that are not both procedures. In this case, it turns out, the
-expectation is for the operator to return 'false', rather than throw an error.
----
- psi/zmisc3.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 37293ff4b..3f01d39a3 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
-     return gs_cliprestore(igs);
- }
- 
-+static inline bool
-+eqproc_check_type(ref *r)
-+{
-+    return r_has_type(r, t_array)
-+           || r_has_type(r, t_mixedarray)
-+           || r_has_type(r, t_shortarray)
-+           || r_has_type(r, t_oparray);
-+}
-+
- /* <proc1> <proc2> .eqproc <bool> */
- /*
-  * Test whether two procedures are equal to depth 10.
-@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
- 
-     if (ref_stack_count(&o_stack) < 2)
-         return_error(gs_error_stackunderflow);
--    if (!r_is_array(op - 1) || !r_is_array(op)) {
--        return_error(gs_error_typecheck);
-+    if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
-+        make_false(op - 1);
-+        pop(1);
-+        return 0;
-     }
- 
-     make_array(&stack[0].proc1, 0, 1, op - 1);
--- 
-2.13.0
-
-From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 11 May 2017 14:07:48 +0100
-Subject: [PATCH] Bug 697892: fix check for op stack underflow.
-
-In the original fix, I used the wrong method to check for stack underflow, this
-is using the correct method.
----
- psi/zfrsd.c  | 3 +--
- psi/zmisc3.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 950588d69..9c035b96d 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
-     uint i;
-     int code = 0;
- 
--    if (ref_stack_count(&o_stack) < 1)
--        return_error(gs_error_stackunderflow);
-+    check_op(1);
-     if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-         return_error(gs_error_typecheck);
-     }
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 3f01d39a3..43803b55b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
-     ref2_t stack[MAX_DEPTH + 1];
-     ref2_t *top = stack;
- 
--    if (ref_stack_count(&o_stack) < 2)
--        return_error(gs_error_stackunderflow);
-+    check_op(2);
-     if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
-         make_false(op - 1);
-         pop(1);
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/glib-respect-datadir.patch b/gnu/packages/patches/glib-respect-datadir.patch
new file mode 100644
index 0000000000..309ce9fc0b
--- /dev/null
+++ b/gnu/packages/patches/glib-respect-datadir.patch
@@ -0,0 +1,21 @@
+On Guix, Python modules are in a different output from the executables,
+so searching "../share/glib-2.0" will not work.
+
+This patch restores behaviour prior to this commit:
+<https://git.gnome.org/browse/glib/commit/?id=fe2a9887a8ccb14f2386e01b14834e97a33bc2d7>
+
+--- a/gio/gdbus-2.0/codegen/gdbus-codegen.in
++++ b/gio/gdbus-2.0/codegen/gdbus-codegen.in
+@@ -25,9 +25,12 @@
+ 
+ srcdir = os.getenv('UNINSTALLED_GLIB_SRCDIR', None)
+ filedir = os.path.dirname(__file__)
++datadir = os.path.join('@datadir@', 'glib-2.0')
+ 
+ if srcdir is not None:
+     path = os.path.join(srcdir, 'gio', 'gdbus-2.0')
++elif os.path.exists(os.path.join(datadir, 'codegen')):
++    path = datadir
+ elif os.path.basename(filedir) == 'bin':
+     # Make the prefix containing gdbus-codegen 'relocatable' at runtime by
+     # adding /some/prefix/bin/../share/glib-2.0 to the python path
diff --git a/gnu/packages/patches/grep-gnulib-lock.patch b/gnu/packages/patches/grep-gnulib-lock.patch
deleted file mode 100644
index 68c33f1031..0000000000
--- a/gnu/packages/patches/grep-gnulib-lock.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-This patch fix error on 'gnulib' library required to build
-'grep' package on GNU/Hurd.
-The patch was adapted from upstream source repository:
-'<http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=4084b3a1094372b960ce4a97634e08f4538c8bdd>'
-
-Commit: 4084b3a1094372b960ce4a97634e08f4538c8bdd
-
-diff --git a/lib/glthread/lock.c b/lib/glthread/lock.c
-index 061562b..afc86f4 100644
---- a/lib/glthread/lock.c
-+++ b/lib/glthread/lock.c
-@@ -30,7 +30,7 @@
- 
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
- 
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
- 
- #  ifdef PTHREAD_RWLOCK_INITIALIZER
- 
-diff --git a/lib/glthread/lock.h b/lib/glthread/lock.h
-index ec16d39..67932aa 100644
---- a/lib/glthread/lock.h
-+++ b/lib/glthread/lock.h
-@@ -179,7 +179,7 @@ typedef pthread_mutex_t gl_lock_t;
- 
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
- 
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
- 
- #  ifdef PTHREAD_RWLOCK_INITIALIZER
diff --git a/gnu/packages/patches/libxml2-CVE-2016-4658.patch b/gnu/packages/patches/libxml2-CVE-2016-4658.patch
deleted file mode 100644
index a4e1f31fae..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-4658.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-Fix CVE-2016-4658:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
-
-From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 18:34:52 +0200
-Subject: [PATCH] Disallow namespace nodes in XPointer ranges
-
-Namespace nodes must be copied to avoid use-after-free errors.
-But they don't necessarily have a physical representation in a
-document, so simply disallow them in XPointer ranges.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-4658.
----
- xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
- 1 file changed, 56 insertions(+), 93 deletions(-)
-
-diff --git a/xpointer.c b/xpointer.c
-index a7b03fbd..694d120e 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
- }
- 
- /**
-+ * xmlXPtrNewRangeInternal:
-+ * @start:  the starting node
-+ * @startindex:  the start index
-+ * @end:  the ending point
-+ * @endindex:  the ending index
-+ *
-+ * Internal function to create a new xmlXPathObjectPtr of type range
-+ *
-+ * Returns the newly created object.
-+ */
-+static xmlXPathObjectPtr
-+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
-+                        xmlNodePtr end, int endindex) {
-+    xmlXPathObjectPtr ret;
-+
-+    /*
-+     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
-+     * Disallow them for now.
-+     */
-+    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+
-+    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-+    if (ret == NULL) {
-+        xmlXPtrErrMemory("allocating range");
-+	return(NULL);
-+    }
-+    memset(ret, 0, sizeof(xmlXPathObject));
-+    ret->type = XPATH_RANGE;
-+    ret->user = start;
-+    ret->index = startindex;
-+    ret->user2 = end;
-+    ret->index2 = endindex;
-+    return(ret);
-+}
-+
-+/**
-  * xmlXPtrNewRange:
-  * @start:  the starting node
-  * @startindex:  the start index
-@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
-     if (endindex < 0)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = startindex;
--    ret->user2 = end;
--    ret->index2 = endindex;
-+    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
-+                                  end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
-     if (start->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
-     if (end == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-     if (start == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = NULL;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
-     return(ret);
- }
- 
-@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-  */
- xmlXPathObjectPtr
- xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
-+    xmlNodePtr endNode;
-+    int endIndex;
-     xmlXPathObjectPtr ret;
- 
-     if (start == NULL)
-@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	return(NULL);
-     switch (end->type) {
- 	case XPATH_POINT:
-+	    endNode = end->user;
-+	    endIndex = end->index;
-+	    break;
- 	case XPATH_RANGE:
-+	    endNode = end->user2;
-+	    endIndex = end->index2;
- 	    break;
- 	case XPATH_NODESET:
- 	    /*
-@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	     */
- 	    if (end->nodesetval->nodeNr <= 0)
- 		return(NULL);
-+	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-+	    endIndex = -1;
- 	    break;
- 	default:
- 	    /* TODO */
- 	    return(NULL);
-     }
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    switch (end->type) {
--	case XPATH_POINT:
--	    ret->user2 = end->user;
--	    ret->index2 = end->index;
--	    break;
--	case XPATH_RANGE:
--	    ret->user2 = end->user2;
--	    ret->index2 = end->index2;
--	    break;
--	case XPATH_NODESET: {
--	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
--	    ret->index2 = -1;
--	    break;
--	}
--	default:
--	    STRANGE
--	    return(NULL);
--    }
-+    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2016-5131.patch b/gnu/packages/patches/libxml2-CVE-2016-5131.patch
deleted file mode 100644
index 38938c8e3e..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-5131.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-Fix CVE-2016-5131:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
-
-Patches copied from upstream source repository (the test suite fails
-without the 2nd patch):
-
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
-
-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:22:23 +0200
-Subject: [PATCH] Fix XPointer paths beginning with range-to
-
-The old code would invoke the broken xmlXPtrRangeToFunction. range-to
-isn't really a function but a special kind of location step. Remove
-this function and always handle range-to in the XPath code.
-
-The old xmlXPtrRangeToFunction could also be abused to trigger a
-use-after-free error with the potential for remote code execution.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-5131.
----
- result/XPath/xptr/vidbase | 13 ++++++++
- test/XPath/xptr/vidbase   |  1 +
- xpath.c                   |  7 ++++-
- xpointer.c                | 76 ++++-------------------------------------------
- 4 files changed, 26 insertions(+), 71 deletions(-)
-
-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
-index 8b9e92d6..f19193e7 100644
---- a/result/XPath/xptr/vidbase
-+++ b/result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
-   To node
-     ELEMENT p
- 
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 :   Object is a range :
-+  From node
-+     /
-+  To node
-+    ELEMENT chapter
-+      ATTRIBUTE id
-+        TEXT
-+          content=chapter2
-+
-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
-index b1463830..884b1065 100644
---- a/test/XPath/xptr/vidbase
-+++ b/test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index d992841e..5a01b1b3 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
- 		    lc = 1;
- 		    break;
- 		} else if ((NXT(len) == '(')) {
--		    /* Note Type or Function */
-+		    /* Node Type or Function */
- 		    if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
- 				"PathExpr: Type search\n");
- #endif
- 			lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+                    } else if (ctxt->xptr &&
-+                               xmlStrEqual(name, BAD_CAST "range-to")) {
-+                        lc = 1;
-+#endif
- 		    } else {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
-diff --git a/xpointer.c b/xpointer.c
-index 676c5105..d74174a3 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
-     ret->here = here;
-     ret->origin = origin;
- 
--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
--	                 xmlXPtrRangeToFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- 	                 xmlXPtrRangeFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-  * @nargs:  the number of args
-  *
-  * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
-  */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
--    xmlXPathObjectPtr range;
--    const xmlChar *cur;
--    xmlXPathObjectPtr res, obj;
--    xmlXPathObjectPtr tmp;
--    xmlLocationSetPtr newset = NULL;
--    xmlNodeSetPtr oldset;
--    int i;
--
--    if (ctxt == NULL) return;
--    CHECK_ARITY(1);
--    /*
--     * Save the expression pointer since we will have to evaluate
--     * it multiple times. Initialize the new set.
--     */
--    CHECK_TYPE(XPATH_NODESET);
--    obj = valuePop(ctxt);
--    oldset = obj->nodesetval;
--    ctxt->context->node = NULL;
--
--    cur = ctxt->cur;
--    newset = xmlXPtrLocationSetCreate(NULL);
--
--    for (i = 0; i < oldset->nodeNr; i++) {
--	ctxt->cur = cur;
--
--	/*
--	 * Run the evaluation with a node list made of a single item
--	 * in the nodeset.
--	 */
--	ctxt->context->node = oldset->nodeTab[i];
--	tmp = xmlXPathNewNodeSet(ctxt->context->node);
--	valuePush(ctxt, tmp);
--
--	xmlXPathEvalExpr(ctxt);
--	CHECK_ERROR;
--
--	/*
--	 * The result of the evaluation need to be tested to
--	 * decided whether the filter succeeded or not
--	 */
--	res = valuePop(ctxt);
--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
--	if (range != NULL) {
--	    xmlXPtrLocationSetAdd(newset, range);
--	}
--
--	/*
--	 * Cleanup
--	 */
--	if (res != NULL)
--	    xmlXPathFreeObject(res);
--	if (ctxt->value == tmp) {
--	    res = valuePop(ctxt);
--	    xmlXPathFreeObject(res);
--	}
--
--	ctxt->context->node = NULL;
--    }
--
--    /*
--     * The result is used as the new evaluation set.
--     */
--    xmlXPathFreeObject(obj);
--    ctxt->context->node = NULL;
--    ctxt->context->contextSize = -1;
--    ctxt->context->proximityPosition = -1;
--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+                       int nargs ATTRIBUTE_UNUSED) {
-+    XP_ERROR(XPATH_EXPR_ERROR);
- }
- 
- /**
--- 
-2.11.0
-
-From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 751665b8..d992841e 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
-      * compute depth to root
-      */
-     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node1)
-+	if (cur->parent == node1)
- 	    return(1);
- 	depth2++;
-     }
-     root = cur;
-     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node2)
-+	if (cur->parent == node2)
- 	    return(-1);
- 	depth1++;
-     }
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
deleted file mode 100644
index b0277a2d23..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-0663.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-0663:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
-https://security-tracker.debian.org/tracker/CVE-2017-0663
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
-
-From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- 	}
-     }
- 
-+    /*
-+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+     * no practical sense to use ID types anyway.
-+     */
-+#if 0
-     /* Validity Constraint: ID uniqueness */
-     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- 	    ret = 0;
-     }
-+#endif
- 
-     /* Validity Constraint: Notation Attributes */
-     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
deleted file mode 100644
index 32af1ff6ba..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7375.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-7375:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
-https://security-tracker.debian.org/tracker/CVE-2017-7375
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
-
-From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 609a2703..c2c812de 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- 	    if (xmlPushInput(ctxt, input) < 0)
- 		return;
- 	} else {
-+	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+		(ctxt->replaceEntities == 0) &&
-+		(ctxt->validate == 0))
-+		return;
-+
- 	    /*
- 	     * TODO !!!
- 	     * handle the extra spaces added before and after
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
deleted file mode 100644
index 5b9e45bd83..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7376.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-7376:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
-https://security-tracker.debian.org/tracker/CVE-2017-7376
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
-
-From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index e109ad75..373425de 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
-     if (ctxt->port != 80) {
- 	/* reserve space for ':xxxxx', incl. potential proxy */
- 	if (proxy)
--	    blen += 12;
-+	    blen += 17;
- 	else
--	    blen += 6;
-+	    blen += 11;
-     }
-     bp = (char*)xmlMallocAtomic(blen);
-     if ( bp == NULL ) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
deleted file mode 100644
index 0a0e6d34cf..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2017-{9047,9048}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9047
-https://security-tracker.debian.org/tracker/CVE-2017-9048
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
-
-From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 3 Jun 2017 02:01:29 +0200
-Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-
-Thanks to Marcel Böhme and Thuan Pham for the report.
----
- result/valid/781333.xml         |  5 +++++
- result/valid/781333.xml.err     |  3 +++
- result/valid/781333.xml.err.rdr |  6 ++++++
- test/valid/781333.xml           |  4 ++++
- valid.c                         | 20 +++++++++++---------
- 5 files changed, 29 insertions(+), 9 deletions(-)
- create mode 100644 result/valid/781333.xml
- create mode 100644 result/valid/781333.xml.err
- create mode 100644 result/valid/781333.xml.err.rdr
- create mode 100644 test/valid/781333.xml
-
-diff --git a/result/valid/781333.xml b/result/valid/781333.xml
-new file mode 100644
-index 00000000..45dc451d
---- /dev/null
-+++ b/result/valid/781333.xml
-@@ -0,0 +1,5 @@
-+<?xml version="1.0"?>
-+<!DOCTYPE a [
-+<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
-new file mode 100644
-index 00000000..b401b49a
---- /dev/null
-+++ b/result/valid/781333.xml.err
-@@ -0,0 +1,3 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
-+<a/>
-+    ^
-diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
-new file mode 100644
-index 00000000..5ff56992
---- /dev/null
-+++ b/result/valid/781333.xml.err.rdr
-@@ -0,0 +1,6 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
-+<a/>
-+    ^
-+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
-+
-+^
-diff --git a/test/valid/781333.xml b/test/valid/781333.xml
-new file mode 100644
-index 00000000..b29e5a68
---- /dev/null
-+++ b/test/valid/781333.xml
-@@ -0,0 +1,4 @@
-+<!DOCTYPE a [
-+    <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/valid.c b/valid.c
-index 19f84b82..9b2df56a 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
-         case XML_ELEMENT_CONTENT_PCDATA:
-             strcat(buf, "#PCDATA");
- 	    break;
--	case XML_ELEMENT_CONTENT_ELEMENT:
-+	case XML_ELEMENT_CONTENT_ELEMENT: {
-+            int qnameLen = xmlStrlen(content->name);
-+
-+	    if (content->prefix != NULL)
-+                qnameLen += xmlStrlen(content->prefix) + 1;
-+	    if (size - len < qnameLen + 10) {
-+		strcat(buf, " ...");
-+		return;
-+	    }
- 	    if (content->prefix != NULL) {
--		if (size - len < xmlStrlen(content->prefix) + 10) {
--		    strcat(buf, " ...");
--		    return;
--		}
- 		strcat(buf, (char *) content->prefix);
- 		strcat(buf, ":");
- 	    }
--	    if (size - len < xmlStrlen(content->name) + 10) {
--		strcat(buf, " ...");
--		return;
--	    }
- 	    if (content->name != NULL)
- 		strcat(buf, (char *) content->name);
- 	    break;
-+        }
- 	case XML_ELEMENT_CONTENT_SEQ:
- 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- 		xmlSnprintfElementContent(buf, size, content->c2, 0);
- 	    break;
-     }
-+    if (size - strlen(buf) <= 2) return;
-     if (englob)
-         strcat(buf, ")");
-     switch (content->ocur) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
deleted file mode 100644
index 890e9c2284..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
+++ /dev/null
@@ -1,319 +0,0 @@
-Fix CVE-2017-{9049,9050}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9049
-https://security-tracker.debian.org/tracker/CVE-2017-9050
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
-
-Changes to 'runtest.c' are removed since they introduce test failure
-when applying to libxml2 2.9.4 release tarball.
-
-From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am                     | 18 ++++++++++++++++++
- parser.c                        | 18 ++++++++++--------
- result/errors10/781205.xml      |  0
- result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
- result/errors10/781361.xml      |  0
- result/errors10/781361.xml.err  | 13 +++++++++++++
- result/valid/766956.xml         |  0
- result/valid/766956.xml.err     |  9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c                       |  3 +++
- test/errors10/781205.xml        |  3 +++
- test/errors10/781361.xml        |  3 +++
- test/valid/766956.xml           |  2 ++
- test/valid/dtds/766956.dtd      |  2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/Makefile.am b/Makefile.am
-index 6fc8ffa9..10e716a5 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
- 	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
- 	      rm result.$$name error.$$name ; \
- 	  fi ; fi ; done)
-+	@echo "## Error cases regression tests (old 1.0)"
-+	-@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+	  name=`basename $$i`; \
-+	  if [ ! -d $$i ] ; then \
-+	  if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+	      echo New test file $$name ; \
-+	      $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+	         2> $(srcdir)/result/errors10/$$name.err \
-+		 > $(srcdir)/result/errors10/$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	  else \
-+	      log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	      diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+	      diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+	      rm result.$$name error.$$name ; \
-+	  fi ; fi ; done)
- 	@echo "## Error cases stream regression tests"
- 	-@(for i in $(srcdir)/test/errors/*.xml ; do \
- 	  name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index df2efa55..a175ac4e 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- 	ctxt->input->line++; ctxt->input->col = 1;			\
-     } else ctxt->input->col++;						\
-     ctxt->input->cur += l;				\
--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
-   } while (0)
- 
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- 	    len += l;
- 	    NEXTL(l);
- 	    c = CUR_CHAR(l);
--	    if (c == 0) {
--		count = 0;
--		GROW;
--                if (ctxt->instate == XML_PARSER_EOF)
--                    return(NULL);
--		c = CUR_CHAR(l);
--	    }
- 	}
-     }
-     if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
-         return(NULL);
-     }
-+    if (ctxt->input->cur - ctxt->input->base < len) {
-+        /*
-+         * There were a couple of bugs where PERefs lead to to a change
-+         * of the buffer. Check the buffer size to avoid passing an invalid
-+         * pointer to xmlDictLookup.
-+         */
-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+                    "unexpected change of input buffer");
-+        return (NULL);
-+    }
-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a; 
-+    ^
-+<:0000
-+      ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+  <!ENTITY % a "<:0000">
-+  %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+  <!ENTITY % elem "<!ELEMENT e0000000000">
-+  %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
deleted file mode 100644
index a7537c66ca..0000000000
--- a/gnu/packages/patches/libxslt-CVE-2016-4738.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-4738:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
-https://bugs.chromium.org/p/chromium/issues/detail?id=619006
-
-Patch copied from upstream source repository:
-https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
-
-From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jun 2016 14:23:58 +0200
-Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
-
-An empty decimal-separator could cause a heap overread. This can be
-exploited to leak a couple of bytes after the buffer that holds the
-pattern string.
-
-Found with afl-fuzz and ASan.
----
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index d1549b4..e78c46b 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
-     }
- 
-     /* We have finished the integer part, now work on fraction */
--    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
-+    if ( (*the_format != 0) &&
-+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
-         format_info.add_decimal = TRUE;
- 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
-     }
--- 
-2.10.2
-
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
deleted file mode 100644
index d23aa10374..0000000000
--- a/gnu/packages/patches/pcre-CVE-2017-7186.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
-from <https://vcs.pcre.org/pcre?view=revision&revision=1688>.
-
---- trunk/pcre_internal.h	2016/05/21 13:34:44	1649
-+++ trunk/pcre_internal.h	2017/02/24 17:30:30	1688
-@@ -2772,6 +2772,9 @@
- extern const pcre_uint16 PRIV(ucd_stage2)[];
- extern const pcre_uint32 PRIV(ucp_gentype)[];
- extern const pcre_uint32 PRIV(ucp_gbtable)[];
-+#ifdef COMPILE_PCRE32
-+extern const ucd_record  PRIV(dummy_ucd_record)[];
-+#endif
- #ifdef SUPPORT_JIT
- extern const int         PRIV(ucp_typerange)[];
- #endif
-@@ -2780,9 +2783,15 @@
- /* UCD access macros */
- 
- #define UCD_BLOCK_SIZE 128
--#define GET_UCD(ch) (PRIV(ucd_records) + \
-+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
-         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
-         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
-+        
-+#ifdef COMPILE_PCRE32
-+#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
-+#else
-+#define GET_UCD(ch) REAL_GET_UCD(ch)
-+#endif 
- 
- #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
- #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
-
---- trunk/pcre_ucd.c	2014/06/19 07:51:39	1490
-+++ trunk/pcre_ucd.c	2017/02/24 17:30:30	1688
-@@ -38,6 +38,20 @@
- const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
- #else
- 
-+/* If the 32-bit library is run in non-32-bit mode, character values
-+greater than 0x10ffff may be encountered. For these we set up a
-+special record. */
-+
-+#ifdef COMPILE_PCRE32
-+const ucd_record PRIV(dummy_ucd_record)[] = {{
-+  ucp_Common,    /* script */
-+  ucp_Cn,        /* type unassigned */
-+  ucp_gbOther,   /* grapheme break property */
-+  0,             /* case set */
-+  0,             /* other case */
-+  }};
-+#endif
-+
- /* When recompiling tables with a new Unicode version, please check the
- types in this structure definition from pcre_internal.h (the actual
- field names will be different):
diff --git a/gnu/packages/patches/python-2.7-adjust-tests.patch b/gnu/packages/patches/python-2.7-adjust-tests.patch
new file mode 100644
index 0000000000..12fe6e2e1e
--- /dev/null
+++ b/gnu/packages/patches/python-2.7-adjust-tests.patch
@@ -0,0 +1,22 @@
+SIGINT is ignored in the Guix build environment.
+
+--- a/Lib/test/test_regrtest.py
++++ b/Lib/test/test_regrtest.py
+@@ -399,6 +399,8 @@
+         output = self.run_tests('--fromfile', filename)
+         self.check_executed_tests(output, tests)
+ 
++    @unittest.skipIf(True,
++        "KeyboardInterrupts do not work in the build environment")
+     def test_interrupted(self):
+         code = TEST_INTERRUPTED
+         test = self.create_test('sigint', code=code)
+@@ -416,6 +418,8 @@
+                  % (self.TESTNAME_REGEX, len(tests)))
+         self.check_line(output, regex)
+ 
++    @unittest.skipIf(True,
++        "KeyboardInterrupts do not work in the build environment")
+     def test_slow_interrupted(self):
+         # Issue #25373: test --slowest with an interrupted test
+         code = TEST_INTERRUPTED
diff --git a/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
deleted file mode 100644
index 5a09b4ac52..0000000000
--- a/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-This patch resolves a compatibility issue when compiled against glibc
-2.25
-and run runder kernels < 3.17:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1410175
-
-Upstream bug URLs:
-
-https://bugs.python.org/issue29157
-https://bugs.python.org/issue29188
-
-Patch adapted from upstream source repository:
-
-https://github.com/python/cpython/commit/01bdbad3e951014c58581635b94b22868537901c
-
-From 01bdbad3e951014c58581635b94b22868537901c Mon Sep 17 00:00:00 2001
-From: Victor Stinner <victor.stinner@gmail.com>
-Date: Mon, 9 Jan 2017 11:10:41 +0100
-Subject: [PATCH] Don't use getentropy() on Linux
-
-Issue #29188: Support glibc 2.24 on Linux: don't use getentropy() function but
-read from /dev/urandom to get random bytes, for example in os.urandom().  On
-Linux, getentropy() is implemented which getrandom() is blocking mode, whereas
-os.urandom() should not block.
----
- Misc/NEWS       |  5 +++++
- Python/random.c | 11 +++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/Python/random.c b/Python/random.c
-index 57c41ffcd6..000cb36938 100644
---- a/Python/random.c
-+++ b/Python/random.c
-@@ -97,8 +97,15 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
- }
- 
- /* Issue #25003: Don't use getentropy() on Solaris (available since
-- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
--#elif defined(HAVE_GETENTROPY) && !defined(sun)
-+   Solaris 11.3), it is blocking whereas os.urandom() should not block.
-+
-+   Issue #29188: Don't use getentropy() on Linux since the glibc 2.24
-+   implements it with the getrandom() syscall which can fail with ENOSYS,
-+   and this error is not supported in py_getentropy() and getrandom() is called
-+   with flags=0 which blocks until system urandom is initialized, which is not
-+   the desired behaviour to seed the Python hash secret nor for os.urandom():
-+   see the PEP 524 which was only implemented in Python 3.6. */
-+#elif defined(HAVE_GETENTROPY) && !defined(sun) && !defined(linux)
- #define PY_GETENTROPY 1
- 
- /* Fill buffer with size pseudo-random bytes generated by getentropy().
--- 
-2.12.0
-
diff --git a/gnu/packages/patches/python-3-fix-tests.patch b/gnu/packages/patches/python-3-fix-tests.patch
new file mode 100644
index 0000000000..ab713c54dd
--- /dev/null
+++ b/gnu/packages/patches/python-3-fix-tests.patch
@@ -0,0 +1,149 @@
+Additional test fixes which affect Python 3.5 (and presumably later) but not
+prior revisions of Python.
+
+--- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
++++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
+@@ -2132,8 +2132,7 @@
+         self.assertEqual(given, expect)
+         self.assertEqual(set(p.rglob("FILEd*")), set())
+ 
+-    @unittest.skipUnless(hasattr(pwd, 'getpwall'),
+-                         'pwd module does not expose getpwall()')
++    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
+     def test_expanduser(self):
+         P = self.cls
+         support.import_module('pwd')
+--- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
++++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
+@@ -2305,11 +2305,14 @@
+     try:
+         import pwd, grp
+     except ImportError:
+         return False
+-    if pwd.getpwuid(0)[0] != 'root':
+-        return False
+-    if grp.getgrgid(0)[0] != 'root':
++    try:
++        if pwd.getpwuid(0)[0] != 'root':
++            return False
++        if grp.getgrgid(0)[0] != 'root':
++            return False
++    except KeyError:
+         return False
+     return True
+
+
+--- Lib/test/test_asyncio/test_base_events.py
++++ Lib/test/test_asyncio/test_base_events.py
+@@ -1216,6 +1216,8 @@
+         self._test_create_connection_ip_addr(m_socket, False)
+
+     @patch_socket
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_create_connection_service_name(self, m_socket):
+         m_socket.getaddrinfo = socket.getaddrinfo
+         sock = m_socket.socket.return_value
+
+--- Lib/test/test_pdb.py.org    2017-03-12 03:09:01.991856701 +0100
++++ Lib/test/test_pdb.py        2017-03-12 03:26:17.742572869 +0100
+
+For some reason, KeyboardInterrupts do not work in the build
+environment (lack of controlling TTY?). Just change the expected
+outcome. Unfortunately, this will make it fail for users running
+`python -m test test_pdb test_pdb` interactively.
+
+@@ -928,11 +928,11 @@
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(6)test_function()
+     -> print('pdb %d: %s' % (i, sess._previous_sigint_handler))
+     (Pdb) continue
+-    pdb 1: <built-in function default_int_handler>
++    pdb 1: Handlers.SIG_IGN
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(5)test_function()
+     -> sess.set_trace(sys._getframe())
+     (Pdb) continue
+-    pdb 2: <built-in function default_int_handler>
++    pdb 2: Handlers.SIG_IGN
+     """
+
+ class PdbTestCase(unittest.TestCase):
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -802,6 +802,8 @@
+         if not fqhn in all_host_names:
+             self.fail("Error testing host resolution mechanisms. (fqdn: %s, all: %s)" % (fqhn, repr(all_host_names)))
+ 
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_host_resolution(self):
+         for addr in [support.HOST, '10.0.0.1', '255.255.255.255']:
+             self.assertEqual(socket.gethostbyname(addr), addr)
+--- Lib/test/test_spwd.py
++++ Lib/test/test_spwd.py
+@@ -5,8 +5,7 @@
+ spwd = support.import_module('spwd')
+ 
+ 
+-@unittest.skipUnless(hasattr(os, 'geteuid') and os.geteuid() == 0,
+-                     'root privileges required')
++@unittest.skipUnless(os.path.exists("/etc/shadow"), 'spwd tests require /etc/shadow')
+ class TestSpwdRoot(unittest.TestCase):
+ 
+     def test_getspall(self):
+@@ -56,8 +55,7 @@
+             self.assertRaises(TypeError, spwd.getspnam, bytes_name)
+ 
+ 
+-@unittest.skipUnless(hasattr(os, 'geteuid') and os.geteuid() != 0,
+-                     'non-root user required')
++@unittest.skipUnless(os.path.exists("/etc/shadow"), 'spwd tests require /etc/shadow')
+ class TestSpwdNonRoot(unittest.TestCase):
+ 
+     def test_getspnam_exception(self):
+--- Lib/test/test_regrtest.py
++++ Lib/test/test_regrtest.py
+@@ -700,6 +700,7 @@
+         output = self.run_tests('--fromfile', filename)
+         self.check_executed_tests(output, tests)
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment.')
+     def test_interrupted(self):
+         code = TEST_INTERRUPTED
+         test = self.create_test('sigint', code=code)
+@@ -717,6 +718,7 @@
+                  % (self.TESTNAME_REGEX, len(tests)))
+         self.check_line(output, regex)
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment.')
+     def test_slow_interrupted(self):
+         # Issue #25373: test --slowest with an interrupted test
+         code = TEST_INTERRUPTED
+--- Lib/test/test_generators.py
++++ Lib/test/test_generators.py
+@@ -29,6 +29,7 @@
+         else:
+             return "FAILED"
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment')
+     def test_raise_and_yield_from(self):
+         gen = self.generator1()
+         gen.send(None)
+--- Lib/test/test_normalization.py
++++ Lib/test/test_normalization.py
+@@ -2,6 +2,7 @@
+ import unittest
+ 
+ from http.client import HTTPException
++from urllib.error import URLError
+ import sys
+ from unicodedata import normalize, unidata_version
+ 
+@@ -43,6 +44,8 @@
+         except PermissionError:
+             self.skipTest(f"Permission error when downloading {TESTDATAURL} "
+                           f"into the test data directory")
++        except URLError:
++            self.skipTest("DNS lookups are not enabled.")
+         except (OSError, HTTPException):
+             self.fail(f"Could not retrieve {TESTDATAURL}")
+ 
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
deleted file mode 100644
index 9778b88dbd..0000000000
--- a/gnu/packages/patches/python-3.5-fix-tests.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Additional test fixes which affect Python 3.5 (and presumably later) but not
-prior revisions of Python.
-
---- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
-+++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
-@@ -1986,8 +1986,9 @@
-         expect = set() if not support.fs_is_case_insensitive(BASE) else given
-         self.assertEqual(given, expect)
-         self.assertEqual(set(p.rglob("FILEd*")), set())
- 
-+    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
-     def test_expanduser(self):
-         P = self.cls
-         support.import_module('pwd')
-         import pwd
---- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
-+++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
-@@ -2305,11 +2305,14 @@
-     try:
-         import pwd, grp
-     except ImportError:
-         return False
--    if pwd.getpwuid(0)[0] != 'root':
--        return False
--    if grp.getgrgid(0)[0] != 'root':
-+    try:
-+        if pwd.getpwuid(0)[0] != 'root':
-+            return False
-+        if grp.getgrgid(0)[0] != 'root':
-+            return False
-+    except KeyError:
-         return False
-     return True
-
-
---- Lib/test/test_asyncio/test_base_events.py
-+++ Lib/test/test_asyncio/test_base_events.py
-@@ -1216,6 +1216,8 @@
-         self._test_create_connection_ip_addr(m_socket, False)
-
-     @patch_socket
-+    @unittest.skipUnless(support.is_resource_enabled('network'),
-+                         'network is not enabled')
-     def test_create_connection_service_name(self, m_socket):
-         m_socket.getaddrinfo = socket.getaddrinfo
-         sock = m_socket.socket.return_value
-
---- Lib/test/test_pdb.py.org    2017-03-12 03:09:01.991856701 +0100
-+++ Lib/test/test_pdb.py        2017-03-12 03:26:17.742572869 +0100
-
-For some reason, KeyboardInterrupts do not work in the build
-environment (lack of controlling TTY?). Just change the expected
-outcome. Unfortunately, this will make it fail for users running
-`python -m test test_pdb test_pdb` interactively.
-
-@@ -928,11 +928,11 @@
-     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(6)test_function()
-     -> print('pdb %d: %s' % (i, sess._previous_sigint_handler))
-     (Pdb) continue
--    pdb 1: <built-in function default_int_handler>
-+    pdb 1: Handlers.SIG_IGN
-     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(5)test_function()
-     -> sess.set_trace(sys._getframe())
-     (Pdb) continue
--    pdb 2: <built-in function default_int_handler>
-+    pdb 2: Handlers.SIG_IGN
-     """
-
- class PdbTestCase(unittest.TestCase):
diff --git a/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
deleted file mode 100644
index 8a12b5b448..0000000000
--- a/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
+++ /dev/null
@@ -1,720 +0,0 @@
-This patch resolves a compatibility issue when compiled against glibc 2.25
-and run runder kernels < 3.17:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1410175
-
-Upstream bug URL: https://bugs.python.org/issue29157
-
-Patch copied from upstream source repository:
-
-https://hg.python.org/cpython/rev/8125d9a8152b
-
-# HG changeset patch
-# User Victor Stinner <victor.stinner@gmail.com>
-# Date 1483957133 -3600
-# Node ID 8125d9a8152b79e712cb09c7094b9129b9bcea86
-# Parent  337461574c90281630751b6095c4e1baf380cf7d
-Issue #29157: Prefer getrandom() over getentropy()
-
-Copy and then adapt Python/random.c from default branch. Difference between 3.5
-and default branches:
-
-* Python 3.5 only uses getrandom() in non-blocking mode: flags=GRND_NONBLOCK
-* If getrandom() fails with EAGAIN: py_getrandom() immediately fails and
-  remembers that getrandom() doesn't work.
-* Python 3.5 has no _PyOS_URandomNonblock() function: _PyOS_URandom()
-  works in non-blocking mode on Python 3.5
-
-diff --git a/Python/random.c b/Python/random.c
---- Python/random.c
-+++ Python/random.c
-@@ -1,6 +1,9 @@
- #include "Python.h"
- #ifdef MS_WINDOWS
- #  include <windows.h>
-+/* All sample MSDN wincrypt programs include the header below. It is at least
-+ * required with Min GW. */
-+#  include <wincrypt.h>
- #else
- #  include <fcntl.h>
- #  ifdef HAVE_SYS_STAT_H
-@@ -37,10 +40,9 @@ win32_urandom_init(int raise)
-     return 0;
- 
- error:
--    if (raise)
-+    if (raise) {
-         PyErr_SetFromWindowsErr(0);
--    else
--        Py_FatalError("Failed to initialize Windows random API (CryptoGen)");
-+    }
-     return -1;
- }
- 
-@@ -53,8 +55,9 @@ win32_urandom(unsigned char *buffer, Py_
- 
-     if (hCryptProv == 0)
-     {
--        if (win32_urandom_init(raise) == -1)
-+        if (win32_urandom_init(raise) == -1) {
-             return -1;
-+        }
-     }
- 
-     while (size > 0)
-@@ -63,11 +66,9 @@ win32_urandom(unsigned char *buffer, Py_
-         if (!CryptGenRandom(hCryptProv, (DWORD)chunk, buffer))
-         {
-             /* CryptGenRandom() failed */
--            if (raise)
-+            if (raise) {
-                 PyErr_SetFromWindowsErr(0);
--            else
--                Py_FatalError("Failed to initialized the randomized hash "
--                        "secret using CryptoGen)");
-+            }
-             return -1;
-         }
-         buffer += chunk;
-@@ -76,58 +77,23 @@ win32_urandom(unsigned char *buffer, Py_
-     return 0;
- }
- 
--/* Issue #25003: Don't use getentropy() on Solaris (available since
-- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
--#elif defined(HAVE_GETENTROPY) && !defined(sun)
--#define PY_GETENTROPY 1
--
--/* Fill buffer with size pseudo-random bytes generated by getentropy().
--   Return 0 on success, or raise an exception and return -1 on error.
--
--   If fatal is nonzero, call Py_FatalError() instead of raising an exception
--   on error. */
--static int
--py_getentropy(unsigned char *buffer, Py_ssize_t size, int fatal)
--{
--    while (size > 0) {
--        Py_ssize_t len = Py_MIN(size, 256);
--        int res;
--
--        if (!fatal) {
--            Py_BEGIN_ALLOW_THREADS
--            res = getentropy(buffer, len);
--            Py_END_ALLOW_THREADS
--
--            if (res < 0) {
--                PyErr_SetFromErrno(PyExc_OSError);
--                return -1;
--            }
--        }
--        else {
--            res = getentropy(buffer, len);
--            if (res < 0)
--                Py_FatalError("getentropy() failed");
--        }
--
--        buffer += len;
--        size -= len;
--    }
--    return 0;
--}
--
--#else
-+#else /* !MS_WINDOWS */
- 
- #if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL)
- #define PY_GETRANDOM 1
- 
--/* Call getrandom()
-+/* Call getrandom() to get random bytes:
-+
-    - Return 1 on success
--   - Return 0 if getrandom() syscall is not available (failed with ENOSYS or
--     EPERM) or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
--     not initialized yet) and raise=0.
-+   - Return 0 if getrandom() is not available (failed with ENOSYS or EPERM),
-+     or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not
-+     initialized yet).
-    - Raise an exception (if raise is non-zero) and return -1 on error:
--     getrandom() failed with EINTR and the Python signal handler raised an
--     exception, or getrandom() failed with a different error. */
-+     if getrandom() failed with EINTR, raise is non-zero and the Python signal
-+     handler raised an exception, or if getrandom() failed with a different
-+     error.
-+
-+   getrandom() is retried if it failed with EINTR: interrupted by a signal. */
- static int
- py_getrandom(void *buffer, Py_ssize_t size, int raise)
- {
-@@ -142,16 +108,19 @@ py_getrandom(void *buffer, Py_ssize_t si
-      * see https://bugs.python.org/issue26839. To avoid this, use the
-      * GRND_NONBLOCK flag. */
-     const int flags = GRND_NONBLOCK;
-+    char *dest;
-     long n;
- 
-     if (!getrandom_works) {
-         return 0;
-     }
- 
-+    dest = buffer;
-     while (0 < size) {
- #ifdef sun
-         /* Issue #26735: On Solaris, getrandom() is limited to returning up
--           to 1024 bytes */
-+           to 1024 bytes. Call it multiple times if more bytes are
-+           requested. */
-         n = Py_MIN(size, 1024);
- #else
-         n = Py_MIN(size, LONG_MAX);
-@@ -161,34 +130,35 @@ py_getrandom(void *buffer, Py_ssize_t si
- #ifdef HAVE_GETRANDOM
-         if (raise) {
-             Py_BEGIN_ALLOW_THREADS
--            n = getrandom(buffer, n, flags);
-+            n = getrandom(dest, n, flags);
-             Py_END_ALLOW_THREADS
-         }
-         else {
--            n = getrandom(buffer, n, flags);
-+            n = getrandom(dest, n, flags);
-         }
- #else
-         /* On Linux, use the syscall() function because the GNU libc doesn't
--         * expose the Linux getrandom() syscall yet. See:
--         * https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
-+           expose the Linux getrandom() syscall yet. See:
-+           https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
-         if (raise) {
-             Py_BEGIN_ALLOW_THREADS
--            n = syscall(SYS_getrandom, buffer, n, flags);
-+            n = syscall(SYS_getrandom, dest, n, flags);
-             Py_END_ALLOW_THREADS
-         }
-         else {
--            n = syscall(SYS_getrandom, buffer, n, flags);
-+            n = syscall(SYS_getrandom, dest, n, flags);
-         }
- #endif
- 
-         if (n < 0) {
--            /* ENOSYS: getrandom() syscall not supported by the kernel (but
--             * maybe supported by the host which built Python). EPERM:
--             * getrandom() syscall blocked by SECCOMP or something else. */
-+            /* ENOSYS: the syscall is not supported by the kernel.
-+               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
-+               or something else. */
-             if (errno == ENOSYS || errno == EPERM) {
-                 getrandom_works = 0;
-                 return 0;
-             }
-+
-             if (errno == EAGAIN) {
-                 /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system
-                    urandom is not initialiazed yet. In this case, fall back on
-@@ -202,32 +172,101 @@ py_getrandom(void *buffer, Py_ssize_t si
-             }
- 
-             if (errno == EINTR) {
--                if (PyErr_CheckSignals()) {
--                    if (!raise) {
--                        Py_FatalError("getrandom() interrupted by a signal");
-+                if (raise) {
-+                    if (PyErr_CheckSignals()) {
-+                        return -1;
-                     }
--                    return -1;
-                 }
- 
--                /* retry getrandom() */
-+                /* retry getrandom() if it was interrupted by a signal */
-                 continue;
-             }
- 
-             if (raise) {
-                 PyErr_SetFromErrno(PyExc_OSError);
-             }
--            else {
--                Py_FatalError("getrandom() failed");
-+            return -1;
-+        }
-+
-+        dest += n;
-+        size -= n;
-+    }
-+    return 1;
-+}
-+
-+#elif defined(HAVE_GETENTROPY)
-+#define PY_GETENTROPY 1
-+
-+/* Fill buffer with size pseudo-random bytes generated by getentropy():
-+
-+   - Return 1 on success
-+   - Return 0 if getentropy() syscall is not available (failed with ENOSYS or
-+     EPERM).
-+   - Raise an exception (if raise is non-zero) and return -1 on error:
-+     if getentropy() failed with EINTR, raise is non-zero and the Python signal
-+     handler raised an exception, or if getentropy() failed with a different
-+     error.
-+
-+   getentropy() is retried if it failed with EINTR: interrupted by a signal. */
-+static int
-+py_getentropy(char *buffer, Py_ssize_t size, int raise)
-+{
-+    /* Is getentropy() supported by the running kernel? Set to 0 if
-+       getentropy() failed with ENOSYS or EPERM. */
-+    static int getentropy_works = 1;
-+
-+    if (!getentropy_works) {
-+        return 0;
-+    }
-+
-+    while (size > 0) {
-+        /* getentropy() is limited to returning up to 256 bytes. Call it
-+           multiple times if more bytes are requested. */
-+        Py_ssize_t len = Py_MIN(size, 256);
-+        int res;
-+
-+        if (raise) {
-+            Py_BEGIN_ALLOW_THREADS
-+            res = getentropy(buffer, len);
-+            Py_END_ALLOW_THREADS
-+        }
-+        else {
-+            res = getentropy(buffer, len);
-+        }
-+
-+        if (res < 0) {
-+            /* ENOSYS: the syscall is not supported by the running kernel.
-+               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
-+               or something else. */
-+            if (errno == ENOSYS || errno == EPERM) {
-+                getentropy_works = 0;
-+                return 0;
-+            }
-+
-+            if (errno == EINTR) {
-+                if (raise) {
-+                    if (PyErr_CheckSignals()) {
-+                        return -1;
-+                    }
-+                }
-+
-+                /* retry getentropy() if it was interrupted by a signal */
-+                continue;
-+            }
-+
-+            if (raise) {
-+                PyErr_SetFromErrno(PyExc_OSError);
-             }
-             return -1;
-         }
- 
--        buffer += n;
--        size -= n;
-+        buffer += len;
-+        size -= len;
-     }
-     return 1;
- }
--#endif
-+#endif /* defined(HAVE_GETENTROPY) && !defined(sun) */
-+
- 
- static struct {
-     int fd;
-@@ -235,136 +274,123 @@ static struct {
-     ino_t st_ino;
- } urandom_cache = { -1 };
- 
-+/* Read random bytes from the /dev/urandom device:
- 
--/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
--   /dev/urandom if getrandom() is not available.
-+   - Return 0 on success
-+   - Raise an exception (if raise is non-zero) and return -1 on error
- 
--   Call Py_FatalError() on error. */
--static void
--dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
-+   Possible causes of errors:
-+
-+   - open() failed with ENOENT, ENXIO, ENODEV, EACCES: the /dev/urandom device
-+     was not found. For example, it was removed manually or not exposed in a
-+     chroot or container.
-+   - open() failed with a different error
-+   - fstat() failed
-+   - read() failed or returned 0
-+
-+   read() is retried if it failed with EINTR: interrupted by a signal.
-+
-+   The file descriptor of the device is kept open between calls to avoid using
-+   many file descriptors when run in parallel from multiple threads:
-+   see the issue #18756.
-+
-+   st_dev and st_ino fields of the file descriptor (from fstat()) are cached to
-+   check if the file descriptor was replaced by a different file (which is
-+   likely a bug in the application): see the issue #21207.
-+
-+   If the file descriptor was closed or replaced, open a new file descriptor
-+   but don't close the old file descriptor: it probably points to something
-+   important for some third-party code. */
-+static int
-+dev_urandom(char *buffer, Py_ssize_t size, int raise)
- {
-     int fd;
-     Py_ssize_t n;
- 
--    assert (0 < size);
-+    if (raise) {
-+        struct _Py_stat_struct st;
- 
--#ifdef PY_GETRANDOM
--    if (py_getrandom(buffer, size, 0) == 1) {
--        return;
-+        if (urandom_cache.fd >= 0) {
-+            /* Does the fd point to the same thing as before? (issue #21207) */
-+            if (_Py_fstat_noraise(urandom_cache.fd, &st)
-+                || st.st_dev != urandom_cache.st_dev
-+                || st.st_ino != urandom_cache.st_ino) {
-+                /* Something changed: forget the cached fd (but don't close it,
-+                   since it probably points to something important for some
-+                   third-party code). */
-+                urandom_cache.fd = -1;
-+            }
-+        }
-+        if (urandom_cache.fd >= 0)
-+            fd = urandom_cache.fd;
-+        else {
-+            fd = _Py_open("/dev/urandom", O_RDONLY);
-+            if (fd < 0) {
-+                if (errno == ENOENT || errno == ENXIO ||
-+                    errno == ENODEV || errno == EACCES) {
-+                    PyErr_SetString(PyExc_NotImplementedError,
-+                                    "/dev/urandom (or equivalent) not found");
-+                }
-+                /* otherwise, keep the OSError exception raised by _Py_open() */
-+                return -1;
-+            }
-+            if (urandom_cache.fd >= 0) {
-+                /* urandom_fd was initialized by another thread while we were
-+                   not holding the GIL, keep it. */
-+                close(fd);
-+                fd = urandom_cache.fd;
-+            }
-+            else {
-+                if (_Py_fstat(fd, &st)) {
-+                    close(fd);
-+                    return -1;
-+                }
-+                else {
-+                    urandom_cache.fd = fd;
-+                    urandom_cache.st_dev = st.st_dev;
-+                    urandom_cache.st_ino = st.st_ino;
-+                }
-+            }
-+        }
-+
-+        do {
-+            n = _Py_read(fd, buffer, (size_t)size);
-+            if (n == -1)
-+                return -1;
-+            if (n == 0) {
-+                PyErr_Format(PyExc_RuntimeError,
-+                        "Failed to read %zi bytes from /dev/urandom",
-+                        size);
-+                return -1;
-+            }
-+
-+            buffer += n;
-+            size -= n;
-+        } while (0 < size);
-     }
--    /* getrandom() failed with ENOSYS or EPERM,
--       fall back on reading /dev/urandom */
--#endif
--
--    fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
--    if (fd < 0) {
--        Py_FatalError("Failed to open /dev/urandom");
--    }
--
--    while (0 < size)
--    {
--        do {
--            n = read(fd, buffer, (size_t)size);
--        } while (n < 0 && errno == EINTR);
--
--        if (n <= 0) {
--            /* read() failed or returned 0 bytes */
--            Py_FatalError("Failed to read bytes from /dev/urandom");
--            break;
--        }
--        buffer += n;
--        size -= n;
--    }
--    close(fd);
--}
--
--/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
--   /dev/urandom if getrandom() is not available.
--
--   Return 0 on success. Raise an exception and return -1 on error. */
--static int
--dev_urandom_python(char *buffer, Py_ssize_t size)
--{
--    int fd;
--    Py_ssize_t n;
--    struct _Py_stat_struct st;
--#ifdef PY_GETRANDOM
--    int res;
--#endif
--
--    if (size <= 0)
--        return 0;
--
--#ifdef PY_GETRANDOM
--    res = py_getrandom(buffer, size, 1);
--    if (res < 0) {
--        return -1;
--    }
--    if (res == 1) {
--        return 0;
--    }
--    /* getrandom() failed with ENOSYS or EPERM,
--       fall back on reading /dev/urandom */
--#endif
--
--    if (urandom_cache.fd >= 0) {
--        /* Does the fd point to the same thing as before? (issue #21207) */
--        if (_Py_fstat_noraise(urandom_cache.fd, &st)
--            || st.st_dev != urandom_cache.st_dev
--            || st.st_ino != urandom_cache.st_ino) {
--            /* Something changed: forget the cached fd (but don't close it,
--               since it probably points to something important for some
--               third-party code). */
--            urandom_cache.fd = -1;
--        }
--    }
--    if (urandom_cache.fd >= 0)
--        fd = urandom_cache.fd;
-     else {
--        fd = _Py_open("/dev/urandom", O_RDONLY);
-+        fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
-         if (fd < 0) {
--            if (errno == ENOENT || errno == ENXIO ||
--                errno == ENODEV || errno == EACCES)
--                PyErr_SetString(PyExc_NotImplementedError,
--                                "/dev/urandom (or equivalent) not found");
--            /* otherwise, keep the OSError exception raised by _Py_open() */
-             return -1;
-         }
--        if (urandom_cache.fd >= 0) {
--            /* urandom_fd was initialized by another thread while we were
--               not holding the GIL, keep it. */
--            close(fd);
--            fd = urandom_cache.fd;
--        }
--        else {
--            if (_Py_fstat(fd, &st)) {
-+
-+        while (0 < size)
-+        {
-+            do {
-+                n = read(fd, buffer, (size_t)size);
-+            } while (n < 0 && errno == EINTR);
-+
-+            if (n <= 0) {
-+                /* stop on error or if read(size) returned 0 */
-                 close(fd);
-                 return -1;
-             }
--            else {
--                urandom_cache.fd = fd;
--                urandom_cache.st_dev = st.st_dev;
--                urandom_cache.st_ino = st.st_ino;
--            }
-+
-+            buffer += n;
-+            size -= n;
-         }
-+        close(fd);
-     }
--
--    do {
--        n = _Py_read(fd, buffer, (size_t)size);
--        if (n == -1) {
--            return -1;
--        }
--        if (n == 0) {
--            PyErr_Format(PyExc_RuntimeError,
--                    "Failed to read %zi bytes from /dev/urandom",
--                    size);
--            return -1;
--        }
--
--        buffer += n;
--        size -= n;
--    } while (0 < size);
--
-     return 0;
- }
- 
-@@ -376,8 +402,8 @@ dev_urandom_close(void)
-         urandom_cache.fd = -1;
-     }
- }
-+#endif /* !MS_WINDOWS */
- 
--#endif
- 
- /* Fill buffer with pseudo-random bytes generated by a linear congruent
-    generator (LCG):
-@@ -400,29 +426,98 @@ lcg_urandom(unsigned int x0, unsigned ch
-     }
- }
- 
-+/* Read random bytes:
-+
-+   - Return 0 on success
-+   - Raise an exception (if raise is non-zero) and return -1 on error
-+
-+   Used sources of entropy ordered by preference, preferred source first:
-+
-+   - CryptGenRandom() on Windows
-+   - getrandom() function (ex: Linux and Solaris): call py_getrandom()
-+   - getentropy() function (ex: OpenBSD): call py_getentropy()
-+   - /dev/urandom device
-+
-+   Read from the /dev/urandom device if getrandom() or getentropy() function
-+   is not available or does not work.
-+
-+   Prefer getrandom() over getentropy() because getrandom() supports blocking
-+   and non-blocking mode and Python requires non-blocking RNG at startup to
-+   initialize its hash secret: see the PEP 524.
-+
-+   Prefer getrandom() and getentropy() over reading directly /dev/urandom
-+   because these functions don't need file descriptors and so avoid ENFILE or
-+   EMFILE errors (too many open files): see the issue #18756.
-+
-+   Only use RNG running in the kernel. They are more secure because it is
-+   harder to get the internal state of a RNG running in the kernel land than a
-+   RNG running in the user land. The kernel has a direct access to the hardware
-+   and has access to hardware RNG, they are used as entropy sources.
-+
-+   Note: the OpenSSL RAND_pseudo_bytes() function does not automatically reseed
-+   its RNG on fork(), two child processes (with the same pid) generate the same
-+   random numbers: see issue #18747. Kernel RNGs don't have this issue,
-+   they have access to good quality entropy sources.
-+
-+   If raise is zero:
-+
-+   - Don't raise an exception on error
-+   - Don't call the Python signal handler (don't call PyErr_CheckSignals()) if
-+     a function fails with EINTR: retry directly the interrupted function
-+   - Don't release the GIL to call functions.
-+*/
-+static int
-+pyurandom(void *buffer, Py_ssize_t size, int raise)
-+{
-+#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
-+    int res;
-+#endif
-+
-+    if (size < 0) {
-+        if (raise) {
-+            PyErr_Format(PyExc_ValueError,
-+                         "negative argument not allowed");
-+        }
-+        return -1;
-+    }
-+
-+    if (size == 0) {
-+        return 0;
-+    }
-+
-+#ifdef MS_WINDOWS
-+    return win32_urandom((unsigned char *)buffer, size, raise);
-+#else
-+
-+#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
-+#ifdef PY_GETRANDOM
-+    res = py_getrandom(buffer, size, raise);
-+#else
-+    res = py_getentropy(buffer, size, raise);
-+#endif
-+    if (res < 0) {
-+        return -1;
-+    }
-+    if (res == 1) {
-+        return 0;
-+    }
-+    /* getrandom() or getentropy() function is not available: failed with
-+       ENOSYS, EPERM or EAGAIN. Fall back on reading from /dev/urandom. */
-+#endif
-+
-+    return dev_urandom(buffer, size, raise);
-+#endif
-+}
-+
- /* Fill buffer with size pseudo-random bytes from the operating system random
-    number generator (RNG). It is suitable for most cryptographic purposes
-    except long living private keys for asymmetric encryption.
- 
--   Return 0 on success, raise an exception and return -1 on error. */
-+   Return 0 on success. Raise an exception and return -1 on error. */
- int
- _PyOS_URandom(void *buffer, Py_ssize_t size)
- {
--    if (size < 0) {
--        PyErr_Format(PyExc_ValueError,
--                     "negative argument not allowed");
--        return -1;
--    }
--    if (size == 0)
--        return 0;
--
--#ifdef MS_WINDOWS
--    return win32_urandom((unsigned char *)buffer, size, 1);
--#elif defined(PY_GETENTROPY)
--    return py_getentropy(buffer, size, 0);
--#else
--    return dev_urandom_python((char*)buffer, size);
--#endif
-+    return pyurandom(buffer, size, 1);
- }
- 
- void
-@@ -463,13 +558,14 @@ void
-         }
-     }
-     else {
--#ifdef MS_WINDOWS
--        (void)win32_urandom(secret, secret_size, 0);
--#elif defined(PY_GETENTROPY)
--        (void)py_getentropy(secret, secret_size, 1);
--#else
--        dev_urandom_noraise(secret, secret_size);
--#endif
-+        int res;
-+
-+        /* _PyRandom_Init() is called very early in the Python initialization
-+           and so exceptions cannot be used (use raise=0). */
-+        res = pyurandom(secret, secret_size, 0);
-+        if (res < 0) {
-+            Py_FatalError("failed to get random numbers to initialize Python");
-+        }
-     }
- }
- 
-@@ -481,8 +577,6 @@ void
-         CryptReleaseContext(hCryptProv, 0);
-         hCryptProv = 0;
-     }
--#elif defined(PY_GETENTROPY)
--    /* nothing to clean */
- #else
-     dev_urandom_close();
- #endif
-
diff --git a/gnu/packages/patches/python-unittest2-python3-compat.patch b/gnu/packages/patches/python-unittest2-python3-compat.patch
new file mode 100644
index 0000000000..fe0afe559a
--- /dev/null
+++ b/gnu/packages/patches/python-unittest2-python3-compat.patch
@@ -0,0 +1,34 @@
+Skip tests that fail with newer versions of Python.
+
+Patch copied from Gentoo:
+
+https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-python/unittest2/files/unittest2-1.1.0-python3.5-test.patch
+
+diff --git a/unittest2/test/test_loader.py b/unittest2/test/test_loader.py
+index 683f662..347eea5 100644
+--- a/unittest2/test/test_loader.py
++++ b/unittest2/test/test_loader.py
+@@ -509,6 +509,7 @@ class Test_TestLoader(unittest2.TestCase):
+     #
+     # What happens when an impossible name is given, relative to the provided
+     # `module`?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromName__relative_malformed_name(self):
+         loader = unittest.TestLoader()
+ 
+@@ -811,6 +812,7 @@ class Test_TestLoader(unittest2.TestCase):
+     # TestCase or TestSuite instance."
+     #
+     # What happens when presented with an impossible module name?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromNames__malformed_name(self):
+         loader = unittest2.TestLoader()
+ 
+@@ -918,6 +920,7 @@ class Test_TestLoader(unittest2.TestCase):
+     # "The method optionally resolves name relative to the given module"
+     #
+     # What happens when presented with an impossible attribute name?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromNames__relative_malformed_name(self):
+         loader = unittest.TestLoader()
+ 
diff --git a/gnu/packages/patches/python2-unittest2-remove-argparse.patch b/gnu/packages/patches/python-unittest2-remove-argparse.patch
index c96738757e..c96738757e 100644
--- a/gnu/packages/patches/python2-unittest2-remove-argparse.patch
+++ b/gnu/packages/patches/python-unittest2-remove-argparse.patch
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 574ae4a6ba..c84f07cc7e 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,8 +34,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.40")
-   (replacement pcre-8.41)
+   (version "8.41")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -43,10 +43,9 @@
                                  "pcre-" version ".tar.bz2")
                   (string-append "mirror://sourceforge/pcre/pcre/"
                                  version "/pcre-" version ".tar.bz2")))
-            (patches (search-patches "pcre-CVE-2017-7186.patch"))
             (sha256
              (base32
-              "1x7lpjn7jhk0n3sdvggxrlrhab8kkfjwl7qix0ypw9nlx8lpmqh0"))))
+              "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
@@ -73,21 +72,6 @@ POSIX regular expression API.")
    (license license:bsd-3)
    (home-page "http://www.pcre.org/")))
 
-(define pcre-8.41
-  (package
-    (inherit pcre)
-    (version "8.41")
-    (source (origin
-              (method url-fetch)
-              (uri (list (string-append "mirror://sourceforge/pcre/pcre/"
-                                        version "/pcre-" version ".tar.bz2")
-                         (string-append "ftp://ftp.csx.cam.ac.uk"
-                                        "/pub/software/programming/pcre/"
-                                        "pcre-" version ".tar.bz2")))
-              (sha256
-               (base32
-                "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))))
-
 (define-public pcre2
   (package
     (name "pcre2")
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 0343b167ab..7225336c7c 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -54,14 +54,14 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.26.0")
+    (version "5.26.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0zxn9hd7mqgq06ikyi6k70ngbvjf01z1paw0jd25byyl0rlwdrzb"))
+               "1p81wwvr5jb81m41d07kfywk5gvbk0axdrnvhc2aghcdbr4alqz7"))
              (patches (search-patches
                        "perl-file-path-CVE-2017-6512.patch"
                        "perl-no-sys-dirs.patch"
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index e8a7339199..d257d48bc4 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -132,7 +132,7 @@
 (define-public python-2.7
   (package
     (name "python")
-    (version "2.7.13")
+    (version "2.7.14")
     (source
      (origin
       (method url-fetch)
@@ -140,12 +140,12 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "0cgpk3zk0fgpji59pb4zy9nzljr70qzgv1vpz5hq5xw2d2c47m9m"))
+        "0rka541ys16jwzcnnvjp2v12m4cwgd2jp6wj4kj511p715pb5zvi"))
       (patches (search-patches "python-2.7-search-paths.patch"
                                "python-2-deterministic-build-info.patch"
                                "python-2.7-site-prefixes.patch"
                                "python-2.7-source-date-epoch.patch"
-                               "python-2.7-getentropy-on-old-kernels.patch"))
+                               "python-2.7-adjust-tests.patch"))
       (modules '((guix build utils)))
       ;; suboptimal to delete failing tests here, but if we delete them in the
       ;; arguments then we need to make sure to strip out that phase when it
@@ -203,6 +203,7 @@
                                   '("Lib/subprocess.py"
                                     "Lib/popen2.py"
                                     "Lib/distutils/tests/test_spawn.py"
+                                    "Lib/test/support/__init__.py"
                                     "Lib/test/test_subprocess.py"))
                (("/bin/sh") (which "sh")))
 
@@ -328,28 +329,28 @@ data types.")
 ;; Current 2.x version.
 (define-public python-2 python-2.7)
 
-(define-public python-3.5
+(define-public python-3.6
   (package (inherit python-2)
-    (version "3.5.3")
+    (version "3.6.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
                         "python-fix-tests.patch"
-                        "python-3.5-fix-tests.patch"
-                        "python-3.5-getentropy-on-old-kernels.patch"
+                        "python-3-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"
                         "python-3-search-paths.patch"))
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "1c6v1n9nz4mlx9mw1125fxpmbrgniqdbbx9hnqx44maqazb2mzpf"))
+                "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd"))
               (snippet
                '(begin
                   (for-each delete-file
-                            '("Lib/ctypes/test/test_win32.py" ; fails on aarch64
-                              "Lib/test/test_fcntl.py"))
+                            '("Lib/ctypes/test/test_structures.py" ; fails on aarch64
+                              "Lib/ctypes/test/test_win32.py" ; fails on aarch64
+                              "Lib/test/test_fcntl.py")) ; fails on aarch64
                   #t))))
     (arguments (substitute-keyword-arguments (package-arguments python-2)
                  ((#:tests? _) #t)))
@@ -361,7 +362,7 @@ data types.")
                                         "/site-packages"))))))))
 
 ;; Current 3.x version.
-(define-public python-3 python-3.5)
+(define-public python-3 python-3.6)
 
 ;; Current major version.
 (define-public python python-3)
@@ -933,45 +934,43 @@ API for locking files.")
 (define-public python-mock
   (package
     (name "python-mock")
-    (version "1.0.1")
+    (version "2.0.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "mock" version))
        (sha256
         (base32
-         "0kzlsbki6q0awf89rc287f3aj8x431lrajf160a70z0ikhnxsfdq"))))
+         "1flbpksir5sqrvq2z0dp8sl4bzbadg21sj4d42w3klpdfvgvcn5i"))))
+    (propagated-inputs
+     `(("python-pbr" ,python-pbr-minimal)
+       ("python-six" ,python-six)))
     (build-system python-build-system)
-    (arguments '(#:test-target "check"))
+    (native-inputs
+     `(("python-unittest2" ,python-unittest2)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "unit2")))))))
     (home-page "https://github.com/testing-cabal/mock")
     (synopsis "Python mocking and patching library for testing")
     (description
      "Mock is a library for testing in Python.  It allows you to replace parts
 of your system under test with mock objects and make assertions about how they
 have been used.")
+    (properties `((python2-variant . ,(delay python2-mock))))
     (license license:expat)))
 
 (define-public python2-mock
-  (package-with-python2 python-mock))
-
-;;; Some packages (notably, certbot and python-acme) rely on this newer version
-;;; of python-mock. However, a large number of packages fail to build with
-;;; mock@2, so we add a new variable for now. Also, there may be a dependency
-;;; cycle between mock and six, so we avoid creating python2-mock@2 for now.
-(define-public python-mock-2
-  (package
-    (inherit python-mock)
-    (version "2.0.0")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (pypi-uri "mock" version))
-        (sha256
-         (base32
-          "1flbpksir5sqrvq2z0dp8sl4bzbadg21sj4d42w3klpdfvgvcn5i"))))
-    (propagated-inputs
-     `(("python-pbr" ,python-pbr-minimal)
-       ,@(package-propagated-inputs python-mock)))))
+  (let ((base (package-with-python2
+               (strip-python2-variant python-mock))))
+    (package (inherit base)
+      (propagated-inputs
+       `(("python2-functools32" ,python2-functools32)
+         ("python2-funcsigs" ,python2-funcsigs)
+         ,@(package-propagated-inputs base))))))
 
 (define-public python-setuptools
   (package
@@ -1282,18 +1281,24 @@ password storage.")
 (define-public python-six
   (package
     (name "python-six")
-    (version "1.10.0")
+    (version "1.11.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "six" version))
       (sha256
        (base32
-        "0snmb8xffb3vsma0z67i0h0w2g2dy0p3gsgh9gi4i0kgc5l8spqh"))))
+        "1scqzwc51c875z23phj48gircqjgnn3af8zy2izjwmnlxrxsgs3h"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "py.test" "-v")))))))
     (native-inputs
      `(("python-py" ,python-py)
-       ("python-pytest" ,python-pytest)))
+       ("python-pytest" ,python-pytest-bootstrap)))
     (home-page "http://pypi.python.org/pypi/six/")
     (synopsis "Python 2 and 3 compatibility utilities")
     (description
@@ -1679,6 +1684,28 @@ bug tracker.")
     (home-page "http://www.liquidx.net/pybugz/")
     (license license:gpl2)))
 
+(define-public python2-enum
+  (package
+    (name "python2-enum")
+    (version "0.4.6")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "enum" version))
+              (sha256
+               (base32
+                "13lk3yrwj42vl30kw3c194f739nrfrdg64s6i0v2p636n4k8brsl"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (home-page "http://pypi.python.org/pypi/enum/")
+    (synopsis "Robust enumerated type support in Python")
+    (description
+     "This provides a module for robust enumerations in Python.  It has
+been superseded by the Python standard library and is provided only for
+compatibility.")
+    ;; Choice of either license.
+    (license (list license:gpl3+ license:psfl))))
+
 (define-public python-enum34
   (package
     (name "python-enum34")
@@ -1929,20 +1956,51 @@ interfaces and processes.")
 (define-public python2-nose2
   (package-with-python2 python-nose2))
 
+(define-public python2-funcsigs
+  (package
+    (name "python2-funcsigs")
+    (version "1.0.2")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "funcsigs" version))
+              (sha256
+               (base32
+                "0l4g5818ffyfmfs1a924811azhjj8ax9xd1cffr1mzd3ycn0zfx7"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (native-inputs
+     `(("python2-unittest2" ,python2-unittest2)))
+    (home-page "http://funcsigs.readthedocs.org")
+    (synopsis "Python function signatures from PEP362")
+    (description
+     "Backport of @code{funcsigs} which was introduced in Python 3.3.")
+    (license license:asl2.0)))
+
 (define-public python-unittest2
   (package
     (name "python-unittest2")
-    (version "0.5.1")
+    (version "1.1.0")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/u/unittest2py3k/unittest2py3k-"
-             version ".tar.gz"))
+       (uri (pypi-uri "unittest2" version))
+       (patches
+        (search-patches "python-unittest2-python3-compat.patch"
+                        "python-unittest2-remove-argparse.patch"))
        (sha256
         (base32
-         "00yl6lskygcrddx5zspkhr0ibgvpknl4678kkm6s626539grq93q"))))
+         "0y855kmx7a8rnf81d3lh5lyxai1908xjp0laf4glwa4c8472m212"))))
     (build-system python-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "python" "-m" "unittest2" "discover" "--verbose")))))))
+    (propagated-inputs
+     `(("python-six" ,python-six)
+       ("python-traceback2" ,python-traceback2)))
     (home-page "http://pypi.python.org/pypi/unittest2")
     (synopsis "Python unit testing library")
     (description
@@ -1951,26 +2009,7 @@ standard library.")
     (license license:psfl)))
 
 (define-public python2-unittest2
-  (package (inherit python-unittest2)
-    (name "python2-unittest2")
-    (version "1.1.0")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/u/unittest2/unittest2-"
-             version ".tar.gz"))
-       (sha256
-        (base32
-         "0y855kmx7a8rnf81d3lh5lyxai1908xjp0laf4glwa4c8472m212"))
-       (patches
-        (search-patches "python2-unittest2-remove-argparse.patch"))))
-    (propagated-inputs
-     `(("python2-six" ,python2-six)
-       ("python2-traceback2" ,python2-traceback2)))
-    (arguments
-     `(#:python ,python-2
-       #:tests? #f)))) ; no setup.py test command
+  (package-with-python2 python-unittest2))
 
 (define-public python-pafy
   (package
@@ -1999,14 +2038,14 @@ standard library.")
 (define-public python-py
   (package
     (name "python-py")
-    (version "1.4.32")
+    (version "1.4.34")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "py" version))
        (sha256
         (base32
-         "19s1pql9pq85h1qzsdwgyb8a3k1qgkvh33b02m8kfqhizz8rzf64"))))
+         "1qyd5z0hv8ymxy84v5vig3vps2fvhcf4bdlksb3r03h549fmhb8g"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: "ImportError: 'test' module incorrectly imported from
@@ -2027,30 +2066,39 @@ code introspection, and logging.")
 (define-public python-pytest
   (package
     (name "python-pytest")
-    (version "2.7.3")
+    (version "3.2.3")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/p/pytest/pytest-"
-             version ".tar.gz"))
+       (uri (pypi-uri "pytest" version))
        (sha256
         (base32
-         "1z4yi986f9n0p8qmzmn21m21m8j1x78hk3505f89baqm6pdw7afm"))
-       (modules '((guix build utils)))
-       (snippet
-        ;; One of the tests involves the /usr directory, so it fails.
-        '(substitute* "testing/test_argcomplete.py"
-           (("def test_remove_dir_prefix\\(self\\):")
-            "@pytest.mark.xfail\n    def test_remove_dir_prefix(self):")))))
+         "0g6w86ks73fnrnsyib9ii2rbyx830vn7aglsjqz9v1n2xwbndyi7"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'disable-invalid-tests
+           (lambda _
+             ;; Some tests involves the /usr directory, and fails.
+             (substitute* "testing/test_argcomplete.py"
+               (("def test_remove_dir_prefix\\(self\\):")
+                "@pytest.mark.xfail\n    def test_remove_dir_prefix(self):"))
+             (substitute* "testing/test_argcomplete.py"
+               (("def test_remove_dir_prefix" line)
+                (string-append "@pytest.mark.skip"
+                               "(reason=\"Assumes that /usr exists.\")\n    "
+                               line)))
+             #t)))))
     (propagated-inputs
      `(("python-py" ,python-py)))
     (native-inputs
      `(;; Tests need the "regular" bash since 'bash-final' lacks `compgen`.
        ("bash" ,bash)
+       ("python-hypothesis" ,python-hypothesis)
        ("python-nose" ,python-nose)
-       ("python-mock" ,python-mock)))
+       ("python-mock" ,python-mock)
+       ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "http://pytest.org")
     (synopsis "Python testing library")
     (description
@@ -2062,41 +2110,15 @@ and many external plugins.")
 (define-public python2-pytest
   (package-with-python2 python-pytest))
 
-;; Some packages require a newer pytest.
-(define-public python-pytest-3.0
+(define-public python-pytest-bootstrap
   (package
     (inherit python-pytest)
-    (name "python-pytest")
-    (version "3.0.7")
-    (source (origin
-              (method url-fetch)
-              (uri (pypi-uri "pytest" version))
-              (sha256
-               (base32
-                "1asc4b2nd2a4f0g3r12y97rslq5wliji7b73wwkvdrm5s7mrc1mp"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-before 'check 'disable-invalid-test
-           (lambda _
-             (substitute* "testing/test_argcomplete.py"
-               (("def test_remove_dir_prefix" line)
-                (string-append "@pytest.mark.skip"
-                               "(reason=\"Assumes that /usr exists.\")\n    "
-                               line)))
-             #t)))))
-    (native-inputs
-     `(("python-hypothesis" ,python-hypothesis)
-       ,@(package-native-inputs python-pytest)))
-    (properties `((python2-variant . ,(delay python2-pytest-3.0))))))
+    (name "python-pytest-bootstrap")
+    (native-inputs `(("python-setuptools-scm" ,python-setuptools-scm)))
+    (arguments `(#:tests? #f))))
 
-(define-public python2-pytest-3.0
-  (let ((base (package-with-python2
-                (strip-python2-variant python-pytest-3.0))))
-    (package (inherit base)
-      (native-inputs
-        `(("python2-enum34" ,python2-enum34)
-          ,@(package-native-inputs base))))))
+(define-public python2-pytest-bootstrap
+  (package-with-python2 python-pytest-bootstrap))
 
 (define-public python-pytest-cov
   (package
@@ -2158,7 +2180,7 @@ supports coverage of subprocesses.")
                (string-append "version = \"" ,version "\"")))
             #t)))))
     (native-inputs
-     `(("python-pytest" ,python-pytest)
+     `(("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "https://github.com/pytest-dev/pytest-runner")
     (synopsis "Invoke py.test as a distutils command")
@@ -2546,14 +2568,14 @@ have failed since the last commit or what tests are currently failing.")
 (define-public python-coverage
   (package
     (name "python-coverage")
-    (version "4.1")
+    (version "4.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "coverage" version))
        (sha256
         (base32
-         "01rbr4br4lsk0lwn8fb96zwd2xr4f0mg1w7iq3j11i8f5ig2nqs1"))))
+         "097l4s3ssxm1vncsn0nw3a1pbzah28773q36c1ab9wz01r04973s"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: 95 tests failed, 539 passed, 6 skipped, 2 errors.
@@ -2995,7 +3017,7 @@ somewhat intelligible.")
            #t))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/progrium/pyjwt")
@@ -3189,18 +3211,6 @@ for Python.")
         (base32
          "1zzrkywhziqffrzks14kzixz7nd4yh2vc0fb04a68vfd2ai03anx"))))
     (build-system python-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; These files cannot be built with Python < 3.6.  See
-         ;; https://github.com/pallets/jinja/issues/655
-         ;; FIXME: Remove this when the "python" package is upgraded.
-         (add-after 'unpack 'delete-incompatible-files
-           (lambda _
-             (for-each delete-file
-                       '("jinja2/asyncsupport.py"
-                         "jinja2/asyncfilters.py"))
-             #t)))))
     (propagated-inputs
      `(("python-markupsafe" ,python-markupsafe)))
     (home-page "http://jinja.pocoo.org/")
@@ -3451,7 +3461,7 @@ sources.")
      `(("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)
        ,@(package-propagated-inputs python-sphinx)))
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("imagemagick" ,imagemagick) ; for "convert"
        ,@(package-native-inputs python-sphinx)))
     (properties '())))
@@ -3469,7 +3479,7 @@ sources.")
         (base32
          "0kw1axswbvaavr8ggyf4qr6hnisnrzlbkkcdada69vk1x9xjassg"))))
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ,@(package-native-inputs python-sphinx)))))
 
 (define-public python2-sphinx
@@ -5420,7 +5430,7 @@ Python language binding specification.")
     (arguments '(#:tests? #f)) ; Test file 'grako.ebnf' is missing from archive.
     (native-inputs
      `(("unzip" ,unzip)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://bitbucket.org/neogeny/grako")
     (synopsis "EBNF parser generator")
@@ -5478,7 +5488,7 @@ cluster without needing to write any wrapper code yourself.")
         (base32 "0zizn61n5z5hq421hkypk9pw8s6fpxw30f4hsg7k4ivwzy3gjw9j"))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-mock" ,python-mock)
        ("python-tox" ,python-tox)
        ("which" ,which))) ;for tests
@@ -5541,7 +5551,7 @@ displayed.")
          (replace 'check (lambda _ (zero? (system* "nosetests" "-v")))))))
     (native-inputs
      `(("python-nose" ,python-nose)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("man-db" ,man-db)
        ("which" ,which)
        ("bash-full" ,bash)))                 ;full Bash for 'test_replwrap.py'
@@ -5562,13 +5572,13 @@ child application and control it as if a human were typing commands.")
 (define-public python-setuptools-scm
   (package
     (name "python-setuptools-scm")
-    (version "1.15.0")
+    (version "1.15.6")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "setuptools_scm" version))
               (sha256
                (base32
-                "0bwyc5markib0i7i2qlyhdzxhiywzxbkfiapldma8m91m82jvwfs"))))
+                "0pzvfmx8s20yrgkgwfbxaspz2x1g38qv61jpm0ns91lrb22ldas9"))))
     (build-system python-build-system)
     (home-page "https://github.com/pypa/setuptools_scm/")
     (synopsis "Manage Python package versions in SCM metadata")
@@ -6359,14 +6369,15 @@ implementation of D-Bus.")
 (define-public python-apsw
   (package
     (name "python-apsw")
-    (version "3.9.2-r1")
+    (version "3.20.1-r1")
     (source
       (origin
         (method url-fetch)
-        (uri (pypi-uri "apsw" version))
+        (uri (string-append "https://github.com/rogerbinns/apsw/archive/"
+                            version ".tar.gz"))
         (sha256
           (base32
-           "0w4jb0wpx785qw42r3h4fh7gl5w2968q48i7gygybsfxck8nzffs"))))
+           "00ai7m2pqi26qaflhz314d8k5i3syw7xzr145fhfl0crhyh6adz2"))))
     (build-system python-build-system)
     (inputs
       `(("sqlite" ,sqlite)))
@@ -7106,14 +7117,14 @@ PEP 8.")
 (define-public python-pyflakes
   (package
     (name "python-pyflakes")
-    (version "1.0.0")
+    (version "1.5.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pyflakes" version))
         (sha256
           (base32
-            "0qs2sgqszq7wcplis8509wk2ygqcrwzbs1ghfj3svvivq2j377pk"))))
+            "1x1pcca4a24k4pw8x1c77sgi58cg1wl2k38mp8a25k608pzls3da"))))
     (build-system python-build-system)
     (home-page
       "https://github.com/pyflakes/pyflakes")
@@ -7128,17 +7139,17 @@ PEP 8.")
 (define-public python-mccabe
   (package
     (name "python-mccabe")
-    (version "0.4.0")
+    (version "0.6.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "mccabe" version))
         (sha256
           (base32
-            "0yr08a36h8lqlif10l4xcikbbig7q8f41gqywir7rrvnv3mi4aws"))))
+            "07w3p1qm44hgxf3vvwz84kswpsx6s7kvaibzrsx5dzm0hli1i3fx"))))
     (build-system python-build-system)
     (native-inputs
-      `(("python-pytest" ,python-pytest)
+      `(("python-pytest" ,python-pytest-bootstrap)
         ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/flintwork/mccabe")
     (synopsis "McCabe checker, plugin for flake8")
@@ -7211,39 +7222,48 @@ complexity of Python source code.")
 (define-public python-flake8
   (package
     (name "python-flake8")
-    (version "2.5.4")
+    (version "3.4.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "flake8" version))
         (sha256
           (base32
-            "0bs9cz4fr99r2rwig1b8jwaadl1nan7kgpdzqwj0bwbckwbmh7nc"))
-        (modules '((guix build utils)))
-        (snippet
-         '(begin
-            ;; Remove pre-compiled .pyc files from source.
-            (for-each delete-file-recursively
-                      (find-files "." "__pycache__" #:directories? #t))
-            (for-each delete-file (find-files "." "\\.pyc$"))
-            #t))))
+            "1n0i38592vy3q0x2a9bf8z6rhhn04i30wsn5i5zzcj7qkxvl8062"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (delete 'check)
+         (add-after 'install 'check
+          (lambda* (#:key inputs outputs #:allow-other-keys)
+            (add-installed-pythonpath inputs outputs)
+            (zero? (system* "pytest" "-v")))))))
     (propagated-inputs
-      `(("python-pep8" ,python-pep8)
+      `(("python-pycodestyle" ,python-pycodestyle)
         ("python-pyflakes" ,python-pyflakes)
+        ;; flake8 depends on a newer setuptools than provided by python.
+        ("python-setuptools" ,python-setuptools)
         ("python-mccabe" ,python-mccabe)))
     (native-inputs
       `(("python-mock" ,python-mock) ; TODO: only required for < 3.3
-        ("python-nose" ,python-nose)))
+        ("python-pytest" ,python-pytest-bootstrap)
+        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://gitlab.com/pycqa/flake8")
     (synopsis
       "The modular source code checker: pep8, pyflakes and co")
     (description
       "Flake8 is a wrapper around PyFlakes, pep8 and python-mccabe.")
+    (properties `((python2-variant . ,(delay python2-flake8))))
     (license license:expat)))
 
 (define-public python2-flake8
-  (package-with-python2 python-flake8))
+  (let ((base (package-with-python2 (strip-python2-variant python-flake8))))
+    (package (inherit base)
+      (propagated-inputs
+       `(("python2-configparser" ,python2-configparser)
+         ("python2-enum" ,python2-enum)
+          ,@(package-propagated-inputs base))))))
 
 (define-public python-flake8-polyfill
   (package
@@ -8124,7 +8144,7 @@ responses, rather than doing any computation.")
        ("python-hypothesis" ,python-hypothesis)
        ("python-pretend" ,python-pretend)
        ("python-pytz" ,python-pytz)
-       ("python-pytest" ,python-pytest-3.0)))
+       ("python-pytest" ,python-pytest)))
     (home-page "https://github.com/pyca/cryptography")
     (synopsis "Cryptographic recipes and primitives for Python")
     (description
@@ -8184,7 +8204,7 @@ message digests and key derivation functions.")
     (native-inputs
      `(("python-flaky" ,python-flaky)
        ("python-pretend" ,python-pretend)
-       ("python-pytest" ,python-pytest-3.0)))
+       ("python-pytest" ,python-pytest)))
     (home-page "https://github.com/pyca/pyopenssl")
     (synopsis "Python wrapper module around the OpenSSL library")
     (description
@@ -10264,7 +10284,7 @@ Amazon Web Services (AWS) API.")
     (build-system python-build-system)
     (native-inputs
      `(("python-flake8" ,python-flake8)
-       ("python-pytest" ,python-pytest)))
+       ("python-pytest" ,python-pytest-bootstrap)))
     (synopsis "Library for property based testing")
     (description "Hypothesis is a library for testing your Python code against a
 much larger range of examples than you would ever want to write by hand.  It’s
@@ -15161,7 +15181,7 @@ for Flask.")
          "0gf2dpahpl5igb7jh1sr9acj3z3gp7zahqdqb69nk6wx01c8kc1g"))))
     (build-system python-build-system)
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "https://github.com/fschulze/pytest-warnings")
     (synopsis "Pytest plugin to list Python warnings in pytest report")
     (description
@@ -15185,7 +15205,7 @@ pytest report.")
          "038049nyjl7di59ycnxvc9nydivc5m8np3hqq84j2iirkccdbs5n"))))
     (build-system python-build-system)
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "http://bitbucket.org/memedough/pytest-capturelog/overview")
     (synopsis "Pytest plugin to catch log messages")
     (description
@@ -15210,7 +15230,7 @@ pytest report.")
     (native-inputs
      `(("unzip" ,unzip)))
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "https://github.com/eisensheng/pytest-catchlog")
     (synopsis "Pytest plugin to catch log messages")
     (description
@@ -16201,7 +16221,7 @@ address is valid and really exists.")
      `(("python-dateutil" ,python-dateutil)
        ("python-simplejson" ,python-simplejson)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytz" ,python-pytz)))
     (home-page "https://github.com/marshmallow-code/marshmallow")
     (synopsis "Convert complex datatypes to and from native
@@ -16248,7 +16268,7 @@ complex datatypes to and from native Python datatypes.")
     (propagated-inputs
      `(("python-pyyaml" ,python-pyyaml)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-flask" ,python-flask)
        ("python-marshmallow" ,python-marshmallow)
        ("python-tornado" ,python-tornado)
@@ -16301,7 +16321,7 @@ Swagger 2.0).")
        ("python-flake8" ,python-flake8)
        ("python-flask-restful" ,python-flask-restful)
        ("python-flex" ,python-flex)
-       ("python-pytest-3.0" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-marshmallow" ,python-marshmallow)
        ("python-apispec" ,python-apispec)))
@@ -16804,7 +16824,7 @@ their files and supports any packaging format (including wheels).")
      `(;; The tests depend on unittest2, and our version is a bit too old.
        #:tests? #f))
     (native-inputs
-     `(("python-pbr" ,python-pbr)))
+     `(("python-pbr" ,python-pbr-minimal)))
     (home-page
       "https://github.com/testing-cabal/linecache2")
     (synopsis "Backports of the linecache module")
@@ -16833,7 +16853,7 @@ lines are read from a single file.")
      `(;; python-traceback2 and python-unittest2 depend on one another.
        #:tests? #f))
     (native-inputs
-     `(("python-pbr" ,python-pbr)))
+     `(("python-pbr" ,python-pbr-minimal)))
     (propagated-inputs
       `(("python-linecache2" ,python-linecache2)))
     (home-page
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index caab8fac4b..5a7548df68 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2015, 2016, 2017 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 8c33023bd0..c7f2f4840f 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,19 +31,17 @@
   #:use-module (gnu packages ncurses))
 
 (define-public texinfo
-  ;; TODO: Merge with 'texinfo-latest' on the next core-updates.
   (package
     (name "texinfo")
-    (version "6.3")
+    (version "6.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0fpr9kdjjl6nj2pc50k2zr7134hvqz8bi8pfqa7131a9lpzz6v14"))))
+                "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
     (build-system gnu-build-system)
-    (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
               ("perl" ,perl)))
 
@@ -63,19 +62,6 @@ their source and the command-line Info reader.  The emphasis of the language
 is on expressing the content semantically, avoiding physical markup commands.")
     (license gpl3+)))
 
-(define-public texinfo-latest
-  ;; TODO: Turn this into 'texinfo' on the next core-updates cycle.
-  (package (inherit texinfo)
-    (version "6.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/texinfo/texinfo-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
-    (native-inputs '())))
-
 (define-public texinfo-5
   (package (inherit texinfo)
     (version "5.2")
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 075ea7a1c2..bb66fabc4c 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -56,7 +56,6 @@
   (package
     (name "libtasn1")
     (version "4.12")
-    (replacement libtasn1/fixed)
     (source
      (origin
       (method url-fetch)
@@ -64,7 +63,8 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
+        "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))
+      (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (home-page "https://www.gnu.org/software/libtasn1/")
@@ -76,13 +76,6 @@ networking, allowing for formal validation of data according to some
 specifications.")
     (license license:lgpl2.0+)))
 
-(define libtasn1/fixed
-  (package
-    (inherit libtasn1)
-    (source (origin
-              (inherit (package-source libtasn1))
-              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
-
 (define-public asn1c
   (package
     (name "asn1c")
@@ -522,7 +515,7 @@ netcat implementation that supports TLS.")
                #t))))))
     ;; TODO: Add optional inputs for testing.
     (native-inputs
-     `(("python-mock" ,python-mock-2)
+     `(("python-mock" ,python-mock)
        ;; For documentation
        ("python-sphinx" ,python-sphinx)
        ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
@@ -571,7 +564,7 @@ netcat implementation that supports TLS.")
     ;; TODO: Add optional inputs for testing.
     (native-inputs
      `(("python-nose" ,python-nose)
-       ("python-mock" ,python-mock-2)
+       ("python-mock" ,python-mock)
        ;; For documentation
        ("python-sphinx" ,python-sphinx)
        ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index eea8bb63a8..22a8ea0c43 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -5154,7 +5154,7 @@ command-line arguments or read from stdin.")
        ("python-schema" ,python-schema-0.5)
        ("python-backports-csv" ,python-backports-csv)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-capturelog" ,python-pytest-capturelog)
        ("python-responses" ,python-responses)))
     (home-page "https://github.com/jjjake/internetarchive")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index c4bd67117d..c91e72a5a2 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
@@ -57,15 +57,14 @@
 (define-public expat
   (package
     (name "expat")
-    (version "2.2.1")
-    (replacement expat-2.2.4)
+    (version "2.2.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
-               "11c8jy1wvllvlk7xdc5cm8hdhg0hvs8j0aqy6s702an8wkdcls0q"))))
+               "17h1fb9zvqvf0sr78j211bngc6jpql5wzar8fg9b52jzjvdqbb83"))))
     (build-system gnu-build-system)
     (home-page "http://www.libexpat.org/")
     (synopsis "Stream-oriented XML parser library written in C")
@@ -75,18 +74,6 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define expat-2.2.4  ; Fix CVE-{2016-9063,2017-9233,2017-11742} & other issues.
-  (package
-    (inherit expat)
-    (version "2.2.4")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/expat/expat/"
-                                 version "/expat-" version ".tar.bz2"))
-             (sha256
-              (base32
-               "17h1fb9zvqvf0sr78j211bngc6jpql5wzar8fg9b52jzjvdqbb83"))))))
-
 (define-public libebml
   (package
     (name "libebml")
@@ -111,17 +98,14 @@ hierarchical form with variable field lengths.")
 (define-public libxml2
   (package
     (name "libxml2")
-    (version "2.9.4")
-    (replacement libxml2/fixed)
+    (version "2.9.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))
-             (patches (search-patches "libxml2-CVE-2016-4658.patch"
-                                      "libxml2-CVE-2016-5131.patch"))
              (sha256
               (base32
-               "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
+               "1g7byn6y0yw17rl74gs89xnxrpwj424938rf8qfqh3i4lz63i44b"))))
     (build-system gnu-build-system)
     (home-page "http://www.xmlsoft.org/")
     (synopsis "C parser for XML")
@@ -141,20 +125,6 @@ hierarchical form with variable field lengths.")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
-(define libxml2/fixed
-  (package
-    (inherit libxml2)
-    (source
-     (origin
-       (inherit (package-source libxml2))
-       (patches
-        (append (origin-patches (package-source libxml2))
-        (search-patches "libxml2-CVE-2017-0663.patch"
-                        "libxml2-CVE-2017-7375.patch"
-                        "libxml2-CVE-2017-7376.patch"
-                        "libxml2-CVE-2017-9047+CVE-2017-9048.patch"
-                        "libxml2-CVE-2017-9049+CVE-2017-9050.patch")))))))
-
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")
@@ -187,15 +157,14 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
-    (version "1.1.29")
+    (version "1.1.31")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                  version ".tar.gz"))
-             (patches (search-patches "libxslt-CVE-2016-4738.patch"))
              (sha256
               (base32
-               "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
+               "1azk48vf91nfajhm7k9cz3zrvh0aaq85ph37gqkl84c0ddmyj9fv"))
              (patches (search-patches "libxslt-generated-ids.patch"))))
     (build-system gnu-build-system)
     (home-page "http://xmlsoft.org/XSLT/index.html")
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 5820b3d6ad..4c03a858c2 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -3818,7 +3818,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.21")
+    (version "2.22")
     (source
       (origin
         (method url-fetch)
@@ -3828,7 +3828,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1iffxpchy6dfgbby23nfsqqk17h9lfddlmjnhwagqag1z94p1h9h"))))
+            "1garmbyfjp0han04l2l90zzwlfbdgdxl6r1qnic36i5wkycckbny"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -4892,24 +4892,16 @@ new API's in libXft, or the legacy API's in libX11.")
   (package
     (inherit libxfont)
     (version "2.0.1")
-    (replacement libxfont2/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
                                   version ".tar.bz2"))
+              (patches (search-patches "libxfont-CVE-2017-13720.patch"
+                                       "libxfont-CVE-2017-13722.patch"))
               (sha256
                (base32
                 "0znvwk36nhmyqpmhbm9mzisgixp1mp5qkfald8x1n5yxbm3vpyz9"))))))
 
-(define libxfont2/fixed
-  (package
-    (inherit libxfont2)
-    (source
-     (origin
-       (inherit (package-source libxfont2))
-       (patches (search-patches "libxfont-CVE-2017-13720.patch"
-                                "libxfont-CVE-2017-13722.patch"))))))
-
 (define-public libxi
   (package
     (name "libxi")
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index 7391307c87..d7ed3d5177 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -29,6 +29,7 @@
   #:use-module (ice-9 regex)
   #:use-module (ice-9 rdelim)
   #:use-module (ice-9 format)
+  #:use-module (ice-9 threads)
   #:use-module (rnrs bytevectors)
   #:use-module (rnrs io ports)
   #:re-export (alist-cons
diff --git a/guix/download.scm b/guix/download.scm
index 17dac3f8ef..1bd4875b10 100644
--- a/guix/download.scm
+++ b/guix/download.scm
@@ -447,89 +447,6 @@ download by itself using its own dependencies."
                     ;; for that built-in is widespread.
                     #:local-build? #t)))
 
-(define* (in-band-download file-name url
-                           #:key system hash-algo hash
-                           mirrors content-addressed-mirrors
-                           guile)
-  "Download FILE-NAME from URL using a normal, \"in-band\" fixed-output
-derivation.
-
-This is now deprecated since it has the drawback of causing bootstrapping
-issues: we may need to build GnuTLS just to be able to download the source of
-GnuTLS itself and its dependencies.  See <http://bugs.gnu.org/22774>."
-  (define need-gnutls?
-    ;; True if any of the URLs need TLS support.
-    (let ((https? (cut string-prefix? "https://" <>)))
-      (match url
-        ((? string?)
-         (https? url))
-        ((url ...)
-         (any https? url)))))
-
-  (define builder
-    (with-imported-modules '((guix build download)
-                             (guix build utils)
-                             (guix ftp-client)
-                             (guix base32)
-                             (guix base64))
-      #~(begin
-          #+(if need-gnutls?
-
-                ;; Add GnuTLS to the inputs and to the load path.
-                #~(eval-when (load expand eval)
-                    (set! %load-path
-                      (cons (string-append #+(gnutls-package)
-                                           "/share/guile/site/"
-                                           (effective-version))
-                            %load-path)))
-                #~#t)
-
-          (use-modules (guix build download)
-                       (guix base32))
-
-          (let ((value-from-environment (lambda (variable)
-                                          (call-with-input-string
-                                              (getenv variable)
-                                            read))))
-            (url-fetch (value-from-environment "guix download url")
-                       #$output
-                       #:mirrors (call-with-input-file #$mirrors read)
-
-                       ;; Content-addressed mirrors.
-                       #:hashes
-                       (value-from-environment "guix download hashes")
-                       #:content-addressed-mirrors
-                       (primitive-load #$content-addressed-mirrors)
-
-                       ;; No need to validate certificates since we know the
-                       ;; hash of the expected result.
-                       #:verify-certificate? #f)))))
-
-  (mlet %store-monad ((guile (package->derivation guile system)))
-    (gexp->derivation file-name builder
-                      #:guile-for-build guile
-                      #:system system
-                      #:hash-algo hash-algo
-                      #:hash hash
-
-                      ;; Use environment variables and a fixed script
-                      ;; name so there's only one script in store for
-                      ;; all the downloads.
-                      #:script-name "download"
-                      #:env-vars
-                      `(("guix download url" . ,(object->string url))
-                        ("guix download hashes"
-                         . ,(object->string `((,hash-algo . ,hash)))))
-
-                      ;; Honor the user's proxy settings.
-                      #:leaked-env-vars '("http_proxy" "https_proxy")
-
-                      ;; In general, offloading downloads is not a good
-                      ;; idea.  Daemons before 0.8.3 would also
-                      ;; interpret this as "do not substitute" (see
-                      ;; <https://bugs.gnu.org/18747>.)
-                      #:local-build? #t)))
-
 (define* (url-fetch url hash-algo hash
                     #:optional name
                     #:key (system (%current-system))
@@ -556,18 +473,21 @@ in the store."
             (and uri (memq (uri-scheme uri) '(#f file))))
         (interned-file (if uri (uri-path uri) url)
                        (or name file-name))
-        (mlet* %store-monad ((builtins (built-in-builders*))
-                             (download -> (if (member "download" builtins)
-                                              built-in-download
-                                              in-band-download)))
-          (download (or name file-name) url
-                    #:guile guile
-                    #:system system
-                    #:hash-algo hash-algo
-                    #:hash hash
-                    #:mirrors %mirror-file
-                    #:content-addressed-mirrors
-                    %content-addressed-mirror-file)))))
+        (mlet %store-monad ((builtins (built-in-builders*)))
+          ;; The "download" built-in builder was added in guix-daemon in
+          ;; Nov. 2016 and made it in the 0.12.0 release of Dec. 2016.  We now
+          ;; require it.
+          (unless (member "download" builtins)
+            (error "'guix-daemon' is too old, please upgrade" builtins))
+
+          (built-in-download (or name file-name) url
+                             #:guile guile
+                             #:system system
+                             #:hash-algo hash-algo
+                             #:hash hash
+                             #:mirrors %mirror-file
+                             #:content-addressed-mirrors
+                             %content-addressed-mirror-file)))))
 
 (define* (url-fetch/tarbomb url hash-algo hash
                             #:optional name