summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am2
-rw-r--r--doc/guix.texi7
-rw-r--r--gnu/local.mk10
-rw-r--r--gnu/packages/admin.scm26
-rw-r--r--gnu/packages/audio.scm32
-rw-r--r--gnu/packages/axoloti.scm352
-rw-r--r--gnu/packages/backup.scm108
-rw-r--r--gnu/packages/bioinformatics.scm173
-rw-r--r--gnu/packages/check.scm4
-rw-r--r--gnu/packages/compression.scm38
-rw-r--r--gnu/packages/cran.scm24
-rw-r--r--gnu/packages/crypto.scm2
-rw-r--r--gnu/packages/cups.scm4
-rw-r--r--gnu/packages/databases.scm4
-rw-r--r--gnu/packages/display-managers.scm9
-rw-r--r--gnu/packages/dns.scm10
-rw-r--r--gnu/packages/emacs.scm32
-rw-r--r--gnu/packages/engineering.scm2
-rw-r--r--gnu/packages/erlang.scm2
-rw-r--r--gnu/packages/fonts.scm21
-rw-r--r--gnu/packages/game-development.scm5
-rw-r--r--gnu/packages/games.scm22
-rw-r--r--gnu/packages/gnome.scm19
-rw-r--r--gnu/packages/graph.scm30
-rw-r--r--gnu/packages/graphics.scm2
-rw-r--r--gnu/packages/gtk.scm6
-rw-r--r--gnu/packages/haskell.scm6
-rw-r--r--gnu/packages/irc.scm4
-rw-r--r--gnu/packages/java.scm4
-rw-r--r--gnu/packages/kde-frameworks.scm2
-rw-r--r--gnu/packages/lighting.scm5
-rw-r--r--gnu/packages/linux.scm37
-rw-r--r--gnu/packages/mail.scm23
-rw-r--r--gnu/packages/mate.scm28
-rw-r--r--gnu/packages/messaging.scm4
-rw-r--r--gnu/packages/mp3.scm8
-rw-r--r--gnu/packages/music.scm12
-rw-r--r--gnu/packages/musl.scm5
-rw-r--r--gnu/packages/networking.scm8
-rw-r--r--gnu/packages/ocaml.scm76
-rw-r--r--gnu/packages/package-management.scm6
-rw-r--r--gnu/packages/password-utils.scm5
-rw-r--r--gnu/packages/patches/libusb-for-axoloti.patch14
-rw-r--r--gnu/packages/patches/libvirt-CVE-2017-1000256.patch84
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-15587.patch21
-rw-r--r--gnu/packages/patches/musl-CVE-2016-8859.patch81
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2017-13082.patch182
-rw-r--r--gnu/packages/patches/wpa-supplicant-fix-key-reuse.patch448
-rw-r--r--gnu/packages/patches/wpa-supplicant-fix-nonce-reuse.patch72
-rw-r--r--gnu/packages/patches/wpa-supplicant-fix-zeroed-keys.patch86
-rw-r--r--gnu/packages/patches/wpa-supplicant-krack-followups.patch275
-rw-r--r--gnu/packages/patchutils.scm2
-rw-r--r--gnu/packages/pdf.scm38
-rw-r--r--gnu/packages/perl.scm67
-rw-r--r--gnu/packages/protobuf.scm55
-rw-r--r--gnu/packages/python.scm58
-rw-r--r--gnu/packages/qt.scm14
-rw-r--r--gnu/packages/serialization.scm2
-rw-r--r--gnu/packages/spice.scm4
-rw-r--r--gnu/packages/statistics.scm28
-rw-r--r--gnu/packages/textutils.scm41
-rw-r--r--gnu/packages/version-control.scm32
-rw-r--r--gnu/packages/video.scm91
-rw-r--r--gnu/packages/vim.scm4
-rw-r--r--gnu/packages/virtualization.scm31
-rw-r--r--gnu/packages/web.scm8
-rw-r--r--gnu/packages/webkit.scm4
-rw-r--r--gnu/packages/xdisorg.scm4
-rw-r--r--gnu/packages/xiph.scm13
-rw-r--r--gnu/system/vm.scm10
-rw-r--r--guix/build-system/r.scm2
-rw-r--r--guix/build/download-nar.scm125
-rw-r--r--guix/build/download.scm216
-rw-r--r--guix/cvs-download.scm38
-rw-r--r--guix/git-download.scm37
-rw-r--r--guix/hg-download.scm36
-rw-r--r--guix/import/cran.scm8
-rw-r--r--guix/progress.scm228
-rw-r--r--guix/scripts/download.scm4
-rwxr-xr-xguix/scripts/substitute.scm16
-rw-r--r--guix/utils.scm30
81 files changed, 3037 insertions, 651 deletions
diff --git a/Makefile.am b/Makefile.am
index 9bd81c3881..817421069b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,6 +47,7 @@ MODULES =					\
   guix/hash.scm					\
   guix/pk-crypto.scm				\
   guix/pki.scm					\
+  guix/progress.scm				\
   guix/combinators.scm				\
   guix/memoization.scm				\
   guix/utils.scm				\
@@ -105,6 +106,7 @@ MODULES =					\
   guix/ui.scm					\
   guix/build/ant-build-system.scm		\
   guix/build/download.scm			\
+  guix/build/download-nar.scm			\
   guix/build/cargo-build-system.scm		\
   guix/build/cmake-build-system.scm		\
   guix/build/dub-build-system.scm		\
diff --git a/doc/guix.texi b/doc/guix.texi
index b7f4f88f92..7d7d556697 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -5881,7 +5881,7 @@ dependency graph of the given upstream package recursively and generate
 package expressions for all those packages that are not yet in Guix.
 
 When @code{--archive=bioconductor} is added, metadata is imported from
-@uref{http://www.bioconductor.org/, Bioconductor}, a repository of R
+@uref{https://www.bioconductor.org/, Bioconductor}, a repository of R
 packages for for the analysis and comprehension of high-throughput
 genomic data in bioinformatics.
 
@@ -6236,7 +6236,7 @@ the updater for @uref{http://elpa.gnu.org/, ELPA} packages;
 @item cran
 the updater for @uref{http://cran.r-project.org/, CRAN} packages;
 @item bioconductor
-the updater for @uref{http://www.bioconductor.org/, Bioconductor} R packages;
+the updater for @uref{https://www.bioconductor.org/, Bioconductor} R packages;
 @item cpan
 the updater for @uref{http://www.cpan.org/, CPAN} packages;
 @item pypi
@@ -18605,7 +18605,8 @@ The boot script is what the initial RAM disk runs when booting.
 @end defvr
 
 @defvr {Scheme Variable} etc-service-type
-The type of the @file{/etc} service.  This service can be extended by
+The type of the @file{/etc} service.  This service is used to create
+files under @file{/etc} and can be extended by
 passing it name/file tuples such as:
 
 @example
diff --git a/gnu/local.mk b/gnu/local.mk
index 6c65090621..6c1cde7ac4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -66,6 +66,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/autotools.scm			\
   %D%/packages/avahi.scm			\
   %D%/packages/avr.scm				\
+  %D%/packages/axoloti.scm			\
   %D%/packages/backup.scm			\
   %D%/packages/base.scm				\
   %D%/packages/bash.scm				\
@@ -810,6 +811,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libunistring-gnulib-multi-core.patch	\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
+  %D%/packages/patches/libusb-for-axoloti.patch			\
+  %D%/packages/patches/libvirt-CVE-2017-1000256.patch		\
   %D%/packages/patches/libvisio-fix-tests.patch			\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
@@ -864,8 +867,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/mozjs38-version-detection.patch		\
   %D%/packages/patches/mumps-build-parallelism.patch		\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
+  %D%/packages/patches/mupdf-CVE-2017-15587.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
-  %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
   %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch	\
   %D%/packages/patches/net-tools-bitrot.patch			\
@@ -1092,6 +1095,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/wordnet-CVE-2008-2149.patch			\
   %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch			\
   %D%/packages/patches/wordnet-CVE-2008-3908-pt2.patch			\
+  %D%/packages/patches/wpa-supplicant-CVE-2017-13082.patch	\
+  %D%/packages/patches/wpa-supplicant-fix-key-reuse.patch	\
+  %D%/packages/patches/wpa-supplicant-fix-zeroed-keys.patch	\
+  %D%/packages/patches/wpa-supplicant-fix-nonce-reuse.patch	\
+  %D%/packages/patches/wpa-supplicant-krack-followups.patch	\
   %D%/packages/patches/xcb-proto-python3-print.patch		\
   %D%/packages/patches/xcb-proto-python3-whitespace.patch	\
   %D%/packages/patches/xdotool-fix-makefile.patch               \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index bc8dc48f0e..cb5e86d39a 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -783,6 +783,11 @@ over ssh connections.")
                                          "/etc"))
 
        #:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'patch-paths
+                    (lambda _
+                      (substitute* "rc/rc"
+                        (("/usr/sbin/sendmail") "sendmail"))
+                      #t))
                   (add-after 'build 'set-packdir
                     (lambda _
                       ;; Set a default location for archived logs.
@@ -902,6 +907,11 @@ commands and their arguments.")
                     "http://w1.fi/releases/wpa_supplicant-"
                     version
                     ".tar.gz"))
+              (patches (search-patches "wpa-supplicant-CVE-2017-13082.patch"
+                                       "wpa-supplicant-fix-key-reuse.patch"
+                                       "wpa-supplicant-fix-zeroed-keys.patch"
+                                       "wpa-supplicant-fix-nonce-reuse.patch"
+                                       "wpa-supplicant-krack-followups.patch"))
               (sha256
                (base32
                 "0l0l5gz3d5j9bqjsbjlfcv4w4jwndllp9fmyai4x9kg6qhs6v4xl"))))
@@ -2134,7 +2144,7 @@ tool for remote execution and deployment.")
 (define-public neofetch
   (package
     (name "neofetch")
-    (version "3.2.0")
+    (version "3.3.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/dylanaraps/neofetch/"
@@ -2142,10 +2152,10 @@ tool for remote execution and deployment.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "07a32rzmch51znxspzyc7zyaldmr383v70b49wmnjdjs2qfdbv3a"))))
+                "15p69q0jchfms1fpb4i7kq8b28w2xpgh2zmynln618qxv1myf228"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:tests? #f                      ; there are no tests
+     `(#:tests? #f                      ; there are no tests
        #:make-flags
        (list (string-append "PREFIX=" %output))
        #:phases
@@ -2162,7 +2172,15 @@ tool for remote execution and deployment.")
                  (("\"/usr/share/neofetch")
                   (string-append "\"" out "/share/neofetch"))))
              #t))
-         (delete 'configure))))
+         (delete 'configure)            ; no configure script
+         (replace 'install
+           (lambda* (#:key make-flags outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (doc (string-append out "/share/doc/" ,name "-" ,version))
+                    (etc (string-append doc "/examples/etc")))
+               (zero? (apply system* `("make" ,@make-flags
+                                       ,(string-append "SYSCONFDIR=" etc)
+                                       "install")))))))))
     (home-page "https://github.com/dylanaraps/neofetch")
     (synopsis "System info script")
     (description "Neofetch is a CLI system information tool written in Bash.
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index e0aa1705e2..aaac1c357e 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -580,7 +580,7 @@ emulation (valve, tape), bit fiddling (decimator, pointer-cast), etc.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0f67vyy3r29hn26qkkcwnizrnzzy8p7gmg3say5q3wjhxns3b5yl"))))
+                "0xqpqws4jsv7fyawcjzwaw544qbfh29xq164kdf30a9v1n3yklp4"))))
     (build-system cmake-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)
@@ -1660,6 +1660,21 @@ add functionality to support the needs of increasingly powerful audio
 software.")
     (license license:isc)))
 
+(define-public lv2-devel
+  (let ((commit "39c7c726cd52b2863fcea356cafe1bcab2ba7f37")
+        (revision "1"))
+    (package (inherit lv2)
+      (name "lv2-devel")
+      (version (string-append "1.15.3-" revision "." (string-take commit 7)))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "http://lv2plug.in/git/lv2.git")
+                      (commit commit)))
+                (sha256
+                 (base32
+                  "1gp2rd99dfmpibvpixrqn115mrhybzf3if3h8bssf6siyi13f29r")))))))
+
 (define-public lv2-mda-piano
   (package
     (name "lv2-mda-piano")
@@ -1916,11 +1931,11 @@ aimed at audio/musical applications.")
     (license license:gpl2+)))
 
 (define-public raul-devel
-  (let ((commit "f8bf77d3c3b77830aedafb9ebb5cdadfea7ed07a")
+  (let ((commit "4db870b2b20b0a608ec0283139056b836c5b1624")
         (revision "1"))
     (package (inherit raul)
       (name "raul")
-      (version (string-append "0.8.4-" revision "."
+      (version (string-append "0.8.9-" revision "."
                               (string-take commit 9)))
       (source (origin
                 (method git-fetch)
@@ -1930,7 +1945,7 @@ aimed at audio/musical applications.")
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
-                  "1lby508fb0n8ks6iz959sh18fc37br39d6pbapwvbcw5nckdrxwj")))))))
+                  "04fajrass3ymr72flx5js5vxc601ccrmx8ny8scp0rw7j0igyjdr")))))))
 
 (define-public rubberband
   (package
@@ -2040,14 +2055,14 @@ the Turtle syntax.")
 (define-public suil
   (package
     (name "suil")
-    (version "0.8.4")
+    (version "0.10.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://download.drobilla.net/suil-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "1kji3lhha26qr6xm9j8ic5c40zbrrb5qnwm2qxzmsfxgmrz29wkf"))))
+               "0j489gm3fhnmwmbgw30bvd4byw1vsy4yazdlnji8jzhcz0qwb5cq"))))
     (build-system waf-build-system)
     (arguments
      `(#:tests? #f ; no check target
@@ -2055,7 +2070,8 @@ the Turtle syntax.")
        '("CXXFLAGS=-std=gnu++11")))
     (inputs
      `(("lv2" ,lv2)
-       ("gtk+-2" ,gtk+-2)
+       ("gtk+" ,gtk+-2)
+       ("gtk+" ,gtk+)
        ("qt" ,qtbase)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -2069,7 +2085,7 @@ toolkit.  The API is designed such that hosts do not need to explicitly
 support specific toolkits – if Suil supports a particular toolkit, then UIs in
 that toolkit will work in all hosts that use Suil automatically.
 
-Suil currently supports every combination of Gtk 2, Qt 4, and X11.")
+Suil currently supports every combination of Gtk, Qt, and X11.")
     (license license:isc)))
 
 (define-public timidity++
diff --git a/gnu/packages/axoloti.scm b/gnu/packages/axoloti.scm
new file mode 100644
index 0000000000..8ce4a63131
--- /dev/null
+++ b/gnu/packages/axoloti.scm
@@ -0,0 +1,352 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages axoloti)
+  #:use-module (guix utils)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix build-system gnu)
+  #:use-module (guix build-system ant)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages cross-base)
+  #:use-module (gnu packages embedded)
+  #:use-module (gnu packages flashing-tools)
+  #:use-module (gnu packages java)
+  #:use-module (gnu packages libusb)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages textutils)
+  #:use-module (gnu packages version-control)
+  #:use-module (gnu packages xml))
+
+(define libusb-for-axoloti
+  (package (inherit libusb)
+    (name "axoloti-libusb")
+    (version (package-version libusb))
+    (source
+     (origin
+       (inherit (package-source libusb))
+       (patches (list (search-patch "libusb-for-axoloti.patch")))))))
+
+(define dfu-util-for-axoloti
+  (package (inherit dfu-util)
+    (name "axoloti-dfu-util")
+    (version "0.8")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://dfu-util.sourceforge.net/releases/"
+                           "dfu-util-" version ".tar.gz"))
+       (sha256
+        (base32
+         "0n7h08avlzin04j93m6hkq9id6hxjiiix7ff9gc2n89aw6dxxjsm"))))
+    (inputs
+     `(("libusb" ,libusb-for-axoloti)))))
+
+(define-public axoloti-runtime
+  (package
+    (name "axoloti-runtime")
+    (version "1.0.12")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/axoloti/axoloti/"
+                                  "archive/" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1dynk6h0nixp4zihpirpqa4vi8fq1lhm443jsmvhk135ykhf364p"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Remove pre-built Java binaries.
+                  (delete-file-recursively "lib/")
+                  #t))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f ; no check target
+       #:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-1)
+                  (srfi srfi-26)
+                  (ice-9 match)
+                  (ice-9 regex))
+       #:imported-modules ((guix build syscalls)
+                           ,@%gnu-build-system-modules)
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'patch-paths
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; prepare ChibiOS
+             (and (zero? (system* "unzip" "-o" (assoc-ref inputs "chibios")))
+                  (zero? (system* "mv" "ChibiOS_2.6.9" "chibios"))
+                  (with-directory-excursion "chibios/ext"
+                    (zero? (system* "unzip" "-o" "fatfs-0.9-patched.zip"))))
+
+             ;; Remove source of non-determinism in ChibiOS
+             (substitute* "chibios/os/various/shell.c"
+               (("#ifdef __DATE__") "#if 0"))
+
+             ;; Patch shell paths
+             (substitute* '("src/main/java/qcmds/QCmdCompileFirmware.java"
+                            "src/main/java/qcmds/QCmdCompilePatch.java"
+                            "src/main/java/qcmds/QCmdFlashDFU.java")
+               (("/bin/sh") (which "sh")))
+
+             ;; Override cross compiler base name
+             (substitute* "firmware/Makefile.patch"
+               (("arm-none-eabi-(gcc|g\\+\\+|objcopy|objdump)" tool)
+                (which tool)))
+
+             ;; Hardcode full path to compiler tools
+             (substitute* '("firmware/Makefile"
+                            "firmware/flasher/Makefile"
+                            "firmware/mounter/Makefile")
+               (("TRGT =.*")
+                (string-append "TRGT = "
+                               (assoc-ref inputs "cross-toolchain")
+                               "/bin/arm-none-eabi-\n")))
+
+             ;; Hardcode path to "make"
+             (substitute* '("firmware/compile_firmware_linux.sh"
+                            "firmware/compile_patch_linux.sh")
+               (("make") (which "make")))
+
+             ;; Hardcode path to "dfu-util"
+             (substitute* "platform_linux/upload_fw_dfu.sh"
+               (("-f \"\\$\\{platformdir\\}/bin/dfu-util\"") "-z \"\"")
+               (("\\./dfu-util") (which "dfu-util")))
+             #t))
+         (delete 'configure)
+         (replace 'build
+           ;; Build Axoloti firmware with cross-compiler
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let* ((toolchain (assoc-ref inputs "cross-toolchain"))
+                    (headers   (string-append
+                                toolchain
+                                "/arm-none-eabi/include:"
+                                toolchain
+                                "/arm-none-eabi/include/arm-none-eabi/armv7e-m")))
+               (setenv "CROSS_CPATH" headers)
+               (setenv "CROSS_CPLUS_INCLUDE_PATH" headers)
+               (setenv "CROSS_LIBRARY_PATH"
+                       (string-append toolchain
+                                      "/arm-none-eabi/lib")))
+             (with-directory-excursion "platform_linux"
+               (zero? (system* "sh" "compile_firmware.sh")))))
+         (replace 'install
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out   (assoc-ref outputs "out"))
+                    (share (string-append out "/share/axoloti/"))
+                    (doc   (string-append share "doc"))
+                    (dir   (getcwd))
+                    (pats  '("/doc/[^/]+$"
+                             "/patches/[^/]+/[^/]+$"
+                             "/objects/[^/]+/[^/]+$"
+                             "/firmware/.+"
+                             "/chibios/[^/]+$"
+                             "/chibios/boards/ST_STM32F4_DISCOVERY/[^/]+$"
+                             "/chibios/(ext|os|docs)/.+"
+                             "/CMSIS/[^/]+/[^/]+$"
+                             "/patch/[^/]+/[^/]+$"
+                             "/[^/]+\\.txt$"))
+                    (pattern (string-append
+                              "(" (string-join
+                                   (map (cut string-append dir <>)
+                                        pats)
+                                   "|") ")"))
+                    (files   (find-files dir
+                                         (lambda (file stat)
+                                           (and (eq? 'regular (stat:type stat))
+                                                (string-match pattern file))))))
+               (for-each (lambda (file)
+                           (install-file file
+                                         (string-append
+                                          share
+                                          (regexp-substitute
+                                           #f
+                                           (string-match dir (dirname file))
+                                           'pre  'post))))
+                         files)
+               #t))))))
+    (inputs
+     `(("chibios"
+        ,(origin
+           (method url-fetch)
+           (uri "mirror://sourceforge/chibios/ChibiOS_RT%20stable/Version%202.6.9/ChibiOS_2.6.9.zip")
+           (sha256
+            (base32
+             "0lb5s8pkj80mqhsy47mmq0lqk34s2a2m3xagzihalvabwd0frhlj"))))
+       ;; for compiling patches
+       ("make" ,gnu-make)
+       ;; for compiling firmware
+       ("cross-toolchain" ,arm-none-eabi-nano-toolchain-4.9)
+       ;; for uploading compiled patches and firmware
+       ("dfu-util" ,dfu-util-for-axoloti)))
+    (native-inputs
+     `(("unzip" ,unzip)))
+    (home-page "http://www.axoloti.com/")
+    (synopsis "Audio development environment for the Axoloti core board")
+    (description
+     "The Axoloti patcher offers a “patcher” environment similar to Pure Data
+for sketching digital audio algorithms.  The patches run on a standalone
+powerful microcontroller board: Axoloti Core.  This package provides the
+runtime.")
+    (license license:gpl3+)))
+
+(define-public axoloti-patcher
+  (package (inherit axoloti-runtime)
+    (name "axoloti-patcher")
+    (version (package-version axoloti-runtime))
+    (arguments
+     `(#:tests? #f ; no check target
+       #:modules ((guix build gnu-build-system)
+                  ((guix build ant-build-system) #:prefix ant:)
+                  (guix build utils)
+                  (srfi srfi-1)
+                  (srfi srfi-26)
+                  (ice-9 match)
+                  (ice-9 regex)
+                  (sxml simple)
+                  (sxml xpath)
+                  (sxml transform))
+       #:imported-modules ((guix build ant-build-system)
+                           (guix build syscalls)
+                           ,@%gnu-build-system-modules)
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (replace 'build
+           (lambda* (#:key inputs #:allow-other-keys)
+             (setenv "JAVA_HOME" (assoc-ref inputs "icedtea"))
+             ;; We want to use our own jar files instead of the pre-built
+             ;; stuff in lib.  So we replace the zipfileset tags in the
+             ;; build.xml with new ones that reference our jars.
+             (let* ((build.xml (with-input-from-file "build.xml"
+                                 (lambda _
+                                   (xml->sxml #:trim-whitespace? #t))))
+                    (jars      (append-map (match-lambda
+                                             (((? (cut string-prefix? "java-" <>)
+                                                  label) . directory)
+                                              (find-files directory "\\.jar$"))
+                                             (_ '()))
+                                           inputs))
+                    (classpath (string-join jars ":"))
+                    (fileset   (map (lambda (jar)
+                                      `(zipfileset (@ (excludes "META-INF/*.SF")
+                                                      (src ,jar))))
+                                    jars)))
+               (call-with-output-file "build.xml"
+                 (lambda (port)
+                   (sxml->xml
+                    (pre-post-order
+                     build.xml
+                     `(;; Remove all zipfileset tags from the "jar" tree and
+                       ;; inject our own tags.
+                       (jar . ,(lambda (tag . kids)
+                                 `(jar ,@(append-map
+                                          (filter (lambda (e)
+                                                    (not (eq? 'zipfileset (car e)))))
+                                          kids)
+                                       ,@fileset)))
+                       ;; Skip the "bundle" target (and the "-post-jar" target
+                       ;; that depends on it), because we don't need it and it
+                       ;; confuses sxml->xml.
+                       (target . ,(lambda (tag . kids)
+                                    (let ((name ((sxpath '(name *text*))
+                                                 (car kids))))
+                                      (if (or (member "bundle" name)
+                                              (member "-post-jar" name))
+                                          '() ; skip
+                                          `(,tag ,@kids)))))
+                       (*default*  . ,(lambda (tag . kids) `(,tag ,@kids)))
+                       (*text*     . ,(lambda (_ txt)
+                                        (match txt
+                                          ;; Remove timestamp.
+                                          ("${TODAY}" "(unknown)")
+                                          (_ txt))))))
+                    port)))
+
+               ;; Build it!
+               (zero? (system* "ant"
+                               (string-append "-Djavac.classpath=" classpath)
+                               "-Dbuild.runtime=true"
+                               "-Dbuild.time=01/01/1970 00:00:00"
+                               "-Djavac.source=1.7"
+                               "-Djavac.target=1.7"
+                               (string-append "-Dtag.short.version="
+                                              ,version))))))
+         (replace 'install
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out   (assoc-ref outputs "out"))
+                    (share (string-append out "/share/axoloti/")))
+               (install-file "dist/Axoloti.jar" share)
+
+               ;; We do this to ensure that this package retains references to
+               ;; other Java packages' jar files.
+               (install-file "build.xml" share)
+
+               ;; Create a launcher script
+               (mkdir (string-append out "/bin"))
+               (let ((target (string-append out "/bin/Axoloti")))
+                 (with-output-to-file target
+                   (lambda ()
+                     (let* ((dir       (string-append (assoc-ref outputs "out")
+                                                      "/share/axoloti"))
+                            (runtime   (string-append (assoc-ref inputs "axoloti-runtime")
+                                                      "/share/axoloti"))
+                            (toolchain (assoc-ref inputs "cross-toolchain"))
+                            (includes  (string-append
+                                        toolchain
+                                        "/arm-none-eabi/include:"
+                                        toolchain
+                                        "/arm-none-eabi/include/arm-none-eabi/armv7e-m")))
+                       (display
+                        (string-append "#!" (which "sh") "\n"
+                                       "export CROSS_CPATH=" includes "\n"
+                                       "export CROSS_CPLUS_INCLUDE_PATH=" includes "\n"
+                                       "export CROSS_LIBRARY_PATH="
+                                       toolchain "/arm-none-eabi/lib" "\n"
+                                       (which "java")
+                                       " -Daxoloti_release=" runtime
+                                       " -Daxoloti_runtime=" runtime
+                                       " -jar " dir "/Axoloti.jar")))))
+                 (chmod target #o555))
+               #t)))
+         (add-after 'install 'strip-jar-timestamps
+           (assoc-ref ant:%standard-phases 'strip-jar-timestamps)))))
+    (inputs
+     `(("icedtea" ,icedtea "jdk")
+       ("cross-toolchain" ,arm-none-eabi-nano-toolchain-4.9)
+       ("java-simple-xml" ,java-simple-xml)
+       ("java-rsyntaxtextarea" ,java-rsyntaxtextarea)
+       ("java-usb4java" ,java-usb4java)
+       ("java-jsch" ,java-jsch)
+       ("java-slf4j-api" ,java-slf4j-api)
+       ("java-jgit" ,java-jgit-4.2)
+       ("axoloti-runtime" ,axoloti-runtime)))
+    (native-inputs
+     `(("ant" ,ant)
+       ("zip" ,zip) ; for repacking the jar
+       ("unzip" ,unzip)))
+    (description
+     "The Axoloti patcher offers a “patcher” environment similar to Pure Data
+for sketching digital audio algorithms.  The patches run on a standalone
+powerful microcontroller board: Axoloti Core.  This package provides the
+patcher application.")))
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 44670d3f03..781cc26078 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -676,3 +677,110 @@ using GnuPG.  Backups can be stored on local hard disks, or online via
 the SSH SFTP protocol.  The backup server, if used, does not require
 any special software, on top of SSH.")
     (license license:gpl3+)))
+
+(define-public dirvish
+  (package
+    (name "dirvish")
+    (version "1.2.1")
+    (build-system gnu-build-system)
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "http://dirvish.org/dirvish-" version ".tgz"))
+              (sha256
+               (base32
+                "1kbxa1irszp2zw8hd5qzqnrrzb4vxfivs1vn64yxnj0lak1jjzvb"))))
+    (arguments
+     `(#:modules ((ice-9 match) (ice-9 rdelim)
+                  ,@%gnu-build-system-modules)
+       #:phases
+       ;; This mostly mirrors the steps taken in the install.sh that ships
+       ;; with dirvish, but simplified because we aren't prompting interactively
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (delete 'build)
+         (delete 'check)
+         (replace 'install
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             ;; These are mostly the same steps the install.sh that comes with
+             ;; dirvish does
+             (let* (;; Files we'll be copying
+                    (executables
+                     '("dirvish" "dirvish-runall"
+                       "dirvish-expire" "dirvish-locate"))
+                    (man-pages
+                     '(("dirvish" "8") ("dirvish-runall" "8")
+                       ("dirvish-expire" "8") ("dirvish-locate" "8")
+                       ("dirvish.conf" "5")))
+
+                    (output-dir
+                     (assoc-ref outputs "out"))
+
+                    ;; Just a default... not so useful on guixsd though
+                    ;; You probably want to a service with file(s) to point to.
+                    (confdir "/etc/dirvish")
+
+                    (perl (string-append (assoc-ref %build-inputs "perl")
+                                         "/bin/perl"))
+                    (loadconfig.pl (call-with-input-file "loadconfig.pl"
+                                     read-string)))
+
+
+               (define (write-pl filename)
+                 (define pl-header
+                   (string-append "#!" perl "\n\n"
+                                  "$CONFDIR = \"" confdir "\";\n\n"))
+                 (define input-file-location
+                   (string-append filename ".pl"))
+                 (define target-file-location
+                   (string-append output-dir "/bin/" filename ".pl"))
+                 (define text-to-write
+                   (string-append pl-header
+                                  (call-with-input-file input-file-location
+                                    read-string)
+                                  "\n" loadconfig.pl))
+                 (with-output-to-file target-file-location
+                   (lambda ()
+                     (display text-to-write)))
+                 (chmod target-file-location #o755)
+                 (wrap-program target-file-location
+                   `("PERL5LIB" ":" prefix
+                     ,(map (lambda (l) (string-append (assoc-ref %build-inputs l)
+                                                      "/lib/perl5/site_perl"))
+                           '("perl-libtime-period"
+                             "perl-libtime-parsedate")))))
+
+               (define write-man
+                 (match-lambda
+                   ((file-base man-num)
+                    (let* ((filename
+                            (string-append file-base "." man-num))
+                           (output-path
+                            (string-append output-dir
+                                           "/share/man/man" man-num
+                                           "/" filename)))
+                      (copy-file filename output-path)))))
+
+               ;; Make directories
+               (mkdir-p (string-append output-dir "/bin/"))
+               (mkdir-p (string-append output-dir "/share/man/man8/"))
+               (mkdir-p (string-append output-dir "/share/man/man5/"))
+
+               ;; Write out executables
+               (for-each write-pl executables)
+               ;; Write out man pages
+               (for-each write-man man-pages)
+               #t))))))
+    (inputs
+     `(("perl" ,perl)
+       ("rsync" ,rsync)
+       ("perl-libtime-period" ,perl-libtime-period)
+       ("perl-libtime-parsedate" ,perl-libtime-parsedate)))
+    (home-page "http://dirvish.org/")
+    (synopsis "Fast, disk based, rotating network backup system")
+    (description
+     "With dirvish you can maintain a set of complete images of your
+filesystems with unattended creation and expiration.  A dirvish backup vault
+is like a time machine for your data. ")
+    (license (license:fsf-free "file://COPYING"
+                               "Open Software License 2.0"))))
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 32603ae57e..bb8a0f8d40 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -5747,7 +5747,7 @@ data types as well.")
        ("r-xml" ,r-xml)
        ("r-xtable" ,r-xtable)))
     (home-page
-     "http://bioconductor.org/packages/annotate")
+     "https://bioconductor.org/packages/annotate")
     (synopsis "Annotation for microarrays")
     (description "This package provides R environments for the annotation of
 microarrays.")
@@ -5772,7 +5772,7 @@ microarrays.")
        ("r-biocgenerics" ,r-biocgenerics)
        ("r-lattice" ,r-lattice)
        ("r-rcolorbrewer" ,r-rcolorbrewer)))
-    (home-page "http://bioconductor.org/packages/geneplotter")
+    (home-page "https://bioconductor.org/packages/geneplotter")
     (synopsis "Graphics functions for genomic data")
     (description
      "This package provides functions for plotting genomic data.")
@@ -5798,7 +5798,7 @@ microarrays.")
        ("r-biobase" ,r-biobase)
        ("r-s4vectors" ,r-s4vectors)
        ("r-survival" ,r-survival)))
-    (home-page "http://bioconductor.org/packages/genefilter")
+    (home-page "https://bioconductor.org/packages/genefilter")
     (synopsis "Filter genes from high-throughput experiments")
     (description
      "This package provides basic functions for filtering genes from
@@ -5833,7 +5833,7 @@ high-throughput sequencing experiments.")
        ("r-rcpparmadillo" ,r-rcpparmadillo)
        ("r-s4vectors" ,r-s4vectors)
        ("r-summarizedexperiment" ,r-summarizedexperiment)))
-    (home-page "http://bioconductor.org/packages/DESeq2")
+    (home-page "https://bioconductor.org/packages/DESeq2")
     (synopsis "Differential gene expression analysis")
     (description
      "This package provides functions to estimate variance-mean dependence in
@@ -5873,7 +5873,7 @@ distribution.")
        ("r-statmod" ,r-statmod)
        ("r-stringr" ,r-stringr)
        ("r-summarizedexperiment" ,r-summarizedexperiment)))
-    (home-page "http://bioconductor.org/packages/DEXSeq")
+    (home-page "https://bioconductor.org/packages/DEXSeq")
     (synopsis "Inference of differential exon usage in RNA-Seq")
     (description
      "This package is focused on finding differential exon usage using RNA-seq
@@ -5908,7 +5908,7 @@ exploration of the results.")
        ("r-rsqlite" ,r-rsqlite)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xml" ,r-xml)))
-    (home-page "http://bioconductor.org/packages/AnnotationForge")
+    (home-page "https://bioconductor.org/packages/AnnotationForge")
     (synopsis "Code for building annotation database packages")
     (description
      "This package provides code for generating Annotation packages and their
@@ -5929,7 +5929,7 @@ databases.  Packages produced are intended to be used with AnnotationDbi.")
     (properties `((upstream-name . "RBGL")))
     (build-system r-build-system)
     (propagated-inputs `(("r-graph" ,r-graph)))
-    (home-page "http://www.bioconductor.org/packages/RBGL")
+    (home-page "https://www.bioconductor.org/packages/RBGL")
     (synopsis "Interface to the Boost graph library")
     (description
      "This package provides a fairly extensive and comprehensive interface to
@@ -5956,7 +5956,7 @@ the graph algorithms contained in the Boost library.")
        ("r-biocgenerics" ,r-biocgenerics)
        ("r-graph" ,r-graph)
        ("r-xml" ,r-xml)))
-    (home-page "http://bioconductor.org/packages/GSEABase")
+    (home-page "https://bioconductor.org/packages/GSEABase")
     (synopsis "Gene set enrichment data structures and methods")
     (description
      "This package provides classes and methods to support @dfn{Gene Set
@@ -5987,7 +5987,7 @@ Enrichment Analysis} (GSEA).")
        ("r-matrix" ,r-matrix)
        ("r-rbgl" ,r-rbgl)
        ("r-rsqlite" ,r-rsqlite)))
-    (home-page "http://bioconductor.org/packages/Category")
+    (home-page "https://bioconductor.org/packages/Category")
     (synopsis "Category analysis")
     (description
      "This package provides a collection of tools for performing category
@@ -6016,7 +6016,7 @@ analysis.")
        ("r-go-db" ,r-go-db)
        ("r-graph" ,r-graph)
        ("r-rbgl" ,r-rbgl)))
-    (home-page "http://bioconductor.org/packages/GOstats")
+    (home-page "https://bioconductor.org/packages/GOstats")
     (synopsis "Tools for manipulating GO and microarrays")
     (description
      "This package provides a set of tools for interacting with GO and
@@ -6055,7 +6055,7 @@ testing and other simple calculations.")
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)
        ("r-zlibbioc" ,r-zlibbioc)))
-    (home-page "http://bioconductor.org/packages/ShortRead")
+    (home-page "https://bioconductor.org/packages/ShortRead")
     (synopsis "FASTQ input and manipulation tools")
     (description
      "This package implements sampling, iteration, and input of FASTQ files.
@@ -6147,7 +6147,7 @@ annotation infrastructure.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://bioconductor.org/packages/"
+              (uri (string-append "https://bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib"
                                   "/TxDb.Hsapiens.UCSC.hg19.knownGene_"
                                   version ".tar.gz"))
@@ -6163,7 +6163,7 @@ annotation infrastructure.")
     (propagated-inputs
      `(("r-genomicfeatures" ,r-genomicfeatures)))
     (home-page
-     "http://bioconductor.org/packages/TxDb.Hsapiens.UCSC.hg19.knownGene/")
+     "https://bioconductor.org/packages/TxDb.Hsapiens.UCSC.hg19.knownGene/")
     (synopsis "Annotation package for human genome in TxDb format")
     (description
      "This package provides an annotation database of Homo sapiens genome
@@ -6444,7 +6444,7 @@ barplots or heatmaps.")
     (properties
      `((upstream-name . "BiocGenerics")))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/BiocGenerics")
+    (home-page "https://bioconductor.org/packages/BiocGenerics")
     (synopsis "S4 generic functions for Bioconductor")
     (description
      "This package provides S4 generic functions needed by many Bioconductor
@@ -6464,7 +6464,7 @@ packages.")
     (properties
      `((upstream-name . "BiocInstaller")))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/BiocInstaller")
+    (home-page "https://bioconductor.org/packages/BiocInstaller")
     (synopsis "Install Bioconductor packages")
     (description "This package is used to install and update R packages from
 Bioconductor, CRAN, and Github.")
@@ -6491,7 +6491,7 @@ Bioconductor, CRAN, and Github.")
        ("r-xml" ,r-xml)
        ("r-knitr" ,r-knitr)
        ("r-runit" ,r-runit)))
-    (home-page "http://bioconductor.org/packages/biocViews")
+    (home-page "https://bioconductor.org/packages/biocViews")
     (synopsis "Bioconductor package categorization helper")
     (description "The purpose of biocViews is to create HTML pages that
 categorize packages in a Bioconductor package repository according to keywords,
@@ -6538,7 +6538,7 @@ authoring books and technical documents with R Markdown.")
        ("r-knitr" ,r-knitr)
        ("r-rmarkdown" ,r-rmarkdown)
        ("r-yaml" ,r-yaml)))
-    (home-page "http://bioconductor.org/packages/BiocStyle")
+    (home-page "https://bioconductor.org/packages/BiocStyle")
     (synopsis "Bioconductor formatting styles")
     (description "This package provides standard formatting styles for
 Bioconductor PDF and HTML documents.  Package vignettes illustrate use and
@@ -6586,7 +6586,7 @@ functionality.")
        ("r-optparse" ,r-optparse)
        ("r-biocinstaller" ,r-biocinstaller)
        ("r-biocviews" ,r-biocviews)))
-    (home-page "http://bioconductor.org/packages/BiocCheck")
+    (home-page "https://bioconductor.org/packages/BiocCheck")
     (synopsis "Executes Bioconductor-specific package checks")
     (description "This package contains tools to perform additional quality
 checks on R packages that are to be submitted to the Bioconductor repository.")
@@ -6674,7 +6674,7 @@ abnormal copy number.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-biocgenerics" ,r-biocgenerics)))
-    (home-page "http://bioconductor.org/packages/S4Vectors")
+    (home-page "https://bioconductor.org/packages/S4Vectors")
     (synopsis "S4 implementation of vectors and lists")
     (description
      "The S4Vectors package defines the @code{Vector} and @code{List} virtual
@@ -6727,7 +6727,7 @@ utilities for sequence data management under the ACNUC system.")
     (propagated-inputs
      `(("r-biocgenerics" ,r-biocgenerics)
        ("r-s4vectors" ,r-s4vectors)))
-    (home-page "http://bioconductor.org/packages/IRanges")
+    (home-page "https://bioconductor.org/packages/IRanges")
     (synopsis "Infrastructure for manipulating intervals on sequences")
     (description
      "This package provides efficient low-level and highly reusable S4 classes
@@ -6757,7 +6757,7 @@ possible.")
     (properties
      `((upstream-name . "GenomeInfoDbData")))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/GenomeInfoDbData")
+    (home-page "https://bioconductor.org/packages/GenomeInfoDbData")
     (synopsis "Species and taxonomy ID look up tables for GenomeInfoDb")
     (description "This package contains data for mapping between NCBI taxonomy
 ID and species.  It is used by functions in the GenomeInfoDb package.")
@@ -6782,7 +6782,7 @@ ID and species.  It is used by functions in the GenomeInfoDb package.")
        ("r-iranges" ,r-iranges)
        ("r-rcurl" ,r-rcurl)
        ("r-s4vectors" ,r-s4vectors)))
-    (home-page "http://bioconductor.org/packages/GenomeInfoDb")
+    (home-page "https://bioconductor.org/packages/GenomeInfoDb")
     (synopsis "Utilities for manipulating chromosome identifiers")
     (description
      "This package contains data and functions that define and allow
@@ -6904,7 +6904,7 @@ different technologies, including microarrays, RNA-seq, and quantitative PCR.")
      `(("r-biocgenerics" ,r-biocgenerics)
        ("r-iranges" ,r-iranges)
        ("r-s4vectors" ,r-s4vectors)))
-    (home-page "http://bioconductor.org/packages/XVector")
+    (home-page "https://bioconductor.org/packages/XVector")
     (synopsis "Representation and manpulation of external sequences")
     (description
      "This package provides memory efficient S4 classes for storing sequences
@@ -6930,7 +6930,7 @@ different technologies, including microarrays, RNA-seq, and quantitative PCR.")
        ("r-iranges" ,r-iranges)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/GenomicRanges")
+    (home-page "https://bioconductor.org/packages/GenomicRanges")
     (synopsis "Representation and manipulation of genomic intervals")
     (description
      "This package provides tools to efficiently represent and manipulate
@@ -6955,7 +6955,7 @@ manipulating genomic intervals and variables defined along a genome.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-biocgenerics" ,r-biocgenerics)))
-    (home-page "http://bioconductor.org/packages/Biobase")
+    (home-page "https://bioconductor.org/packages/Biobase")
     (synopsis "Base functions for Bioconductor")
     (description
      "This package provides functions that are needed by many other packages
@@ -6982,7 +6982,7 @@ on Bioconductor or which replace R functions.")
        ("r-iranges" ,r-iranges)
        ("r-rsqlite" ,r-rsqlite)
        ("r-s4vectors" ,r-s4vectors)))
-    (home-page "http://bioconductor.org/packages/AnnotationDbi")
+    (home-page "https://bioconductor.org/packages/AnnotationDbi")
     (synopsis "Annotation database interface")
     (description
      "This package provides user interface and database connection code for
@@ -7006,7 +7006,7 @@ annotation data packages using SQLite data storage.")
      `(("r-annotationdbi" ,r-annotationdbi)
        ("r-rcurl" ,r-rcurl)
        ("r-xml" ,r-xml)))
-    (home-page "http://bioconductor.org/packages/biomaRt")
+    (home-page "https://bioconductor.org/packages/biomaRt")
     (synopsis "Interface to BioMart databases")
     (description
      "biomaRt provides an interface to a growing collection of databases
@@ -7035,7 +7035,7 @@ powerful online queries from gene annotation to database mining.")
     (propagated-inputs
      `(("r-futile-logger" ,r-futile-logger)
        ("r-snow" ,r-snow)))
-    (home-page "http://bioconductor.org/packages/BiocParallel")
+    (home-page "https://bioconductor.org/packages/BiocParallel")
     (synopsis "Bioconductor facilities for parallel evaluation")
     (description
      "This package provides modified versions and novel implementation of
@@ -7061,7 +7061,7 @@ objects.")
        ("r-iranges" ,r-iranges)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/Biostrings")
+    (home-page "https://bioconductor.org/packages/Biostrings")
     (synopsis "String objects and algorithms for biological sequences")
     (description
      "This package provides memory efficient string containers, string
@@ -7104,7 +7104,7 @@ biological sequences or sets of sequences.")
        ("r-iranges" ,r-iranges)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/release/bioc/html/Rsamtools.html")
+    (home-page "https://bioconductor.org/packages/release/bioc/html/Rsamtools.html")
     (synopsis "Interface to samtools, bcftools, and tabix")
     (description
      "This package provides an interface to the 'samtools', 'bcftools', and
@@ -7131,7 +7131,7 @@ files.")
        ("r-s4vectors" ,r-s4vectors)
        ("r-iranges" ,r-iranges)
        ("r-matrixstats" ,r-matrixstats)))
-    (home-page "http://bioconductor.org/packages/DelayedArray")
+    (home-page "https://bioconductor.org/packages/DelayedArray")
     (synopsis "Delayed operations on array-like objects")
     (description
      "Wrapping an array-like object (typically an on-disk object) in a
@@ -7165,7 +7165,7 @@ array-like objects like @code{DataFrame} objects (typically with Rle columns),
        ("r-iranges" ,r-iranges)
        ("r-matrix" ,r-matrix)
        ("r-s4vectors" ,r-s4vectors)))
-    (home-page "http://bioconductor.org/packages/SummarizedExperiment")
+    (home-page "https://bioconductor.org/packages/SummarizedExperiment")
     (synopsis "Container for representing genomic ranges by sample")
     (description
      "The SummarizedExperiment container contains one or more assays, each
@@ -7197,7 +7197,7 @@ samples.")
        ("r-rsamtools" ,r-rsamtools)
        ("r-s4vectors" ,r-s4vectors)
        ("r-summarizedexperiment" ,r-summarizedexperiment)))
-    (home-page "http://bioconductor.org/packages/GenomicAlignments")
+    (home-page "https://bioconductor.org/packages/GenomicAlignments")
     (synopsis "Representation and manipulation of short genomic alignments")
     (description
      "This package provides efficient containers for storing and manipulating
@@ -7242,7 +7242,7 @@ alignments.")
        ("r-s4vectors" ,r-s4vectors)
        ("r-xml" ,r-xml)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/rtracklayer")
+    (home-page "https://bioconductor.org/packages/rtracklayer")
     (synopsis "R interface to genome browsers and their annotation tracks")
     (description
      "rtracklayer is an extensible framework for interacting with multiple
@@ -7280,7 +7280,7 @@ as well as query and modify the browser state, such as the current viewport.")
        ("r-rtracklayer" ,r-rtracklayer)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/GenomicFeatures")
+    (home-page "https://bioconductor.org/packages/GenomicFeatures")
     (synopsis "Tools for working with transcript centric annotations")
     (description
      "This package provides a set of tools and methods for making and
@@ -7299,7 +7299,7 @@ extracting the desired features in a convenient format.")
     (version "3.4.0")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/GO.db_"
                                   version ".tar.gz"))
               (sha256
@@ -7310,7 +7310,7 @@ extracting the desired features in a convenient format.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)))
-    (home-page "http://bioconductor.org/packages/GO.db")
+    (home-page "https://bioconductor.org/packages/GO.db")
     (synopsis "Annotation maps describing the entire Gene Ontology")
     (description
      "The purpose of this GO.db annotation package is to provide detailed
@@ -7330,7 +7330,7 @@ information about the latest version of the Gene Ontologies.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-biocgenerics" ,r-biocgenerics)))
-    (home-page "http://bioconductor.org/packages/graph")
+    (home-page "https://bioconductor.org/packages/graph")
     (synopsis "Handle graph data structures in R")
     (description
      "This package implements some simple graph handling capabilities for R.")
@@ -7359,7 +7359,7 @@ information about the latest version of the Gene Ontologies.")
        ("r-lattice" ,r-lattice)
        ("r-matrixstats" ,r-matrixstats)
        ("r-sparsem" ,r-sparsem)))
-    (home-page "http://bioconductor.org/packages/topGO")
+    (home-page "https://bioconductor.org/packages/topGO")
     (synopsis "Enrichment analysis for gene ontology")
     (description
      "The topGO package provides tools for testing @dfn{gene ontology} (GO)
@@ -7392,7 +7392,7 @@ dependencies between GO terms can be implemented and applied.")
        ("r-rtracklayer" ,r-rtracklayer)
        ("r-s4vectors" ,r-s4vectors)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/BSgenome")
+    (home-page "https://bioconductor.org/packages/BSgenome")
     (synopsis "Infrastructure for Biostrings-based genome data packages")
     (description
      "This package provides infrastructure shared by all Biostrings-based
@@ -7407,7 +7407,7 @@ genome data packages and support for efficient SNP representation.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Hsapiens.1000genomes.hs37d5_"
                                   version ".tar.gz"))
@@ -7423,7 +7423,7 @@ genome data packages and support for efficient SNP representation.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Hsapiens.1000genomes.hs37d5/")
+     "https://www.bioconductor.org/packages/BSgenome.Hsapiens.1000genomes.hs37d5/")
     (synopsis "Full genome sequences for Homo sapiens")
     (description
      "This package provides full genome sequences for Homo sapiens from
@@ -7443,7 +7443,7 @@ genome data packages and support for efficient SNP representation.")
     (inputs
      `(("gfortran" ,gfortran)))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/impute")
+    (home-page "https://bioconductor.org/packages/impute")
     (synopsis "Imputation for microarray data")
     (description
      "This package provides a function to impute missing gene expression
@@ -7469,7 +7469,7 @@ microarray data, using nearest neighbor averaging.")
        ("r-iranges" ,r-iranges)
        ("r-kernsmooth" ,r-kernsmooth)
        ("r-plotrix" ,r-plotrix)))
-    (home-page "http://bioconductor.org/packages/seqPattern")
+    (home-page "https://bioconductor.org/packages/seqPattern")
     (synopsis "Visualising oligonucleotide patterns and motif occurrences")
     (description
      "This package provides tools to visualize oligonucleotide patterns and
@@ -7562,7 +7562,7 @@ downloaded from Encode.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "org.Hs.eg.db_" version ".tar.gz"))
               (sha256
@@ -7573,7 +7573,7 @@ downloaded from Encode.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)))
-    (home-page "http://www.bioconductor.org/packages/org.Hs.eg.db/")
+    (home-page "https://www.bioconductor.org/packages/org.Hs.eg.db/")
     (synopsis "Genome wide annotation for Human")
     (description
      "This package provides mappings from Entrez gene identifiers to various
@@ -7588,7 +7588,7 @@ annotations for the human genome.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "org.Ce.eg.db_" version ".tar.gz"))
               (sha256
@@ -7599,7 +7599,7 @@ annotations for the human genome.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)))
-    (home-page "http://www.bioconductor.org/packages/org.Ce.eg.db/")
+    (home-page "https://www.bioconductor.org/packages/org.Ce.eg.db/")
     (synopsis "Genome wide annotation for Worm")
     (description
      "This package provides mappings from Entrez gene identifiers to various
@@ -7614,7 +7614,7 @@ annotations for the genome of the model worm Caenorhabditis elegans.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "org.Dm.eg.db_" version ".tar.gz"))
               (sha256
@@ -7625,7 +7625,7 @@ annotations for the genome of the model worm Caenorhabditis elegans.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)))
-    (home-page "http://www.bioconductor.org/packages/org.Dm.eg.db/")
+    (home-page "https://www.bioconductor.org/packages/org.Dm.eg.db/")
     (synopsis "Genome wide annotation for Fly")
     (description
      "This package provides mappings from Entrez gene identifiers to various
@@ -7640,7 +7640,7 @@ annotations for the genome of the model fruit fly Drosophila melanogaster.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "org.Mm.eg.db_" version ".tar.gz"))
               (sha256
@@ -7651,7 +7651,7 @@ annotations for the genome of the model fruit fly Drosophila melanogaster.")
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)))
-    (home-page "http://www.bioconductor.org/packages/org.Mm.eg.db/")
+    (home-page "https://www.bioconductor.org/packages/org.Mm.eg.db/")
     (synopsis "Genome wide annotation for Mouse")
     (description
      "This package provides mappings from Entrez gene identifiers to various
@@ -7671,7 +7671,7 @@ annotations for the genome of the model mouse Mus musculus.")
          "19d5zmy7m8svljwgbmrb4vxkq18slq0f3all6k2ayv42b8w44h6q"))))
     (properties `((upstream-name . "seqLogo")))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/seqLogo")
+    (home-page "https://bioconductor.org/packages/seqLogo")
     (synopsis "Sequence logos for DNA sequence alignments")
     (description
      "seqLogo takes the position weight matrix of a DNA sequence motif and
@@ -7687,7 +7687,7 @@ Stephens (1990).")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Hsapiens.UCSC.hg19_"
                                   version ".tar.gz"))
@@ -7703,7 +7703,7 @@ Stephens (1990).")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Hsapiens.UCSC.hg19/")
+     "https://www.bioconductor.org/packages/BSgenome.Hsapiens.UCSC.hg19/")
     (synopsis "Full genome sequences for Homo sapiens")
     (description
      "This package provides full genome sequences for Homo sapiens as provided
@@ -7718,7 +7718,7 @@ by UCSC (hg19, February 2009) and stored in Biostrings objects.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Mmusculus.UCSC.mm9_"
                                   version ".tar.gz"))
@@ -7734,7 +7734,7 @@ by UCSC (hg19, February 2009) and stored in Biostrings objects.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Mmusculus.UCSC.mm9/")
+     "https://www.bioconductor.org/packages/BSgenome.Mmusculus.UCSC.mm9/")
     (synopsis "Full genome sequences for Mouse")
     (description
      "This package provides full genome sequences for Mus musculus (Mouse) as
@@ -7749,7 +7749,7 @@ provided by UCSC (mm9, July 2007) and stored in Biostrings objects.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Mmusculus.UCSC.mm10_"
                                   version ".tar.gz"))
@@ -7765,7 +7765,7 @@ provided by UCSC (mm9, July 2007) and stored in Biostrings objects.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Mmusculus.UCSC.mm10/")
+     "https://www.bioconductor.org/packages/BSgenome.Mmusculus.UCSC.mm10/")
     (synopsis "Full genome sequences for Mouse")
     (description
      "This package provides full genome sequences for Mus
@@ -7781,7 +7781,7 @@ in Biostrings objects.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "TxDb.Mmusculus.UCSC.mm10.knownGene_"
                                   version ".tar.gz"))
@@ -7799,7 +7799,7 @@ in Biostrings objects.")
        ("r-genomicfeatures" ,r-genomicfeatures)
        ("r-annotationdbi" ,r-annotationdbi)))
     (home-page
-     "http://bioconductor.org/packages/TxDb.Mmusculus.UCSC.mm10.knownGene/")
+     "https://bioconductor.org/packages/TxDb.Mmusculus.UCSC.mm10.knownGene/")
     (synopsis "Annotation package for TxDb knownGene object(s) for Mouse")
     (description
      "This package loads a TxDb object, which is an R interface to
@@ -7816,7 +7816,7 @@ based on the knownGene track.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Celegans.UCSC.ce6_"
                                   version ".tar.gz"))
@@ -7832,7 +7832,7 @@ based on the knownGene track.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Celegans.UCSC.ce6/")
+     "https://www.bioconductor.org/packages/BSgenome.Celegans.UCSC.ce6/")
     (synopsis "Full genome sequences for Worm")
     (description
      "This package provides full genome sequences for Caenorhabditis
@@ -7848,7 +7848,7 @@ objects.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Celegans.UCSC.ce10_"
                                   version ".tar.gz"))
@@ -7864,7 +7864,7 @@ objects.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Celegans.UCSC.ce10/")
+     "https://www.bioconductor.org/packages/BSgenome.Celegans.UCSC.ce10/")
     (synopsis "Full genome sequences for Worm")
     (description
      "This package provides full genome sequences for Caenorhabditis
@@ -7880,7 +7880,7 @@ objects.")
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
               ;; located under "data/annotation/" instead of "bioc/".
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/data/annotation/src/contrib/"
                                   "BSgenome.Dmelanogaster.UCSC.dm3_"
                                   version ".tar.gz"))
@@ -7896,7 +7896,7 @@ objects.")
     (propagated-inputs
      `(("r-bsgenome" ,r-bsgenome)))
     (home-page
-     "http://www.bioconductor.org/packages/BSgenome.Dmelanogaster.UCSC.dm3/")
+     "https://www.bioconductor.org/packages/BSgenome.Dmelanogaster.UCSC.dm3/")
     (synopsis "Full genome sequences for Fly")
     (description
      "This package provides full genome sequences for Drosophila
@@ -7924,7 +7924,7 @@ Biostrings objects.")
        ("r-iranges" ,r-iranges)
        ("r-seqlogo" ,r-seqlogo)
        ("r-xvector" ,r-xvector)))
-    (home-page "http://bioconductor.org/packages/motifRG")
+    (home-page "https://bioconductor.org/packages/motifRG")
     (synopsis "Discover motifs in high throughput sequencing data")
     (description
      "This package provides tools for discriminative motif discovery in high
@@ -8046,7 +8046,7 @@ of other R packages who wish to make use of HTSlib.")
        ("r-zlibbioc" ,r-zlibbioc)))
     (inputs
      `(("zlib" ,zlib)))
-    (home-page "http://bioconductor.org/packages/bamsignals")
+    (home-page "https://bioconductor.org/packages/bamsignals")
     (synopsis "Extract read count signals from bam files")
     (description
      "This package allows to efficiently obtain count vectors from indexed bam
@@ -8175,7 +8175,7 @@ library implementing most of the pipeline's features.")
        ("r-reshape2" ,r-reshape2)
        ("r-summarizedexperiment" ,r-summarizedexperiment)
        ("r-variantannotation" ,r-variantannotation)))
-    (home-page "http://bioconductor.org/packages/MutationalPatterns/")
+    (home-page "https://bioconductor.org/packages/MutationalPatterns/")
     (synopsis "Extract and visualize mutational patterns in genomic data")
     (description "This package provides an extensive toolset for the
 characterization and visualization of a wide range of mutational patterns
@@ -8331,7 +8331,7 @@ kernels, including: gkmSVM, kmer-SVM, mismatch kernel and wildcard kernel.")
                (base32
                 "1mklb02bj4gnbjlmb7vv6k4lr3w9fp3pzli9rddbrwd0y5n8fcpx"))))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/tximport")
+    (home-page "https://bioconductor.org/packages/tximport")
     (synopsis "Import and summarize transcript-level estimates for gene-level analysis")
     (description
      "This package provides tools to import transcript-level abundance,
@@ -8373,7 +8373,7 @@ of gene-level counts.")
     (inputs
      `(("perl" ,perl)
        ("zlib" ,zlib)))
-    (home-page "http://bioconductor.org/packages/rhdf5")
+    (home-page "https://bioconductor.org/packages/rhdf5")
     (synopsis "HDF5 interface to R")
     (description
      "This R/Bioconductor package provides an interface between HDF5 and R.
@@ -8692,7 +8692,7 @@ common bioinformatics tools.")
        ("r-iranges" ,r-iranges)
        ("r-s4vectors" ,r-s4vectors)
        ("r-shortread" ,r-shortread)))
-    (home-page "http://bioconductor.org/packages/chipseq")
+    (home-page "https://bioconductor.org/packages/chipseq")
     (synopsis "Package for analyzing ChIPseq data")
     (description
      "This package provides tools for processing short read data from ChIPseq
@@ -8706,7 +8706,7 @@ experiments.")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append "http://bioconductor.org/packages/release/"
+       (uri (string-append "https://bioconductor.org/packages/release/"
                            "data/experiment/src/contrib/CopyhelpeR_"
                            version ".tar.gz"))
        (sha256
@@ -8714,7 +8714,7 @@ experiments.")
          "0x7cyynjmxls9as2gg0iyp9x5fpalxmdjq914ss7i84i9zyk5bhq"))))
     (properties `((upstream-name . "CopyhelpeR")))
     (build-system r-build-system)
-    (home-page "http://bioconductor.org/packages/CopyhelpeR/")
+    (home-page "https://bioconductor.org/packages/CopyhelpeR/")
     (synopsis "Helper files for CopywriteR")
     (description
      "This package contains the helper files that are required to run the
@@ -8829,7 +8829,7 @@ TAB-Seq.")
        ("r-biocparallel" ,r-biocparallel)
        ("r-matrixstats" ,r-matrixstats)
        ("r-limma" ,r-limma)))
-    (home-page "http://bioconductor.org/packages/sva")
+    (home-page "https://bioconductor.org/packages/sva")
     (synopsis "Surrogate variable analysis")
     (description
      "This package contains functions for removing batch effects and other
@@ -9017,7 +9017,7 @@ CDF file formats.")
        ("r-biocinstaller" ,r-biocinstaller)
        ("r-preprocesscore" ,r-preprocesscore)
        ("r-zlibbioc" ,r-zlibbioc)))
-    (home-page "http://bioconductor.org/packages/affy")
+    (home-page "https://bioconductor.org/packages/affy")
     (synopsis "Methods for affymetrix oligonucleotide arrays")
     (description
      "This package contains functions for exploratory oligonucleotide array
@@ -9043,7 +9043,7 @@ analysis.")
        ("r-hexbin" ,r-hexbin)
        ("r-lattice" ,r-lattice)
        ("r-limma" ,r-limma)))
-    (home-page "http://bioconductor.org/packages/release/bioc/html/vsn.html")
+    (home-page "https://bioconductor.org/packages/release/bioc/html/vsn.html")
     (synopsis "Variance stabilization and calibration for microarray data")
     (description
      "The package implements a method for normalising microarray intensities,
@@ -9080,7 +9080,7 @@ and specific in detecting differential transcription.")
        ("r-protgenerics" ,r-protgenerics)
        ("r-rcpp" ,r-rcpp)
        ("r-xml" ,r-xml)))
-    (home-page "http://bioconductor.org/packages/mzID")
+    (home-page "https://bioconductor.org/packages/mzID")
     (synopsis "Parser for mzIdentML files")
     (description
      "This package provides a parser for mzIdentML files implemented using the
@@ -9187,7 +9187,7 @@ of mass spectrometry based proteomics data.")
        ("r-r-cache" ,r-r-cache)
        ("r-rcpp" ,r-rcpp)
        ("r-reshape2" ,r-reshape2)))
-    (home-page "http://bioconductor.org/packages/MSnID")
+    (home-page "https://bioconductor.org/packages/MSnID")
     (synopsis "Utilities for LC-MSn proteomics identifications")
     (description
      "This package extracts @dfn{tandem mass spectrometry} (MS/MS) ID data
@@ -9391,7 +9391,7 @@ global-scaling and full-quantile normalization.")
     (propagated-inputs
      `(("r-biocgenerics" ,r-biocgenerics)
        ("r-shiny" ,r-shiny)))
-    (home-page "http://bioconductor.org/packages/interactiveDisplayBase")
+    (home-page "https://bioconductor.org/packages/interactiveDisplayBase")
     (synopsis "Base package for web displays of Bioconductor objects")
     (description
      "This package contains the basic methods needed to generate interactive
@@ -9420,7 +9420,7 @@ Shiny-based display methods for Bioconductor objects.")
        ("r-rsqlite" ,r-rsqlite)
        ("r-s4vectors" ,r-s4vectors)
        ("r-yaml" ,r-yaml)))
-    (home-page "http://bioconductor.org/packages/AnnotationHub")
+    (home-page "https://bioconductor.org/packages/AnnotationHub")
     (synopsis "Client to access AnnotationHub resources")
     (description
      "This package provides a client for the Bioconductor AnnotationHub web
@@ -10035,13 +10035,18 @@ browser.")
          #:phases
          (modify-phases %standard-phases
            (replace 'install
-             (lambda* (#:key outputs #:allow-other-keys)
+             (lambda* (#:key inputs outputs #:allow-other-keys)
                (let* ((target (assoc-ref outputs "out"))
                       (doc (string-append target "/share/doc/f-seq/")))
                  (mkdir-p target)
                  (mkdir-p doc)
                  (substitute* "bin/linux/fseq"
-                   (("java") (which "java")))
+                   (("java") (which "java"))
+                   (("\\$REALDIR/../lib/commons-cli-1.1.jar")
+                    (string-append (assoc-ref inputs "java-commons-cli")
+                                   "/share/java/commons-cli.jar"))
+                   (("REALDIR=.*")
+                    (string-append "REALDIR=" target "/bin\n")))
                  (install-file "README.txt" doc)
                  (install-file "bin/linux/fseq" (string-append target "/bin"))
                  (install-file "build~/fseq.jar" (string-append target "/lib"))
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 5236444abc..1d2ac20326 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -244,13 +244,13 @@ format.")
 (define-public cppcheck
   (package
     (name "cppcheck")
-    (version "1.80")
+    (version "1.81")
     (source (origin
       (method url-fetch)
       (uri (string-append "https://github.com/danmar/cppcheck/archive/"
                           version ".tar.gz"))
       (sha256
-       (base32 "007hs15i2pn49l6kycy49h3bj66qh6fxrp6yidj3776n32q3v1i0"))
+       (base32 "0miamqk7pa2dzmnmi5wb6hjp2a3zya1x8afnlcxby8jb6gp6wf8j"))
       (file-name (string-append name "-" version ".tar.gz"))))
     (build-system cmake-build-system)
     (home-page "http://cppcheck.sourceforge.net")
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index f8cfd4dde8..69cf6d3a33 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -17,6 +17,7 @@
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2017 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2017 Theodoros Foradis <theodoros@foradis.org>
+;;; Copyright © 2017 Stefan Reichör <stefan@xsteve.at>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,6 +51,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages check)
   #:use-module (gnu packages curl)
+  #:use-module (gnu packages file)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
@@ -1574,3 +1576,39 @@ zip archives.  Files can be added from data buffers, files, or compressed data
 copied directly from other zip archives.  Changes made without closing the
 archive can be reverted.")
     (license license:bsd-3)))
+
+(define-public atool
+  (package
+    (name "atool")
+    (version "0.39.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://savannah.nongnu.org/download/atool/atool-"
+                           version ".tar.gz"))
+       (sha256
+        (base32
+         "0fvhzip2v08jgnlfpyj6rapan39xlsl1ksgq4lp8gfsai2ah1xma"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'embed-absolute-file-name
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "atool"
+               (("(^\\$::cfg_path_file.*= )'file'" _ pre)
+                (string-append pre "'" (assoc-ref inputs "file")
+                               "/bin/file'")))
+             #t)))))
+    (inputs
+     `(("perl" ,perl)
+       ("file" ,file)))
+    (home-page "http://www.nongnu.org/atool/")
+    (synopsis  "Universal tool to manage file archives of various types")
+    (description "The main command is @command{aunpack} which extracts files
+from an archive.  The other commands provided are @command{apack} (to create
+archives), @command{als} (to list files in archives), and @command{acat} (to
+extract files to standard out).  As @command{atool} invokes external programs
+to handle the archives, not all commands may be supported for a certain type
+of archives.")
+    (license license:gpl2+)))
diff --git a/gnu/packages/cran.scm b/gnu/packages/cran.scm
index e00a8a4ba2..dba294c8d7 100644
--- a/gnu/packages/cran.scm
+++ b/gnu/packages/cran.scm
@@ -1217,3 +1217,27 @@ initial data set and then applied to other data sets.  The resulting design
 matrices can then be used as inputs into statistical or machine learning
 models.")
     (license license:gpl2)))
+
+(define-public r-pdist
+  (package
+    (name "r-pdist")
+    (version "1.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "pdist" version))
+       (sha256
+        (base32
+         "18nd3mgad11f2zmwcp0w3sxlch4a9y6wp8dfdyzvjn7y4b4bq0dd"))))
+    (build-system r-build-system)
+    (home-page "https://github.com/jeffwong/pdist")
+    (synopsis "Partitioned distance function")
+    (description
+     "Pdist computes the euclidean distance between rows of a matrix X and
+rows of another matrix Y.  Previously, this could be done by binding the two
+matrices together and calling @code{dist}, but this creates unnecessary
+computation by computing the distances between a row of X and another row of
+X, and likewise for Y.  Pdist strictly computes distances across the two
+matrices, not within the same matrix, making computations significantly faster
+for certain use cases.")
+    (license license:gpl3+)))
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index 427318d455..549955d7b4 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -556,7 +556,7 @@ generator.")
     (synopsis "Get weak or strong random data from pluggable sources")
     (description "This module provides implementations for a number of
 byte-oriented sources of random data.")
-    (license (package-license perl))))
+    (license license:perl-license)))
 
 (define-public perl-math-random-secure
   (package
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index b3268bee7b..491668e522 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -377,14 +377,14 @@ device-specific programs to convert and print many types of files.")
 (define-public hplip
   (package
     (name "hplip")
-    (version "3.17.7")
+    (version "3.17.10")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/hplip/hplip/" version
                                   "/hplip-" version ".tar.gz"))
               (sha256
                (base32
-                "03a0vkbrzvgj15il9rvr93kf5pc706gxcjk6akbkzds0zmdbsxrm"))))
+                "0v27hg856b5z2rilczcbfgz8ksxn0n810g1glac3mxkj8qbl8wqg"))))
     (build-system gnu-build-system)
     (home-page "http://hplipopensource.com/")
     (synopsis "HP Printer Drivers")
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 9359243644..2d6baea9fa 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -453,7 +453,7 @@ RDBMS systems (which are deep in functionality).")
 (define-public mysql
   (package
     (name "mysql")
-    (version "5.7.19")
+    (version "5.7.20")
     (source (origin
              (method url-fetch)
              (uri (list (string-append
@@ -465,7 +465,7 @@ RDBMS systems (which are deep in functionality).")
                           name "-" version ".tar.gz")))
              (sha256
               (base32
-               "1c8y54yk756179nx4dgg79dijmjdq5n8l057cnqsg70pjdpyfl9y"))))
+               "11v4g3igigv3zvknv67qml8in6fjrbs2vnr3q6bg6f62nydm95sk"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm
index 8e5bca64c0..7c7a70e950 100644
--- a/gnu/packages/display-managers.scm
+++ b/gnu/packages/display-managers.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -188,6 +189,14 @@ Qt-style API for Wayland clients.")
              (substitute* "CMakeLists.txt"
                (("/usr/bin/loginctl") (which "loginctl")))
              #t))
+         (add-before 'configure 'fix-qml-include
+           (lambda _
+             ;; Make sure QtQml is found when building the helper.
+             ;; See <https://github.com/sddm/sddm/pull/918>.
+             (substitute* "src/helper/CMakeLists.txt"
+               (("target_link_libraries\\(sddm-helper")
+                "target_link_libraries(sddm-helper Qt5::Qml"))
+             #t))
          (add-after 'install 'wrap-programs
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 657e7eb2a4..e6afc04208 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -284,7 +284,7 @@ asynchronous fashion.")
 (define-public unbound
   (package
     (name "unbound")
-    (version "1.6.3")
+    (version "1.6.7")
     (source
      (origin
        (method url-fetch)
@@ -292,7 +292,7 @@ asynchronous fashion.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "0pw4m4z5qspsagxzbjb61xq5bhd57amw26xqvqzi6b8d3mf6azjc"))))
+         "17qwfmlls0w9kpkya3dlpn44b3kr87wsswzg3gawc13hh8yx8ysf"))))
     (build-system gnu-build-system)
     (outputs '("out" "python"))
     (native-inputs
@@ -443,9 +443,9 @@ served by AS112.  Stub and forward zones are supported.")
 (define-public yadifa
   (package
     (name "yadifa")
-    (version "2.2.5")
+    (version "2.2.6")
     (source
-     (let ((build "6937"))
+     (let ((build "7246"))
        (origin
          (method url-fetch)
          (uri
@@ -453,7 +453,7 @@ served by AS112.  Stub and forward zones are supported.")
                          name "-" version "-" build ".tar.gz"))
          (sha256
           (base32
-           "146fs52izf6dfwsxal3srpwin2yyl41g31cy4pyvbi5mqy2craj7")))))
+           "041a35f5jz2wcn8pxk1m7b2qln2wbvj4ddwb0a53lqabl912xi6p")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("which" ,which)))
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 315db18a57..bc803892af 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -135,7 +135,17 @@
                     (format #f "(tramp-default-remote-path ~s ~s ~s ~s "
                             "~/.guix-profile/bin" "~/.guix-profile/sbin"
                             "/run/current-system/profile/bin"
-                            "/run/current-system/profile/sbin")))))))
+                            "/run/current-system/profile/sbin")))
+
+                 ;; Make sure Man looks for C header files in the right
+                 ;; places.
+                 (substitute* "man.el"
+                   (("\"/usr/local/include\"" line)
+                    (string-join
+                     (list line
+                           "\"~/.guix-profile/include\""
+                           "\"/var/guix/profiles/system/profile/include\"")
+                     " ")))))))
     (build-system glib-or-gtk-build-system)
     (arguments
      `(#:phases
@@ -5657,6 +5667,26 @@ pair of minor modes which suppress all mouse events by intercepting them and
 running a customisable handler command (@code{ignore} by default). ")
     (license license:gpl3+)))
 
+(define-public emacs-json-snatcher
+  (package
+    (name "emacs-json-snatcher")
+    (version "1.0.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/Sterlingg/json-snatcher/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "1nfiwsifpdiz0lbrqa77nl0crnfrv5h85ans9b0g5rggnmyshcfb"))))
+    (build-system emacs-build-system)
+    (home-page "https://github.com/sterlingg/json-snatcher")
+    (synopsis "Grabs the path to JSON values in a JSON file")
+    (description "@code{emacs-json-snatcher} grabs the path to JSON values in
+a @url{http://json.org/, JSON} file.")
+    (license license:gpl3+)))
+
 (define-public emacs-restclient
   (let ((commit "07a3888bb36d0e29608142ebe743b4362b800f40")
         (revision "1"))                 ;Guix package revision,
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 9f9949ef84..c9e184d7d5 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -429,7 +429,7 @@ multipole-accelerated algorithm.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0pvk57z2pxz89pcwwm61lkpvj4w9qxqz8mi0zkpj6pnaljabp7bf"))))
+                "15rwjp4xdj9w1z9f709rz9p0k2mi9k9idma9hvzkj5j8p04mg7yd"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/erlang.scm b/gnu/packages/erlang.scm
index cf4d7a5955..1a575a0fd0 100644
--- a/gnu/packages/erlang.scm
+++ b/gnu/packages/erlang.scm
@@ -46,7 +46,7 @@
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1azjjyb743i6vjq7rnh5qnslsqg0x60a9zrlhg9n3dpm13z1b22l"))
+                "11xp6vv1v7iay9dg1xc6xm7izfsanbn5pgwp96ba0j1fmlkhjw92"))
               (patches (search-patches "erlang-man-path.patch"))))
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index b65d3a9e94..4acebeb405 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -764,17 +764,15 @@ glyph designs, not just an added slant.")
 (define-public font-hack
   (package
     (name "font-hack")
-    (version "2.020")
+    (version "3.000")
     (source (origin
               (method url-fetch/zipbomb)
               (uri (string-append
-                    "https://github.com/chrissimpkins/Hack/releases/download/v"
-                    version "/Hack-v"
-                    (string-replace-substring version "." "_")
-                    "-ttf.zip"))
+                    "https://github.com/source-foundry/Hack/releases/download/v"
+                    version "/Hack-v" version "-ttf.zip"))
               (sha256
                (base32
-                "16kkmc3psckw1b7k07ccn1gi5ymhlg9djh43nqjzg065g6p6d184"))))
+                "0h6slqg25a6cq57k6rh5hmnk8dxbprmf8shs4iyj1pc83sw6b1r3"))))
     (build-system font-build-system)
     (home-page "https://sourcefoundry.org/hack/")
     (synopsis "Typeface designed for source code")
@@ -782,9 +780,12 @@ glyph designs, not just an added slant.")
      "Hack is designed to be a workhorse typeface for code.  It expands upon
 the Bitstream Vera & DejaVu projects, provides 1561 glyphs, and includes
 Powerline support.")
-    (license (license:x11-style
-              "https://github.com/chrissimpkins/Hack/blob/master/LICENSE.md"
-              "Hack Open Font License v2.0"))))
+    (license
+     ;; See https://github.com/source-foundry/Hack/issues/271 for details.
+     (list license:expat                ; the Hack modifications to...
+           license:public-domain        ; ...the DejaVu modifications to...
+           (license:x11-style           ; ...the Bitstream Vera typeface
+            "file://LICENSE.md" "Bitstream Vera License")))))
 
 (define-public font-adobe-source-code-pro
   (package
@@ -1026,7 +1027,7 @@ monospace, slab-serif fonts.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "183n0qv3q8w6n27libarq1fhc4mqv2d3sasbfmbn7x9r5pw9c6ga"))
+                "018i3za9r6kf6svci33z09lc5pr5yz4164m8gzzwjzzqcrng0p5j"))
               (file-name (string-append name "-" version ".tar.gz"))))
     (build-system font-build-system)
     (home-page "http://google.github.io/material-design-icons")
diff --git a/gnu/packages/game-development.scm b/gnu/packages/game-development.scm
index 9916a1cb3e..37a30c835b 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -280,7 +280,10 @@ files) into @file{.grf} and/or @file{.nfo} files.")
     (source
      (origin
        (method url-fetch)
-       (uri (pypi-uri "sge-pygame" version))
+       (uri (string-append "mirror://savannah/stellarengine/"
+                           (version-major+minor version) "/sge-pygame-"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
          "1rl3xjzh78sl0sq3xl8rl7cgp9v9v3h7s2pfwn7nj1vrmffzkcpd"))))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 04b7b78d36..6709f02923 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -248,22 +248,22 @@ the others like yourself, that want what you have.")
 (define-public cowsay
   (package
     (name "cowsay")
-    (version "3.03")
+    (version "3.04")
     (source (origin
               (method url-fetch)
-              (uri (string-append "https://web.archive.org/web/20071026043648/"
-                                  "http://www.nog.net:80/~tony/warez/"
-                                  "cowsay-" version ".tar.gz"))
+              (uri (string-append "https://github.com/tnalpgge/"
+                                  "rank-amateur-cowsay/archive/"
+                                  name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1bxj802na2si2bk5zh7n0b7c33mg8a5n2wnvh0vihl9bmjkp51hb"))))
+                "12w7apbf6a9qffk92r32b16w22na2fjcqbl32rn0n7zw5hrp3f6q"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
        (modify-phases %standard-phases
-         (delete 'configure)
-         (delete 'install)
-         (replace 'build
+         (delete 'configure)            ; no configure script
+         (delete 'build)                ; nothing to be built
+         (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
              (zero? (system* "sh" "install.sh"
                              (assoc-ref outputs "out")))))
@@ -275,12 +275,12 @@ the others like yourself, that want what you have.")
     (inputs
      `(("perl" ,perl)))
     (home-page (string-append "https://web.archive.org/web/20071026043648/"
-                              "http://www.nog.net:80/~tony/warez/"))
+                              "http://www.nog.net:80/~tony/warez/cowsay.shtml"))
     (synopsis "Speaking cow text filter")
     (description "Cowsay is basically a text filter.  Send some text into it,
 and you get a cow saying your text.  If you think a talking cow isn't enough,
-cows can think too.  All you have to do is run @code{cowthink}.")
-    ;; Any version of the GPL.
+cows can think too: all you have to do is run @command{cowthink}.  If you're
+tired of cows, a variety of other ASCII-art messengers are available.")
     (license license:gpl3+)))
 
 (define-public freedoom
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 52bcedb0aa..2ebbd29565 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -517,7 +517,7 @@ and keep up to date translations of documentation.")
 (define-public gnome-disk-utility
   (package
     (name "gnome-disk-utility")
-    (version "3.24.1")
+    (version "3.26.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -525,10 +525,11 @@ and keep up to date translations of documentation.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "18akarcbhm8djlmz49jzavc7qx8dg71gvxc9xd23p0bwjj4h93w7"))))
-    (build-system gnu-build-system)
+                "10spllvcq2q71xk3dnhzjk8v4qx9am8y1h68k8z2j0l94g1c8bi3"))))
+    (build-system meson-build-system)
     (native-inputs
      `(("glib:bin" ,glib "bin")
+       ("gtk+" ,gtk+ "bin")             ; gtk-update-icon-cache
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("docbook-xml" ,docbook-xml)
@@ -2371,7 +2372,7 @@ library.")
 (define-public rest
   (package
     (name "rest")
-    (version "0.8.0")
+    (version "0.8.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/rest/"
@@ -2379,7 +2380,7 @@ library.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0iznvzhab1jq9z3nwy97dh2pid9azwkqm7kkxwx0f5ql1hh9pf77"))))
+                "1j81bgqmd55s5lxyaxcplym9n6xywcs1cm9wmvafsg2xiv9sl4q5"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f ; tests require internet connection
@@ -3769,7 +3770,7 @@ supports playlists, song ratings, and any codecs installed through gstreamer.")
 (define-public eog
  (package
    (name "eog")
-   (version "3.24.1")
+   (version "3.26.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -3777,7 +3778,7 @@ supports playlists, song ratings, and any codecs installed through gstreamer.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1rr7zy8afqgl15j1zz8l37svyv6bw4r3l04yf70zlnf1w8bf27pm"))))
+              "125wzr1mai4raybfb2hwjzxv59q20bjpw9j4wn682nn5bd9ypnwq"))))
    (build-system glib-or-gtk-build-system)
    (arguments
     `(#:phases
@@ -3824,7 +3825,7 @@ supports image conversion, rotation, and slideshows.")
   ;; 'XDG_DATA_DIRS' appropriately set.
   (package
     (name "eog-plugins")
-    (version "3.25.1")
+    (version "3.26.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -3832,7 +3833,7 @@ supports image conversion, rotation, and slideshows.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0an04z8v83qa6j950rbwdzf1s86y7zd8h1r4p2x36fwbkk1m617q"))))
+                "0v45f2m3b60ygkwpq6jrl49nwrivw6qy0ciibpv821qrm73hsgd7"))))
     (build-system gnu-build-system)
     (home-page "https://wiki.gnome.org/Apps/EyeOfGnome/Plugins")
     (synopsis "Extensions for the Eye of GNOME image viewer")
diff --git a/gnu/packages/graph.scm b/gnu/packages/graph.scm
index 683bfeec66..f91e81a30f 100644
--- a/gnu/packages/graph.scm
+++ b/gnu/packages/graph.scm
@@ -25,7 +25,9 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (gnu packages)
   #:use-module (gnu packages gcc)
+  #:use-module (gnu packages bioinformatics)
   #:use-module (gnu packages compression)
+  #:use-module (gnu packages graphviz)
   #:use-module (gnu packages maths)
   #:use-module (gnu packages multiprecision)
   #:use-module (gnu packages pkg-config)
@@ -116,3 +118,31 @@ It can handle large graphs very well and provides functions for generating
 random and regular graphs, graph visualization, centrality methods and much
 more.")
     (license license:gpl2+)))
+
+(define-public r-rgraphviz
+  (package
+    (name "r-rgraphviz")
+    (version "2.20.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (bioconductor-uri "Rgraphviz" version))
+       (sha256
+        (base32
+         "0mwdqsmmhpk8szp3pf3bw66nv2sazpjiflpwdvqwjamvxyynmp67"))))
+    (properties `((upstream-name . "Rgraphviz")))
+    (build-system r-build-system)
+    ;; FIXME: Rgraphviz bundles the sources of an older variant of
+    ;; graphviz.  It does not build with the latest version of graphviz, so
+    ;; we do not add graphviz to the inputs.
+    (inputs `(("zlib" ,zlib)))
+    (propagated-inputs
+     `(("r-graph" ,r-graph)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (home-page "http://bioconductor.org/packages/Rgraphviz")
+    (synopsis "Plotting capabilities for R graph objects")
+    (description
+     "This package interfaces R with the graphviz library for plotting R graph
+objects from the @code{graph} package.")
+    (license license:epl1.0)))
diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm
index 8e3c5563f6..3ffb4dd25c 100644
--- a/gnu/packages/graphics.scm
+++ b/gnu/packages/graphics.scm
@@ -244,7 +244,7 @@ exception-handling library.")
                            "/archive/v" version ".tar.gz"))
        (sha256
         (base32
-         "1ab354bmwwryxr4zgxchfkm6h4z38mjgif8yn89x640rsrgw5ipj"))
+         "1p0c91cc7zg3c00wjaibnxb0a0xm14mkg0h65pzpw93m0d6nc8wd"))
        (file-name (string-append name "-" version ".tar.gz"))))
     (build-system cmake-build-system)
     (arguments
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 295658f8ea..bb77279b32 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -306,12 +306,12 @@ diagrams.")
     (license license:gpl3+)))
 
 (define-public ganv-devel
-  (let ((commit "31685d283e9b811b61014f820c42807f4effa071")
+  (let ((commit "12f7d6b0438c94dd87f773a92eee3453d971846e")
         (revision "1"))
     (package
       (inherit ganv)
       (name "ganv")
-      (version (string-append "1.4.2-" revision "."
+      (version (string-append "1.5.4-" revision "."
                               (string-take commit 9)))
       (source (origin
                 (method git-fetch)
@@ -320,7 +320,7 @@ diagrams.")
                       (commit commit)))
                 (sha256
                  (base32
-                  "0xmbykdl42jn9cgzrqrys5lng67d26nk5xq10wkkvjqldiwdck56")))))))
+                  "1cr8w02lr6bk9mkxa12j3imq721b2an2yn4bj5wnwmpm91ddn2gi")))))))
 
 (define-public gtksourceview-2
   (package
diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm
index 7e879f4ad5..6864b7df6d 100644
--- a/gnu/packages/haskell.scm
+++ b/gnu/packages/haskell.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 David Craven <david@craven.ch>
@@ -8601,7 +8601,7 @@ JSON (JavaScript Object Notation) is a lightweight data-interchange format.")
 (define-public shellcheck
   (package
     (name "shellcheck")
-    (version "0.4.5")
+    (version "0.4.6")
     (source
      (origin
        (method url-fetch)
@@ -8609,7 +8609,7 @@ JSON (JavaScript Object Notation) is a lightweight data-interchange format.")
                            "v" version ".tar.gz"))
        (sha256
         (base32
-         "14r84fcn28rin339avlvca5g0kz832f01x8dpmwb5ql8mbc4rlxr"))
+         "1qkd69lc34n3l23ss9rq1azvx49bfq4hi4bmaj76rgxybscxhg0w"))
        (file-name (string-append name "-" version ".tar.gz"))))
     (build-system haskell-build-system)
     (inputs
diff --git a/gnu/packages/irc.scm b/gnu/packages/irc.scm
index 552349247f..5f031e3983 100644
--- a/gnu/packages/irc.scm
+++ b/gnu/packages/irc.scm
@@ -110,7 +110,7 @@ irssi, but graphical.")
 (define-public irssi
   (package
     (name "irssi")
-    (version "1.0.4")
+    (version "1.0.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/irssi/irssi/"
@@ -118,7 +118,7 @@ irssi, but graphical.")
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1jl6p431rv4iixk48wn607m4s0mcy3wgasfwrhz22y71mzdhfp5q"))))
+               "055r9fhbfcfkzinsnprnlqd8psspdyn3j26lzsmnrc1fw4kn8mf2"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 95fba20e88..45cb16f1f6 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -2299,7 +2299,7 @@ more.")
                                   "plexus-interpolation-" version ".tar.gz"))
               (sha256
                (base32
-                "1w79ljwk42ymrgy8kqxq4l82pgdj6287gabpfnpkyzbrnclsnfrp"))))
+                "03377yzlx5q440m6sxxgv6a5qb8fl30zzcgxgc0hxk5qgl2z1jjn"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name "plexus-interpolation.jar"
@@ -4429,7 +4429,7 @@ StringTemplate also powers ANTLR.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "07zff5frmjd53rnqdx31h0pmswz1lv0p2lp28cspfszh25ysz6sj"))))
+                "0218v683081lg54z9hvjxinhxd4dqp870jx6n39gslm0bkyi4vd6"))))
     (build-system ant-build-system)
     (arguments
      `(#:jar-name (string-append ,name "-" ,version ".jar")
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 5fdf3bc9e9..6a46f28684 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -2780,7 +2780,7 @@ typed.")
        ("ki18n" ,ki18n)
        ("qtbase" ,qtbase)))
     (arguments
-     `(#:tests? #f ; FIXME: 8/10 tests fail.
+     `(#:tests? #f ; FIXME: 6/10 tests fail.
        #:phases
        (modify-phases %standard-phases
          (add-before 'check 'check-setup
diff --git a/gnu/packages/lighting.scm b/gnu/packages/lighting.scm
index 7f01cdbc99..ab7069b53b 100644
--- a/gnu/packages/lighting.scm
+++ b/gnu/packages/lighting.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 John J. Foerch <jjfoerch@earthlink.net>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -59,7 +60,9 @@
        ("libuuid" ,util-linux)
        ("zlib" ,zlib)))
     (propagated-inputs
-     `(("protobuf" ,protobuf))) ;; for pkg-config --libs libola
+     ;; Ola 0.10.5 only supports protobuf 2.x, and building it with 3.x breaks.
+     ;; XXX Remove protobuf-2 when it is no longer needed.
+     `(("protobuf" ,protobuf-2))) ;; for pkg-config --libs libola
     (arguments
      `(;; G++ >= 4.8 macro expansion tracking requires lots of memory, causing
        ;; build to fail on low memory systems.  We disable that with the
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cc0a3cee68..289ec440f4 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -72,6 +72,7 @@
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages gtk)
+  #:use-module (gnu packages libunwind)
   #:use-module (gnu packages libusb)
   #:use-module (gnu packages man)
   #:use-module (gnu packages maths)
@@ -367,8 +368,8 @@ It has been modified to remove all non-free binary blobs.")
 
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
-(define %linux-libre-version "4.13.7")
-(define %linux-libre-hash "1znf2zrhfb6wmlv09c14y6sawl4nb0jr7gzwwnakspvy0yjs95r3")
+(define %linux-libre-version "4.13.8")
+(define %linux-libre-hash "0qi2n5lczqwq2v0q5zl08ac3x4lixpj1dmb0kza6hsllmx8hbybw")
 
 (define-public linux-libre
   (make-linux-libre %linux-libre-version
@@ -377,32 +378,22 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.9
-  (make-linux-libre "4.9.56"
-                    "05wy73yh4jbn1881djs21wl4hws62lyc1frb5di6cg6m3z7j658i"
+  (make-linux-libre "4.9.57"
+                    "02ldxzbazdbhvgkwxl6xblkwj75s5cm33fpm77kv394w35jan3by"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.92"
-                    "038mrv36n2521xd1f4nlpn00ar4vwzbwkldf6pk7rflbc3zi0p8g"
+  (make-linux-libre "4.4.93"
+                    "1llpqkm7vvwi5fm92y4n6qrc89ps7kdfl83s7m38a2yivm3kgzr6"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.1
-  (make-linux-libre "4.1.44"
-                    "1h1v2n8fxnn98y0jz9pnr4xdmc0v4l5d3hfxa5n5r3xmjksf1xs3"
+  (make-linux-libre "4.1.45"
+                    "1ifpyyq86x0imjdfb9vm7m8dbnkw82a7bqczx166zrssc1fc677l"
                     %intel-compatible-systems
-                    #:configuration-file kernel-config
-                    #:patches
-                    (list %boot-logo-patch
-                          (origin
-                            (method url-fetch)
-                            (uri "\
-https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=f7ec367c8ea7021517c9c04b0022c225d2d0785a")
-                            (file-name "linux-libre-4.4-CVE-2017-1000251.patch")
-                            (sha256
-                             (base32
-                              "1glnjvs3xkvana2wfdv47dxi7jz2s4dz3v0b8ryglf2vbflm388w"))))))
+                    #:configuration-file kernel-config))
 
 (define-public linux-libre-arm-generic
   (make-linux-libre %linux-libre-version
@@ -2525,7 +2516,7 @@ in a digital read-out.")
              (setenv "SHELL_PATH" (which "bash"))
              (chdir "tools/perf")
              #t)))
-       #:make-flags (list (string-append "DESTDIR="
+       #:make-flags (list (string-append "prefix="
                                          (assoc-ref %outputs "out"))
                           "WERROR=0"
 
@@ -2547,6 +2538,8 @@ in a digital read-out.")
        ("python" ,python-2)                    ;'perf' links against libpython
        ("elfutils" ,elfutils)
        ("libiberty" ,libiberty)      ;used alongside BDF for symbol demangling
+       ("libunwind" ,libunwind)      ;better stack walking
+       ("numactl" ,numactl)          ;for 'perf bench numa mem'
 
        ;; Documentation.
        ("libxml2" ,libxml2)                       ;for $XML_CATALOG_FILES
@@ -3186,7 +3179,7 @@ and copy/paste text in the console and in xterm.")
 (define-public btrfs-progs
   (package
     (name "btrfs-progs")
-    (version "4.13.2")
+    (version "4.13.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/kernel/"
@@ -3194,7 +3187,7 @@ and copy/paste text in the console and in xterm.")
                                   "btrfs-progs-v" version ".tar.xz"))
               (sha256
                (base32
-                "1ga8jk2hkaxpm17z3gdfrpq0i62kqpv2wm5yzbzmsj862cgk7ivm"))))
+                "10yp0b4pwrw5mcd81yn3d0d87fnqpp4si5d25dfhl6n2640dnnw0"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "static"))      ; static versions of the binaries in "out"
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index a07cb1b004..acbb68b51b 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2014 Sou Bunnbu <iyzsong@gmail.com>
@@ -117,19 +117,19 @@
 (define-public mailutils
   (package
     (name "mailutils")
-    (version "3.2")
+    (version "3.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/mailutils/mailutils-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0c06yj5hgqibi24ib9sx865kq6i1h18wn201g6iwcfbpi2a7psdm"))))
+               "1v110avpdz0bvz3yh3cfvvd0dnn7sa6hrpql2h8dgnri8fww6cag"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
        (modify-phases %standard-phases
-         (add-before 'build 'pre-build
+         (add-before 'check 'prepare-test-suite
            (lambda _
              ;; Use the right file name for `cat'.
              (substitute* "testsuite/lib/mailutils.exp"
@@ -162,6 +162,17 @@
                (("\\$\\(SHELL\\) \\$\\(TESTSUITE\\)" all)
                 (string-append "-" all)))
 
+             ;; 'frm' tests expect write access to $HOME.
+             (setenv "HOME" (getcwd))
+
+             ;; Avoid the message "I'm going to create the standard MH path
+             ;; for you", which would lead to one test failure (when diffing
+             ;; stdout of 'fmtcheck'.)
+             (call-with-output-file ".mh_profile"
+               (lambda (port)
+                 (format port "Path: ~a/Mail-for-tests~%"
+                         (getcwd))))
+
              #t)))
        ;; TODO: Add `--with-sql'.
        #:configure-flags '("--sysconfdir=/etc")
@@ -1097,7 +1108,7 @@ facilities for checking incoming mail.")
 (define-public dovecot
   (package
     (name "dovecot")
-    (version "2.2.33.1")
+    (version "2.2.33.2")
     (source
      (origin
        (method url-fetch)
@@ -1105,7 +1116,7 @@ facilities for checking incoming mail.")
                            (version-major+minor version) "/"
                            name "-" version ".tar.gz"))
        (sha256 (base32
-                "02w932hq8v9889k709gbg94jl983lzwd3nh51vkxq041821a3ng4"))))
+                "117f9i62liz2pm96zi2lpldzlj2knzj7g410zhifwmlsc1w3n7py"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/mate.scm b/gnu/packages/mate.scm
index 91489ba91b..ea4c8aecc8 100644
--- a/gnu/packages/mate.scm
+++ b/gnu/packages/mate.scm
@@ -27,28 +27,28 @@
   #:use-module (guix build-system glib-or-gtk)
   #:use-module (guix build-system trivial)
   #:use-module (gnu packages)
-  #:use-module (gnu packages pkg-config)
-  #:use-module (gnu packages freedesktop)
-  #:use-module (gnu packages fontutils)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages docbook)
+  #:use-module (gnu packages documentation)
   #:use-module (gnu packages fonts)
-  #:use-module (gnu packages libcanberra)
-  #:use-module (gnu packages linux)
-  #:use-module (gnu packages glib)
-  #:use-module (gnu packages gtk)
+  #:use-module (gnu packages fontutils)
+  #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages glib)
   #:use-module (gnu packages gnome)
-  #:use-module (gnu packages docbook)
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gnuzilla)
-  #:use-module (gnu packages xorg)
-  #:use-module (gnu packages documentation)
-  #:use-module (gnu packages xdisorg)
-  #:use-module (gnu packages base)
-  #:use-module (gnu packages xml)
+  #:use-module (gnu packages gtk)
+  #:use-module (gnu packages libcanberra)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages photo)
   #:use-module (gnu packages polkit)
   #:use-module (gnu packages pulseaudio)
-  #:use-module (gnu packages python))
+  #:use-module (gnu packages python)
+  #:use-module (gnu packages xdisorg)
+  #:use-module (gnu packages xml)
+  #:use-module (gnu packages xorg))
 
 (define-public mate-icon-theme
   (package
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index 7e093bc111..cd9c41fccf 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -801,14 +801,14 @@ instant messenger with audio and video chat capabilities.")
 (define-public qtox
   (package
     (name "qtox")
-    (version "1.12.0")
+    (version "1.12.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/qTox/qTox/archive/v"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0ycgvcfn8hchc775dcn1wpdqff8chvzz1svx9g99wa5vcns9pflg"))
+                "0dwy0abcxzzcybww2xi33cla71a7752cq02qswcks5kbxnf5pck5"))
               (file-name (string-append name "-" version ".tar.gz"))))
     (build-system cmake-build-system)
     (arguments
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 579559616e..a75b1f3f78 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -43,6 +43,7 @@
   #:use-module (gnu packages video)               ;ffmpeg
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system python)
   #:use-module (guix build-system cmake))
@@ -348,14 +349,15 @@ use with CD-recording software).")
 (define-public lame
   (package
     (name "lame")
-    (version "3.99.5")
+    (version "3.100")
     (source (origin
              (method url-fetch)
-             (uri (string-append "mirror://sourceforge/lame/lame/3.99/lame-"
+             (uri (string-append "mirror://sourceforge/lame/lame/"
+                                 (version-major+minor version) "/lame-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1zr3kadv35ii6liia0bpfgxpag27xcivp571ybckpbz4b10nnd14"))))
+               "07nsn5sy3a8xbmw1bidxnsj5fj6kg9ai04icmqw40ybkp353dznx"))))
     (build-system gnu-build-system)
     ;; XXX FIXME: Use gcc-4.8 on i686 to work around
     ;; <http://bugs.gnu.org/20856>.
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 69d69a6185..ea1904596e 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -2300,7 +2300,7 @@ for improved Amiga ProTracker 2/3 compatibility.")
 (define-public schismtracker
   (package
     (name "schismtracker")
-    (version "20170420")
+    (version "20170910")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2309,7 +2309,7 @@ for improved Amiga ProTracker 2/3 compatibility.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0k06vri29ayaq7mzsik3yywh6zdar2nfpkav2sp6g2rjl6k6vi5z"))
+                "01gfcjngbpv87y9w5jln8k313hycpkb1d617hdy2cdw2hxqzlclz"))
               (modules '((guix build utils)))
               (snippet
                ;; Remove use of __DATE__ and __TIME__ for reproducibility.
@@ -2807,8 +2807,8 @@ plugins, a switch trigger, a toggle switch, and a peakmeter.")
       (license license:gpl2+))))
 
 (define-public ingen
-  (let ((commit "fd147d0b888090bfb897505852c1f25dbdf77e18")
-        (revision "1"))
+  (let ((commit "cc4a4db33f4d126a07a4a498e053c5fb9a883be3")
+        (revision "2"))
     (package
       (name "ingen")
       (version (string-append "0.0.0-" revision "."
@@ -2822,7 +2822,7 @@ plugins, a switch trigger, a toggle switch, and a peakmeter.")
          (file-name (string-append name "-" version "-checkout"))
          (sha256
           (base32
-           "1qmg79962my82c43vyrv5sxbqci9c7gc2s9bwaaqd0fcf08xcz1z"))))
+           "1wg47vjw9djn99gbnsl2bcwj4xhdid61m4wrbn2nlp797flj91ic"))))
       (build-system waf-build-system)
       (arguments
        `(#:tests? #f ; no "check" target
@@ -2866,7 +2866,7 @@ plugins, a switch trigger, a toggle switch, and a peakmeter.")
          ("python-rdflib" ,python-rdflib)
          ("python" ,python)
          ("jack" ,jack-1)
-         ("lv2" ,lv2)
+         ("lv2" ,lv2-devel)
          ("lilv" ,lilv)
          ("raul" ,raul-devel)
          ("ganv" ,ganv-devel)
diff --git a/gnu/packages/musl.scm b/gnu/packages/musl.scm
index 321290872e..dbb8c4856f 100644
--- a/gnu/packages/musl.scm
+++ b/gnu/packages/musl.scm
@@ -27,15 +27,14 @@
 (define-public musl
   (package
     (name "musl")
-    (version "1.1.15")
+    (version "1.1.17")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://www.musl-libc.org/releases/"
                                   name "-" version ".tar.gz"))
-              (patches (search-patches "musl-CVE-2016-8859.patch"))
               (sha256
                (base32
-                "1ymhxkskivzph0q34zadwfglc5gyahqajm7chqqn2zraxv3lgr4p"))))
+                "0r0lyp2w6v2bvm8h1si7w3p2qx037szl14qnxm5p00568z3m3an8"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f  ; Musl has no tests
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 633b8ca43e..265455e5b2 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -875,7 +875,7 @@ offline emulation of DNS.")
 (define-public perl-geo-ip
  (package
   (name "perl-geo-ip")
-  (version "1.50")
+  (version "1.51")
   (source
     (origin
       (method url-fetch)
@@ -885,7 +885,7 @@ offline emulation of DNS.")
              ".tar.gz"))
       (sha256
         (base32
-          "0ar69lrm26rp6sqxjf0p6cvjfprjx8gkxx11r399lvh99rqfl7zr"))))
+          "1fka8fr7fw6sh3xa9glhs1zjg3s2gfkhi7n7da1l2m2wblqj0c0n"))))
   (build-system perl-build-system)
   (home-page "http://search.cpan.org/dist/Geo-IP")
   (synopsis
@@ -1267,7 +1267,7 @@ networks.")
 (define-public speedtest-cli
   (package
     (name "speedtest-cli")
-    (version "1.0.6")
+    (version "1.0.7")
     (source
      (origin
        (method url-fetch)
@@ -1276,7 +1276,7 @@ networks.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1alambi1ljng6j04k7pq58jqwd0wh1q9630f17nl34ljabji5lwy"))))
+         "1fbq4kpx8sj50g74hwpixisfjjgxq6zyn40d3m28dxhn7mxbnlrq"))))
     (build-system python-build-system)
     (home-page "https://github.com/sivel/speedtest-cli")
     (synopsis "Internet bandwidth tester")
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index aa2f006674..b13168c7da 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -401,7 +401,12 @@ syntax of OCaml.")
                   (lambda _
                     (zero? (system* "make" "-j" (number->string
                                                  (parallel-job-count))
-                                    "world.opt")))))))
+                                    "world.opt"))))
+         ;; Required for findlib to find camlp5's libraries
+         (add-after 'install 'install-meta
+           (lambda* (#:key outputs #:allow-other-keys)
+             (install-file "etc/META" (string-append (assoc-ref outputs "out")
+                                                     "/lib/ocaml/camlp5/")))))))
     (home-page "http://camlp5.gforge.inria.fr/")
     (synopsis "Pre-processor Pretty Printer for OCaml")
     (description
@@ -445,26 +450,25 @@ written in Objective Caml.")
 (define-public coq
   (package
     (name "coq")
-    (version "8.5pl2")
+    (version "8.7.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://coq.inria.fr/distrib/V" version
                                   "/files/" name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0wyywia0darak2zmc5v0ra9rn0b9whwdfiahralm8v5za499s8w3"))))
+                "15wjngjd5pyfqdl5yw92rvdxvy15xcjlpx0rqlkzvcsis1z20xpk"))))
     (native-search-paths
      (list (search-path-specification
             (variable "COQPATH")
             (files (list "lib/coq/user-contrib")))))
-    (build-system gnu-build-system)
+    (build-system ocaml-build-system)
     (native-inputs
      `(("texlive" ,texlive)
-       ("findlib" ,ocaml-findlib)
        ("hevea" ,hevea)))
     (inputs
-     `(("ocaml" ,ocaml)
-       ("lablgtk" ,lablgtk)
+     `(("lablgtk" ,lablgtk)
+       ("python" ,python-2)
        ("camlp5" ,camlp5)))
     (arguments
      `(#:phases
@@ -488,6 +492,11 @@ written in Objective Caml.")
          (add-after 'install 'check
            (lambda _
              (with-directory-excursion "test-suite"
+               ;; These two tests fail.
+               ;; This one fails because the output is not formatted as expected.
+               (delete-file-recursively "coq-makefile/timing")
+               ;; This one fails because we didn't build coqtop.byte.
+               (delete-file-recursively "coq-makefile/findlib-package")
                (zero? (system* "make"))))))))
     (home-page "https://coq.inria.fr")
     (synopsis "Proof assistant for higher-order logic")
@@ -3551,14 +3560,14 @@ library is currently designed for Unicode Standard 3.2.")
 (define-public coq-flocq
   (package
     (name "coq-flocq")
-    (version "2.5.2")
+    (version "2.6.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gforge.inria.fr/frs/download.php/file"
-                                  "/36199/flocq-" version ".tar.gz"))
+                                  "/37054/flocq-" version ".tar.gz"))
               (sha256
                (base32
-                "0h5mlasirfzc0wwn2isg4kahk384n73145akkpinrxq5jsn5d22h"))))
+                "13fv150dcwnjrk00d7zj2c5x9jwmxgrq0ay440gkr730l8mvk3l3"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("ocaml" ,ocaml)
@@ -3648,14 +3657,14 @@ assistant.")
 (define-public coq-mathcomp
   (package
     (name "coq-mathcomp")
-    (version "1.6.1")
+    (version "1.6.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/math-comp/math-comp/archive/mathcomp-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1j9ylggjzrxz1i2hdl2yhsvmvy5z6l4rprwx7604401080p5sgjw"))))
+                "0lg5ncr7p4y8qqq6pfw6brqc6a9xzlfa0drprwfdn0rnyaq5nca6"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("ocaml" ,ocaml)
@@ -3690,14 +3699,14 @@ part of the distribution.")
 (define-public coq-coquelicot
   (package
     (name "coq-coquelicot")
-    (version "3.0.0")
+    (version "3.0.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gforge.inria.fr/frs/download.php/"
-                                  "file/36537/coquelicot-" version ".tar.gz"))
+                                  "file/37045/coquelicot-" version ".tar.gz"))
               (sha256
                (base32
-                "0fx99bvsbdizj00gx2im8939y4wwl05f4qhw184j90kcx5vjxxv9"))))
+                "0hsyhsy2lwqxxx2r8xgi5csmirss42lp9bkb9yy35mnya0w78c8r"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("ocaml" ,ocaml)
@@ -3737,17 +3746,49 @@ conservative extension of Coq's standard library and provides correspondence
 theorems between the two libraries.")
     (license license:lgpl3+)))
 
+(define-public coq-bignums
+  (package
+    (name "coq-bignums")
+    (version "8.7.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/coq/bignums/archive/V"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "03iw9jiwq9jx45gsvp315y3lxr8m9ksppmcjvxs5c23qnky6zqjx"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("ocaml" ,ocaml)
+       ("coq" ,coq)))
+    (inputs
+     `(("camlp5" ,camlp5)))
+    (arguments
+     `(#:tests? #f; No test target
+       #:make-flags
+       (list (string-append "COQLIBINSTALL=" (assoc-ref %outputs "out")
+                            "/lib/coq/user-contrib"))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure))))
+    (home-page "https://github.com/coq/bignums")
+    (synopsis "Coq library for arbitrary large numbers")
+    (description "Bignums is a coq library of arbitrary large numbers.  It
+provides BigN, BigZ, BigQ that used to be part of Coq standard library.")
+    (license license:lgpl2.1+)))
+
 (define-public coq-interval
   (package
     (name "coq-interval")
-    (version "3.2.0")
+    (version "3.3.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gforge.inria.fr/frs/download.php/"
                                   "file/36538/interval-" version ".tar.gz"))
               (sha256
                (base32
-                "16ir7mizl18kwa1ls8fwjih6r87894bvc1r6lh85cd43la7nriq3"))))
+                "08fdcf3hbwqphglvwprvqzgkg0qbimpyhnqsgv3gac4y1ap0f903"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("ocaml" ,ocaml)
@@ -3755,6 +3796,7 @@ theorems between the two libraries.")
        ("coq" ,coq)))
     (propagated-inputs
      `(("flocq" ,coq-flocq)
+       ("bignums" ,coq-bignums)
        ("coquelicot" ,coq-coquelicot)
        ("mathcomp" ,coq-mathcomp)))
     (arguments
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 8d21f700e7..07ac59da5b 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -79,8 +79,8 @@
   ;; Note: the 'update-guix-package.scm' script expects this definition to
   ;; start precisely like this.
   (let ((version "0.13.0")
-        (commit "8b920d707ed07a3251227f77526cf875d86a4417")
-        (revision 7))
+        (commit "357ab93aacbd882a48cd7961ab301afa78c941d0")
+        (revision 8))
     (package
       (name "guix")
 
@@ -96,7 +96,7 @@
                       (commit commit)))
                 (sha256
                  (base32
-                  "15phwcadkw44mr4hnv1dxzzw9an6x7sbdfzwy4iciqw6y2wckncd"))
+                  "19cf4gpdkqv8lxpqg4ibmxhmnsm2ggi3wrhaslfmypa2a5b5jls1"))
                 (file-name (string-append "guix-" version "-checkout"))))
       (build-system gnu-build-system)
       (arguments
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index df6103f6a1..2fed93bf22 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -12,6 +12,7 @@
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Jelle Licht <jlicht@fsfe.org>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2017 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -83,7 +84,7 @@ human.")
 (define-public keepassxc
   (package
     (name "keepassxc")
-    (version "2.2.0")
+    (version "2.2.1")
     (source
      (origin
        (method url-fetch)
@@ -92,7 +93,7 @@ human.")
                            version "-src.tar.xz"))
        (sha256
         (base32
-         "0nby6aq6w8g7c9slzahf7i34sbj8majf8rhmqqww87v6kaypxi3i"))))
+         "1gkxsv3g4pkzbjkd1c27k15m2b5y2fqnnijphnaiv542yk7csqb7"))))
     (build-system cmake-build-system)
     (inputs
      `(("libgcrypt" ,libgcrypt)
diff --git a/gnu/packages/patches/libusb-for-axoloti.patch b/gnu/packages/patches/libusb-for-axoloti.patch
new file mode 100644
index 0000000000..2c07d767d9
--- /dev/null
+++ b/gnu/packages/patches/libusb-for-axoloti.patch
@@ -0,0 +1,14 @@
+diff -rp -u4 libusb-1.0.19-orig/libusb/descriptor.c libusb-1.0.19/libusb/descriptor.c
+--- libusb-1.0.19-orig/libusb/descriptor.c	2015-05-12 00:15:19 +0200
++++ libusb-1.0.19/libusb/descriptor.c	2015-05-12 00:17:09 +0200
+@@ -1181,9 +1181,9 @@ int API_EXPORTED libusb_get_string_descr
+ 	if (tbuf[1] != LIBUSB_DT_STRING)
+ 		return LIBUSB_ERROR_IO;
+ 
+ 	if (tbuf[0] > r)
+-		return LIBUSB_ERROR_IO;
++            tbuf[0] = r;
+ 
+ 	for (di = 0, si = 2; si < tbuf[0]; si += 2) {
+ 		if (di >= (length - 1))
+ 			break;
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
new file mode 100644
index 0000000000..d577e1eb50
--- /dev/null
+++ b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
@@ -0,0 +1,84 @@
+Fix CVE-2017-1000256:
+
+https://security.libvirt.org/2017/0002.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
+
+Patch copied from upstream source repository:
+
+https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
+
+From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c                            |    2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-chardev.args   |    2 +-
+ ...xml2argv-serial-tcp-tlsx509-secret-chardev.args |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 9a27987..ae78cd1 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
++                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index 5aff773..ab5f7e2 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 91f1fe0..2567abb 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+-- 
+1.7.1
+
diff --git a/gnu/packages/patches/mupdf-CVE-2017-15587.patch b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
new file mode 100644
index 0000000000..5da7737ea1
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
@@ -0,0 +1,21 @@
+Fix CVE-2017-15587.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
+https://nandynarwhals.org/CVE-2017-15587/
+
+Copied from upstream:
+<https://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8>
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 66bd0ed..6292793 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
+ 	pdf_xref_entry *table;
+ 	int i, n;
+ 
+-	if (i0 < 0 || i1 < 0)
++	if (i0 < 0 || i1 < 0 || (i0+i1) < 0)
+ 		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
+ 	//if (i0 + i1 > pdf_xref_len(ctx, doc))
+ 	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
diff --git a/gnu/packages/patches/musl-CVE-2016-8859.patch b/gnu/packages/patches/musl-CVE-2016-8859.patch
deleted file mode 100644
index 7bb5b892dd..0000000000
--- a/gnu/packages/patches/musl-CVE-2016-8859.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-8859:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8859
-
-Patch copied from upstream source repository:
-
-http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7
-
-From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
-From: Rich Felker <dalias@aerifal.cx>
-Date: Thu, 6 Oct 2016 18:34:58 -0400
-Subject: [PATCH] fix missing integer overflow checks in regexec buffer size
- computations
-
-most of the possible overflows were already ruled out in practice by
-regcomp having already succeeded performing larger allocations.
-however at least the num_states*num_tags multiplication can clearly
-overflow in practice. for safety, check them all, and use the proper
-type, size_t, rather than int.
-
-also improve comments, use calloc in place of malloc+memset, and
-remove bogus casts.
----
- src/regex/regexec.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/src/regex/regexec.c b/src/regex/regexec.c
-index 16c5d0a..dd52319 100644
---- a/src/regex/regexec.c
-+++ b/src/regex/regexec.c
-@@ -34,6 +34,7 @@
- #include <wchar.h>
- #include <wctype.h>
- #include <limits.h>
-+#include <stdint.h>
- 
- #include <regex.h>
- 
-@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
- 
-   /* Allocate memory for temporary data required for matching.	This needs to
-      be done for every matching operation to be thread safe.  This allocates
--     everything in a single large block from the stack frame using alloca()
--     or with malloc() if alloca is unavailable. */
-+     everything in a single large block with calloc(). */
-   {
--    int tbytes, rbytes, pbytes, xbytes, total_bytes;
-+    size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
-     char *tmp_buf;
-+
-+    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
-+     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
-+    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
-+      goto error_exit;
-+
-+    /* Likewise check rbytes. */
-+    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
-+      goto error_exit;
-+
-+    /* Likewise check pbytes. */
-+    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
-+      goto error_exit;
-+
-     /* Compute the length of the block we need. */
-     tbytes = sizeof(*tmp_tags) * num_tags;
-     rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
-@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
-       + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes;
- 
-     /* Allocate the memory. */
--    buf = xmalloc((unsigned)total_bytes);
-+    buf = calloc(total_bytes, 1);
-     if (buf == NULL)
-       return REG_ESPACE;
--    memset(buf, 0, (size_t)total_bytes);
- 
-     /* Get the various pointers within tmp_buf (properly aligned). */
-     tmp_tags = (void *)buf;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2017-13082.patch b/gnu/packages/patches/wpa-supplicant-CVE-2017-13082.patch
new file mode 100644
index 0000000000..371456d157
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2017-13082.patch
@@ -0,0 +1,182 @@
+Fix CVE-2017-13082:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13082
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+
+Patch copied from upstream:
+https://w1.fi/security/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
+
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/ap/ieee802_11.c  | 16 +++++++++++++---
+ src/ap/wpa_auth.c    | 11 +++++++++++
+ src/ap/wpa_auth.h    |  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++++++++++
+ src/ap/wpa_auth_i.h  |  1 +
+ 5 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index 4e04169..333035f 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ {
+ 	struct ieee80211_ht_capabilities ht_cap;
+ 	struct ieee80211_vht_capabilities vht_cap;
++	int set = 1;
+ 
+ 	/*
+ 	 * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 	 * FT-over-the-DS, where a station re-associates back to the same AP but
+ 	 * skips the authentication flow, or if working with a driver that
+ 	 * does not support full AP client state.
++	 *
++	 * Skip this if the STA has already completed FT reassociation and the
++	 * TK has been configured since the TX/RX PN must not be reset to 0 for
++	 * the same key.
+ 	 */
+-	if (!sta->added_unassoc)
++	if (!sta->added_unassoc &&
++	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++	     !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+ 		hostapd_drv_sta_remove(hapd, sta->addr);
++		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++		set = 0;
++	}
+ 
+ #ifdef CONFIG_IEEE80211N
+ 	if (sta->flags & WLAN_STA_HT)
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+ 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+ 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-			    sta->added_unassoc)) {
++			    set)) {
+ 		hostapd_logger(hapd, sta->addr,
+ 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+ 			       "Could not %s STA to kernel driver",
+-			       sta->added_unassoc ? "set" : "add");
++			       set ? "set" : "add");
+ 
+ 		if (sta->added_unassoc) {
+ 			hostapd_drv_sta_remove(hapd, sta->addr);
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 3587086..707971d 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
+ #else /* CONFIG_IEEE80211R */
+ 		break;
+ #endif /* CONFIG_IEEE80211R */
++	case WPA_DRV_STA_REMOVED:
++		sm->tk_already_set = FALSE;
++		return 0;
+ 	}
+ 
+ #ifdef CONFIG_IEEE80211R
+@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
+ }
+ 
+ 
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++		return 0;
++	return sm->tk_already_set;
++}
++
++
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry)
+ {
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 0de8d97..97461b0 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
+ 		 u8 *data, size_t data_len);
+ enum wpa_event {
+ 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
+index 42242a5..e63b99a 100644
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 		return;
+ 	}
+ 
++	if (sm->tk_already_set) {
++		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
++		 * PN in the driver */
++		wpa_printf(MSG_DEBUG,
++			   "FT: Do not re-install same PTK to the driver");
++		return;
++	}
++
+ 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
+ 	 * most likely without this.. At the moment, STA entry is added only
+ 	 * after association has been completed. This function will be called
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 
+ 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+ 	sm->pairwise_set = TRUE;
++	sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
+ 
+ 	sm->pairwise = pairwise;
+ 	sm->PTK_valid = TRUE;
++	sm->tk_already_set = FALSE;
+ 	wpa_ft_install_ptk(sm);
+ 
+ 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 72b7eb3..7fd8f05 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+ 	struct wpa_ptk PTK;
+ 	Boolean PTK_valid;
+ 	Boolean pairwise_set;
++	Boolean tk_already_set;
+ 	int keycount;
+ 	Boolean Pair;
+ 	struct wpa_key_replay_counter {
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/wpa-supplicant-fix-key-reuse.patch b/gnu/packages/patches/wpa-supplicant-fix-key-reuse.patch
new file mode 100644
index 0000000000..20d7c37662
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-fix-key-reuse.patch
@@ -0,0 +1,448 @@
+Fix CVE-2017-{13078,13079,13080,13081,13087,13088}:
+
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13078
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13079
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13087
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13088
+
+These two patches are copied from upstream:
+https://w1.fi/security/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
+https://w1.fi/security/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
+
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 44 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index af1d0f0..d200285 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -217,6 +217,17 @@ struct wpa_ptk {
+ 	size_t tk_len;
+ };
+ 
++struct wpa_gtk {
++	u8 gtk[WPA_GTK_MAX_LEN];
++	size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++	u8 igtk[WPA_IGTK_MAX_LEN];
++	size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..95bd7be 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
++	/* Detect possible key reinstallation */
++	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++			gd->keyidx, gd->tx, gd->gtk_len);
++		return 0;
++	}
++
+ 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
++	sm->gtk.gtk_len = gd->gtk_len;
++	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+ 	return 0;
+ }
+ 
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ }
+ 
+ 
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++				       const struct wpa_igtk_kde *igtk)
++{
++	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++	u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++	/* Detect possible key reinstallation */
++	if (sm->igtk.igtk_len == len &&
++	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++			keyidx);
++		return  0;
++	}
++
++	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++		keyidx, MAC2STR(igtk->pn));
++	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++	if (keyidx > 4095) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Invalid IGTK KeyID %d", keyidx);
++		return -1;
++	}
++	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++			   broadcast_ether_addr,
++			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
++			   igtk->igtk, len) < 0) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Failed to configure IGTK to the driver");
++		return -1;
++	}
++
++	sm->igtk.igtk_len = len;
++	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++	return 0;
++}
++#endif /* CONFIG_IEEE80211W */
++
++
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			       struct wpa_eapol_ie_parse *ie)
+ {
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 	if (ie->igtk) {
+ 		size_t len;
+ 		const struct wpa_igtk_kde *igtk;
+-		u16 keyidx;
++
+ 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+ 			return -1;
++
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		keyidx = WPA_GET_LE16(igtk->keyid);
+-		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-			"pn %02x%02x%02x%02x%02x%02x",
+-			keyidx, MAC2STR(igtk->pn));
+-		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-				igtk->igtk, len);
+-		if (keyidx > 4095) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Invalid IGTK KeyID %d", keyidx);
+-			return -1;
+-		}
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-				   igtk->igtk, len) < 0) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Failed to configure IGTK to the driver");
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+ 	}
+ 
+ 	return 0;
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-	int clear_ptk = 1;
++	int clear_keys = 1;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		/* Prepare for the next transition */
+ 		wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_IEEE80211R */
+ 
+-	if (clear_ptk) {
++	if (clear_keys) {
+ 		/*
+ 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+ 		 * this is not part of a Fast BSS Transition.
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+ #ifdef CONFIG_TDLS
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+ 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-		struct wpa_igtk_kde igd;
+-		u16 keyidx;
+-
+-		os_memset(&igd, 0, sizeof(igd));
+-		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-		os_memcpy(igd.keyid, buf + 2, 2);
+-		os_memcpy(igd.pn, buf + 4, 6);
+-
+-		keyidx = WPA_GET_LE16(igd.keyid);
+-		os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-				igd.igtk, keylen);
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igd.pn, sizeof(igd.pn),
+-				   igd.igtk, keylen) < 0) {
+-			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-				   "WNM mode");
+-			os_memset(&igd, 0, sizeof(igd));
++		const struct wpa_igtk_kde *igtk;
++
++		igtk = (const struct wpa_igtk_kde *) (buf + 2);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+-		os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "Unknown element id");
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index f653ba6..afc9e37 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+ 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++	struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++	struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 
+-- 
+2.7.4
+
+From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:12:24 +0300
+Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c   | 53 +++++++++++++++++++++++++++++++++++++---------------
+ src/rsn_supp/wpa_i.h |  2 ++
+ 2 files changed, 40 insertions(+), 15 deletions(-)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 95bd7be..7a2c68d 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -709,14 +709,17 @@ struct wpa_gtk_data {
+ 
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 				      const struct wpa_gtk_data *gd,
+-				      const u8 *key_rsc)
++				      const u8 *key_rsc, int wnm_sleep)
+ {
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ 			gd->keyidx, gd->tx, gd->gtk_len);
+@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+-	sm->gtk.gtk_len = gd->gtk_len;
+-	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	if (wnm_sleep) {
++		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++			  sm->gtk_wnm_sleep.gtk_len);
++	} else {
++		sm->gtk.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ 					       gtk_len, gtk_len,
+ 					       &gd.key_rsc_len, &gd.alg) ||
+-	     wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
++	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"RSN: Failed to install GTK");
+ 		os_memset(&gd, 0, sizeof(gd));
+@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-				       const struct wpa_igtk_kde *igtk)
++				       const struct wpa_igtk_kde *igtk,
++				       int wnm_sleep)
+ {
+ 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->igtk.igtk_len == len &&
+-	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++	if ((sm->igtk.igtk_len == len &&
++	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++	    (sm->igtk_wnm_sleep.igtk_len == len &&
++	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ 			keyidx);
+@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+ 		return -1;
+ 	}
+ 
+-	sm->igtk.igtk_len = len;
+-	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	if (wnm_sleep) {
++		sm->igtk_wnm_sleep.igtk_len = len;
++		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++			  sm->igtk_wnm_sleep.igtk_len);
++	} else {
++		sm->igtk.igtk_len = len;
++		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			return -1;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+ 			return -1;
+ 	}
+ 
+@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
+ 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
+ 		key_rsc = null_rsc;
+ 
+-	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
++	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
+ 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
+ 		goto failed;
+ 	os_memset(&gd, 0, sizeof(gd));
+@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 
+ 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+ 				gd.gtk, gd.gtk_len);
+-		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+ 			os_memset(&gd, 0, sizeof(gd));
+ 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+ 				   "WNM mode");
+@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		const struct wpa_igtk_kde *igtk;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+ 			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index afc9e37..9a54631 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -32,8 +32,10 @@ struct wpa_sm {
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ 	struct wpa_gtk gtk;
++	struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+ 	struct wpa_igtk igtk;
++	struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/wpa-supplicant-fix-nonce-reuse.patch b/gnu/packages/patches/wpa-supplicant-fix-nonce-reuse.patch
new file mode 100644
index 0000000000..d8dd9cd204
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-fix-nonce-reuse.patch
@@ -0,0 +1,72 @@
+Fix a nonce re-use bug:
+
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+
+Patch copied from upstream:
+
+https://w1.fi/security/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
+
+From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 707971d..bf10cc1 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+ 
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++		wpa_printf(MSG_ERROR,
++			   "WPA: Failed to get random data for ANonce");
++		sm->Disconnect = TRUE;
++		return -1;
++	}
++	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++		    WPA_NONCE_LEN);
++	sm->TimeoutCtr = 0;
++	return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+ 	u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION);
+ 	else if (sm->ReAuthenticationRequest)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-	else if (sm->PTKRequest)
+-		SM_ENTER(WPA_PTK, PTKSTART);
+-	else switch (sm->wpa_ptk_state) {
++	else if (sm->PTKRequest) {
++		if (wpa_auth_sm_ptk_update(sm) < 0)
++			SM_ENTER(WPA_PTK, DISCONNECTED);
++		else
++			SM_ENTER(WPA_PTK, PTKSTART);
++	} else switch (sm->wpa_ptk_state) {
+ 	case WPA_PTK_INITIALIZE:
+ 		break;
+ 	case WPA_PTK_DISCONNECT:
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/wpa-supplicant-fix-zeroed-keys.patch b/gnu/packages/patches/wpa-supplicant-fix-zeroed-keys.patch
new file mode 100644
index 0000000000..7f437271f3
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-fix-zeroed-keys.patch
@@ -0,0 +1,86 @@
+Don't install a zeroed encryption key:
+
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+
+Patch copied from upstream:
+https://w1.fi/security/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
+
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 5 ++---
+ src/rsn_supp/wpa_i.h    | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+ 	size_t kck_len;
+ 	size_t kek_len;
+ 	size_t tk_len;
++	int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ 		os_memset(buf, 0, sizeof(buf));
+ 	}
+ 	sm->tptk_set = 1;
+-	sm->tk_to_set = 1;
+ 
+ 	kde = sm->assoc_wpa_ie;
+ 	kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 	enum wpa_alg alg;
+ 	const u8 *key_rsc;
+ 
+-	if (!sm->tk_to_set) {
++	if (sm->ptk.installed) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Do not re-install same PTK to the driver");
+ 		return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-	sm->tk_to_set = 0;
++	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+ 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+ 	struct wpa_ptk ptk, tptk;
+ 	int ptk_set, tptk_set;
+ 	unsigned int msg_3_of_4_ok:1;
+-	unsigned int tk_to_set:1;
+ 	u8 snonce[WPA_NONCE_LEN];
+ 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+ 	int renew_snonce;
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/wpa-supplicant-krack-followups.patch b/gnu/packages/patches/wpa-supplicant-krack-followups.patch
new file mode 100644
index 0000000000..00904addb1
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-krack-followups.patch
@@ -0,0 +1,275 @@
+These three patches are follow-ups to the bug fixes for the 'KRACK' key
+re-installation attacks on Wi-Fi's WPA2 security protocol. See upstream
+security announcement for more information:
+
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+
+These three patches copied from upstream:
+
+https://w1.fi/security/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
+https://w1.fi/security/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
+https://w1.fi/security/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0
+-- 
+2.7.4
+
+From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:25:02 +0300
+Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
+ request
+
+Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
+Mode Response if WNM-Sleep Mode has not been used') started ignoring the
+response when no WNM-Sleep Mode Request had been used during the
+association. This can be made tighter by clearing the used flag when
+successfully processing a response. This adds an additional layer of
+protection against unexpected retransmissions of the response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 1b3409c..67a07ff 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 
+ 	if (!wpa_s->wnmsleep_used) {
+ 		wpa_printf(MSG_DEBUG,
+-			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+ 		return;
+ 	}
+ 
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 		return;
+ 	}
+ 
++	wpa_s->wnmsleep_used = 0;
++
+ 	if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+ 	    wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+ 		wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
+-- 
+2.7.4
+
+https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
+
+Patch copied from upstream:
+
+https://w1.fi/security/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c    | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h  | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ 	wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++	sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+ 	/* Keys are not needed in the WPA state machine anymore */
+ 	wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ 	u16 capab;
+ 
+ 	sm->ft_completed = 0;
++	sm->ft_reassoc_completed = 0;
+ 
+ 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 		2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	if (sm->ft_reassoc_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++		return 0;
++	}
++
+ 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ 		return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	sm->ft_reassoc_completed = 1;
++
+ 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ 		return -1;
+ 
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ 	size_t r0kh_id_len;
+ 	u8 r1kh_id[FT_R1KH_ID_LEN];
+ 	int ft_completed;
++	int ft_reassoc_completed;
+ 	int over_the_ds_in_progress;
+ 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ 	int set_ptk_after_assoc;
+-- 
+2.7.4
+
diff --git a/gnu/packages/patchutils.scm b/gnu/packages/patchutils.scm
index f527231aa8..1e4b3fbd1c 100644
--- a/gnu/packages/patchutils.scm
+++ b/gnu/packages/patchutils.scm
@@ -171,7 +171,7 @@ refreshed, and more.")
     (inputs
      `(("perl" ,perl)
        ("xmlto" ,xmlto)))
-    (home-page "http://www.colordiff.org")
+    (home-page "https://www.colordiff.org")
     (synopsis "Display diff output with colors")
     (description
      "Colordiff is Perl script wrapper on top of diff command which provides
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 98df90e2d4..6dbba2c7ec 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -413,6 +413,41 @@ using libspectre.")
 using the DjVuLibre library.")
     (license license:zlib)))
 
+(define-public zathura-pdf-mupdf
+  (package
+    (name "zathura-pdf-mupdf")
+    (version "0.3.1")
+    (source (origin
+              (method url-fetch)
+              (uri
+               (string-append "https://pwmt.org/projects/zathura-pdf-mupdf"
+                              "/download/zathura-pdf-mupdf-" version ".tar.gz"))
+              (sha256
+               (base32
+                "06zqn8z6a0hfsx3s1kzqvqzb73afgcl6z5r062sxv7kv570fvffr"))))
+    (native-inputs `(("pkg-config" ,pkg-config)))
+    (propagated-inputs `(("girara" ,girara)))
+    (inputs
+     `(("gtk+" ,gtk+)
+       ("jbig2dec" ,jbig2dec)
+       ("libjpeg" ,libjpeg)
+       ("mupdf" ,mupdf)
+       ("openjpeg" ,openjpeg)
+       ("openssl" ,openssl)
+       ("zathura" ,zathura)))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:make-flags (list (string-append "PREFIX=" %output)
+                          (string-append "PLUGINDIR=" %output "/lib/zathura")
+                          "CC=gcc")
+       #:tests? #f ;No tests.
+       #:phases (modify-phases %standard-phases (delete 'configure))))
+    (home-page "https://pwmt.org/projects/zathura-pdf-mupdf/")
+    (synopsis "PDF support for zathura (mupdf backend)")
+    (description "The zathura-pdf-mupdf plugin adds PDF support to zathura
+by using the @code{mupdf} rendering library.")
+    (license license:zlib)))
+
 (define-public zathura-pdf-poppler
   (package
     (name "zathura-pdf-poppler")
@@ -540,7 +575,8 @@ extracting content or merging files.")
         (sha256
          (base32
           "02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510"))
-        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
+        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
+                                 "mupdf-CVE-2017-15587.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index fd183bc900..0935cb45ba 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -17,6 +17,7 @@
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,6 +41,7 @@
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
+  #:use-module (gnu packages base)
   #:use-module (gnu packages perl-web)
   #:use-module (gnu packages pkg-config))
 
@@ -9187,3 +9189,68 @@ interface to File::Find::Object.")
   (description "Test::TrailingSpace tests for trailing spaces
 in Perl source files.")
   (license x11)))
+
+(define-public perl-libtime-parsedate
+  (package
+    (name "perl-libtime-parsedate")
+    (version "2015.103")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "mirror://cpan/authors/id/M/MU/MUIR/modules/Time-ParseDate-"
+             version ".tar.gz"))
+       (sha256
+        (base32 "1lgfr87j4qwqnln0hyyzgik5ixqslzdaksn9m8y824gqbcihc6ic"))))
+    (build-system perl-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         ;; This is needed for tests
+         (add-after 'unpack 'set-TZDIR
+           (lambda* (#:key inputs #:allow-other-keys)
+             (setenv "TZDIR" (string-append (assoc-ref inputs "tzdata")
+                                            "/share/zoneinfo"))
+             #t)))))
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)
+       ("tzdata" ,tzdata-2017a)))
+    (home-page "https://metacpan.org/release/Time-ParseDate")
+    (synopsis "Collection of Perl modules for time/date manipulation")
+    (description "Provides several perl modules for date/time manipulation:
+@code{Time::CTime.pm}, @code{Time::JulianDay.pm}, @code{Time::ParseDate.pm},
+@code{Time::Timezone.pm}, and @code{Time::DaysInMonth.pm}.")
+    ;; License text:
+    ;;   "License hereby granted for anyone to use, modify or redistribute this
+    ;;   module at their own risk. Please feed useful changes back to
+    ;;   cpan@dave.sharnoff.org."
+    (license (non-copyleft "http://metadata.ftp-master.debian.org/\
+changelogs/main/libt/libtime-parsedate-perl/\
+libtime-parsedate-perl_2015.103-2_copyright"))))
+
+(define-public perl-libtime-period
+  (package
+    (name "perl-libtime-period")
+    (version "1.20")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "http://http.debian.net/debian/pool/main/libt/"
+             "libtime-period-perl/libtime-period-perl_"
+             version ".orig.tar.gz"))
+       (sha256
+        (base32 "0c0yd999h0ikj88c9j95wa087m87i0qh7vja3715y2kd7vixkci2"))))
+    (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
+    ;; Unless some other homepage is out there...
+    (home-page "https://packages.debian.org/stretch/libtime-period-perl")
+    (synopsis "Perl library for testing if a time() is in a specific period")
+    (description "This Perl library provides a function which tells whether a
+specific time falls within a specified time period.  Its syntax for specifying
+time periods allows you to test for conditions like \"Monday to Friday, 9am
+till 5pm\" and \"on the second Tuesday of the month\" and \"between 4pm and
+4:15pm\" and \"in the first half of each minute\" and \"in January of
+1998\".")
+    (license perl-license)))
diff --git a/gnu/packages/protobuf.scm b/gnu/packages/protobuf.scm
index 12f6f70521..2e681ca97d 100644
--- a/gnu/packages/protobuf.scm
+++ b/gnu/packages/protobuf.scm
@@ -2,6 +2,8 @@
 ;;; Copyright © 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Daniel Pimentel <d4n1@d4n1.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,23 +26,24 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system python)
   #:use-module ((guix licenses)
-                #:select (bsd-3))
+                #:select (bsd-2 bsd-3))
   #:use-module (gnu packages compression)
   #:use-module (gnu packages gcc)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python))
 
 (define-public protobuf
   (package
     (name "protobuf")
-    (version "2.6.1")
+    (version "3.4.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/google/protobuf/releases/"
-                                  "download/v" version "/protobuf-"
-                                  version ".tar.bz2"))
+                                  "download/v" version "/protobuf-cpp-"
+                                  version ".tar.gz"))
               (sha256
                (base32
-                "040rcs9fpv4bslhiy43v7dcrzakz4vwwpyqg4jp8bn24sl95ci7f"))))
+                "0y6cr4l7bwa6zvjv5flzr4cx28shk5h8dz99xw90v8qih954pcrb"))))
     (build-system gnu-build-system)
     (inputs `(("zlib" ,zlib)))
     (home-page "https://github.com/google/protobuf")
@@ -51,17 +54,55 @@ yet extensible format.  Google uses Protocol Buffers for almost all of its
 internal RPC protocols and file formats.")
     (license bsd-3)))
 
+;; XXX Remove this old version when no other packages depend on it.
+(define-public protobuf-2
+  (package (inherit protobuf)
+    (version "2.6.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/google/protobuf/releases/"
+                                  "download/v" version "/protobuf-"
+                                  version ".tar.bz2"))
+              (sha256
+               (base32
+                "040rcs9fpv4bslhiy43v7dcrzakz4vwwpyqg4jp8bn24sl95ci7f"))))))
+
+(define-public protobuf-c
+  (package
+    (name "protobuf-c")
+    (version "1.3.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/protobuf-c/protobuf-c/"
+                                  "releases/download/v" version
+                                  "/protobuf-c-" version ".tar.gz"))
+              (sha256
+               (base32
+                "18aj4xfv26zjmj44zbb01wk90jl7y4aj5xvbzz4gg748kdxavjax"))))
+    (build-system gnu-build-system)
+    (inputs `(("protobuf" ,protobuf)))
+    (native-inputs `(("pkg-config" ,pkg-config)))
+    (home-page "https://github.com/protobuf-c/protobuf-c")
+    (synopsis "Protocol Buffers implementation in C")
+    (description
+     "This is protobuf-c, a C implementation of the Google Protocol Buffers
+data serialization format.  It includes @code{libprotobuf-c}, a pure C library
+that implements protobuf encoding and decoding, and @code{protoc-c}, a code
+generator that converts Protocol Buffer @code{.proto} files to C descriptor
+code.")
+    (license bsd-2)))
+
 (define-public python-protobuf
   (package
     (name "python-protobuf")
-    (version "3.0.0")
+    (version "3.4.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "protobuf" version))
        (sha256
         (base32
-         "1xbgbfg4g43bihkyw1a2giqa2gxmqc5wkh0fzqcb90qi1z1hpi7c"))))
+         "0x33xz85cy5ilg1n2rn92l4qwlcw25vzysx2ldv7k625yjg600pg"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-six" ,python-six)))
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index c555d8072a..0b62c4a628 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -7550,6 +7550,48 @@ and MAC network addresses.")
 (define-public python2-netaddr
   (package-with-python2 python-netaddr))
 
+(define-public python2-neo4j-driver
+  (package
+    (name "python2-neo4j-driver")
+    ;; NOTE: When upgrading to 1.5.0, please add a python3 variant.
+    (version "1.4.0")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "neo4j-driver" version))
+              (sha256
+               (base32
+                "011r1vh182p8mm83d8dz9rfnc3l7rf7fd00cyrbyfzi71jmc4g98"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (home-page "https://neo4j.com/developer/python/")
+    (synopsis "Neo4j driver code written in Python")
+    (description "This package provides the Neo4j Python driver that connects
+to the database using Neo4j's binary protocol.  It aims to be minimal, while
+being idiomatic to Python.")
+    (license license:asl2.0)))
+
+(define-public python2-py2neo
+  (package
+    (name "python2-py2neo")
+    (version "3.1.2")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "py2neo" version))
+              (sha256
+               (base32
+                "1f1q95vqcvlc3nsc33p841swnjdcjazddlq2dzi3qfnjqjrajxw1"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (home-page "http://py2neo.org")
+    (synopsis "Library and toolkit for working with Neo4j in Python")
+    (description "This package provides a client library and toolkit for
+working with Neo4j from within Python applications and from the command
+line.  The core library has no external dependencies and has been carefully
+designed to be easy and intuitive to use.")
+    (license license:asl2.0)))
+
 (define-public python-wrapt
   (package
     (name "python-wrapt")
@@ -8578,7 +8620,7 @@ simulation, statistical modeling, machine learning and much more.")
 (define-public python-chardet
   (package
     (name "python-chardet")
-    (version "2.3.0")
+    (version "3.0.4")
     (source
      (origin
        (method url-fetch)
@@ -8588,7 +8630,11 @@ simulation, statistical modeling, machine learning and much more.")
              ".tar.gz"))
        (sha256
         (base32
-         "1ak87ikcw34fivcgiz2xvi938dmclh078az65l9x3rmgljrkhgp5"))))
+         "1bpalpia6r5x1kknbk11p1fzph56fmmnp405ds8icksd3knr5aw4"))))
+    (native-inputs
+     `(("python-hypothesis" ,python-hypothesis)
+       ("python-pytest" ,python-pytest)
+       ("python-pytest-runner" ,python-pytest-runner)))
     (build-system python-build-system)
     (home-page "https://github.com/chardet/chardet")
     (synopsis "Universal encoding detector for Python 2 and 3")
@@ -9672,13 +9718,13 @@ with a new public API, and RPython support.")
 (define-public python-hy
   (package
     (name "python-hy")
-    (version "0.11.1")
+    (version "0.13.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "hy" version))
               (sha256
                (base32
-                "1msqv747iz12r73mz4qvsmlwkddwjvrahlrk7ysrcz07h7dsscxs"))))
+                "19sfymaksx9jhksfnb15ahid46mzrhdfzz6yy2craz2qnzvpmky8"))))
     (build-system python-build-system)
     (arguments
      '(#:phases
@@ -10109,9 +10155,9 @@ seamlessly into your existing Python unit testing work flow.")
   (let ((hypothesis (package-with-python2
                      (strip-python2-variant python-hypothesis))))
     (package (inherit hypothesis)
-      (native-inputs
+      (propagated-inputs
        `(("python2-enum34" ,python2-enum34)
-         ,@(package-native-inputs hypothesis))))))
+         ,@(package-propagated-inputs hypothesis))))))
 
 (define-public python-pytest-subtesthack
   (package
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index a74ea01796..b7a615bc10 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -617,7 +617,11 @@ HostPrefix=~a
 HostData=lib/qt5
 HostBinaries=bin
 HostLibraries=lib
-" out out)))
+
+[EffectiveSourcePaths]
+HostPrefix=~a
+HostData=lib/qt5
+" out out qtbase)))
                #t)))
          (replace 'configure
            (lambda* (#:key inputs outputs #:allow-other-keys)
@@ -1443,7 +1447,7 @@ message.")))
 (define-public python-sip
   (package
     (name "python-sip")
-    (version "4.19.2")
+    (version "4.19.3")
     (source
       (origin
         (method url-fetch)
@@ -1452,7 +1456,7 @@ message.")))
                          "sip-" version "/sip-" version ".tar.gz"))
         (sha256
          (base32
-          "0cq5r21fmjyw5v7a6l4sfbaj3zgm7k5b2cryj6bnjki54nnllas3"))))
+          "0x2bghbprwl3az1ni3p87i0bq8r99694la93kg65vi0cz12gh3bl"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("python" ,python-wrapper)))
@@ -1506,7 +1510,7 @@ module provides support functions to the automatically generated code.")
 (define-public python-pyqt
   (package
     (name "python-pyqt")
-    (version "5.8.2")
+    (version "5.9")
     (source
       (origin
         (method url-fetch)
@@ -1516,7 +1520,7 @@ module provides support functions to the automatically generated code.")
                          version ".tar.gz"))
         (sha256
          (base32
-          "1s1nalcspam9dc7f63jkqn1i2sv9lrqn57p2zsc61g8bncahbmzb"))
+          "15hh4z5vd45dcswjla58q6rrfr6ic7jfz2n7c8lwfb10rycpj3mb"))
        (patches (search-patches "pyqt-configure.patch"))))
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/serialization.scm b/gnu/packages/serialization.scm
index 7d25e0d919..03365ad3fa 100644
--- a/gnu/packages/serialization.scm
+++ b/gnu/packages/serialization.scm
@@ -248,7 +248,7 @@ that implements both the msgpack and msgpack-rpc specifications.")
                     "yaml-cpp-" version ".tar.gz"))
               (sha256
                (base32
-                "1vk6pjh0f5k6jwk2sszb9z5169whmiha9ainbdpa1arxlkq7v3b6"))))
+                "1ck7jk0wjfigrf4cgcjqsir4yp1s6vamhhxhpsgfvs46pgm5pk6y"))))
     (build-system cmake-build-system)
     (arguments
      '(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 8e3c5e2b7f..7d49f90be9 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -162,6 +162,7 @@ which allows users to view a desktop computing environment.")
         ("spice-protocol" ,spice-protocol)))
     (inputs
       `(("glib-networking" ,glib-networking)
+        ("gobject-introspection" ,gobject-introspection)
         ("gtk+" ,gtk+)
         ("libepoxy" ,libepoxy)
         ("libjpeg" ,libjpeg)
@@ -182,7 +183,8 @@ which allows users to view a desktop computing environment.")
       `(#:configure-flags
         '("--enable-gstaudio"
           "--enable-gstvideo"
-          "--enable-pulse")
+          "--enable-pulse"
+          "--enable-introspection")
         #:phases
          (modify-phases %standard-phases
            (add-after
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 2b640645c4..b3ebd5abbd 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -1578,13 +1578,13 @@ and printing capabilities than traditional data frames.")
 (define-public r-dplyr
   (package
     (name "r-dplyr")
-    (version "0.7.3")
+    (version "0.7.4")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "dplyr" version))
               (sha256
                (base32
-                "0wz5vrcsxzmxpxvs1raz9kyfc7mq3591nadq4rb4hx4sc97ysrxf"))))
+                "1hm8ml7yaraag1ak6kvz2mxx6if568c759ix8a1n9d7va03wj7vv"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-assertthat" ,r-assertthat)
@@ -1730,13 +1730,13 @@ and density estimation.")
 (define-public r-chron
   (package
     (name "r-chron")
-    (version "2.3-50")
+    (version "2.3-51")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "chron" version))
               (sha256
                (base32
-                "1w3sl60gsirniqslb3pa75caiqbzbvc44phpd4czvwkb62xx1vx9"))))
+                "05aznigw9nwv3hbwjnjbvqhfjqkwsw2csgrjx8500gzr2fvla5w8"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/chron")
     (synopsis "Chronological R objects which can handle dates and times")
@@ -1748,13 +1748,13 @@ times.")
 (define-public r-data-table
   (package
     (name "r-data-table")
-    (version "1.10.4")
+    (version "1.10.4-2")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "data.table" version))
               (sha256
                (base32
-                "0ykbjr1x50ajxbri385vi3mnxj7zg1dcgh9y0snp341qmmmdypw6"))))
+                "159dgcjlrpq17iy7y3a6v2wnlrszjlz031cj4aqcl9bbfkh07mr7"))))
     (build-system r-build-system)
     (home-page "https://github.com/Rdatatable/data.table/wiki")
     (synopsis "Enhanced version of data.frame R object")
@@ -2480,15 +2480,17 @@ well as additional utilities such as panel and axis annotation functions.")
 (define-public r-rcpparmadillo
   (package
     (name "r-rcpparmadillo")
-    (version "0.7.960.1.2")
+    (version "0.8.100.1.0")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "RcppArmadillo" version))
               (sha256
                (base32
-                "0kg8vbamaz3413h283f23hzgqkmfpf6fs0vbklmpj0l3ricvp9cc"))))
+                "19sghlkslz6llcrjk5pd8c6dsb338jsi4dnwrbbrjkfq6jdr5jlp"))))
     (properties `((upstream-name . "RcppArmadillo")))
     (build-system r-build-system)
+    (native-inputs
+     `(("r-knitr" ,r-knitr)))  ; needed for vignettes
     (propagated-inputs
      `(("r-rcpp" ,r-rcpp)))
     (home-page "https://github.com/RcppCore/RcppArmadillo")
@@ -2716,7 +2718,7 @@ engine (version 3.8.8.2) is included.")
     (version "1.95-0.1.2")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.bioconductor.org/packages/"
+              (uri (string-append "https://www.bioconductor.org/packages/"
                                   "release/extra/src/"
                                   "contrib/RCurl_" version ".tar.gz"))
               (sha256
@@ -3586,14 +3588,14 @@ the 'lite' version of the more complete @code{viridis} package.")
 (define-public r-tidyselect
   (package
     (name "r-tidyselect")
-    (version "0.2.0")
+    (version "0.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "tidyselect" version))
        (sha256
         (base32
-         "1h10qc5bxk5v0zhmip3gwnzy50fs2gbdvcg2163is0k9a8rifq9r"))))
+         "1lndr0ajd3fhycmrw2fdaiyf32in5pgl5ig901q221g24n87vmnd"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-glue" ,r-glue)
@@ -3612,14 +3614,14 @@ selection.")
 (define-public r-tidyr
   (package
     (name "r-tidyr")
-    (version "0.7.1")
+    (version "0.7.2")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "tidyr" version))
        (sha256
         (base32
-         "18fii18f967xaw6swn0w744sncx37rfq6gd8d9dccrpyf8647hmr"))))
+         "1700fry2b3d3ksj7x2f09xl6agjrdnx1rqsc1r8gvzsp5cpflb06"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-dplyr" ,r-dplyr)
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index 2007a25d93..674a3507d0 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -38,6 +38,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system trivial)
+  #:use-module (guix build-system python)
   #:use-module (gnu packages)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages compression)
@@ -53,14 +54,14 @@
 (define-public dos2unix
   (package
     (name "dos2unix")
-    (version "7.3.4")
+    (version "7.4.0")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://waterlan.home.xs4all.nl/" name "/"
                            name "-" version ".tar.gz"))
        (sha256
-        (base32 "1i9hbxn0br7xa18z4bjpkdv7mrzmbfxhm44mzpd07yd2qnxsgkcc"))))
+        (base32 "12h4c61g376bhq03y5g2xszkrkrj5hwd928rly3xsp6rvfmnbixs"))))
     (build-system gnu-build-system)
     (arguments
      '(#:make-flags (list "CC=gcc"
@@ -623,3 +624,39 @@ completely with the standard @code{javax.swing.text} package.  It is fast and
 efficient, and can be used in any application that needs to edit or view
 source code.")
     (license license:bsd-3)))
+
+;; We use the sources from git instead of the tarball from pypi, because the
+;; latter does not include the Cython source file from which bycython.cpp is
+;; generated.
+(define-public python-editdistance
+  (let ((commit "3ea84a7dd3258c76aa3be851ef3d50e59c886846")
+        (revision "1"))
+    (package
+      (name "python-editdistance")
+      (version (string-append "0.3.1-" revision "." (string-take commit 7)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/aflc/editdistance.git")
+               (commit commit)))
+         (sha256
+          (base32
+           "1l43svsv12crvzphrgi6x435z6xg8m086c64armp8wzb4l8ccm7g"))))
+      (build-system python-build-system)
+      (arguments
+       `(#:phases
+         (modify-phases %standard-phases
+           (add-after 'unpack 'build-cython-code
+             (lambda _
+               (with-directory-excursion "editdistance"
+                 (delete-file "bycython.cpp")
+                 (zero? (system* "cython" "--cplus" "bycython.pyx"))))))))
+      (native-inputs
+       `(("python-cython" ,python-cython)))
+      (home-page "https://www.github.com/aflc/editdistance")
+      (synopsis "Fast implementation of the edit distance (Levenshtein distance)")
+      (description
+       "This library simply implements Levenshtein distance algorithm with C++
+and Cython.")
+      (license license:expat))))
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 38756f06c2..8038024b38 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -363,7 +363,7 @@ everything from small to very large projects with speed and efficiency.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa"))
+                "1b3figbhp5l83vd37vq6j2narrq4yl9pfw6mw0px0dzb1hz3jqka"))
               (patches (search-patches "libgit2-0.25.1-mtime-0.patch"))))
     (build-system cmake-build-system)
     (outputs '("out" "debug"))
@@ -1650,7 +1650,17 @@ unique algebra of patches called @url{http://darcs.net/Theory,Patchtheory}.
        ;; JGit must be built with a JDK supporting Java 8.
        #:jdk ,icedtea-8
        ;; Target our older default JDK.
-       #:make-flags (list "-Dtarget=1.7")))
+       #:make-flags (list "-Dtarget=1.7")
+       #:phases
+       (modify-phases %standard-phases
+         ;; The jar file generated by the default build.xml does not include
+         ;; the text properties files, so we need to add them.
+         (add-after 'build 'add-properties
+           (lambda* (#:key jar-name #:allow-other-keys)
+             (with-directory-excursion "src"
+               (zero? (apply system* "jar" "-uf"
+                             (string-append "../build/jar/" jar-name)
+                             (find-files "." "\\.properties$")))))))))
     (inputs
      `(("java-classpathx-servletapi" ,java-classpathx-servletapi)
        ("java-javaewah" ,java-javaewah)
@@ -1679,16 +1689,16 @@ network protocols, and core version control algorithms.")
                 "15gm537iivhnzlkjym4x3wn5jqdjdragsw9pdpzqqg21nrc817mm"))))
     (build-system ant-build-system)
     (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'use-latest-javaewah-API
-           (lambda _
-             (substitute* "src/org/eclipse/jgit/internal/storage/file/BitmapIndexImpl.java"
-               (("wordinbits") "WORD_IN_BITS"))
-             #t)))
+     (substitute-keyword-arguments (package-arguments java-jgit)
        ;; Build for default JDK.
-       ,@(substitute-keyword-arguments (package-arguments java-jgit)
-           ((#:jdk _) icedtea-7))))
+       ((#:jdk _) icedtea-7)
+       ((#:phases phases)
+        `(modify-phases ,phases
+           (add-after 'unpack 'use-latest-javaewah-API
+             (lambda _
+               (substitute* "src/org/eclipse/jgit/internal/storage/file/BitmapIndexImpl.java"
+                 (("wordinbits") "WORD_IN_BITS"))
+               #t))))))
     (inputs
      `(("java-javaewah" ,java-javaewah)
        ("java-jsch" ,java-jsch)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index c1856b62f3..63824f6c57 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -85,6 +85,7 @@
   #:use-module (gnu packages gtk)
   #:use-module (gnu packages image)
   #:use-module (gnu packages imagemagick)
+  #:use-module (gnu packages libreoffice)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages lua)
   #:use-module (gnu packages m4)
@@ -1115,7 +1116,7 @@ access to mpv's powerful playback capabilities.")
 (define-public youtube-dl
   (package
     (name "youtube-dl")
-    (version "2017.10.15.1")
+    (version "2017.10.20")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://yt-dl.org/downloads/"
@@ -1123,7 +1124,7 @@ access to mpv's powerful playback capabilities.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0zr9sx0nxk36si8xbvhlnazb69xzlygrhsxcyiydm0dy5y5ycsns"))))
+                "0npr8b1xg1dylz717kfllw433h1y16251npzch48lchq69bhm4iy"))))
     (build-system python-build-system)
     (arguments
      ;; The problem here is that the directory for the man page and completion
@@ -2385,3 +2386,89 @@ tables")
 generation of MPEG TS and DVB PSI tables according to standards ISO/IEC 13818s
 and ITU-T H.222.0.")
     (license license:lgpl2.1)))
+
+(define-public ffms2
+  (package
+    (name "ffms2")
+    (version "2.23")
+    (home-page "https://github.com/FFMS/ffms2/")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append home-page "archive/" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1vbkab8vrplxz5xgag8ggzkwp4f7nf285pd0l2a7zy66n6i2m6xh"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags
+       (list "--enable-avresample")))
+    (inputs
+     `(("zlib" ,zlib)))
+    (propagated-inputs
+     `(("ffmpeg" ,ffmpeg)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (synopsis "Cross-platform wrapper around ffmpeg/libav")
+    (description
+      "FFMpegSource is a wrapper library around ffmpeg/libav that allows
+programmers to access a standard API to open and decompress media files.")
+    ;; sources are distributed under a different license that the binary.
+    ;; see https://github.com/FFMS/ffms2/blob/master/COPYING
+    (license license:gpl2+))); inherits from ffmpeg
+
+(define-public aegisub
+  (package
+    (name "aegisub")
+    (version "3.2.2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                     "http://ftp.aegisub.org/pub/archives/releases/source/"
+                     name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "11b83qazc8h0iidyj1rprnnjdivj1lpphvpa08y53n42bfa36pn5"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags
+       (list "--disable-update-checker"
+             "--without-portaudio"
+             "--without-openal"
+             "--without-oss")
+       ;; tests require busted, a lua package we don't have yet
+       #:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'fix-ldflags
+           (lambda _
+             (setenv "LDFLAGS" "-pthread"))))))
+    (inputs
+     `(("boost" ,boost)
+       ("desktop-file-utils" ,desktop-file-utils)
+       ("ffms2" ,ffms2)
+       ("fftw" ,fftw)
+       ("hunspell" ,hunspell)
+       ("mesa" ,mesa)
+       ("libass" ,libass)
+       ("alsa-lib" ,alsa-lib)
+       ("pulseaudio" ,pulseaudio)
+       ("libx11" ,libx11)
+       ("freetype" ,freetype)
+       ("wxwidgets-gtk2" ,wxwidgets-gtk2)))
+    (native-inputs
+     `(("intltool" ,intltool)
+       ("pkg-config" ,pkg-config)))
+    (home-page "http://www.aegisub.org/")
+    (synopsis "Subtitle engine")
+    (description
+      "Aegisub is a tool for creating and modifying subtitles.  Aegisub makes
+it quick and easy to time subtitles to audio, and features many powerful
+tools for styling them, including a built-in real-time video preview.")
+    (license (list license:bsd-3 ; the package is licensed under the bsd-3, except
+                   license:mpl1.1 ; for vendor/universalchardet under the mpl1.1
+                   license:expat)))) ; and src/gl that is under a license similar
+   ; the the Expat license, with a rewording (Software -> Materials). (called MIT
+   ; by upstream). See https://github.com/Aegisub/Aegisub/blob/master/LICENCE
+   ; src/MatroskaParser.(c|h) is under bsd-3 with permission from the author
+
diff --git a/gnu/packages/vim.scm b/gnu/packages/vim.scm
index dffd6d96c0..560203fcaf 100644
--- a/gnu/packages/vim.scm
+++ b/gnu/packages/vim.scm
@@ -60,7 +60,7 @@
 (define-public vim
   (package
     (name "vim")
-    (version "8.0.1130")
+    (version "8.0.1207")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/vim/vim/archive/v"
@@ -68,7 +68,7 @@
              (file-name (string-append name "-" version ".tar.gz"))
              (sha256
               (base32
-               "0zqyk7086crc6q5fil38szppx9sgd14fs3wb9h4ak13jg6s2ir90"))))
+               "0zq740d0crybva00dk0rxsa9q1gafvc438syxqlmlxgnk5f0xd11"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 4e384e79ae..8fce545dbe 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017 Andy Patterson <ajpatter@uwaterloo.ca>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -85,7 +86,7 @@
      '(;; Running tests in parallel can occasionally lead to failures, like:
        ;; boot_sector_test: assertion failed (signature == SIGNATURE): (0x00000000 == 0x0000dead)
        #:parallel-tests? #f
-
+       #:configure-flags '("--enable-usb-redir" "--enable-opengl")
        #:phases
        (modify-phases %standard-phases
          (replace 'configure
@@ -143,7 +144,9 @@
        ("libaio" ,libaio)
        ("libattr" ,attr)
        ("libcap" ,libcap)           ; virtfs support requires libcap & libattr
-       ("libjpeg" ,libjpeg-8)
+       ("libdrm" ,libdrm)
+       ("libepoxy" ,libepoxy)
+       ("libjpeg" ,libjpeg-turbo)
        ("libpng" ,libpng)
        ("libusb" ,libusb)                         ;USB pass-through support
        ("mesa" ,mesa)
@@ -152,6 +155,7 @@
        ("pixman" ,pixman)
        ("sdl" ,sdl)
        ("spice" ,spice)
+       ("usbredir" ,usbredir)
        ("util-linux" ,util-linux)
        ;; ("vde2" ,vde2)
        ("virglrenderer" ,virglrenderer)
@@ -188,14 +192,15 @@ server and embedded PowerPC, and S390 guests.")
     (name "qemu-minimal")
     (synopsis "Machine emulator and virtualizer (without GUI)")
     (arguments
-     `(#:configure-flags
-       ;; Restrict to the targets supported by Guix.
-       '("--target-list=i386-softmmu,x86_64-softmmu,mips64el-softmmu,arm-softmmu,aarch64-softmmu")
-       ,@(package-arguments qemu)))
+     (substitute-keyword-arguments (package-arguments qemu)
+       ((#:configure-flags _ '(list))
+        ;; Restrict to the targets supported by Guix.
+        ''("--target-list=i386-softmmu,x86_64-softmmu,mips64el-softmmu,arm-softmmu,aarch64-softmmu"))))
 
     ;; Remove dependencies on optional libraries, notably GUI libraries.
     (inputs (fold alist-delete (package-inputs qemu)
-                  '("libusb" "mesa" "sdl" "spice" "virglrenderer")))))
+                  '("libusb" "mesa" "sdl" "spice" "virglrenderer"
+                    "usbredir" "libdrm" "libepoxy")))))
 
 (define-public libosinfo
   (package
@@ -317,6 +322,7 @@ manage system or application containers.")
               (method url-fetch)
               (uri (string-append "https://libvirt.org/sources/libvirt-"
                                   version ".tar.xz"))
+              (patches (search-patches "libvirt-CVE-2017-1000256.patch"))
               (sha256
                (base32
                 "1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))
@@ -510,6 +516,13 @@ virtualization library.")
              (substitute* "virtcli/cliconfig.py"
                (("/usr") (assoc-ref outputs "out")))
              #t))
+         (add-after 'unpack 'fix-default-uri
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; xen is not available for now - so only patch qemu
+             (substitute* "virtManager/connect.py"
+               (("/usr(/bin/qemu-system)" _ suffix)
+                (string-append (assoc-ref inputs "qemu") suffix)))
+             #t))
          (add-before 'wrap 'wrap-with-GI_TYPELIB_PATH
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((bin       (string-append (assoc-ref outputs "out") "/bin"))
@@ -540,8 +553,10 @@ virtualization library.")
        ("python2-libvirt" ,python2-libvirt)
        ("python2-requests" ,python2-requests)
        ("python2-ipaddr" ,python2-ipaddr)
+       ("python2-pycairo" ,python2-pycairo)
        ("python2-pygobject" ,python2-pygobject)
-       ("python2-libxml2" ,python2-libxml2)))
+       ("python2-libxml2" ,python2-libxml2)
+       ("spice-gtk" ,spice-gtk)))
     ;; virt-manager searches for qemu-img or kvm-img in the PATH.
     (propagated-inputs
      `(("qemu" ,qemu)))
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 41e52756e3..c7b44fafa1 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -142,14 +142,14 @@ and its related documentation.")
     (name "nginx")
     ;; Consider updating the nginx-docs package if the nginx package is
     ;; updated.
-    (version "1.12.1")
+    (version "1.12.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nginx.org/download/nginx-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1yvnmj7vlykrqdi6amkvs63lva6qkxd98sqv0a8hz8w5ci1bz4w7"))))
+                "05h4rwja7170z0l979yjghy9i9ichllwhicylzpmmyyml6fkfprh"))))
     (build-system gnu-build-system)
     (inputs `(("pcre" ,pcre)
               ("openssl" ,openssl)
@@ -3788,13 +3788,13 @@ LaTeX.")
 (define-public r-curl
   (package
     (name "r-curl")
-    (version "2.8.1")
+    (version "3.0")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "curl" version))
               (sha256
                (base32
-                "0dgfl7wn4r8inv55xnk4ybf1y2x4qmi4cbr6phr3lfi1dnjm4hsm"))))
+                "01m52jz2q38yc32xbnmpm48hck2xj9fyhxq262p04y67gjpf7y3v"))))
     (build-system r-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 7b4b306e8f..59188ac4db 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -54,14 +54,14 @@
 (define-public webkitgtk
   (package
     (name "webkitgtk")
-    (version "2.18.0")
+    (version "2.18.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.webkitgtk.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1383wlv98l8fwmhzy0fad82a44h5svm89c1kpa03wsp37mmf90xm"))))
+                "15fp7szmkpannx7avsynf0nv3y343qwq0fvq3rz2m2mw5wq7pnww"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; no tests
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index a44390200f..78d090926b 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -1073,7 +1073,7 @@ connectivity of the X server running on a particular @code{DISPLAY}.")
 (define-public rofi
   (package
     (name "rofi")
-    (version "1.4.1")
+    (version "1.4.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/DaveDavenport/rofi/"
@@ -1081,7 +1081,7 @@ connectivity of the X server running on a particular @code{DISPLAY}.")
                                   version "/rofi-" version ".tar.xz"))
               (sha256
                (base32
-                "0xnfzbwhxd2cd4lxkc24mbx3f4b1h3l1alcdbbsymi2b9fdwmywh"))))
+                "1129cbg76g56c6ckzj5y5haf92jxhx3b71cr3qmhrb0n8g4gi38s"))))
     (build-system gnu-build-system)
     (inputs
      `(("pango" ,pango)
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 47274411b5..9277f57ad4 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014 Sree Harsha Totakura <sreeharsha@totakura.in>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -139,7 +139,11 @@ compressed video format.")
        (base32
         "150047wnllz4r94whb9r73l5qf0z5z3rlhy98bawfbblmkq8mbpa"))))
     (build-system gnu-build-system)
-    (inputs `(("libogg" ,libogg)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libogg" ,libogg)
+       ("speexdsp" ,speexdsp)))
     (home-page "https://gnu.org/software/speex")
     (synopsis "Library for patent-free audio compression format")
     (description
@@ -163,6 +167,11 @@ stereo encoding, and voice activity detection.")
                (base32
                 "1wcjyrnwlkayb20zdhp48y260rfyzg925qpjpljd5x9r01h8irja"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '(,@(if (string=? "aarch64-linux"
+                                           (%current-system))
+                               '("--enable-neon=no") ; neon defaults to armv7-a
+                               '()))))
     (home-page "https://speex.org/")
     (synopsis "Speex processing library")
     (description
diff --git a/gnu/system/vm.scm b/gnu/system/vm.scm
index 273a895bef..3127b305e1 100644
--- a/gnu/system/vm.scm
+++ b/gnu/system/vm.scm
@@ -49,7 +49,7 @@
   #:use-module (gnu packages admin)
 
   #:use-module (gnu bootloader)
-  #:use-module ((gnu bootloader grub) #:select (grub-mkrescue-bootloader))
+  #:use-module (gnu bootloader grub)
   #:use-module (gnu system shadow)
   #:use-module (gnu system pam)
   #:use-module (gnu system linux-initrd)
@@ -565,6 +565,14 @@ environment with the store shared with the host.  MAPPINGS is a list of
                   user-file-systems)))
 
   (operating-system (inherit os)
+
+    ;; XXX: Until we run QEMU with UEFI support (with the OVMF firmware),
+    ;; force the traditional i386/BIOS method.
+    ;; See <https://bugs.gnu.org/28768>.
+    (bootloader (bootloader-configuration
+                  (bootloader grub-bootloader)
+                  (target "/dev/vda")))
+
     (initrd (lambda (file-systems . rest)
               (apply base-initrd file-systems
                      #:volatile-root? #t
diff --git a/guix/build-system/r.scm b/guix/build-system/r.scm
index c649036210..2c8a89f8de 100644
--- a/guix/build-system/r.scm
+++ b/guix/build-system/r.scm
@@ -50,7 +50,7 @@ available via the first URI, the second URI points to the archived version."
 (define (bioconductor-uri name version)
   "Return a URI string for the R package archive on Bioconductor for the
 release corresponding to NAME and VERSION."
-  (string-append "http://bioconductor.org/packages/release/bioc/src/contrib/"
+  (string-append "https://bioconductor.org/packages/release/bioc/src/contrib/"
                  name "_" version ".tar.gz"))
 
 (define %r-build-system-modules
diff --git a/guix/build/download-nar.scm b/guix/build/download-nar.scm
new file mode 100644
index 0000000000..13f01fb1e8
--- /dev/null
+++ b/guix/build/download-nar.scm
@@ -0,0 +1,125 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (guix build download-nar)
+  #:use-module (guix build download)
+  #:use-module (guix build utils)
+  #:use-module (guix serialization)
+  #:use-module (guix zlib)
+  #:use-module (guix progress)
+  #:use-module (web uri)
+  #:use-module (srfi srfi-11)
+  #:use-module (srfi srfi-26)
+  #:use-module (ice-9 format)
+  #:use-module (ice-9 match)
+  #:export (download-nar))
+
+;;; Commentary:
+;;;
+;;; Download a normalized archive or "nar", similar to what 'guix substitute'
+;;; does.  The intent here is to use substitute servers as content-addressed
+;;; mirrors of VCS checkouts.  This is mostly useful for users who have
+;;; disabled substitutes.
+;;;
+;;; Code:
+
+(define (urls-for-item item)
+  "Return the fallback nar URL for ITEM--e.g.,
+\"/gnu/store/cabbag3…-foo-1.2-checkout\"."
+  ;; Here we hard-code nar URLs without checking narinfos.  That's probably OK
+  ;; though.
+  ;; TODO: Use HTTPS?  The downside is the extra dependency.
+  (let ((bases '("http://mirror.hydra.gnu.org/guix"
+                 "http://berlin.guixsd.org"))
+        (item  (basename item)))
+    (append (map (cut string-append <> "/nar/gzip/" item) bases)
+            (map (cut string-append <> "/nar/" item) bases))))
+
+(define (restore-gzipped-nar port item size)
+  "Restore the gzipped nar read from PORT, of SIZE bytes (compressed), to
+ITEM."
+  ;; Since PORT is typically a non-file port (for instance because 'http-get'
+  ;; returns a delimited port), create a child process so we're back to a file
+  ;; port that can be passed to 'call-with-gzip-input-port'.
+  (match (pipe)
+    ((input . output)
+     (match (primitive-fork)
+       (0
+        (dynamic-wind
+          (const #t)
+          (lambda ()
+            (close-port output)
+            (close-port port)
+            (catch #t
+              (lambda ()
+                (call-with-gzip-input-port input
+                  (cut restore-file <> item)))
+              (lambda (key . args)
+                (print-exception (current-error-port)
+                                 (stack-ref (make-stack #t) 1)
+                                 key args)
+                (primitive-exit 1))))
+          (lambda ()
+            (primitive-exit 0))))
+       (child
+        (close-port input)
+        (dump-port* port output
+                    #:reporter (progress-reporter/file item size
+                                                       #:abbreviation
+                                                       store-path-abbreviation))
+        (close-port output)
+        (newline)
+        (match (waitpid child)
+          ((_ . status)
+           (unless (zero? status)
+             (error "nar decompression failed" status)))))))))
+
+(define (download-nar item)
+  "Download and extract the normalized archive for ITEM.  Return #t on
+success, #f otherwise."
+  ;; Let progress reports go through.
+  (setvbuf (current-error-port) _IONBF)
+  (setvbuf (current-output-port) _IONBF)
+
+  (let loop ((urls (urls-for-item item)))
+    (match urls
+      ((url rest ...)
+       (format #t "Trying content-addressed mirror at ~a...~%"
+               (uri-host (string->uri url)))
+       (let-values (((port size)
+                     (catch #t
+                       (lambda ()
+                         (http-fetch (string->uri url)))
+                       (lambda args
+                         (values #f #f)))))
+         (if (not port)
+             (loop rest)
+             (begin
+               (if size
+                   (format #t "Downloading from ~a (~,2h MiB)...~%" url
+                           (/ size (expt 2 20.)))
+                   (format #t "Downloading from ~a...~%" url))
+               (if (string-contains url "/gzip")
+                   (restore-gzipped-nar port item size)
+                   (begin
+                     ;; FIXME: Add progress report.
+                     (restore-file port item)
+                     (close-port port)))
+               #t))))
+      (()
+       #f))))
diff --git a/guix/build/download.scm b/guix/build/download.scm
index 9490f48055..61c9c6d3f1 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -1,7 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015 Steve Sprang <scs@stevesprang.com>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -27,7 +26,7 @@
   #:use-module (guix base64)
   #:use-module (guix ftp-client)
   #:use-module (guix build utils)
-  #:use-module (guix utils)
+  #:use-module (guix progress)
   #:use-module (rnrs io ports)
   #:use-module (rnrs bytevectors)
   #:use-module (srfi srfi-1)
@@ -39,14 +38,13 @@
   #:use-module (ice-9 format)
   #:export (open-socket-for-uri
             open-connection-for-uri
+            http-fetch
             %x509-certificate-directory
             close-connection
             resolve-uri-reference
             maybe-expand-mirrors
             url-fetch
             byte-count->string
-            current-terminal-columns
-            progress-reporter/file
             uri-abbreviation
             nar-uri-abbreviation
             store-path-abbreviation))
@@ -61,69 +59,6 @@
   ;; Size of the HTTP receive buffer.
   65536)
 
-(define current-terminal-columns
-  ;; Number of columns of the terminal.
-  (make-parameter 80))
-
-(define (nearest-exact-integer x)
-  "Given a real number X, return the nearest exact integer, with ties going to
-the nearest exact even integer."
-  (inexact->exact (round x)))
-
-(define (duration->seconds duration)
-  "Return the number of seconds represented by DURATION, a 'time-duration'
-object, as an inexact number."
-  (+ (time-second duration)
-     (/ (time-nanosecond duration) 1e9)))
-
-(define (seconds->string duration)
-  "Given DURATION in seconds, return a string representing it in 'mm:ss' or
-'hh:mm:ss' format, as needed."
-  (if (not (number? duration))
-      "00:00"
-      (let* ((total-seconds (nearest-exact-integer duration))
-             (extra-seconds (modulo total-seconds 3600))
-             (num-hours     (quotient total-seconds 3600))
-             (hours         (and (positive? num-hours) num-hours))
-             (mins          (quotient extra-seconds 60))
-             (secs          (modulo extra-seconds 60)))
-        (format #f "~@[~2,'0d:~]~2,'0d:~2,'0d" hours mins secs))))
-
-(define (byte-count->string size)
-  "Given SIZE in bytes, return a string representing it in a human-readable
-way."
-  (let ((KiB 1024.)
-        (MiB (expt 1024. 2))
-        (GiB (expt 1024. 3))
-        (TiB (expt 1024. 4)))
-    (cond
-     ((< size KiB) (format #f "~dB"     (nearest-exact-integer size)))
-     ((< size MiB) (format #f "~dKiB"   (nearest-exact-integer (/ size KiB))))
-     ((< size GiB) (format #f "~,1fMiB" (/ size MiB)))
-     ((< size TiB) (format #f "~,2fGiB" (/ size GiB)))
-     (else         (format #f "~,3fTiB" (/ size TiB))))))
-
-(define* (progress-bar % #:optional (bar-width 20))
-  "Return % as a string representing an ASCII-art progress bar.  The total
-width of the bar is BAR-WIDTH."
-  (let* ((fraction (/ % 100))
-         (filled   (inexact->exact (floor (* fraction bar-width))))
-         (empty    (- bar-width filled)))
-    (format #f "[~a~a]"
-            (make-string filled #\#)
-            (make-string empty #\space))))
-
-(define (string-pad-middle left right len)
-  "Combine LEFT and RIGHT with enough padding in the middle so that the
-resulting string has length at least LEN (it may overflow).  If the string
-does not overflow, the last char in RIGHT will be flush with the LEN
-column."
-  (let* ((total-used (+ (string-length left)
-                        (string-length right)))
-         (num-spaces (max 1 (- len total-used)))
-         (padding    (make-string num-spaces #\space)))
-    (string-append left padding right)))
-
 (define* (ellipsis #:optional (port (current-output-port)))
   "Make a rough guess at whether Unicode's HORIZONTAL ELLIPSIS can be written
 in PORT's encoding, and return either that or ASCII dots."
@@ -142,105 +77,6 @@ Otherwise return STORE-PATH."
                        (string-drop base 32)))
       store-path))
 
-(cond-expand
-  (guile-2.2
-   ;; Guile 2.2.2 has a bug whereby 'time-monotonic' objects have seconds and
-   ;; nanoseconds swapped (fixed in Guile commit 886ac3e).  Work around it.
-   (define time-monotonic time-tai))
-  (else #t))
-
-
-;; TODO: replace '(@ (guix build utils) dump-port))'.
-(define* (dump-port* in out
-                     #:key (buffer-size 16384)
-                     (reporter (make-progress-reporter noop noop noop)))
-  "Read as much data as possible from IN and write it to OUT, using chunks of
-BUFFER-SIZE bytes.  After each successful transfer of BUFFER-SIZE bytes or
-less, report the total number of bytes transferred to the REPORTER, which
-should be a <progress-reporter> object."
-  (define buffer
-    (make-bytevector buffer-size))
-
-  (call-with-progress-reporter reporter
-    (lambda (report)
-      (let loop ((total 0)
-                 (bytes (get-bytevector-n! in buffer 0 buffer-size)))
-        (or (eof-object? bytes)
-            (let ((total (+ total bytes)))
-              (put-bytevector out buffer 0 bytes)
-              (report total)
-              (loop total (get-bytevector-n! in buffer 0 buffer-size))))))))
-
-(define (rate-limited proc interval)
-  "Return a procedure that will forward the invocation to PROC when the time
-elapsed since the previous forwarded invocation is greater or equal to
-INTERVAL (a time-duration object), otherwise does nothing and returns #f."
-  (let ((previous-at #f))
-    (lambda args
-      (let* ((now (current-time time-monotonic))
-             (forward-invocation (lambda ()
-                                   (set! previous-at now)
-                                   (apply proc args))))
-        (if previous-at
-            (let ((elapsed (time-difference now previous-at)))
-              (if (time>=? elapsed interval)
-                  (forward-invocation)
-                  #f))
-            (forward-invocation))))))
-
-(define* (progress-reporter/file file size
-                                 #:optional (log-port (current-output-port))
-                                 #:key (abbreviation basename))
-  "Return a <progress-reporter> object to show the progress of FILE's download,
-which is SIZE bytes long.  The progress report is written to LOG-PORT, with
-ABBREVIATION used to shorten FILE for display."
-  (let ((start-time (current-time time-monotonic))
-        (transferred 0))
-    (define (render)
-      "Write the progress report to LOG-PORT."
-      (define elapsed
-        (duration->seconds
-         (time-difference (current-time time-monotonic) start-time)))
-      (if (number? size)
-          (let* ((%  (* 100.0 (/ transferred size)))
-                 (throughput (/ transferred elapsed))
-                 (left       (format #f " ~a  ~a"
-                                     (abbreviation file)
-                                     (byte-count->string size)))
-                 (right      (format #f "~a/s ~a ~a~6,1f%"
-                                     (byte-count->string throughput)
-                                     (seconds->string elapsed)
-                                     (progress-bar %) %)))
-            (display "\r\x1b[K" log-port)
-            (display (string-pad-middle left right
-                                        (current-terminal-columns))
-                     log-port)
-            (flush-output-port log-port))
-          (let* ((throughput (/ transferred elapsed))
-                 (left       (format #f " ~a"
-                                     (abbreviation file)))
-                 (right      (format #f "~a/s ~a | ~a transferred"
-                                     (byte-count->string throughput)
-                                     (seconds->string elapsed)
-                                     (byte-count->string transferred))))
-            (display "\r\x1b[K" log-port)
-            (display (string-pad-middle left right
-                                        (current-terminal-columns))
-                     log-port)
-            (flush-output-port log-port))))
-
-    (progress-reporter
-     (start render)
-     ;; Report the progress every 300ms or longer.
-     (report
-      (let ((rate-limited-render
-             (rate-limited render (make-time time-monotonic 300000000 0))))
-        (lambda (value)
-          (set! transferred value)
-          (rate-limited-render))))
-     ;; Don't miss the last report.
-     (stop render))))
-
 (define* (uri-abbreviation uri #:optional (max-length 42))
   "If URI's string representation is larger than MAX-LENGTH, return an
 abbreviation of URI showing the scheme, host, and basename of the file."
@@ -745,11 +581,11 @@ Return the resulting target URI."
                     #:query    (uri-query    ref)
                     #:fragment (uri-fragment ref)))))
 
-(define* (http-fetch uri file #:key timeout (verify-certificate? #t))
-  "Fetch data from URI and write it to FILE; when TIMEOUT is true, bail out if
-the connection could not be established in less than TIMEOUT seconds.  Return
-FILE on success.  When VERIFY-CERTIFICATE? is true, verify HTTPS
-certificates; otherwise simply ignore them."
+(define* (http-fetch uri #:key timeout (verify-certificate? #t))
+  "Return an input port containing the data at URI, and the expected number of
+bytes available or #f.  When TIMEOUT is true, bail out if the connection could
+not be established in less than TIMEOUT seconds.  When VERIFY-CERTIFICATE? is
+true, verify HTTPS certificates; otherwise simply ignore them."
 
   (define headers
     `(;; Some web sites, such as http://dist.schmorp.de, would block you if
@@ -774,28 +610,15 @@ certificates; otherwise simply ignore them."
                                           #:timeout timeout
                                           #:verify-certificate?
                                           verify-certificate?))
-                ((resp bv-or-port)
+                ((resp port)
                  (http-get uri #:port connection #:decode-body? #f
                            #:streaming? #t
                            #:headers headers))
                 ((code)
-                 (response-code resp))
-                ((size)
-                 (response-content-length resp)))
+                 (response-code resp)))
     (case code
       ((200)                                      ; OK
-       (begin
-         (call-with-output-file file
-           (lambda (p)
-             (if (port? bv-or-port)
-                 (begin
-                   (dump-port* bv-or-port p
-                               #:buffer-size %http-receive-buffer-size
-                               #:reporter (progress-reporter/file
-                                           (uri-abbreviation uri) size))
-                   (newline))
-                 (put-bytevector p bv-or-port))))
-         file))
+       (values port (response-content-length resp)))
       ((301                                       ; moved permanently
         302                                       ; found (redirection)
         303                                       ; see other
@@ -805,7 +628,7 @@ certificates; otherwise simply ignore them."
          (format #t "following redirection to `~a'...~%"
                  (uri->string uri))
          (close connection)
-         (http-fetch uri file
+         (http-fetch uri
                      #:timeout timeout
                      #:verify-certificate? verify-certificate?)))
       (else
@@ -876,10 +699,19 @@ otherwise simply ignore them."
             file (uri->string uri))
     (case (uri-scheme uri)
       ((http https)
-       (false-if-exception* (http-fetch uri file
-                                        #:verify-certificate?
-                                        verify-certificate?
-                                        #:timeout timeout)))
+       (false-if-exception*
+        (let-values (((port size)
+                      (http-fetch uri
+                                  #:verify-certificate? verify-certificate?
+                                  #:timeout timeout)))
+          (call-with-output-file file
+            (lambda (output)
+              (dump-port* port output
+                          #:buffer-size %http-receive-buffer-size
+                          #:reporter (progress-reporter/file
+                                      (uri-abbreviation uri) size))
+              (newline)))
+          #t)))
       ((ftp)
        (false-if-exception* (ftp-fetch uri file
                                        #:timeout timeout)))
diff --git a/guix/cvs-download.scm b/guix/cvs-download.scm
index 85744c5b55..8b46f8ef8c 100644
--- a/guix/cvs-download.scm
+++ b/guix/cvs-download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Sree Harsha Totakura <sreeharsha@totakura.in>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;;
@@ -23,6 +23,7 @@
   #:use-module (guix gexp)
   #:use-module (guix store)
   #:use-module (guix monads)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (ice-9 match)
   #:export (cvs-reference
@@ -59,16 +60,35 @@
   "Return a fixed-output derivation that fetches REF, a <cvs-reference>
 object.  The output is expected to have recursive hash HASH of type
 HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
+  (define zlib
+    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
+
+  (define config.scm
+    (scheme-file "config.scm"
+                 #~(begin
+                     (define-module (guix config)
+                       #:export (%libz))
+
+                     (define %libz
+                       #+(file-append zlib "/lib/libz")))))
+
+  (define modules
+    (cons `((guix config) => ,config.scm)
+          (delete '(guix config)
+                  (source-module-closure '((guix build cvs)
+                                           (guix build download-nar))))))
   (define build
-    (with-imported-modules '((guix build cvs)
-                             (guix build utils))
+    (with-imported-modules modules
       #~(begin
-          (use-modules (guix build cvs))
-          (cvs-fetch '#$(cvs-reference-root-directory ref)
-                     '#$(cvs-reference-module ref)
-                     '#$(cvs-reference-revision ref)
-                     #$output
-                     #:cvs-command (string-append #+cvs "/bin/cvs")))))
+          (use-modules (guix build cvs)
+                       (guix build download-nar))
+
+          (or (cvs-fetch '#$(cvs-reference-root-directory ref)
+                         '#$(cvs-reference-module ref)
+                         '#$(cvs-reference-revision ref)
+                         #$output
+                         #:cvs-command (string-append #+cvs "/bin/cvs"))
+              (download-nar #$output)))))
 
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "cvs-checkout") build
diff --git a/guix/git-download.scm b/guix/git-download.scm
index 7397cbe7f5..731e549b38 100644
--- a/guix/git-download.scm
+++ b/guix/git-download.scm
@@ -25,6 +25,7 @@
   #:use-module (guix monads)
   #:use-module (guix records)
   #:use-module (guix packages)
+  #:use-module (guix modules)
   #:autoload   (guix build-system gnu) (standard-packages)
   #:use-module (ice-9 match)
   #:use-module (ice-9 popen)
@@ -77,12 +78,31 @@ HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
         (standard-packages)
         '()))
 
+  (define zlib
+    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
+
+  (define config.scm
+    (scheme-file "config.scm"
+                 #~(begin
+                     (define-module (guix config)
+                       #:export (%libz))
+
+                     (define %libz
+                       #+(file-append zlib "/lib/libz")))))
+
+  (define modules
+    (cons `((guix config) => ,config.scm)
+          (delete '(guix config)
+                  (source-module-closure '((guix build git)
+                                           (guix build utils)
+                                           (guix build download-nar))))))
+
   (define build
-    (with-imported-modules '((guix build git)
-                             (guix build utils))
+    (with-imported-modules modules
       #~(begin
           (use-modules (guix build git)
                        (guix build utils)
+                       (guix build download-nar)
                        (ice-9 match))
 
           ;; The 'git submodule' commands expects Coreutils, sed,
@@ -92,12 +112,13 @@ HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
                                            (((names dirs) ...)
                                             dirs)))
 
-          (git-fetch (getenv "git url") (getenv "git commit")
-                     #$output
-                     #:recursive? (call-with-input-string
-                                      (getenv "git recursive?")
-                                    read)
-                     #:git-command (string-append #+git "/bin/git")))))
+          (or (git-fetch (getenv "git url") (getenv "git commit")
+                         #$output
+                         #:recursive? (call-with-input-string
+                                          (getenv "git recursive?")
+                                        read)
+                         #:git-command (string-append #+git "/bin/git"))
+              (download-nar #$output)))))
 
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "git-checkout") build
diff --git a/guix/hg-download.scm b/guix/hg-download.scm
index 8420980905..6b25b87b6b 100644
--- a/guix/hg-download.scm
+++ b/guix/hg-download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -22,6 +22,7 @@
   #:use-module (guix store)
   #:use-module (guix monads)
   #:use-module (guix records)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:autoload   (guix build-system gnu) (standard-packages)
   #:use-module (ice-9 match)
@@ -59,18 +60,35 @@
   "Return a fixed-output derivation that fetches REF, a <hg-reference>
 object.  The output is expected to have recursive hash HASH of type
 HASH-ALGO (a symbol).  Use NAME as the file name, or a generic name if #f."
+  (define zlib
+    (module-ref (resolve-interface '(gnu packages compression)) 'zlib))
+
+  (define config.scm
+    (scheme-file "config.scm"
+                 #~(begin
+                     (define-module (guix config)
+                       #:export (%libz))
+
+                     (define %libz
+                       #+(file-append zlib "/lib/libz")))))
+
+  (define modules
+    (cons `((guix config) => ,config.scm)
+          (delete '(guix config)
+                  (source-module-closure '((guix build hg)
+                                           (guix build download-nar))))))
+
   (define build
-    (with-imported-modules '((guix build hg)
-                             (guix build utils))
+    (with-imported-modules modules
       #~(begin
           (use-modules (guix build hg)
-                       (guix build utils)
-                       (ice-9 match))
+                       (guix build download-nar))
 
-          (hg-fetch '#$(hg-reference-url ref)
-                    '#$(hg-reference-changeset ref)
-                    #$output
-                    #:hg-command (string-append #+hg "/bin/hg")))))
+          (or (hg-fetch '#$(hg-reference-url ref)
+                        '#$(hg-reference-changeset ref)
+                        #$output
+                        #:hg-command (string-append #+hg "/bin/hg"))
+              (download-nar #$output)))))
 
   (mlet %store-monad ((guile (package->derivation guile system)))
     (gexp->derivation (or name "hg-checkout") build
diff --git a/guix/import/cran.scm b/guix/import/cran.scm
index 056a7dcc7c..9b08ebfb63 100644
--- a/guix/import/cran.scm
+++ b/guix/import/cran.scm
@@ -126,7 +126,7 @@ package definition."
      `((,type (,'quasiquote ,(format-inputs package-inputs)))))))
 
 (define %cran-url "http://cran.r-project.org/web/packages/")
-(define %bioconductor-url "http://bioconductor.org/packages/")
+(define %bioconductor-url "https://bioconductor.org/packages/")
 
 ;; The latest Bioconductor release is 3.5.  Bioconductor packages should be
 ;; updated together.
@@ -446,7 +446,7 @@ dependencies."
 (define (bioconductor-package? package)
   "Return true if PACKAGE is an R package from Bioconductor."
   (let ((predicate (lambda (uri)
-                     (and (string-prefix? "http://bioconductor.org" uri)
+                     (and (string-prefix? "https://bioconductor.org" uri)
                           ;; Data packages are neither listed in SVN nor on
                           ;; the Github mirror, so we have to exclude them
                           ;; from the set of bioconductor packages that can be
@@ -465,7 +465,7 @@ dependencies."
 (define (bioconductor-data-package? package)
   "Return true if PACKAGE is an R data package from Bioconductor."
   (let ((predicate (lambda (uri)
-                     (and (string-prefix? "http://bioconductor.org" uri)
+                     (and (string-prefix? "https://bioconductor.org" uri)
                           (string-contains uri "/data/annotation/")))))
     (and (string-prefix? "r-" (package-name package))
          (match (and=> (package-source package) origin-uri)
@@ -478,7 +478,7 @@ dependencies."
 (define (bioconductor-experiment-package? package)
   "Return true if PACKAGE is an R experiment package from Bioconductor."
   (let ((predicate (lambda (uri)
-                     (and (string-prefix? "http://bioconductor.org" uri)
+                     (and (string-prefix? "https://bioconductor.org" uri)
                           (string-contains uri "/data/experiment/")))))
     (and (string-prefix? "r-" (package-name package))
          (match (and=> (package-source package) origin-uri)
diff --git a/guix/progress.scm b/guix/progress.scm
new file mode 100644
index 0000000000..beca2c22a6
--- /dev/null
+++ b/guix/progress.scm
@@ -0,0 +1,228 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2015 Steve Sprang <scs@stevesprang.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (guix progress)
+  #:use-module (guix records)
+  #:use-module (srfi srfi-19)
+  #:use-module (rnrs io ports)
+  #:use-module (rnrs bytevectors)
+  #:use-module (ice-9 format)
+  #:use-module (ice-9 match)
+  #:export (<progress-reporter>
+            progress-reporter
+            make-progress-reporter
+            progress-reporter?
+            call-with-progress-reporter
+
+            progress-reporter/silent
+            progress-reporter/file
+
+            byte-count->string
+            current-terminal-columns
+
+            dump-port*))
+
+;;; Commentary:
+;;;
+;;; Helper to write progress report code for downloads, etc.
+;;;
+;;; Code:
+
+(define-record-type* <progress-reporter>
+  progress-reporter make-progress-reporter progress-reporter?
+  (start   progress-reporter-start)     ; thunk
+  (report  progress-reporter-report)    ; procedure
+  (stop    progress-reporter-stop))     ; thunk
+
+(define (call-with-progress-reporter reporter proc)
+  "Start REPORTER for progress reporting, and call @code{(@var{proc} report)}
+with the resulting report procedure.  When @var{proc} returns, the REPORTER is
+stopped."
+  (match reporter
+    (($ <progress-reporter> start report stop)
+     (dynamic-wind start (lambda () (proc report)) stop))))
+
+(define progress-reporter/silent
+  (make-progress-reporter noop noop noop))
+
+
+;;;
+;;; File download progress report.
+;;;
+
+(cond-expand
+  (guile-2.2
+   ;; Guile 2.2.2 has a bug whereby 'time-monotonic' objects have seconds and
+   ;; nanoseconds swapped (fixed in Guile commit 886ac3e).  Work around it.
+   (define time-monotonic time-tai))
+  (else #t))
+
+(define (nearest-exact-integer x)
+  "Given a real number X, return the nearest exact integer, with ties going to
+the nearest exact even integer."
+  (inexact->exact (round x)))
+
+(define (duration->seconds duration)
+  "Return the number of seconds represented by DURATION, a 'time-duration'
+object, as an inexact number."
+  (+ (time-second duration)
+     (/ (time-nanosecond duration) 1e9)))
+
+(define (seconds->string duration)
+  "Given DURATION in seconds, return a string representing it in 'mm:ss' or
+'hh:mm:ss' format, as needed."
+  (if (not (number? duration))
+      "00:00"
+      (let* ((total-seconds (nearest-exact-integer duration))
+             (extra-seconds (modulo total-seconds 3600))
+             (num-hours     (quotient total-seconds 3600))
+             (hours         (and (positive? num-hours) num-hours))
+             (mins          (quotient extra-seconds 60))
+             (secs          (modulo extra-seconds 60)))
+        (format #f "~@[~2,'0d:~]~2,'0d:~2,'0d" hours mins secs))))
+
+(define (byte-count->string size)
+  "Given SIZE in bytes, return a string representing it in a human-readable
+way."
+  (let ((KiB 1024.)
+        (MiB (expt 1024. 2))
+        (GiB (expt 1024. 3))
+        (TiB (expt 1024. 4)))
+    (cond
+     ((< size KiB) (format #f "~dB"     (nearest-exact-integer size)))
+     ((< size MiB) (format #f "~dKiB"   (nearest-exact-integer (/ size KiB))))
+     ((< size GiB) (format #f "~,1fMiB" (/ size MiB)))
+     ((< size TiB) (format #f "~,2fGiB" (/ size GiB)))
+     (else         (format #f "~,3fTiB" (/ size TiB))))))
+
+(define (string-pad-middle left right len)
+  "Combine LEFT and RIGHT with enough padding in the middle so that the
+resulting string has length at least LEN (it may overflow).  If the string
+does not overflow, the last char in RIGHT will be flush with the LEN
+column."
+  (let* ((total-used (+ (string-length left)
+                        (string-length right)))
+         (num-spaces (max 1 (- len total-used)))
+         (padding    (make-string num-spaces #\space)))
+    (string-append left padding right)))
+
+(define (rate-limited proc interval)
+  "Return a procedure that will forward the invocation to PROC when the time
+elapsed since the previous forwarded invocation is greater or equal to
+INTERVAL (a time-duration object), otherwise does nothing and returns #f."
+  (let ((previous-at #f))
+    (lambda args
+      (let* ((now (current-time time-monotonic))
+             (forward-invocation (lambda ()
+                                   (set! previous-at now)
+                                   (apply proc args))))
+        (if previous-at
+            (let ((elapsed (time-difference now previous-at)))
+              (if (time>=? elapsed interval)
+                  (forward-invocation)
+                  #f))
+            (forward-invocation))))))
+
+(define current-terminal-columns
+  ;; Number of columns of the terminal.
+  (make-parameter 80))
+
+(define* (progress-bar % #:optional (bar-width 20))
+  "Return % as a string representing an ASCII-art progress bar.  The total
+width of the bar is BAR-WIDTH."
+  (let* ((fraction (/ % 100))
+         (filled   (inexact->exact (floor (* fraction bar-width))))
+         (empty    (- bar-width filled)))
+    (format #f "[~a~a]"
+            (make-string filled #\#)
+            (make-string empty #\space))))
+
+(define* (progress-reporter/file file size
+                                 #:optional (log-port (current-output-port))
+                                 #:key (abbreviation basename))
+  "Return a <progress-reporter> object to show the progress of FILE's download,
+which is SIZE bytes long.  The progress report is written to LOG-PORT, with
+ABBREVIATION used to shorten FILE for display."
+  (let ((start-time (current-time time-monotonic))
+        (transferred 0))
+    (define (render)
+      "Write the progress report to LOG-PORT."
+      (define elapsed
+        (duration->seconds
+         (time-difference (current-time time-monotonic) start-time)))
+      (if (number? size)
+          (let* ((%  (* 100.0 (/ transferred size)))
+                 (throughput (/ transferred elapsed))
+                 (left       (format #f " ~a  ~a"
+                                     (abbreviation file)
+                                     (byte-count->string size)))
+                 (right      (format #f "~a/s ~a ~a~6,1f%"
+                                     (byte-count->string throughput)
+                                     (seconds->string elapsed)
+                                     (progress-bar %) %)))
+            (display "\r\x1b[K" log-port)
+            (display (string-pad-middle left right
+                                        (current-terminal-columns))
+                     log-port)
+            (force-output log-port))
+          (let* ((throughput (/ transferred elapsed))
+                 (left       (format #f " ~a"
+                                     (abbreviation file)))
+                 (right      (format #f "~a/s ~a | ~a transferred"
+                                     (byte-count->string throughput)
+                                     (seconds->string elapsed)
+                                     (byte-count->string transferred))))
+            (display "\r\x1b[K" log-port)
+            (display (string-pad-middle left right
+                                        (current-terminal-columns))
+                     log-port)
+            (force-output log-port))))
+
+    (progress-reporter
+     (start render)
+     ;; Report the progress every 300ms or longer.
+     (report
+      (let ((rate-limited-render
+             (rate-limited render (make-time time-monotonic 300000000 0))))
+        (lambda (value)
+          (set! transferred value)
+          (rate-limited-render))))
+     ;; Don't miss the last report.
+     (stop render))))
+
+;; TODO: replace '(@ (guix build utils) dump-port))'.
+(define* (dump-port* in out
+                     #:key (buffer-size 16384)
+                     (reporter progress-reporter/silent))
+  "Read as much data as possible from IN and write it to OUT, using chunks of
+BUFFER-SIZE bytes.  After each successful transfer of BUFFER-SIZE bytes or
+less, report the total number of bytes transferred to the REPORTER, which
+should be a <progress-reporter> object."
+  (define buffer
+    (make-bytevector buffer-size))
+
+  (call-with-progress-reporter reporter
+    (lambda (report)
+      (let loop ((total 0)
+                 (bytes (get-bytevector-n! in buffer 0 buffer-size)))
+        (or (eof-object? bytes)
+            (let ((total (+ total bytes)))
+              (put-bytevector out buffer 0 bytes)
+              (report total)
+              (loop total (get-bytevector-n! in buffer 0 buffer-size))))))))
diff --git a/guix/scripts/download.scm b/guix/scripts/download.scm
index 8225f82bb9..1b99bc62cf 100644
--- a/guix/scripts/download.scm
+++ b/guix/scripts/download.scm
@@ -25,7 +25,9 @@
   #:use-module (guix base32)
   #:use-module ((guix download) #:hide (url-fetch))
   #:use-module ((guix build download)
-                #:select (url-fetch current-terminal-columns))
+                #:select (url-fetch))
+  #:use-module ((guix progress)
+                #:select (current-terminal-columns))
   #:use-module ((guix build syscalls)
                 #:select (terminal-columns))
   #:use-module (web uri)
diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 921a7c6790..1fbeed71e8 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -33,13 +33,12 @@
   #:use-module (guix pki)
   #:use-module ((guix build utils) #:select (mkdir-p dump-port))
   #:use-module ((guix build download)
-                #:select (current-terminal-columns
-                          progress-reporter/file
-                          uri-abbreviation nar-uri-abbreviation
+                #:select (uri-abbreviation nar-uri-abbreviation
                           (open-connection-for-uri
                            . guix:open-connection-for-uri)
                           close-connection
                           store-path-abbreviation byte-count->string))
+  #:use-module (guix progress)
   #:use-module ((guix build syscalls)
                 #:select (set-thread-name))
   #:use-module (ice-9 rdelim)
@@ -956,19 +955,22 @@ DESTINATION as a nar file.  Verify the substitute against ACL."
                                      #:abbreviation nar-uri-abbreviation)))
                      (progress-report-port reporter raw)))
                   ((input pids)
+                   ;; NOTE: This 'progress' port of current process will be
+                   ;; closed here, while the child process doing the
+                   ;; reporting will close it upon exit.
                    (decompressed-port (and=> (narinfo-compression narinfo)
                                              string->symbol)
                                       progress)))
       ;; Unpack the Nar at INPUT into DESTINATION.
       (restore-file input destination)
       (close-port input)
-      (close-port progress)
+
+      ;; Wait for the reporter to finish.
+      (every (compose zero? cdr waitpid) pids)
 
       ;; Skip a line after what 'progress-reporter/file' printed, and another
       ;; one to visually separate substitutions.
-      (display "\n\n" (current-error-port))
-
-      (every (compose zero? cdr waitpid) pids))))
+      (display "\n\n" (current-error-port)))))
 
 
 ;;;
diff --git a/guix/utils.scm b/guix/utils.scm
index de4aa65319..eb1ec29b32 100644
--- a/guix/utils.scm
+++ b/guix/utils.scm
@@ -33,7 +33,6 @@
   #:autoload   (rnrs io ports) (make-custom-binary-input-port)
   #:use-module ((rnrs bytevectors) #:select (bytevector-u8-set!))
   #:use-module (guix memoization)
-  #:use-module (guix records)
   #:use-module ((guix build utils) #:select (dump-port mkdir-p))
   #:use-module ((guix build syscalls) #:select (mkdtemp! fdatasync))
   #:use-module (ice-9 format)
@@ -95,13 +94,7 @@
             call-with-decompressed-port
             compressed-output-port
             call-with-compressed-output-port
-            canonical-newline-port
-
-            <progress-reporter>
-            progress-reporter
-            make-progress-reporter
-            progress-reporter?
-            call-with-progress-reporter))
+            canonical-newline-port))
 
 
 ;;;
@@ -153,9 +146,11 @@ buffered data is lost."
                   (close-port in)
                   (dump-port input out))
                 (lambda ()
+                  (close-port input)
                   (false-if-exception (close out))
                   (primitive-_exit 0))))
              (child
+              (close-port input)
               (close-port out)
               (loop in (cons child pids)))))))))
 
@@ -755,25 +750,6 @@ a location object."
     (column   . ,(location-column loc))
     (filename . ,(location-file loc))))
 
-
-;;;
-;;; Progress reporter.
-;;;
-
-(define-record-type* <progress-reporter>
-  progress-reporter make-progress-reporter progress-reporter?
-  (start   progress-reporter-start)     ; thunk
-  (report  progress-reporter-report)    ; procedure
-  (stop    progress-reporter-stop))     ; thunk
-
-(define (call-with-progress-reporter reporter proc)
-  "Start REPORTER for progress reporting, and call @code{(@var{proc} report)}
-with the resulting report procedure.  When @var{proc} returns, the REPORTER is
-stopped."
-  (match reporter
-    (($ <progress-reporter> start report stop)
-     (dynamic-wind start (lambda () (proc report)) stop))))
-
 ;;; Local Variables:
 ;;; eval: (put 'call-with-progress-reporter 'scheme-indent-function 1)
 ;;; End: