summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi832
-rw-r--r--gnu/local.mk35
-rw-r--r--gnu/packages/acl.scm2
-rw-r--r--gnu/packages/admin.scm4
-rw-r--r--gnu/packages/algebra.scm4
-rw-r--r--gnu/packages/apl.scm2
-rw-r--r--gnu/packages/attr.scm2
-rw-r--r--gnu/packages/audio.scm4
-rw-r--r--gnu/packages/backup.scm43
-rw-r--r--gnu/packages/base.scm103
-rw-r--r--gnu/packages/bash.scm161
-rw-r--r--gnu/packages/cdrom.scm2
-rw-r--r--gnu/packages/cmake.scm18
-rw-r--r--gnu/packages/commencement.scm206
-rw-r--r--gnu/packages/cross-base.scm169
-rw-r--r--gnu/packages/crypto.scm2
-rw-r--r--gnu/packages/cups.scm266
-rw-r--r--gnu/packages/curl.scm22
-rw-r--r--gnu/packages/databases.scm35
-rw-r--r--gnu/packages/dav.scm8
-rw-r--r--gnu/packages/disk.scm6
-rw-r--r--gnu/packages/documentation.scm2
-rw-r--r--gnu/packages/education.scm2
-rw-r--r--gnu/packages/engineering.scm5
-rw-r--r--gnu/packages/enlightenment.scm2
-rw-r--r--gnu/packages/fcitx.scm2
-rw-r--r--gnu/packages/file.scm5
-rw-r--r--gnu/packages/flex.scm1
-rw-r--r--gnu/packages/fonts.scm5
-rw-r--r--gnu/packages/fontutils.scm14
-rw-r--r--gnu/packages/freedesktop.scm2
-rw-r--r--gnu/packages/games.scm12
-rw-r--r--gnu/packages/gawk.scm52
-rw-r--r--gnu/packages/gcc.scm26
-rw-r--r--gnu/packages/gettext.scm56
-rw-r--r--gnu/packages/ghostscript.scm65
-rw-r--r--gnu/packages/gkrellm.scm2
-rw-r--r--gnu/packages/gl.scm149
-rw-r--r--gnu/packages/glib.scm17
-rw-r--r--gnu/packages/gnome.scm177
-rw-r--r--gnu/packages/gnupg.scm55
-rw-r--r--gnu/packages/gnuzilla.scm16
-rw-r--r--gnu/packages/grub.scm2
-rw-r--r--gnu/packages/gtk.scm36
-rw-r--r--gnu/packages/guile.scm56
-rw-r--r--gnu/packages/gv.scm3
-rw-r--r--gnu/packages/ibus.scm2
-rw-r--r--gnu/packages/image.scm37
-rw-r--r--gnu/packages/irc.scm2
-rw-r--r--gnu/packages/iso-codes.scm2
-rw-r--r--gnu/packages/kde-frameworks.scm2
-rw-r--r--gnu/packages/kodi.scm2
-rw-r--r--gnu/packages/libidn.scm21
-rw-r--r--gnu/packages/linux.scm118
-rw-r--r--gnu/packages/lout.scm3
-rw-r--r--gnu/packages/make-bootstrap.scm8
-rw-r--r--gnu/packages/man.scm2
-rw-r--r--gnu/packages/maths.scm6
-rw-r--r--gnu/packages/mit-krb5.scm20
-rw-r--r--gnu/packages/mono.scm2
-rw-r--r--gnu/packages/mp3.scm2
-rw-r--r--gnu/packages/multiprecision.scm4
-rw-r--r--gnu/packages/music.scm12
-rw-r--r--gnu/packages/nano.scm2
-rw-r--r--gnu/packages/networking.scm2
-rw-r--r--gnu/packages/ocaml.scm2
-rw-r--r--gnu/packages/openldap.scm5
-rw-r--r--gnu/packages/openstack.scm1
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/patches/ath9k-htc-firmware-binutils.patch39
-rw-r--r--gnu/packages/patches/binutils-mips-bash-bug.patch22
-rw-r--r--gnu/packages/patches/cmake-fix-tests.patch83
-rw-r--r--gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch142
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283-refix.patch39
-rw-r--r--gnu/packages/patches/expat-CVE-2016-0718.patch761
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/fontconfig-CVE-2016-5384.patch170
-rw-r--r--gnu/packages/patches/gawk-fts-test.patch51
-rw-r--r--gnu/packages/patches/gcc-arm-bug-71399.patch55
-rw-r--r--gnu/packages/patches/gnupg-fix-expired-test.patch78
-rw-r--r--gnu/packages/patches/guile-relocatable.patch14
-rw-r--r--gnu/packages/patches/isl-0.11.1-aarch64-support.patch40
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7942.patch76
-rw-r--r--gnu/packages/patches/libx11-CVE-2016-7943.patch113
-rw-r--r--gnu/packages/patches/libxfixes-CVE-2016-7944.patch62
-rw-r--r--gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch420
-rw-r--r--gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch447
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7949.patch66
-rw-r--r--gnu/packages/patches/libxrender-CVE-2016-7950.patch73
-rw-r--r--gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch152
-rw-r--r--gnu/packages/patches/libxv-CVE-2016-5407.patch162
-rw-r--r--gnu/packages/patches/libxvmc-CVE-2016-7953.patch42
-rw-r--r--gnu/packages/patches/linux-pam-no-setfsuid.patch75
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2177.patch286
-rw-r--r--gnu/packages/patches/openssl-CVE-2016-2178.patch112
-rw-r--r--gnu/packages/patches/perl-CVE-2015-8607.patch68
-rw-r--r--gnu/packages/patches/perl-CVE-2016-2381.patch116
-rw-r--r--gnu/packages/patches/perl-no-build-time.patch26
-rw-r--r--gnu/packages/patches/perl-reproducible-build-date.patch50
-rw-r--r--gnu/packages/patches/perl-source-date-epoch.patch19
-rw-r--r--gnu/packages/patches/procps-non-linux.patch40
-rw-r--r--gnu/packages/patches/python-3.4-fix-tests.patch12
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch46
-rw-r--r--gnu/packages/patches/python-disable-ssl-test.patch12
-rw-r--r--gnu/packages/patches/python-fix-tests.patch15
-rw-r--r--gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch33
-rw-r--r--gnu/packages/pdf.scm53
-rw-r--r--gnu/packages/perl.scm72
-rw-r--r--gnu/packages/plotutils.scm3
-rw-r--r--gnu/packages/python.scm169
-rw-r--r--gnu/packages/readline.scm4
-rw-r--r--gnu/packages/sawfish.scm2
-rw-r--r--gnu/packages/scheme.scm2
-rw-r--r--gnu/packages/shells.scm8
-rw-r--r--gnu/packages/shishi.scm3
-rw-r--r--gnu/packages/skribilo.scm3
-rw-r--r--gnu/packages/statistics.scm8
-rw-r--r--gnu/packages/terminals.scm2
-rw-r--r--gnu/packages/texinfo.scm16
-rw-r--r--gnu/packages/tls.scm58
-rw-r--r--gnu/packages/version-control.scm6
-rw-r--r--gnu/packages/video.scm7
-rw-r--r--gnu/packages/vpn.scm2
-rw-r--r--gnu/packages/w3m.scm2
-rw-r--r--gnu/packages/webkit.scm2
-rw-r--r--gnu/packages/wicd.scm2
-rw-r--r--gnu/packages/wine.scm2
-rw-r--r--gnu/packages/xdisorg.scm10
-rw-r--r--gnu/packages/xml.scm21
-rw-r--r--gnu/packages/xorg.scm162
-rw-r--r--gnu/services/cups.scm1166
-rw-r--r--gnu/system.scm7
-rw-r--r--guix/build/gnu-build-system.scm96
-rw-r--r--guix/build/utils.scm134
-rw-r--r--guix/packages.scm7
-rw-r--r--guix/profiles.scm21
-rw-r--r--m4/guix.m43
-rw-r--r--tests/build-utils.scm88
138 files changed, 4171 insertions, 4966 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 47fc199c6c..66316ecd84 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7658,6 +7658,7 @@ declaration.
 * Log Rotation::                The rottlog service.
 * Networking Services::         Network setup, SSH daemon, etc.
 * X Window::                    Graphical display.
+* Printing Services::           Local and remote printer support.
 * Desktop Services::            D-Bus and desktop services.
 * Database Services::           SQL databases.
 * Mail Services::               IMAP, POP3, SMTP, and all that.
@@ -8702,6 +8703,837 @@ makes the good ol' XlockMore usable.
 @end deffn
 
 
+@node Printing Services
+@subsubsection Printing Services
+
+The @code{(gnu services cups)} module provides a Guix service definition
+for the CUPS printing service.  To add printer support to a GuixSD
+system, add a @code{cups-service} to the operating system definition:
+
+@deffn {Scheme Variable} cups-service-type
+The service type for the CUPS print server.  Its value should be a valid
+CUPS configuration (see below).  For example:
+@example
+(service cups-service-type (cups-configuration))
+@end example
+@end deffn
+
+The CUPS configuration controls the basic things about your CUPS
+installation: what interfaces it listens on, what to do if a print job
+fails, how much logging to do, and so on.  To actually add a printer,
+you have to visit the @url{http://localhost:631} URL, or use a tool such
+as GNOME's printer configuration services.  By default, configuring a
+CUPS service will generate a self-signed certificate if needed, for
+secure connections to the print server.
+
+One way you might want to customize CUPS is to enable or disable the web
+interface.  You can do that directly, like this:
+
+@example
+(service cups-service-type
+         (cups-configuration
+           (web-interface? #f)))
+@end example
+
+The available configuration parameters follow.  Each parameter
+definition is preceded by its type; for example, @samp{string-list foo}
+indicates that the @code{foo} parameter should be specified as a list of
+strings.  There is also a way to specify the configuration as a string,
+if you have an old @code{cupsd.conf} file that you want to port over
+from some other system; see the end for more details.
+
+@c The following documentation was initially generated by
+@c (generate-documentation) in (gnu services cups).  Manually maintained
+@c documentation is better, so we shouldn't hesitate to edit below as
+@c needed.  However if the change you want to make to this documentation
+@c can be done in an automated way, it's probably easier to change
+@c (generate-documentation) than to make it below and have to deal with
+@c the churn as CUPS updates.
+
+
+Available @code{cups-configuration} fields are:
+
+@deftypevr {@code{cups-configuration} parameter} package cups
+The CUPS package.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} package-list extensions
+Drivers and other extensions to the CUPS package.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} files-configuration files-configuration
+Configuration of where to write logs, what directories to use for print
+spools, and related privileged configuration parameters.
+
+Available @code{files-configuration} fields are:
+
+@deftypevr {@code{files-configuration} parameter} log-location access-log
+Defines the access log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be
+sent to the standard error file when the scheduler is running in the
+foreground, or to the system log daemon when run in the background.  The
+value @code{syslog} causes log entries to be sent to the system log
+daemon.  The server name may be included in filenames using the string
+@code{%s}, as in @code{/var/log/cups/%s-access_log}.
+
+Defaults to @samp{"/var/log/cups/access_log"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} file-name cache-dir
+Where CUPS should cache data.
+
+Defaults to @samp{"/var/cache/cups"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string config-file-perm
+Specifies the permissions for all configuration files that the scheduler
+writes.
+
+Note that the permissions for the printers.conf file are currently
+masked to only allow access from the scheduler user (typically root).
+This is done because printer device URIs sometimes contain sensitive
+authentication information that should not be generally known on the
+system.  There is no way to disable this security feature.
+
+Defaults to @samp{"0640"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} log-location error-log
+Defines the error log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be
+sent to the standard error file when the scheduler is running in the
+foreground, or to the system log daemon when run in the background.  The
+value @code{syslog} causes log entries to be sent to the system log
+daemon.  The server name may be included in filenames using the string
+@code{%s}, as in @code{/var/log/cups/%s-error_log}.
+
+Defaults to @samp{"/var/log/cups/error_log"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string fatal-errors
+Specifies which errors are fatal, causing the scheduler to exit.  The
+kind strings are:
+
+@table @code
+@item none
+No errors are fatal.
+
+@item all
+All of the errors below are fatal.
+
+@item browse
+Browsing initialization errors are fatal, for example failed connections
+to the DNS-SD daemon.
+
+@item config
+Configuration file syntax errors are fatal.
+
+@item listen
+Listen or Port errors are fatal, except for IPv6 failures on the
+loopback or @code{any} addresses.
+
+@item log
+Log file creation or write errors are fatal.
+
+@item permissions
+Bad startup file permissions are fatal, for example shared TLS
+certificate and key files with world-read permissions.
+@end table
+
+Defaults to @samp{"all -browse"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} boolean file-device?
+Specifies whether the file pseudo-device can be used for new printer
+queues.  The URI @uref{file:///dev/null} is always allowed.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string group
+Specifies the group name or ID that will be used when executing external
+programs.
+
+Defaults to @samp{"lp"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string log-file-perm
+Specifies the permissions for all log files that the scheduler writes.
+
+Defaults to @samp{"0644"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} log-location page-log
+Defines the page log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be
+sent to the standard error file when the scheduler is running in the
+foreground, or to the system log daemon when run in the background.  The
+value @code{syslog} causes log entries to be sent to the system log
+daemon.  The server name may be included in filenames using the string
+@code{%s}, as in @code{/var/log/cups/%s-page_log}.
+
+Defaults to @samp{"/var/log/cups/page_log"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string remote-root
+Specifies the username that is associated with unauthenticated accesses
+by clients claiming to be the root user.  The default is @code{remroot}.
+
+Defaults to @samp{"remroot"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} file-name request-root
+Specifies the directory that contains print jobs and other HTTP request
+data.
+
+Defaults to @samp{"/var/spool/cups"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} sandboxing sandboxing
+Specifies the level of security sandboxing that is applied to print
+filters, backends, and other child processes of the scheduler; either
+@code{relaxed} or @code{strict}.  This directive is currently only
+used/supported on macOS.
+
+Defaults to @samp{strict}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} file-name server-keychain
+Specifies the location of TLS certificates and private keys.  CUPS will
+look for public and private keys in this directory: a @code{.crt} files
+for PEM-encoded certificates and corresponding @code{.key} files for
+PEM-encoded private keys.
+
+Defaults to @samp{"/etc/cups/ssl"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} file-name server-root
+Specifies the directory containing the server configuration files.
+
+Defaults to @samp{"/etc/cups"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} boolean sync-on-close?
+Specifies whether the scheduler calls fsync(2) after writing
+configuration or state files.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} space-separated-string-list system-group
+Specifies the group(s) to use for @code{@@SYSTEM} group authentication.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} file-name temp-dir
+Specifies the directory where temporary files are stored.
+
+Defaults to @samp{"/var/spool/cups/tmp"}.
+@end deftypevr
+
+@deftypevr {@code{files-configuration} parameter} string user
+Specifies the user name or ID that is used when running external
+programs.
+
+Defaults to @samp{"lp"}.
+@end deftypevr
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} access-log-level access-log-level
+Specifies the logging level for the AccessLog file.  The @code{config}
+level logs when printers and classes are added, deleted, or modified and
+when configuration files are accessed or updated.  The @code{actions}
+level logs when print jobs are submitted, held, released, modified, or
+canceled, and any of the conditions for @code{config}.  The @code{all}
+level logs all requests.
+
+Defaults to @samp{actions}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean auto-purge-jobs?
+Specifies whether to purge job history data automatically when it is no
+longer required for quotas.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} browse-local-protocols browse-local-protocols
+Specifies which protocols to use for local printer sharing.
+
+Defaults to @samp{dnssd}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean browse-web-if?
+Specifies whether the CUPS web interface is advertised.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean browsing?
+Specifies whether shared printers are advertised.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string classification
+Specifies the security classification of the server.  Any valid banner
+name can be used, including "classified", "confidential", "secret",
+"topsecret", and "unclassified", or the banner can be omitted to disable
+secure printing functions.
+
+Defaults to @samp{""}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean classify-override?
+Specifies whether users may override the classification (cover page) of
+individual print jobs using the @code{job-sheets} option.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} default-auth-type default-auth-type
+Specifies the default type of authentication to use.
+
+Defaults to @samp{Basic}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} default-encryption default-encryption
+Specifies whether encryption will be used for authenticated requests.
+
+Defaults to @samp{Required}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string default-language
+Specifies the default language to use for text and web content.
+
+Defaults to @samp{"en"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string default-paper-size
+Specifies the default paper size for new print queues.  @samp{"Auto"}
+uses a locale-specific default, while @samp{"None"} specifies there is
+no default paper size.  Specific size names are typically
+@samp{"Letter"} or @samp{"A4"}.
+
+Defaults to @samp{"Auto"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string default-policy
+Specifies the default access policy to use.
+
+Defaults to @samp{"default"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean default-shared?
+Specifies whether local printers are shared by default.
+
+Defaults to @samp{#t}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer dirty-clean-interval
+Specifies the delay for updating of configuration and state files, in
+seconds.  A value of 0 causes the update to happen as soon as possible,
+typically within a few milliseconds.
+
+Defaults to @samp{30}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} error-policy error-policy
+Specifies what to do when an error occurs.  Possible values are
+@code{abort-job}, which will discard the failed print job;
+@code{retry-job}, which will retry the job at a later time;
+@code{retry-this-job}, which retries the failed job immediately; and
+@code{stop-printer}, which stops the printer.
+
+Defaults to @samp{stop-printer}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-limit
+Specifies the maximum cost of filters that are run concurrently, which
+can be used to minimize disk, memory, and CPU resource problems.  A
+limit of 0 disables filter limiting.  An average print to a
+non-PostScript printer needs a filter limit of about 200.  A PostScript
+printer needs about half that (100).  Setting the limit below these
+thresholds will effectively limit the scheduler to printing a single job
+at any time.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer filter-nice
+Specifies the scheduling priority of filters that are run to print a
+job.  The nice value ranges from 0, the highest priority, to 19, the
+lowest priority.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} host-name-lookups host-name-lookups
+Specifies whether to do reverse lookups on connecting clients.  The
+@code{double} setting causes @code{cupsd} to verify that the hostname
+resolved from the address matches one of the addresses returned for that
+hostname.  Double lookups also prevent clients with unregistered
+addresses from connecting to your server.  Only set this option to
+@code{#t} or @code{double} if absolutely required.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer job-kill-delay
+Specifies the number of seconds to wait before killing the filters and
+backend associated with a canceled or held job.
+
+Defaults to @samp{30}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-interval
+Specifies the interval between retries of jobs in seconds.  This is
+typically used for fax queues but can also be used with normal print
+queues whose error policy is @code{retry-job} or
+@code{retry-current-job}.
+
+Defaults to @samp{30}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer job-retry-limit
+Specifies the number of retries that are done for jobs.  This is
+typically used for fax queues but can also be used with normal print
+queues whose error policy is @code{retry-job} or
+@code{retry-current-job}.
+
+Defaults to @samp{5}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean keep-alive?
+Specifies whether to support HTTP keep-alive connections.
+
+Defaults to @samp{#t}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer keep-alive-timeout
+Specifies how long an idle client connection remains open, in seconds.
+
+Defaults to @samp{30}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer limit-request-body
+Specifies the maximum size of print files, IPP requests, and HTML form
+data.  A limit of 0 disables the limit check.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} multiline-string-list listen
+Listens on the specified interfaces for connections.  Valid values are
+of the form @var{address}:@var{port}, where @var{address} is either an
+IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to
+indicate all addresses.  Values can also be file names of local UNIX
+domain sockets.  The Listen directive is similar to the Port directive
+but allows you to restrict access to specific interfaces or networks.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer listen-back-log
+Specifies the number of pending connections that will be allowed.  This
+normally only affects very busy servers that have reached the MaxClients
+limit, but can also be triggered by large numbers of simultaneous
+connections.  When the limit is reached, the operating system will
+refuse additional connections until the scheduler can accept the pending
+ones.
+
+Defaults to @samp{128}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} location-access-control-list location-access-controls
+Specifies a set of additional access controls.
+
+Available @code{location-access-controls} fields are:
+
+@deftypevr {@code{location-access-controls} parameter} file-name path
+Specifies the URI path to which the access control applies.
+@end deftypevr
+
+@deftypevr {@code{location-access-controls} parameter} access-control-list access-controls
+Access controls for all access to this path, in the same format as the
+@code{access-controls} of @code{operation-access-control}.
+
+Defaults to @samp{()}.
+@end deftypevr
+
+@deftypevr {@code{location-access-controls} parameter} method-access-control-list method-access-controls
+Access controls for method-specific access to this path.
+
+Defaults to @samp{()}.
+
+Available @code{method-access-controls} fields are:
+
+@deftypevr {@code{method-access-controls} parameter} boolean reverse?
+If @code{#t}, apply access controls to all methods except the listed
+methods.  Otherwise apply to only the listed methods.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{method-access-controls} parameter} method-list methods
+Methods to which this access control applies.
+
+Defaults to @samp{()}.
+@end deftypevr
+
+@deftypevr {@code{method-access-controls} parameter} access-control-list access-controls
+Access control directives, as a list of strings.  Each string should be
+one directive, such as "Order allow,deny".
+
+Defaults to @samp{()}.
+@end deftypevr
+@end deftypevr
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer log-debug-history
+Specifies the number of debugging messages that are retained for logging
+if an error occurs in a print job.  Debug messages are logged regardless
+of the LogLevel setting.
+
+Defaults to @samp{100}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} log-level log-level
+Specifies the level of logging for the ErrorLog file.  The value
+@code{none} stops all logging while @code{debug2} logs everything.
+
+Defaults to @samp{info}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} log-time-format log-time-format
+Specifies the format of the date and time in the log files.  The value
+@code{standard} logs whole seconds while @code{usecs} logs microseconds.
+
+Defaults to @samp{standard}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients
+Specifies the maximum number of simultaneous clients that are allowed by
+the scheduler.
+
+Defaults to @samp{100}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-clients-per-host
+Specifies the maximum number of simultaneous clients that are allowed
+from a single address.
+
+Defaults to @samp{100}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-copies
+Specifies the maximum number of copies that a user can print of each
+job.
+
+Defaults to @samp{9999}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-hold-time
+Specifies the maximum time a job may remain in the @code{indefinite}
+hold state before it is canceled.  A value of 0 disables cancellation of
+held jobs.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs
+Specifies the maximum number of simultaneous jobs that are allowed.  Set
+to 0 to allow an unlimited number of jobs.
+
+Defaults to @samp{500}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-printer
+Specifies the maximum number of simultaneous jobs that are allowed per
+printer.  A value of 0 allows up to MaxJobs jobs per printer.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-jobs-per-user
+Specifies the maximum number of simultaneous jobs that are allowed per
+user.  A value of 0 allows up to MaxJobs jobs per user.
+
+Defaults to @samp{0}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-job-time
+Specifies the maximum time a job may take to print before it is
+canceled, in seconds.  Set to 0 to disable cancellation of "stuck" jobs.
+
+Defaults to @samp{10800}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer max-log-size
+Specifies the maximum size of the log files before they are rotated, in
+bytes.  The value 0 disables log rotation.
+
+Defaults to @samp{1048576}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer multiple-operation-timeout
+Specifies the maximum amount of time to allow between files in a
+multiple file print job, in seconds.
+
+Defaults to @samp{300}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string page-log-format
+Specifies the format of PageLog lines.  Sequences beginning with percent
+(@samp{%}) characters are replaced with the corresponding information,
+while all other characters are copied literally.  The following percent
+sequences are recognized:
+
+@table @samp
+@item %%
+insert a single percent character
+
+@item %@{name@}
+insert the value of the specified IPP attribute
+
+@item %C
+insert the number of copies for the current page
+
+@item %P
+insert the current page number
+
+@item %T
+insert the current date and time in common log format
+
+@item %j
+insert the job ID
+
+@item %p
+insert the printer name
+
+@item %u
+insert the username
+@end table
+
+A value of the empty string disables page logging.  The string @code{%p
+%u %j %T %P %C %@{job-billing@} %@{job-originating-host-name@}
+%@{job-name@} %@{media@} %@{sides@}} creates a page log with the
+standard items.
+
+Defaults to @samp{""}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} environment-variables environment-variables
+Passes the specified environment variable(s) to child processes; a list
+of strings.
+
+Defaults to @samp{()}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} policy-configuration-list policies
+Specifies named access control policies.
+
+Available @code{policy-configuration} fields are:
+
+@deftypevr {@code{policy-configuration} parameter} string name
+Name of the policy.
+@end deftypevr
+
+@deftypevr {@code{policy-configuration} parameter} string job-private-access
+Specifies an access list for a job's private values.  @code{@@ACL} maps
+to the printer's requesting-user-name-allowed or
+requesting-user-name-denied values.  @code{@@OWNER} maps to the job's
+owner.  @code{@@SYSTEM} maps to the groups listed for the
+@code{system-group} field of the @code{files-config} configuration,
+which is reified into the @code{cups-files.conf(5)} file.  Other
+possible elements of the access list include specific user names, and
+@code{@@@var{group}} to indicate members of a specific group.  The
+access list may also be simply @code{all} or @code{default}.
+
+Defaults to @samp{"@@OWNER @@SYSTEM"}.
+@end deftypevr
+
+@deftypevr {@code{policy-configuration} parameter} string job-private-values
+Specifies the list of job values to make private, or @code{all},
+@code{default}, or @code{none}.
+
+Defaults to @samp{"job-name job-originating-host-name
+job-originating-user-name phone"}.
+@end deftypevr
+
+@deftypevr {@code{policy-configuration} parameter} string subscription-private-access
+Specifies an access list for a subscription's private values.
+@code{@@ACL} maps to the printer's requesting-user-name-allowed or
+requesting-user-name-denied values.  @code{@@OWNER} maps to the job's
+owner.  @code{@@SYSTEM} maps to the groups listed for the
+@code{system-group} field of the @code{files-config} configuration,
+which is reified into the @code{cups-files.conf(5)} file.  Other
+possible elements of the access list include specific user names, and
+@code{@@@var{group}} to indicate members of a specific group.  The
+access list may also be simply @code{all} or @code{default}.
+
+Defaults to @samp{"@@OWNER @@SYSTEM"}.
+@end deftypevr
+
+@deftypevr {@code{policy-configuration} parameter} string subscription-private-values
+Specifies the list of job values to make private, or @code{all},
+@code{default}, or @code{none}.
+
+Defaults to @samp{"notify-events notify-pull-method notify-recipient-uri
+notify-subscriber-user-name notify-user-data"}.
+@end deftypevr
+
+@deftypevr {@code{policy-configuration} parameter} operation-access-control-list access-controls
+Access control by IPP operation.
+
+Defaults to @samp{()}.
+@end deftypevr
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-files
+Specifies whether job files (documents) are preserved after a job is
+printed.  If a numeric value is specified, job files are preserved for
+the indicated number of seconds after printing.  Otherwise a boolean
+value applies indefinitely.
+
+Defaults to @samp{86400}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean-or-non-negative-integer preserve-job-history
+Specifies whether the job history is preserved after a job is printed.
+If a numeric value is specified, the job history is preserved for the
+indicated number of seconds after printing.  If @code{#t}, the job
+history is preserved until the MaxJobs limit is reached.
+
+Defaults to @samp{#t}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer reload-timeout
+Specifies the amount of time to wait for job completion before
+restarting the scheduler.
+
+Defaults to @samp{30}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string rip-cache
+Specifies the maximum amount of memory to use when converting documents
+into bitmaps for a printer.
+
+Defaults to @samp{"128m"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string server-admin
+Specifies the email address of the server administrator.
+
+Defaults to @samp{"root@@localhost.localdomain"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} host-name-list-or-* server-alias
+The ServerAlias directive is used for HTTP Host header validation when
+clients connect to the scheduler from external interfaces.  Using the
+special name @code{*} can expose your system to known browser-based DNS
+rebinding attacks, even when accessing sites through a firewall.  If the
+auto-discovery of alternate names does not work, we recommend listing
+each alternate name with a ServerAlias directive instead of using
+@code{*}.
+
+Defaults to @samp{*}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string server-name
+Specifies the fully-qualified host name of the server.
+
+Defaults to @samp{"localhost"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} server-tokens server-tokens
+Specifies what information is included in the Server header of HTTP
+responses.  @code{None} disables the Server header.  @code{ProductOnly}
+reports @code{CUPS}.  @code{Major} reports @code{CUPS 2}.  @code{Minor}
+reports @code{CUPS 2.0}.  @code{Minimal} reports @code{CUPS 2.0.0}.
+@code{OS} reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is
+the output of the @code{uname} command.  @code{Full} reports @code{CUPS
+2.0.0 (@var{uname}) IPP/2.0}.
+
+Defaults to @samp{Minimal}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} string set-env
+Set the specified environment variable to be passed to child processes.
+
+Defaults to @samp{"variable value"}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} multiline-string-list ssl-listen
+Listens on the specified interfaces for encrypted connections.  Valid
+values are of the form @var{address}:@var{port}, where @var{address} is
+either an IPv6 address enclosed in brackets, an IPv4 address, or
+@code{*} to indicate all addresses.
+
+Defaults to @samp{()}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} ssl-options ssl-options
+Sets encryption options.  By default, CUPS only supports encryption
+using TLS v1.0 or higher using known secure cipher suites.  The
+@code{AllowRC4} option enables the 128-bit RC4 cipher suites, which are
+required for some older clients that do not implement newer ones.  The
+@code{AllowSSL3} option enables SSL v3.0, which is required for some
+older clients that do not support TLS v1.0.
+
+Defaults to @samp{()}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean strict-conformance?
+Specifies whether the scheduler requires clients to strictly adhere to
+the IPP specifications.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} non-negative-integer timeout
+Specifies the HTTP request timeout, in seconds.
+
+Defaults to @samp{300}.
+
+@end deftypevr
+
+@deftypevr {@code{cups-configuration} parameter} boolean web-interface?
+Specifies whether the web interface is enabled.
+
+Defaults to @samp{#f}.
+@end deftypevr
+
+At this point you're probably thinking ``oh dear, Guix manual, I like
+you but you can stop already with the configuration options''.  Indeed.
+However, one more point: it could be that you have an existing
+@code{cupsd.conf} that you want to use.  In that case, you can pass an
+@code{opaque-cups-configuration} as the configuration of a
+@code{cups-service-type}.
+
+Available @code{opaque-cups-configuration} fields are:
+
+@deftypevr {@code{opaque-cups-configuration} parameter} package cups
+The CUPS package.
+@end deftypevr
+
+@deftypevr {@code{opaque-cups-configuration} parameter} string cupsd.conf
+The contents of the @code{cupsd.conf}, as a string.
+@end deftypevr
+
+@deftypevr {@code{opaque-cups-configuration} parameter} string cups-files.conf
+The contents of the @code{cups-files.conf} file, as a string.
+@end deftypevr
+
+For example, if your @code{cupsd.conf} and @code{cups-files.conf} are in
+strings of the same name, you could instantiate a CUPS service like
+this:
+
+@example
+(service cups-service-type
+         (opaque-cups-configuration
+           (cupsd.conf cupsd.conf)
+           (cups-files.conf cups-files.conf)))
+@end example
+
+
 @node Desktop Services
 @subsubsection Desktop Services
 
diff --git a/gnu/local.mk b/gnu/local.mk
index c80b213078..1c91e79fea 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -5,6 +5,7 @@
 # Copyright © 2013, 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 # Copyright © 2016 Chris Marusich <cmmarusich@gmail.com>
 # Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+# Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
 #
 # This file is part of GNU Guix.
@@ -391,6 +392,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services/admin.scm			\
   %D%/services/avahi.scm			\
   %D%/services/base.scm				\
+  %D%/services/cups.scm				\
   %D%/services/databases.scm			\
   %D%/services/dbus.scm				\
   %D%/services/desktop.scm			\
@@ -471,6 +473,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/bigloo-gc-shebangs.patch			\
   %D%/packages/patches/binutils-ld-new-dtags.patch		\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
+  %D%/packages/patches/binutils-mips-bash-bug.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
@@ -510,9 +513,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/emacs-source-date-epoch.patch		\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
-  %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch	\
-  %D%/packages/patches/expat-CVE-2015-1283-refix.patch		\
-  %D%/packages/patches/expat-CVE-2016-0718.patch		\
   %D%/packages/patches/expat-CVE-2016-0718-fix-regression.patch	\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
   %D%/packages/patches/fastcap-mulSetup.patch			\
@@ -523,15 +523,15 @@ dist_patch_DATA =						\
   %D%/packages/patches/fasthenry-spFactor.patch			\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/findutils-test-xargs.patch		\
+  %D%/packages/patches/flex-CVE-2016-6354.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
-  %D%/packages/patches/fontconfig-CVE-2016-5384.patch		\
   %D%/packages/patches/fontforge-svg-modtime.patch		\
   %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
-  %D%/packages/patches/gawk-fts-test.patch			\
   %D%/packages/patches/gawk-shell.patch				\
+  %D%/packages/patches/gcc-arm-bug-71399.patch			\
   %D%/packages/patches/gcc-arm-link-spec-fix.patch		\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
@@ -562,7 +562,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gmp-faulty-test.patch			\
   %D%/packages/patches/gnome-tweak-tool-search-paths.patch	\
   %D%/packages/patches/gnucash-price-quotes-perl.patch		\
-  %D%/packages/patches/gnupg-fix-expired-test.patch		\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
@@ -604,6 +603,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/id3lib-CVE-2007-4460.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
   %D%/packages/patches/inkscape-drop-wait-for-targets.patch	\
+  %D%/packages/patches/isl-0.11.1-aarch64-support.patch	\
   %D%/packages/patches/jansson-CVE-2016-4425.patch		\
   %D%/packages/patches/jasper-CVE-2007-2721.patch		\
   %D%/packages/patches/jasper-CVE-2008-3520.patch		\
@@ -675,17 +675,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
-  %D%/packages/patches/libx11-CVE-2016-7942.patch		\
-  %D%/packages/patches/libx11-CVE-2016-7943.patch		\
-  %D%/packages/patches/libxfixes-CVE-2016-7944.patch		\
-  %D%/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch	\
-  %D%/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch	\
-  %D%/packages/patches/libxrender-CVE-2016-7949.patch		\
-  %D%/packages/patches/libxrender-CVE-2016-7950.patch		\
-  %D%/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch	\
-  %D%/packages/patches/libxv-CVE-2016-5407.patch		\
-  %D%/packages/patches/libxvmc-CVE-2016-7953.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
+  %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-for-extempore.patch			\
   %D%/packages/patches/lm-sensors-hwmon-attrs.patch		\
@@ -742,8 +733,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/openssl-runpath.patch			\
   %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
-  %D%/packages/patches/openssl-CVE-2016-2177.patch		\
-  %D%/packages/patches/openssl-CVE-2016-2178.patch		\
   %D%/packages/patches/orpheus-cast-errors-and-includes.patch	\
   %D%/packages/patches/ots-no-include-missing-file.patch	\
   %D%/packages/patches/p7zip-remove-unused-code.patch		\
@@ -753,8 +742,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/pcre-CVE-2016-3191.patch			\
   %D%/packages/patches/pcre2-CVE-2016-3191.patch		\
-  %D%/packages/patches/perl-CVE-2015-8607.patch			\
-  %D%/packages/patches/perl-CVE-2016-2381.patch			\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -763,10 +750,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/perl-net-amazon-s3-moose-warning.patch	\
   %D%/packages/patches/perl-net-ssleay-disable-ede-test.patch	\
   %D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch	\
-  %D%/packages/patches/perl-no-build-time.patch			\
   %D%/packages/patches/perl-no-sys-dirs.patch			\
   %D%/packages/patches/perl-module-pluggable-search.patch	\
-  %D%/packages/patches/perl-source-date-epoch.patch		\
+  %D%/packages/patches/perl-reproducible-build-date.patch	\
   %D%/packages/patches/pidgin-add-search-path.patch		\
   %D%/packages/patches/pinball-const-fix.patch			\
   %D%/packages/patches/pinball-cstddef.patch			\
@@ -782,7 +768,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/portmidi-modular-build.patch		\
   %D%/packages/patches/procmail-ambiguous-getline-debian.patch  \
   %D%/packages/patches/procmail-CVE-2014-3618.patch		\
-  %D%/packages/patches/procps-non-linux.patch			\
   %D%/packages/patches/pt-scotch-build-parallelism.patch	\
   %D%/packages/patches/pulseaudio-fix-mult-test.patch		\
   %D%/packages/patches/pulseaudio-longer-test-timeout.patch	\
@@ -796,8 +781,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-2.7-source-date-epoch.patch	\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
+  %D%/packages/patches/python-3.4-fix-tests.patch		\
+  %D%/packages/patches/python-3.5-fix-tests.patch		\
   %D%/packages/patches/python-dendropy-exclude-failing-tests.patch \
-  %D%/packages/patches/python-disable-ssl-test.patch		\
   %D%/packages/patches/python-django-fix-testcase.patch		\
   %D%/packages/patches/python-fix-tests.patch			\
   %D%/packages/patches/python-ipython-inputhook-ctype.patch	\
@@ -847,6 +833,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
+  %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch		\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
   %D%/packages/patches/texi2html-document-encoding.patch	\
diff --git a/gnu/packages/acl.scm b/gnu/packages/acl.scm
index 415fae496b..ae6764993b 100644
--- a/gnu/packages/acl.scm
+++ b/gnu/packages/acl.scm
@@ -59,7 +59,7 @@
           %standard-phases))))
     (inputs `(("attr" ,attr)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("perl" ,perl)))
     (home-page "http://savannah.nongnu.org/projects/acl")
     (synopsis
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index d9b08efc4c..9724c9b652 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -178,7 +178,7 @@ interface and is based on GNU Guile.")
         "0zk1ppx93ijimf4sbgqilxxikpsa2gmpbynknyh41xy7jbdjxp0b"))))
    (build-system cmake-build-system)
    (arguments '(#:tests? #f)) ; There are no tests.
-   (native-inputs `(("gettext" ,gnu-gettext)))
+   (native-inputs `(("gettext" ,gettext-minimal)))
    (home-page "http://projects.gw-computing.net/projects/dfc")
    (synopsis "Display file system space usage using graphs and colors")
    (description
@@ -1761,7 +1761,7 @@ highly portable.  Great for heterogenous networks.")
          (delete 'configure)))) ; no configure script
     (inputs
      `(("gtk+" ,gtk+)
-       ("gnu-gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("libnotify" ,libnotify)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 9e19d5552f..32f23597ae 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -534,14 +534,14 @@ a C program.")
 (define-public fftw
   (package
     (name "fftw")
-    (version "3.3.4")
+    (version "3.3.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.fftw.org/pub/fftw/fftw-"
                                  version".tar.gz"))
              (sha256
               (base32
-               "10h9mzjxnwlsjziah4lri85scc05rlajz39nqf3mbh4vja8dw34g"))))
+               "1kwbx92ps0r7s2mqy7lxbxanslxdzj7dp7r7gmdkzv1j8yqf3kwf"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-shared" "--enable-openmp")
diff --git a/gnu/packages/apl.scm b/gnu/packages/apl.scm
index 5b55c9cef3..1c7d42b713 100644
--- a/gnu/packages/apl.scm
+++ b/gnu/packages/apl.scm
@@ -41,7 +41,7 @@
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org/software/apl/")
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("lapack" ,lapack)
        ("sqlite" ,sqlite)
        ("readline" ,readline)))
diff --git a/gnu/packages/attr.scm b/gnu/packages/attr.scm
index 53766af06f..907a568bdd 100644
--- a/gnu/packages/attr.scm
+++ b/gnu/packages/attr.scm
@@ -69,7 +69,7 @@
          '()
          `(("perl" ,perl))))
     (native-inputs
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
 
     (home-page "http://savannah.nongnu.org/projects/attr/")
     (synopsis "Library and tools for manipulating extended attributes")
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index d2203229af..811da498cc 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -397,7 +397,7 @@ envelope follower, distortion effects, tape effects and more.")
        ("liblo" ,liblo)
        ("ladspa" ,ladspa)
        ("jack" ,jack-1)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (native-inputs
      `(("bison" ,bison)
        ("flex" ,flex)
@@ -948,7 +948,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
      `(("gperf" ,gperf)
        ("faust" ,faust)
        ("intltool" ,intltool)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (native-search-paths
      (list (search-path-specification
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 797c06e149..ffd7ef4c3e 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -172,13 +172,17 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (replacement libarchive/fixed)
     (version "3.2.1")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
+       (patches (search-patches
+                  "libarchive-7zip-heap-overflow.patch"
+                  "libarchive-fix-symlink-check.patch"
+                  "libarchive-fix-filesystem-attacks.patch"
+                  "libarchive-safe_fprintf-buffer-overflow.patch"))
        (sha256
         (base32
          "1lngng84k1kkljl74q0cdqc3s82vn2kimfm02dgm4d6m7x71mvkj"))))
@@ -228,17 +232,6 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
-(define libarchive/fixed
-  (package
-    (inherit libarchive)
-    (source (origin
-              (inherit (package-source libarchive))
-              (patches (search-patches
-                         "libarchive-7zip-heap-overflow.patch"
-                         "libarchive-fix-symlink-check.patch"
-                         "libarchive-fix-filesystem-attacks.patch"
-                         "libarchive-safe_fprintf-buffer-overflow.patch"))))))
-
 (define-public rdup
   (package
     (name "rdup")
@@ -435,7 +428,27 @@ detection, and lossless compression.")
                (setenv "BORG_OPENSSL_PREFIX" openssl)
                (setenv "BORG_LZ4_PREFIX" lz4)
                (setenv "PYTHON_EGG_CACHE" "/tmp")
+               ;; The test 'test_return_codes[python]' fails when
+               ;; HOME=/homeless-shelter.
+               (setenv "HOME" "/tmp")
                #t)))
+         ;; The tests need to be run after Borg is installed.
+         (delete 'check)
+         (add-after 'install 'check
+           (lambda _
+             (zero?
+               (system* "py.test" "-v" "--pyargs" "borg.testsuite" "-k"
+                        (string-append
+                          ;; These tests need to write to '/var'.
+                          "not test_get_cache_dir "
+                          "and not test_get_keys_dir "
+                          ;; These tests assume there is a root user in
+                          ;; '/etc/passwd'.
+                          "and not test_access_acl "
+                          "and not test_default_acl "
+                          "and not test_non_ascii_acl "
+                          ;; This test needs the unpackaged pytest-benchmark.
+                          "and not benchmark")))))
          (add-after 'install 'install-doc
            (lambda* (#:key outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
@@ -449,6 +462,7 @@ detection, and lossless compression.")
     (native-inputs
      `(("python-cython" ,python-cython)
        ("python-setuptools-scm" ,python-setuptools-scm)
+       ("python-pytest" ,python-pytest)
        ;; For generating the documentation.
        ("python-sphinx" ,python-sphinx)
        ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)))
@@ -482,7 +496,10 @@ to not fully trusted targets.  Borg is a fork of Attic.")
                 "0b5skd36r4c0915lwpkqg5hxm49gls9pprs1b7hc40910wlcsl36"))))
     (build-system python-build-system)
     (arguments
-     `(#:phases
+     `(;; The tests assume they are run as root:
+       ;; https://github.com/jborg/attic/issues/7
+       #:tests? #f
+       #:phases
        (modify-phases %standard-phases
          (add-before
           'build 'set-openssl-prefix
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index a476837102..5aea2cee0e 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -88,6 +88,20 @@ command-line arguments, multiple languages, and so on.")
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
+   (arguments
+    `(#:phases
+      (modify-phases %standard-phases
+        (add-after 'install 'fix-egrep-and-fgrep
+          ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
+          ;; absolute file name instead of searching for it in $PATH.
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let* ((out (assoc-ref outputs "out"))
+                   (bin (string-append out "/bin")))
+              (substitute* (list (string-append bin "/egrep")
+                                 (string-append bin "/fgrep"))
+                (("^exec grep")
+                 (string-append "exec " bin "/grep")))
+              #t))))))
    (synopsis "Print lines matching a pattern")
    (description
      "grep is a tool for finding text inside files.  Text is found by
@@ -205,14 +219,14 @@ differences.")
 (define-public diffutils
   (package
    (name "diffutils")
-   (version "3.3")
+   (version "3.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/diffutils/diffutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1761vymxbp4wb5rzjvabhdkskk95pghnn67464byvzb5mfl8jpm2"))))
+              "0csmqfz8ks23kdjsq0v2ll1acqiz8lva06dj19mwmymrsp69ilys"))))
    (build-system gnu-build-system)
    (synopsis "Comparing and merging files")
    (description
@@ -325,30 +339,30 @@ functionality beyond that which is outlined in the POSIX standard.")
 (define-public gnu-make
   (package
    (name "make")
-   (version "4.2")
+   (version "4.2.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/make/make-" version
                                 ".tar.bz2"))
             (sha256
              (base32
-              "0pv5rvz5pp4njxiz3syf786d2xp4j7gzddwjvgw5zmz55yvf6p2f"))
+              "12f5zzyq2w56g95nni65hc0g5p7154033y2f3qmjvd016szn5qnn"))
             (patches (search-patches "make-impure-dirs.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))  ; to detect Guile
    (inputs `(("guile" ,guile-2.0)))
    (outputs '("out" "debug"))
    (arguments
-    '(#:phases (alist-cons-before
-                'build 'set-default-shell
-                (lambda* (#:key inputs #:allow-other-keys)
-                  ;; Change the default shell from /bin/sh.
-                  (let ((bash (assoc-ref inputs "bash")))
-                    (substitute* "job.c"
-                      (("default_shell =.*$")
-                       (format #f "default_shell = \"~a/bin/bash\";\n"
-                               bash)))))
-                %standard-phases)))
+    '(#:phases
+      (modify-phases %standard-phases
+        (add-before 'build 'set-default-shell
+          (lambda* (#:key inputs #:allow-other-keys)
+            ;; Change the default shell from /bin/sh.
+            (let ((bash (assoc-ref inputs "bash")))
+              (substitute* "job.c"
+                (("default_shell =.*$")
+                 (format #f "default_shell = \"~a/bin/bash\";\n"
+                         bash)))))))))
    (synopsis "Remake files automatically")
    (description
     "Make is a program that is used to control the production of
@@ -363,16 +377,17 @@ change.  GNU make offers many powerful extensions over the standard utility.")
 (define-public binutils
   (package
    (name "binutils")
-   (version "2.25.1")
+   (version "2.27")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/binutils/binutils-"
                                 version ".tar.bz2"))
             (sha256
              (base32
-              "08lzmhidzc16af1zbx34f8cy4z7mzrswpdbhrb8shy3xxpflmcdm"))
+              "125clslv17xh1sab74343fg6v31msavpmaa1c1394zsqa773g5rn"))
             (patches (search-patches "binutils-ld-new-dtags.patch"
-                                     "binutils-loongson-workaround.patch"))))
+                                     "binutils-loongson-workaround.patch"
+                                     "binutils-mips-bash-bug.patch"))))
    (build-system gnu-build-system)
 
    ;; TODO: Add dependency on zlib + those for Gold.
@@ -476,14 +491,14 @@ store.")
 (define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.23")
+   (version "2.24")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
+              "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -511,7 +526,7 @@ store.")
       #:parallel-build? #f
 
       ;; The libraries have an empty RUNPATH, but some, such as the versioned
-      ;; libraries (libdl-2.23.so, etc.) have ld.so marked as NEEDED.  Since
+      ;; libraries (libdl-2.24.so, etc.) have ld.so marked as NEEDED.  Since
       ;; these libraries are always going to be found anyway, just skip
       ;; RUNPATH checks.
       #:validate-runpath? #f
@@ -527,7 +542,7 @@ store.")
             ;; Set the default locale path.  In practice, $LOCPATH may be
             ;; defined to point whatever locales users want.  However, setuid
             ;; binaries don't honor $LOCPATH, so they'll instead look into
-            ;; $libc_cv_localedir; we choose /run/current-system/locale/X.Y,
+            ;; $libc_cv_complocaledir; we choose /run/current-system/locale/X.Y,
             ;; with the idea that it is going to be populated by the sysadmin.
             ;; The "X.Y" sub-directory is because locale data formats are
             ;; incompatible across libc versions; see
@@ -535,8 +550,7 @@ store.")
             ;;
             ;; `--localedir' is not honored, so work around it.
             ;; See <http://sourceware.org/ml/libc-alpha/2013-03/msg00093.html>.
-            ;; FIXME: This hack no longer works on 2.23!
-            (string-append "libc_cv_localedir=/run/current-system/locale/"
+            (string-append "libc_cv_complocaledir=/run/current-system/locale/"
                            ,version)
 
             (string-append "--with-headers="
@@ -629,7 +643,7 @@ store.")
    ;; install the message catalogs, with 'msgfmt'.
    (native-inputs `(("texinfo" ,texinfo)
                     ("perl" ,perl)
-                    ("gettext" ,gnu-gettext)))
+                    ("gettext" ,gettext-minimal)))
 
    (native-search-paths
     ;; Search path for packages that provide locale data.  This is useful
@@ -905,7 +919,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2015g")
+    (version "2016g")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -913,7 +927,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0qb1awqrn3215zd2jikpqnmkzrxwfjf0d3dw2xmnk4c40yzws8xr"))))
+               "1lgbh49bsbysibzr7imjsh1xa7pqmimphxvvwh6kncj7pjr3fw9w"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -936,23 +950,24 @@ command.")
                   (guix build gnu-build-system)
                   (srfi srfi-1))
        #:phases
-       (alist-replace
-        'unpack
-        (lambda* (#:key source inputs #:allow-other-keys)
-          (and (zero? (system* "tar" "xvf" source))
-               (zero? (system* "tar" "xvf" (assoc-ref inputs "tzcode")))))
-        (alist-cons-after
-         'install 'post-install
-         (lambda* (#:key outputs #:allow-other-keys)
-           ;; Move data in the right place.
-           (let ((out (assoc-ref outputs "out")))
-             (copy-recursively (string-append out "/share/zoneinfo-posix")
-                               (string-append out "/share/zoneinfo/posix"))
-             (copy-recursively (string-append out "/share/zoneinfo-leaps")
-                               (string-append out "/share/zoneinfo/right"))
-             (delete-file-recursively (string-append out "/share/zoneinfo-posix"))
-             (delete-file-recursively (string-append out "/share/zoneinfo-leaps"))))
-         (alist-delete 'configure %standard-phases)))))
+       (modify-phases %standard-phases
+         (replace 'unpack
+           (lambda* (#:key source inputs #:allow-other-keys)
+             (and (zero? (system* "tar" "xvf" source))
+                  (zero? (system* "tar" "xvf" (assoc-ref inputs "tzcode"))))))
+         (add-after 'install 'post-install
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Move data in the right place.
+             (let ((out (assoc-ref outputs "out")))
+               (symlink (string-append out "/share/zoneinfo")
+                        (string-append out "/share/zoneinfo/posix"))
+               (delete-file-recursively
+                (string-append out "/share/zoneinfo-posix"))
+               (copy-recursively (string-append out "/share/zoneinfo-leaps")
+                                 (string-append out "/share/zoneinfo/right"))
+               (delete-file-recursively
+                (string-append out "/share/zoneinfo-leaps")))))
+         (delete 'configure))))
     (inputs `(("tzcode" ,(origin
                           (method url-fetch)
                           (uri (string-append
@@ -960,7 +975,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "1i3y1kzjiz2j62c7vd4wf85983sqk9x9lg3473njvbdz4kph5r0q"))))))
+                            "0azsz436vd65bkdkdmjgsh7zhh0whnqqfliva45191krmm3hpy8z"))))))
     (home-page "http://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index f3d851717f..d328d711d1 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;;
@@ -51,52 +51,10 @@
   (list (bash-patch seqno (base32 hash))
         ...))
 
-(define %patch-series-4.3
-  ;; This is the current patches series for 4.3, generated using
+(define %patch-series-4.4
+  ;; This is the current patches series for 4.4, generated using
   ;; 'download-patches' below.
-  (patch-series
-   (1 "0hip2n2s5hws8p4nfcz37379zn6cak83ljsm64z52rw6ckrdzczc")
-   (2 "0ashj5d1g3zbyr7zf0r72s5wnk96cz1xj919y3jajadbc9qcvrzf")
-   (3 "0z88q4daq7dmw93iqd9c5i5d1sndklih3nrh0v75746da2n6w3h0")
-   (4 "0f0kh9j5k4ym6knshscx31przm50x5cc7ifkwqk0swh6clna982y")
-   (5 "1ym3b8b7lgmdp3dklp8qaqhyq965wd5392namq8mz7rb0d231j0s")
-   (6 "04q20igq49py49ynb0f83f6f52cdkyqwd9bpic6akr0m5pkqwr50")
-   (7 "18zkz23d9myshrwfcwcdjk7qmkqp8az5n91ni9jaixlwqlhy64qi")
-   (8 "0pprcwvh7ngdli0x95pc1cpssg4qg7layi9xrv2jq6c7965ajhcr")
-   (9 "19a0pf0alp30d1bjj0zf3zq2f5n0s6y91w7brm9jyswl51kns8n0")
-   (10 "1dzhr5ammyijisz48cqi5vaw26hfr5vh9smnqxq4qc9p06f7j1ff")
-   (11 "0fvzdzzi142a8rf3v965r6gbpn0k7fv2gif1yq8a4160vcn40qvw")
-   (12 "04lcgfcyz7p3zagb4hkia3hkpd7lii9m8ycy9qqwzyrm1c1pj4ry")
-   (13 "0y9cqi378z6flapkd5k5lfl4lq3ivzg4njj3i3wmw7xb6r9wma5z")
-   (14 "04xcb0k9fxxq4vashgzb98567xzdnm4655nlm4jvfvjv6si6ykas")
-   (15 "13ay6lldy1p00xj41nfjpq8lai3vw2qwca79gx6s80z04j53wa8k")
-   (16 "0wq7bvx3pfw90pnfb86yg5nr9jgjsvm2nq5rrkqxf6zn977hpmlj")
-   (17 "103p7sibihv6cshqj12k546zsbz0dnd5cv5vlx1719avddfc4rqj")
-   (18 "0n1x3812y1brb9xbabaj3fvr4cpvm2225iwckmqk2fcpkq5b9a3s")
-   (19 "08rd1p7zpzgbpmmmnj2im8wj2pcwmbbx51psr9vdc5c049si9ad7")
-   (20 "163c6g05qpag2plx5q795pmw3f3m904jy7z93xj2i08pgzc8cpna")
-   (21 "1a90cl3h10dh8k9f2ddrsjmw5ywaw2d5x78xb4fd2sryi039yhs1")
-   (22 "120s0s4qcqd0q12j1iv0hkpf9fp3w5jnqw646kv66n66jnxlfkgx")
-   (23 "1m00sfi88p2akgiyrg4hw0gvz3s1586pkzjdr3dm73vs773m1hls")
-   (24 "0v0gjqzjsqjfgj5x17fq7g649k94jn8zq92qsxkhc2d6l215hl1v")
-   (25 "0lcj96i659q35f1jcmwwbnw3p7w7vvlxjxqi989vn6d6qksqcl8y") ;CVE-2014-6271
-   (26 "0k919ir0inwn4wai2vdzpbwqq5h54fnrlkmgccxjg91v3ch15k1f") ;CVE-2014-7169
-   (27 "1gnsfvq6bhb3srlbh0cannj2hackdsipcg7z0ds7zlk1hp96mdqy")
-   (28 "17a65c4fn4c5rgsiw9gqqnzhznh3gwnd2xzzv2dppyi48znxpc78") ;CVE-2014-7186
-   (29 "14k27p28r5l2fz3r03kd0x72vvsq8bja8c6hjz5kxikbzsbs7i2c") ;CVE-2014-6277
-   (30 "0nrqb0m7s89qsrbfaffpilc5gcf82bx9yvgzld4hr79p5y54yhw5") ;CVE-2014-6278
-   (31 "07d62bl3z7qa8v6kgk47vzzazw563mlk9zhrsr4xsbqgvmcrylnd")
-   (32 "0jjgapfq4qhmndfrw8c3q3lva8xjdhlbd9cc631v41b0kb95g4w8")
-   (33 "05ma5rlxiadnfh925p4y7s0vvk917kmsdb1mfdx05gizl63pfapv")
-   (34 "12gq9whkq3naa3iy7c7x5pfpvrg7d0kwqld8609zxphhy424ysgi")
-   (35 "1qy1jflmbazjykq766gwabkaiswnx7pwa66whqiny0w02zjqa39p")
-   (36 "0z6jbyy70lfdm6d3x0sbazbqdxb3xnpn9bmz7madpvrnbd284pxc")
-   (37 "04sqr8zkl6s5fccfvb775ppn3ldij5imria9swc39aq0fkfp1w9k")
-   (38 "0rv3g14mpgv8br267bf7rmgqlgwnc4v6g3g8y0sjba571i8amgmd")
-   (39 "1v3l3vkc3g2b6fjycqwlakr8xhiw6bmw6q0zd6bi0m0m4bnxr55b")
-   (40 "0sypv66vsldmc95gwvf7ylz1k7y37vnvdsjg8ajjr6b2j9mkkfw4")
-   (41 "06ic2gdpbi1afik3wqf9d4vh95if4bz8bmhcgr555621dsb35i2f")
-   (42 "06a90k0p6bqc4wk2dsmapna69124an76xvlnlj3xm497vci968dc")))
+  (patch-series))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
@@ -134,34 +92,7 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
                " -Wl,-rpath -Wl,"
                (assoc-ref %build-inputs "ncurses")
                "/lib")))
-         (post-install-phase
-          '(lambda* (#:key outputs #:allow-other-keys)
-             ;; Add a `bash' -> `sh' link.
-             (let ((out (assoc-ref outputs "out")))
-               (with-directory-excursion (string-append out "/bin")
-                 (symlink "bash" "sh")))))
-         (install-headers-phase
-          '(lambda* (#:key outputs #:allow-other-keys)
-             ;; Install Bash headers so that packages that provide extensions
-             ;; can use them.  We install them in include/bash; that's what
-             ;; Debian does and what Bash extensions like recutils or
-             ;; guile-bash expect.
-             (let ((include (string-append (assoc-ref outputs "include")
-                                            "/include/bash"))
-                   (includes "^\\./include/[^/]+\\.h$")
-                   (headers "^\\./(builtins/|lib/glob/|lib/tilde/|)[^/]+\\.h$"))
-               (mkdir-p include)
-               (for-each (lambda (file)
-                           (when (string-match includes file)
-                             (install-file file include))
-                           (when (string-match headers file)
-                             (install-file file
-                                           (string-append include "/"
-                                                          (dirname file)))))
-                         (find-files "." "\\.h$"))
-               (delete-file (string-append include "/" "y.tab.h"))
-               #t)))
-         (version "4.3"))
+         (version "4.4"))
     (package
      (name "bash")
      (source (origin
@@ -170,22 +101,16 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
                     "mirror://gnu/bash/bash-" version ".tar.gz"))
               (sha256
                (base32
-                "1m14s1f61mf6bijfibcjm9y6pkyvz6gibyl8p4hxq90fisi8gimg"))
+                "1jyz6snd63xjn6skk7za6psgidsd53k05cr3lksqybi0q6936syq"))
               (patch-flags '("-p0"))
-              (patches %patch-series-4.3)
-
-              ;; The patches above modify 'parse.y', so force a rebuild of the
-              ;; parser.
-              (snippet '(for-each delete-file
-                                  '("y.tab.c" "y.tab.h" "parser-built")))))
+              (patches %patch-series-4.4)))
      (version (string-append version "."
-                             (number->string (length %patch-series-4.3))))
+                             (number->string (length %patch-series-4.4))))
      (build-system gnu-build-system)
 
      (outputs '("out"
                 "doc"                         ;1.7 MiB of HTML and extra files
                 "include"))                   ;headers used by extensions
-     (native-inputs `(("bison" ,bison)))      ;to rebuild the parser
      (inputs `(("readline" ,readline)
                ("ncurses" ,ncurses)))             ;TODO: add texinfo
      (arguments
@@ -206,14 +131,41 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
         ;; for now.
         #:tests? #f
 
-        #:modules ((ice-9 regex)
+        #:modules ((srfi srfi-26)
                    (guix build utils)
                    (guix build gnu-build-system))
 
-        #:phases (modify-phases %standard-phases
-                   (add-after 'install 'post-install ,post-install-phase)
-                   (add-after 'install 'install-headers
-                     ,install-headers-phase))))
+        #:phases
+        (modify-phases %standard-phases
+          (add-after 'install 'install-sh-symlink
+            (lambda* (#:key outputs #:allow-other-keys)
+              ;; Add a `sh' -> `bash' link.
+              (let ((out (assoc-ref outputs "out")))
+                (with-directory-excursion (string-append out "/bin")
+                  (symlink "bash" "sh")))))
+
+          (add-after 'install 'move-development-files
+            (lambda* (#:key outputs #:allow-other-keys)
+              ;; Move 'Makefile.inc' and 'bash.pc' to "include" to avoid
+              ;; circular references among the outputs.
+              (let ((out     (assoc-ref outputs "out"))
+                    (include (assoc-ref outputs "include"))
+                    (lib     (cut string-append <> "/lib/bash")))
+                (mkdir-p (lib include))
+                (rename-file (string-append (lib out)
+                                            "/Makefile.inc")
+                             (string-append (lib include)
+                                            "/Makefile.inc"))
+                (rename-file (string-append out "/lib/pkgconfig")
+                             (string-append include
+                                            "/lib/pkgconfig"))
+                #t))))))
+
+     (native-search-paths
+      (list (search-path-specification            ;new in 4.4
+             (variable "BASH_LOADABLES_PATH")
+             (files '("lib/bash")))))
+
      (synopsis "The GNU Bourne-Again SHell")
      (description
       "Bash is the shell, or command-line interpreter, of the GNU system.  It
@@ -230,6 +182,10 @@ without modification.")
   (package (inherit bash)
     (name "bash-minimal")
     (inputs '())                                ; no readline, no curses
+
+    ;; No "include" output because there's no support for loadable modules.
+    (outputs (delete "include" (package-outputs bash)))
+
     (arguments
      (let ((args `(#:modules ((guix build gnu-build-system)
                               (guix build utils)
@@ -246,9 +202,17 @@ without modification.")
                  "--disable-net-redirections"
                  "--disable-nls"
 
+                 ;; Pretend 'dlopen' is missing so we don't build loadable
+                 ;; modules and related code.
+                 "ac_cv_func_dlopen=no"
+
                  ,@(if (%current-target-system)
                        '("bash_cv_job_control_missing=no")
-                       '()))))))))
+                       '())))
+         ((#:phases phases)
+          `(modify-phases ,phases
+             ;; No loadable modules.
+             (delete 'move-development-files))))))))
 
 (define-public static-bash
   ;; Statically-linked Bash that contains nothing but the 'bash' binary and
@@ -261,16 +225,15 @@ without modification.")
        (substitute-keyword-arguments
            `(#:allowed-references ("out") ,@(package-arguments bash))
          ((#:phases phases)
-          `(alist-cons-after
-            'strip 'remove-everything-but-the-binary
-            (lambda* (#:key outputs #:allow-other-keys)
-              (let* ((out (assoc-ref outputs "out"))
-                     (bin (string-append out "/bin")))
-                (remove-store-references (string-append bin "/bash"))
-                (delete-file (string-append bin "/bashbug"))
-                (delete-file-recursively (string-append out "/share"))
-                #t))
-            ,phases)))))))
+          `(modify-phases ,phases
+             (add-after 'strip 'remove-everything-but-the-binary
+               (lambda* (#:key outputs #:allow-other-keys)
+                 (let* ((out (assoc-ref outputs "out"))
+                        (bin (string-append out "/bin")))
+                   (remove-store-references (string-append bin "/bash"))
+                   (delete-file (string-append bin "/bashbug"))
+                   (delete-file-recursively (string-append out "/share"))
+                   #t))))))))))
 
 (define-public bash-completion
   (package
diff --git a/gnu/packages/cdrom.scm b/gnu/packages/cdrom.scm
index 39c7b52426..1524ef530b 100644
--- a/gnu/packages/cdrom.scm
+++ b/gnu/packages/cdrom.scm
@@ -205,7 +205,7 @@ reconstruction capability.")
     (inputs
      `(("gtk+" ,gtk+-2)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)
        ("which" ,which)))
     (arguments
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index ac88e59ec1..cd82978de2 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -32,12 +32,13 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages file)
+  #:use-module (gnu packages ncurses)
   #:use-module (gnu packages xml))
 
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.5.2")
+    (version "3.6.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.cmake.org/files/v"
@@ -45,7 +46,7 @@
                                  "/cmake-" version ".tar.gz"))
              (sha256
               (base32
-               "0ap6nlmv6nda942db43k9k9mhnm5dm3fsapzvy0vh6wq7l6l3n4j"))
+               "04ggm9c0zklxypm6df1v4klrrd85m6vpv13kasj42za283n9ivi8"))
              (patches (search-patches "cmake-fix-tests.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -97,27 +98,20 @@
                        "--mandir=share/man"
                        ,(string-append
                          "--docdir=share/doc/cmake-"
-                         (version-major+minor version)))))))
-         (add-after 'unpack 'remove-libarchive-version-test
-           ; This test check has been failing consistantly over libarchive 3.2.x
-           ; and cmake 3.4.x and 3.5.x so we disable it for now
-           (lambda _
-               (substitute*
-               "Tests/CMakeOnly/AllFindModules/CMakeLists.txt"
-               (("LibArchive") ""))
-               #t)))))
+                         (version-major+minor version))))))))))
     (inputs
      `(("file"       ,file)
        ("curl"       ,curl)
        ("zlib"       ,zlib)
        ("expat"      ,expat)
        ("bzip2"      ,bzip2)
+       ("ncurses"    ,ncurses) ; required for ccmake
        ("libarchive" ,libarchive)))
     (native-search-paths
      (list (search-path-specification
              (variable "CMAKE_PREFIX_PATH")
              (files '("")))))
-    (home-page "http://www.cmake.org/")
+    (home-page "https://www.cmake.org/")
     (synopsis "Cross-platform build system")
     (description
      "CMake is a family of tools designed to build, test and package software.
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index cce831bfb6..53ba7189b4 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -27,15 +27,18 @@
   #:use-module (gnu packages bash)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages indent)
   #:use-module (gnu packages file)
   #:use-module (gnu packages gawk)
   #:use-module (gnu packages bison)
+  #:use-module (gnu packages flex)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages multiprecision)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages hurd)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages pkg-config)
   #:use-module (guix packages)
@@ -46,7 +49,8 @@
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 vlist)
-  #:use-module (ice-9 match))
+  #:use-module (ice-9 match)
+  #:use-module (ice-9 regex))
 
 ;;; Commentary:
 ;;;
@@ -71,17 +75,15 @@
         #:tests? #f                  ; cannot run "make check"
         ,@(substitute-keyword-arguments (package-arguments gnu-make)
             ((#:phases phases)
-             `(alist-replace
-               'build (lambda _
-                        (zero? (system* "./build.sh")))
-               (alist-replace
-                'install (lambda* (#:key outputs #:allow-other-keys)
-                           (let* ((out (assoc-ref outputs "out"))
-                                  (bin (string-append out "/bin")))
-                             (mkdir-p bin)
-                             (copy-file "make"
-                                        (string-append bin "/make"))))
-                ,phases))))))
+             `(modify-phases ,phases
+                (replace 'build
+                  (lambda _
+                    (zero? (system* "./build.sh"))))
+                (replace 'install
+                  (lambda* (#:key outputs #:allow-other-keys)
+                    (let* ((out (assoc-ref outputs "out"))
+                           (bin (string-append out "/bin")))
+                      (install-file "make" bin)))))))))
      (native-inputs '())                          ; no need for 'pkg-config'
      (inputs %bootstrap-inputs))))
 
@@ -282,13 +284,55 @@
                            (lambda _
                              (substitute* "Configure"
                                (("^libswanted=(.*)pthread" _ before)
-                                (string-append "libswanted=" before)))))))))))))
+                                (string-append "libswanted=" before)))))))
+                     ;; Do not configure with '-Dusethreads' since pthread
+                     ;; support is missing.
+                     ((#:configure-flags configure-flags)
+                      `(delete "-Dusethreads" ,configure-flags))))))))
     (package-with-bootstrap-guile
      (package-with-explicit-inputs perl
                                    %boot0-inputs
                                    (current-source-location)
                                    #:guile %bootstrap-guile))))
 
+(define bison-boot0
+  ;; This Bison is needed to build MiG so we need it early in the process.
+  ;; It is also needed to rebuild Bash's parser, which is modified by
+  ;; its CVE patches.  Remove it when it's no longer needed.
+  (let* ((m4    (package-with-bootstrap-guile
+                 (package-with-explicit-inputs m4 %boot0-inputs
+                                               (current-source-location)
+                                               #:guile %bootstrap-guile)))
+         (bison (package (inherit bison)
+                  (propagated-inputs `(("m4" ,m4)))
+                  (inputs '())                    ;remove Flex...
+                  (arguments
+                   '(#:tests? #f                  ;... and thus disable tests
+
+                     ;; Zero timestamps in liby.a; this must be done
+                     ;; explicitly here because the bootstrap Binutils don't
+                     ;; do that (default is "cru".)
+                     #:make-flags '("ARFLAGS=crD" "RANLIB=ranlib -D"
+                                    "V=1"))))))
+    (package
+      (inherit (package-with-bootstrap-guile
+                (package-with-explicit-inputs bison %boot0-inputs
+                                              (current-source-location)
+                                              #:guile %bootstrap-guile)))
+      (native-inputs `(("perl" ,perl-boot0))))))
+
+(define flex-boot0
+  ;; This Flex is needed to build MiG.
+  (let* ((flex (package (inherit flex)
+                 (native-inputs `(("bison" ,bison-boot0)))
+                 (propagated-inputs `(("m4" ,m4)))
+                 (inputs `(("indent" ,indent)))
+                 (arguments '(#:tests? #f)))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs flex %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
+
 (define (linux-libre-headers-boot0)
   "Return Linux-Libre header files for the bootstrap environment."
   ;; Note: this is wrapped in a thunk to nicely handle circular dependencies
@@ -302,6 +346,63 @@
       `(("perl" ,perl-boot0)
         ,@%boot0-inputs)))))
 
+(define gnumach-headers-boot0
+  (package-with-bootstrap-guile
+   (package-with-explicit-inputs gnumach-headers
+                                 %boot0-inputs
+                                 (current-source-location)
+                                 #:guile %bootstrap-guile)))
+
+(define mig-boot0
+  (let* ((mig (package (inherit mig)
+                 (native-inputs `(("bison" ,bison-boot0)
+                                  ("flex" ,flex-boot0)))
+                 (inputs `(("flex" ,flex-boot0)))
+                 (arguments
+                  `(#:configure-flags
+                    `(,(string-append "LDFLAGS=-Wl,-rpath="
+                                      (assoc-ref %build-inputs "flex") "/lib/")))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs mig %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
+
+(define hurd-headers-boot0
+  (let ((hurd-headers (package (inherit hurd-headers)
+                        (native-inputs `(("mig" ,mig-boot0)))
+                        (inputs '()))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs hurd-headers %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
+
+(define hurd-minimal-boot0
+  (let ((hurd-minimal (package (inherit hurd-minimal)
+                        (native-inputs `(("mig" ,mig-boot0)))
+                        (inputs '()))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs hurd-minimal %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
+
+(define (hurd-core-headers-boot0)
+  "Return the Hurd and Mach headers as well as initial Hurd libraries for
+the bootstrap environment."
+  (package-with-bootstrap-guile
+   (package (inherit hurd-core-headers)
+            (arguments `(#:guile ,%bootstrap-guile
+                                 ,@(package-arguments hurd-core-headers)))
+            (inputs
+             `(("gnumach-headers" ,gnumach-headers-boot0)
+               ("hurd-headers" ,hurd-headers-boot0)
+               ("hurd-minimal" ,hurd-minimal-boot0)
+               ,@%boot0-inputs)))))
+
+(define* (kernel-headers-boot0 #:optional (system (%current-system)))
+  (match system
+    ("i586-gnu" (hurd-core-headers-boot0))
+    (_ (linux-libre-headers-boot0))))
+
 (define texinfo-boot0
   ;; Texinfo used to build libc's manual.
   ;; We build without ncurses because it fails to build at this stage, and
@@ -320,9 +421,19 @@
                                    (current-source-location)
                                    #:guile %bootstrap-guile))))
 
+(define ld-wrapper-boot0
+  ;; We need this so binaries on Hurd will have libmachuser and libhurduser
+  ;; in their RUNPATH, otherwise validate-runpath will fail.
+  (make-ld-wrapper (string-append "ld-wrapper-" (boot-triplet))
+                   #:target (boot-triplet)
+                   #:binutils binutils-boot0
+                   #:guile %bootstrap-guile
+                   #:bash (car (assoc-ref %boot0-inputs "bash"))))
+
 (define %boot1-inputs
   ;; 2nd stage inputs.
   `(("gcc" ,gcc-boot0)
+    ("ld-wrapper-cross" ,ld-wrapper-boot0)
     ("binutils-cross" ,binutils-boot0)
     ,@(alist-delete "binutils" %boot0-inputs)))
 
@@ -356,6 +467,15 @@
                  (setenv "NATIVE_CPATH" (getenv "CPATH"))
                  (unsetenv "CPATH")
 
+                 ;; Tell 'libpthread' where to find 'libihash' on Hurd systems.
+                 ,@(if (string-match "i586-gnu" (%current-system))
+                       `((substitute* "libpthread/Makefile"
+                           (("LDLIBS-pthread.so =.*")
+                            (string-append "LDLIBS-pthread.so = "
+                                           (assoc-ref %build-inputs "kernel-headers")
+                                           "/lib/libihash.a\n"))))
+                       '())
+
                  ;; 'rpcgen' needs native libc headers to be built.
                  (substitute* "sunrpc/Makefile"
                    (("sunrpc-CPPFLAGS =.*" all)
@@ -363,7 +483,7 @@
                                    "export CPATH\n"
                                    all "\n"))))
                ,phases)))))
-     (propagated-inputs `(("kernel-headers" ,(linux-libre-headers-boot0))))
+     (propagated-inputs `(("kernel-headers" ,(kernel-headers-boot0))))
      (native-inputs
       `(("texinfo" ,texinfo-boot0)
         ("perl" ,perl-boot0)))
@@ -372,6 +492,11 @@
         ;; it in $CPATH, hence the 'pre-configure' phase above.
         ,@%boot1-inputs
 
+        ;; A native MiG is needed to build Glibc on Hurd.
+        ,@(if (string-match "i586-gnu" (%current-system))
+              `(("mig" ,mig-boot0))
+              '())
+
         ;; A native GCC is needed to build `cross-rpcgen'.
         ("native-gcc" ,@(assoc-ref %boot0-inputs "gcc"))
 
@@ -430,31 +555,6 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
        ("bash" ,bash)))
     (inputs '())))
 
-(define bison-boot1
-  ;; XXX: This Bison is needed to rebuild Bash's parser, which is modified by
-  ;; its CVE patches.  Remove it when it's no longer needed.
-  (let* ((m4    (package-with-bootstrap-guile
-                 (package-with-explicit-inputs m4 %boot0-inputs
-                                               (current-source-location)
-                                               #:guile %bootstrap-guile)))
-         (bison (package (inherit bison)
-                  (propagated-inputs `(("m4" ,m4)))
-                  (inputs '())                    ;remove Flex...
-                  (arguments
-                   '(#:tests? #f                  ;... and thus disable tests
-
-                     ;; Zero timestamps in liby.a; this must be done
-                     ;; explicitly here because the bootstrap Binutils don't
-                     ;; do that (default is "cru".)
-                     #:make-flags '("ARFLAGS=crD" "RANLIB=ranlib -D"
-                                    "V=1"))))))
-    (package
-      (inherit (package-with-bootstrap-guile
-                (package-with-explicit-inputs bison %boot0-inputs
-                                              (current-source-location)
-                                              #:guile %bootstrap-guile)))
-      (native-inputs `(("perl" ,perl-boot0))))))
-
 (define static-bash-for-glibc
   ;; A statically-linked Bash to be used by GLIBC-FINAL in system(3) & co.
   (let* ((gcc  (cross-gcc-wrapper gcc-boot0 binutils-boot0
@@ -468,23 +568,21 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
                    ("libc" ,glibc-final-with-bootstrap-bash)
                    ,@(fold alist-delete %boot1-inputs
                            '("gcc" "libc")))))
-    (package
-      (inherit (package-with-bootstrap-guile
-                (package-with-explicit-inputs bash inputs
-                                              (current-source-location)
-                                              #:guile %bootstrap-guile)))
-      (native-inputs `(("bison" ,bison-boot1))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs bash inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
 
 (define gettext-boot0
   ;; A minimal gettext used during bootstrap.
   (let ((gettext-minimal
-         (package (inherit gnu-gettext)
+         (package (inherit gettext-minimal)
            (name "gettext-boot0")
            (inputs '())                           ;zero dependencies
            (arguments
             (substitute-keyword-arguments
                 `(#:tests? #f
-                  ,@(package-arguments gnu-gettext))
+                  ,@(package-arguments gettext-minimal))
               ((#:phases phases)
                `(modify-phases ,phases
                   ;; Build only the tools.
@@ -527,7 +625,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
     ;; if 'allowed-references' were per-output.
     (arguments
      `(#:allowed-references
-       ,(cons* `(,gcc-boot0 "lib") (linux-libre-headers-boot0)
+       ,(cons* `(,gcc-boot0 "lib") (kernel-headers-boot0)
                static-bash-for-glibc
                (package-outputs glibc-final-with-bootstrap-bash))
 
@@ -679,13 +777,11 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define bash-final
   ;; Link with `-static-libgcc' to make sure we don't retain a reference
   ;; to the bootstrap GCC.
-  (package
-    (inherit (package-with-bootstrap-guile
-              (package-with-explicit-inputs (static-libgcc-package bash)
-                                            %boot3-inputs
-                                            (current-source-location)
-                                            #:guile %bootstrap-guile)))
-    (native-inputs `(("bison" ,bison-boot1)))))
+  (package-with-bootstrap-guile
+   (package-with-explicit-inputs (static-libgcc-package bash)
+                                 %boot3-inputs
+                                 (current-source-location)
+                                 #:guile %bootstrap-guile)))
 
 (define %boot4-inputs
   ;; Now use the final Bash.
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index 3bd30fd78c..b4324c2aeb 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -25,6 +26,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages commencement)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages hurd)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
@@ -33,6 +35,7 @@
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 regex)
   #:export (cross-binutils
             cross-libc
             cross-gcc))
@@ -292,12 +295,12 @@ GCC that does not target a libc; otherwise, target that libc."
             (files '("lib" "lib64")))))
     (native-search-paths '())))
 
-(define* (cross-libc target
-                     #:optional
-                     (xgcc (cross-gcc target))
-                     (xbinutils (cross-binutils target)))
-  "Return a libc cross-built for TARGET, a GNU triplet.  Use XGCC and
-XBINUTILS and the cross tool chain."
+(define* (cross-kernel-headers target
+                               #:optional
+                               (xgcc (cross-gcc target))
+                               (xbinutils (cross-binutils target)))
+  "Return headers depending on TARGET."
+
   (define xlinux-headers
     (package (inherit linux-libre-headers)
       (name (string-append (package-name linux-libre-headers)
@@ -320,6 +323,147 @@ XBINUTILS and the cross tool chain."
                        ("cross-binutils" ,xbinutils)
                        ,@(package-native-inputs linux-libre-headers)))))
 
+  (define xgnumach-headers
+    (package (inherit gnumach-headers)
+      (name (string-append (package-name gnumach-headers)
+                           "-cross-" target))
+
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ,@(package-native-inputs gnumach-headers)))))
+
+  (define xmig
+    (package (inherit mig)
+      (name (string-append "mig-cross"))
+      (arguments
+       `(#:modules ((guix build gnu-build-system)
+                    (guix build utils)
+                    (srfi srfi-26))
+         #:phases (alist-cons-before
+                   'configure 'set-cross-headers-path
+                   (lambda* (#:key inputs #:allow-other-keys)
+                     (let* ((mach (assoc-ref inputs "cross-gnumach-headers"))
+                            (cpath (string-append mach "/include")))
+                       (for-each (cut setenv <> cpath)
+                                 '("CROSS_C_INCLUDE_PATH"
+                                   "CROSS_CPLUS_INCLUDE_PATH"
+                                   "CROSS_OBJC_INCLUDE_PATH"
+                                   "CROSS_OBJCPLUS_INCLUDE_PATH"))))
+                   %standard-phases)
+         #:configure-flags (list ,(string-append "--target=" target))
+         ,@(package-arguments mig)))
+
+      (propagated-inputs `(("cross-gnumach-headers" ,xgnumach-headers)))
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ,@(package-native-inputs mig)))))
+
+  (define xhurd-headers
+    (package (inherit hurd-headers)
+      (name (string-append (package-name hurd-headers)
+                           "-cross-" target))
+
+      (propagated-inputs `(("cross-mig" ,xmig)))
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ("cross-mig" ,xmig)
+                       ,@(alist-delete "mig"(package-native-inputs hurd-headers))))))
+
+   (define xglibc/hurd-headers
+    (package (inherit glibc/hurd-headers)
+      (name (string-append (package-name glibc/hurd-headers)
+                           "-cross-" target))
+
+      (arguments
+       (substitute-keyword-arguments
+           `(#:modules ((guix build gnu-build-system)
+                        (guix build utils)
+                        (srfi srfi-26))
+             ,@(package-arguments glibc/hurd-headers))
+         ((#:phases phases)
+          `(alist-cons-before
+            'pre-configure 'set-cross-headers-path
+            (lambda* (#:key inputs #:allow-other-keys)
+              (let* ((mach (assoc-ref inputs "gnumach-headers"))
+                     (hurd (assoc-ref inputs "hurd-headers"))
+                     (cpath (string-append mach "/include:"
+                                           hurd "/include")))
+                (for-each (cut setenv <> cpath)
+                          '("CROSS_C_INCLUDE_PATH"
+                            "CROSS_CPLUS_INCLUDE_PATH"
+                            "CROSS_OBJC_INCLUDE_PATH"
+                            "CROSS_OBJCPLUS_INCLUDE_PATH"))))
+            ,phases))))
+
+      (propagated-inputs `(("gnumach-headers" ,xgnumach-headers)
+                           ("hurd-headers" ,xhurd-headers)))
+
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ("cross-mig" ,xmig)
+                       ,@(alist-delete "mig"(package-native-inputs glibc/hurd-headers))))))
+
+  (define xhurd-minimal
+    (package (inherit hurd-minimal)
+      (name (string-append (package-name hurd-minimal)
+                           "-cross-" target))
+      (arguments
+       (substitute-keyword-arguments
+         `(#:modules ((guix build gnu-build-system)
+                      (guix build utils)
+                      (srfi srfi-26))
+           ,@(package-arguments hurd-minimal))
+         ((#:phases phases)
+          `(alist-cons-before
+            'configure 'set-cross-headers-path
+            (lambda* (#:key inputs #:allow-other-keys)
+              (let* ((glibc-headers (assoc-ref inputs "cross-glibc-hurd-headers"))
+                    (cpath (string-append glibc-headers "/include")))
+                (for-each (cut setenv <> cpath)
+                          '("CROSS_C_INCLUDE_PATH"
+                            "CROSS_CPLUS_INCLUDE_PATH"
+                            "CROSS_OBJC_INCLUDE_PATH"
+                            "CROSS_OBJCPLUS_INCLUDE_PATH"))))
+            ,phases))))
+
+      (inputs `(("cross-glibc-hurd-headers" ,xglibc/hurd-headers)))
+
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ("cross-mig" ,xmig)
+                       ,@(alist-delete "mig"(package-native-inputs hurd-minimal))))))
+
+  (define xhurd-core-headers
+    (package (inherit hurd-core-headers)
+      (name (string-append (package-name hurd-core-headers)
+                           "-cross-" target))
+
+      (inputs `(("gnumach-headers" ,xgnumach-headers)
+                ("hurd-headers" ,xhurd-headers)
+                ("hurd-minimal" ,xhurd-minimal)))
+
+      (native-inputs `(("cross-gcc" ,xgcc)
+                       ("cross-binutils" ,xbinutils)
+                       ("cross-mig" ,xmig)
+                       ,@(package-native-inputs hurd-core-headers)))))
+
+  (match target
+    ((or "i586-pc-gnu" "i586-gnu") xhurd-core-headers)
+    (_ xlinux-headers)))
+
+(define* (cross-libc target
+                     #:optional
+                     (xgcc (cross-gcc target))
+                     (xbinutils (cross-binutils target))
+                     (xheaders (cross-kernel-headers target)))
+  "Return a libc cross-built for TARGET, a GNU triplet.  Use XGCC and
+XBINUTILS and the cross tool chain."
+  (define (cross-libc-for-target target)
+    "Return libc depending on TARGET."
+    (match target
+      ((or "i586-pc-gnu" "i586-gnu") glibc/hurd)
+      (_ glibc/linux)))
+
   (package (inherit glibc)
     (name (string-append "glibc-cross-" target))
     (arguments
@@ -337,7 +481,9 @@ XBINUTILS and the cross tool chain."
                       (guix build utils)
                       (srfi srfi-26))
 
-           ,@(package-arguments glibc))
+           ;; Package-arguments does not use the correct libc, so we use
+           ;; (cross-libc-for-target ...) to determine the correct one.
+           ,@(package-arguments (cross-libc-for-target target)))
        ((#:configure-flags flags)
         `(cons ,(string-append "--host=" target)
                ,flags))
@@ -352,12 +498,14 @@ XBINUTILS and the cross tool chain."
                           "CROSS_CPLUS_INCLUDE_PATH"
                           "CROSS_OBJC_INCLUDE_PATH"
                           "CROSS_OBJCPLUS_INCLUDE_PATH"))
+              (setenv "CROSS_LIBRARY_PATH"
+                      (string-append kernel "/lib")) ;for Hurd's libihash
               #t))
           ,phases))))
 
     ;; Shadow the native "kernel-headers" because glibc's recipe expects the
     ;; "kernel-headers" input to point to the right thing.
-    (propagated-inputs `(("kernel-headers" ,xlinux-headers)))
+    (propagated-inputs `(("kernel-headers" ,xheaders)))
 
     ;; FIXME: 'static-bash' should really be an input, not a native input, but
     ;; to do that will require building an intermediate cross libc.
@@ -365,6 +513,11 @@ XBINUTILS and the cross tool chain."
 
     (native-inputs `(("cross-gcc" ,xgcc)
                      ("cross-binutils" ,xbinutils)
+                     ,@(if (string-match (or "i586-pc-gnu" "i586-gnu") target)
+                           `(("cross-mig"
+                              ,@(assoc-ref (package-native-inputs xheaders)
+                                           "cross-mig")))
+                           '())
                      ,@(package-inputs glibc)     ;FIXME: static-bash
                      ,@(package-native-inputs glibc)))))
 
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index 14084c91b1..88e9038dc3 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -189,7 +189,7 @@ communication.")
                                        #:directories? #t)))))
     (build-system cmake-build-system)
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
 
        ;; Test dependencies.
        ("expect" ,expect)
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index e51dcb5e8c..2050c9b7e7 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -40,10 +40,18 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages tls))
 
+;; Delay to avoid module circularity problems.
+(define ghostscript/cups
+  (delay
+    (package (inherit ghostscript)
+      (name "ghostscript-with-cups")
+      (inputs `(("cups" ,cups-minimal)
+                ,@(package-inputs ghostscript))))))
+
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (version "1.4.0")
+    (version "1.11.2")
     (source (origin
               (method url-fetch)
               (uri
@@ -51,22 +59,28 @@
                               "cups-filters-" version ".tar.xz"))
               (sha256
                (base32
-                "16jpqqlixlv2dxqv8gak5qg4qnsnw4p745xr6rhw9dgylf13z9ha"))
+                "0x864p794m10kn157n6iv1q9nix5f7x82a8xwjf8hlvri4458j2b"))
               (modules '((guix build utils)))
               (snippet
                ;; install backends, banners and filters to cups-filters output
                ;; directory, not the cups server directory
-               '(substitute* "Makefile.in"
-                  (("CUPS_DATADIR = @CUPS_DATADIR@")
-                   "CUPS_DATADIR = $(PREFIX)/share/cups")
-                  (("pkgcupsserverrootdir = \\$\\(CUPS_SERVERROOT\\)")
-                   "pkgcupsserverrootdir = $(PREFIX)")
-                  ;; Choose standard directories notably so that binaries are
-                  ;; stripped.
-                  (("pkgbackenddir = \\$\\(CUPS_SERVERBIN\\)/backend")
-                   "pkgbackenddir = $(PREFIX)/lib/cups/backend")
-                  (("pkgfilterdir = \\$\\(CUPS_SERVERBIN\\)/filter")
-                   "pkgfilterdir = $(PREFIX)/lib/cups/filter")))))
+               '(begin
+                  (substitute* "Makefile.in"
+                    (("CUPS_DATADIR = @CUPS_DATADIR@")
+                     "CUPS_DATADIR = $(PREFIX)/share/cups")
+                    (("pkgcupsserverrootdir = \\$\\(CUPS_SERVERROOT\\)")
+                     "pkgcupsserverrootdir = $(PREFIX)")
+                    ;; Choose standard directories notably so that binaries are
+                    ;; stripped.
+                    (("pkgbackenddir = \\$\\(CUPS_SERVERBIN\\)/backend")
+                     "pkgbackenddir = $(PREFIX)/lib/cups/backend")
+                    (("pkgfilterdir = \\$\\(CUPS_SERVERBIN\\)/filter")
+                     "pkgfilterdir = $(PREFIX)/lib/cups/filter"))
+                  ;; Find bannertopdf data such as the print test page in our
+                  ;; output directory, not CUPS's prefix.
+                  (substitute* "configure"
+                    (("\\{CUPS_DATADIR\\}/data")
+                     "{prefix}/share/cups/data"))))))
     (build-system gnu-build-system)
     (arguments
      `(#:make-flags (list (string-append "PREFIX=" %output))
@@ -74,16 +88,20 @@
        `(,(string-append "--with-test-font-path="
                          (assoc-ref %build-inputs "font-dejavu")
                          "/share/fonts/truetype/DejaVuSans.ttf")
+         ,(string-append "--with-gs-path="
+                         (assoc-ref %build-inputs "ghostscript")
+                         "/bin/gsc")
          ,(string-append "--with-rcdir="
                          (assoc-ref %outputs "out") "/etc/rc.d"))))
     (native-inputs
      `(("glib" ,glib "bin") ; for gdbus-codegen
        ("pkg-config" ,pkg-config)))
     (inputs
-     `(("fontconfig"   ,fontconfig)
+     `(("avahi"        ,avahi)
+       ("fontconfig"   ,fontconfig)
        ("freetype"     ,freetype)
        ("font-dejavu"  ,font-dejavu) ;needed by test suite
-       ("ghostscript"  ,ghostscript)
+       ("ghostscript"  ,(force ghostscript/cups))
        ("ijs"          ,ijs)
        ("dbus"         ,dbus)
        ("lcms"         ,lcms)
@@ -94,7 +112,7 @@
        ("qpdf"         ,qpdf)
        ("poppler"      ,poppler)
        ("cups-minimal" ,cups-minimal)))
-    (home-page "http://www.linuxfoundation.org/collaborate/workgroups/openprinting/cups-filters")
+    (home-page "https://wiki.linuxfoundation.org/openprinting/cups-filters")
     (synopsis "OpenPrinting CUPS filters and backends")
     (description
      "Contains backends, filters, and other software that was once part of the
@@ -116,14 +134,18 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 (define-public cups-minimal
   (package
     (name "cups-minimal")
-    (version "2.1.0")
+    (version "2.1.4")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://www.cups.org/software/"
-                                  version "/cups-" version "-source.tar.bz2"))
+              (uri (list (string-append "https://www.cups.org/software/"
+                                        version "/cups-"
+                                        version "-source.tar.gz")
+                         (string-append "https://github.com/apple/cups/releases"
+                                        "/download/release-" version
+                                        "/cups-" version "-source.tar.gz")))
               (sha256
                (base32
-                "1jfjqsw9l7jbn5kb9i96k0wj12kjdbgx0rd8157dif22hi0kh0ms"))))
+                "13bjxw256wd1nff22vj2z25mdhllj2h6d9xypsg55b40661zs52b"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -151,7 +173,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
     (inputs
      `(("zlib"  ,zlib)
        ("gnutls" ,gnutls)))
-    (home-page "http://www.cups.org")
+    (home-page "https://www.cups.org")
     (synopsis "The Common Unix Printing System")
     (description
      "CUPS is a printing system that uses the Internet Printing
@@ -178,122 +200,116 @@ device-specific programs to convert and print many types of files.")
        '("--disable-launchd"
          "--disable-systemd")
        #:phases
-       (alist-cons-before
-        'configure
-        'patch-makedefs
-        (lambda _
-          (substitute* "Makedefs.in"
-            (("INITDIR.*=.*@INITDIR@") "INITDIR = @prefix@/@INITDIR@")
-            (("/bin/sh") (which "sh"))))
-        (alist-cons-before
-         'check
-         'patch-tests
-         (lambda _
-           (let ((filters (assoc-ref %build-inputs "cups-filters"))
-                 (catpath (string-append
-                           (assoc-ref %build-inputs "coreutils") "/bin/"))
-                 (testdir (string-append (getcwd) "/tmp/")))
-             (mkdir testdir)
-             (substitute* "test/run-stp-tests.sh"
-               ((" *BASE=/tmp/") (string-append "BASE=" testdir))
+       (modify-phases %standard-phases
+         (add-before 'configure 'patch-makedefs
+           (lambda _
+             (substitute* "Makedefs.in"
+               (("INITDIR.*=.*@INITDIR@") "INITDIR = @prefix@/@INITDIR@")
+               (("/bin/sh") (which "sh")))))
+         (add-before 'check 'patch-tests
+           (lambda _
+             (let ((filters (assoc-ref %build-inputs "cups-filters"))
+                   (catpath (string-append
+                             (assoc-ref %build-inputs "coreutils") "/bin/"))
+                   (testdir (string-append (getcwd) "/tmp/")))
+               (mkdir testdir)
+               (substitute* "test/run-stp-tests.sh"
+                 ((" *BASE=/tmp/") (string-append "BASE=" testdir))
 
-               ;; allow installation of filters from output dir and from
-               ;; cups-filters
-               (("for dir in /usr/libexec/cups/filter /usr/lib/cups/filter")
-                (string-append
-                 "for dir in "
-                 (assoc-ref %outputs "out") "/lib/cups/filter "
-                 filters "/lib/cups/filter"))
+                 ;; allow installation of filters from output dir and from
+                 ;; cups-filters
+                 (("for dir in /usr/libexec/cups/filter /usr/lib/cups/filter")
+                  (string-append
+                   "for dir in "
+                   (assoc-ref %outputs "out") "/lib/cups/filter "
+                   filters "/lib/cups/filter"))
 
-               ;; check for charsets in cups-filters output
-               (("/usr/share/cups/charsets")
-                (string-append filters "/share/cups/charsets"))
+                 ;; check for charsets in cups-filters output
+                 (("/usr/share/cups/charsets")
+                  (string-append filters "/share/cups/charsets"))
 
-               ;; install additional required filters
-               (("instfilter texttopdf texttopdf pdf")
-                (string-append
-                 "instfilter texttopdf texttopdf pdf;"
-                 "instfilter imagetoraster imagetoraster raster;"
-                 "instfilter gstoraster gstoraster raster;"
-                 "instfilter urftopdf urftopdf pdf;"
-                 "instfilter rastertopdf rastertopdf pdf;"
-                 "instfilter pstopdf pstopdf pdf"))
+                 ;; install additional required filters
+                 (("instfilter texttopdf texttopdf pdf")
+                  (string-append
+                   "instfilter texttopdf texttopdf pdf;"
+                   "instfilter imagetoraster imagetoraster raster;"
+                   "instfilter gstoraster gstoraster raster;"
+                   "instfilter urftopdf urftopdf pdf;"
+                   "instfilter rastertopdf rastertopdf pdf;"
+                   "instfilter pstopdf pstopdf pdf"))
 
-               ;; specify location of lpstat binary
-               (("description=\"`lpstat -l")
-                "description=\"`../systemv/lpstat -l")
+                 ;; specify location of lpstat binary
+                 (("description=\"`lpstat -l")
+                  "description=\"`../systemv/lpstat -l")
 
-               ;; patch shebangs of embedded scripts
-               (("#!/bin/sh") (string-append "#!" (which "sh")))
+                 ;; patch shebangs of embedded scripts
+                 (("#!/bin/sh") (string-append "#!" (which "sh")))
 
-               ;; also link mime definitions from cups-filters
-               ;; to enable the additional filters for the test suite
-               (("ln -s \\$root/conf/mime\\.types")
-                (string-append
-                 "ln -s " filters
-                 "/share/cups/mime/cupsfilters.types $BASE/share/mime; "
-                 "ln -s $root/conf/mime.types"))
-               (("ln -s \\$root/conf/mime\\.convs")
-                (string-append
-                 "ln -s " filters
-                 "/share/cups/mime/cupsfilters.convs $BASE/share/mime; "
-                 "ln -s $root/conf/mime.convs")))
+                 ;; also link mime definitions from cups-filters
+                 ;; to enable the additional filters for the test suite
+                 (("ln -s \\$root/conf/mime\\.types")
+                  (string-append
+                   "ln -s " filters
+                   "/share/cups/mime/cupsfilters.types $BASE/share/mime; "
+                   "ln -s $root/conf/mime.types"))
+                 (("ln -s \\$root/conf/mime\\.convs")
+                  (string-append
+                   "ln -s " filters
+                   "/share/cups/mime/cupsfilters.convs $BASE/share/mime; "
+                   "ln -s $root/conf/mime.convs")))
 
-             ;; fix search path for "cat"
-             (substitute* "cups/testfile.c"
-               (("cupsFileFind\\(\"cat\", \"/bin\"")
-                (string-append "cupsFileFind(\"cat\", \"" catpath "\""))
-               (("cupsFileFind\\(\"cat\", \"/bin:/usr/bin\"")
-                (string-append "cupsFileFind(\"cat\", \"" catpath "\"")))))
-         (alist-cons-after
-          'install
-          'install-cups-filters-symlinks
-          (lambda* (#:key inputs outputs #:allow-other-keys)
-            (let ((out (assoc-ref outputs "out"))
-                  (cups-filters (assoc-ref inputs "cups-filters")))
-              ;; charsets
-              (symlink
-               (string-append cups-filters "/share/cups/charsets")
-               (string-append out "/share/charsets"))
+               ;; fix search path for "cat"
+               (substitute* "cups/testfile.c"
+                 (("cupsFileFind\\(\"cat\", \"/bin\"")
+                  (string-append "cupsFileFind(\"cat\", \"" catpath "\""))
+                 (("cupsFileFind\\(\"cat\", \"/bin:/usr/bin\"")
+                  (string-append "cupsFileFind(\"cat\", \"" catpath "\""))))))
+         (add-after 'install 'install-cups-filters-symlinks
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (cups-filters (assoc-ref inputs "cups-filters")))
+               ;; charsets
+               (symlink
+                (string-append cups-filters "/share/cups/charsets")
+                (string-append out "/share/charsets"))
 
-              ;; mime types, driver file, ppds
-              (for-each
-               (lambda (f)
-                 (symlink (string-append cups-filters f)
-                          (string-append out f)))
-               '("/share/cups/mime/cupsfilters.types"
-                 "/share/cups/mime/cupsfilters.convs"
-                 "/share/cups/drv/cupsfilters.drv"
-                 "/share/ppd"))
+               ;; mime types, driver file, ppds
+               (for-each
+                (lambda (f)
+                  (symlink (string-append cups-filters f)
+                           (string-append out f)))
+                '("/share/cups/mime/cupsfilters.types"
+                  "/share/cups/mime/cupsfilters.convs"
+                  "/share/cups/drv/cupsfilters.drv"
+                  "/share/ppd"))
 
-              ;; filters
-              (for-each
-               (lambda (f)
-                 (symlink f
-                          (string-append out "/lib/cups/filter" (basename f))))
-               (find-files (string-append cups-filters "/lib/cups/filter")))
+               ;; filters
+               (for-each
+                (lambda (f)
+                  (symlink f
+                           (string-append out "/lib/cups/filter" (basename f))))
+                (find-files (string-append cups-filters "/lib/cups/filter")))
 
-              ;; backends
-              (for-each
-               (lambda (f)
-                 (symlink (string-append cups-filters f)
-                          (string-append out "/lib/cups/backend/"
-                                         (basename f))))
-               '("/lib/cups/backend/parallel"
-                 "/lib/cups/backend/serial"))
+               ;; backends
+               (for-each
+                (lambda (f)
+                  (symlink (string-append cups-filters f)
+                           (string-append out "/lib/cups/backend/"
+                                          (basename f))))
+                '("/lib/cups/backend/parallel"
+                  "/lib/cups/backend/serial"))
 
-              ;; banners
-              (let ((banners "/share/cups/banners"))
-                (delete-file-recursively (string-append out banners))
-                (symlink (string-append cups-filters banners)
-                         (string-append out banners)))
+               ;; banners
+               (let ((banners "/share/cups/banners"))
+                 (delete-file-recursively (string-append out banners))
+                 (symlink (string-append cups-filters banners)
+                          (string-append out banners)))
 
-              ;; assorted data
-              (let ((data "/share/cups/data"))
-                (delete-file-recursively (string-append out data))
-                (symlink (string-append cups-filters data)
-                         (string-append out data)))))
-          %standard-phases)))))
+               ;; assorted data
+               (let ((data "/share/cups/data"))
+                 (delete-file-recursively (string-append out data))
+                 (symlink (string-append cups-filters data)
+                          (string-append out data)))))))))
     (inputs
      `(("avahi" ,avahi)
        ("gnutls" ,gnutls)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 5cd80868f7..b267497c7c 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,15 +40,14 @@
 (define-public curl
   (package
    (name "curl")
-   (replacement curl-7.50.3)
-   (version "7.47.0")
+   (version "7.50.3")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "1n284wdqzwb4bkmv0fnh36zl6lhlzy3clw2b7pn28kpgdy09ly7p"))))
+              "1spmk0345hq0sgpwxs8d410268lmg3wf1x9v23hxff7wxki5fm4c"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -84,10 +83,6 @@
          (lambda _
            (substitute* "tests/runtests.pl"
              (("/bin/sh") (which "sh")))
-           ;; Test #1135 requires extern-scan.pl, which is not part of the
-           ;; tarball due to a mistake.  It has been fixed upstream.  We can
-           ;; simply disable the test as it is specific to VMS and OS/400.
-           (delete-file "tests/data/test1135")
 
            ;; XXX FIXME: Test #1510 seems to work on some machines and not
            ;; others, possibly based on the kernel version.  It works on GuixSD
@@ -124,16 +119,3 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "http://curl.haxx.se/")))
-
-(define curl-7.50.3
-  (package
-    (inherit curl)
-    (source
-      (let ((version "7.50.3"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "https://curl.haxx.se/download/curl-"
-                              version ".tar.lzma"))
-          (sha256
-           (base32
-            "1spmk0345hq0sgpwxs8d410268lmg3wf1x9v23hxff7wxki5fm4c")))))))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 902b3f32fa..5219766133 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -91,7 +91,7 @@
        ("python" ,python-2)
        ("autoconf" ,autoconf)
        ("automake" ,automake)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("libtool" ,libtool)
        ("pcre" ,pcre "bin")                       ;for 'pcre-config'
        ("pkg-config" ,pkg-config)))
@@ -405,7 +405,24 @@ pictures, sounds, or video.")
                  #:configure-flags
                  (list (string-append "--with-bash-headers="
                                       (assoc-ref %build-inputs "bash:include")
-                                      "/include/bash"))))
+                                      "/include/bash"))
+
+                 #:phases (modify-phases %standard-phases
+                            (add-before 'build 'set-bash4.4-header-location
+                              (lambda _
+                                (substitute* "bash/Makefile.in"
+                                  ;; Adjust the header search path for Bash
+                                  ;; 4.4 in accordance with 'bash.pc'.
+                                  (("AM_CPPFLAGS = (.*)$" _ rest)
+                                   (string-append "AM_CPPFLAGS = "
+                                                  "-I$(BASH_HEADERS)/include "
+                                                  rest))
+
+                                  ;; Install to PREFIX/lib/bash to match Bash
+                                  ;; 4.4's search path.
+                                  (("^libdir = .*$")
+                                   "libdir = @libdir@/bash\n"))
+                                #t)))))
 
     (native-inputs `(("emacs" ,emacs-minimal)
                      ("bc" ,bc)
@@ -490,7 +507,7 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.12.2")
+   (version "3.14.1")
    (source (origin
             (method url-fetch)
             ;; TODO: Download from sqlite.org once this bug :
@@ -521,15 +538,17 @@ for example from a shell script.")
                    ))
             (sha256
              (base32
-              "1fwss0i2lixv39b27gkqiibdd2syym90wh3qbiaxnfgxk867f07x"))))
+              "19j73j44akqgc6m82wm98yvnmm3mfzmfqr8mp3n7n080d53q4wdw"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
     `(#:configure-flags
-      ;; Add -DSQLITE_SECURE_DELETE and -DSQLITE_ENABLE_UNLOCK_NOTIFY to
-      ;; CFLAGS.  GNU Icecat will refuse to use the system SQLite unless these
-      ;; options are enabled.
-      '("CFLAGS=-O2 -DSQLITE_SECURE_DELETE -DSQLITE_ENABLE_UNLOCK_NOTIFY")))
+      ;; Add -DSQLITE_SECURE_DELETE, -DSQLITE_ENABLE_UNLOCK_NOTIFY and
+      ;; -DSQLITE_ENABLE_DBSTAT_VTAB to CFLAGS.  GNU Icecat will refuse
+      ;; to use the system SQLite unless these options are enabled.
+      (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
+                           "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
+                           "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
    (home-page "http://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
diff --git a/gnu/packages/dav.scm b/gnu/packages/dav.scm
index be6c40f4ba..ba56d0d852 100644
--- a/gnu/packages/dav.scm
+++ b/gnu/packages/dav.scm
@@ -34,6 +34,14 @@
               (base32
                "1c5lv8qca21mndkx350wxv34qypqh6gb4rhzms4anr642clq3jg2"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "py.test")))))))
+    (native-inputs
+     `(("python-pytest" ,python-pytest)))
     (propagated-inputs
       ;; TODO: Add python-pam
      `(("python-requests" ,python-requests)))
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index a3ace8ab16..e75eb081ed 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -72,7 +72,7 @@
        ("readline" ,readline)
        ("util-linux" ,util-linux)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ;; For the tests.
        ("perl" ,perl)
        ("python" ,python-2)))
@@ -97,7 +97,7 @@ tables.  It includes a library and command-line utility.")
         "04nd7civ561x2lwcmxhsqbprml3178jfc58fy1v7hzqg5k4nbhy3"))))
     (build-system gnu-build-system)
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("guile" ,guile-1.8)
        ("util-linux" ,util-linux)
        ("parted" ,parted)))
@@ -123,7 +123,7 @@ tables, and it understands a variety of different formats.")
         "1izazbyv5n2d81qdym77i8mg9m870hiydmq4d0s51npx5vp8lk46"))))
     (build-system gnu-build-system)
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("ncurses" ,ncurses)
        ("popt" ,popt)
        ("util-linux" ,util-linux))) ; libuuid
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index 080c0dba8e..bbc25e8797 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -126,7 +126,7 @@ and to some extent D.")
     (build-system gnu-build-system)
     (native-inputs
      `(("flex" ,flex)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (home-page "http://docpp.sourceforge.net/")
     (synopsis "Documentation system for C, C++, IDL, and Java")
     (description
diff --git a/gnu/packages/education.scm b/gnu/packages/education.scm
index 14c1bac322..3a883079fe 100644
--- a/gnu/packages/education.scm
+++ b/gnu/packages/education.scm
@@ -59,7 +59,7 @@
         ("zlib" ,zlib)
         ("qtserialport" ,qtserialport)
         ("qtscript" ,qtscript)
-        ("gettext" ,gnu-gettext)))
+        ("gettext" ,gettext-minimal)))
     (native-inputs
       `(("qtbase" ,qtbase)                   ;Qt MOC is needed at compile time
         ("qttools" ,qttools)
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index dad38e0310..c8391f0798 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -233,8 +233,7 @@ optimizer; and it can produce photorealistic and design review images.")
     (build-system gnu-build-system)
     (native-inputs
      `(("texlive" ,texlive)
-       ("ghostscript" ,ghostscript)
-       ("ghostscript" ,ghostscript-gs)))
+       ("ghostscript" ,ghostscript)))
     (arguments
      `(#:make-flags '("CC=gcc" "RM=rm" "SHELL=sh" "all")
        #:parallel-build? #f
@@ -444,7 +443,7 @@ ready for production.")
      `(("autoconf" ,autoconf)
        ("automake" ,automake)
        ("libtool" ,libtool)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("po4a" ,po4a)
        ("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/enlightenment.scm b/gnu/packages/enlightenment.scm
index e8bd387ef3..f642943892 100644
--- a/gnu/packages/enlightenment.scm
+++ b/gnu/packages/enlightenment.scm
@@ -209,7 +209,7 @@ Libraries with some extra bells and whistles.")
     (arguments
      `(#:configure-flags '("--enable-mount-eeze")))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/fcitx.scm b/gnu/packages/fcitx.scm
index c89896eafe..dd8eead7fb 100644
--- a/gnu/packages/fcitx.scm
+++ b/gnu/packages/fcitx.scm
@@ -70,7 +70,7 @@
     (inputs
      `(("dbus"             ,dbus)
        ("enchant"          ,enchant)
-       ("gettext"          ,gnu-gettext)
+       ("gettext"          ,gettext-minimal)
        ("gtk2"             ,gtk+-2)
        ("gtk3"             ,gtk+)
        ("icu4c"            ,icu4c)
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 90e9a70626..a6239877a0 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,14 +28,14 @@
 (define-public file
   (package
    (name "file")
-    (version "5.25")
+    (version "5.28")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1jhfi5mivdnqvry5la5q919l503ahwdwbf3hjhiv97znccakhd9p"))))
+                "04p0w9ggqq6cqvwhyni0flji1z0rwrz896hmhkxd2mc6dca5xjqf"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 20aff196e9..c2135a1bc0 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -36,6 +36,7 @@
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/flex/flex-"
                                  version ".tar.bz2"))
+             (patches (search-patches "flex-CVE-2016-6354.patch"))
              (sha256
               (base32
                "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"))))
diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index c8642b72ae..22857e84b5 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2016 Jookia <166291@gmail.com>
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -126,7 +127,7 @@ TrueType (TTF) files.")
 (define-public font-dejavu
   (package
     (name "font-dejavu")
-    (version "2.35")
+    (version "2.37")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/dejavu/dejavu/"
@@ -134,7 +135,7 @@ TrueType (TTF) files.")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "122d35y93r820zhi6d7m9xhakdib10z51v63lnlg67qhhrardmzn"))))
+               "1mqpds24wfs5cmfhj57fsfs07mji2z8812i5c4pi5pbi738s977s"))))
     (build-system trivial-build-system)
     (arguments
      `(#:modules ((guix build utils))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index d6872d05fd..60cff2e330 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -223,15 +223,14 @@ fonts to/from the WOFF2 format.")
 (define-public fontconfig
   (package
    (name "fontconfig")
-   (replacement fontconfig/fixed)
-   (version "2.11.94")
+   (version "2.12.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
                    "https://www.freedesktop.org/software/fontconfig/release/fontconfig-"
                    version ".tar.bz2"))
             (sha256 (base32
-                     "1psrl4b4gi4wmbvwwh43lk491wsl8lgvqj146prlcha3vwjc0qyp"))))
+                     "1wy7svvp7df6bjpg1m5vizb3ngd7rhb20vpclv3x3qa71khs6jdl"))))
    (build-system gnu-build-system)
    (propagated-inputs `(("expat" ,expat)
                         ("freetype" ,freetype)))
@@ -276,13 +275,6 @@ high quality, anti-aliased and subpixel rendered text on a display.")
                        "See COPYING in the distribution."))
    (home-page "http://www.freedesktop.org/wiki/Software/fontconfig")))
 
-(define fontconfig/fixed
-  (package
-    (inherit fontconfig)
-    (source (origin
-              (inherit (package-source fontconfig))
-              (patches (search-patches "fontconfig-CVE-2016-5384.patch"))))))
-
 (define-public t1lib
   (package
    (name "t1lib")
@@ -529,7 +521,7 @@ definitions.")
    (inputs `(("cairo"           ,cairo)
              ("fontconfig"      ,fontconfig) ;dlopen'd
              ("freetype"        ,freetype)
-             ("gettext"         ,gnu-gettext)
+             ("gettext"         ,gettext-minimal)
              ("glib"            ,glib) ;needed for pango detection
              ("libICE"          ,libice)
              ("libSM"           ,libsm)
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 84154b309b..4bef23c1ae 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -191,7 +191,7 @@ the freedesktop.org XDG Base Directory specification.")
                                         "/libexec/elogind/elogind\n"))))))))
     (native-inputs
      `(("intltool" ,intltool)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("docbook-xsl" ,docbook-xsl)
        ("docbook-xml" ,docbook-xml)
        ("xsltproc" ,libxslt)
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 17ca12bce6..e4c34d08a5 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -160,7 +160,7 @@ representation of the playing board.")
               ("libx11" ,libx11)
               ("guile" ,guile-2.0)
               ("gtkglext" ,gtkglext)))
-    (native-inputs `(("gettext" ,gnu-gettext)
+    (native-inputs `(("gettext" ,gettext-minimal)
                      ("pkg-config" ,pkg-config)))
     (home-page "https://www.gnu.org/software/gnubik/")
     (synopsis "3d Rubik's cube game")
@@ -358,7 +358,7 @@ interface or via an external visual interface such as GNU XBoard.")
                 "08c51imfjfcydm7h0va09z8qfw5nc837bi2x754ni2z737hb5kw2"))))
     (build-system gnu-build-system)
     (arguments `(#:configure-flags '("--disable-embedded-resources")))
-    (native-inputs `(("gettext" ,gnu-gettext)
+    (native-inputs `(("gettext" ,gettext-minimal)
                      ("pkg-config" ,pkg-config)))
     (inputs `(("sdl" ,sdl)
               ("sdl-image" ,sdl-image)
@@ -729,7 +729,7 @@ match, cannon keep, and grave-itation pit.")
        ("freetype" ,(@ (gnu packages fontutils) freetype))
        ("curl" ,curl)
        ("luajit" ,luajit)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("sqlite" ,sqlite)))
     (propagated-inputs
      `(("minetest-data" ,minetest-data)))
@@ -1027,7 +1027,7 @@ falling, themeable graphics and sounds, and replays.")
        ;;   cc1plus: all warnings being treated as errors
        '("-DENABLE_STRICT_COMPILATION=OFF")))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("boost" ,boost)
@@ -2550,7 +2550,7 @@ safety of the Chromium vessel.")
     (inputs
      `(("cairo" ,cairo)
        ("fribidi" ,fribidi)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("libpng" ,libpng)
        ("librsvg" ,librsvg)
        ("libpaper" ,libpaper)
@@ -2646,7 +2646,7 @@ with the \"Stamp\" tool within Tux Paint.")
          "1z12s46mvy87qs3vgq9m0ki9pp21zqc52mmgphahpihw3s7haf6v"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
     (inputs
      `(("fltk" ,fltk)
        ("libpaper" ,libpaper)
diff --git a/gnu/packages/gawk.scm b/gnu/packages/gawk.scm
index c6d322b708..86f01335a8 100644
--- a/gnu/packages/gawk.scm
+++ b/gnu/packages/gawk.scm
@@ -29,37 +29,49 @@
 (define-public gawk
   (package
    (name "gawk")
-   (version "4.1.3")
+   (version "4.1.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/gawk/gawk-" version
                                 ".tar.xz"))
             (sha256
-             (base32 "09d6pmx6h3i2glafm0jd1v1iyrs03vcyv2rkz12jisii3vlmbkz3"))
-            (patches (search-patches "gawk-fts-test.patch"))))
+             (base32 "0rn2mmjxm767zliqzd67j7h2ncjn4j0321c60y9fy3grs3i89qak"))))
    (build-system gnu-build-system)
    (arguments
     `(#:parallel-tests? #f                ; test suite fails in parallel
 
-      #:phases (alist-cons-before
-                'configure 'set-shell-file-name
-                (lambda* (#:key inputs #:allow-other-keys)
-                  ;; Refer to the right shell.
-                  (let ((bash (assoc-ref inputs "bash")))
-                    (substitute* "io.c"
-                      (("/bin/sh")
-                       (string-append bash "/bin/bash")))
+      #:phases (modify-phases %standard-phases
+                 (add-before 'configure 'set-shell-file-name
+                   (lambda* (#:key inputs #:allow-other-keys)
+                     ;; Refer to the right shell.
+                     (let ((bash (assoc-ref inputs "bash")))
+                       (substitute* "io.c"
+                         (("/bin/sh")
+                          (string-append bash "/bin/bash")))
 
-                    ;; When cross-compiling, remove dependencies on the
-                    ;; `check-for-shared-lib-support' target, which tries to
-                    ;; run the cross-built `gawk'.
-                    ,@(if (%current-target-system)
-                          '((substitute* "extension/Makefile.in"
-                              (("^.*: check-for-shared-lib-support" match)
-                               (string-append "### " match))))
-                          '())))
+                       ;; When cross-compiling, remove dependencies on the
+                       ;; `check-for-shared-lib-support' target, which tries
+                       ;; to run the cross-built `gawk'.
+                       ,@(if (%current-target-system)
+                             '((substitute* "extension/Makefile.in"
+                                 (("^.*: check-for-shared-lib-support" match)
+                                  (string-append "### " match))))
+                             '()))))
+
+                 (add-before 'check 'adjust-test-infrastructure
+                   (lambda _
+                     ;; Remove dependency on 'more' (from util-linux), which
+                     ;; would needlessly complicate bootstrapping.
+                     (substitute* "test/Makefile"
+                       (("\\| more") ""))
+
+                     ;; Adjust the shebang in that file since it is then diff'd
+                     ;; against the actual test output.
+                     (substitute* "test/watchpoint1.ok"
+                       (("#! /usr/bin/gawk")
+                        (string-append "#!" (which "gawk"))))
+                     #t)))))
 
-                %standard-phases)))
    (inputs `(("libsigsegv" ,libsigsegv)
 
              ,@(if (%current-target-system)
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index c961c84fca..bed277b1e0 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,6 +40,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
   #:use-module (guix utils)
+  #:use-module (srfi srfi-1)
   #:use-module (ice-9 regex))
 
 (define %gcc-infrastructure
@@ -328,32 +329,38 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "08yggr18v373a1ihj0rg2vd6psnic42b518xcgp3r9k81xz1xyr2"))
-              (patches (search-patches "gcc-arm-link-spec-fix.patch"))))))
+              (patches (search-patches "gcc-arm-link-spec-fix.patch"))))
+
+    ;; Texinfo 6.3 fails to build the manual:
+    ;;   ../../gcc-4.8.5/gcc/doc/gcc.texi:208: no matching `@end tex'
+    ;; Use an older one.
+    (native-inputs `(("texinfo" ,texinfo-5)))))
 
 (define-public gcc-4.9
-  (package (inherit gcc-4.8)
-    (version "4.9.3")
+  (package (inherit gcc-4.7)
+    (version "4.9.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gcc/gcc-"
                                   version "/gcc-" version ".tar.bz2"))
               (sha256
                (base32
-                "0zmnm00d2a1hsd41g34bhvxzvxisa2l584q3p447bd91lfjv4ci3"))
-              (patches (search-patches "gcc-libvtv-runpath.patch"))))))
+                "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
+              (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-libvtv-runpath.patch"))))))
 
 (define-public gcc-5
   ;; Note: GCC >= 5 ships with .info files but 'make install' fails to install
   ;; them in a VPATH build.
   (package (inherit gcc-4.9)
-    (version "5.3.0")
+    (version "5.4.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gcc/gcc-"
                                   version "/gcc-" version ".tar.bz2"))
               (sha256
                (base32
-                "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"))
+                "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
               (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
 
 (define-public gcc-6
@@ -724,7 +731,8 @@ as the 'native-search-paths' field."
                                        name "-" version ".tar.gz")))
              (sha256
               (base32
-               "13d9cqa5rzhbjq0xf0b2dyxag7pqa72xj9dhsa03m8ccr1a4npq9"))))
+               "13d9cqa5rzhbjq0xf0b2dyxag7pqa72xj9dhsa03m8ccr1a4npq9"))
+             (patches (search-patches "isl-0.11.1-aarch64-support.patch"))))
     (build-system gnu-build-system)
     (inputs `(("gmp" ,gmp)))
     (home-page "http://isl.gforge.inria.fr/")
diff --git a/gnu/packages/gettext.scm b/gnu/packages/gettext.scm
index bf38543178..26ab6777fe 100644
--- a/gnu/packages/gettext.scm
+++ b/gnu/packages/gettext.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Alex Kost <alezost@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,28 +28,23 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (gnu packages docbook)
+  #:use-module (gnu packages emacs)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages tex)
-  #:use-module (gnu packages xml))
+  #:use-module (gnu packages xml)
+  #:use-module (guix utils))
 
-;; Use that name to avoid clashes with Guile's 'gettext' procedure.
-;;
-;; We used to resort to #:renamer on the user side, but that prevented
-;; circular dependencies involving (gnu packages gettext).  This is because
-;; 'resolve-interface' (as of Guile 2.0.9) iterates eagerly over the used
-;; module when there's a #:renamer, and that module may be empty at that point
-;; in case or circular dependencies.
-(define-public gnu-gettext
+(define-public gettext-minimal
   (package
-    (name "gettext")
-    (version "0.19.8")
+    (name "gettext-minimal")
+    (version "0.19.8.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/gettext/gettext-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "13ylc6n3hsk919c7xl0yyibc3pfddzb53avdykn4hmk8g6yzd91x"))))
+               "0hsw28f9q9xaggjlsdp2qmbp2rbd1mp0njzan2ld9kiqwkq2m57z"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of HTML
@@ -90,15 +86,41 @@
        ;; When tests fail, we want to know the details.
        #:make-flags '("VERBOSE=yes")))
     (home-page "http://www.gnu.org/software/gettext/")
-    (synopsis "Tools and documentation for translation")
+    (synopsis
+     "Tools and documentation for translation (used to build other packages)")
     (description
      "GNU Gettext is a package providing a framework for translating the
 textual output of programs into multiple languages.  It provides translators
-with the means to create message catalogs, as well as an Emacs mode to work
-with them, and a runtime library to load translated messages from the
-catalogs.  Nearly all GNU packages use Gettext.")
+with the means to create message catalogs, and a runtime library to load
+translated messages from the catalogs.  Nearly all GNU packages use Gettext.")
     (license gpl3+)))                             ;some files are under GPLv2+
 
+;; Use that name to avoid clashes with Guile's 'gettext' procedure.
+;;
+;; We used to resort to #:renamer on the user side, but that prevented
+;; circular dependencies involving (gnu packages gettext).  This is because
+;; 'resolve-interface' (as of Guile 2.0.9) iterates eagerly over the used
+;; module when there's a #:renamer, and that module may be empty at that point
+;; in case or circular dependencies.
+(define-public gnu-gettext
+  (package
+    (inherit gettext-minimal)
+    (name "gettext")
+    (arguments
+     (substitute-keyword-arguments (package-arguments gettext-minimal)
+       ((#:phases phases)
+        `(modify-phases ,phases
+           (add-after 'install 'add-emacs-autoloads
+             (lambda* (#:key outputs #:allow-other-keys)
+               ;; Make 'po-mode' and other things available by default.
+               (with-directory-excursion
+                   (string-append (assoc-ref outputs "out")
+                                  "/share/emacs/site-lisp")
+                 (symlink "start-po.el" "gettext-autoloads.el")
+                 #t)))))))
+    (native-inputs `(("emacs" ,emacs-minimal))) ; for Emacs tools
+    (synopsis "Tools and documentation for translation")))
+
 (define-public po4a
   (package
     (name "po4a")
@@ -140,7 +162,7 @@ catalogs.  Nearly all GNU packages use Gettext.")
                         (find-files bin "\\.*$"))
               #t))))))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("perl-module-build" ,perl-module-build)
        ("docbook-xsl" ,docbook-xsl)
        ("docbook-xml" ,docbook-xml) ;for tests
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 09b10f7741..87e4d0e3f2 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -127,7 +127,6 @@ printing, and psresize, for adjusting page sizes.")
   (package
    (name "ghostscript")
    (version "9.14.0")
-   (replacement ghostscript/fixed)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
@@ -135,7 +134,12 @@ printing, and psresize, for adjusting page sizes.")
             (sha256
              (base32
               "0q4jj41p0qbr4mgcc9q78f5zs8cm1g57wgryhsm2yq4lfslm3ib1"))
-            (patches (search-patches "ghostscript-CVE-2015-3228.patch"
+            (patches (search-patches "ghostscript-CVE-2013-5653.patch"
+                                     "ghostscript-CVE-2015-3228.patch"
+                                     "ghostscript-CVE-2016-7976.patch"
+                                     "ghostscript-CVE-2016-7978.patch"
+                                     "ghostscript-CVE-2016-7979.patch"
+                                     "ghostscript-CVE-2016-8602.patch"
                                      "ghostscript-runpath.patch"))
             (modules '((guix build utils)))
             (snippet
@@ -183,7 +187,12 @@ printing, and psresize, for adjusting page sizes.")
                             (number->string (parallel-job-count))))))
         (replace 'install
           (lambda _
-            (zero? (system* "make" "soinstall")))))))
+            (zero? (system* "make" "soinstall"))))
+        (add-after 'install 'create-gs-symlink
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              ;; some programs depend on having a 'gs' binary available
+              (symlink "gsc" (string-append out "/bin/gs"))))))))
    (synopsis "PostScript and PDF interpreter")
    (description
     "Ghostscript is an interpreter for the PostScript language and the PDF
@@ -193,61 +202,13 @@ output file formats and printers.")
    (license license:agpl3+)
    (home-page "http://www.gnu.org/software/ghostscript/")))
 
-(define ghostscript/fixed
-  (package
-    (inherit ghostscript)
-    (replacement #f)  ; Prevent ghostscript/x from inheriting the replacement
-    (source (origin
-              (inherit (package-source ghostscript))
-              (patches (search-patches "ghostscript-CVE-2013-5653.patch"
-                                       "ghostscript-CVE-2015-3228.patch"
-                                       "ghostscript-CVE-2016-7976.patch"
-                                       "ghostscript-CVE-2016-7978.patch"
-                                       "ghostscript-CVE-2016-7979.patch"
-                                       "ghostscript-CVE-2016-8602.patch"
-                                       "ghostscript-runpath.patch"))))))
-
 (define-public ghostscript/x
-  (package (inherit ghostscript/fixed)
+  (package (inherit ghostscript)
     (name (string-append (package-name ghostscript) "-with-x"))
     (inputs `(("libxext" ,libxext)
               ("libxt" ,libxt)
               ,@(package-inputs ghostscript)))))
 
-(define (ghostscript-wrapper name ghostscript)
-  ;; Return a GHOSTSCRIPT wrapper that provides the 'gs' command.
-  ;; See <https://lists.gnu.org/archive/html/guix-devel/2016-07/msg00987.html>.
-  (package
-    (name name)
-    (version (package-version ghostscript))
-    (source #f)
-    (build-system trivial-build-system)
-    (inputs `(("ghostscript" ,ghostscript)))
-    (arguments
-     `(#:modules ((guix build utils))
-       #:builder (begin
-                   (use-modules (guix build utils))
-
-                   (let* ((out (assoc-ref %outputs "out"))
-                          (bin (string-append out "/bin"))
-                          (gs  (assoc-ref %build-inputs "ghostscript")))
-                     (mkdir-p bin)
-                     (with-directory-excursion bin
-                       (symlink (string-append gs "/bin/gsc") "gs")
-                       #t)))))
-    (synopsis "Wrapper providing Ghostscript's 'gs' command")
-    (description
-     "This package provides the @command{gs} command, which used to be
-provided by Ghostscript itself and no longer is.")
-    (license (package-license ghostscript))
-    (home-page (package-home-page ghostscript))))
-
-(define-public ghostscript-gs
-  (ghostscript-wrapper "ghostscript-gs" ghostscript))
-
-(define-public ghostscript-gs/x
-  (ghostscript-wrapper "ghostscript-gs-with-x" ghostscript/x))
-
 (define-public ijs
   (package
    (name "ijs")
diff --git a/gnu/packages/gkrellm.scm b/gnu/packages/gkrellm.scm
index ed83186ae8..68853eb8fc 100644
--- a/gnu/packages/gkrellm.scm
+++ b/gnu/packages/gkrellm.scm
@@ -41,7 +41,7 @@
         "12rc6zaa7kb60b9744lbrlfkxxfniprm6x0mispv63h4kh75navh"))))
     (build-system gnu-build-system)
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("gtk+" ,gtk+-2)
        ("libice" ,libice)
        ("libsm" ,libsm)))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index a4ec3a3536..ee56998da7 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -195,7 +195,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "11.0.9")
+    (version "12.0.1")
     (source
       (origin
         (method url-fetch)
@@ -203,44 +203,50 @@ also known as DXTn or DXTC) for Mesa.")
                             version "/mesa-" version ".tar.xz"))
         (sha256
          (base32
-          "009b3nq8ly5nzy9cxi9cxf4qasrhggjz0v0q87rwq5kaqvqjy9m1"))))
+          "12b3i59xdn2in2hchrkgh4fwij8zhznibx976l3pdj3qkyvlzcms"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("glproto" ,glproto)
         ;; The following are in the Requires.private field of gl.pc.
         ("libdrm" ,libdrm)
+        ("libvdpau" ,libvdpau)
         ("libx11" ,libx11)
         ("libxdamage" ,libxdamage)
         ("libxfixes" ,libxfixes)
         ("libxshmfence" ,libxshmfence)
         ("libxxf86vm" ,libxxf86vm)))
-    ;; TODO: Add vdpau.
     (inputs
-      `(("udev" ,eudev)
+      `(("expat" ,expat)
         ("dri2proto" ,dri2proto)
         ("dri3proto" ,dri3proto)
-        ("presentproto" ,presentproto)
-        ("expat" ,expat)
         ("libva" ,(force libva-without-mesa))
         ("libxml2" ,libxml2)
         ;; TODO: Add 'libxml2-python' for OpenGL ES 1.1 and 2.0 support
         ("libxvmc" ,libxvmc)
         ("makedepend" ,makedepend)
-        ("s2tc" ,s2tc)))
+        ("presentproto" ,presentproto)
+        ("s2tc" ,s2tc)
+        ("udev" ,eudev)
+        ("wayland" ,wayland)))
     (native-inputs
-      `(("pkg-config" ,pkg-config)))
+      `(("pkg-config" ,pkg-config)
+        ("python" ,python-2)))
     (arguments
      `(#:configure-flags
        '(;; drop r300 from default gallium drivers, as it requires llvm
-         "--with-gallium-drivers=r600,svga,swrast,nouveau"
+         "--with-gallium-drivers=r600,svga,swrast,nouveau,virgl"
          ;; Enable various optional features.  TODO: opencl requires libclc,
          ;; omx requires libomxil-bellagio
-         "--with-egl-platforms=x11,drm"
+         "--with-egl-platforms=x11,drm,wayland"
          "--enable-glx-tls"        ;Thread Local Storage, improves performance
          ;; "--enable-opencl"
          ;; "--enable-omx"
          "--enable-osmesa"
          "--enable-xa"
+         ;; features required by wayland
+         "--enable-gles2"
+         "--enable-gbm"
+         "--enable-shared-glapi"
 
          ;; on non-intel systems, drop i915 and i965
          ;; from the default dri drivers
@@ -249,41 +255,44 @@ also known as DXTn or DXTC) for Mesa.")
               '())
              (_
               '("--with-dri-drivers=nouveau,r200,radeon,swrast"))))
-       #:phases (alist-cons-after
-                 'unpack 'patch-create_test_cases
-                 (lambda _
-                   (substitute* "src/glsl/tests/lower_jumps/create_test_cases.py"
-                     (("/usr/bin/env bash") (which "bash"))))
-                 (alist-cons-before
-                  'build 'fix-dlopen-libnames
-                  (lambda* (#:key inputs outputs #:allow-other-keys)
-                    (let ((s2tc (assoc-ref inputs "s2tc"))
-                          (udev (assoc-ref inputs "udev"))
-                          (out (assoc-ref outputs "out")))
-                      ;; Remain agnostic to .so.X.Y.Z versions while doing
-                      ;; the substitutions so we're future-safe.
-                      (substitute*
-                          '("src/gallium/auxiliary/util/u_format_s3tc.c"
-                            "src/mesa/main/texcompress_s3tc.c")
-                        (("\"libtxc_dxtn\\.so")
-                         (string-append "\"" s2tc "/lib/libtxc_dxtn.so")))
-                      (substitute* "src/loader/loader.c"
-                        (("udev_handle = dlopen\\(name")
-                         (string-append "udev_handle = dlopen(\""
-                                        udev "/lib/libudev.so\"")))
-                      (substitute* "src/glx/dri_common.c"
-                        (("dlopen\\(\"libGL\\.so")
-                         (string-append "dlopen(\"" out "/lib/libGL.so")))
-                      (substitute* "src/egl/drivers/dri2/egl_dri2.c"
-                        (("\"libglapi\\.so")
-                         (string-append "\"" out "/lib/libglapi.so")))
-                      (substitute* "src/gbm/main/backend.c"
-                        ;; No need to patch the gbm_gallium_drm.so reference;
-                        ;; it's never installed since Mesa removed its
-                        ;; egl_gallium support.
-                        (("\"gbm_dri\\.so")
-                         (string-append "\"" out "/lib/dri/gbm_dri.so")))))
-                  %standard-phases))))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after
+           'unpack 'patch-create_test_cases
+           (lambda _
+             (substitute* "src/compiler/glsl/tests/lower_jumps/create_test_cases.py"
+               (("/usr/bin/env bash") (which "bash")))
+             (substitute* "src/intel/genxml/gen_pack_header.py"
+               (("/usr/bin/env python2") (which "python")))))
+         (add-before
+           'build 'fix-dlopen-libnames
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((s2tc (assoc-ref inputs "s2tc"))
+                   (udev (assoc-ref inputs "udev"))
+                   (out (assoc-ref outputs "out")))
+               ;; Remain agnostic to .so.X.Y.Z versions while doing
+               ;; the substitutions so we're future-safe.
+               (substitute*
+                   '("src/gallium/auxiliary/util/u_format_s3tc.c"
+                     "src/mesa/main/texcompress_s3tc.c")
+                 (("\"libtxc_dxtn\\.so")
+                  (string-append "\"" s2tc "/lib/libtxc_dxtn.so")))
+               (substitute* "src/loader/loader.c"
+                 (("udev_handle = dlopen\\(name")
+                  (string-append "udev_handle = dlopen(\""
+                                 udev "/lib/libudev.so\"")))
+               (substitute* "src/glx/dri_common.c"
+                 (("dlopen\\(\"libGL\\.so")
+                  (string-append "dlopen(\"" out "/lib/libGL.so")))
+               (substitute* "src/egl/drivers/dri2/egl_dri2.c"
+                 (("\"libglapi\\.so")
+                  (string-append "\"" out "/lib/libglapi.so")))
+               (substitute* "src/gbm/main/backend.c"
+                 ;; No need to patch the gbm_gallium_drm.so reference;
+                 ;; it's never installed since Mesa removed its
+                 ;; egl_gallium support.
+                 (("\"gbm_dri\\.so")
+                  (string-append "\"" out "/lib/dri/gbm_dri.so")))))))))
     (home-page "http://mesa3d.org/")
     (synopsis "OpenGL implementation")
     (description "Mesa is a free implementation of the OpenGL specification -
@@ -459,32 +468,32 @@ OpenGL graphics API.")
                 "1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037"))))
     (arguments
      `(#:phases
-       (alist-cons-after
-        'unpack 'autoreconf
-        (lambda _
-          (zero? (system* "autoreconf" "-vif")))
-        (alist-cons-before
-         'configure 'patch-paths
-         (lambda* (#:key inputs #:allow-other-keys)
-           (let ((python (assoc-ref inputs "python"))
-                 (mesa (assoc-ref inputs "mesa")))
-             (substitute* "src/gen_dispatch.py"
-               (("/usr/bin/env python") python))
-             (substitute* (find-files "." "\\.[ch]$")
-               (("libGL.so.1") (string-append mesa "/lib/libGL.so.1"))
-               (("libEGL.so.1") (string-append mesa "/lib/libEGL.so.1")))
+       (modify-phases %standard-phases
+         (add-after
+           'unpack 'autoreconf
+           (lambda _
+             (zero? (system* "autoreconf" "-vif"))))
+         (add-before
+           'configure 'patch-paths
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((python (assoc-ref inputs "python"))
+                   (mesa (assoc-ref inputs "mesa")))
+               (substitute* "src/gen_dispatch.py"
+                 (("/usr/bin/env python") python))
+               (substitute* (find-files "." "\\.[ch]$")
+                 (("libGL.so.1") (string-append mesa "/lib/libGL.so.1"))
+                 (("libEGL.so.1") (string-append mesa "/lib/libEGL.so.1")))
 
-             ;; XXX On armhf systems, we must add "GLIBC_2.4" to the list of
-             ;; versions in test/dlwrap.c:dlwrap_real_dlsym.  It would be
-             ;; better to make this a normal patch, but for now we do it here
-             ;; to prevent rebuilding on other platforms.
-             ,@(if (string-prefix? "arm" (or (%current-target-system)
-                                             (%current-system)))
-                   '((substitute* '"test/dlwrap.c"
-                       (("\"GLIBC_2\\.0\"") "\"GLIBC_2.0\", \"GLIBC_2.4\"")))
-                   '())
-             #t))
-         %standard-phases))))
+               ;; XXX On armhf systems, we must add "GLIBC_2.4" to the list of
+               ;; versions in test/dlwrap.c:dlwrap_real_dlsym.  It would be
+               ;; better to make this a normal patch, but for now we do it here
+               ;; to prevent rebuilding on other platforms.
+               ,@(if (string-prefix? "arm" (or (%current-target-system)
+                                               (%current-system)))
+                     '((substitute* '"test/dlwrap.c"
+                         (("\"GLIBC_2\\.0\"") "\"GLIBC_2.0\", \"GLIBC_2.4\"")))
+                     '())
+               #t))))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,autoconf)
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 802c809c26..9a1459ab09 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -65,7 +65,7 @@
   (package
     (name "dbus")
     (replacement dbus-1.10.12)
-    (version "1.10.8")
+    (version "1.10.10")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -73,7 +73,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "0560y3hxpgh346w6avcrcz79c8ansmn771y5xpcvvlr6m8mx5wxs"))
+                "0hwsfczhx2djmc9116vj5v230i7gpjihwh3vbljs1ldlk831v3wx"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -139,6 +139,7 @@ shared NFS home directories.")
     (source
       (let ((version "1.10.12"))
         (origin
+          (method url-fetch)
           (inherit (package-source dbus))
           (uri (string-append
                 "https://dbus.freedesktop.org/releases/dbus/dbus-"
@@ -150,7 +151,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.48.0")
+   (version "2.48.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -158,7 +159,7 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0d3w2hblrw7vvpx60l1kbvb830ygn3v8zhwdz65cc5593j9ycjvl"))
+              "1x6kwrk1zyd3csv0ca3pmwc4bnkc33agn95cds15h6nbi4apappj"))
             (patches (search-patches "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
@@ -172,7 +173,7 @@ shared NFS home directories.")
       ("zlib" ,zlib)
       ("tzdata" ,tzdata)))     ; for tests/gdatetime.c
    (native-inputs
-    `(("gettext" ,gnu-gettext)
+    `(("gettext" ,gettext-minimal)
       ("dbus" ,dbus)                              ; for GDBus tests
       ("pkg-config" ,pkg-config)
       ("python" ,python-wrapper)
@@ -362,7 +363,7 @@ bindings to call into the C library.")
     (propagated-inputs
      `(;; Propagate gettext because users expect it to be there, and so does
        ;; the `intltool-update' script.
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
 
        ("perl-xml-parser" ,perl-xml-parser)
        ("perl" ,perl)))
@@ -443,7 +444,7 @@ translated.")
 (define dbus-glib
   (package
     (name "dbus-glib")
-    (version "0.104")
+    (version "0.106")
     (source (origin
              (method url-fetch)
              (uri
@@ -451,7 +452,7 @@ translated.")
                              version ".tar.gz"))
              (sha256
               (base32
-               "1xi1v1msz75qs0s4lkyf1psrksdppa3hwkg0mznc6gpw5flg3hdz"))))
+               "0in0i6v68ixcy0ip28i84hdczf10ykq9x682qgcvls6gdmq552dk"))))
     (build-system gnu-build-system)
     (propagated-inputs ; according to dbus-glib-1.pc
      `(("dbus" ,dbus)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 52d6cd4c82..a45f6589ac 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -243,7 +243,7 @@ commonly used macros.")
 (define-public gnome-desktop
   (package
     (name "gnome-desktop")
-    (version "3.20.1")
+    (version "3.20.2")
     (source
      (origin
       (method url-fetch)
@@ -252,7 +252,7 @@ commonly used macros.")
                           name "-" version ".tar.xz"))
       (sha256
        (base32
-        "0h6185lmkaf49dr43pb6gsb9yi25rc32n7dq5186hwln38mppb3f"))))
+        "1cp2c6q1ybirfq6rqyfj5lr5vyqdizy730bfg5jqnflcmakjsb29"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
@@ -465,7 +465,7 @@ forgotten when the session ends.")
 (define-public evince
   (package
     (name "evince")
-    (version "3.20.0")
+    (version "3.20.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/" name "/"
@@ -473,7 +473,7 @@ forgotten when the session ends.")
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
-               "1052lm4i5qq27sgk6ck5xc1cxh0qx4zzhifjhmzjlv38afj5i0yg"))))
+               "0m80s98k4i463dclpyk01fqb91cawbb6vvcz5vq2974k6qqc4ypw"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      `(#:configure-flags '("--disable-nautilus")
@@ -481,7 +481,15 @@ forgotten when the session ends.")
        ;; FIXME: Tests fail with:
        ;;   ImportError: No module named gi.repository
        ;; Where should that module come from?
-       #:tests? #f))
+       #:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'install 'skip-gtk-update-icon-cache
+           ;; Don't create 'icon-theme.cache'.
+           (lambda _
+             (substitute* "data/Makefile"
+               (("gtk-update-icon-cache") "true"))
+             #t)))))
     (inputs
      `(("libspectre" ,libspectre)
        ("djvulibre" ,djvulibre)
@@ -638,9 +646,14 @@ update-desktop-database: updates the database containing a cache of MIME types
        (base32
         "0fjh9qmmgj34zlgxb09231ld7khys562qxbpsjlaplq2j85p57im"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags
+       ;; Don't create 'icon-theme.cache'.
+       (let* ((coreutils (assoc-ref %build-inputs "coreutils"))
+              (true      (string-append coreutils "/bin/true")))
+         (list (string-append "GTK_UPDATE_ICON_CACHE=" true)))))
     (native-inputs
-     `(("gtk+" ,gtk+) ; for gtk-update-icon-cache
-       ("icon-naming-utils" ,icon-naming-utils)
+     `(("icon-naming-utils" ,icon-naming-utils)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)))
     (home-page "http://art.gnome.org/")
@@ -662,7 +675,9 @@ update-desktop-database: updates the database containing a cache of MIME types
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0ddfwwqx8s63qbqimmbb015lqsab4s0rvy1j81jdsh7k95rqh2ks"))))))
+                "0ddfwwqx8s63qbqimmbb015lqsab4s0rvy1j81jdsh7k95rqh2ks"))))
+    (native-inputs
+     `(("gtk-encode-symbolic-svg" ,gtk+ "bin")))))
 
 (define-public shared-mime-info
   (package
@@ -890,7 +905,7 @@ XML/CSS rendering engine.")
 (define-public libgsf
   (package
     (name "libgsf")
-    (version "1.14.36")
+    (version "1.14.40")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -898,7 +913,7 @@ XML/CSS rendering engine.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0h19ssxzz0cmznwga2xy55kjibm24mwxqarnpd0w7xy0hrzm1dvi"))))
+                "1q2i5p9s5zw0y0502risykrzkfma7p24n3mmh244scjy9f4kh1im"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("intltool" ,intltool)
@@ -923,7 +938,7 @@ dealing with different structured file formats.")
 (define-public librsvg
   (package
     (name "librsvg")
-    (version "2.40.15")
+    (version "2.40.16")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -931,7 +946,7 @@ dealing with different structured file formats.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1x05vd2llpmskq3prkp7kbpmshmpp9whj4kfl99ybipf4fhw9jnr"))))
+                "0bpz6gsq8xi1pb5k9ax6vinph460v14znch3y5yz167s0dmwz2yl"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -1478,14 +1493,14 @@ controls using the Bonobo component framework.")
 (define-public libwnck
   (package
     (name "libwnck")
-    (version "3.14.1")
+    (version "3.20.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
                                   (version-major+minor version) "/"
                                   name "-" version ".tar.xz"))
               (sha256
-               (base32 "1ymya8gkjygvg0i901wr3q6ihfqxx5yf4g4pb6fag2iw8af3qr5v"))))
+               (base32 "0wms3hli6y0b9l3cszq6maqi6fyy6kss9gryvzgmhw27phb3gc0w"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -1524,14 +1539,14 @@ Hints specification (EWMH).")
 (define-public goffice
   (package
     (name "goffice")
-    (version "0.10.28")
+    (version "0.10.32")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
                                   (version-major+minor version)  "/"
                                   name "-" version ".tar.xz"))
               (sha256
-               (base32 "12rsgxrixkfpk420gv026i74pnlgqjzsvm6vffrmih54w46hd3q6"))))
+               (base32 "1hvs5558x98yzm43dc3f93v596x45lfmv1vkp4jjgfagynlpvcq2"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;4.1 MiB of gtk-doc
@@ -1589,7 +1604,7 @@ Hints specification (EWMH).")
 (define-public gnumeric
   (package
     (name "gnumeric")
-    (version "1.12.31")
+    (version "1.12.32")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1597,7 +1612,7 @@ Hints specification (EWMH).")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1rvadlgikklwb6rccqc3rlhqv3m9qx27rchm7znxr062fn7fgb68"))))
+                "1s3dxvdwzmppsp2dfg90rccilf4hknhwjdy7lazr9sys58zchyx0"))))
     (build-system gnu-build-system)
     (arguments
      `(;; The gnumeric developers don't worry much about failing tests.
@@ -1648,7 +1663,7 @@ engineering.")
 (define-public gnome-themes-standard
   (package
     (name "gnome-themes-standard")
-    (version "3.20")
+    (version "3.20.2")
     (source
      (origin
        (method url-fetch)
@@ -1657,8 +1672,14 @@ engineering.")
                            version ".tar.xz"))
        (sha256
         (base32
-         "1p1vvmzfky1ax3yv9ld10xgqwydhmglxpgq3skrfc4539nrq9phw"))))
+         "05br99z67f82i18nljpxnwssfnaqp7mph61w3hq0i44z5i5rq3cx"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags
+       ;; Don't create 'icon-theme.cache'.
+       (let* ((coreutils (assoc-ref %build-inputs "coreutils"))
+              (true      (string-append coreutils "/bin/true")))
+         (list (string-append "GTK_UPDATE_ICON_CACHE=" true)))))
     (inputs
      `(("gtk+" ,gtk+)
        ("gtk+-2" ,gtk+-2)
@@ -1714,7 +1735,7 @@ passwords in the GNOME keyring.")
 (define-public vala
   (package
     (name "vala")
-    (version "0.32.0")
+    (version "0.32.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1722,7 +1743,7 @@ passwords in the GNOME keyring.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0vpvq403vdd25irvgk7zibz3nw4x4i17m0dgnns8j1q4vr7am8h7"))))
+                "1ab1l44abf9fj1wznzq5956431ia136rl5049cggnk5393jlf3fx"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -1756,7 +1777,7 @@ libraries written in C.")
 (define-public vte
   (package
     (name "vte")
-    (version "0.44.1")
+    (version "0.44.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1764,7 +1785,7 @@ libraries written in C.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0kjxzqcwqxky0l7bl8ydn9hl6fm1f0k2pl91wbbhyq4z6d4dabbi"))))
+                "0j899ccrkzh7208w29c835m1yms0cas5cxkck8x6l4xv2i45ksm1"))))
     (build-system gnu-build-system)
     (arguments
      ;; XXX: fails to compile tests with the default flags.
@@ -1930,7 +1951,7 @@ configuration storage systems.")
 (define-public json-glib
   (package
     (name "json-glib")
-    (version "1.2.0")
+    (version "1.2.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1938,7 +1959,7 @@ configuration storage systems.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1lx7p1c7cl21byvfgw92n8dhm09vi6qxrs0zkx9dg3y096zdzmlr"))
+                "08d6449sgnwfh92x8rhwsm03g8frv0mvp3s4wl3cskw25asql4pa"))
               (modules '((guix build utils)))
               (snippet
                ;; Don't duplicate test names.
@@ -2037,7 +2058,7 @@ library.")
 (define-public glib-networking
   (package
     (name "glib-networking")
-    (version "2.48.1")
+    (version "2.48.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/glib-networking/"
@@ -2045,7 +2066,7 @@ library.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0jm4pr91kbq7rcyll08840zkagb9vfhhm2ymyrd1q0b0k2mj76fg"))
+                "111spcar6wbp6m0rdxzjscc7vfqx5nawscrfbxlvbf5jsr4hqp4j"))
               (patches
                (search-patches "glib-networking-ssl-cert-file.patch"))))
     (build-system gnu-build-system)
@@ -2237,7 +2258,7 @@ and other secrets.  It communicates with the \"Secret Service\" using DBus.")
 (define-public gnome-mines
   (package
     (name "gnome-mines")
-    (version "3.20.0")
+    (version "3.20.1")
     (source
      (origin
        (method url-fetch)
@@ -2246,7 +2267,7 @@ and other secrets.  It communicates with the \"Secret Service\" using DBus.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "19khp4ckqbdgk6828gprxy52fsg8klf957dnwsin75nskk8whxbp"))))
+         "0frb1r0f55giz7yqxl9920vvzqlirdivz54ygc9d85r8v63fh5aq"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:phases
@@ -2274,7 +2295,7 @@ floating in an ocean using only your brain and a little bit of luck.")
 (define-public gnome-sudoku
   (package
     (name "gnome-sudoku")
-    (version "3.20.0")
+    (version "3.20.5")
     (source
      (origin
        (method url-fetch)
@@ -2283,7 +2304,7 @@ floating in an ocean using only your brain and a little bit of luck.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "1n8hp3pl56p9s0c5kldk11zg1vg7ykhgn3ndp8nf375h1q49ldh8"))))
+         "166bbv5k50v7pjp3wbl2rmxcmv1adwr14hxg5rw2ws8kams8151k"))))
     (build-system glib-or-gtk-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -2309,7 +2330,7 @@ more fun.")
 (define-public gnome-terminal
   (package
     (name "gnome-terminal")
-    (version "3.20.1")
+    (version "3.20.2")
     (source
      (origin
        (method url-fetch)
@@ -2318,7 +2339,7 @@ more fun.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "1508nm35znlfq9v1s2j4ypx5x608yq391c565b4hazxk2f5z9dwq"))))
+         "08ssch8h1y85wyhddkyr7ab4v8dnsn17z4ayyc5ff78gfdh30f7m"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:configure-flags
@@ -2560,7 +2581,7 @@ service via the system message bus.")
 (define-public libgweather
   (package
     (name "libgweather")
-    (version "3.20.0")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -2568,7 +2589,7 @@ service via the system message bus.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1mmqg7wf0bhk450akyj0x71x75kh1v7j68isyivr75ydky79nqjj"))))
+                "15ycgvdvika57rhnb46j6pj1907nj5y5nyy7sgj0yvpjbqsiskzp"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -2701,7 +2722,7 @@ playlists in a variety of formats.")
 (define-public aisleriot
   (package
     (name "aisleriot")
-    (version "3.20.1")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -2709,7 +2730,7 @@ playlists in a variety of formats.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1nipky336jj81mhm8wwxp96zilgcrarihf95dnyj3r1pw8kpg7gy"))))
+                "0vhpi7bzm4gbraky1d3ma26rbwnylcqdakav82j67bpqd7f6n0v2"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:configure-flags
@@ -3048,7 +3069,7 @@ GNOME Games, but it may be used by others.")
 (define-public gnome-klotski
   (package
     (name "gnome-klotski")
-    (version "3.20.1")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -3056,7 +3077,7 @@ GNOME Games, but it may be used by others.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1130v6sk9h74b3xgv0bq43anaw7xs9x8vdab3q7p9db6w0px02wj"))))
+                "14w40a1gjlg4l1vhcy0qcf3scmwm2v3vhxnxj269pfqlv8s7alaw"))))
     (build-system glib-or-gtk-build-system)
     (native-inputs
      `(("desktop-file-utils" ,desktop-file-utils)
@@ -3352,7 +3373,7 @@ supports playlists, song ratings, and any codecs installed through gstreamer.")
 (define-public eog
  (package
    (name "eog")
-   (version "3.20.1")
+   (version "3.20.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -3360,7 +3381,7 @@ supports playlists, song ratings, and any codecs installed through gstreamer.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0ll3vz1kyjagiqmrpypk1a4nwjhrjsapiz45bxblsjxjy641j0jg"))))
+              "1qsv3brhi8l8fr22nd3d0fwq5xhwspqw0bammhkkq3ga0z6791wn"))))
    (build-system glib-or-gtk-build-system)
    (arguments
     `(#:phases
@@ -3547,7 +3568,7 @@ USB transfers with your high-level application or system daemon.")
        ("gusb" ,gusb)
        ("libsane" ,sane-backends)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("itstool" ,itstool)
        ("colord" ,colord)
        ("glib" ,glib "bin")                       ; glib-compile-schemas, etc.
@@ -3856,7 +3877,7 @@ metadata in photo and video files of various formats.")
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("itstool" ,itstool)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("itstool" ,itstool)
        ("vala" ,vala)))
     (inputs
@@ -3895,6 +3916,15 @@ share them with others via social networking and more.")
                (base32
                 "1sa46vjx78d670m6bikpibgz39a5zb6ri8yjmj632lmxqvj2sp3b"))))
     (build-system glib-or-gtk-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-before 'install 'skip-gtk-update-icon-cache
+           (lambda _
+             ;; Don't create 'icon-theme.cache'
+             (substitute* (find-files "data" "^Makefile$")
+               (("gtk-update-icon-cache") (which "true")))
+             #t)))))
     (native-inputs
      `(("intltool" ,intltool)
        ("pkg-config" ,pkg-config)))
@@ -4050,7 +4080,7 @@ javascript engine and the GObject introspection framework.")
 (define-public gedit
   (package
     (name "gedit")
-    (version "3.20.1")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4058,7 +4088,7 @@ javascript engine and the GObject introspection framework.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1i0x1jd9x1vpv8lwdlzwf0ml8jxh3b3l6nlg6pbnfjw47w3y6iws"))))
+                "1y330hanqfld3kssf77wfphah2qpfg17pa109spsbm50f5m2g89j"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      `(#:configure-flags '("--disable-spell") ; XXX: gspell not packaged yet
@@ -4121,7 +4151,7 @@ powerful general purpose text editor.")
                 "0j2sy6imwp41l75hy3fwr68n35drvanbwgmr42kc04zqjy9pbs02"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("itstool" ,itstool)
        ("pkg-config" ,pkg-config)))
     (inputs
@@ -4137,7 +4167,7 @@ to display dialog boxes from the commandline and shell scripts.")
 (define-public mutter
   (package
     (name "mutter")
-    (version "3.20.1")
+    (version "3.20.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4145,7 +4175,7 @@ to display dialog boxes from the commandline and shell scripts.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0752vkkmaaay8ziczqrf7z3735bq3brx2djw36arqsdhwawh6jba"))))
+                "05pr78vgq52bkkqpbfnp9mxw14ij2wk91l2yfa69dpjbvxqm4b0l"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -4187,7 +4217,7 @@ window manager.")
 (define-public gnome-online-accounts
   (package
     (name "gnome-online-accounts")
-    (version "3.20.1")
+    (version "3.20.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4195,7 +4225,7 @@ window manager.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "14qcih1g136sn2aklzagv83jl82d3qc598rkdm8zac9gw70ynyn3"))))
+                "0ip0q539bik3wqwl867rjc63w2d5rjyvbqzwczkard70yd6c0kq9"))))
     (build-system glib-or-gtk-build-system)
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for glib-compile-schemas, etc.
@@ -4225,7 +4255,7 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.")
 (define-public evolution-data-server
   (package
     (name "evolution-data-server")
-    (version "3.20.1")
+    (version "3.20.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4233,7 +4263,7 @@ Exchange, Last.fm, IMAP/SMTP, Jabber, SIP and Kerberos.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0lsbhzacr2bs90z8sx44vf403r0h2yqsy4l2svrh5hjnassgdyqx"))))
+                "0zmybf63y0d5zn48q3xjgkh2p2c3ka9xvzd6labp96bd6b6qc58d"))))
     (build-system gnu-build-system)
     (arguments
      '(;; XXX: fails with:
@@ -4289,7 +4319,7 @@ Evolution (hence the name), but is now used by other packages as well.")
 (define-public caribou
   (package
     (name "caribou")
-    (version "0.4.20")
+    (version "0.4.21")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4297,7 +4327,7 @@ Evolution (hence the name), but is now used by other packages as well.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1nahpfs5ap9f9wsvn93kg8isqffk60v785f1q6k64awcd7an8ris"))))
+                "0mfychh1q3dx0b96pjz9a9y112bm9yqyim40yykzxx1hppsdjhww"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:phases
@@ -4472,7 +4502,7 @@ services.")
 (define-public network-manager-applet
   (package
     (name "network-manager-applet")
-    (version "1.2.0")
+    (version "1.2.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4480,7 +4510,7 @@ services.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0dhvk3dvy6djn6blpkv46dn6yfh28wsh6mpl0v53qxfip97j8kwk"))))
+                "0ym31m55hj65mmbq2yihy49z5x5z1qpx7jalk64kwx1rr5b2kxyz"))))
     (build-system glib-or-gtk-build-system)
     (arguments '(#:configure-flags '("--disable-migration")))
     (native-inputs
@@ -4608,7 +4638,7 @@ providing graphical log-ins and managing local and remote displays.")
 (define-public libgtop
   (package
     (name "libgtop")
-    (version "2.34.0")
+    (version "2.34.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4616,7 +4646,7 @@ providing graphical log-ins and managing local and remote displays.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0apfnh9k6vmbdm8ms5wxyhagrrl8r88fv48k7q5qq70df2gf72ld"))))
+                "1qh9srg8pqmrsl12mwnclncs7agmjjvx3q6v5qwqvcb2cskpi6f8"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("gobject-introspection" ,gobject-introspection)
@@ -4635,7 +4665,7 @@ usage and information about running processes.")
 (define-public gnome-bluetooth
   (package
     (name "gnome-bluetooth")
-    (version "3.18.3")
+    (version "3.20.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4643,7 +4673,7 @@ usage and information about running processes.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1qwc9q7x22sc71zhqv4db78rqzxl6fqfw6d978ydqap54c2bg0g4"))))
+                "0lzbwk2kn7kp39sv5bf4ja92mfkxkc27gxxk8k86i8a8ncbcmcwk"))))
     (build-system glib-or-gtk-build-system)
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for gdbus-codegen, etc.
@@ -4738,7 +4768,7 @@ properties, screen resolution, and other GNOME parameters.")
 (define-public gnome-shell
   (package
     (name "gnome-shell")
-    (version "3.20.1")
+    (version "3.20.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4746,7 +4776,7 @@ properties, screen resolution, and other GNOME parameters.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "08cgbr15cim3rgcngrv98rm48pkdxwj4nqx5za1lsnv376m4x5bs"))))
+                "0kd9y847pw9v3zl0g52ly7xdcjz0b9v37aqmi19iddfkxjjyn4qc"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:phases
@@ -4820,7 +4850,7 @@ like switching to windows and launching applications.")
 (define-public gtk-vnc
   (package
     (name "gtk-vnc")
-    (version "0.5.4")
+    (version "0.6.0")
     (source
      (origin
        (method url-fetch)
@@ -4829,7 +4859,7 @@ like switching to windows and launching applications.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "1rwwdh7lb16xdmy76ca6mpqfc3zfl3a4bkcr0qb6hs6ffrxak2j8"))))
+         "0cq42dghjp4bhsxlj9hd2nz5s5rhd53fx7snmq6i6kg60n438ncm"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--with-gtk=3.0")))
@@ -4858,7 +4888,7 @@ as SASL, TLS and VeNCrypt.  Additionally it supports encoding extensions.")
 (define-public nautilus
   (package
     (name "nautilus")
-    (version "3.20.1")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -4866,7 +4896,7 @@ as SASL, TLS and VeNCrypt.  Additionally it supports encoding extensions.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1s41bsihacs7cywm60vqgv46m22gmga4b0bwxnki4r02jjwhgagj"))))
+                "1bnalv0ljdjzqzvh3rfyg7r4z8vdbq1gdard5q68riqdi2dnfvld"))))
     (build-system glib-or-gtk-build-system)
     (arguments
      '(#:configure-flags
@@ -4994,7 +5024,7 @@ beautifying border effects.")
 (define-public dconf-editor
   (package
     (name "dconf-editor")
-    (version "3.20.1")
+    (version "3.20.3")
     (source
      (origin
        (method url-fetch)
@@ -5003,8 +5033,17 @@ beautifying border effects.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "0pfpmvpv57a01nsd1fah3np33avihm5ic43fi6b60dyw6c5z953p"))))
+         "0yf553bd9l030shhs0jkl5gvkzkfxbxxm56xv0l0nmbplaci8wm8"))))
     (build-system glib-or-gtk-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-before 'install 'skip-gtk-update-icon-cache
+           (lambda _
+             ;; Don't create 'icon-theme.cache'.
+             (substitute* "editor/Makefile"
+               (("gtk-update-icon-cache") "true"))
+             #t)))))
     (native-inputs
      `(("glib:bin" ,glib "bin") ; for glib-compile-schemas, gio-2.0.
        ("intltool" ,intltool)
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 5fcc03a222..dd75ea5c34 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -52,7 +52,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.22")
+    (version "1.24")
     (source
      (origin
       (method url-fetch)
@@ -60,7 +60,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0ywxwswizmkyciy480kzczxn6nhbgzf3z8my4nk43nvv67k4x87j"))))
+        "0h75sf1ngr750c3fjfn4583q7wz40qm63jhg8vjfdrbx936f2s4j"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -76,15 +76,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (replacement libgcrypt-1.7.3)
-    (version "1.7.0")
+    (version "1.7.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "14pspxwrqcgfklw3dgmywbxqwdzcym7fznfrqh9rk4vl8jkpxrmh"))))
+               "0wbh6fq5zi9wg2xcfvfpwh7dv52jihivx1vm4h91c2kx0w8n3b6x"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
@@ -110,22 +109,9 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define libgcrypt-1.7.3
-  (package
-    (inherit libgcrypt)
-    (version "1.7.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "0wbh6fq5zi9wg2xcfvfpwh7dv52jihivx1vm4h91c2kx0w8n3b6x"))))))
-
 (define-public libgcrypt-1.5
   (package (inherit libgcrypt)
-    (replacement libgcrypt-1.5.6)
-    (version "1.5.4")
+    (version "1.5.6")
     (source
      (origin
       (method url-fetch)
@@ -133,20 +119,7 @@ generation.")
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0czvqxkzd5y872ipy6s010ifwdwv29sqbnqc4pf56sd486gqvy6m"))))))
-
-(define libgcrypt-1.5.6
-  (package
-    (inherit libgcrypt-1.5)
-    (source
-     (let ((version "1.5.6"))
-       (origin
-         (method url-fetch)
-         (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                             version ".tar.bz2"))
-         (sha256
-          (base32
-           "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h")))))))
+        "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"))))))
 
 (define-public libassuan
   (package
@@ -238,15 +211,14 @@ compatible to GNU Pth.")
 (define-public gnupg
   (package
     (name "gnupg")
-    (version "2.1.13")
+    (version "2.1.15")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnupg/gnupg-" version
                                   ".tar.bz2"))
-              (patches (search-patches "gnupg-fix-expired-test.patch"))
               (sha256
                (base32
-                "0xcn46vcb5x5qx0bc803vpzhzhnn6wfhp7x71w9n1ahx4ak877ag"))))
+                "1pgz02gd84ab94w4xdg67p9z8kvkyr9d523bvcxxd2hviwh1m362"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -272,6 +244,17 @@ compatible to GNU Pth.")
           (lambda _
             (substitute* "tests/openpgp/defs.inc"
               (("/bin/pwd") (which "pwd")))
+            #t))
+        (add-after 'build 'patch-scheme-tests
+          (lambda _
+            (substitute* (find-files "tests" ".\\.scm$")
+              (("/usr/bin/env gpgscm")
+               (string-append (getcwd) "/tests/gpgscm/gpgscm")))))
+        (add-before 'check 'set-home
+          ;; Some tests require write access to $HOME, otherwise leading to
+          ;; 'failed to create directory /homeless-shelter/.asy' error.
+          (lambda _
+            (setenv "HOME" "/tmp")
             #t)))))
     (home-page "https://gnupg.org/")
     (synopsis "GNU Privacy Guard")
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 4927a516e2..d15066cbd6 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -431,21 +431,7 @@ standards.")
        ("mit-krb5" ,mit-krb5)
        ("nspr" ,nspr)
        ("nss" ,nss)
-
-       ;; XXX Work around the fact that our 'sqlite' package was not built
-       ;;     with -DSQLITE_ENABLE_DBSTAT_VTAB.
-       ("sqlite" ,(package
-                    (inherit sqlite)
-                    (arguments
-                     `(#:configure-flags
-                       ;; Add -DSQLITE_SECURE_DELETE, -DSQLITE_ENABLE_UNLOCK_NOTIFY and
-                       ;; -DSQLITE_ENABLE_DBSTAT_VTAB to CFLAGS.  GNU Icecat will refuse
-                       ;; to use the system SQLite unless these options are enabled.
-                       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
-                                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
-                                            "-DSQLITE_ENABLE_DBSTAT_VTAB"))))))
-       ;;("sqlite" ,sqlite)
-
+       ("sqlite" ,sqlite)
        ("startup-notification" ,startup-notification)
        ("unzip" ,unzip)
        ("yasm" ,yasm)
diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm
index ffce1bf86b..b920be9ea2 100644
--- a/gnu/packages/grub.scm
+++ b/gnu/packages/grub.scm
@@ -128,8 +128,8 @@
                      #t)))))
     (inputs
      `(;; ("lvm2" ,lvm2)
+       ("gettext" ,gettext-minimal)
        ("mdadm" ,mdadm)
-       ("gettext" ,gnu-gettext)
        ("freetype" ,freetype)
        ;; ("libusb" ,libusb)
        ;; ("fuse" ,fuse)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index df79239951..0de1409406 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -357,7 +357,7 @@ printing and other features typical of a source code editor.")
 (define-public gtksourceview
  (package
    (name "gtksourceview")
-   (version "3.20.2")
+   (version "3.20.4")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/" name "/"
@@ -365,7 +365,7 @@ printing and other features typical of a source code editor.")
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
-               "03vxirdbjpgjrkl5ph0p9b1saq17xxr4kvhz1ijpg40a9jf3ci4y"))))
+               "009xag7df07ngav2wzs0rdrrx4s2m6ahx93pxzc2p1pkbz4nl3ks"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
@@ -486,7 +486,7 @@ in the GNOME project.")
 (define-public at-spi2-core
   (package
    (name "at-spi2-core")
-   (version "2.20.1")
+   (version "2.20.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -494,7 +494,7 @@ in the GNOME project.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0039y6bj1zfzhmfjbj5g830dlczphbpvbgmkcab9mapmh7kmin3f"))))
+              "0hx12snd9as4cq99ka3bn056xdf13f87pd1ilp6177qk8ffxx948"))))
    (build-system gnu-build-system)
    (outputs '("out" "doc"))
    (arguments
@@ -594,7 +594,7 @@ is part of the GNOME accessibility project.")
       ("libxrandr" ,libxrandr)))
    (native-inputs
     `(("perl" ,perl)
-      ("gettext" ,gnu-gettext)
+      ("gettext" ,gettext-minimal)
       ("glib" ,glib "bin")
       ("gobject-introspection" ,gobject-introspection)
       ("pkg-config" ,pkg-config)
@@ -629,7 +629,7 @@ application suites.")
 (define-public gtk+
   (package (inherit gtk+-2)
    (name "gtk+")
-   (version "3.20.3")
+   (version "3.20.9")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -637,9 +637,10 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "157nh9gg0p2avw765hrnkvr8lsh2w811397yxgjv6q5j4fzz6d1q"))
+              "05xcwvy68p7f4hdhi4bgdm3aycvqqr4pr5kkkr8ba91l5yx0k9l3"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
                                      "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
+   (outputs '("out" "bin" "doc"))
    (propagated-inputs
     `(("at-spi2-atk" ,at-spi2-atk)
       ("atk" ,atk)
@@ -662,7 +663,7 @@ application suites.")
    (native-inputs
     `(("perl" ,perl)
       ("glib" ,glib "bin")
-      ("gettext" ,gnu-gettext)
+      ("gettext" ,gettext-minimal)
       ("pkg-config" ,pkg-config)
       ("gobject-introspection" ,gobject-introspection)
       ("python-wrapper" ,python-wrapper)
@@ -684,7 +685,16 @@ application suites.")
             (substitute* "testsuite/Makefile.in"
               (("SUBDIRS = gdk gtk a11y css reftests")
                "SUBDIRS = gdk"))
-            #t)))))
+            #t))
+        (add-after 'install 'move-desktop-files
+          ;; Move desktop files into 'bin' to avoid cycle references.
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out"))
+                  (bin (assoc-ref outputs "bin")))
+              (mkdir-p (string-append bin "/share"))
+              (rename-file (string-append out "/share/applications")
+                           (string-append bin "/share/applications"))
+              #t))))))
    (native-search-paths
     (list (search-path-specification
            (variable "GUIX_GTK3_PATH")
@@ -928,7 +938,7 @@ library.")
 (define-public pangomm
   (package
     (name "pangomm")
-    (version "2.40.0")
+    (version "2.40.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/" name "/"
@@ -936,7 +946,7 @@ library.")
                                  name "-" version ".tar.xz"))
              (sha256
               (base32
-               "03fpqdjp7plybf4zsgszbm8yhgl28vmajzfpmaqcsmyfvjlszl3x"))))
+               "1bz3gciff23bpw9bqc4v2l3lkq9w7394v3a4jxkvx0ap5lmfwqlp"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (propagated-inputs
@@ -1177,7 +1187,7 @@ write GNOME applications.")
                (base32
                 "03wsxj27hvcbs3x96nah7j3paclifwlfag8kdph4kldl48srp9pb"))))
     (native-inputs `(("pkg-config" ,pkg-config)
-                     ("gettext" ,gnu-gettext)))
+                     ("gettext" ,gettext-minimal)))
     (inputs `(("gtk+" ,gtk+)
               ("check" ,check)))
     (arguments
@@ -1241,7 +1251,7 @@ information.")
      `(("pkg-config" ,pkg-config)
        ("itstool" ,itstool)
        ("libxml" ,libxml2)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("bc" ,bc)))
     (inputs
      `(("perl" ,perl)
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 43071e6968..691a7fe22e 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -131,15 +131,15 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.0
   (package
    (name "guile")
-   (version "2.0.11")
+   (version "2.0.12")
+   (replacement guile-2.0.13)                 ;CVE-2016-8606 and CVE-2016-8605
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/guile/guile-" version
                                 ".tar.xz"))
             (sha256
              (base32
-              "1qh3j7308qvsjgwf7h94yqgckpbgz2k3yqdkzsyhqcafvfka9l5f"))
-            (patches (search-patches "guile-arm-fixes.patch"))))
+              "1sdpjq0jf1h65w29q0zprj4x6kdp5jskkvbnlwphy9lvdxrqg0fy"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkgconfig" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
@@ -184,7 +184,7 @@ without requiring the source code to be rewritten.")
            (files '("share/guile/site/2.0")))
           (search-path-specification
            (variable "GUILE_LOAD_COMPILED_PATH")
-           (files '("lib/guile/2.0/ccache"
+           (files '("lib/guile/2.0/site-ccache"
                     "share/guile/site/2.0")))))
 
    (synopsis "Scheme implementation intended especially for extensions")
@@ -200,12 +200,28 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.0/fixed
   ;; A package of Guile 2.0 that's rarely changed.  It is the one used
   ;; in the `base' module, and thus changing it entails a full rebuild.
-  guile-2.0)
+  (package
+    (inherit guile-2.0)
+    (properties '((hidden? . #t)))          ;people should install 'guile-2.0'
+    (replacement #f)))
+
+(define guile-2.0.13
+  (package
+    (inherit guile-2.0)
+    (version "2.0.13")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/guile/guile-" version
+                                  ".tar.xz"))
+              (sha256
+               (base32
+                "12yqkr974y91ylgw6jnmci2v90i90s7h9vxa4zk0sai8vjnz4i1p"))))))
 
 (define-public guile-next
   (package (inherit guile-2.0)
     (name "guile-next")
     (version "2.1.4")
+    (replacement #f)
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://alpha.gnu.org/gnu/guile/guile-"
@@ -279,7 +295,7 @@ applicable."
        ("libtool" ,libtool)
        ("flex" ,flex)
        ("texinfo" ,texinfo)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ,@(package-native-inputs guile-next)))
     ;; Same as in guile-2.0
     (native-search-paths
@@ -495,23 +511,33 @@ format is also supported.")
 (define-public guile-lib
   (package
     (name "guile-lib")
-    (version "0.2.2")
+    (version "0.2.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/guile-lib/guile-lib-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1f9n2b5b5r75lzjinyk6zp6g20g60msa0jpfrk5hhg4j8cy0ih4b"))))
+               "0pwdd52vakni1fabaiav8v0ad7xp3bx8x3brijbr1mpgamm9dxqc"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (alist-cons-before
-                 'configure 'patch-module-dir
-                 (lambda _
-                   (substitute* "src/Makefile.in"
-                     (("^moddir[[:blank:]]*=[[:blank:]]*([[:graph:]]+)" _ rhs)
-                      (string-append "moddir = " rhs "/2.0\n"))))
-                 %standard-phases)))
+     '(#:phases (modify-phases %standard-phases
+                  (add-before 'configure 'patch-module-dir
+                    (lambda _
+                      (substitute* "src/Makefile.in"
+                        (("^moddir = ([[:graph:]]+)")
+                         "moddir = $(datadir)/guile/site/@GUILE_EFFECTIVE_VERSION@\n")
+                        (("^godir = ([[:graph:]]+)")
+                         "godir = \
+$(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache\n"))
+                      #t))
+                  (replace 'check
+                    (lambda _
+                      ;; Work around a harmless test failure involving
+                      ;; two-spaces-after-period rendering.
+                      (zero? (system* "make" "check" ;"-C" "unit-tests"
+                                      "XFAIL_TESTS=texinfo.serialize.scm")))))))
+    (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs `(("guile" ,guile-2.0)))
     (home-page "http://www.nongnu.org/guile-lib/")
     (synopsis "Collection of useful Guile Scheme modules")
diff --git a/gnu/packages/gv.scm b/gnu/packages/gv.scm
index 240e3fc96c..e1e86a83a6 100644
--- a/gnu/packages/gv.scm
+++ b/gnu/packages/gv.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,7 +40,7 @@
             (sha256 (base32
                      "0q8s43z14vxm41pfa8s5h9kyyzk1fkwjhkiwbf2x70alm6rv6qi1"))))
    (build-system gnu-build-system)
-   (propagated-inputs `(("ghostscript" ,ghostscript-gs/x)))
+   (propagated-inputs `(("ghostscript" ,ghostscript/x)))
    (inputs `(("libx11" ,libx11)
              ("libxaw3d" ,libxaw3d)
              ("libxinerama" ,libxinerama)
diff --git a/gnu/packages/ibus.scm b/gnu/packages/ibus.scm
index 814984f16f..8dc5cdb742 100644
--- a/gnu/packages/ibus.scm
+++ b/gnu/packages/ibus.scm
@@ -265,7 +265,7 @@ Chinese pinyin input methods.")
                 '("ibus-engine-anthy" "ibus-setup-anthy"))
                #t))))))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("intltool" ,intltool)
        ("pkg-config" ,pkg-config)
        ("python" ,python)))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7455bb8889..4b05cca3b4 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -58,18 +58,18 @@
 (define-public libpng
   (package
    (name "libpng")
-   (version "1.5.26")
+   (version "1.6.25")
    (source (origin
             (method url-fetch)
 
             ;; Note: upstream removes older tarballs.
-            (uri (list (string-append "mirror://sourceforge/libpng/libpng15/"
+            (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
                                       version "/libpng-" version ".tar.xz")
                        (string-append
                         "ftp://ftp.simplesystems.org/pub/libpng/png/src"
                         "/libpng15/libpng-" version ".tar.xz")))
             (sha256
-             (base32 "0kbissyd7d4ahwdpm968nnzl7q15p6hadg44i9x0vrkrzdgdi93v"))))
+             (base32 "04c8inn745hw25wz2dc5vll5n5d2gsndj01i4srwzgz8861qvzh9"))))
    (build-system gnu-build-system)
 
    ;; libpng.la says "-lz", so propagate it.
@@ -101,13 +101,13 @@ library.  It supports almost all PNG features and is extensible.")
 (define-public libjpeg
   (package
    (name "libjpeg")
-   (version "9a")
+   (version "9b")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.ijg.org/files/jpegsrc.v"
                    version ".tar.gz"))
             (sha256 (base32
-                     "19q5zr4n60sjcvfbyv06n4pcl1mai3ipvnd2akflayciinj3wx9s"))))
+                     "0lnhpahgdwlrkd41lx6cr90r199f8mc6ydlh7jznj5klvacd63r4"))))
    (build-system gnu-build-system)
    (synopsis "Library for handling JPEG files")
    (description
@@ -186,7 +186,6 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
    (version "4.0.6")
    (source (origin
             (method url-fetch)
@@ -197,7 +196,14 @@ extracting icontainer icon files.")
             (patches (search-patches
                       "libtiff-oob-accesses-in-decode.patch"
                       "libtiff-oob-write-in-nextdecode.patch"
-                      "libtiff-CVE-2015-8665+CVE-2015-8683.patch"))))
+                      "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
+                      "libtiff-CVE-2016-3623.patch"
+                      "libtiff-CVE-2016-3945.patch"
+                      "libtiff-CVE-2016-3990.patch"
+                      "libtiff-CVE-2016-3991.patch"
+                      "libtiff-CVE-2016-5314.patch"
+                      "libtiff-CVE-2016-5321.patch"
+                      "libtiff-CVE-2016-5323.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -219,23 +225,6 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.remotesensing.org/libtiff/")))
 
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source (origin
-              (inherit (package-source libtiff))
-              (patches (search-patches
-                         "libtiff-oob-accesses-in-decode.patch"
-                         "libtiff-oob-write-in-nextdecode.patch"
-                         "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
-                         "libtiff-CVE-2016-3623.patch"
-                         "libtiff-CVE-2016-3945.patch"
-                         "libtiff-CVE-2016-3990.patch"
-                         "libtiff-CVE-2016-3991.patch"
-                         "libtiff-CVE-2016-5314.patch"
-                         "libtiff-CVE-2016-5321.patch"
-                         "libtiff-CVE-2016-5323.patch"))))))
-
 (define-public libwmf
   (package
     (name "libwmf")
diff --git a/gnu/packages/irc.scm b/gnu/packages/irc.scm
index db398de530..a516629dbf 100644
--- a/gnu/packages/irc.scm
+++ b/gnu/packages/irc.scm
@@ -157,7 +157,7 @@ SILC and ICB protocols via plugins.")
                      ("libtool" ,libtool)))
     (inputs `(("ncurses" ,ncurses)
               ("diffutils" ,diffutils)
-              ("gettext" ,gnu-gettext)
+              ("gettext" ,gettext-minimal)
               ("libltdl" ,libltdl)
               ("libgcrypt" ,libgcrypt "out")
               ("zlib" ,zlib)
diff --git a/gnu/packages/iso-codes.scm b/gnu/packages/iso-codes.scm
index 0a9427cef2..dbdd868b3b 100644
--- a/gnu/packages/iso-codes.scm
+++ b/gnu/packages/iso-codes.scm
@@ -40,7 +40,7 @@
                "037hmfs5pk3g36psm378vap1mbrkk86vv8wsdnv65mzbnph52gv0"))))
     (build-system gnu-build-system)
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("perl" ,perl)
        ("python" ,python-wrapper)))
     (home-page "https://pkg-isocodes.alioth.debian.org/")
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 011f9e0deb..3790e8f63f 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -601,7 +601,7 @@ interfaces in the areas of colors, fonts, text, images, keyboard input.")
           "0cw24spmwsqa3ppkw03cm6yjd3sfll0dbbk2ya76fd4nw9hb00dv"))))
     (build-system cmake-build-system)
     (propagated-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("python" ,python)))
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)))
diff --git a/gnu/packages/kodi.scm b/gnu/packages/kodi.scm
index ec4e72e8ba..929894d61e 100644
--- a/gnu/packages/kodi.scm
+++ b/gnu/packages/kodi.scm
@@ -199,7 +199,7 @@ generator library for C++.")
        ("cmake" ,cmake)
        ("doxygen" ,doxygen)
        ("gawk" ,gawk)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("icedtea" ,icedtea) ; needed at build-time only, mandatory
        ("libtool" ,libtool)
        ("pkg-config" ,pkg-config)
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 432c1fe675..0c9d0af3c8 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -27,14 +27,14 @@
 (define-public libidn
   (package
    (name "libidn")
-   (replacement libidn-1.33)
-   (version "1.32")
+   (version "1.33")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libidn/libidn-" version
                                 ".tar.gz"))
-            (sha256 (base32
-                     "1xf4hphhahcjm2xwx147lfpsavjwv9l4c2gf6hx71zxywbz5lpds"))))
+            (sha256
+             (base32
+              "068fjg2arlppjqqpzd714n1lf6gxkpac9v5yyvp1qwmv6nvam9s4"))))
    (build-system gnu-build-system)
 ;; FIXME: No Java and C# libraries are currently built.
    (synopsis "Internationalized string processing library")
@@ -46,16 +46,3 @@ names.  It includes native C, C# and Java libraries.")
    ;; the command line tool is gpl3+.
    (license (list gpl2+ gpl3+ lgpl3+ fdl1.3+))
    (home-page "http://www.gnu.org/software/libidn/")))
-
-(define libidn-1.33
-  (package
-    (inherit libidn)
-    (source
-      (let ((version "1.33"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "mirror://gnu/libidn/libidn-" version
-                              ".tar.gz"))
-          (sha256
-           (base32
-            "068fjg2arlppjqqpzd714n1lf6gxkpac9v5yyvp1qwmv6nvam9s4")))))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 08fd7ac9bb..53baa21fdd 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -15,6 +15,7 @@
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -110,17 +111,36 @@
          version "-gnu.tar.xz")))
 
 (define-public linux-libre-headers
-  (let* ((version "4.1.18")
-         (build-phase
-          (lambda (arch)
-            `(lambda _
-               (setenv "ARCH" ,(system->linux-architecture arch))
+  (package
+    (name "linux-libre-headers")
+    (version "4.4.18")
+    (source (origin
+             (method url-fetch)
+             (uri (linux-libre-urls version))
+             (sha256
+              (base32
+               "0k8k17in7dkjd9d8zg3i8l1ax466dba6bxw28flxizzyq8znljps"))))
+    (build-system gnu-build-system)
+    (native-inputs `(("perl" ,perl)))
+    (arguments
+     `(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (srfi srfi-1))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure)
+         (replace 'build
+           (lambda _
+             (let ((arch ,(system->linux-architecture
+                          (or (%current-target-system)
+                              (%current-system)))))
+               (setenv "ARCH" arch)
                (format #t "`ARCH' set to `~a'~%" (getenv "ARCH"))
 
                (and (zero? (system* "make" "defconfig"))
                     (zero? (system* "make" "mrproper" "headers_check"))))))
-         (install-phase
-          `(lambda* (#:key outputs #:allow-other-keys)
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
                (and (zero? (system* "make"
                                     (string-append "INSTALL_HDR_PATH=" out)
@@ -140,33 +160,12 @@
                       (for-each delete-file (find-files out "\\.install"))
 
                       #t))))))
-   (package
-    (name "linux-libre-headers")
-    (version version)
-    (source (origin
-             (method url-fetch)
-             (uri (linux-libre-urls version))
-             (sha256
-              (base32
-               "1bddh2rg645lavhjkk9z75vflba5y0g73z2fjwgbfrj5jb44x9i7"))))
-    (build-system gnu-build-system)
-    (native-inputs `(("perl" ,perl)))
-    (arguments
-     `(#:modules ((guix build gnu-build-system)
-                  (guix build utils)
-                  (srfi srfi-1))
-       #:phases (alist-replace
-                 'build ,(build-phase (or (%current-target-system)
-                                          (%current-system)))
-                 (alist-replace
-                  'install ,install-phase
-                  (alist-delete 'configure %standard-phases)))
        #:allowed-references ()
        #:tests? #f))
+    (home-page "http://www.gnu.org/software/linux-libre")
     (synopsis "GNU Linux-Libre kernel headers")
     (description "Headers of the Linux-Libre kernel.")
-    (license license:gpl2)
-    (home-page "http://www.gnu.org/software/linux-libre/"))))
+    (license license:gpl2)))
 
 (define %boot-logo-patch
   ;; Linux-Libre boot logo featuring Freedo and a gnu.
@@ -359,17 +358,18 @@ It has been modified to remove all non-free binary blobs.")
 (define-public linux-pam
   (package
     (name "linux-pam")
-    (version "1.2.1")
+    (version "1.3.0")
     (source
      (origin
       (method url-fetch)
-      (uri (list (string-append "http://www.linux-pam.org/library/Linux-PAM-"
-                                version ".tar.bz2")
-                 (string-append "mirror://kernel.org/linux/libs/pam/library/Linux-PAM-"
-                                version ".tar.bz2")))
+      (uri (string-append
+            "http://www.linux-pam.org/library/"
+            "Linux-PAM-" version ".tar.bz2"))
       (sha256
        (base32
-        "1n9lnf9gjs72kbj1g354v1xhi2j27aqaah15vykh7cnkq08i4arl"))))
+        "1fyi04d5nsh8ivd0rn2y0z83ylgc0licz7kifbb6xxi2ylgfs6i4"))
+      (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+
     (build-system gnu-build-system)
     (native-inputs
      `(("flex" ,flex)
@@ -397,6 +397,21 @@ be used through the PAM API to perform tasks, like authenticating a user
 at login.  Local and dynamic reconfiguration are its key features.")
     (license license:bsd-3)))
 
+(define-public linux-pam-1.2
+  (package
+    (inherit linux-pam)
+    (version "1.2.1")
+    (source
+     (origin
+      (method url-fetch)
+      (uri (string-append
+            "http://www.linux-pam.org/library/"
+            "Linux-PAM-" version ".tar.bz2"))
+      (sha256
+       (base32
+        "1n9lnf9gjs72kbj1g354v1xhi2j27aqaah15vykh7cnkq08i4arl"))
+      (patches (search-patches "linux-pam-no-setfsuid.patch"))))))
+
 
 ;;;
 ;;; Miscellaneous.
@@ -428,7 +443,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.27")
+    (version "2.28.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -436,7 +451,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1ivdx1bhjbakf77agm9dn3wyxia1wgz9lzxgd61zqxw3xzih9gzw"))
+                "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -511,16 +526,14 @@ block devices, UUIDs, TTYs, and many other tools.")
 (define-public procps
   (package
     (name "procps")
-    (version "3.3.11")
+    (version "3.3.12")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/procps-ng/Production/"
                                   "procps-ng-" version ".tar.xz"))
               (sha256
                (base32
-                "1va4n0mpsq327ca9dqp4hnrpgs6821rp0f2m0jyc1bfjl9lk2jg9"))
-              (patches
-               (list (search-patch "procps-non-linux.patch")))))
+                "1m57w6jmry84njd5sgk5afycbglql0al80grx027kwqqcfw5mmkf"))))
     (build-system gnu-build-system)
     (arguments
      '(#:modules ((guix build utils)
@@ -529,6 +542,15 @@ block devices, UUIDs, TTYs, and many other tools.")
                   (srfi srfi-26))
        #:phases
        (modify-phases %standard-phases
+         (add-before 'check 'disable-strtod-test
+           (lambda _
+             ;; Disable the 'strtod' test, which fails on 32-bit systems.
+             ;; This is what upstream does:
+             ;; <https://gitlab.com/procps-ng/procps/commit/100afbc1491be388f1429021ff65d969f4b1e08f>.
+             (substitute* "Makefile"
+               (("^(TESTS|check_PROGRAMS) = .*$" all)
+                (string-append "# " all "\n")))
+             #t))
          (add-after
           'install 'post-install
           ;; Remove commands and man pages redudant with
@@ -855,7 +877,7 @@ MIDI functionality to the Linux-based operating system.")
        ("ncurses" ,ncurses)
        ("alsa-lib" ,alsa-lib)
        ("xmlto" ,xmlto)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (home-page "http://www.alsa-project.org/")
     (synopsis "Utilities for the Advanced Linux Sound Architecture (ALSA)")
     (description
@@ -1044,7 +1066,7 @@ manpages.")
                          (sha256
                           (base32
                            "0p93lsqx23v5fv4hpbrydmfvw1ha2rgqpn2zqbs2jhxkzhjc030p"))))))
-    (native-inputs `(("gettext" ,gnu-gettext)))
+    (native-inputs `(("gettext" ,gettext-minimal)))
 
     (synopsis "Tools for controlling the network subsystem in Linux")
     (description
@@ -1605,7 +1627,7 @@ from the module-init-tools project.")
   ;; The post-systemd fork, maintained by Gentoo.
   (package
     (name "eudev")
-    (version "3.1.5")
+    (version "3.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -1613,7 +1635,7 @@ from the module-init-tools project.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "0akg9gcc3c2p56xbhlvbybqavcprly5q0bvk655zwl6d62j8an7p"))
+                "099w62ncq78nxpxizf910mx18hc8x4qvzw3azjd00fir89wmyjnq"))
               (patches (search-patches "eudev-rules-directory.patch"))))
     (build-system gnu-build-system)
     (native-inputs
@@ -2471,7 +2493,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
                #t))))))
     (native-inputs
      `(("pkg-config" ,pkg-config)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (inputs
      `(("glib" ,glib)
        ("dbus" ,dbus)
@@ -2811,7 +2833,7 @@ from that to the system kernel's @file{/dev/random} machinery.")
                             "DEBUG=false"
                             "PACKAGE_BUGREPORT=bug-guix@gnu.org"))
        #:tests? #f)) ;no tests
-    (native-inputs `(("gettext" ,gnu-gettext)))
+    (native-inputs `(("gettext" ,gettext-minimal)))
     (inputs `(("pciutils" ,pciutils)))
     (home-page (package-home-page linux-libre))
     (synopsis "CPU frequency and voltage scaling tools for Linux")
diff --git a/gnu/packages/lout.scm b/gnu/packages/lout.scm
index 1355e0387a..f2c724ae07 100644
--- a/gnu/packages/lout.scm
+++ b/gnu/packages/lout.scm
@@ -88,8 +88,7 @@
     (build-system gnu-build-system)               ; actually, just a makefile
     (outputs '("out" "doc"))
     (native-inputs
-     `(("ghostscript" ,ghostscript)
-       ("ghostscript-gs" ,ghostscript-gs)))
+     `(("ghostscript" ,ghostscript)))
     (arguments `(#:modules ((guix build utils)
                             (guix build gnu-build-system)
                             (srfi srfi-1))        ; we need SRFI-1
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index def9c23b17..1b7352fc10 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -114,9 +114,6 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                                 (current-source-location)
                                 #:native-inputs native-inputs))
 
-(define %bash-static
-  (static-package bash-minimal))
-
 (define %static-inputs
   ;; Packages that are to be used as %BOOTSTRAP-INPUTS.
   (let ((coreutils (package (inherit coreutils)
@@ -184,7 +181,7 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                               (("-Wl,-export-dynamic") "")))
                           ,phases)))))
                 (inputs (if (%current-target-system)
-                            `(("bash" ,%bash-static))
+                            `(("bash" ,static-bash))
                             '()))))
         (finalize (compose static-package
                            package-with-relocatable-glibc)))
@@ -200,7 +197,7 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                ("sed" ,sed)
                ("grep" ,grep)
                ("gawk" ,gawk)))
-      ("bash" ,%bash-static))))
+      ("bash" ,static-bash))))
 
 (define %static-binaries
   (package
@@ -515,6 +512,7 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                     (patches patches)))
          (guile (package (inherit guile-2.0)
                   (name (string-append (package-name guile-2.0) "-static"))
+                  (replacement #f)
                   (source source)
                   (synopsis "Statically-linked and relocatable Guile")
 
diff --git a/gnu/packages/man.scm b/gnu/packages/man.scm
index cdefbdedbb..2d99438420 100644
--- a/gnu/packages/man.scm
+++ b/gnu/packages/man.scm
@@ -189,7 +189,7 @@ Linux kernel and C library interfaces employed by user-space programs.")
      `(("perl" ,perl)
        ;; TODO: Add these optional dependencies.
        ;; ("perl-LocaleGettext" ,perl-LocaleGettext)
-       ;; ("gettext" ,gnu-gettext)
+       ;; ("gettext" ,gettext-minimal)
        ))
     (home-page "http://www.gnu.org/software/help2man/")
     (synopsis "Automatically generate man pages from program --help")
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 07934e3114..83f55c9f18 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1982,7 +1982,7 @@ parts of it.")
 (define-public openblas
   (package
     (name "openblas")
-    (version "0.2.15")
+    (version "0.2.19")
     (source
      (origin
        (method url-fetch)
@@ -1991,7 +1991,7 @@ parts of it.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1k5f6vjlk54qlplk5m7xkbaw6g2y7dl50lwwdv6xsbcsgsbxfcpy"))))
+         "071zqnmnxhh0c9phzyn3f198yxa0hjxda7016azdbq2056sm70w7"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f  ;no "check" target
@@ -2552,7 +2552,7 @@ evaluates expressions using the standard order of operations.")
                (base32
                 "15cd1cx1dyygw6g2nhjqq3bsfdj8sj8m4va9n75i0f3ryww3x7wq"))))
     (build-system gnu-build-system)
-    (native-inputs `(("gettext" ,gnu-gettext)))
+    (native-inputs `(("gettext" ,gettext-minimal)))
     (inputs `(("libx11" ,libx11)
               ("zlib" ,zlib)
               ("libpng" ,libpng)
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 3d11f3a450..3299c7b5c4 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,8 +32,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (replacement mit-krb5-1.14.3)
-    (version "1.14.2")
+    (version "1.14.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
@@ -40,7 +40,7 @@
                                   "/krb5-" version ".tar.gz"))
               (sha256
                (base32
-                "09wbv969ak4fqlqr1ip5bi62fny1zlp1vwjarvj6a6cdfzkdgjkb"))))
+                "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -84,17 +84,3 @@ cryptography.")
     (license (non-copyleft "file://NOTICE"
                            "See NOTICE in the distribution."))
     (home-page "http://web.mit.edu/kerberos/")))
-
-(define mit-krb5-1.14.3
-  (package
-    (inherit mit-krb5)
-    (source
-      (let ((version "1.14.3"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
-                              (version-major+minor version)
-                              "/krb5-" version ".tar.gz"))
-          (sha256
-           (base32
-            "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind")))))))
diff --git a/gnu/packages/mono.scm b/gnu/packages/mono.scm
index 75e39afdf0..343cebc99f 100644
--- a/gnu/packages/mono.scm
+++ b/gnu/packages/mono.scm
@@ -44,7 +44,7 @@
                 "0jibyvyv2jy8dq5ij0j00iq3v74r0y90dcjc3dkspcfbnn37cphn"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("glib" ,glib)
        ("libxslt" ,libxslt)
        ("perl" ,perl)
diff --git a/gnu/packages/mp3.scm b/gnu/packages/mp3.scm
index 37407cdc17..73a9a23efd 100644
--- a/gnu/packages/mp3.scm
+++ b/gnu/packages/mp3.scm
@@ -443,7 +443,7 @@ format.")
                (install-file "mpc123" bin)))))
        #:tests? #f))
     (native-inputs
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
     (inputs
      `(("libao" ,ao)
        ("libmpcdec" ,libmpcdec)))
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 46540be5c4..23ae68a28f 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -31,7 +31,7 @@
 (define-public gmp
   (package
    (name "gmp")
-   (version "6.1.0")
+   (version "6.1.1")
    (source (origin
             (method url-fetch)
             (uri
@@ -39,7 +39,7 @@
                             version ".tar.xz"))
             (sha256
              (base32
-              "12b9s4jn48gbar6dbs5qrlmljdmnq43xy3ji9yjzic0mwp6dmnk8"))
+              "0cg84n482gcvl0s4xq4wgwsk4r0x0m8dnzpizwqdd2j8vw2rqvnk"))
             (patches (search-patches "gmp-faulty-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("m4" ,m4)))
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index d5805b0403..bbae98532d 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -493,7 +493,7 @@ for path in [path for path in sys.path if 'site-packages' in path]: site.addsite
        ("python2-pyliblo" ,python2-pyliblo)
        ("python2-pygtk" ,python2-pygtk)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
     (home-page "http://das.nasophon.de/gtklick/")
     (synopsis "Simple metronome with an easy-to-use graphical interface")
     (description
@@ -555,7 +555,7 @@ interface.  It is implemented as a frontend to @code{klick}.")
        ("font-tex-gyre" ,font-tex-gyre)
        ("fontconfig" ,fontconfig)
        ("freetype" ,freetype)
-       ("ghostscript" ,ghostscript-gs)
+       ("ghostscript" ,ghostscript)
        ("pango" ,pango)
        ("python" ,python-2)))
     (native-inputs
@@ -564,7 +564,7 @@ interface.  It is implemented as a frontend to @code{klick}.")
        ("flex" ,flex)
        ("fontforge" ,fontforge)
        ("dblatex" ,dblatex)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("imagemagick" ,imagemagick)
        ("netpbm" ,netpbm) ;for pngtopnm
        ("texlive" ,texlive) ;metafont and metapost
@@ -712,7 +712,7 @@ for path in [path for path in sys.path if 'site-packages' in path]: site.addsite
     (inputs
      `(("python" ,python-2)
        ("pygtk" ,python2-pygtk)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("gtk" ,gtk+)
        ("lilypond" ,lilypond)
        ;; players needed at runtime
@@ -987,7 +987,7 @@ Laurens Hammond and Don Leslie.")
        ("flac" ,flac)
        ("alsa-lib" ,alsa-lib)
        ("libvorbis" ,libvorbis)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("glib:bin" ,glib "bin")
@@ -1180,7 +1180,7 @@ export.")
      `(("autoconf" ,autoconf)
        ("automake" ,automake)
        ("libtool" ,libtool)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("tk" ,tk)
diff --git a/gnu/packages/nano.scm b/gnu/packages/nano.scm
index 3c4c699983..01ef5dc800 100644
--- a/gnu/packages/nano.scm
+++ b/gnu/packages/nano.scm
@@ -40,7 +40,7 @@
         "1hzazcrbwjqiw89jjvlj97q0wf385qqkzcm0870pdrixiv7yklax"))))
     (build-system gnu-build-system)
     (inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("ncurses" ,ncurses)))
     (home-page "http://www.nano-editor.org/")
     (synopsis "Small, user-friendly console text editor")
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 4b77aad792..cc843c97ff 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -488,7 +488,7 @@ network frames.")
          "1y7sbgkhgadmd93x1zafqc4yp26ssiv16ni5bbi9vmvvdl55m29y"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
     (inputs
      `(("fftw" ,fftw)
        ("ncurses" ,ncurses)
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index f6f7308ff0..f1b4bdbf6f 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -573,7 +574,6 @@ libpanel, librsvg and quartz.")
     (native-inputs
      `(("ocaml" ,ocaml)
        ;; For documentation
-       ("ghostscript-gs" ,ghostscript-gs)
        ("ghostscript" ,ghostscript)
        ("texlive" ,texlive)
        ("hevea" ,hevea)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 4bbc6a6bf8..627319bda8 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -55,14 +55,11 @@
               "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb-5.3)
-             ("openssl" ,openssl)
              ("cyrus-sasl" ,cyrus-sasl)
+             ("gnutls" ,gnutls)
              ("groff" ,groff)
              ("icu4c" ,icu4c)
              ("libgcrypt" ,libgcrypt)
-             ;; FIXME: currently, openldap requires openssl or gnutls<3, see
-             ;; http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17
-             ;; Once this is fixed, switch to gnutls.
              ("zlib" ,zlib)))
    (native-inputs `(("libtool" ,libtool)))
    (arguments
diff --git a/gnu/packages/openstack.scm b/gnu/packages/openstack.scm
index 62f1e84a3b..fc865d36e0 100644
--- a/gnu/packages/openstack.scm
+++ b/gnu/packages/openstack.scm
@@ -256,6 +256,7 @@ tested on Python version 3.2, 2.7 and 2.6.")
      `(("python-pbr" ,python-pbr)))
     (native-inputs
      `(("python-discover" ,python-discover)
+       ("python-docutils" ,python-docutils)
        ("python-fixtures" ,python-fixtures)
        ("python-mock" ,python-mock)
        ("python-sphinx" ,python-sphinx)
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 70a6a49921..34515f1d22 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -247,7 +247,7 @@ the Nix package manager.")
       (native-inputs
        `(("autoconf" ,(autoconf-wrapper))
          ("automake" ,automake)
-         ("gettext" ,gnu-gettext)
+         ("gettext" ,gettext-minimal)
          ("texinfo" ,texinfo)
          ("graphviz" ,graphviz)
          ("help2man" ,help2man)
diff --git a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
index edd411e1a8..aa253e135f 100644
--- a/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
+++ b/gnu/packages/patches/ath9k-htc-firmware-binutils.patch
@@ -1,6 +1,12 @@
-This Binutils patch is from the ath9k-htc-firmware repository (version 1.3.2).
-Not applying it (apparently) leads to miscompiled firmware, and loading it
-fails with a "Target is unresponsive" message from the 'ath9k_htc' module.
+These Binutils patches are from the ath9k-htc-firmware repository
+(commit f6af791348b68ceadab375e4ed0f7bcda86cb3c0).
+
+Not applying the first patch (apparently) leads to miscompiled firmware,
+and loading it fails with a "Target is unresponsive" message from the
+'ath9k_htc' module.
+
+The final hunk, applied to 'gas/config/tc-xtensa.c', is copied from the
+upstream file 'local/patches/binutils-2.27_fixup.patch'.
 
 From dbca73446265ce01b8e11462c3346b25953e3399 Mon Sep 17 00:00:00 2001
 From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
@@ -28873,16 +28879,6 @@ diff --git a/include/xtensa-config.h b/include/xtensa-config.h
 index 30f4f41..fe9b051 100644
 --- a/include/xtensa-config.h
 +++ b/include/xtensa-config.h
-@@ -1,7 +1,7 @@
- /* Xtensa configuration settings.
--   Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010
-+   Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007
-    Free Software Foundation, Inc.
--   Contributed by Bob Wilson (bob.wilson@acm.org) at Tensilica.
-+   Contributed by Bob Wilson (bwilson@tensilica.com) at Tensilica.
- 
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
 @@ -44,10 +44,7 @@
  #define XCHAL_HAVE_L32R			1
  
@@ -28973,3 +28969,20 @@ index 30f4f41..fe9b051 100644
  #define XCHAL_MAX_INSTRUCTION_SIZE	3
 -- 
 1.8.1
+
+diff --git a/gas/config/tc-xtensa.c b/gas/config/tc-xtensa.c
+index d062044..ca261ae 100644
+--- a/gas/config/tc-xtensa.c
++++ b/gas/config/tc-xtensa.c
+@@ -2228,7 +2228,7 @@ xg_reverse_shift_count (char **cnt_argp)
+   cnt_arg = *cnt_argp;
+ 
+   /* replace the argument with "31-(argument)" */
+-  new_arg = concat ("31-(", cnt_argp, ")", (char *) NULL);
++  new_arg = concat ("31-(", cnt_arg, ")", (char *) NULL);
+ 
+   free (cnt_arg);
+   *cnt_argp = new_arg;
+-- 
+2.10.1
+
diff --git a/gnu/packages/patches/binutils-mips-bash-bug.patch b/gnu/packages/patches/binutils-mips-bash-bug.patch
new file mode 100644
index 0000000000..08d3a79749
--- /dev/null
+++ b/gnu/packages/patches/binutils-mips-bash-bug.patch
@@ -0,0 +1,22 @@
+Bash 4.2.0(1)-release, which we use during bootstrap, does not yield the
+"x" case in:
+
+  case x"$EMULATION_NAME" in x) ;; *) ;; esac
+
+when 'EMULATION_NAME' is undefined.  Bash 4.3.30(1)-release doesn't have this
+problem.  Work around it.
+
+This Bash bug was fixed
+in <http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-007>.
+
+--- a/ld/emulparams/elf32bmipn32-defs.sh
++++ b/ld/emulparams/elf32bmipn32-defs.sh
+@@ -13,7 +13,7 @@ LITTLE_OUTPUT_FORMAT="elf32-littlemips"
+ TEMPLATE_NAME=elf32
+ EXTRA_EM_FILE=mipself
+ 
+-case x"$EMULATION_NAME" in
++case "x$EMULATION_NAME" in
+ xelf32*n32*) ELFSIZE=32 ;;
+ xelf64*) ELFSIZE=64 ;;
+ x) ;;
diff --git a/gnu/packages/patches/cmake-fix-tests.patch b/gnu/packages/patches/cmake-fix-tests.patch
index f59e2cd625..732b0023ab 100644
--- a/gnu/packages/patches/cmake-fix-tests.patch
+++ b/gnu/packages/patches/cmake-fix-tests.patch
@@ -1,6 +1,17 @@
---- cmake-3.2.2.orig/Tests/CMakeLists.txt	2015-04-14 01:09:00.000000000 +0800
-+++ cmake-3.2.2/Tests/CMakeLists.txt	2015-04-28 15:02:34.913039742 +0800
-@@ -342,10 +342,12 @@
+From af0a62dadfb3db25880bc653e2e4c97435a604c9 Mon Sep 17 00:00:00 2001
+From: Efraim Flashner <efraim@flashner.co.il>
+Date: Mon, 29 Aug 2016 20:07:58 +0300
+Subject: [PATCH] cmake-fix-tests
+
+---
+ Tests/CMakeLists.txt | 83 ++++++++++++++++++++++++++++------------------------
+ 1 file changed, 44 insertions(+), 39 deletions(-)
+
+diff --git a/Tests/CMakeLists.txt b/Tests/CMakeLists.txt
+index f21e430..56014a2 100644
+--- a/Tests/CMakeLists.txt
++++ b/Tests/CMakeLists.txt
+@@ -416,10 +416,12 @@ if(BUILD_TESTING)
    endif()
  
    # run test for BundleUtilities on supported platforms/compilers
@@ -17,7 +28,7 @@
    if(NOT "${CMAKE_GENERATOR}" STREQUAL "Watcom WMake")
  
      add_test(BundleUtilities ${CMAKE_CTEST_COMMAND}
-@@ -2257,16 +2259,17 @@
+@@ -2481,30 +2483,32 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
      PASS_REGULAR_EXPRESSION "Could not find executable"
      FAIL_REGULAR_EXPRESSION "SegFault")
  
@@ -31,6 +42,20 @@
 -    )
 -  set_tests_properties(CTestTestUpload PROPERTIES
 -    PASS_REGULAR_EXPRESSION "Upload\\.xml")
+-
+-  configure_file(
+-    "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+-    "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
+-    @ONLY ESCAPE_QUOTES)
+-  add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
+-    -C \${CTEST_CONFIGURATION_TYPE}
+-    -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
+-    --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
+-    )
+-  set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
+-    PASS_REGULAR_EXPRESSION
+-    "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
+-  set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
 +# This test requires network connectivity: skip it.
 +#  configure_file(
 +#    "${CMake_SOURCE_DIR}/Tests/CTestTestUpload/test.cmake.in"
@@ -42,6 +67,54 @@
 +#    )
 +#  set_tests_properties(CTestTestUpload PROPERTIES
 +#    PASS_REGULAR_EXPRESSION "Upload\\.xml")
++
++# This test times out
++#  configure_file(
++#    "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
++#    "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake"
++#    @ONLY ESCAPE_QUOTES)
++#  add_test(CTestCoverageCollectGCOV ${CMAKE_CTEST_COMMAND}
++#    -C \${CTEST_CONFIGURATION_TYPE}
++#    -S "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake" -VV
++#    --output-log "${CMake_BINARY_DIR}/Tests/CTestCoverageCollectGCOV/testOut.log"
++#    )
++#  set_tests_properties(CTestCoverageCollectGCOV PROPERTIES
++#    PASS_REGULAR_EXPRESSION
++#    "PASSED with correct output.*Testing/CoverageInfo/main.cpp.gcov")
++#  set_property(TEST CTestCoverageCollectGCOV PROPERTY ENVIRONMENT CTEST_PARALLEL_LEVEL=)
+ 
+   configure_file(
+     "${CMake_SOURCE_DIR}/Tests/CTestTestEmptyBinaryDirectory/test.cmake.in"
+@@ -2860,17 +2864,18 @@ ${CMake_BINARY_DIR}/bin/cmake -DDIR=dev -P ${CMake_SOURCE_DIR}/Utilities/Release
+   set_tests_properties(CTestTestStopTime PROPERTIES
+     PASS_REGULAR_EXPRESSION "The stop time has been passed")
+ 
+-  configure_file(
+-    "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
+-    "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
+-    @ONLY ESCAPE_QUOTES)
+-  add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
+-    -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
+-    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
+-    )
+-  #make sure all 3 subdirs were added
+-  set_tests_properties(CTestTestSubdir PROPERTIES
+-    PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
++# This test fails to build 2 of the 3 tests
++#  configure_file(
++#    "${CMake_SOURCE_DIR}/Tests/CTestTestSubdir/test.cmake.in"
++#    "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake"
++#    @ONLY ESCAPE_QUOTES)
++#  add_test(CTestTestSubdir ${CMAKE_CTEST_COMMAND}
++#    -S "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/test.cmake" -V
++#    --output-log "${CMake_BINARY_DIR}/Tests/CTestTestSubdir/testOutput.log"
++#    )
++#  #make sure all 3 subdirs were added
++#  set_tests_properties(CTestTestSubdir PROPERTIES
++#    PASS_REGULAR_EXPRESSION "0 tests failed out of 3")
  
    configure_file(
-     "${CMake_SOURCE_DIR}/Tests/CTestCoverageCollectGCOV/test.cmake.in"
+     "${CMake_SOURCE_DIR}/Tests/CTestTestTimeout/test.cmake.in"
+-- 
+2.9.3
+
diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
deleted file mode 100644
index edc43f84f1..0000000000
--- a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-Fix CVE-2012-6702 and CVE-2016-5300.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
-
-Patch copied from:
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/
-
-From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Wed, 16 Mar 2016 15:30:12 +0100
-Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0)
-
-Squashed backport against vanilla Expat 2.1.1, addressing:
-* CVE-2012-6702 -- unanticipated internal calls to srand
-* CVE-2016-5300 -- use of too little entropy
-
-Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d
-(released with Expat 2.1.0) Expat called srand by itself
-from inside generate_hash_secret_salt for an instance
-of XML_Parser if XML_SetHashSalt was either (a) not called
-for that instance or if (b) salt 0 was passed to XML_SetHashSalt
-prior to parsing.  That call to srand passed (rather litle)
-entropy extracted from the current time as a seed for srand.
-
-That call to srand (1) broke repeatability for code calling
-srand with a non-random seed prior to parsing with Expat,
-and (2) resulted in a rather small set of hashing salts in
-Expat in total.
-
-For a short- to mid-term fix, the new approach avoids calling
-srand altogether, extracts more entropy out of the clock and
-other sources, too.
-
-For a long term fix, we may want to read sizeof(long) bytes
-from a source like getrandom(..) on Linux, and from similar
-sources on other supported architectures.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1197087
----
- CMakeLists.txt |  3 +++
- lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
- 2 files changed, 44 insertions(+), 7 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 353627e..524d514 100755
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib)
- if(MSVC)

-     add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)

- endif(MSVC)

-+if(WIN32)

-+    add_definitions(-DCOMPILED_FROM_DSP)

-+endif(WIN32)

- 

- set(expat_SRCS

-     lib/xmlparse.c

-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..c5f942f 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -6,7 +6,14 @@
- #include <string.h>                     /* memset(), memcpy() */
- #include <assert.h>
- #include <limits.h>                     /* UINT_MAX */
--#include <time.h>                       /* time() */
-+
-+#ifdef COMPILED_FROM_DSP
-+#define getpid GetCurrentProcessId
-+#else
-+#include <sys/time.h>                   /* gettimeofday() */
-+#include <sys/types.h>                  /* getpid() */
-+#include <unistd.h>                     /* getpid() */
-+#endif
- 
- #define XML_BUILDING_EXPAT 1
- 
-@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
- getElementType(XML_Parser parser, const ENCODING *enc,
-                const char *ptr, const char *end);
- 
--static unsigned long generate_hash_secret_salt(void);
-+static unsigned long generate_hash_secret_salt(XML_Parser parser);
- static XML_Bool startParsing(XML_Parser parser);
- 
- static XML_Parser
-@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
- };
- 
- static unsigned long
--generate_hash_secret_salt(void)
-+gather_time_entropy(void)
- {
--  unsigned int seed = time(NULL) % UINT_MAX;
--  srand(seed);
--  return rand();
-+#ifdef COMPILED_FROM_DSP
-+  FILETIME ft;
-+  GetSystemTimeAsFileTime(&ft); /* never fails */
-+  return ft.dwHighDateTime ^ ft.dwLowDateTime;
-+#else
-+  struct timeval tv;
-+  int gettimeofday_res;
-+
-+  gettimeofday_res = gettimeofday(&tv, NULL);
-+  assert (gettimeofday_res == 0);
-+
-+  /* Microseconds time is <20 bits entropy */
-+  return tv.tv_usec;
-+#endif
-+}
-+
-+static unsigned long
-+generate_hash_secret_salt(XML_Parser parser)
-+{
-+  /* Process ID is 0 bits entropy if attacker has local access
-+   * XML_Parser address is few bits of entropy if attacker has local access */
-+  const unsigned long entropy =
-+      gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
-+
-+  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
-+  if (sizeof(unsigned long) == 4) {
-+    return entropy * 2147483647;
-+  } else {
-+    return entropy * 2305843009213693951;
-+  }
- }
- 
- static XML_Bool  /* only valid for root parser */
-@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
- {
-     /* hash functions must be initialized before setContext() is called */
-     if (hash_secret_salt == 0)
--      hash_secret_salt = generate_hash_secret_salt();
-+      hash_secret_salt = generate_hash_secret_salt(parser);
-     if (ns) {
-       /* implicit context only set for root parser, since child
-          parsers (i.e. external entity parsers) will inherit it
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
deleted file mode 100644
index fc8d6291f5..0000000000
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
-behavior.
-
-Adapted from a patch from Debian (found in Debian package version
-2.1.0-6+deb8u2) to apply to upstream code:
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
-
----
- lib/xmlparse.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 0f6f4cd..5c70c17 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    int neededSize = len + (int)(bufferEnd - bufferPtr);
-+    /* Do not invoke signed arithmetic overflow: */
-+    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
-     if (neededSize < 0) {
-       errorCode = XML_ERROR_NO_MEMORY;
-       return NULL;
-@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
--        bufferSize *= 2;
-+        /* Do not invoke signed arithmetic overflow: */
-+        bufferSize = (int) (2U * (unsigned) bufferSize);
-       } while (bufferSize < neededSize && bufferSize > 0);
-       if (bufferSize <= 0) {
-         errorCode = XML_ERROR_NO_MEMORY;
--- 
-2.8.3
-
diff --git a/gnu/packages/patches/expat-CVE-2016-0718.patch b/gnu/packages/patches/expat-CVE-2016-0718.patch
deleted file mode 100644
index 22436c20cc..0000000000
--- a/gnu/packages/patches/expat-CVE-2016-0718.patch
+++ /dev/null
@@ -1,761 +0,0 @@
-Fix CVE-2016-0718.
-
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
-
-https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2016-0718-v2-2-1.patch/
-
-From cdfcb1b5c95e93b00ae9e9d25708b4a3bee72c15 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 2 May 2016 00:02:44 +0200
-Subject: [PATCH] Address CVE-2016-0718 (/patch/ version 2.2.1)
-
-* Out of bounds memory access when doing text conversion on malformed input
-* Integer overflow related to memory allocation
-
-Reported by Gustavo Grieco
-
-Patch credits go to
-* Christian Heimes
-* Karl Waclawek
-* Gustavo Grieco
-* Sebastian Pipping
-* Pascal Cuoq
----
- expat/lib/xmlparse.c    |  34 +++++++++-----
- expat/lib/xmltok.c      | 115 +++++++++++++++++++++++++++++++++++-------------
- expat/lib/xmltok.h      |  10 ++++-
- expat/lib/xmltok_impl.c |  62 +++++++++++++-------------
- 4 files changed, 146 insertions(+), 75 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index e308c79..13e080d 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2436,11 +2436,11 @@ doContent(XML_Parser parser,
-           for (;;) {
-             int bufSize;
-             int convLen;
--            XmlConvert(enc,
-+            const enum XML_Convert_Result convert_res = XmlConvert(enc,
-                        &fromPtr, rawNameEnd,
-                        (ICHAR **)&toPtr, (ICHAR *)tag->bufEnd - 1);
-             convLen = (int)(toPtr - (XML_Char *)tag->buf);
--            if (fromPtr == rawNameEnd) {
-+            if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE)) {
-               tag->name.strLen = convLen;
-               break;
-             }
-@@ -2661,11 +2661,11 @@ doContent(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = s;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -3269,11 +3269,11 @@ doCdataSection(XML_Parser parser,
-           if (MUST_CONVERT(enc, s)) {
-             for (;;) {
-               ICHAR *dataPtr = (ICHAR *)dataBuf;
--              XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-+              const enum XML_Convert_Result convert_res = XmlConvert(enc, &s, next, &dataPtr, (ICHAR *)dataBufEnd);
-               *eventEndPP = next;
-               charDataHandler(handlerArg, dataBuf,
-                               (int)(dataPtr - (ICHAR *)dataBuf));
--              if (s == next)
-+              if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-                 break;
-               *eventPP = s;
-             }
-@@ -5350,6 +5350,7 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-               const char *s, const char *end)
- {
-   if (MUST_CONVERT(enc, s)) {
-+    enum XML_Convert_Result convert_res;
-     const char **eventPP;
-     const char **eventEndPP;
-     if (enc == encoding) {
-@@ -5362,11 +5363,11 @@ reportDefault(XML_Parser parser, const ENCODING *enc,
-     }
-     do {
-       ICHAR *dataPtr = (ICHAR *)dataBuf;
--      XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-+      convert_res = XmlConvert(enc, &s, end, &dataPtr, (ICHAR *)dataBufEnd);
-       *eventEndPP = s;
-       defaultHandler(handlerArg, dataBuf, (int)(dataPtr - (ICHAR *)dataBuf));
-       *eventPP = s;
--    } while (s != end);
-+    } while ((convert_res != XML_CONVERT_COMPLETED) && (convert_res != XML_CONVERT_INPUT_INCOMPLETE));
-   }
-   else
-     defaultHandler(handlerArg, (XML_Char *)s, (int)((XML_Char *)end - (XML_Char *)s));
-@@ -6169,8 +6170,8 @@ poolAppend(STRING_POOL *pool, const ENCODING *enc,
-   if (!pool->ptr && !poolGrow(pool))
-     return NULL;
-   for (;;) {
--    XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
--    if (ptr == end)
-+    const enum XML_Convert_Result convert_res = XmlConvert(enc, &ptr, end, (ICHAR **)&(pool->ptr), (ICHAR *)pool->end);
-+    if ((convert_res == XML_CONVERT_COMPLETED) || (convert_res == XML_CONVERT_INPUT_INCOMPLETE))
-       break;
-     if (!poolGrow(pool))
-       return NULL;
-@@ -6254,8 +6255,13 @@ poolGrow(STRING_POOL *pool)
-     }
-   }
-   if (pool->blocks && pool->start == pool->blocks->s) {
--    int blockSize = (int)(pool->end - pool->start)*2;
--    BLOCK *temp = (BLOCK *)
-+    BLOCK *temp;
-+    int blockSize = (int)((unsigned)(pool->end - pool->start)*2U);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-+    temp = (BLOCK *)
-       pool->mem->realloc_fcn(pool->blocks,
-                              (offsetof(BLOCK, s)
-                               + blockSize * sizeof(XML_Char)));
-@@ -6270,6 +6276,10 @@ poolGrow(STRING_POOL *pool)
-   else {
-     BLOCK *tem;
-     int blockSize = (int)(pool->end - pool->start);
-+
-+    if (blockSize < 0)
-+      return XML_FALSE;
-+
-     if (blockSize < INIT_BLOCK_SIZE)
-       blockSize = INIT_BLOCK_SIZE;
-     else
-diff --git a/lib/xmltok.c b/lib/xmltok.c
-index bf09dfc..cb98ce1 100644
---- a/lib/xmltok.c
-+++ b/lib/xmltok.c
-@@ -318,39 +318,55 @@ enum {  /* UTF8_cvalN is value of masked first byte of N byte sequence */
-   UTF8_cval4 = 0xf0
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf8(const ENCODING *enc,
-             const char **fromP, const char *fromLim,
-             char **toP, const char *toLim)
- {
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
-   char *to;
-   const char *from;
-   if (fromLim - *fromP > toLim - *toP) {
-     /* Avoid copying partial characters. */
-+    res = XML_CONVERT_OUTPUT_EXHAUSTED;
-     for (fromLim = *fromP + (toLim - *toP); fromLim > *fromP; fromLim--)
-       if (((unsigned char)fromLim[-1] & 0xc0) != 0x80)
-         break;
-   }
--  for (to = *toP, from = *fromP; from != fromLim; from++, to++)
-+  for (to = *toP, from = *fromP; (from < fromLim) && (to < toLim); from++, to++)
-     *to = *from;
-   *fromP = from;
-   *toP = to;
-+
-+  if ((to == toLim) && (from < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return res;
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- utf8_toUtf16(const ENCODING *enc,
-              const char **fromP, const char *fromLim,
-              unsigned short **toP, const unsigned short *toLim)
- {
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED;
-   unsigned short *to = *toP;
-   const char *from = *fromP;
--  while (from != fromLim && to != toLim) {
-+  while (from < fromLim && to < toLim) {
-     switch (((struct normal_encoding *)enc)->type[(unsigned char)*from]) {
-     case BT_LEAD2:
-+      if (fromLim - from < 2) {
-+        res = XML_CONVERT_INPUT_INCOMPLETE;
-+        break;
-+      }
-       *to++ = (unsigned short)(((from[0] & 0x1f) << 6) | (from[1] & 0x3f));
-       from += 2;
-       break;
-     case BT_LEAD3:
-+      if (fromLim - from < 3) {
-+        res = XML_CONVERT_INPUT_INCOMPLETE;
-+        break;
-+      }
-       *to++ = (unsigned short)(((from[0] & 0xf) << 12)
-                                | ((from[1] & 0x3f) << 6) | (from[2] & 0x3f));
-       from += 3;
-@@ -358,8 +374,14 @@ utf8_toUtf16(const ENCODING *enc,
-     case BT_LEAD4:
-       {
-         unsigned long n;
--        if (to + 1 == toLim)
-+        if (toLim - to < 2) {
-+          res = XML_CONVERT_OUTPUT_EXHAUSTED;
-           goto after;
-+        }
-+        if (fromLim - from < 4) {
-+          res = XML_CONVERT_INPUT_INCOMPLETE;
-+          goto after;
-+        }
-         n = ((from[0] & 0x7) << 18) | ((from[1] & 0x3f) << 12)
-             | ((from[2] & 0x3f) << 6) | (from[3] & 0x3f);
-         n -= 0x10000;
-@@ -377,6 +399,7 @@ utf8_toUtf16(const ENCODING *enc,
- after:
-   *fromP = from;
-   *toP = to;
-+  return res;
- }
- 
- #ifdef XML_NS
-@@ -425,7 +448,7 @@ static const struct normal_encoding internal_utf8_encoding = {
-   STANDARD_VTABLE(sb_) NORMAL_VTABLE(utf8_)
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf8(const ENCODING *enc,
-               const char **fromP, const char *fromLim,
-               char **toP, const char *toLim)
-@@ -433,30 +456,35 @@ latin1_toUtf8(const ENCODING *enc,
-   for (;;) {
-     unsigned char c;
-     if (*fromP == fromLim)
--      break;
-+      return XML_CONVERT_COMPLETED;
-     c = (unsigned char)**fromP;
-     if (c & 0x80) {
-       if (toLim - *toP < 2)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       *(*toP)++ = (char)((c >> 6) | UTF8_cval2);
-       *(*toP)++ = (char)((c & 0x3f) | 0x80);
-       (*fromP)++;
-     }
-     else {
-       if (*toP == toLim)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       *(*toP)++ = *(*fromP)++;
-     }
-   }
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- latin1_toUtf16(const ENCODING *enc,
-                const char **fromP, const char *fromLim,
-                unsigned short **toP, const unsigned short *toLim)
- {
--  while (*fromP != fromLim && *toP != toLim)
-+  while (*fromP < fromLim && *toP < toLim)
-     *(*toP)++ = (unsigned char)*(*fromP)++;
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- #ifdef XML_NS
-@@ -483,13 +511,18 @@ static const struct normal_encoding latin1_encoding = {
-   STANDARD_VTABLE(sb_)
- };
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- ascii_toUtf8(const ENCODING *enc,
-              const char **fromP, const char *fromLim,
-              char **toP, const char *toLim)
- {
--  while (*fromP != fromLim && *toP != toLim)
-+  while (*fromP < fromLim && *toP < toLim)
-     *(*toP)++ = *(*fromP)++;
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- #ifdef XML_NS
-@@ -536,13 +569,14 @@ unicode_byte_type(char hi, char lo)
- }
- 
- #define DEFINE_UTF16_TO_UTF8(E) \
--static void  PTRCALL \
-+static enum XML_Convert_Result  PTRCALL \
- E ## toUtf8(const ENCODING *enc, \
-             const char **fromP, const char *fromLim, \
-             char **toP, const char *toLim) \
- { \
--  const char *from; \
--  for (from = *fromP; from != fromLim; from += 2) { \
-+  const char *from = *fromP; \
-+  fromLim = from + (((fromLim - from) >> 1) << 1);  /* shrink to even */ \
-+  for (; from < fromLim; from += 2) { \
-     int plane; \
-     unsigned char lo2; \
-     unsigned char lo = GET_LO(from); \
-@@ -552,7 +586,7 @@ E ## toUtf8(const ENCODING *enc, \
-       if (lo < 0x80) { \
-         if (*toP == toLim) { \
-           *fromP = from; \
--          return; \
-+          return XML_CONVERT_OUTPUT_EXHAUSTED; \
-         } \
-         *(*toP)++ = lo; \
-         break; \
-@@ -562,7 +596,7 @@ E ## toUtf8(const ENCODING *enc, \
-     case 0x4: case 0x5: case 0x6: case 0x7: \
-       if (toLim -  *toP < 2) { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-       } \
-       *(*toP)++ = ((lo >> 6) | (hi << 2) |  UTF8_cval2); \
-       *(*toP)++ = ((lo & 0x3f) | 0x80); \
-@@ -570,7 +604,7 @@ E ## toUtf8(const ENCODING *enc, \
-     default: \
-       if (toLim -  *toP < 3)  { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-       } \
-       /* 16 bits divided 4, 6, 6 amongst 3 bytes */ \
-       *(*toP)++ = ((hi >> 4) | UTF8_cval3); \
-@@ -580,7 +614,11 @@ E ## toUtf8(const ENCODING *enc, \
-     case 0xD8: case 0xD9: case 0xDA: case 0xDB: \
-       if (toLim -  *toP < 4) { \
-         *fromP = from; \
--        return; \
-+        return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+      } \
-+      if (fromLim - from < 4) { \
-+        *fromP = from; \
-+        return XML_CONVERT_INPUT_INCOMPLETE; \
-       } \
-       plane = (((hi & 0x3) << 2) | ((lo >> 6) & 0x3)) + 1; \
-       *(*toP)++ = ((plane >> 2) | UTF8_cval4); \
-@@ -596,20 +634,32 @@ E ## toUtf8(const ENCODING *enc, \
-     } \
-   } \
-   *fromP = from; \
-+  if (from < fromLim) \
-+    return XML_CONVERT_INPUT_INCOMPLETE; \
-+  else \
-+    return XML_CONVERT_COMPLETED; \
- }
- 
- #define DEFINE_UTF16_TO_UTF16(E) \
--static void  PTRCALL \
-+static enum XML_Convert_Result  PTRCALL \
- E ## toUtf16(const ENCODING *enc, \
-              const char **fromP, const char *fromLim, \
-              unsigned short **toP, const unsigned short *toLim) \
- { \
-+  enum XML_Convert_Result res = XML_CONVERT_COMPLETED; \
-+  fromLim = *fromP + (((fromLim - *fromP) >> 1) << 1);  /* shrink to even */ \
-   /* Avoid copying first half only of surrogate */ \
-   if (fromLim - *fromP > ((toLim - *toP) << 1) \
--      && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) \
-+      && (GET_HI(fromLim - 2) & 0xF8) == 0xD8) { \
-     fromLim -= 2; \
--  for (; *fromP != fromLim && *toP != toLim; *fromP += 2) \
-+    res = XML_CONVERT_INPUT_INCOMPLETE; \
-+  } \
-+  for (; *fromP < fromLim && *toP < toLim; *fromP += 2) \
-     *(*toP)++ = (GET_HI(*fromP) << 8) | GET_LO(*fromP); \
-+  if ((*toP == toLim) && (*fromP < fromLim)) \
-+    return XML_CONVERT_OUTPUT_EXHAUSTED; \
-+  else \
-+    return res; \
- }
- 
- #define SET2(ptr, ch) \
-@@ -1288,7 +1338,7 @@ unknown_isInvalid(const ENCODING *enc, const char *p)
-   return (c & ~0xFFFF) || checkCharRefNumber(c) < 0;
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf8(const ENCODING *enc,
-                const char **fromP, const char *fromLim,
-                char **toP, const char *toLim)
-@@ -1299,21 +1349,21 @@ unknown_toUtf8(const ENCODING *enc,
-     const char *utf8;
-     int n;
-     if (*fromP == fromLim)
--      break;
-+      return XML_CONVERT_COMPLETED;
-     utf8 = uenc->utf8[(unsigned char)**fromP];
-     n = *utf8++;
-     if (n == 0) {
-       int c = uenc->convert(uenc->userData, *fromP);
-       n = XmlUtf8Encode(c, buf);
-       if (n > toLim - *toP)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       utf8 = buf;
-       *fromP += (AS_NORMAL_ENCODING(enc)->type[(unsigned char)**fromP]
-                  - (BT_LEAD2 - 2));
-     }
-     else {
-       if (n > toLim - *toP)
--        break;
-+        return XML_CONVERT_OUTPUT_EXHAUSTED;
-       (*fromP)++;
-     }
-     do {
-@@ -1322,13 +1372,13 @@ unknown_toUtf8(const ENCODING *enc,
-   }
- }
- 
--static void PTRCALL
-+static enum XML_Convert_Result PTRCALL
- unknown_toUtf16(const ENCODING *enc,
-                 const char **fromP, const char *fromLim,
-                 unsigned short **toP, const unsigned short *toLim)
- {
-   const struct unknown_encoding *uenc = AS_UNKNOWN_ENCODING(enc);
--  while (*fromP != fromLim && *toP != toLim) {
-+  while (*fromP < fromLim && *toP < toLim) {
-     unsigned short c = uenc->utf16[(unsigned char)**fromP];
-     if (c == 0) {
-       c = (unsigned short)
-@@ -1340,6 +1390,11 @@ unknown_toUtf16(const ENCODING *enc,
-       (*fromP)++;
-     *(*toP)++ = c;
-   }
-+
-+  if ((*toP == toLim) && (*fromP < fromLim))
-+    return XML_CONVERT_OUTPUT_EXHAUSTED;
-+  else
-+    return XML_CONVERT_COMPLETED;
- }
- 
- ENCODING *
-@@ -1503,7 +1558,7 @@ initScan(const ENCODING * const *encodingTable,
- {
-   const ENCODING **encPtr;
- 
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   encPtr = enc->encPtr;
-   if (ptr + 1 == end) {
-diff --git a/lib/xmltok.h b/lib/xmltok.h
-index ca867aa..752007e 100644
---- a/lib/xmltok.h
-+++ b/lib/xmltok.h
-@@ -130,6 +130,12 @@ typedef int (PTRCALL *SCANNER)(const ENCODING *,
-                                const char *,
-                                const char **);
- 
-+enum XML_Convert_Result {
-+  XML_CONVERT_COMPLETED = 0,
-+  XML_CONVERT_INPUT_INCOMPLETE = 1,
-+  XML_CONVERT_OUTPUT_EXHAUSTED = 2  /* and therefore potentially input remaining as well */
-+};
-+
- struct encoding {
-   SCANNER scanners[XML_N_STATES];
-   SCANNER literalScanners[XML_N_LITERAL_TYPES];
-@@ -158,12 +164,12 @@ struct encoding {
-                             const char *ptr,
-                             const char *end,
-                             const char **badPtr);
--  void (PTRCALL *utf8Convert)(const ENCODING *enc,
-+  enum XML_Convert_Result (PTRCALL *utf8Convert)(const ENCODING *enc,
-                               const char **fromP,
-                               const char *fromLim,
-                               char **toP,
-                               const char *toLim);
--  void (PTRCALL *utf16Convert)(const ENCODING *enc,
-+  enum XML_Convert_Result (PTRCALL *utf16Convert)(const ENCODING *enc,
-                                const char **fromP,
-                                const char *fromLim,
-                                unsigned short **toP,
-diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
-index 9c2895b..6c5a3ba 100644
---- a/lib/xmltok_impl.c
-+++ b/lib/xmltok_impl.c
-@@ -93,13 +93,13 @@ static int PTRCALL
- PREFIX(scanComment)(const ENCODING *enc, const char *ptr,
-                     const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     if (!CHAR_MATCHES(enc, ptr, ASCII_MINUS)) {
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
-     ptr += MINBPC(enc);
--    while (ptr != end) {
-+    while (ptr < end) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       INVALID_CASES(ptr, nextTokPtr)
-       case BT_MINUS:
-@@ -147,7 +147,7 @@ PREFIX(scanDecl)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_PERCNT:
-       if (ptr + MINBPC(enc) == end)
-@@ -233,7 +233,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_S: case BT_CR: case BT_LF:
-@@ -242,7 +242,7 @@ PREFIX(scanPi)(const ENCODING *enc, const char *ptr,
-         return XML_TOK_INVALID;
-       }
-       ptr += MINBPC(enc);
--      while (ptr != end) {
-+      while (ptr < end) {
-         switch (BYTE_TYPE(enc, ptr)) {
-         INVALID_CASES(ptr, nextTokPtr)
-         case BT_QUEST:
-@@ -305,7 +305,7 @@ static int PTRCALL
- PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
-                         const char *end, const char **nextTokPtr)
- {
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -348,7 +348,7 @@ PREFIX(cdataSectionTok)(const ENCODING *enc, const char *ptr,
-     ptr += MINBPC(enc);
-     break;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: \
-@@ -391,11 +391,11 @@ PREFIX(scanEndTag)(const ENCODING *enc, const char *ptr,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_S: case BT_CR: case BT_LF:
--      for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+      for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-         switch (BYTE_TYPE(enc, ptr)) {
-         case BT_S: case BT_CR: case BT_LF:
-           break;
-@@ -432,7 +432,7 @@ static int PTRCALL
- PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
-                        const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_DIGIT:
-     case BT_HEX:
-@@ -441,7 +441,7 @@ PREFIX(scanHexCharRef)(const ENCODING *enc, const char *ptr,
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
--    for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+    for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       case BT_DIGIT:
-       case BT_HEX:
-@@ -464,7 +464,7 @@ static int PTRCALL
- PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
-                     const char *end, const char **nextTokPtr)
- {
--  if (ptr != end) {
-+  if (ptr < end) {
-     if (CHAR_MATCHES(enc, ptr, ASCII_x))
-       return PREFIX(scanHexCharRef)(enc, ptr + MINBPC(enc), end, nextTokPtr);
-     switch (BYTE_TYPE(enc, ptr)) {
-@@ -474,7 +474,7 @@ PREFIX(scanCharRef)(const ENCODING *enc, const char *ptr,
-       *nextTokPtr = ptr;
-       return XML_TOK_INVALID;
-     }
--    for (ptr += MINBPC(enc); ptr != end; ptr += MINBPC(enc)) {
-+    for (ptr += MINBPC(enc); ptr < end; ptr += MINBPC(enc)) {
-       switch (BYTE_TYPE(enc, ptr)) {
-       case BT_DIGIT:
-         break;
-@@ -506,7 +506,7 @@ PREFIX(scanRef)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_SEMI:
-@@ -529,7 +529,7 @@ PREFIX(scanAtts)(const ENCODING *enc, const char *ptr, const char *end,
- #ifdef XML_NS
-   int hadColon = 0;
- #endif
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -716,7 +716,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
-   hadColon = 0;
- #endif
-   /* we have a start-tag */
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
- #ifdef XML_NS
-@@ -740,7 +740,7 @@ PREFIX(scanLt)(const ENCODING *enc, const char *ptr, const char *end,
-     case BT_S: case BT_CR: case BT_LF:
-       {
-         ptr += MINBPC(enc);
--        while (ptr != end) {
-+        while (ptr < end) {
-           switch (BYTE_TYPE(enc, ptr)) {
-           CHECK_NMSTRT_CASES(enc, ptr, end, nextTokPtr)
-           case BT_GT:
-@@ -785,7 +785,7 @@ static int PTRCALL
- PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
-                    const char **nextTokPtr)
- {
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -832,7 +832,7 @@ PREFIX(contentTok)(const ENCODING *enc, const char *ptr, const char *end,
-     ptr += MINBPC(enc);
-     break;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: \
-@@ -895,7 +895,7 @@ PREFIX(scanPercent)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_SEMI:
-@@ -921,7 +921,7 @@ PREFIX(scanPoundName)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_CR: case BT_LF: case BT_S:
-@@ -941,7 +941,7 @@ PREFIX(scanLit)(int open, const ENCODING *enc,
-                 const char *ptr, const char *end,
-                 const char **nextTokPtr)
- {
--  while (ptr != end) {
-+  while (ptr < end) {
-     int t = BYTE_TYPE(enc, ptr);
-     switch (t) {
-     INVALID_CASES(ptr, nextTokPtr)
-@@ -973,7 +973,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
-                   const char **nextTokPtr)
- {
-   int tok;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   if (MINBPC(enc) > 1) {
-     size_t n = end - ptr;
-@@ -1141,7 +1141,7 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
-     *nextTokPtr = ptr;
-     return XML_TOK_INVALID;
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     CHECK_NAME_CASES(enc, ptr, end, nextTokPtr)
-     case BT_GT: case BT_RPAR: case BT_COMMA:
-@@ -1204,10 +1204,10 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr,
-                           const char *end, const char **nextTokPtr)
- {
-   const char *start;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   start = ptr;
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: ptr += n; break;
-@@ -1262,10 +1262,10 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr,
-                        const char *end, const char **nextTokPtr)
- {
-   const char *start;
--  if (ptr == end)
-+  if (ptr >= end)
-     return XML_TOK_NONE;
-   start = ptr;
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
- #define LEAD_CASE(n) \
-     case BT_LEAD ## n: ptr += n; break;
-@@ -1326,7 +1326,7 @@ PREFIX(ignoreSectionTok)(const ENCODING *enc, const char *ptr,
-       end = ptr + n;
-     }
-   }
--  while (ptr != end) {
-+  while (ptr < end) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     INVALID_CASES(ptr, nextTokPtr)
-     case BT_LT:
-@@ -1373,7 +1373,7 @@ PREFIX(isPublicId)(const ENCODING *enc, const char *ptr, const char *end,
- {
-   ptr += MINBPC(enc);
-   end -= MINBPC(enc);
--  for (; ptr != end; ptr += MINBPC(enc)) {
-+  for (; ptr < end; ptr += MINBPC(enc)) {
-     switch (BYTE_TYPE(enc, ptr)) {
-     case BT_DIGIT:
-     case BT_HEX:
-@@ -1760,7 +1760,7 @@ PREFIX(updatePosition)(const ENCODING *enc,
-     case BT_CR:
-       pos->lineNumber++;
-       ptr += MINBPC(enc);
--      if (ptr != end && BYTE_TYPE(enc, ptr) == BT_LF)
-+      if (ptr < end && BYTE_TYPE(enc, ptr) == BT_LF)
-         ptr += MINBPC(enc);
-       pos->columnNumber = (XML_Size)-1;
-       break;
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
new file mode 100644
index 0000000000..1f3cb028d4
--- /dev/null
+++ b/gnu/packages/patches/flex-CVE-2016-6354.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
+https://security-tracker.debian.org/tracker/CVE-2016-6354
+
+Patch copied from upstream source repository:
+https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
+
+From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
+From: Will Estes <westes575@gmail.com>
+Date: Sat, 27 Feb 2016 11:56:05 -0500
+Subject: [PATCH] Fixed incorrect integer type
+
+---
+ src/flex.skl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index 36a526a..64f853d 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch b/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
deleted file mode 100644
index 617d5afbaf..0000000000
--- a/gnu/packages/patches/fontconfig-CVE-2016-5384.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-Fix CVE-2016-5384 (double-free resulting in arbitrary code execution):
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5384>
-
-Copied from upstream code repository:
-
-<https://cgit.freedesktop.org/fontconfig/commit/?id=7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940>
-
-From 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sat, 25 Jun 2016 19:18:53 +0200
-Subject: Properly validate offsets in cache files.
-
-The cache files are insufficiently validated. Even though the magic
-number at the beginning of the file as well as time stamps are checked,
-it is not verified if contained offsets are in legal ranges or are
-even pointers.
-
-The lack of validation allows an attacker to trigger arbitrary free()
-calls, which in turn allows double free attacks and therefore arbitrary
-code execution. Due to the conversion from offsets into pointers through
-macros, this even allows to circumvent ASLR protections.
-
-This attack vector allows privilege escalation when used with setuid
-binaries like fbterm. A user can create ~/.fonts or any other
-system-defined user-private font directory, run fc-cache and adjust
-cache files in ~/.cache/fontconfig. The execution of setuid binaries will
-scan these files and therefore are prone to attacks.
-
-If it's not about code execution, an endless loop can be created by
-letting linked lists become circular linked lists.
-
-This patch verifies that:
-
-- The file is not larger than the maximum addressable space, which
-  basically only affects 32 bit systems. This allows out of boundary
-  access into unallocated memory.
-- Offsets are always positive or zero
-- Offsets do not point outside file boundaries
-- No pointers are allowed in cache files, every "pointer or offset"
-  field must be an offset or NULL
-- Iterating linked lists must not take longer than the amount of elements
-  specified. A violation of this rule can break a possible endless loop.
-
-If one or more of these points are violated, the cache is recreated.
-This is current behaviour.
-
-Even though this patch fixes many issues, the use of mmap() shall be
-forbidden in setuid binaries. It is impossible to guarantee with these
-checks that a malicious user does not change cache files after
-verification. This should be handled in a different patch.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
-diff --git a/src/fccache.c b/src/fccache.c
-index 71e8f03..02ec301 100644
---- a/src/fccache.c
-+++ b/src/fccache.c
-@@ -27,6 +27,7 @@
- #include <fcntl.h>
- #include <dirent.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <assert.h>
-@@ -587,6 +588,82 @@ FcCacheTimeValid (FcConfig *config, FcCache *cache, struct stat *dir_stat)
-     return cache->checksum == (int) dir_stat->st_mtime && fnano;
- }
- 
-+static FcBool
-+FcCacheOffsetsValid (FcCache *cache)
-+{
-+    char		*base = (char *)cache;
-+    char		*end = base + cache->size;
-+    intptr_t		*dirs;
-+    FcFontSet		*fs;
-+    int			 i, j;
-+
-+    if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) ||
-+        memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL)
-+        return FcFalse;
-+
-+    if (cache->dirs < 0 || cache->dirs >= cache->size ||
-+        cache->dirs_count < 0 ||
-+        cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t))
-+        return FcFalse;
-+
-+    dirs = FcCacheDirs (cache);
-+    if (dirs)
-+    {
-+        for (i = 0; i < cache->dirs_count; i++)
-+        {
-+            FcChar8	*dir;
-+
-+            if (dirs[i] < 0 ||
-+                dirs[i] > end - (char *) dirs - sizeof (intptr_t))
-+                return FcFalse;
-+
-+            dir = FcOffsetToPtr (dirs, dirs[i], FcChar8);
-+            if (memchr (dir, '\0', end - (char *) dir) == NULL)
-+                return FcFalse;
-+         }
-+    }
-+
-+    if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet))
-+        return FcFalse;
-+
-+    fs = FcCacheSet (cache);
-+    if (fs)
-+    {
-+        if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern))
-+            return FcFalse;
-+
-+        if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts))
-+            return FcFalse;
-+
-+        for (i = 0; i < fs->nfont; i++)
-+        {
-+            FcPattern		*font = FcFontSetFont (fs, i);
-+            FcPatternElt	*e;
-+            FcValueListPtr	 l;
-+
-+            if ((char *) font < base ||
-+                (char *) font > end - sizeof (FcFontSet) ||
-+                font->elts_offset < 0 ||
-+                font->elts_offset > end - (char *) font ||
-+                font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt))
-+                return FcFalse;
-+
-+
-+            e = FcPatternElts(font);
-+            if (e->values != 0 && !FcIsEncodedOffset(e->values))
-+                return FcFalse;
-+
-+            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
-+                if (l->next != NULL && !FcIsEncodedOffset(l->next))
-+                    break;
-+            if (j < 0)
-+                return FcFalse;
-+        }
-+    }
-+
-+    return FcTrue;
-+}
-+
- /*
-  * Map a cache file into memory
-  */
-@@ -596,7 +673,8 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
-     FcCache	*cache;
-     FcBool	allocated = FcFalse;
- 
--    if (fd_stat->st_size < (int) sizeof (FcCache))
-+    if (fd_stat->st_size > INTPTR_MAX ||
-+        fd_stat->st_size < (int) sizeof (FcCache))
- 	return NULL;
-     cache = FcCacheFindByStat (fd_stat);
-     if (cache)
-@@ -652,6 +730,7 @@ FcDirCacheMapFd (FcConfig *config, int fd, struct stat *fd_stat, struct stat *di
-     if (cache->magic != FC_CACHE_MAGIC_MMAP ||
- 	cache->version < FC_CACHE_VERSION_NUMBER ||
- 	cache->size != (intptr_t) fd_stat->st_size ||
-+        !FcCacheOffsetsValid (cache) ||
- 	!FcCacheTimeValid (config, cache, dir_stat) ||
- 	!FcCacheInsert (cache, fd_stat))
-     {
--- 
-cgit v0.10.2
-
diff --git a/gnu/packages/patches/gawk-fts-test.patch b/gnu/packages/patches/gawk-fts-test.patch
deleted file mode 100644
index de1f5c431c..0000000000
--- a/gnu/packages/patches/gawk-fts-test.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-This is upstream commit c9a018c.  We have observed random failures of
-this test on i686 that seem related to load.
-
-2015-05-21         Arnold D. Robbins     <arnold@skeeve.com>
-
-	* fts.awk: Really remove atime from the output. 
-	This avoids spurious failures on heavily loaded systems.
-
-diff --git a/test/fts.awk b/test/fts.awk
-index b1df060..dea5b68 100644
---- a/test/fts.awk
-+++ b/test/fts.awk
-@@ -50,6 +50,11 @@ function sort_traverse(data,	sorted, i)
- {
- 	asorti(data, sorted)
- 	for (i = 1; i in sorted; i++) {
-+		# 5/2015: skip for atime, since there can
-+		# occasionally be small differences.
-+		if (sorted[i] == "atime")
-+			continue
-+
- 		indent()
- 		printf("%s --> %s\n", sorted[i], data[sorted[i]]) > output
- 	}
-@@ -63,17 +68,20 @@ function traverse(data,         i)
- 			printf("%s:\n", i) > output
- 
- 			Level++
--			if (("mtime" in data[i]) && ! isarray(data[i][mtime])) {
-+			if (("mtime" in data[i]) && ! isarray(data[i]["mtime"])) {
- 				sort_traverse(data[i])
- 			} else {
- 				traverse(data[i])
- 			}
- 			Level--
--		} else if (data[i] != "atime") {
--			# 4/2015: skip for atime, since there can
--			# occasionally be small differences.
--			indent()
--			printf("%s --> %s\n", i, data[i]) > output
-+#		} else {
-+#			JUNK = 1
-+#			if (i != "atime") {
-+#				# 4/2015: skip for atime, since there can
-+#				# occasionally be small differences.
-+#				indent()
-+#				printf("%s --> %s\n", i, data[i]) > output
-+#			}
- 		}
- 	}
- }
diff --git a/gnu/packages/patches/gcc-arm-bug-71399.patch b/gnu/packages/patches/gcc-arm-bug-71399.patch
new file mode 100644
index 0000000000..6f04fece0e
--- /dev/null
+++ b/gnu/packages/patches/gcc-arm-bug-71399.patch
@@ -0,0 +1,55 @@
+Revert the following commit to work around a bootstrap comparison failure on
+ARMv7, as reported at <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71399>.
+
+commit f6ab85b7049a03962ea98924d00802da357a1ad3
+Author: renlin <renlin@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date:   Wed Dec 2 14:06:31 2015 +0000
+
+    [PR67383][ARM][4.9]Backport of "Allow any register for DImode values in Thumb2"
+    
+    This partially fix PR67383. It allows the reload more flexibility to choose
+    spilling pseudo registers.
+    
+    
+    gcc/ChangeLog:
+    
+    2015-12-02  Renlin Li  <renlin.li@arm.com>
+    
+            Backport from mainline.
+            2014-04-22  Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
+    
+            * config/arm/arm.c (arm_hard_regno_mode_ok): Loosen
+            restrictions on core registers for DImode values in Thumb2.
+    
+    
+    git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_9-branch@231177 138bc75d-0d04-0410-961f-82ee72b054a4
+
+diff --git a/gcc/config/arm/arm.c b/gcc/config/arm/arm.c
+index 8ba6060..d9028a1 100644
+--- b/gcc/config/arm/arm.c
++++ a/gcc/config/arm/arm.c
+@@ -22624,19 +22624,12 @@
+     }
+ 
+   /* We allow almost any value to be stored in the general registers.
+-     Restrict doubleword quantities to even register pairs in ARM state
+-     so that we can use ldrd.  Do not allow very large Neon structure
+-     opaque modes in general registers; they would use too many.  */
++     Restrict doubleword quantities to even register pairs so that we can
++     use ldrd.  Do not allow very large Neon structure opaque modes in
++     general registers; they would use too many.  */
+   if (regno <= LAST_ARM_REGNUM)
+-    {
+-      if (ARM_NUM_REGS (mode) > 4)
+-	  return FALSE;
+-
+-      if (TARGET_THUMB2)
+-	return TRUE;
+-
+-      return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0);
+-    }
++    return !(TARGET_LDRD && GET_MODE_SIZE (mode) > 4 && (regno & 1) != 0)
++      && ARM_NUM_REGS (mode) <= 4;
+ 
+   if (regno == FRAME_POINTER_REGNUM
+       || regno == ARG_POINTER_REGNUM)
diff --git a/gnu/packages/patches/gnupg-fix-expired-test.patch b/gnu/packages/patches/gnupg-fix-expired-test.patch
deleted file mode 100644
index ac2564f50c..0000000000
--- a/gnu/packages/patches/gnupg-fix-expired-test.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-Fix a test that has an expiration date of 2016-09-17:
-
-https://bugs.gnupg.org/gnupg/issue2393
-
-Patch adapted from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e584d6468a2e72cd01e55f46104f9f96b56c0b66
-
-The patch has been altered by commenting out a diff that does not apply
-to the version of GnuPG that we are applying it to, 2.1.13. This is
-what the patch author refers to below with "This commit includes changes
-to the old test as well, for those who need to backport it." We keep the
-old test and comment out the new test.
-
-From e584d6468a2e72cd01e55f46104f9f96b56c0b66 Mon Sep 17 00:00:00 2001
-From: Justus Winter <justus@g10code.com>
-Date: Thu, 23 Jun 2016 17:24:23 +0200
-Subject: [PATCH] tests/openpgp: Fake the system time for the tofu test.
-
-The keys in the tofu test are set to expire on 2016-09-17.  Fake the
-system time for this test.
-
-This commit includes changes to the old test as well, for those who
-need to backport it.
-
-* tests/openpgp/gpg-agent.conf.tmpl: Drop trailing newlines.
-* tests/openpgp/tofu.scm: Fake system time.
-* tests/openpgp/tofu.test: Likewise.
-
-GnuPG-bug-id: 2393
-Signed-off-by: Justus Winter <justus@g10code.com>
----
- tests/openpgp/gpg-agent.conf.tmpl | 2 --
- tests/openpgp/tofu.scm            | 4 +++-
- tests/openpgp/tofu.test           | 3 +++
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tests/openpgp/gpg-agent.conf.tmpl b/tests/openpgp/gpg-agent.conf.tmpl
-index b3cb54f..70e1633 100644
---- a/tests/openpgp/gpg-agent.conf.tmpl
-+++ b/tests/openpgp/gpg-agent.conf.tmpl
-@@ -1,4 +1,2 @@
- allow-preset-passphrase
- no-grab
--
--
-#diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm
-#index 24fa9df..38b6a0f 100755
-#--- a/tests/openpgp/tofu.scm
-#+++ b/tests/openpgp/tofu.scm
-#@@ -19,7 +19,9 @@
-# 
-# (load (with-path "defs.scm"))
-# 
-#-(define GPG `(,(tool 'gpg) --no-permission-warning)) ;; w/o --always-trust
-#+ ;; Redefine GPG without --always-trust and a fixed time.
-#+(define GPG `(,(tool 'gpg) --no-permission-warning
-#+	      --faked-system-time=1466684990))
-# (define GNUPGHOME (getenv "GNUPGHOME"))
-# (if (string=? "" GNUPGHOME)
-#     (error "GNUPGHOME not set"))
-diff --git a/tests/openpgp/tofu.test b/tests/openpgp/tofu.test
-index 18c1756..0d34af4 100755
---- a/tests/openpgp/tofu.test
-+++ b/tests/openpgp/tofu.test
-@@ -4,6 +4,9 @@
- 
- # set -x
- 
-+# Redefine GPG with a fixed time.
-+GPG="$GPG --faked-system-time=1466684990"
-+
- KEYS="2183839A BC15C85A EE37CF96"
- 
- # Make sure $srcdir is set.
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/guile-relocatable.patch b/gnu/packages/patches/guile-relocatable.patch
index 077394cdde..2431495f24 100644
--- a/gnu/packages/patches/guile-relocatable.patch
+++ b/gnu/packages/patches/guile-relocatable.patch
@@ -1,8 +1,6 @@
 This patch changes Guile to use a default search path relative to the
 location of the `guile' binary, allowing it to be relocated.
 
-diff --git a/libguile/load.c b/libguile/load.c
-index af2ca45..19dd338 100644
 --- a/libguile/load.c
 +++ b/libguile/load.c
 @@ -26,6 +26,7 @@
@@ -12,8 +10,8 @@ index af2ca45..19dd338 100644
 +#include <libgen.h>
  
  #include "libguile/_scm.h"
- #include "libguile/private-gc.h" /* scm_getenv_int */
-@@ -255,6 +256,32 @@ scm_init_load_path ()
+ #include "libguile/alist.h"
+@@ -325,6 +326,32 @@
    SCM cpath = SCM_EOL;
  
  #ifdef SCM_LIBRARY_DIR
@@ -43,10 +41,10 @@ index af2ca45..19dd338 100644
 +  strcpy (ccache_dir, prefix);
 +  strcat (ccache_dir, "/lib/guile/2.0/ccache");
 +
-   env = getenv ("GUILE_SYSTEM_PATH");
+   env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_PATH"));
    if (env && strcmp (env, "") == 0)
      /* special-case interpret system-path=="" as meaning no system path instead
-@@ -263,10 +290,7 @@ scm_init_load_path ()
+@@ -333,10 +360,7 @@
    else if (env)
      path = scm_parse_path (scm_from_locale_string (env), path);
    else
@@ -56,9 +54,9 @@ index af2ca45..19dd338 100644
 -                       scm_from_locale_string (SCM_PKGDATA_DIR));
 +    path = scm_list_1 (scm_from_locale_string (module_dir));
  
-   env = getenv ("GUILE_SYSTEM_COMPILED_PATH");
+   env = scm_i_mirror_backslashes (getenv ("GUILE_SYSTEM_COMPILED_PATH"));
    if (env && strcmp (env, "") == 0)
-@@ -276,8 +300,7 @@ scm_init_load_path ()
+@@ -346,8 +370,7 @@
      cpath = scm_parse_path (scm_from_locale_string (env), cpath);
    else
      {
diff --git a/gnu/packages/patches/isl-0.11.1-aarch64-support.patch b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
new file mode 100644
index 0000000000..c5607fc80d
--- /dev/null
+++ b/gnu/packages/patches/isl-0.11.1-aarch64-support.patch
@@ -0,0 +1,40 @@
+Add aarch64 support to config.guess and config.sub, as would be found if using
+a more recent version of autoconf.
+---
+ config.guess          |    7 +++++++
+ config.sub            |    1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config.guess b/config.guess
+index 40eaed4..baad294 100755
+--- a/config.guess
++++ b/config.guess
+@@ -861,6 +861,13 @@ EOF
+     i*86:Minix:*:*)
+ 	echo ${UNAME_MACHINE}-pc-minix
+ 	exit ;;
++    aarch64:Linux:*:*)
++	echo ${UNAME_MACHINE}-unknown-linux-gnu
++	exit ;;
++    aarch64_be:Linux:*:*)
++	UNAME_MACHINE=aarch64_be
++	echo ${UNAME_MACHINE}-unknown-linux-gnu
++	exit ;;
+     alpha:Linux:*:*)
+ 	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ 	  EV5)   UNAME_MACHINE=alphaev5 ;;
+diff --git a/config.sub b/config.sub
+index 30fdca8..8f5b018 100755
+--- a/config.sub
++++ b/config.sub
+@@ -247,6 +247,7 @@ case $basic_machine in
+ 	# Some are omitted here because they have special meanings below.
+ 	1750a | 580 \
+ 	| a29k \
++	| aarch64 | aarch64_be \
+ 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ 	| am33_2.0 \
+-- 
+2.9.0
+
diff --git a/gnu/packages/patches/libx11-CVE-2016-7942.patch b/gnu/packages/patches/libx11-CVE-2016-7942.patch
deleted file mode 100644
index 75770235ef..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7942.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Fix CVE-2016-7942:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17
-
-From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:25:25 +0200
-Subject: [PATCH] Validation of server responses in XGetImage()
-
-Check if enough bytes were received for specified image type and
-geometry. Otherwise GetPixel and other functions could trigger an
-out of boundary read later on.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/GetImage.c | 29 ++++++++++++++++++++---------
- 1 file changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/src/GetImage.c b/src/GetImage.c
-index c461abc..ff32d58 100644
---- a/src/GetImage.c
-+++ b/src/GetImage.c
-@@ -59,6 +59,7 @@ XImage *XGetImage (
- 	char *data;
- 	unsigned long nbytes;
- 	XImage *image;
-+	int planes;
- 	LockDisplay(dpy);
- 	GetReq (GetImage, req);
- 	/*
-@@ -91,18 +92,28 @@ XImage *XGetImage (
- 	    return (XImage *) NULL;
- 	}
-         _XReadPad (dpy, data, nbytes);
--        if (format == XYPixmap)
--	   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
--		  Ones (plane_mask &
--			(((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
--		  format, 0, data, width, height, dpy->bitmap_pad, 0);
--	else /* format == ZPixmap */
--           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
--		 rep.depth, ZPixmap, 0, data, width, height,
--		  _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+        if (format == XYPixmap) {
-+	    image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-+		Ones (plane_mask &
-+		    (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-+		format, 0, data, width, height, dpy->bitmap_pad, 0);
-+	    planes = image->depth;
-+	} else { /* format == ZPixmap */
-+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-+		rep.depth, ZPixmap, 0, data, width, height,
-+		    _XGetScanlinePad(dpy, (int) rep.depth), 0);
-+	    planes = 1;
-+	}
- 
- 	if (!image)
- 	    Xfree(data);
-+	if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
-+	    INT_MAX / image->height <= image->bytes_per_line ||
-+	    INT_MAX / planes <= image->height * image->bytes_per_line ||
-+	    nbytes < planes * image->height * image->bytes_per_line) {
-+	    XDestroyImage(image);
-+	    image = NULL;
-+	}
- 	UnlockDisplay(dpy);
- 	SyncHandle();
- 	return (image);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libx11-CVE-2016-7943.patch b/gnu/packages/patches/libx11-CVE-2016-7943.patch
deleted file mode 100644
index 7bcbc58dd4..0000000000
--- a/gnu/packages/patches/libx11-CVE-2016-7943.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-Fix CVE-2016-7943:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7943.
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8c29f1607a31dac0911e45a0dd3d74173822b3c9
-
-From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:22:57 +0200
-Subject: [PATCH] The validation of server responses avoids out of boundary
- accesses.
-
-v2: FontNames.c  return a NULL list whenever a single
-length field from the server is incohent.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/FontNames.c | 23 +++++++++++++++++------
- src/ListExt.c   | 12 ++++++++----
- src/ModMap.c    |  3 ++-
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/src/FontNames.c b/src/FontNames.c
-index 21dcafe..e55f338 100644
---- a/src/FontNames.c
-+++ b/src/FontNames.c
-@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */
- 
-     if (rep.nFonts) {
- 	flist = Xmalloc (rep.nFonts * sizeof(char *));
--	if (rep.length < (INT_MAX >> 2)) {
-+	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- 	    rlen = rep.length << 2;
- 	    ch = Xmalloc(rlen + 1);
- 	    /* +1 to leave room for last null-terminator */
-@@ -93,11 +93,22 @@ int *actualCount)	/* RETURN */
- 	    if (ch + length < chend) {
- 		flist[i] = ch + 1;  /* skip over length */
- 		ch += length + 1;  /* find next length ... */
--		length = *(unsigned char *)ch;
--		*ch = '\0';  /* and replace with null-termination */
--		count++;
--	    } else
--		flist[i] = NULL;
-+		if (ch <= chend) {
-+		    length = *(unsigned char *)ch;
-+		    *ch = '\0';  /* and replace with null-termination */
-+		    count++;
-+		} else {
-+                    Xfree(flist);
-+                    flist = NULL;
-+                    count = 0;
-+                    break;
-+		}
-+	    } else {
-+                Xfree(flist);
-+                flist = NULL;
-+                count = 0;
-+                break;
-+            }
- 	}
-     }
-     *actualCount = count;
-diff --git a/src/ListExt.c b/src/ListExt.c
-index be6b989..0516e45 100644
---- a/src/ListExt.c
-+++ b/src/ListExt.c
-@@ -55,7 +55,7 @@ char **XListExtensions(
- 
- 	if (rep.nExtensions) {
- 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
--	    if (rep.length < (INT_MAX >> 2)) {
-+	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
- 		rlen = rep.length << 2;
- 		ch = Xmalloc (rlen + 1);
-                 /* +1 to leave room for last null-terminator */
-@@ -80,9 +80,13 @@ char **XListExtensions(
- 		if (ch + length < chend) {
- 		    list[i] = ch+1;  /* skip over length */
- 		    ch += length + 1; /* find next length ... */
--		    length = *ch;
--		    *ch = '\0'; /* and replace with null-termination */
--		    count++;
-+		    if (ch <= chend) {
-+			length = *ch;
-+			*ch = '\0'; /* and replace with null-termination */
-+			count++;
-+		    } else {
-+			list[i] = NULL;
-+		    }
- 		} else
- 		    list[i] = NULL;
- 	    }
-diff --git a/src/ModMap.c b/src/ModMap.c
-index a809aa2..49a5d08 100644
---- a/src/ModMap.c
-+++ b/src/ModMap.c
-@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
-     GetEmptyReq(GetModifierMapping, req);
-     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- 
--    if (rep.length < (INT_MAX >> 2)) {
-+    if (rep.length < (INT_MAX >> 2) &&
-+	(rep.length >> 1) == rep.numKeyPerModifier) {
- 	nbytes = (unsigned long)rep.length << 2;
- 	res = Xmalloc(sizeof (XModifierKeymap));
- 	if (res)
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch b/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
deleted file mode 100644
index 2ce463fc46..0000000000
--- a/gnu/packages/patches/libxfixes-CVE-2016-7944.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-Fix CVE-2016-7944:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7944
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
-
-From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:38:44 +0200
-Subject: [PATCH] Integer overflow on illegal server response
-
-The 32 bit field "rep.length" is not checked for validity, which allows
-an integer overflow on 32 bit systems.
-
-A malicious server could send INT_MAX as length, which gets multiplied
-by the size of XRectangle. In that case the client won't read the whole
-data from server, getting out of sync.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Region.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/src/Region.c b/src/Region.c
-index cb0cf6e..59bcc1a 100644
---- a/src/Region.c
-+++ b/src/Region.c
-@@ -23,6 +23,7 @@
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include "Xfixesint.h"
- 
- XserverRegion
-@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display	    *dpy,
-     bounds->y = rep.y;
-     bounds->width = rep.width;
-     bounds->height = rep.height;
--    nbytes = (long) rep.length << 2;
--    nrects = rep.length >> 1;
--    rects = Xmalloc (nrects * sizeof (XRectangle));
-+
-+    if (rep.length < (INT_MAX >> 2)) {
-+	nbytes = (long) rep.length << 2;
-+	nrects = rep.length >> 1;
-+	rects = Xmalloc (nrects * sizeof (XRectangle));
-+    } else {
-+	nbytes = 0;
-+	nrects = 0;
-+	rects = NULL;
-+    }
-+
-     if (!rects)
-     {
- 	_XEatDataWords(dpy, rep.length);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch b/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
deleted file mode 100644
index ca899e34c0..0000000000
--- a/gnu/packages/patches/libxi-CVE-2016-7945-CVE-2016-7946.patch
+++ /dev/null
@@ -1,420 +0,0 @@
-Fix CVE-2016-7945:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7945
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=19a9cd607de73947fcfb104682f203ffe4e1f4e5
-
-From 19a9cd607de73947fcfb104682f203ffe4e1f4e5 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:31:34 +0200
-Subject: [PATCH] Properly validate server responses.
-
-By validating length fields from server responses, out of boundary
-accesses and endless loops can be mitigated.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XGMotion.c      |  3 ++-
- src/XGetBMap.c      |  3 ++-
- src/XGetDCtl.c      |  6 ++++--
- src/XGetFCtl.c      |  7 ++++++-
- src/XGetKMap.c      | 14 +++++++++++---
- src/XGetMMap.c      | 11 +++++++++--
- src/XIQueryDevice.c | 36 ++++++++++++++++++++++++++++++++++--
- src/XListDev.c      | 21 +++++++++++++++------
- src/XOpenDev.c      | 13 ++++++++++---
- src/XQueryDv.c      |  8 ++++++--
- 10 files changed, 99 insertions(+), 23 deletions(-)
-
-diff --git a/src/XGMotion.c b/src/XGMotion.c
-index 7785843..9433e29 100644
---- a/src/XGMotion.c
-+++ b/src/XGMotion.c
-@@ -114,7 +114,8 @@ XGetDeviceMotionEvents(
-     }
-     /* rep.axes is a CARD8, so assume max number of axes for bounds check */
-     if (rep.nEvents <
--	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
-+	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
-+	rep.nEvents * (rep.axes + 1) <= rep.length) {
- 	size_t bsize = rep.nEvents *
- 	    (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
- 	bufp = Xmalloc(bsize);
-diff --git a/src/XGetBMap.c b/src/XGetBMap.c
-index 002daba..13bb8c6 100644
---- a/src/XGetBMap.c
-+++ b/src/XGetBMap.c
-@@ -92,7 +92,8 @@ XGetDeviceButtonMapping(
- 
-     status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
-     if (status == 1) {
--	if (rep.length <= (sizeof(mapping) >> 2)) {
-+	if (rep.length <= (sizeof(mapping) >> 2) &&
-+	    rep.nElts <= (rep.length << 2)) {
- 	    unsigned long nbytes = rep.length << 2;
- 	    _XRead(dpy, (char *)mapping, nbytes);
- 
-diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
-index c5d3b53..7f6b396 100644
---- a/src/XGetDCtl.c
-+++ b/src/XGetDCtl.c
-@@ -93,7 +93,8 @@ XGetDeviceControl(
-     if (rep.length > 0) {
- 	unsigned long nbytes;
- 	size_t size = 0;
--	if (rep.length < (INT_MAX >> 2)) {
-+	if (rep.length < (INT_MAX >> 2) &&
-+	    (rep.length << 2) >= sizeof(xDeviceState)) {
- 	    nbytes = (unsigned long) rep.length << 2;
- 	    d = Xmalloc(nbytes);
- 	}
-@@ -117,7 +118,8 @@ XGetDeviceControl(
- 	    size_t val_size;
- 
- 	    r = (xDeviceResolutionState *) d;
--	    if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
-+	    if (sizeof(xDeviceResolutionState) > nbytes ||
-+		r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
- 		goto out;
- 	    val_size = 3 * sizeof(int) * r->num_valuators;
- 	    if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
-diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
-index 7fd6d0e..82dcc64 100644
---- a/src/XGetFCtl.c
-+++ b/src/XGetFCtl.c
-@@ -73,6 +73,7 @@ XGetFeedbackControl(
-     XFeedbackState *Sav = NULL;
-     xFeedbackState *f = NULL;
-     xFeedbackState *sav = NULL;
-+    char *end = NULL;
-     xGetFeedbackControlReq *req;
-     xGetFeedbackControlReply rep;
-     XExtDisplayInfo *info = XInput_find_display(dpy);
-@@ -105,10 +106,12 @@ XGetFeedbackControl(
- 	    goto out;
- 	}
- 	sav = f;
-+	end = (char *)f + nbytes;
- 	_XRead(dpy, (char *)f, nbytes);
- 
- 	for (i = 0; i < *num_feedbacks; i++) {
--	    if (f->length > nbytes)
-+	    if ((char *)f + sizeof(*f) > end ||
-+	        f->length == 0 || f->length > nbytes)
- 		goto out;
- 	    nbytes -= f->length;
- 
-@@ -125,6 +128,8 @@ XGetFeedbackControl(
- 	    case StringFeedbackClass:
- 	    {
- 		xStringFeedbackState *strf = (xStringFeedbackState *) f;
-+		if ((char *)f + sizeof(*strf) > end)
-+		    goto out;
- 		size += sizeof(XStringFeedbackState) +
- 		    (strf->num_syms_supported * sizeof(KeySym));
- 	    }
-diff --git a/src/XGetKMap.c b/src/XGetKMap.c
-index 0540ce4..008a72b 100644
---- a/src/XGetKMap.c
-+++ b/src/XGetKMap.c
-@@ -54,6 +54,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -93,9 +94,16 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
- 	return (KeySym *) NULL;
-     }
-     if (rep.length > 0) {
--	*syms_per_code = rep.keySymsPerKeyCode;
--	nbytes = (long)rep.length << 2;
--	mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+	if (rep.length < INT_MAX >> 2 &&
-+	    rep.length == rep.keySymsPerKeyCode * keycount) {
-+	    *syms_per_code = rep.keySymsPerKeyCode;
-+	    nbytes = (long)rep.length << 2;
-+	    mapping = (KeySym *) Xmalloc((unsigned)nbytes);
-+	} else {
-+	    *syms_per_code = 0;
-+	    nbytes = 0;
-+	    mapping = NULL;
-+	}
- 	if (mapping)
- 	    _XRead(dpy, (char *)mapping, nbytes);
- 	else
-diff --git a/src/XGetMMap.c b/src/XGetMMap.c
-index 246698c..33c114f 100644
---- a/src/XGetMMap.c
-+++ b/src/XGetMMap.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -85,8 +86,14 @@ XGetDeviceModifierMapping(
- 	SyncHandle();
- 	return (XModifierKeymap *) NULL;
-     }
--    nbytes = (unsigned long)rep.length << 2;
--    res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+    if (rep.length < (INT_MAX >> 2) &&
-+	rep.numKeyPerModifier == rep.length >> 1) {
-+	nbytes = (unsigned long)rep.length << 2;
-+	res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
-+    } else {
-+	nbytes = 0;
-+	res = NULL;
-+    }
-     if (res) {
- 	res->modifiermap = (KeyCode *) Xmalloc(nbytes);
- 	if (res->modifiermap)
-diff --git a/src/XIQueryDevice.c b/src/XIQueryDevice.c
-index fb8504f..a457cd6 100644
---- a/src/XIQueryDevice.c
-+++ b/src/XIQueryDevice.c
-@@ -26,6 +26,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdint.h>
- #include <X11/Xlibint.h>
- #include <X11/extensions/XI2proto.h>
-@@ -43,6 +44,7 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     xXIQueryDeviceReq   *req;
-     xXIQueryDeviceReply reply;
-     char                *ptr;
-+    char                *end;
-     int                 i;
-     char                *buf;
- 
-@@ -60,14 +62,24 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     if (!_XReply(dpy, (xReply*) &reply, 0, xFalse))
-         goto error;
- 
--    *ndevices_return = reply.num_devices;
--    info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+    if (reply.length < INT_MAX / 4)
-+    {
-+	*ndevices_return = reply.num_devices;
-+	info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
-+    }
-+    else
-+    {
-+	*ndevices_return = 0;
-+	info = NULL;
-+    }
-+
-     if (!info)
-         goto error;
- 
-     buf = Xmalloc(reply.length * 4);
-     _XRead(dpy, buf, reply.length * 4);
-     ptr = buf;
-+    end = buf + reply.length * 4;
- 
-     /* info is a null-terminated array */
-     info[reply.num_devices].name = NULL;
-@@ -79,6 +91,9 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-         XIDeviceInfo    *lib = &info[i];
-         xXIDeviceInfo   *wire = (xXIDeviceInfo*)ptr;
- 
-+        if (ptr + sizeof(xXIDeviceInfo) > end)
-+            goto error_loop;
-+
-         lib->deviceid    = wire->deviceid;
-         lib->use         = wire->use;
-         lib->attachment  = wire->attachment;
-@@ -87,12 +102,23 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
- 
-         ptr += sizeof(xXIDeviceInfo);
- 
-+        if (ptr + wire->name_len > end)
-+            goto error_loop;
-+
-         lib->name = Xcalloc(wire->name_len + 1, 1);
-+        if (lib->name == NULL)
-+            goto error_loop;
-         strncpy(lib->name, ptr, wire->name_len);
-+        lib->name[wire->name_len] = '\0';
-         ptr += ((wire->name_len + 3)/4) * 4;
- 
-         sz = size_classes((xXIAnyInfo*)ptr, nclasses);
-         lib->classes = Xmalloc(sz);
-+        if (lib->classes == NULL)
-+        {
-+            Xfree(lib->name);
-+            goto error_loop;
-+        }
-         ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses);
-         /* We skip over unused classes */
-         lib->num_classes = nclasses;
-@@ -103,6 +129,12 @@ XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
-     SyncHandle();
-     return info;
- 
-+error_loop:
-+    while (--i >= 0)
-+    {
-+        Xfree(info[i].name);
-+        Xfree(info[i].classes);
-+    }
- error:
-     UnlockDisplay(dpy);
- error_unlocked:
-diff --git a/src/XListDev.c b/src/XListDev.c
-index b85ff3c..f850cd0 100644
---- a/src/XListDev.c
-+++ b/src/XListDev.c
-@@ -74,7 +74,7 @@ static int pad_to_xid(int base_size)
- }
- 
- static size_t
--SizeClassInfo(xAnyClassPtr *any, int num_classes)
-+SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
- {
-     int size = 0;
-     int j;
-@@ -90,6 +90,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
-                 {
-                     xValuatorInfoPtr v;
- 
-+                    if (len < sizeof(v))
-+                        return 0;
-                     v = (xValuatorInfoPtr) *any;
-                     size += pad_to_xid(sizeof(XValuatorInfo) +
-                         (v->num_axes * sizeof(XAxisInfo)));
-@@ -98,6 +100,8 @@ SizeClassInfo(xAnyClassPtr *any, int num_classes)
-             default:
-                 break;
-         }
-+        if ((*any)->length > len)
-+            return 0;
-         *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
-     }
- 
-@@ -170,7 +174,7 @@ XListInputDevices(
-     register Display	*dpy,
-     int			*ndevices)
- {
--    size_t size;
-+    size_t s, size;
-     xListInputDevicesReq *req;
-     xListInputDevicesReply rep;
-     xDeviceInfo *list, *slist = NULL;
-@@ -178,6 +182,7 @@ XListInputDevices(
-     XDeviceInfo *clist = NULL;
-     xAnyClassPtr any, sav_any;
-     XAnyClassPtr Any;
-+    char *end = NULL;
-     unsigned char *nptr, *Nptr;
-     int i;
-     unsigned long rlen;
-@@ -213,16 +218,20 @@ XListInputDevices(
- 
- 	any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
- 	sav_any = any;
-+	end = (char *)list + rlen;
- 	for (i = 0; i < *ndevices; i++, list++) {
--            size += SizeClassInfo(&any, (int)list->num_classes);
-+            s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
-+            if (!s)
-+                goto out;
-+            size += s;
- 	}
- 
--	Nptr = ((unsigned char *)list) + rlen + 1;
-+	Nptr = ((unsigned char *)list) + rlen;
- 	for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
-+	    if (nptr >= Nptr)
-+		goto out;
- 	    size += *nptr + 1;
- 	    nptr += (*nptr + 1);
--	    if (nptr > Nptr)
--		goto out;
- 	}
- 
- 	clist = (XDeviceInfoPtr) Xmalloc(size);
-diff --git a/src/XOpenDev.c b/src/XOpenDev.c
-index 029dec2..4b3c460 100644
---- a/src/XOpenDev.c
-+++ b/src/XOpenDev.c
-@@ -53,6 +53,7 @@ SOFTWARE.
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <X11/extensions/XI.h>
- #include <X11/extensions/XIproto.h>
- #include <X11/Xlibint.h>
-@@ -86,9 +87,15 @@ XOpenDevice(
- 	return (XDevice *) NULL;
-     }
- 
--    rlen = rep.length << 2;
--    dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
--			      sizeof(XInputClassInfo));
-+    if (rep.length < INT_MAX >> 2 &&
-+	(rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
-+	rlen = rep.length << 2;
-+	dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
-+				  sizeof(XInputClassInfo));
-+    } else {
-+	rlen = 0;
-+	dev = NULL;
-+    }
-     if (dev) {
- 	int dlen;	/* data length */
- 
-diff --git a/src/XQueryDv.c b/src/XQueryDv.c
-index de1c0e5..7ee2272 100644
---- a/src/XQueryDv.c
-+++ b/src/XQueryDv.c
-@@ -73,7 +73,7 @@ XQueryDeviceState(
-     xQueryDeviceStateReply rep;
-     XDeviceState *state = NULL;
-     XInputClass *any, *Any;
--    char *data = NULL;
-+    char *data = NULL, *end = NULL;
-     XExtDisplayInfo *info = XInput_find_display(dpy);
- 
-     LockDisplay(dpy);
-@@ -92,6 +92,7 @@ XQueryDeviceState(
- 	if (rep.length < (INT_MAX >> 2)) {
- 	    rlen = (unsigned long) rep.length << 2;
- 	    data = Xmalloc(rlen);
-+	    end = data + rlen;
- 	}
- 	if (!data) {
- 	    _XEatDataWords(dpy, rep.length);
-@@ -100,7 +101,8 @@ XQueryDeviceState(
- 	_XRead(dpy, data, rlen);
- 
- 	for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
--	    if (any->length > rlen)
-+	    if ((char *)any + sizeof(XInputClass) > end ||
-+		any->length == 0 || any->length > rlen)
- 		goto out;
- 	    rlen -= any->length;
- 
-@@ -114,6 +116,8 @@ XQueryDeviceState(
- 	    case ValuatorClass:
- 	    {
- 		xValuatorState *v = (xValuatorState *) any;
-+		if ((char *)any + sizeof(xValuatorState) > end)
-+		    goto out;
- 		size += (sizeof(XValuatorState) +
- 			 (v->num_valuators * sizeof(int)));
- 	    }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch b/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
deleted file mode 100644
index ece8b18309..0000000000
--- a/gnu/packages/patches/libxrandr-CVE-2016-7947-CVE-2016-7948.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-Fix CVE-2016-7947 and CVE-2016-7948.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7947
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6
-
-From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:21:40 +0200
-Subject: [PATCH] Avoid out of boundary accesses on illegal responses
-
-The responses of the connected X server have to be properly checked
-to avoid out of boundary accesses that could otherwise be triggered
-by a malicious server.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XrrConfig.c   | 32 +++++++++++++--------
- src/XrrCrtc.c     | 83 ++++++++++++++++++++++++++++++++++++++++++-------------
- src/XrrMonitor.c  | 18 ++++++++++++
- src/XrrOutput.c   | 11 ++++++++
- src/XrrProvider.c | 28 ++++++++++++++++---
- src/XrrScreen.c   | 52 ++++++++++++++++++++++------------
- 6 files changed, 172 insertions(+), 52 deletions(-)
-
-diff --git a/src/XrrConfig.c b/src/XrrConfig.c
-index 2f0282b..e68c45a 100644
---- a/src/XrrConfig.c
-+++ b/src/XrrConfig.c
-@@ -29,6 +29,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
- 	rep.rate = 0;
- 	rep.nrateEnts = 0;
-     }
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytes = (long) rep.length << 2;
-+	nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
-+			    ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
- 
--    nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
--			 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	rbytes = sizeof (XRRScreenConfiguration) +
-+	  (rep.nSizes * sizeof (XRRScreenSize) +
-+	   rep.nrateEnts * sizeof (int));
- 
--    rbytes = sizeof (XRRScreenConfiguration) +
--      (rep.nSizes * sizeof (XRRScreenSize) +
--       rep.nrateEnts * sizeof (int));
-+	scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	scp = NULL;
-+    }
- 
--    scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
-     if (scp == NULL) {
- 	_XEatData (dpy, (unsigned long) nbytes);
- 	return NULL;
-diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
-index 5ae35c5..6665092 100644
---- a/src/XrrCrtc.c
-+++ b/src/XrrCrtc.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
- 	return NULL;
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2)
-+    {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nOutput * 4 +
--			 rep.nPossibleOutput * 4);
-+	nbytesRead = (long) (rep.nOutput * 4 +
-+			     rep.nPossibleOutput * 4);
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
- 
--    rbytes = (sizeof (XRRCrtcInfo) +
--	      rep.nOutput * sizeof (RROutput) +
--	      rep.nPossibleOutput * sizeof (RROutput));
-+	rbytes = (sizeof (XRRCrtcInfo) +
-+		  rep.nOutput * sizeof (RROutput) +
-+		  rep.nPossibleOutput * sizeof (RROutput));
-+
-+	xci = (XRRCrtcInfo *) Xmalloc(rbytes);
-+    }
-+    else
-+    {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xci = NULL;
-+    }
- 
--    xci = (XRRCrtcInfo *) Xmalloc(rbytes);
-     if (xci == NULL) {
- 	_XEatDataWords (dpy, rep.length);
- 	UnlockDisplay (dpy);
-@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
-     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
- 	goto out;
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2)
-+    {
-+	nbytes = (long) rep.length << 2;
- 
--    /* three channels of CARD16 data */
--    nbytesRead = (rep.size * 2 * 3);
-+	/* three channels of CARD16 data */
-+	nbytesRead = (rep.size * 2 * 3);
- 
--    crtc_gamma = XRRAllocGamma (rep.size);
-+	crtc_gamma = XRRAllocGamma (rep.size);
-+    }
-+    else
-+    {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	crtc_gamma = NULL;
-+    }
- 
-     if (!crtc_gamma)
-     {
-@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display	*dpy,
-     xRRGetCrtcTransformReq	*req;
-     int				major_version, minor_version;
-     XRRCrtcTransformAttributes	*attr;
--    char			*extra = NULL, *e;
-+    char			*extra = NULL, *end = NULL, *e;
-     int				p;
- 
-     *attributes = NULL;
-@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display	*dpy,
- 	else
- 	{
- 	    int extraBytes = rep.length * 4 - CrtcTransformExtra;
--	    extra = Xmalloc (extraBytes);
-+	    if (rep.length < INT_MAX / 4 &&
-+		rep.length * 4 >= CrtcTransformExtra) {
-+		extra = Xmalloc (extraBytes);
-+		end = extra + extraBytes;
-+	    } else
-+		extra = NULL;
- 	    if (!extra) {
--		_XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+		if (rep.length > (CrtcTransformExtra >> 2))
-+		    _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
-+		else
-+		    _XEatDataWords (dpy, rep.length);
- 		UnlockDisplay (dpy);
- 		SyncHandle ();
- 		return False;
-@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display	*dpy,
- 
-     e = extra;
- 
-+    if (e + rep.pendingNbytesFilter > end) {
-+	XFree (extra);
-+	return False;
-+    }
-     memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
-     attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
-     e += (rep.pendingNbytesFilter + 3) & ~3;
-     for (p = 0; p < rep.pendingNparamsFilter; p++) {
- 	INT32	f;
-+	if (e + 4 > end) {
-+	    XFree (extra);
-+	    return False;
-+	}
- 	memcpy (&f, e, 4);
- 	e += 4;
- 	attr->pendingParams[p] = (XFixed) f;
-     }
-     attr->pendingNparams = rep.pendingNparamsFilter;
- 
-+    if (e + rep.currentNbytesFilter > end) {
-+	XFree (extra);
-+	return False;
-+    }
-     memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
-     attr->currentFilter[rep.currentNbytesFilter] = '\0';
-     e += (rep.currentNbytesFilter + 3) & ~3;
-     for (p = 0; p < rep.currentNparamsFilter; p++) {
- 	INT32	f;
-+	if (e + 4 > end) {
-+	    XFree (extra);
-+	    return False;
-+	}
- 	memcpy (&f, e, 4);
- 	e += 4;
- 	attr->currentParams[p] = (XFixed) f;
-diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
-index a9eaa7b..adc5330 100644
---- a/src/XrrMonitor.c
-+++ b/src/XrrMonitor.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 ||
-+	rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
-+	rep.noutputs > INT_MAX / 4 ||
-+	rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
-+	_XEatData (dpy, rep.length);
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-     nbytes = (long) rep.length << 2;
-     nmon = rep.nmonitors;
-     noutput = rep.noutputs;
-@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
- 	    mon[m].outputs = output;
- 	    buf += SIZEOF (xRRMonitorInfo);
- 	    xoutput = (CARD32 *) buf;
-+	    if (xmon->noutput > rep.noutputs) {
-+	        Xfree(buf);
-+	        Xfree(mon);
-+	        UnlockDisplay (dpy);
-+	        SyncHandle ();
-+	        return NULL;
-+	    }
-+	    rep.noutputs -= xmon->noutput;
- 	    for (o = 0; o < xmon->noutput; o++)
- 		output[o] = xoutput[o];
- 	    output += xmon->noutput;
-diff --git a/src/XrrOutput.c b/src/XrrOutput.c
-index 85f0b6e..30f3d40 100644
---- a/src/XrrOutput.c
-+++ b/src/XrrOutput.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
-+    {
-+        if (rep.length > (OutputInfoExtra >> 2))
-+	    _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
-+	else
-+	    _XEatDataWords (dpy, rep.length);
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-     nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
- 
-     nbytesRead = (long) (rep.nCrtcs * 4 +
-diff --git a/src/XrrProvider.c b/src/XrrProvider.c
-index 9e620c7..d796cd0 100644
---- a/src/XrrProvider.c
-+++ b/src/XrrProvider.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
-       return NULL;
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nProviders * 4);
-+	nbytesRead = (long) (rep.nProviders * 4);
- 
--    rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
--    xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+	rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
-+		  sizeof(RRProvider));
-+	xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xrpr = NULL;
-+    }
- 
-     if (xrpr == NULL) {
-        _XEatDataWords (dpy, rep.length);
-@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
- 	return NULL;
-     }
- 
-+    if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
-+    {
-+	if (rep.length < ProviderInfoExtra >> 2)
-+	    _XEatDataWords (dpy, rep.length);
-+	else
-+	    _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
-+	UnlockDisplay (dpy);
-+	SyncHandle ();
-+	return NULL;
-+    }
-+
-     nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
- 
-     nbytesRead = (long)(rep.nCrtcs * 4 +
-diff --git a/src/XrrScreen.c b/src/XrrScreen.c
-index b8ce7e5..1f7ffe6 100644
---- a/src/XrrScreen.c
-+++ b/src/XrrScreen.c
-@@ -24,6 +24,7 @@
- #include <config.h>
- #endif
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <X11/Xlib.h>
- /* we need to be able to manipulate the Display structure on events */
-@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
- 	xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
-     }
- 
--    nbytes = (long) rep.length << 2;
-+    if (rep.length < INT_MAX >> 2) {
-+	nbytes = (long) rep.length << 2;
- 
--    nbytesRead = (long) (rep.nCrtcs * 4 +
--			 rep.nOutputs * 4 +
--			 rep.nModes * SIZEOF (xRRModeInfo) +
--			 ((rep.nbytesNames + 3) & ~3));
-+	nbytesRead = (long) (rep.nCrtcs * 4 +
-+			     rep.nOutputs * 4 +
-+			     rep.nModes * SIZEOF (xRRModeInfo) +
-+			     ((rep.nbytesNames + 3) & ~3));
- 
--    /*
--     * first we must compute how much space to allocate for
--     * randr library's use; we'll allocate the structures in a single
--     * allocation, on cleanlyness grounds.
--     */
-+	/*
-+	 * first we must compute how much space to allocate for
-+	 * randr library's use; we'll allocate the structures in a single
-+	 * allocation, on cleanlyness grounds.
-+	 */
-+
-+	rbytes = (sizeof (XRRScreenResources) +
-+		  rep.nCrtcs * sizeof (RRCrtc) +
-+		  rep.nOutputs * sizeof (RROutput) +
-+		  rep.nModes * sizeof (XRRModeInfo) +
-+		  rep.nbytesNames + rep.nModes);    /* '\0' terminate names */
- 
--    rbytes = (sizeof (XRRScreenResources) +
--	      rep.nCrtcs * sizeof (RRCrtc) +
--	      rep.nOutputs * sizeof (RROutput) +
--	      rep.nModes * sizeof (XRRModeInfo) +
--	      rep.nbytesNames + rep.nModes);	/* '\0' terminate names */
-+	xrsr = (XRRScreenResources *) Xmalloc(rbytes);
-+	wire_names = (char *) Xmalloc (rep.nbytesNames);
-+    } else {
-+	nbytes = 0;
-+	nbytesRead = 0;
-+	rbytes = 0;
-+	xrsr = NULL;
-+	wire_names = NULL;
-+    }
- 
--    xrsr = (XRRScreenResources *) Xmalloc(rbytes);
--    wire_names = (char *) Xmalloc (rep.nbytesNames);
-     if (xrsr == NULL || wire_names == NULL) {
- 	Xfree (xrsr);
- 	Xfree (wire_names);
-@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
-     wire_name = wire_names;
-     for (i = 0; i < rep.nModes; i++)  {
- 	xrsr->modes[i].name = names;
-+	if (xrsr->modes[i].nameLength > rep.nbytesNames) {
-+	    Xfree (xrsr);
-+	    Xfree (wire_names);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return NULL;
-+	}
-+	rep.nbytesNames -= xrsr->modes[i].nameLength;
- 	memcpy (names, wire_name, xrsr->modes[i].nameLength);
- 	names[xrsr->modes[i].nameLength] = '\0';
- 	names += xrsr->modes[i].nameLength + 1;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7949.patch b/gnu/packages/patches/libxrender-CVE-2016-7949.patch
deleted file mode 100644
index 3a2be4ea8e..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7949.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2016-7949:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
-
-From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:43:09 +0200
-Subject: [PATCH] Validate lengths while parsing server data.
-
-Individual lengths inside received server data can overflow
-the previously reserved memory.
-
-It is therefore important to validate every single length
-field to not overflow the previously agreed sum of all invidual
-length fields.
-
-v2: consume remaining bytes in the reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb@laas.fr
----
- src/Xrender.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/Xrender.c b/src/Xrender.c
-index 3102eb2..71cf3e6 100644
---- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
- 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
- 	screen->subpixel = SubPixelUnknown;
- 	xDepth = (xPictDepth *) (xScreen + 1);
-+	if (screen->ndepths > rep.numDepths) {
-+	    Xfree (xri);
-+	    Xfree (xData);
-+	    _XEatDataWords (dpy, rep.length);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return 0;
-+	}
-+	rep.numDepths -= screen->ndepths;
- 	for (nd = 0; nd < screen->ndepths; nd++)
- 	{
- 	    depth->depth = xDepth->depth;
- 	    depth->nvisuals = xDepth->nPictVisuals;
- 	    depth->visuals = visual;
- 	    xVisual = (xPictVisual *) (xDepth + 1);
-+	    if (depth->nvisuals > rep.numVisuals) {
-+		Xfree (xri);
-+		Xfree (xData);
-+		_XEatDataWords (dpy, rep.length);
-+		UnlockDisplay (dpy);
-+		SyncHandle ();
-+		return 0;
-+	    }
-+	    rep.numVisuals -= depth->nvisuals;
- 	    for (nv = 0; nv < depth->nvisuals; nv++)
- 	    {
- 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
deleted file mode 100644
index 1a64b6e724..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7950.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Fix CVE-2016-7950:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
-
-From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:42:09 +0200
-Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
-
-The memory for filter names is reserved right after receiving the reply.
-After that, filters are iterated and each individual filter name is
-stored in that reserved memory.
-
-The individual name lengths are not checked for validity, which means
-that a malicious server can reserve less memory than it will write to
-during each iteration.
-
-v2: consume remaining bytes in reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Filter.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/Filter.c b/src/Filter.c
-index edfa572..8d701eb 100644
---- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     char			*name;
-     char			len;
-     int				i;
--    unsigned long		nbytes, nbytesAlias, nbytesName;
-+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
- 
-     if (!RenderHasExtension (info))
- 	return NULL;
-@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-      * Read the filter aliases
-      */
-     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
-+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
- 
-     /*
-      * Read the filter names
-@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     {
- 	int	l;
- 	_XRead (dpy, &len, 1);
-+	reply_left--;
- 	l = len & 0xff;
-+	if ((unsigned long)l + 1 > nbytesName) {
-+            _XEatDataWords(dpy, reply_left);
-+	    Xfree(filters);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return NULL;
-+	}
-+	nbytesName -= l + 1;
- 	filters->filter[i] = name;
- 	_XRead (dpy, name, l);
-+        reply_left -= l;
- 	name[l] = '\0';
- 	name += l + 1;
-     }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch b/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
deleted file mode 100644
index 9df6cf3f4d..0000000000
--- a/gnu/packages/patches/libxtst-CVE-2016-7951-CVE-2016-7952.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-Fix CVE-2016-7951 and CVE-2016-7952
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7951
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7952
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXtst/commit/?id=9556ad67af3129ec4a7a4f4b54a0d59701beeae3
-
-From 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:37:01 +0200
-Subject: [PATCH] Out of boundary access and endless loop in libXtst
-
-A lack of range checks in libXtst allows out of boundary accesses.
-The checks have to be done in-place here, because it cannot be done
-without in-depth knowledge of the read data.
-
-If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
-without a client sequence have attached data, an endless loop would
-occur. The do-while-loop continues until the current index reaches
-the end. But in these cases, the current index would not be
-incremented, leading to an endless processing.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XRecord.c | 43 +++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 39 insertions(+), 4 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index 50420c0..fefd842 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -749,15 +749,23 @@ parse_reply_call_callback(
- 	switch (rep->category) {
- 	case XRecordFromServer:
- 	    if (rep->elementHeader&XRecordFromServerTime) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->server_time);
- 		current_index += 4;
- 	    }
-+	    if (current_index + 1 > rep->length << 2)
-+		return Error;
- 	    switch (reply->buf[current_index]) {
- 	    case X_Reply: /* reply */
-+		if (current_index + 8 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index+4, datum_bytes);
-+		if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
-+		    return Error;
- 		datum_bytes = (datum_bytes+8) << 2;
- 		break;
- 	    default: /* error or event */
-@@ -766,52 +774,73 @@ parse_reply_call_callback(
- 	    break;
- 	case XRecordFromClient:
- 	    if (rep->elementHeader&XRecordFromClientTime) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->server_time);
- 		current_index += 4;
- 	    }
- 	    if (rep->elementHeader&XRecordFromClientSequence) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->client_seq);
- 		current_index += 4;
- 	    }
-+	    if (current_index + 4 > rep->length<<2)
-+		return Error;
- 	    if (reply->buf[current_index+2] == 0
- 		&& reply->buf[current_index+3] == 0) /* needn't swap 0 */
- 	    {	/* BIG-REQUESTS */
-+		if (current_index + 8 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index+4, datum_bytes);
- 	    } else {
- 		EXTRACT_CARD16(rep->clientSwapped,
- 			       reply->buf+current_index+2, datum_bytes);
- 	    }
-+	    if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
-+		return Error;
- 	    datum_bytes <<= 2;
- 	    break;
- 	case XRecordClientStarted:
-+	    if (current_index + 8 > rep->length << 2)
-+		return Error;
- 	    EXTRACT_CARD16(rep->clientSwapped,
- 			   reply->buf+current_index+6, datum_bytes);
- 	    datum_bytes = (datum_bytes+2) << 2;
- 	    break;
- 	case XRecordClientDied:
- 	    if (rep->elementHeader&XRecordFromClientSequence) {
-+		if (current_index + 4 > rep->length << 2)
-+		    return Error;
- 		EXTRACT_CARD32(rep->clientSwapped,
- 			       reply->buf+current_index,
- 			       data->client_seq);
- 		current_index += 4;
--	    }
--	    /* fall through */
-+	    } else if (current_index < rep->length << 2)
-+		return Error;
-+	    datum_bytes = 0;
-+	    break;
- 	case XRecordStartOfData:
- 	case XRecordEndOfData:
-+	    if (current_index < rep->length << 2)
-+		return Error;
- 	    datum_bytes = 0;
-+	    break;
- 	}
- 
- 	if (datum_bytes > 0) {
--	    if (current_index + datum_bytes > rep->length << 2)
-+	    if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
- 		fprintf(stderr,
- 			"XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
--			(long)rep->length << 2, current_index + datum_bytes,
-+			(unsigned long)rep->length << 2, current_index + datum_bytes,
- 			dpy->last_request_read);
-+		return Error;
-+	    }
- 	    /*
- 	     * This assignment (and indeed the whole buffer sharing
- 	     * scheme) assumes arbitrary 4-byte boundaries are
-@@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context,
- 	    return 0;
- 	}
- 
-+	if (rep.length > INT_MAX >> 2) {
-+	    UnlockDisplay(dpy);
-+	    SyncHandle();
-+	    return 0;
-+	}
-+
- 	if (rep.length > 0) {
- 	    reply = alloc_reply_buffer(info, rep.length<<2);
- 	    if (!reply) {
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxv-CVE-2016-5407.patch b/gnu/packages/patches/libxv-CVE-2016-5407.patch
deleted file mode 100644
index e6a76c9f70..0000000000
--- a/gnu/packages/patches/libxv-CVE-2016-5407.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-Fix CVE-2016-5407:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5407
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=d9da580b46a28ab497de2e94fdc7b9ff953dab17
-
-From d9da580b46a28ab497de2e94fdc7b9ff953dab17 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:30:03 +0200
-Subject: [PATCH] Protocol handling issues in libXv - CVE-2016-5407
-
-The Xv query functions for adaptors and encodings suffer from out of
-boundary accesses if a hostile X server sends a maliciously crafted
-response.
-
-A previous fix already checks the received length against fixed values
-but ignores additional length specifications which are stored inside
-the received data.
-
-These lengths are accessed in a for-loop. The easiest way to guarantee
-a correct processing is by validating all lengths against the
-remaining size left before accessing referenced memory.
-
-This makes the previously applied check obsolete, therefore I removed
-it.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 29 insertions(+), 17 deletions(-)
-
-diff --git a/src/Xv.c b/src/Xv.c
-index e47093a..be450c4 100644
---- a/src/Xv.c
-+++ b/src/Xv.c
-@@ -158,6 +158,7 @@ XvQueryAdaptors(
-     size_t size;
-     unsigned int ii, jj;
-     char *name;
-+    char *end;
-     XvAdaptorInfo *pas = NULL, *pa;
-     XvFormat *pfs, *pf;
-     char *buffer = NULL;
-@@ -197,17 +198,13 @@ XvQueryAdaptors(
-     /* GET INPUT ADAPTORS */
- 
-     if (rep.num_adaptors == 0) {
--        /* If there's no adaptors, there's nothing more to do. */
-+        /* If there are no adaptors, there's nothing more to do. */
-         status = Success;
-         goto out;
-     }
- 
--    if (size < (rep.num_adaptors * sz_xvAdaptorInfo)) {
--        /* If there's not enough data for the number of adaptors,
--           then we have a problem. */
--        status = XvBadReply;
--        goto out;
--    }
-+    u.buffer = buffer;
-+    end = buffer + size;
- 
-     size = rep.num_adaptors * sizeof(XvAdaptorInfo);
-     if ((pas = Xmalloc(size)) == NULL) {
-@@ -225,9 +222,12 @@ XvQueryAdaptors(
-         pa++;
-     }
- 
--    u.buffer = buffer;
-     pa = pas;
-     for (ii = 0; ii < rep.num_adaptors; ii++) {
-+        if (u.buffer + sz_xvAdaptorInfo > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         pa->type = u.pa->type;
-         pa->base_id = u.pa->base_id;
-         pa->num_ports = u.pa->num_ports;
-@@ -239,6 +239,10 @@ XvQueryAdaptors(
-         size = u.pa->name_size;
-         u.buffer += pad_to_int32(sz_xvAdaptorInfo);
- 
-+        if (u.buffer + size > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         if ((name = Xmalloc(size + 1)) == NULL) {
-             status = XvBadAlloc;
-             goto out;
-@@ -259,6 +263,11 @@ XvQueryAdaptors(
- 
-         pf = pfs;
-         for (jj = 0; jj < pa->num_formats; jj++) {
-+            if (u.buffer + sz_xvFormat > end) {
-+                Xfree(pfs);
-+                status = XvBadReply;
-+                goto out;
-+            }
-             pf->depth = u.pf->depth;
-             pf->visual_id = u.pf->visual;
-             pf++;
-@@ -327,6 +336,7 @@ XvQueryEncodings(
-     size_t size;
-     unsigned int jj;
-     char *name;
-+    char *end;
-     XvEncodingInfo *pes = NULL, *pe;
-     char *buffer = NULL;
-     union {
-@@ -364,17 +374,13 @@ XvQueryEncodings(
-     /* GET ENCODINGS */
- 
-     if (rep.num_encodings == 0) {
--        /* If there's no encodings, there's nothing more to do. */
-+        /* If there are no encodings, there's nothing more to do. */
-         status = Success;
-         goto out;
-     }
- 
--    if (size < (rep.num_encodings * sz_xvEncodingInfo)) {
--        /* If there's not enough data for the number of adaptors,
--           then we have a problem. */
--        status = XvBadReply;
--        goto out;
--    }
-+    u.buffer = buffer;
-+    end = buffer + size;
- 
-     size = rep.num_encodings * sizeof(XvEncodingInfo);
-     if ((pes = Xmalloc(size)) == NULL) {
-@@ -391,10 +397,12 @@ XvQueryEncodings(
-         pe++;
-     }
- 
--    u.buffer = buffer;
--
-     pe = pes;
-     for (jj = 0; jj < rep.num_encodings; jj++) {
-+        if (u.buffer + sz_xvEncodingInfo > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         pe->encoding_id = u.pe->encoding;
-         pe->width = u.pe->width;
-         pe->height = u.pe->height;
-@@ -405,6 +413,10 @@ XvQueryEncodings(
-         size = u.pe->name_size;
-         u.buffer += pad_to_int32(sz_xvEncodingInfo);
- 
-+        if (u.buffer + size > end) {
-+            status = XvBadReply;
-+            goto out;
-+        }
-         if ((name = Xmalloc(size + 1)) == NULL) {
-             status = XvBadAlloc;
-             goto out;
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch b/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
deleted file mode 100644
index 737abdeb9f..0000000000
--- a/gnu/packages/patches/libxvmc-CVE-2016-7953.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2016-7953:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7953
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXvMC/commit/?id=2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb
-
-From 2cd95e7da8367cccdcdd5c9b160012d1dec5cbdb Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 22:34:27 +0200
-Subject: [PATCH] Avoid buffer underflow on empty strings.
-
-If an empty string is received from an x-server, do not underrun the
-buffer by accessing "rep.nameLen - 1" unconditionally, which could end
-up being -1.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/XvMC.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/XvMC.c b/src/XvMC.c
-index 7336760..3ee4212 100644
---- a/src/XvMC.c
-+++ b/src/XvMC.c
-@@ -576,9 +576,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
- 	if (*name && *busID && tmpBuf) {
- 	    _XRead(dpy, tmpBuf, realSize);
- 	    strncpy(*name,tmpBuf,rep.nameLen);
--	    (*name)[rep.nameLen - 1] = '\0';
-+	    (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
- 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
--	    (*busID)[rep.busIDLen - 1] = '\0';
-+	    (*busID)[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
- 	    XFree(tmpBuf);
- 	} else {
- 	    XFree(*name);
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/linux-pam-no-setfsuid.patch b/gnu/packages/patches/linux-pam-no-setfsuid.patch
new file mode 100644
index 0000000000..f92fbc057a
--- /dev/null
+++ b/gnu/packages/patches/linux-pam-no-setfsuid.patch
@@ -0,0 +1,75 @@
+On systems without 'setfsuid', use 'setreuid' instead.
+
+The patch originates from the Debian project for GNU/Hurd.
+Authors: Steve Langasek <vorlon@debian.org>
+Upstream status: A ticket was opened to request apply the patch,
+ticket: 'https://fedorahosted.org/linux-pam/ticket/64'.
+
+--- Linux-PAM-1.2.1/libpam/pam_modutil_priv.c	2015-03-24 06:02:32.000000000 -0600
++++ pam_modutil_priv-mod.c	2016-09-20 13:36:53.150663205 -0500
+@@ -14,7 +14,9 @@
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef HAVE_SYS_FSUID_H
+ #include <sys/fsuid.h>
++#endif /* HAVE_SYS_FSUID_H */
+ 
+ /*
+  * Two setfsuid() calls in a row are necessary to check
+@@ -22,17 +24,55 @@
+  */
+ static int change_uid(uid_t uid, uid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ 	uid_t tmp = setfsuid(uid);
+ 	if (save)
+ 		*save = tmp;
+ 	return (uid_t) setfsuid(uid) == uid ? 0 : -1;
++#else
++	uid_t euid = geteuid();
++	uid_t ruid = getuid();
++	if (save)
++		*save = ruid;
++	if (ruid == uid && uid != 0)
++		if (setreuid(euid, uid))
++			return -1;
++	else {
++		setreuid(0, -1);
++		if (setreuid(-1, uid)) {
++			setreuid(-1, 0);
++			setreuid(0, -1);
++			if (setreuid(-1, uid))
++				return -1;
++		}
++	}
++#endif
+ }
+ static int change_gid(gid_t gid, gid_t *save)
+ {
++#ifdef HAVE_SYS_FSUID_H
+ 	gid_t tmp = setfsgid(gid);
+ 	if (save)
+ 		*save = tmp;
+ 	return (gid_t) setfsgid(gid) == gid ? 0 : -1;
++#else
++	gid_t egid = getegid();
++	gid_t rgid = getgid();
++	if (save)
++		*save = rgid;
++	if (rgid == gid)
++		if (setregid(egid, gid))
++			return -1;
++	else {
++		setregid(0, -1);
++		if (setregid(-1, gid)) {
++			setregid(-1, 0);
++			setregid(0, -1);
++			if (setregid(-1, gid))
++				return -1;
++		}
++	}
++#endif
+ }
+ 
+ static int cleanup(struct pam_modutil_privs *p)
diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch
deleted file mode 100644
index f6465aeaa7..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2177.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-Fix CVE-2016-2177.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7>
-
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
-    return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/s3_srvr.c  | 14 +++++++-------
- ssl/ssl_sess.c |  2 +-
- ssl/t1_lib.c   | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (SSL_IS_DTLS(s)) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
-         }
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
-     if (s->hit || s->cert->srv_ext.meths_count == 0)
-         return 1;
- 
--    if (data >= limit - 2)
-+    if (limit - data <= 2)
-         return 1;
-     n2s(data, len);
- 
--    if (data > limit - len)
-+    if (limit - data < len)
-         return 1;
- 
--    while (data <= limit - 4) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > limit)
-+        if (limit - data < size)
-             return 1;
-         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
-             return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (SSL_IS_DTLS(s)) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- 
-2.8.4
-
diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch
deleted file mode 100644
index 37cf2763af..0000000000
--- a/gnu/packages/patches/openssl-CVE-2016-2178.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-Fix CVE-2016-2178.
-
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178>
-
-Source:
-<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534>
-<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b>
-
-From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME
-
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-
-CVE-2016-2178
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index efc4f1b..b29eb4b 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         }
- 
-         K = &kq;
-+
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-     } else {
-         K = &k;
-     }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
--- 
-2.8.4
-
-From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Jun 2016 09:12:51 +0100
-Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME
-
-The previous "fix" still left "k" exposed to constant time problems in
-the later BN_mod_inverse() call. Ensure both k and kq have the
-BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.
-
-CVE-2016-2178
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index b29eb4b..58013a4 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-     do
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
--    while (BN_is_zero(&k)) ;
-+    while (BN_is_zero(&k));
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(&k, BN_FLG_CONSTTIME);
-+    }
-+
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         if (!BN_copy(&kq, &k))
-             goto err;
- 
-+        BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
-         /*
-          * We do not want timing information to leak the length of k, so we
-          * compute g^k using an equivalent exponent of fixed length. (This
-@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-         }
- 
-         K = &kq;
--
--        BN_set_flags(K, BN_FLG_CONSTTIME);
-     } else {
-         K = &k;
-     }
--- 
-2.8.4
-
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41740..0000000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: ensure File::Spec::canonpath() preserves taint
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607.
-
-Bug: https://rt.perl.org/Ticket/Display.html?id=126862
-Bug-Debian: https://bugs.debian.org/810719
-Origin: upstream
-Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
----
- dist/PathTools/Cwd.xs    |  1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
-     *o = 0;
-     SvPOK_on(retval);
-     SvCUR_set(retval, o - SvPVX(retval));
-+    SvTAINT(retval);
-     return retval;
- }
- 
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
-     plan(
-         ${^TAINT}
--        ? (tests => 17)
-+        ? (tests => 21)
-         : (skip_all => "A perl without taint support")
-     );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
- 
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+    # [perl #126862] canonpath() loses taint
-+    my $tainted = substr($ENV{PATH}, 0, 0);
-+    # yes, getcwd()'s result should be tainted, and is tested above
-+    # but be sure
-+    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+        "canonpath() keeps taint on non-empty string";
-+    ok tainted(File::Spec->canonpath($tainted)),
-+        "canonpath() keeps taint on empty string";
-+
-+    (Cwd::getcwd() =~ /^(.*)/);
-+    my $untainted = $1;
-+    ok !tainted($untainted), "make sure our untainted value is untainted";
-+    ok !tainted(File::Spec->canonpath($untainted)),
-+        "canonpath() doesn't add taint to untainted string";
-+}
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
deleted file mode 100644
index 99d1944a5d..0000000000
--- a/gnu/packages/patches/perl-CVE-2016-2381.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
-
-Copied from upstream:
-http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
-
-References:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
-https://security-tracker.debian.org/tracker/CVE-2016-2381
-
----
-
-From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jan 2016 11:52:15 +1100
-Subject: remove duplicate environment variables from environ
-
-If we see duplicate environment variables while iterating over
-environ[]:
-
-a) make sure we use the same value in %ENV that getenv() returns.
-
-Previously on a duplicate, %ENV would have the last entry for the name
-from environ[], but a typical getenv() would return the first entry.
-
-Rather than assuming all getenv() implementations return the first entry
-explicitly call getenv() to ensure they agree.
-
-b) remove duplicate entries from environ
-
-Previously if there was a duplicate definition for a name in environ[]
-setting that name in %ENV could result in an unsafe value being passed
-to a child process, so ensure environ[] has no duplicates.
-
-Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
----
- perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 49 insertions(+), 2 deletions(-)
-
-diff --git a/perl.c b/perl.c
-index 67d32ce..26aeb91 100644
---- a/perl.c
-+++ b/perl.c
-@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
- 	}
- 	if (env) {
- 	  char *s, *old_var;
-+          STRLEN nlen;
- 	  SV *sv;
-+          HV *dups = newHV();
-+
- 	  for (; *env; env++) {
- 	    old_var = *env;
- 
- 	    if (!(s = strchr(old_var,'=')) || s == old_var)
- 		continue;
-+            nlen = s - old_var;
- 
- #if defined(MSDOS) && !defined(DJGPP)
- 	    *s = '\0';
- 	    (void)strupr(old_var);
- 	    *s = '=';
- #endif
--	    sv = newSVpv(s+1, 0);
--	    (void)hv_store(hv, old_var, s - old_var, sv, 0);
-+            if (hv_exists(hv, old_var, nlen)) {
-+                const char *name = savepvn(old_var, nlen);
-+
-+                /* make sure we use the same value as getenv(), otherwise code that
-+                   uses getenv() (like setlocale()) might see a different value to %ENV
-+                 */
-+                sv = newSVpv(PerlEnv_getenv(name), 0);
-+
-+                /* keep a count of the dups of this name so we can de-dup environ later */
-+                if (hv_exists(dups, name, nlen))
-+                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
-+                else
-+                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
-+
-+                Safefree(name);
-+            }
-+            else {
-+                sv = newSVpv(s+1, 0);
-+            }
-+	    (void)hv_store(hv, old_var, nlen, sv, 0);
- 	    if (env_is_not_environ)
- 	        mg_set(sv);
- 	  }
-+          if (HvKEYS(dups)) {
-+              /* environ has some duplicate definitions, remove them */
-+              HE *entry;
-+              hv_iterinit(dups);
-+              while ((entry = hv_iternext_flags(dups, 0))) {
-+                  STRLEN nlen;
-+                  const char *name = HePV(entry, nlen);
-+                  IV count = SvIV(HeVAL(entry));
-+                  IV i;
-+                  SV **valp = hv_fetch(hv, name, nlen, 0);
-+
-+                  assert(valp);
-+
-+                  /* try to remove any duplicate names, depending on the
-+                   * implementation used in my_setenv() the iteration might
-+                   * not be necessary, but let's be safe.
-+                   */
-+                  for (i = 0; i < count; ++i)
-+                      my_setenv(name, 0);
-+
-+                  /* and set it back to the value we set $ENV{name} to */
-+                  my_setenv(name, SvPV_nolen(*valp));
-+              }
-+          }
-+          SvREFCNT_dec_NN(dups);
-       }
- #endif /* USE_ENVIRON_ARRAY */
- #endif /* !PERL_MICRO */
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
deleted file mode 100644
index 5d78e8f462..0000000000
--- a/gnu/packages/patches/perl-no-build-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Do not record the configuration and build time so that builds can be
-reproduced bit-for-bit.
-
---- perl-5.22.0/Configure	1970-01-01 01:00:00.000000000 +0100
-+++ perl-5.22.0/Configure	2015-12-13 00:14:43.148165080 +0100
-@@ -3834,6 +3817,7 @@ esac
- 
- : who configured the system
- cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
-+cf_time='Thu Jan  1 00:00:01 UTC 1970'
- case "$cf_by" in
- "")
- 	cf_by=`(logname) 2>/dev/null`
-
---- perl-5.22.0/perl.c	2015-12-13 00:25:30.269156627 +0100
-+++ perl-5.22.0/perl.c	2015-12-13 00:25:38.265218175 +0100
-@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
-     PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
- 			      sizeof(non_bincompat_options) - 1, SVs_TEMP));
- 
--#ifdef __DATE__
-+#if 0
- #  ifdef __TIME__
-     PUSHs(Perl_newSVpvn_flags(aTHX_
- 			      STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
-
diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch
new file mode 100644
index 0000000000..bf0d4b8f6d
--- /dev/null
+++ b/gnu/packages/patches/perl-reproducible-build-date.patch
@@ -0,0 +1,50 @@
+Don't encode the current timestamp.
+
+This affects the output of `perl -V`, specifically the message "Compiled
+at [...]".
+
+The 'cf_time' and 'cf_by' values show up in 'config.h' and
+in 'Config_heavy.pl'.
+
+Use the output of 'uname -s' instead of 'uname -a' to avoid recording
+the kernel version ('uname -o' leads to directory names like
+'x86_64-gnulinux' instead of 'x86_64-linux', which might cause breakage
+down the road.)
+
+diff --git a/perl.c b/perl.c
+index 228a0d8..ed38313 100644
+--- a/perl.c
++++ b/perl.c
+@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
+     PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ 			      sizeof(non_bincompat_options) - 1, SVs_TEMP));
+ 
++#define PERL_BUILD_DATE "Jan  1 1970 00:00:00"
+ #ifndef PERL_BUILD_DATE
+ #  ifdef __DATE__
+ #    ifdef __TIME__
+
+--- a/Configure	1970-01-01 01:00:00.000000000 +0100
++++ b/Configure	2016-10-01 14:47:20.017319739 +0200
+@@ -3276,7 +3276,7 @@ $eunicefix tr
+ : Try to determine whether config.sh was made on this system
+ case "$config_sh" in
+ '')
+-myuname=`$uname -a 2>/dev/null`
++myuname=`$uname -s 2>/dev/null`
+ $test -z "$myuname" && myuname=`hostname 2>/dev/null`
+ # Downcase everything to avoid ambiguity.
+ # Remove slashes and single quotes so we can use parts of this in
+@@ -3845,10 +3845,10 @@
+ . ./posthint.sh
+ 
+ : who configured the system
+-cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
++cf_time="1970-01-01"
+ case "$cf_by" in
+ "")
+-	cf_by=`(logname) 2>/dev/null`
++	cf_by="guix"
+ 	case "$cf_by" in
+ 	"")
+ 		cf_by=`(whoami) 2>/dev/null`
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
deleted file mode 100644
index 37330c9537..0000000000
--- a/gnu/packages/patches/perl-source-date-epoch.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Adapted from <https://bugs.debian.org/801621>.
-Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
-
---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:33:03.321787590 +0100
-+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm	2015-12-12 22:36:33.367361338 +0100
-@@ -884,7 +884,12 @@ sub devise_date {
-     my ($self) = @_;
-     my $input = $self->source_filename;
-     my $time;
--    if ($input) {
-+
-+    if (defined($ENV{SOURCE_DATE_EPOCH}) &&
-+        $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
-+        $time = $ENV{SOURCE_DATE_EPOCH};
-+    }
-+    elsif ($input) {
-         $time = (stat $input)[9] || time;
-     } else {
-         $time = time;
diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch
deleted file mode 100644
index 9d369aeb2c..0000000000
--- a/gnu/packages/patches/procps-non-linux.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001
-From: Craig Small <csmall@enc.com.au>
-Date: Sun, 17 Apr 2016 09:09:41 +1000
-Subject: [PATCH] tests: Conditionally add prctl to test process
-
-prctl was already bypassed on Cygwin systems. This extends to
-non-Linux systems such as kFreeBSD and Hurd.
-
----
- lib/test_process.c | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/test_process.c b/lib/test_process.c
-index 6e652ed..6a4776c 100644
---- a/lib/test_process.c
-+++ b/lib/test_process.c
-@@ -21,7 +21,9 @@
- #include <stdlib.h>
- #include <unistd.h>
- #include <signal.h>
-+#ifdef __linux__
- #include <sys/prctl.h>
-+#endif
- #include "c.h"
- 
- #define DEFAULT_SLEEPTIME 300
-@@ -78,8 +80,10 @@
-     sigaction(SIGUSR1, &signal_action, NULL);
-     sigaction(SIGUSR2, &signal_action, NULL);
- 
-+#ifdef __linux__
-     /* set process name */
-     prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL);
-+#endif
- 
-     while (sleep_time > 0) {
- 	sleep_time = sleep(sleep_time);
--- 
-2.8.2
-
diff --git a/gnu/packages/patches/python-3.4-fix-tests.patch b/gnu/packages/patches/python-3.4-fix-tests.patch
new file mode 100644
index 0000000000..d1f8138e79
--- /dev/null
+++ b/gnu/packages/patches/python-3.4-fix-tests.patch
@@ -0,0 +1,12 @@
+--- Lib/test/test_posixpath.py  2014-03-01 05:46:56.984311000 +0100
++++ Lib/test/test_posixpath.py  2014-03-07 00:59:20.888311000 +0100
+@@ -319,7 +319,11 @@
+                 del env['HOME']
+                 home = pwd.getpwuid(os.getuid()).pw_dir
+                 # $HOME can end with a trailing /, so strip it (see #17809)
+-                self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
++                # The Guix builders have '/' as a home directory, so
++                # home.rstrip("/") will be an empty string and the test will
++                # fail. Let's just disable it since it does not really make
++                # sense with such a bizarre setup.
++                # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
new file mode 100644
index 0000000000..46d2a84efb
--- /dev/null
+++ b/gnu/packages/patches/python-3.5-fix-tests.patch
@@ -0,0 +1,46 @@
+Additional test fixes which affect Python 3.5 (and presumably later) but not
+prior revisions of Python.
+
+--- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
++++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
+@@ -1986,8 +1986,9 @@
+         expect = set() if not support.fs_is_case_insensitive(BASE) else given
+         self.assertEqual(given, expect)
+         self.assertEqual(set(p.rglob("FILEd*")), set())
+ 
++    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
+     def test_expanduser(self):
+         P = self.cls
+         support.import_module('pwd')
+         import pwd
+--- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
++++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
+@@ -2305,11 +2305,14 @@
+     try:
+         import pwd, grp
+     except ImportError:
+         return False
+-    if pwd.getpwuid(0)[0] != 'root':
+-        return False
+-    if grp.getgrgid(0)[0] != 'root':
++    try:
++        if pwd.getpwuid(0)[0] != 'root':
++            return False
++        if grp.getgrgid(0)[0] != 'root':
++            return False
++    except KeyError:
+         return False
+     return True
+
+
+--- Lib/test/test_asyncio/test_base_events.py
++++ Lib/test/test_asyncio/test_base_events.py
+@@ -142,6 +142,8 @@ class BaseEventTests(test_utils.TestCase):
+             (INET, STREAM, TCP, '', ('1.2.3.4', 1)),
+             base_events._ipaddr_info('1.2.3.4', b'1', INET, STREAM, TCP))
+ 
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_getaddrinfo_servname(self):
+         INET = socket.AF_INET
+         STREAM = socket.SOCK_STREAM
diff --git a/gnu/packages/patches/python-disable-ssl-test.patch b/gnu/packages/patches/python-disable-ssl-test.patch
deleted file mode 100644
index e351c77505..0000000000
--- a/gnu/packages/patches/python-disable-ssl-test.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Disable a test that fails with openssl-1.0.2b.
-
---- Lib/test/test_ssl.py.orig	2015-02-25 06:27:45.000000000 -0500
-+++ Lib/test/test_ssl.py	2015-06-12 03:14:09.395212502 -0400
-@@ -2718,6 +2718,7 @@
-                                        chatty=True, connectionchatty=True)
-             self.assertIs(stats['compression'], None)
- 
-+        @unittest.skipIf(True, "openssl 1.0.2b complains: dh key too small")
-         def test_dh_params(self):
-             # Check we can get a connection with ephemeral Diffie-Hellman
-             context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
diff --git a/gnu/packages/patches/python-fix-tests.patch b/gnu/packages/patches/python-fix-tests.patch
index 82c19980f9..e093307c51 100644
--- a/gnu/packages/patches/python-fix-tests.patch
+++ b/gnu/packages/patches/python-fix-tests.patch
@@ -20,21 +20,6 @@ http://bugs.python.org/issue20868 .
      def test_tarfile_root_owner(self):
          tmpdir, tmpdir2, base_name =  self._create_files()
 
---- Lib/test/test_posixpath.py	2014-03-01 05:46:56.984311000 +0100
-+++ Lib/test/test_posixpath.py	2014-03-07 00:59:20.888311000 +0100
-@@ -319,7 +319,11 @@
-                 del env['HOME']
-                 home = pwd.getpwuid(os.getuid()).pw_dir
-                 # $HOME can end with a trailing /, so strip it (see #17809)
--                self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
-+                # The Guix builders have '/' as a home directory, so
-+                # home.rstrip("/") will be an empty string and the test will
-+                # fail. Let's just disable it since it does not really make
-+                # sense with such a bizarre setup.
-+                # self.assertEqual(posixpath.expanduser("~"), home.rstrip("/"))
- 
-     def test_normpath(self):
-         self.assertEqual(posixpath.normpath(""), ".")
 --- Lib/test/test_socket.py.orig	2014-03-02 22:14:12.264311000 +0100
 +++ Lib/test/test_socket.py	2014-03-21 03:50:45.660311000 +0100
 @@ -819,6 +819,8 @@
diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
new file mode 100644
index 0000000000..1426883216
--- /dev/null
+++ b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
@@ -0,0 +1,33 @@
+Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known".
+
+This is an adapted version of the upstream patch taken from here:
+https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch
+
+From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001
+From: christos <christos>
+Date: Fri, 23 Sep 2016 19:17:28 +0000
+Subject: [PATCH] Don't define BSDWAIT for linux anymore.
+
+---
+ sh.proc.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/sh.proc.c b/sh.proc.c
+index 49b199f..874d67c 100644
+--- sh.proc.c
++++ sh.proc.c
+@@ -47,11 +47,9 @@ RCSID("$tcsh$")
+ # define HZ 16
+ #endif /* aiws */
+ 
+-#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__)
+-# if !defined(__ANDROID__)
+-#  define BSDWAIT
+-# endif
+-#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */
++#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid)
++# define BSDWAIT
++#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */
+ #ifndef WTERMSIG
+ # define WTERMSIG(w)	(((union wait *) &(w))->w_termsig)
+ # ifndef BSDWAIT
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 461472abe9..8bfe2c1a89 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Coypright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Coypright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Coypright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Coypright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Coypright © 2016 Julien Lepiller <julien@lepiller.eu>
@@ -70,14 +71,14 @@
 (define-public poppler
   (package
    (name "poppler")
-   (version "0.43.0")
+   (version "0.47.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0mi4zf0pz3x3fx3ir7szz1n57nywgbpd4mp2r7mvf47f4rmf4867"))))
+              "0hnjkcqqk87dw3hlda4gh4l7brkslniax9a79g772jn3iwiffwmq"))))
    (build-system gnu-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
@@ -109,19 +110,18 @@
         ;; Saves 8 MiB of .a files.
         "--disable-static")
       #:phases
-      (alist-cons-before
-       'configure 'setenv
-       (lambda _
-         (setenv "CPATH"
-                 (string-append (assoc-ref %build-inputs "openjpeg-1")
-                                "/include/openjpeg-1.5"
-                                ":" (or (getenv "CPATH") ""))))
-        %standard-phases)))
+      (modify-phases %standard-phases
+        (add-before 'configure 'setenv
+          (lambda _
+            (setenv "CPATH"
+                    (string-append (assoc-ref %build-inputs "openjpeg-1")
+                                   "/include/openjpeg-1.5"
+                                   ":" (or (getenv "CPATH") ""))))))))
    (synopsis "PDF rendering library")
    (description
     "Poppler is a PDF rendering library based on the xpdf-3.0 code base.")
    (license license:gpl2+)
-   (home-page "http://poppler.freedesktop.org/")))
+   (home-page "https://poppler.freedesktop.org/")))
 
 (define-public poppler-qt4
   (package (inherit poppler)
@@ -408,7 +408,7 @@ by using the poppler rendering engine.")
               (patches (search-patches
                         "zathura-plugindir-environment-variable.patch"))))
     (native-inputs `(("pkg-config" ,pkg-config)
-                     ("gettext" ,gnu-gettext)))
+                     ("gettext" ,gettext-minimal)))
     (inputs `(("girara" ,girara)
               ("sqlite" ,sqlite)
               ("gtk+" ,gtk+)))
@@ -541,13 +541,14 @@ and examining the file structure (pdfshow).")
 (define-public qpdf
   (package
    (name "qpdf")
-   (version "5.1.3")
+   (version "6.0.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://sourceforge/qpdf/qpdf/" version
                                 "/qpdf-" version ".tar.gz"))
-            (sha256 (base32
-                     "1lq1v7xghvl6p4hgrwbps3a13ad6lh4ib3myimb83hxgsgd4n5nm"))
+            (sha256
+             (base32
+              "0csj2p2gkxrc0rk8ykymlsdgfas96vzf1dip3y1x7z1q9plwgzd9"))
             (modules '((guix build utils)))
             (snippet
              ;; Replace shebang with the bi-lingual shell/Perl trick to remove
@@ -561,17 +562,17 @@ eval '(exit $?0)' && eval 'exec perl -wS \"$0\" ${1+\"$@\"}'
    (build-system gnu-build-system)
    (arguments
     `(#:disallowed-references (,perl)
-      #:phases (alist-cons-before
-                'configure 'patch-paths
-                (lambda _
-                  (substitute* "make/libtool.mk"
-                    (("SHELL=/bin/bash")
-                     (string-append "SHELL=" (which "bash"))))
-                  (substitute* (append
-                                '("qtest/bin/qtest-driver")
-                                (find-files "." "\\.test"))
-                    (("/usr/bin/env") (which "env"))))
-                %standard-phases)))
+      #:phases
+      (modify-phases %standard-phases
+        (add-before 'configure 'patch-paths
+          (lambda _
+            (substitute* "make/libtool.mk"
+              (("SHELL=/bin/bash")
+               (string-append "SHELL=" (which "bash"))))
+            (substitute* (append
+                          '("qtest/bin/qtest-driver")
+                          (find-files "." "\\.test"))
+              (("/usr/bin/env") (which "env"))))))))
    (native-inputs
     `(("pkg-config" ,pkg-config)
       ("perl" ,perl)))
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index ba6f71a412..ac7ac49ac2 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -45,55 +45,55 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.22.1")
+    (version "5.24.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://www.cpan.org/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
+               "00jj8zr8fnihrxxhl8h936ssczv5x86qb618yz1ig40d1rp0qhvy"))
              (patches (search-patches
                        "perl-no-sys-dirs.patch"
                        "perl-autosplit-default-time.patch"
-                       "perl-source-date-epoch.patch"
                        "perl-deterministic-ordering.patch"
-                       "perl-no-build-time.patch"
-                       "perl-CVE-2015-8607.patch"
-                       "perl-CVE-2016-2381.patch"))))
+                       "perl-reproducible-build-date.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
+       #:configure-flags
+       (let ((out  (assoc-ref %outputs "out"))
+             (libc (assoc-ref %build-inputs "libc")))
+         (list
+          (string-append "-Dprefix=" out)
+          (string-append "-Dman1dir=" out "/share/man/man1")
+          (string-append "-Dman3dir=" out "/share/man/man3")
+          "-de" "-Dcc=gcc"
+          "-Uinstallusrbinperl"
+          "-Dinstallstyle=lib/perl5"
+          "-Duseshrplib"
+          (string-append "-Dlocincpth=" libc "/include")
+          (string-append "-Dloclibpth=" libc "/lib")
+          "-Dusethreads"))
        #:phases
        (modify-phases %standard-phases
-         (replace
-          'configure
-          (lambda* (#:key inputs outputs #:allow-other-keys)
-            (let ((out  (assoc-ref outputs "out"))
-                  (libc (assoc-ref inputs "libc")))
-              ;; Use the right path for `pwd'.
-              (substitute* "dist/PathTools/Cwd.pm"
-                (("/bin/pwd")
-                 (which "pwd")))
-
-              ;; Build in GNU89 mode to tolerate C++-style comment in libc's
-              ;; <bits/string3.h>.
-              (substitute* "cflags.SH"
-                (("-std=c89")
-                 "-std=gnu89"))
-
-              (zero?
-               (system* "./Configure"
-                        (string-append "-Dprefix=" out)
-                        (string-append "-Dman1dir=" out "/share/man/man1")
-                        (string-append "-Dman3dir=" out "/share/man/man3")
-                        "-de" "-Dcc=gcc"
-                        "-Uinstallusrbinperl"
-                        "-Dinstallstyle=lib/perl5"
-                        "-Duseshrplib"
-                        (string-append "-Dlocincpth=" libc "/include")
-                        (string-append "-Dloclibpth=" libc "/lib"))))))
-
+         (add-before 'configure 'setup-configure
+           (lambda _
+             ;; Use the right path for `pwd'.
+             (substitute* "dist/PathTools/Cwd.pm"
+               (("/bin/pwd")
+                (which "pwd")))
+
+             ;; Build in GNU89 mode to tolerate C++-style comment in libc's
+             ;; <bits/string3.h>.
+             (substitute* "cflags.SH"
+               (("-std=c89")
+                "-std=gnu89"))
+             #t))
+         (replace 'configure
+           (lambda* (#:key configure-flags #:allow-other-keys)
+             (format #t "Perl configure flags: ~s~%" configure-flags)
+             (zero? (apply system* "./Configure" configure-flags))))
          (add-before
           'strip 'make-shared-objects-writable
           (lambda* (#:key outputs #:allow-other-keys)
@@ -7009,7 +7009,7 @@ MYMETA.yml.")
 (define-public perl-module-build
   (package
     (name "perl-module-build")
-    (version "0.4211")
+    (version "0.4220")
     (source
      (origin
        (method url-fetch)
@@ -7017,7 +7017,7 @@ MYMETA.yml.")
                            "Module-Build-" version ".tar.gz"))
        (sha256
         (base32
-         "1c5hfhajr963w4mdjivsc7yz4vf4pz1rrfch5a93fbac1x2mr58h"))))
+         "18mm6k7d7cmj9l6na1c50vbc8hc1pwsz38yxi9x6ydlrwz3hf4pv"))))
     (build-system perl-build-system)
     (propagated-inputs
      `(("perl-cpan-meta" ,perl-cpan-meta)))
diff --git a/gnu/packages/plotutils.scm b/gnu/packages/plotutils.scm
index c913955975..74d209192f 100644
--- a/gnu/packages/plotutils.scm
+++ b/gnu/packages/plotutils.scm
@@ -186,8 +186,7 @@ colors, styles, options and details.")
     ;; "help" command in interactive mode, so adding a "doc" output is not
     ;; currently useful.
     (native-inputs
-     `(("gs" ,ghostscript-gs)           ;For tests
-       ("gs-2" ,ghostscript)             ;For dvipdfm
+     `(("gs" ,ghostscript)              ;For tests
        ("texinfo" ,texinfo)             ;For generating documentation
        ("texlive" ,texlive)             ;For tests and documentation
        ("emacs" ,emacs-minimal)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index c5a39f49ee..0e648cd724 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -52,6 +52,7 @@
   #:use-module (gnu packages adns)
   #:use-module (gnu packages attr)
   #:use-module (gnu packages backup)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages django)
@@ -106,7 +107,7 @@
 (define-public python-2.7
   (package
     (name "python")
-    (version "2.7.11")
+    (version "2.7.12")
     (source
      (origin
       (method url-fetch)
@@ -114,7 +115,7 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "0iiz844riiznsyhhyy962710pz228gmhv8qi3yk4w4jhmx2lqawn"))
+        "0y7rl603vmwlxm6ilkhc51rx2mfj14ckcz40xxgs0ljnvlhp30yp"))
       (patches (search-patches "python-2.7-search-paths.patch"
                                "python-2-deterministic-build-info.patch"
                                "python-2.7-source-date-epoch.patch"))
@@ -126,6 +127,7 @@
        '(begin
           (for-each delete-file
                     '("Lib/test/test_compileall.py"
+                      "Lib/test/test_ctypes.py" ; fails on mips64el
                       "Lib/test/test_distutils.py"
                       "Lib/test/test_import.py"
                       "Lib/test/test_shutil.py"
@@ -201,13 +203,6 @@
            (lambda _
              ;; 'Lib/test/test_site.py' needs a valid $HOME
              (setenv "HOME" (getcwd))
-             ,@(if (string-prefix? "mips64el" (%current-system))
-
-                   ;; XXX: The following test fails on mips64el.
-                   '((false-if-exception
-                      (delete-file "Lib/test/test_ctypes.py")))
-
-                   '())
              #t))
           (add-after
            'unpack 'set-source-file-times-to-1980
@@ -289,7 +284,7 @@
      (list (search-path-specification
             (variable "PYTHONPATH")
             (files '("lib/python2.7/site-packages")))))
-    (home-page "http://python.org")
+    (home-page "https://www.python.org")
     (synopsis "High-level, dynamically-typed programming language")
     (description
      "Python is a remarkably powerful dynamic programming language that
@@ -304,23 +299,22 @@ data types.")
 ;; Current 2.x version.
 (define-public python-2 python-2.7)
 
-(define-public python-3.4
+(define-public python-3.5
   (package (inherit python-2)
-    (version "3.4.3")
+    (version "3.5.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
                         "python-fix-tests.patch"
-                        ;; XXX Try removing this patch for python > 3.4.3
-                        "python-disable-ssl-test.patch"
+                        "python-3.5-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"
                         "python-3-search-paths.patch"))
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "1f4nm4z08sy0kqwisvv95l02crv6dyysdmx44p1mz3bn6csrdcxm"))))
+                "0h6a5fr7ram2s483lh0pnmc4ncijb8llnpfdxdcl5dxr01hza400"))))
     (arguments (substitute-keyword-arguments (package-arguments python-2)
                  ((#:tests? _) #t)))
     (native-search-paths
@@ -330,8 +324,25 @@ data types.")
                                         (version-major+minor version)
                                         "/site-packages"))))))))
 
+(define-public python-3.4
+  (package (inherit python-3.5)
+    (version "3.4.5")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://www.python.org/ftp/python/"
+                                  version "/Python-" version ".tar.xz"))
+              (patches (search-patches
+                        "python-fix-tests.patch"
+                        "python-3.4-fix-tests.patch"
+                        "python-3-deterministic-build-info.patch"
+                        "python-3-search-paths.patch"))
+              (patch-flags '("-p0"))
+              (sha256
+               (base32
+                "12l9klp778wklxmckhghniy5hklss8r26995pyd00qbllk4b2r7f"))))))
+
 ;; Current 3.x version.
-(define-public python-3 python-3.4)
+(define-public python-3 python-3.5)
 
 ;; Current major version.
 (define-public python python-3)
@@ -353,14 +364,12 @@ data types.")
   (package (inherit python)
     (name "python-minimal")
     (outputs '("out"))
-    (arguments
-     (substitute-keyword-arguments (package-arguments python)
-       ((#:configure-flags cf)
-        `(append ,cf '("--without-system-ffi")))))
 
+    ;; Build fails due to missing ctypes without libffi.
     ;; OpenSSL is a mandatory dependency of Python 3.x, for urllib;
     ;; zlib is required by 'zipimport', used by pip.
-    (inputs `(("openssl" ,openssl)
+    (inputs `(("libffi" ,libffi)
+              ("openssl" ,openssl)
               ("zlib" ,zlib)))))
 
 (define* (wrap-python3 python
@@ -371,6 +380,7 @@ data types.")
     (source #f)
     (build-system trivial-build-system)
     (outputs '("out"))
+    (inputs `(("bash" ,bash)))
     (propagated-inputs `(("python" ,python)))
     (arguments
      `(#:modules ((guix build utils))
@@ -384,8 +394,20 @@ data types.")
                   (lambda (old new)
                     (symlink (string-append python old)
                              (string-append bin "/" new)))
-                  '("python3" "pydoc3" "idle3")
-                  '("python"  "pydoc"  "idle"))))))
+                  `("python3" ,"pydoc3" ,"idle3" ,"pip3")
+                  `("python"  ,"pydoc"  ,"idle"  ,"pip"))
+                ;; python-config outputs search paths based upon its location,
+                ;; use a bash wrapper to avoid changing its outputs.
+                (let ((bash (string-append (assoc-ref %build-inputs "bash")
+                                           "/bin/bash"))
+                      (old  (string-append python "python3-config"))
+                      (new  (string-append bin "/python-config")))
+                  (with-output-to-file new
+                    (lambda ()
+                      (format #t "#!~a~%" bash)
+                      (format #t "exec \"~a\" \"$@\"~%" old)
+                      (chmod new #o755)
+                      #t)))))))
     (synopsis "Wrapper for the Python 3 commands")
     (description
      "This package provides wrappers for the commands of Python@tie{}3.x such
@@ -6208,6 +6230,20 @@ responses, rather than doing any computation.")
         (base32
          "1a85l548w5vvq3yhz0az7ajg2ijixzp6gagapw6wgrqvq28ghgs2"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'disable-failing-test
+           (lambda _
+             ;; This test is known to fail with OpenSSL >= 1.0.2i and older
+             ;; versions of python-cryptography:
+             ;; https://github.com/pyca/cryptography/issues/3196
+             ;; TODO: Try re-enabling the test when upgrading
+             ;; python-cryptography.
+             (substitute* "tests/hazmat/backends/test_openssl.py"
+               (("def test_numeric_string_x509_name_entry")
+                 "@pytest.mark.xfail\n    def test_numeric_string_x509_name_entry"))
+             #t)))))
     (inputs
      `(("openssl" ,openssl)))
     (propagated-inputs
@@ -6443,10 +6479,16 @@ Python's @code{ctypes} foreign function interface (FFI).")
     (synopsis "Python bindings to the libmagic file type guesser.  Note that
 this module and the python-magic module both provide a \"magic.py\" file;
 these two modules, which are different and were developed separately, both
-serve the same purpose: provide Python bindings for libmagic.")))
+serve the same purpose: provide Python bindings for libmagic.")
+    (properties `((python2-variant . ,(delay python2-file))))))
 
 (define-public python2-file
-  (package-with-python2 python-file))
+  (let ((base (package-with-python2 (strip-python2-variant python-file))))
+    (package
+      (inherit base)
+      (native-inputs
+       `(("python2-setuptools" ,python2-setuptools)
+         ,@(package-native-inputs base))))))
 
 (define-public python-debian
   (package
@@ -7066,6 +7108,9 @@ be set via config files and/or environment variables.")
                 (base32
                   "0x32ibixm3vv5m9xfk83xsqm8xcqw4dd0khbh6qbri6rxgymbhg8"))))
     (build-system python-build-system)
+    (arguments
+     '(;; The tests appear to require networking.
+       #:tests? #f))
     (propagated-inputs
      `(("python-pyopenssl" ,python-pyopenssl)))
     (synopsis "HTTPS support for Python's httplib and urllib2")
@@ -7201,6 +7246,10 @@ for atomic file system operations.")
               (base32
                "15q9nrgp85nqlr4kdz1zvj8z2npafi2sr12y7fqgxbkq28j1aci6"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python-betamax" ,python-betamax)
+       ("python-mock" ,python-mock)
+       ("python-pytest" ,python-pytest)))
     (propagated-inputs
      `(("python-requests" ,python-requests)))
     (synopsis "Extensions to python-requests")
@@ -7289,8 +7338,14 @@ pure Python module that works on virtually all Python versions.")
               (base32
                "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn"))))
     (build-system python-build-system)
+    (arguments
+     `(;; 2 failed, 275 passed, 670 skipped, 4 xfailed
+       ;; The two test failures are caused by the lack of an `ssh` executable.
+       ;; The test suite can be run with pytest after the 'install' phase.
+       #:tests? #f))
     (native-inputs
-     `(("python-setuptools-scm" ,python-setuptools-scm)))
+     `(("python-pytest" ,python-pytest)
+       ("python-setuptools-scm" ,python-setuptools-scm)))
     (inputs
      `(("python-apipkg" ,python-apipkg)))
     (synopsis "Rapid multi-Python deployment")
@@ -7394,7 +7449,8 @@ framework which enables you to test server connections locally.")
     (build-system python-build-system)
     (native-inputs
      `(("python-pytest" ,python-pytest)
-       ("python-six" ,python-six)))
+       ("python-six" ,python-six)
+       ("python-urllib3" ,python-urllib3)))
     (propagated-inputs
      `(("python-httplib2" ,python-httplib2)
        ("python-requests" ,python-requests)))
@@ -8422,21 +8478,22 @@ alternative when librabbitmq is not available.")
 (define-public python-kombu
   (package
     (name "python-kombu")
-    (version "3.0.33")
+    (version "3.0.37")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "kombu" version))
        (sha256
         (base32
-         "16brjx2lgwbj2a37d0pjbfb84nvld6irghmqrs3qfncajp51hgc5"))))
+         "0l16chb314gpq2v7fh94a22c30lcv6w3ylmhsa60bldlcq6a0r70"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-mock" ,python-mock)
        ("python-nose" ,python-nose)))
     (propagated-inputs
      `(("python-anyjson" ,python-anyjson)
-       ("python-amqp" ,python-amqp)))
+       ("python-amqp" ,python-amqp)
+       ("python-redis" ,python-redis)))
     (home-page "http://kombu.readthedocs.org")
     (synopsis "Message passing library for Python")
     (description "The aim of Kombu is to make messaging in Python as easy as
@@ -8460,14 +8517,14 @@ RabbitMQ messaging server is the most popular implementation.")
 (define-public python-billiard
   (package
     (name "python-billiard")
-    (version "3.3.0.22")
+    (version "3.3.0.23")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "billiard" version))
        (sha256
         (base32
-         "0zp7h6a58alrb3mwdw61jds07395j4j0mj6iqsb8czrihw9ih5nj"))))
+         "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-nose" ,python-nose)))
@@ -8495,15 +8552,24 @@ Python 2.4 and 2.5, and will draw its fixes/improvements from python-trunk.")
 (define-public python-celery
   (package
     (name "python-celery")
-    (version "3.1.20")
+    (version "3.1.24")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "celery" version))
        (sha256
         (base32
-         "1md6ywg1s0946qyp8ndnsd677wm0yax933h2sb4m3a4j7lf1jbyh"))))
+         "0yh2prhdnx2dgkb67a5drj12hh2zvzx5f611p7mqqg01ydghif4r"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         ;; These tests break with Python 3.5:
+         ;; https://github.com/celery/celery/issues/2897#issuecomment-253066295
+         (replace 'check
+           (lambda _
+             (zero?
+               (system* "nosetests" "--exclude=^test_safe_to_remove.*")))))))
     (native-inputs
      `(("python-nose" ,python-nose)))
     (inputs
@@ -8686,6 +8752,9 @@ introspection of @code{zope.interface} instances in code.")
                (base32
                 "1qfnwlx8qwkgr6nf5wvl6ff1r3kll53dh3z6nyp173nmlhhhqccb"))))
     (build-system python-build-system)
+    (arguments
+     '(;; The test suite relies on some non-portable Windows interfaces.
+       #:tests? #f))
     (inputs
      `(("python-dateutil-2" ,python-dateutil-2)
        ("python-pyicu" ,python-pyicu)))
@@ -11058,3 +11127,35 @@ with an associated set of resolve methods that know how to fetch data.")
 provide extendible implementations of common aspects of a cloud so that you can
 focus on building massively scalable web applications.")
     (license license:expat)))
+
+(define-public python-betamax
+  (package
+    (name "python-betamax")
+    (version "0.8.0")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (pypi-uri "betamax" version))
+        (sha256
+         (base32
+          "18f8v5gng3j773jlbbzx4rg1i4y2zw3m2l1zpmbvp8bh5a2q1i42"))))
+    (build-system python-build-system)
+    (arguments
+     '(;; Many tests fail because they require networking.
+       #:tests? #f))
+    (inputs
+     `(("python-requests" ,python-requests)))
+    (home-page "https://github.com/sigmavirus24/betamax")
+    (synopsis "Record HTTP interactions with python-requests")
+    (description "Betamax will record your test suite's HTTP interactions and
+replay them during future tests.  It is designed to work with python-requests.")
+    (license license:expat)
+    (properties `((python2-variant . ,(delay python2-betamax))))))
+
+(define-public python2-betamax
+  (let ((base (package-with-python2 (strip-python2-variant python-betamax))))
+    (package
+      (inherit base)
+      (native-inputs
+       `(("python2-setuptools" ,python2-setuptools)
+         ,@(package-native-inputs base))))))
diff --git a/gnu/packages/readline.scm b/gnu/packages/readline.scm
index 169a7386c4..6435e98234 100644
--- a/gnu/packages/readline.scm
+++ b/gnu/packages/readline.scm
@@ -40,14 +40,14 @@
                         (find-files lib "\\.a"))))))
     (package
       (name "readline")
-      (version "6.3")
+      (version "7.0")
       (source (origin
                (method url-fetch)
                (uri (string-append "mirror://gnu/readline/readline-"
                                    version ".tar.gz"))
                (sha256
                 (base32
-                 "0hzxr9jxqqx5sxsv9vmlxdnvlr9vi4ih1avjb869hbs6p5qn1fjn"))
+                 "0d13sg9ksf982rrrmv5mb6a2p4ys9rvg9r71d6il0vr8hmql63bm"))
                (patches (search-patches "readline-link-ncurses.patch"))
                (patch-flags '("-p0"))))
       (build-system gnu-build-system)
diff --git a/gnu/packages/sawfish.scm b/gnu/packages/sawfish.scm
index 9b09b6171e..54b72ffe03 100644
--- a/gnu/packages/sawfish.scm
+++ b/gnu/packages/sawfish.scm
@@ -152,7 +152,7 @@ backend of Sawfish.")
                            "/lib/sawfish/sawfish-menu")))
          %standard-phases))))
     (native-inputs
-     `(("gettext"     ,gnu-gettext)
+     `(("gettext"     ,gettext-minimal)
        ("makeinfo"    ,texinfo)
        ("pkg-config"  ,pkg-config)
        ("which"       ,which)))
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 9597473ad4..9ad9e707e7 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -633,7 +633,7 @@ threads.")
        ("stex" ,stex)))
     (native-inputs
      `(("texlive" ,texlive)
-       ("ghostscript" ,ghostscript-gs)
+       ("ghostscript" ,ghostscript)
        ("netpbm" ,netpbm)))
     (outputs '("out" "doc"))
     (arguments
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 6d510c2e4c..78ff1730c9 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -185,7 +185,8 @@ has a small feature set similar to a traditional Bourne shell.")
               (sha256
                (base32
                 "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
-              (patches (search-patches "tcsh-fix-autotest.patch"))
+              (patches (search-patches "tcsh-fix-autotest.patch"
+                                       "tcsh-do-not-define-BSDWAIT.patch"))
               (patch-flags '("-p0"))))
     (build-system gnu-build-system)
     (inputs
@@ -304,6 +305,11 @@ ksh, and tcsh.")
               (("'xonsh\\.ply',") ""))
             #t))))
     (build-system python-build-system)
+    (arguments
+     '(;; TODO Try running run the test suite.
+       ;; See 'requirements-tests.txt' in the source distribution for more
+       ;; information.
+       #:tests? #f))
     (inputs
      `(("python-ply" ,python-ply)))
     (home-page "http://xon.sh/")
diff --git a/gnu/packages/shishi.scm b/gnu/packages/shishi.scm
index 30351fb517..7e02843d38 100644
--- a/gnu/packages/shishi.scm
+++ b/gnu/packages/shishi.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -48,7 +49,7 @@
     (inputs
      `(("gnutls" ,gnutls)
        ("libidn" ,libidn)
-       ("linux-pam" ,linux-pam)
+       ("linux-pam" ,linux-pam-1.2)
        ("zlib" ,zlib)
        ;; libgcrypt 1.6 fails because of the following test:
        ;;  #include <gcrypt.h>
diff --git a/gnu/packages/skribilo.scm b/gnu/packages/skribilo.scm
index 40bf659297..52ed1c34e3 100644
--- a/gnu/packages/skribilo.scm
+++ b/gnu/packages/skribilo.scm
@@ -63,8 +63,7 @@
 
        #:parallel-build? #f))
 
-    (native-inputs `(("pkg-config" ,pkg-config)
-                     ("ghostscript-gs" , ghostscript-gs)))
+    (native-inputs `(("pkg-config" ,pkg-config)))
 
     (inputs `(("guile" ,guile-2.0)
               ("imagemagick" ,imagemagick)
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 959251d84c..0748b5d860 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -75,7 +75,7 @@
     (build-system gnu-build-system)
     (inputs
      `(("cairo" ,cairo)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("gsl" ,gsl)
        ("libxml2" ,libxml2)
        ("pango" ,pango)
@@ -101,7 +101,7 @@ be output in text, PostScript, PDF or HTML.")
 (define-public r
   (package
     (name "r")
-    (version "3.3.0")
+    (version "3.3.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://cran/src/base/R-"
@@ -109,7 +109,7 @@ be output in text, PostScript, PDF or HTML.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1r0i0cqs3p0vrpiwq0zg5kbrmja9rmaijyzf9f23v6d5n5ab2mlj"))))
+                "1qm9znh8akfy9fkzzi6f1vz2w1dd0chsr6qn7kw80lqzhgjrmi9x"))))
     (build-system gnu-build-system)
     (arguments
      `(#:make-flags
@@ -137,6 +137,7 @@ be output in text, PostScript, PDF or HTML.")
           (lambda _ (zero? (system* "make" "install-info")))))
        #:configure-flags
        '("--with-cairo"
+         "--with-blas=-lopenblas"
          "--with-libpng"
          "--with-jpeglib"
          "--with-libtiff"
@@ -171,6 +172,7 @@ be output in text, PostScript, PDF or HTML.")
        ("pango" ,pango)
        ("curl" ,curl)
        ("tzdata" ,tzdata)
+       ("openblas" ,openblas)
        ("gfortran" ,gfortran)
        ("icu4c" ,icu4c)
        ("libjpeg" ,libjpeg)
diff --git a/gnu/packages/terminals.scm b/gnu/packages/terminals.scm
index ef80371ecb..97dd0a82bd 100644
--- a/gnu/packages/terminals.scm
+++ b/gnu/packages/terminals.scm
@@ -69,7 +69,7 @@
     (native-inputs
      `(("autoconf" ,autoconf)
        ("automake" ,automake)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (inputs
      `(("glib" ,glib "bin")
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 5b22e84fb8..d21394e74f 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -32,14 +32,14 @@
 (define-public texinfo
   (package
     (name "texinfo")
-    (version "6.1")
+    (version "6.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1ll3d0l8izygdxqz96wfr2631kxahifwdknpgsx2090vw963js5c"))))
+                "0fpr9kdjjl6nj2pc50k2zr7134hvqz8bi8pfqa7131a9lpzz6v14"))))
     (build-system gnu-build-system)
     (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
@@ -62,18 +62,6 @@ their source and the command-line Info reader.  The emphasis of the language
 is on expressing the content semantically, avoiding physical markup commands.")
     (license gpl3+)))
 
-(define-public texinfo-6.3
-  (package
-    (inherit texinfo)
-    (version "6.3")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/texinfo/texinfo-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "0fpr9kdjjl6nj2pc50k2zr7134hvqz8bi8pfqa7131a9lpzz6v14"))))))
-
 (define-public texinfo-5
   (package (inherit texinfo)
     (version "5.2")
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index b85fdde524..e965ca92cd 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
-;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016 Hartmut Goebel <h.goebel@crazy-compilers.com>
@@ -50,7 +50,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.8")
+    (version "4.9")
     (source
      (origin
       (method url-fetch)
@@ -58,7 +58,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "04y5m29pqmvkfdbppmsdifyx89v8xclxzklpfc7a1fkr9p4jz07s"))))
+        "0869cp6jx7cajgv6cnddsh3vc7bimmdkdjn80y1jpb4iss7plvsg"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (home-page "http://www.gnu.org/software/libtasn1/")
@@ -100,7 +100,7 @@ in intelligent transportation networks.")
 (define-public p11-kit
   (package
     (name "p11-kit")
-    (version "0.23.1")
+    (version "0.23.2")
     (source
      (origin
       (method url-fetch)
@@ -108,7 +108,7 @@ in intelligent transportation networks.")
                           version ".tar.gz"))
       (sha256
        (base32
-        "1i3a1wdpagm0p3y1bwaz5x5rjhcpqbcrnhkcp10p259vkxk72wz5"))
+        "1w7szm190phlkg7qx05ychlj2dbvkgkhx9gw6dx4d5rw62l6wwms"))
       (modules '((guix build utils))) ; for substitute*
       (snippet
         '(begin
@@ -138,8 +138,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (replacement gnutls-3.5.4)
-    (version "3.5.2")
+    (version "3.5.4")
     (source (origin
              (method url-fetch)
              (uri
@@ -150,7 +149,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "10l5pv7qc5c850aamih3pdkbqpc4v2a6g164dzd7c7fjpxffji9b"))))
+               "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -212,25 +211,10 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define gnutls-3.5.4
-  (package
-    (inherit gnutls)
-    (source
-      (let ((version "3.5.4"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "mirror://gnupg/gnutls/v"
-                              (version-major+minor version)
-                              "/gnutls-" version ".tar.xz"))
-          (sha256
-           (base32
-            "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f")))))))
-
 (define-public openssl
   (package
    (name "openssl")
-   (replacement openssl-1.0.2j)
-   (version "1.0.2h")
+   (version "1.0.2j")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -240,11 +224,9 @@ required structures.")
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
-               "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x"))
+               "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
              (patches (search-patches "openssl-runpath.patch"
-                                      "openssl-c-rehash-in.patch"
-                                      "openssl-CVE-2016-2177.patch"
-                                      "openssl-CVE-2016-2178.patch"))))
+                                      "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"                               ;1.5MiB of man3 pages
@@ -331,6 +313,7 @@ required structures.")
                                        (string-append target "/"
                                                       (basename file))))
                         (find-files man3))
+              (delete-file-recursively man3)
               #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
@@ -368,29 +351,10 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
-(define openssl-1.0.2j
-  (package
-    (inherit openssl)
-    (name "openssl")
-    (version "1.0.2j")
-    (source (origin
-              (method url-fetch)
-              (uri (list (string-append "ftp://ftp.openssl.org/source/"
-                                        name "-" version ".tar.gz")
-                         (string-append "ftp://ftp.openssl.org/source/old/"
-                                        (string-trim-right version char-set:letter)
-                                        "/" name "-" version ".tar.gz")))
-              (sha256
-               (base32
-                "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
-              (patches (search-patches "openssl-runpath.patch"
-                                       "openssl-c-rehash-in.patch"))))))
-
 (define-public openssl-next
   (package
     (inherit openssl)
     (name "openssl")
-    (replacement #f)
     (version "1.1.0b")
     (source (origin
              (method url-fetch)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 47383b71d4..4ca5a97311 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -89,7 +89,7 @@
     (inputs
      ;; Note: 'tools/packaging/lp-upload-release' and 'tools/weavemerge.sh'
      ;; require Zsh.
-     `(("gettext" ,gnu-gettext)))
+     `(("gettext" ,gettext-minimal)))
     (arguments
      `(#:tests? #f ; no test target
        #:python ,python-2   ; Python 3 apparently not yet supported, see
@@ -123,7 +123,7 @@ as well as the classic centralized workflow.")
    (build-system gnu-build-system)
    (native-inputs
     `(("native-perl" ,perl)
-      ("gettext" ,gnu-gettext)
+      ("gettext" ,gettext-minimal)
       ("git-manpages"
        ,(origin
           (method url-fetch)
@@ -938,7 +938,7 @@ accessed and migrated on modern systems.")
        ("file" ,file)
        ("libxml2" ,libxml2)
        ("zlib" ,zlib)
-       ("gettext" ,gnu-gettext)))
+       ("gettext" ,gettext-minimal)))
     (native-inputs
      `(("bison" ,bison)
        ("groff" ,groff)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 3ddf8587f6..6d59ccc490 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -353,7 +353,7 @@ SMPTE 314M.")
 (define-public libva
   (package
     (name "libva")
-    (version "1.7.0")
+    (version "1.7.1")
     (source
      (origin
        (method url-fetch)
@@ -361,7 +361,7 @@ SMPTE 314M.")
              "https://www.freedesktop.org/software/vaapi/releases/libva/libva-"
              version".tar.bz2"))
        (sha256
-        (base32 "0py9igf4kicj7ji22bjawkpd6my013qpg0s4ir2np9l1rk5vr2d6"))))
+        (base32 "1j8mb3p9kafhp30r3kmndnrklvzycc2ym0w6xdqz6m7jap626028"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -943,7 +943,8 @@ access to mpv's powerful playback capabilities.")
      ;; So, we need pass the prefix directly.  In addition, make sure the Bash
      ;; completion file is called 'youtube-dl' rather than
      ;; 'youtube-dl.bash-completion'.
-     `(#:phases (modify-phases %standard-phases
+     `(#:tests? #f ; Many tests fail. The test suite can be run with pytest.
+       #:phases (modify-phases %standard-phases
                   (add-before 'install 'fix-the-data-directories
                     (lambda* (#:key outputs #:allow-other-keys)
                       (let ((prefix (assoc-ref outputs "out")))
diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 477b05189c..6449f0d57a 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -130,7 +130,7 @@ Only \"Universal TUN/TAP device driver support\" is needed in the kernel.")
       ("vpnc" ,vpnc)
       ("zlib" ,zlib)))
    (native-inputs
-    `(("gettext" ,gnu-gettext)
+    `(("gettext" ,gettext-minimal)
       ("pkg-config" ,pkg-config)))
    (arguments
     `(#:configure-flags
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index e7dd583c11..afda239356 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -69,7 +69,7 @@
        ("openssl" ,openssl)
        ("zlib" ,zlib)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)))
     (home-page "http://w3m.sourceforge.net/")
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 46ae30aa9a..fde5ff2c6f 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -87,7 +87,7 @@
                                    "/include/gstreamer-1.0")))))))
     (native-inputs
      `(("bison" ,bison)
-       ("gettext" ,gnu-gettext)
+       ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin") ; for glib-mkenums, etc.
        ("gobject-introspection" ,gobject-introspection)
        ("gperf" ,gperf)
diff --git a/gnu/packages/wicd.scm b/gnu/packages/wicd.scm
index f9aa657e56..e70bf736a5 100644
--- a/gnu/packages/wicd.scm
+++ b/gnu/packages/wicd.scm
@@ -52,7 +52,7 @@
                  "wicd-urwid-1.3.patch"
                  "wicd-wpa2-ttls.patch"))))
     (build-system python-build-system)
-    (native-inputs `(("gettext" ,gnu-gettext)))
+    (native-inputs `(("gettext" ,gettext-minimal)))
     (inputs `(("dbus-glib" ,dbus-glib)
               ("python2-dbus" ,python2-dbus)
               ("python2-pygtk" ,python2-pygtk)
diff --git a/gnu/packages/wine.scm b/gnu/packages/wine.scm
index 03a896b8e1..9a1bd56608 100644
--- a/gnu/packages/wine.scm
+++ b/gnu/packages/wine.scm
@@ -63,7 +63,7 @@
                 "1nmd65knzyh8b0yhxlqqvzai5rpnmhhm0c46n789zr5hj74jm6fg"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
-                     ("gettext" ,gnu-gettext)
+                     ("gettext" ,gettext-minimal)
                      ("flex" ,flex)
                      ("bison" ,bison)
                      ("perl" ,perl)))
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 323ff111d4..a26c716866 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -90,7 +90,7 @@
              #t)))))
     (inputs `(("pygtk" ,python2-pygtk)
               ("xrandr" ,xrandr)))
-    (native-inputs `(("gettext"           ,gnu-gettext)
+    (native-inputs `(("gettext"           ,gettext-minimal)
                      ("python-docutils"   ,python2-docutils)
                      ("python-setuptools" ,python2-setuptools)))
     (home-page "https://christian.amsuess.com/tools/arandr/")
@@ -266,7 +266,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.67")
+    (version "2.4.68")
     (source
       (origin
         (method url-fetch)
@@ -275,8 +275,8 @@ rasterisation.")
                version
                ".tar.bz2"))
         (sha256
-          (base32
-            "1gnf206zs8dwszvkv4z2hbvh23045z0q29kms127bqrv27hp2nzf"))
+         (base32
+          "1px91j6imaaq2fy8ksvgldmv0cdz3w379jqiciqvqa99jajxjjsv"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (inputs
@@ -1010,7 +1010,7 @@ by name.")
        ("libxrandr" ,libxrandr)
        ("startup-notification" ,startup-notification)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (home-page "https://gitlab.com/o9000/tint2")
     (synopsis "Lightweight task bar")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 879b37a337..94a017d1d5 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -52,18 +52,16 @@
 (define-public expat
   (package
     (name "expat")
-    (replacement expat/fixed)
-    (version "2.1.1")
+    (version "2.2.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
-             (patches (search-patches "expat-CVE-2012-6702-and-CVE-2016-5300.patch"
-                                      "expat-CVE-2015-1283-refix.patch"
-                                      "expat-CVE-2016-0718.patch"))
+             (patches
+               (search-patches "expat-CVE-2016-0718-fix-regression.patch"))
              (sha256
               (base32
-               "0ryyjgvy7jq0qb7a9mhc1giy3bzn56aiwrs8dpydqngplbjq9xdg"))))
+               "1zq4lnwjlw8s9mmachwfvfjf2x3lk24jm41746ykhdcvs7r0zrfr"))))
     (build-system gnu-build-system)
     (home-page "http://www.libexpat.org/")
     (synopsis "Stream-oriented XML parser library written in C")
@@ -73,17 +71,6 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define expat/fixed
-  (package
-    (inherit expat)
-    (source (origin
-              (inherit (package-source expat))
-              (patches (search-patches
-                         "expat-CVE-2012-6702-and-CVE-2016-5300.patch"
-                         "expat-CVE-2015-1283-refix.patch"
-                         "expat-CVE-2016-0718.patch"
-                         "expat-CVE-2016-0718-fix-regression.patch"))))))
-
 (define-public libxml2
   (package
     (name "libxml2")
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index aa2b99a720..9f9549b6b9 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2015 Cyrill Schenkel <cyrill.schenkel@gmail.com>
@@ -999,7 +999,7 @@ authentication records.")
 (define-public inputproto
   (package
     (name "inputproto")
-    (version "2.3.1")
+    (version "2.3.2")
     (source
       (origin
         (method url-fetch)
@@ -1009,7 +1009,7 @@ authentication records.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1lf1jlxp0fc8h6fjdffhd084dqab94966l1zm3rwwsis0mifwiss"))))
+            "07gk7v006zqn3dcfh16l06gnccy7xnqywf3vl9c209ikazsnlfl9"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
@@ -1432,7 +1432,7 @@ treat it as part of their software base when porting.")
             "07041q4k8m4nirzl7lrqn8by2zylx0xvh6n0za301qqs3njszgf5"))))
     (build-system gnu-build-system)
     (inputs
-      `(("gettext" ,gnu-gettext)
+      `(("gettext" ,gettext-minimal)
         ("libxt" ,libxt)
         ("xproto" ,xproto)
         ("libxext" ,libxext)))
@@ -1920,7 +1920,7 @@ generate new versions of their configure scripts with autoconf.")
 (define-public videoproto
   (package
     (name "videoproto")
-    (version "2.3.2")
+    (version "2.3.3")
     (source
       (origin
         (method url-fetch)
@@ -1930,7 +1930,7 @@ generate new versions of their configure scripts with autoconf.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1dnlkd9nb0m135lgd6hd61vc29sdyarsyya8aqpx7z10p261dbld"))))
+            "00m7rh3pwmsld4d5fpii3xfk5ciqn17kkk38gfpzrrh8zn4ki067"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
@@ -3675,7 +3675,7 @@ alternative implementations like XRandR or TwinView.")
 (define xkbcomp-intermediate ; used as input for xkeyboard-config
   (package
     (name "xkbcomp-intermediate")
-    (version "1.3.0")
+    (version "1.3.1")
     (source
       (origin
         (method url-fetch)
@@ -3684,8 +3684,8 @@ alternative implementations like XRandR or TwinView.")
                version
                ".tar.bz2"))
         (sha256
-          (base32
-            "0aibcbhhjlwcrxh943xg2dswwx5bz1x0pmhs28b55gzsg0vrgb6g"))))
+         (base32
+          "0gcjy70ppmcl610z8gxc7sydsx93f8cm8pggm4qhihaa1ngdq103"))))
     (build-system gnu-build-system)
     (inputs
       `(("xproto" ,xproto)
@@ -3789,7 +3789,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.17")
+    (version "2.18")
     (source
       (origin
         (method url-fetch)
@@ -3799,10 +3799,10 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "00878f1v3034ki78pjpf2db0bh7jsmszsnxr3bf5qxripm2bxiny"))))
+            "1l6x2w357ja8vm94ns79s7yj9a5dlr01r9dxrjvzwncadiyr27f4"))))
     (build-system gnu-build-system)
     (inputs
-      `(("gettext" ,gnu-gettext)
+      `(("gettext" ,gettext-minimal)
         ("libx11" ,libx11)
         ("xkbcomp-intermediate" ,xkbcomp-intermediate)))
     (native-inputs
@@ -4008,7 +4008,7 @@ Font Description (XLFD) full name for a font.")
        ("libxmu" ,libxmu)
        ("libxrender" ,libxrender)))
     (native-inputs
-     `(("gettext" ,gnu-gettext)
+     `(("gettext" ,gettext-minimal)
        ("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
     (synopsis "Display all the characters in an X font")
@@ -4602,8 +4602,7 @@ cannot be adequately worked around on the client side of the wire.")
 (define-public libxrender
   (package
     (name "libxrender")
-    (replacement libxrender/fixed)
-    (version "0.9.9")
+    (version "0.9.10")
     (source
       (origin
         (method url-fetch)
@@ -4613,7 +4612,7 @@ cannot be adequately worked around on the client side of the wire.")
                ".tar.bz2"))
         (sha256
           (base32
-            "06myx7044qqdswxndsmd82fpp670klnizkgzdm194h51h1wyabzw"))))
+            "0j89cnb06g8x79wmmnwzykgkkfdhin9j7hjpvsxwlr3fz1wmjvf0"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("renderproto" ,renderproto)))
@@ -4627,20 +4626,10 @@ cannot be adequately worked around on the client side of the wire.")
     (description "Library for the Render Extension to the X11 protocol.")
     (license license:x11)))
 
-(define libxrender/fixed
-  (package
-    (inherit libxrender)
-    (source (origin
-              (inherit (package-source libxrender))
-              (patches (search-patches
-                         "libxrender-CVE-2016-7949.patch"
-                         "libxrender-CVE-2016-7950.patch"))))))
-
 (define-public libxtst
   (package
     (name "libxtst")
-    (replacement libxtst/fixed)
-    (version "1.2.2")
+    (version "1.2.3")
     (source
       (origin
         (method url-fetch)
@@ -4650,7 +4639,7 @@ cannot be adequately worked around on the client side of the wire.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1ngn161nq679ffmbwl81i2hn75jjg5b3ffv6n4jilpvyazypy2pg"))))
+            "012jpyj7xfm653a9jcfqbzxyywdmwb2b5wr1dwylx14f3f54jma6"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("recordproto" ,recordproto)
@@ -4675,19 +4664,10 @@ The RECORD extension supports the recording and reporting of all core X
 protocol and arbitrary X extension protocol.")
     (license license:x11)))
 
-(define libxtst/fixed
-  (package
-    (inherit libxtst)
-    (source (origin
-              (inherit (package-source libxtst))
-              (patches (search-patches
-                         "libxtst-CVE-2016-7951-CVE-2016-7952.patch"))))))
-
 (define-public libxv
   (package
     (name "libxv")
-    (replacement libxv/fixed)
-    (version "1.0.10")
+    (version "1.0.11")
     (source
       (origin
         (method url-fetch)
@@ -4697,7 +4677,7 @@ protocol and arbitrary X extension protocol.")
                ".tar.bz2"))
         (sha256
           (base32
-            "09a5j6bisysiipd0nw6s352565bp0n6gbyhv5hp63s3cd3w95zjm"))))
+            "125hn06bd3d8y97hm2pbf5j55gg4r2hpd3ifad651i4sr7m16v6j"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("videoproto" ,videoproto)))
@@ -4712,14 +4692,6 @@ protocol and arbitrary X extension protocol.")
     (description "Library for the X Video Extension to the X11 protocol.")
     (license license:x11)))
 
-(define libxv/fixed
-  (package
-    (inherit libxv)
-    (source (origin
-              (inherit (package-source libxv))
-              (patches (search-patches
-                         "libxv-CVE-2016-5407.patch"))))))
-
 (define-public mkfontdir
   (package
     (name "mkfontdir")
@@ -4761,7 +4733,7 @@ script around the mkfontscale program.")
 (define-public xproto
   (package
     (name "xproto")
-    (version "7.0.28")
+    (version "7.0.29")
     (source
       (origin
         (method url-fetch)
@@ -4771,7 +4743,7 @@ script around the mkfontscale program.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1jpnvm33vi2dar5y5zgz7jjh0m8fpkcxm0f0lbwfx37ns5l5bs19"))))
+            "12lzpa9mrzkyrhrphzpi1014np3328qg7mdq08wj6wyaj9q4f6kc"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("util-macros" ,util-macros))) ; to get util-macros in (almost?) all package inputs
@@ -4848,8 +4820,7 @@ an X Window System display.")
 (define-public libxfixes
   (package
     (name "libxfixes")
-    (replacement libxfixes/fixed)
-    (version "5.0.1")
+    (version "5.0.3")
     (source
       (origin
         (method url-fetch)
@@ -4859,7 +4830,7 @@ an X Window System display.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0rs7qgzr6dpr62db7sd91c1b47hzhzfr010qwnpcm8sg122w1gk3"))))
+            "1miana3y4hwdqdparsccmygqr3ic3hs5jrqfzp70hvi2zwxd676y"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("fixesproto" ,fixesproto)))
@@ -4873,14 +4844,6 @@ an X Window System display.")
     (description "Library for the XFixes Extension to the X11 protocol.")
     (license license:x11)))
 
-(define libxfixes/fixed
-  (package
-    (inherit libxfixes)
-    (source (origin
-              (inherit (package-source libxfixes))
-              (patches (search-patches
-                         "libxfixes-CVE-2016-7944.patch"))))))
-
 (define-public libxfont
   (package
     (name "libxfont")
@@ -4921,8 +4884,7 @@ new API's in libXft, or the legacy API's in libX11.")
 (define-public libxi
   (package
     (name "libxi")
-    (replacement libxi/fixed)
-    (version "1.7.6")
+    (version "1.7.7")
     (source
       (origin
         (method url-fetch)
@@ -4932,7 +4894,7 @@ new API's in libXft, or the legacy API's in libX11.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1b5p0l19ynmd6blnqr205wyngh6fagl35nqb4v05dw60rr9aachz"))))
+            "0c70n4aq0ba628wr88ih4740nci9d9f6y3v96sx376vvlm7q6vwr"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("inputproto" ,inputproto)
@@ -4948,19 +4910,10 @@ new API's in libXft, or the legacy API's in libX11.")
     (description "Library for the XInput Extension to the X11 protocol.")
     (license license:x11)))
 
-(define libxi/fixed
-  (package
-    (inherit libxi)
-    (source (origin
-              (inherit (package-source libxi))
-              (patches (search-patches
-                         "libxi-CVE-2016-7945-CVE-2016-7946.patch"))))))
-
 (define-public libxrandr
   (package
     (name "libxrandr")
-    (replacement libxrandr/fixed)
-    (version "1.5.0")
+    (version "1.5.1")
     (source
       (origin
         (method url-fetch)
@@ -4970,7 +4923,7 @@ new API's in libXft, or the legacy API's in libX11.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0n6ycs1arf4wb1cal9il6v7vbxbf21qhs9sbfl8xndgwnxclk1kg"))))
+            "06pmphx8lp3iywqnh88fvbfb0d8xgkx0qpvan49akpja1vxfgy8z"))))
     (build-system gnu-build-system)
     (propagated-inputs
       ;; In accordance with xrandr.pc.
@@ -4987,19 +4940,10 @@ new API's in libXft, or the legacy API's in libX11.")
      "Library for the Resize and Rotate Extension to the X11 protocol.")
     (license license:x11)))
 
-(define libxrandr/fixed
-  (package
-    (inherit libxrandr)
-    (source (origin
-              (inherit (package-source libxrandr))
-              (patches (search-patches
-                         "libxrandr-CVE-2016-7947-CVE-2016-7948.patch"))))))
-
 (define-public libxvmc
   (package
     (name "libxvmc")
-    (replacement libxvmc/fixed)
-    (version "1.0.9")
+    (version "1.0.10")
     (source
       (origin
         (method url-fetch)
@@ -5009,7 +4953,7 @@ new API's in libXft, or the legacy API's in libX11.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0mjp1b21dvkaz7r0iq085r92nh5vkpmx99awfgqq9hgzyvgxf0q7"))))
+            "0bpffxr5dal90a8miv2w0rif61byqxq2f5angj4z1bnznmws00g5"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("libxv" ,libxv)))
@@ -5024,14 +4968,6 @@ new API's in libXft, or the legacy API's in libX11.")
     (description "Xorg XvMC library.")
     (license license:x11)))
 
-(define libxvmc/fixed
-  (package
-    (inherit libxvmc)
-    (source (origin
-              (inherit (package-source libxvmc))
-              (patches (search-patches
-                         "libxvmc-CVE-2016-7953.patch"))))))
-
 (define-public libxxf86vm
   (package
     (name "libxxf86vm")
@@ -5067,7 +5003,7 @@ protocol.")
 (define-public libxcb
   (package
     (name "libxcb")
-    (version "1.11")
+    (version "1.11.1")
     (source
       (origin
         (method url-fetch)
@@ -5075,7 +5011,7 @@ protocol.")
                             name "-" version ".tar.bz2"))
         (sha256
           (base32
-            "1xqgc81krx14f2c8yl5chzg5g2l26mhm2rwffy8dx7jv0iq5sqq3"))))
+           "0c4xyvdyx5adh8dzyhnrmvwwz24gri4z1czxmxqm63i0gmngs85p"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("libpthread-stubs" ,libpthread-stubs)
@@ -5111,7 +5047,7 @@ over Xlib, including:
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "1.18.1")
+    (version "1.18.4")
     (source
       (origin
         (method url-fetch)
@@ -5120,7 +5056,7 @@ over Xlib, including:
               name "-" version ".tar.bz2"))
         (sha256
          (base32
-          "17bq40als48v12ld81jysc0gj5g572zkjkyzbhlm3ac9xgdmdv45"))))
+          "1j1i3n5xy1wawhk95kxqdc54h34kg7xp4nnramba2q8xqfr5k117"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("dri2proto" ,dri2proto)
@@ -5169,7 +5105,13 @@ over Xlib, including:
         ("xkbcomp" ,xkbcomp)
         ("xkeyboard-config" ,xkeyboard-config)
         ("xtrans" ,xtrans)
-        ("zlib" ,zlib)))
+        ("zlib" ,zlib)
+        ;; Inputs for Xephyr
+        ("xcb-util" ,xcb-util)
+        ("xcb-util-image" ,xcb-util-image)
+        ("xcb-util-keysyms" ,xcb-util-keysyms)
+        ("xcb-util-renderutil" ,xcb-util-renderutil)
+        ("xcb-util-wm" ,xcb-util-wm)))
     (native-inputs
        `(("python" ,python-minimal-wrapper)
          ("pkg-config" ,pkg-config)))
@@ -5185,9 +5127,17 @@ over Xlib, including:
              (string-append "--with-xkb-bin-directory="
                             (assoc-ref %build-inputs "xkbcomp")
                             "/bin")
+             ;; By default, it ends up with invalid '${prefix}/...', causes:
+             ;;   _FontTransOpen: Unable to Parse address ${prefix}/share/...
+             ;; It's not used anyway, so set it to empty.
+             "--with-default-font-path="
+
 
              ;; For the log file, etc.
-             "--localstatedir=/var")
+             "--localstatedir=/var"
+             ;; For sddm
+             "--enable-kdrive"
+             "--enable-xephyr")
 
        #:phases (alist-cons-before
                  'configure 'pre-configure
@@ -5238,8 +5188,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (replacement libx11/fixed)
-    (version "1.6.3")
+    (version "1.6.4")
     (source
       (origin
         (method url-fetch)
@@ -5249,7 +5198,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "04c1vj53xq2xgyxx5vhln3wm2d76hh1n95fvs3myhligkz1sfcfg"))))
+            "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
@@ -5271,15 +5220,6 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
-(define libx11/fixed
-  (package
-    (inherit libx11)
-    (source (origin
-              (inherit (package-source libx11))
-              (patches (search-patches
-                         "libx11-CVE-2016-7942.patch"
-                         "libx11-CVE-2016-7943.patch"))))))
-
 ;; packages of height 5 in the propagated-inputs tree
 
 (define-public libxcursor
diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm
new file mode 100644
index 0000000000..7542ee26c0
--- /dev/null
+++ b/gnu/services/cups.scm
@@ -0,0 +1,1166 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Andy Wingo <wingo@pobox.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services cups)
+  #:use-module (gnu services)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages cups)
+  #:use-module (gnu packages tls)
+  #:use-module (guix packages)
+  #:use-module (guix records)
+  #:use-module (guix gexp)
+  #:use-module (texinfo)
+  #:use-module (texinfo serialize)
+  #:use-module (ice-9 match)
+  #:use-module ((srfi srfi-1) #:select (append-map))
+  #:use-module (srfi srfi-34)
+  #:use-module (srfi srfi-35)
+  #:export (&cups-configuation-error
+            cups-configuration-error?
+
+            cups-service-type
+            cups-configuration
+            opaque-cups-configuration
+
+            files-configuration
+            policy-configuration
+            location-access-control
+            operation-access-control
+            method-access-control))
+
+;;; Commentary:
+;;;
+;;; Service defininition for the CUPS printing system.
+;;;
+;;; Code:
+
+(define-condition-type &cups-configuration-error &error
+  cups-configuration-error?)
+
+(define (cups-error message)
+  (raise (condition (&message (message message))
+                    (&cups-configuration-error))))
+(define (cups-configuration-field-error field val)
+  (cups-error
+   (format #f "Invalid value for field ~a: ~s" field val)))
+(define (cups-configuration-missing-field kind field)
+  (cups-error
+   (format #f "~a configuration missing required field ~a" kind field)))
+
+(define-record-type* <configuration-field>
+  configuration-field make-configuration-field configuration-field?
+  (name configuration-field-name)
+  (type configuration-field-type)
+  (getter configuration-field-getter)
+  (predicate configuration-field-predicate)
+  (serializer configuration-field-serializer)
+  (default-value-thunk configuration-field-default-value-thunk)
+  (documentation configuration-field-documentation))
+
+(define (serialize-configuration config fields)
+  (for-each (lambda (field)
+              ((configuration-field-serializer field)
+               (configuration-field-name field)
+               ((configuration-field-getter field) config)))
+            fields))
+
+(define (validate-configuration config fields)
+  (for-each (lambda (field)
+              (let ((val ((configuration-field-getter field) config)))
+                (unless ((configuration-field-predicate field) val)
+                  (cups-configuration-field-error
+                   (configuration-field-name field) val))))
+            fields))
+
+(define-syntax define-configuration
+  (lambda (stx)
+    (define (id ctx part . parts)
+      (let ((part (syntax->datum part)))
+        (datum->syntax
+         ctx
+         (match parts
+           (() part)
+           (parts (symbol-append part
+                                 (syntax->datum (apply id ctx parts))))))))
+    (syntax-case stx ()
+      ((_ stem (field (field-type def) doc) ...)
+       (with-syntax (((field-getter ...)
+                      (map (lambda (field)
+                             (id #'stem #'stem #'- field))
+                           #'(field ...)))
+                     ((field-predicate ...)
+                      (map (lambda (type)
+                             (id #'stem type #'?))
+                           #'(field-type ...)))
+                     ((field-serializer ...)
+                      (map (lambda (type)
+                             (id #'stem #'serialize- type))
+                           #'(field-type ...))))
+           #`(begin
+               (define-record-type* #,(id #'stem #'< #'stem #'>)
+                 #,(id #'stem #'% #'stem)
+                 #,(id #'stem #'make- #'stem)
+                 #,(id #'stem #'stem #'?)
+                 (field field-getter (default def))
+                 ...)
+               (define #,(id #'stem #'stem #'-fields)
+                 (list (configuration-field
+                        (name 'field)
+                        (type 'field-type)
+                        (getter field-getter)
+                        (predicate field-predicate)
+                        (serializer field-serializer)
+                        (default-value-thunk (lambda () def))
+                        (documentation doc))
+                       ...))
+               (define-syntax-rule (stem arg (... ...))
+                 (let ((conf (#,(id #'stem #'% #'stem) arg (... ...))))
+                   (validate-configuration conf
+                                           #,(id #'stem #'stem #'-fields))
+                   conf))))))))
+
+(define %cups-accounts
+  (list (user-group (name "lp") (system? #t))
+        (user-group (name "lpadmin") (system? #t))
+        (user-account
+         (name "lp")
+         (group "lp")
+         (system? #t)
+         (comment "System user for invoking printing helper programs")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))))
+
+(define (uglify-field-name field-name)
+  (let ((str (symbol->string field-name)))
+    (string-concatenate
+     (map string-titlecase
+          (string-split (if (string-suffix? "?" str)
+                            (substring str 0 (1- (string-length str)))
+                            str)
+                        #\-)))))
+
+(define (serialize-field field-name val)
+  (format #t "~a ~a\n" (uglify-field-name field-name) val))
+
+(define (serialize-package field-name val)
+  #f)
+
+(define (serialize-string field-name val)
+  (serialize-field field-name val))
+
+(define (multiline-string-list? val)
+  (and (list? val)
+       (and-map (lambda (x)
+                  (and (string? x) (not (string-index x #\space))))
+                val)))
+(define (serialize-multiline-string-list field-name val)
+  (for-each (lambda (str) (serialize-field field-name str)) val))
+
+(define (space-separated-string-list? val)
+  (and (list? val)
+       (and-map (lambda (x)
+                  (and (string? x) (not (string-index x #\space))))
+                val)))
+(define (serialize-space-separated-string-list field-name val)
+  (serialize-field field-name (string-join val " ")))
+
+(define (space-separated-symbol-list? val)
+  (and (list? val) (and-map symbol? val)))
+(define (serialize-space-separated-symbol-list field-name val)
+  (serialize-field field-name (string-join (map symbol->string val) " ")))
+
+(define (file-name? val)
+  (and (string? val)
+       (string-prefix? "/" val)))
+(define (serialize-file-name field-name val)
+  (serialize-string field-name val))
+
+(define (serialize-boolean field-name val)
+  (serialize-string field-name (if val "yes" "no")))
+
+(define (non-negative-integer? val)
+  (and (exact-integer? val) (not (negative? val))))
+(define (serialize-non-negative-integer field-name val)
+  (serialize-field field-name val))
+
+(define-syntax define-enumerated-field-type
+  (lambda (x)
+    (define (id-append ctx . parts)
+      (datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
+    (syntax-case x ()
+      ((_ name (option ...))
+       #`(begin
+           (define (#,(id-append #'name #'name #'?) x)
+             (memq x '(option ...)))
+           (define (#,(id-append #'name #'serialize- #'name) field-name val)
+             (serialize-field field-name val)))))))
+
+(define-enumerated-field-type access-log-level
+  (config actions all))
+(define-enumerated-field-type browse-local-protocols
+  (all dnssd none))
+(define-enumerated-field-type default-auth-type
+  (Basic Negotiate))
+(define-enumerated-field-type default-encryption
+  (Never IfRequested Required))
+(define-enumerated-field-type error-policy
+  (abort-job retry-job retry-this-job stop-printer))
+(define-enumerated-field-type log-level
+  (none emerg alert crit error warn notice info debug debug2))
+(define-enumerated-field-type log-time-format
+  (standard usecs))
+(define-enumerated-field-type server-tokens
+  (None ProductOnly Major Minor Minimal OS Full))
+(define-enumerated-field-type method
+  (DELETE GET HEAD OPTIONS POST PUT TRACE))
+(define-enumerated-field-type sandboxing
+  (relaxed strict))
+
+(define (method-list? val)
+  (and (list? val) (and-map method? val)))
+(define (serialize-method-list field-name val)
+  (serialize-field field-name (string-join (map symbol->string val) " ")))
+
+(define (host-name-lookups? val)
+  (memq val '(#f #t 'double)))
+(define (serialize-host-name-lookups field-name val)
+  (serialize-field field-name
+                   (match val (#f "No") (#t "Yes") ('double "Double"))))
+  
+(define (host-name-list-or-*? x)
+    (or (eq? x '*)
+        (and (list? x) (and-map string? x))))
+(define (serialize-host-name-list-or-* field-name val)
+  (serialize-field field-name (match val
+                                ('* '*)
+                                (names (string-join names " ")))))
+
+(define (boolean-or-non-negative-integer? x)
+  (or (boolean? x) (non-negative-integer? x)))
+(define (serialize-boolean-or-non-negative-integer field-name x)
+  (if (boolean? x)
+      (serialize-boolean field-name x)
+      (serialize-non-negative-integer field-name x)))
+
+(define (ssl-options? x)
+  (and (list? x)
+       (and-map (lambda (elt) (memq elt '(AllowRC4 AllowSSL3))) x)))
+(define (serialize-ssl-options field-name val)
+  (serialize-field field-name
+                   (match val
+                     (() "None")
+                     (opts (string-join (map symbol->string opts) " ")))))
+
+(define (serialize-access-control x)
+  (display x)
+  (newline))
+(define (serialize-access-control-list field-name val)
+  (for-each serialize-access-control val))
+(define (access-control-list? val)
+  (and (list? val) (and-map string? val)))
+
+(define-configuration operation-access-control
+  (operations
+   (space-separated-symbol-list '())
+   "IPP operations to which this access control applies.")
+  (access-controls
+   (access-control-list '())
+   "Access control directives, as a list of strings.  Each string should be one directive, such as \"Order allow,deny\"."))
+
+(define-configuration method-access-control
+  (reverse?
+   (boolean #f)
+   "If @code{#t}, apply access controls to all methods except the listed
+methods.  Otherwise apply to only the listed methods.")
+  (methods
+   (method-list '())
+   "Methods to which this access control applies.")
+  (access-controls
+   (access-control-list '())
+   "Access control directives, as a list of strings.  Each string should be one directive, such as \"Order allow,deny\"."))
+
+(define (serialize-operation-access-control x)
+  (format #t "<Limit ~a>\n"
+          (string-join (map symbol->string
+                            (operation-access-control-operations x)) " "))
+  (serialize-configuration
+   x
+   (filter (lambda (field)
+             (not (eq? (configuration-field-name field) 'operations)))
+           operation-access-control-fields))
+  (format #t "</Limit>\n"))
+
+(define (serialize-method-access-control x)
+  (let ((limit (if (method-access-control-reverse? x) "LimitExcept" "Limit")))
+    (format #t "<~a ~a>\n" limit
+            (string-join (map symbol->string
+                              (method-access-control-methods x)) " "))
+    (serialize-configuration
+     x
+     (filter (lambda (field)
+               (case (configuration-field-name field)
+                 ((reverse? methods) #f)
+                 (else #t)))
+             method-access-control-fields))
+    (format #t "</~a>\n" limit)))
+
+(define (operation-access-control-list? val)
+  (and (list? val) (and-map operation-access-control? val)))
+(define (serialize-operation-access-control-list field-name val)
+  (for-each serialize-operation-access-control val))
+
+(define (method-access-control-list? val)
+  (and (list? val) (and-map method-access-control? val)))
+(define (serialize-method-access-control-list field-name val)
+  (for-each serialize-method-access-control val))
+
+(define-configuration location-access-control
+  (path
+   (file-name (cups-configuration-missing-field 'location-access-control 'path))
+   "Specifies the URI path to which the access control applies.")
+  (access-controls
+   (access-control-list '())
+   "Access controls for all access to this path, in the same format as the
+@code{access-controls} of @code{operation-access-control}.")
+  (method-access-controls
+   (method-access-control-list '())
+   "Access controls for method-specific access to this path."))
+
+(define (serialize-location-access-control x)
+  (format #t "<Location ~a>\n" (location-access-control-path x))
+  (serialize-configuration
+   x
+   (filter (lambda (field)
+             (not (eq? (configuration-field-name field) 'path)))
+           location-access-control-fields))
+  (format #t "</Location>\n"))
+
+(define (location-access-control-list? val)
+  (and (list? val) (and-map location-access-control? val)))
+(define (serialize-location-access-control-list field-name val)
+  (for-each serialize-location-access-control val))
+
+(define-configuration policy-configuration
+  (name
+   (string (cups-configuration-missing-field 'policy-configuration 'name))
+   "Name of the policy.")
+  (job-private-access
+   (string "@OWNER @SYSTEM")
+   "Specifies an access list for a job's private values.  @code{@@ACL} maps to
+the printer's requesting-user-name-allowed or requesting-user-name-denied
+values.  @code{@@OWNER} maps to the job's owner.  @code{@@SYSTEM} maps to the
+groups listed for the @code{system-group} field of the @code{files-config}
+configuration, which is reified into the @code{cups-files.conf(5)} file.
+Other possible elements of the access list include specific user names, and
+@code{@@@var{group}} to indicate members of a specific group.  The access list
+may also be simply @code{all} or @code{default}.")
+  (job-private-values
+   (string (string-join '("job-name" "job-originating-host-name"
+                          "job-originating-user-name" "phone")))
+   "Specifies the list of job values to make private, or @code{all},
+@code{default}, or @code{none}.")
+
+  (subscription-private-access
+   (string "@OWNER @SYSTEM")
+   "Specifies an access list for a subscription's private values.
+@code{@@ACL} maps to the printer's requesting-user-name-allowed or
+requesting-user-name-denied values.  @code{@@OWNER} maps to the job's owner.
+@code{@@SYSTEM} maps to the groups listed for the @code{system-group} field of
+the @code{files-config} configuration, which is reified into the
+@code{cups-files.conf(5)} file.  Other possible elements of the access list
+include specific user names, and @code{@@@var{group}} to indicate members of a
+specific group.  The access list may also be simply @code{all} or
+@code{default}.")
+  (subscription-private-values
+   (string (string-join '("notify-events" "notify-pull-method"
+                          "notify-recipient-uri" "notify-subscriber-user-name"
+                          "notify-user-data")
+                        " "))
+   "Specifies the list of job values to make private, or @code{all},
+@code{default}, or @code{none}.")
+
+  (access-controls
+   (operation-access-control-list '())
+   "Access control by IPP operation."))
+
+(define (serialize-policy-configuration x)
+  (format #t "<Policy ~a>\n" (policy-configuration-name x))
+  (serialize-configuration
+   x
+   (filter (lambda (field)
+             (not (eq? (configuration-field-name field) 'name)))
+           policy-configuration-fields))
+  (format #t "</Policy>\n"))
+
+(define (policy-configuration-list? x)
+  (and (list? x) (and-map policy-configuration? x)))
+(define (serialize-policy-configuration-list field-name x)
+  (for-each serialize-policy-configuration x))
+
+(define (log-location? x)
+  (or (file-name? x)
+      (eq? x 'stderr)
+      (eq? x 'syslog)))
+(define (serialize-log-location field-name x)
+  (if (string? x)
+      (serialize-file-name field-name x)
+      (serialize-field field-name x)))
+
+(define-configuration files-configuration
+  (access-log
+   (log-location "/var/log/cups/access_log")
+   "Defines the access log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be sent
+to the standard error file when the scheduler is running in the foreground, or
+to the system log daemon when run in the background.  The value @code{syslog}
+causes log entries to be sent to the system log daemon.  The server name may
+be included in filenames using the string @code{%s}, as in
+@code{/var/log/cups/%s-access_log}.")
+  (cache-dir
+   (file-name "/var/cache/cups")
+   "Where CUPS should cache data.")
+  (config-file-perm
+   (string "0640")
+   "Specifies the permissions for all configuration files that the scheduler
+writes.
+
+Note that the permissions for the printers.conf file are currently masked to
+only allow access from the scheduler user (typically root).  This is done
+because printer device URIs sometimes contain sensitive authentication
+information that should not be generally known on the system.  There is no way
+to disable this security feature.")
+  ;; Not specifying data-dir and server-bin options as we handle these
+  ;; manually.  For document-root, the CUPS package has that path
+  ;; preconfigured.
+  (error-log
+   (log-location "/var/log/cups/error_log")
+   "Defines the error log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be sent
+to the standard error file when the scheduler is running in the foreground, or
+to the system log daemon when run in the background.  The value @code{syslog}
+causes log entries to be sent to the system log daemon.  The server name may
+be included in filenames using the string @code{%s}, as in
+@code{/var/log/cups/%s-error_log}.")
+  (fatal-errors
+   (string "all -browse")
+   "Specifies which errors are fatal, causing the scheduler to exit.  The kind
+strings are:
+@table @code
+@item none
+No errors are fatal.
+@item all
+All of the errors below are fatal.
+@item browse
+Browsing initialization errors are fatal, for example failed connections to
+the DNS-SD daemon.
+@item config
+Configuration file syntax errors are fatal.
+@item listen
+Listen or Port errors are fatal, except for IPv6 failures on the loopback or
+@code{any} addresses.
+@item log
+Log file creation or write errors are fatal.
+@item permissions
+Bad startup file permissions are fatal, for example shared TLS certificate and
+key files with world-read permissions.
+@end table")
+  (file-device?
+   (boolean #f)
+   "Specifies whether the file pseudo-device can be used for new printer
+queues.  The URI @url{file:///dev/null} is always allowed.")
+  (group
+   (string "lp")
+   "Specifies the group name or ID that will be used when executing external
+programs.")
+  (log-file-perm
+   (string "0644")
+   "Specifies the permissions for all log files that the scheduler writes.")
+  (page-log
+   (log-location "/var/log/cups/page_log")
+   "Defines the page log filename.  Specifying a blank filename disables
+access log generation.  The value @code{stderr} causes log entries to be sent
+to the standard error file when the scheduler is running in the foreground, or
+to the system log daemon when run in the background.  The value @code{syslog}
+causes log entries to be sent to the system log daemon.  The server name may
+be included in filenames using the string @code{%s}, as in
+@code{/var/log/cups/%s-page_log}.")
+  (remote-root
+   (string "remroot")
+   "Specifies the username that is associated with unauthenticated accesses by
+clients claiming to be the root user.  The default is @code{remroot}.")
+  (request-root
+   (file-name "/var/spool/cups")
+   "Specifies the directory that contains print jobs and other HTTP request
+data.")
+  (sandboxing
+   (sandboxing 'strict)
+   "Specifies the level of security sandboxing that is applied to print
+filters, backends, and other child processes of the scheduler; either
+@code{relaxed} or @code{strict}.  This directive is currently only
+used/supported on macOS.")
+  (server-keychain
+   (file-name "/etc/cups/ssl")
+   "Specifies the location of TLS certificates and private keys.  CUPS will
+look for public and private keys in this directory: a @code{.crt} files for
+PEM-encoded certificates and corresponding @code{.key} files for PEM-encoded
+private keys.")
+  (server-root
+   (file-name "/etc/cups")
+   "Specifies the directory containing the server configuration files.")
+  (sync-on-close?
+   (boolean #f)
+   "Specifies whether the scheduler calls fsync(2) after writing configuration
+or state files.")
+  (system-group
+   (space-separated-string-list '("lpadmin" "wheel" "root"))
+   "Specifies the group(s) to use for @code{@@SYSTEM} group authentication.")
+  (temp-dir
+   (file-name "/var/spool/cups/tmp")
+   "Specifies the directory where temporary files are stored.")
+  (user
+   (string "lp")
+   "Specifies the user name or ID that is used when running external
+programs."))
+
+(define (serialize-files-configuration field-name val)
+  #f)
+
+(define (environment-variables? vars)
+  (space-separated-string-list? vars))
+(define (serialize-environment-variables field-name vars)
+  (unless (null? vars)
+    (serialize-space-separated-string-list field-name vars)))
+
+(define (package-list? val)
+  (and (list? val) (and-map package? val)))
+(define (serialize-package-list field-name val)
+  #f)
+
+(define-configuration cups-configuration
+  (cups
+   (package cups)
+   "The CUPS package.")
+  (extensions
+   (package-list (list cups-filters))
+   "Drivers and other extensions to the CUPS package.")
+  (files-configuration
+   (files-configuration (files-configuration))
+   "Configuration of where to write logs, what directories to use for print
+spools, and related privileged configuration parameters.")
+  (access-log-level
+   (access-log-level 'actions)
+   "Specifies the logging level for the AccessLog file.  The @code{config}
+level logs when printers and classes are added, deleted, or modified and when
+configuration files are accessed or updated.  The @code{actions} level logs
+when print jobs are submitted, held, released, modified, or canceled, and any
+of the conditions for @code{config}.  The @code{all} level logs all
+requests.")
+  (auto-purge-jobs?
+   (boolean #f)
+   "Specifies whether to purge job history data automatically when it is no
+longer required for quotas.")
+  (browse-local-protocols
+   (browse-local-protocols 'dnssd)
+   "Specifies which protocols to use for local printer sharing.")
+  (browse-web-if?
+   (boolean #f)
+   "Specifies whether the CUPS web interface is advertised.")
+  (browsing?
+   (boolean #f)
+   "Specifies whether shared printers are advertised.")
+  (classification
+   (string "")
+   "Specifies the security classification of the server.
+Any valid banner name can be used, including \"classified\", \"confidential\",
+\"secret\", \"topsecret\", and \"unclassified\", or the banner can be omitted
+to disable secure printing functions.")
+  (classify-override?
+   (boolean #f)
+   "Specifies whether users may override the classification (cover page) of
+individual print jobs using the @code{job-sheets} option.")
+  (default-auth-type
+    (default-auth-type 'Basic)
+    "Specifies the default type of authentication to use.")
+  (default-encryption
+    (default-encryption 'Required)
+    "Specifies whether encryption will be used for authenticated requests.")
+  (default-language
+    (string "en")
+    "Specifies the default language to use for text and web content.")
+  (default-paper-size
+    (string "Auto")
+    "Specifies the default paper size for new print queues.  @samp{\"Auto\"}
+uses a locale-specific default, while @samp{\"None\"} specifies there is no
+default paper size.  Specific size names are typically @samp{\"Letter\"} or
+@samp{\"A4\"}.")
+  (default-policy
+    (string "default")
+    "Specifies the default access policy to use.")
+  (default-shared?
+    (boolean #t)
+    "Specifies whether local printers are shared by default.")
+  (dirty-clean-interval
+   (non-negative-integer 30)
+   "Specifies the delay for updating of configuration and state files, in
+seconds.  A value of 0 causes the update to happen as soon as possible,
+typically within a few milliseconds.")
+  (error-policy
+   (error-policy 'stop-printer)
+   "Specifies what to do when an error occurs.  Possible values are
+@code{abort-job}, which will discard the failed print job; @code{retry-job},
+which will retry the job at a later time; @code{retry-this-job}, which retries
+the failed job immediately; and @code{stop-printer}, which stops the
+printer.")
+  (filter-limit
+   (non-negative-integer 0)
+   "Specifies the maximum cost of filters that are run concurrently, which can
+be used to minimize disk, memory, and CPU resource problems.  A limit of 0
+disables filter limiting.  An average print to a non-PostScript printer needs
+a filter limit of about 200.  A PostScript printer needs about half
+that (100).  Setting the limit below these thresholds will effectively limit
+the scheduler to printing a single job at any time.")
+  (filter-nice
+   (non-negative-integer 0)
+   "Specifies the scheduling priority of filters that are run to print a job.
+The nice value ranges from 0, the highest priority, to 19, the lowest
+priority.")
+  ;; Add this option if the package is built with Kerberos support.
+  ;; (gss-service-name
+  ;;  (string "http")
+  ;;  "Specifies the service name when using Kerberos authentication.")
+  (host-name-lookups
+   (host-name-lookups #f)
+   "Specifies whether to do reverse lookups on connecting clients.
+The @code{double} setting causes @code{cupsd} to verify that the hostname
+resolved from the address matches one of the addresses returned for that
+hostname.  Double lookups also prevent clients with unregistered addresses
+from connecting to your server.  Only set this option to @code{#t} or
+@code{double} if absolutely required.")
+  ;; Add this option if the package is built with launchd/systemd support.
+  ;;   (idle-exit-timeout
+  ;;    (non-negative-integer 60)
+  ;;    "Specifies the length of time to wait before shutting down due to
+  ;; inactivity.  Note: Only applicable when @code{cupsd} is run on-demand
+  ;; (e.g., with @code{-l}).")
+  (job-kill-delay
+   (non-negative-integer 30)
+   "Specifies the number of seconds to wait before killing the filters and
+backend associated with a canceled or held job.")
+  (job-retry-interval
+   (non-negative-integer 30)
+   "Specifies the interval between retries of jobs in seconds.  This is
+typically used for fax queues but can also be used with normal print queues
+whose error policy is @code{retry-job} or @code{retry-current-job}.")
+  (job-retry-limit
+   (non-negative-integer 5)
+   "Specifies the number of retries that are done for jobs.  This is typically
+used for fax queues but can also be used with normal print queues whose error
+policy is @code{retry-job} or @code{retry-current-job}.")
+  (keep-alive?
+   (boolean #t)
+   "Specifies whether to support HTTP keep-alive connections.")
+  (keep-alive-timeout
+   (non-negative-integer 30)
+   "Specifies how long an idle client connection remains open, in seconds.")
+  (limit-request-body
+   (non-negative-integer 0)
+   "Specifies the maximum size of print files, IPP requests, and HTML form
+data.  A limit of 0 disables the limit check.")
+  (listen
+   (multiline-string-list '("localhost:631" "/var/run/cups/cups.sock"))
+   "Listens on the specified interfaces for connections.  Valid values are of
+the form @var{address}:@var{port}, where @var{address} is either an IPv6
+address enclosed in brackets, an IPv4 address, or @code{*} to indicate all
+addresses.  Values can also be file names of local UNIX domain sockets.  The
+Listen directive is similar to the Port directive but allows you to restrict
+access to specific interfaces or networks.")
+  (listen-back-log
+   (non-negative-integer 128)
+   "Specifies the number of pending connections that will be allowed.  This
+normally only affects very busy servers that have reached the MaxClients
+limit, but can also be triggered by large numbers of simultaneous connections.
+When the limit is reached, the operating system will refuse additional
+connections until the scheduler can accept the pending ones.")
+  (location-access-controls
+   (location-access-control-list
+    (list (location-access-control
+           (path "/")
+           (access-controls '("Order allow,deny"
+                              "Allow localhost")))
+          (location-access-control
+           (path "/admin")
+           (access-controls '("Order allow,deny"
+                              "Allow localhost")))
+          (location-access-control
+           (path "/admin/conf")
+           (access-controls '("Order allow,deny"
+                              "AuthType Basic"
+                              "Require user @SYSTEM"
+                              "Allow localhost")))))
+   "Specifies a set of additional access controls.")
+  (log-debug-history
+   (non-negative-integer 100)
+   "Specifies the number of debugging messages that are retained for logging
+if an error occurs in a print job.  Debug messages are logged regardless of
+the LogLevel setting.")
+  (log-level
+   (log-level 'info)
+   "Specifies the level of logging for the ErrorLog file.  The value
+@code{none} stops all logging while @code{debug2} logs everything.")
+  (log-time-format
+   (log-time-format 'standard)
+   "Specifies the format of the date and time in the log files.  The value
+@code{standard} logs whole seconds while @code{usecs} logs microseconds.")
+  (max-clients
+   (non-negative-integer 100)
+   "Specifies the maximum number of simultaneous clients that are allowed by
+the scheduler.")
+  (max-clients-per-host
+   (non-negative-integer 100)
+   "Specifies the maximum number of simultaneous clients that are allowed from
+a single address.")
+  (max-copies
+   (non-negative-integer 9999)
+   "Specifies the maximum number of copies that a user can print of each
+job.")
+  (max-hold-time
+   (non-negative-integer 0)
+   "Specifies the maximum time a job may remain in the @code{indefinite} hold
+state before it is canceled.  A value of 0 disables cancellation of held
+jobs.")
+  (max-jobs
+   (non-negative-integer 500)
+   "Specifies the maximum number of simultaneous jobs that are allowed.  Set
+to 0 to allow an unlimited number of jobs.")
+  (max-jobs-per-printer
+   (non-negative-integer 0)
+   "Specifies the maximum number of simultaneous jobs that are allowed per
+printer.  A value of 0 allows up to MaxJobs jobs per printer.")
+  (max-jobs-per-user
+   (non-negative-integer 0)
+   "Specifies the maximum number of simultaneous jobs that are allowed per
+user.  A value of 0 allows up to MaxJobs jobs per user.")
+  (max-job-time
+   (non-negative-integer 10800)
+   "Specifies the maximum time a job may take to print before it is canceled,
+in seconds.  Set to 0 to disable cancellation of \"stuck\" jobs.")
+  (max-log-size
+   (non-negative-integer 1048576)
+   "Specifies the maximum size of the log files before they are rotated, in
+bytes.  The value 0 disables log rotation.")
+  (multiple-operation-timeout
+   (non-negative-integer 300)
+   "Specifies the maximum amount of time to allow between files in a multiple
+file print job, in seconds.")
+  (page-log-format
+   (string "")
+   "Specifies the format of PageLog lines.  Sequences beginning with
+percent (@samp{%}) characters are replaced with the corresponding information,
+while all other characters are copied literally.  The following percent
+sequences are recognized:
+
+@table @samp
+@item %%
+insert a single percent character
+@item %@{name@}
+insert the value of the specified IPP attribute
+@item %C
+insert the number of copies for the current page
+@item %P
+insert the current page number
+@item %T
+insert the current date and time in common log format
+@item %j
+insert the job ID
+@item %p
+insert the printer name
+@item %u
+insert the username
+@end table
+
+A value of the empty string disables page logging.  The string @code{%p %u %j
+%T %P %C %@{job-billing@} %@{job-originating-host-name@} %@{job-name@}
+%@{media@} %@{sides@}} creates a page log with the standard items.")
+  (environment-variables
+   (environment-variables '())
+   "Passes the specified environment variable(s) to child processes; a list of
+strings.")
+  (policies
+   (policy-configuration-list
+    (list (policy-configuration
+           (name "default")
+           (access-controls
+            (list
+             (operation-access-control
+              (operations
+               '(Send-Document
+                 Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
+                 Cancel-Job Close-Job Cancel-My-Jobs Set-Job-Attributes
+                 Create-Job-Subscription Renew-Subscription
+                 Cancel-Subscription Get-Notifications
+                 Reprocess-Job Cancel-Current-Job Suspend-Current-Job
+                 Resume-Job CUPS-Move-Job Validate-Job
+                 CUPS-Get-Document))
+              (access-controls '("Require user @OWNER @SYSTEM"
+                                 "Order deny,allow")))
+             (operation-access-control
+              (operations
+               '(Pause-Printer
+                 Cancel-Jobs
+                 Resume-Printer Set-Printer-Attributes Enable-Printer
+                 Disable-Printer Pause-Printer-After-Current-Job
+                 Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer
+                 Activate-Printer Restart-Printer Shutdown-Printer
+                 Startup-Printer Promote-Job Schedule-Job-After
+                 CUPS-Authenticate-Job CUPS-Add-Printer
+                 CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
+                 CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default))
+              (access-controls '("AuthType Basic"
+                                 "Require user @SYSTEM"
+                                 "Order deny,allow")))
+             (operation-access-control
+              (operations '(All))
+              (access-controls '("Order deny,allow"))))))))
+   "Specifies named access control policies.")
+  #;
+  (port
+   (non-negative-integer 631)
+   "Listens to the specified port number for connections.")
+  (preserve-job-files
+   (boolean-or-non-negative-integer 86400)
+   "Specifies whether job files (documents) are preserved after a job is
+printed.  If a numeric value is specified, job files are preserved for the
+indicated number of seconds after printing.  Otherwise a boolean value applies
+indefinitely.")
+  (preserve-job-history
+   (boolean-or-non-negative-integer #t)
+   "Specifies whether the job history is preserved after a job is printed.
+If a numeric value is specified, the job history is preserved for the
+indicated number of seconds after printing.  If @code{#t}, the job history is
+preserved until the MaxJobs limit is reached.")
+  (reload-timeout
+   (non-negative-integer 30)
+   "Specifies the amount of time to wait for job completion before restarting
+the scheduler.")
+  (rip-cache
+   (string "128m")
+   "Specifies the maximum amount of memory to use when converting documents into bitmaps for a printer.")
+  (server-admin
+   (string "root@localhost.localdomain")
+   "Specifies the email address of the server administrator.")
+  (server-alias
+   (host-name-list-or-* '*)
+   "The ServerAlias directive is used for HTTP Host header validation when
+clients connect to the scheduler from external interfaces.  Using the special
+name @code{*} can expose your system to known browser-based DNS rebinding
+attacks, even when accessing sites through a firewall.  If the auto-discovery
+of alternate names does not work, we recommend listing each alternate name
+with a ServerAlias directive instead of using @code{*}.")
+  (server-name
+   (string "localhost")
+   "Specifies the fully-qualified host name of the server.")
+  (server-tokens
+   (server-tokens 'Minimal)
+   "Specifies what information is included in the Server header of HTTP
+responses.  @code{None} disables the Server header.  @code{ProductOnly}
+reports @code{CUPS}.  @code{Major} reports @code{CUPS 2}.  @code{Minor}
+reports @code{CUPS 2.0}.  @code{Minimal} reports @code{CUPS 2.0.0}.  @code{OS}
+reports @code{CUPS 2.0.0 (@var{uname})} where @var{uname} is the output of the
+@code{uname} command.  @code{Full} reports @code{CUPS 2.0.0 (@var{uname})
+IPP/2.0}.")
+  (set-env
+   (string "variable value")
+   "Set the specified environment variable to be passed to child processes.")
+  (ssl-listen
+   (multiline-string-list '())
+   "Listens on the specified interfaces for encrypted connections.  Valid
+values are of the form @var{address}:@var{port}, where @var{address} is either
+an IPv6 address enclosed in brackets, an IPv4 address, or @code{*} to indicate
+all addresses.")
+  (ssl-options
+   (ssl-options '())
+   "Sets encryption options.
+By default, CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites.  The @code{AllowRC4} option enables the 128-bit RC4
+cipher suites, which are required for some older clients that do not implement
+newer ones.  The @code{AllowSSL3} option enables SSL v3.0, which is required
+for some older clients that do not support TLS v1.0.")
+  #;
+  (ssl-port
+   (non-negative-integer 631)
+   "Listens on the specified port for encrypted connections.")
+  (strict-conformance?
+   (boolean #f)
+   "Specifies whether the scheduler requires clients to strictly adhere to the
+IPP specifications.")
+  (timeout
+   (non-negative-integer 300)
+   "Specifies the HTTP request timeout, in seconds.")
+  (web-interface?
+   (boolean #f)
+   "Specifies whether the web interface is enabled."))
+
+(define-configuration opaque-cups-configuration
+  (cups
+   (package cups)
+   "The CUPS package.")
+  (extensions
+   (package-list '())
+   "Drivers and other extensions to the CUPS package.")
+  (cupsd.conf
+   (string (cups-configuration-missing-field 'opaque-cups-configuration
+                                             'cupsd.conf))
+   "The contents of the @code{cupsd.conf} to use.")
+  (cups-files.conf
+   (string (cups-configuration-missing-field 'opaque-cups-configuration
+                                             'cups-files.conf))
+   "The contents of the @code{cups-files.conf} to use."))
+
+(define %cups-activation
+  ;; Activation gexp.
+  (with-imported-modules '((guix build utils))
+    #~(begin
+        (define (mkdir-p/perms directory owner perms)
+          (mkdir-p directory)
+          (chown "/var/run/cups" (passwd:uid owner) (passwd:gid owner))
+          (chmod directory perms))
+        (define (build-subject parameters)
+          (string-concatenate
+           (map (lambda (pair)
+                  (let ((k (car pair)) (v (cdr pair)))
+                    (define (escape-char str chr)
+                      (string-join (string-split str chr) (string #\\ chr)))
+                    (string-append "/" k "="
+                                   (escape-char (escape-char v #\=) #\/))))
+                (filter (lambda (pair) (cdr pair)) parameters))))
+        (define* (create-self-signed-certificate-if-absent
+                  #:key private-key public-key (owner (getpwnam "root"))
+                  (common-name (gethostname))
+                  (organization-name "GuixSD")
+                  (organization-unit-name "Default Self-Signed Certificate")
+                  (subject-parameters `(("CN" . ,common-name)
+                                        ("O" . ,organization-name)
+                                        ("OU" . ,organization-unit-name)))
+                  (subject (build-subject subject-parameters)))
+          ;; Note that by default, OpenSSL outputs keys in PEM format.  This
+          ;; is what we want.
+          (unless (file-exists? private-key)
+            (cond
+             ((zero? (system* (string-append #$openssl "/bin/openssl")
+                              "genrsa" "-out" private-key "2048"))
+              (chown private-key (passwd:uid owner) (passwd:gid owner))
+              (chmod private-key #o400))
+             (else
+              (format (current-error-port)
+                      "Failed to create private key at ~a.\n" private-key))))
+          (unless (file-exists? public-key)
+            (cond
+             ((zero? (system* (string-append #$openssl "/bin/openssl")
+                              "req" "-new" "-x509" "-key" private-key
+                              "-out" public-key "-days" "3650"
+                              "-batch" "-subj" subject))
+              (chown public-key (passwd:uid owner) (passwd:gid owner))
+              (chmod public-key #o444))
+             (else
+              (format (current-error-port)
+                      "Failed to create public key at ~a.\n" public-key)))))
+        (let ((user (getpwnam "lp")))
+          (mkdir-p/perms "/var/run/cups" user #o755)
+          (mkdir-p/perms "/var/spool/cups" user #o755)
+          (mkdir-p/perms "/var/spool/cups/tmp" user #o755)
+          (mkdir-p/perms "/var/log/cups" user #o755)
+          (mkdir-p/perms "/etc/cups" user #o755)
+          (mkdir-p/perms "/etc/cups/ssl" user #o700)
+          ;; This certificate is used for HTTPS connections to the CUPS web
+          ;; interface.
+          (create-self-signed-certificate-if-absent
+           #:private-key "/etc/cups/ssl/localhost.key"
+           #:public-key "/etc/cups/ssl/localhost.crt"
+           #:owner (getpwnam "root")
+           #:common-name (format #f "CUPS service on ~a" (gethostname)))))))
+
+(define (union-directory name packages paths)
+  (computed-file
+   name
+   (with-imported-modules '((guix build utils))
+     #~(begin
+         (use-modules (guix build utils)
+                      (srfi srfi-1))
+         (mkdir #$output)
+         (for-each
+          (lambda (package)
+            (for-each
+             (lambda (path)
+               (for-each
+                (lambda (src)
+                  (let* ((tail (substring src (string-length package)))
+                         (dst (string-append #$output tail)))
+                    (mkdir-p (dirname dst))
+                    ;; CUPS currently symlinks in some data from cups-filters
+                    ;; to its output dir.  Probably we should stop doing this
+                    ;; and instead rely only on the CUPS service to union the
+                    ;; relevant set of CUPS packages.
+                    (if (file-exists? dst)
+                        (format (current-error-port) "warning: ~a exists\n" dst)
+                        (symlink src dst))))
+                (find-files (string-append package path))))
+             (list #$@paths)))
+          (list #$@packages))
+         #t))))
+
+(define (cups-server-bin-directory extensions)
+  "Return the CUPS ServerBin directory, containing binaries for CUPS and all
+extensions that it uses."
+  (union-directory "cups-server-bin" extensions
+                   ;; /bin
+                   '("/lib/cups" "/share/ppd" "/share/cups")))
+
+(define (cups-shepherd-service config)
+  "Return a list of <shepherd-service> for CONFIG."
+  (let* ((cupsd.conf-str
+          (cond
+           ((opaque-cups-configuration? config)
+            (opaque-cups-configuration-cupsd.conf config))
+           (else
+            (with-output-to-string
+              (lambda ()
+                (serialize-configuration config
+                                         cups-configuration-fields))))))
+         (cups-files.conf-str
+          (cond
+           ((opaque-cups-configuration? config)
+            (opaque-cups-configuration-cups-files.conf config))
+           (else
+            (with-output-to-string
+              (lambda ()
+                (serialize-configuration
+                 (cups-configuration-files-configuration config)
+                 files-configuration-fields))))))
+         (cups (if (opaque-cups-configuration? config)
+                   (opaque-cups-configuration-cups config)
+                   (cups-configuration-cups config)))
+         (server-bin
+          (cups-server-bin-directory
+           (cons cups
+                 (cond
+                  ((opaque-cups-configuration? config)
+                   (opaque-cups-configuration-extensions config))
+                  (else
+                   (cups-configuration-extensions config))))))
+         ;;"SetEnv PATH " server-bin "/bin" "\n"
+         (cupsd.conf
+          (plain-file "cupsd.conf" cupsd.conf-str))
+         (cups-files.conf
+          (mixed-text-file
+           "cups-files.conf"
+           cups-files.conf-str
+           "CacheDir /var/cache/cups\n"
+           "StateDir /var/run/cups\n"
+           "DataDir " server-bin "/share/cups" "\n"
+           "ServerBin " server-bin "/lib/cups" "\n")))
+    (list (shepherd-service
+           (documentation "Run the CUPS print server.")
+           (provision '(cups))
+           (requirement '(networking))
+           (start #~(make-forkexec-constructor
+                     (list (string-append #$cups "/sbin/cupsd")
+                           "-f" "-c" #$cupsd.conf "-s" #$cups-files.conf)))
+           (stop #~(make-kill-destructor))))))
+
+(define cups-service-type
+  (service-type (name 'cups)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          cups-shepherd-service)
+                       (service-extension activation-service-type
+                                          (const %cups-activation))
+                       (service-extension account-service-type
+                                          (const %cups-accounts))))
+
+                ;; Extensions consist of lists of packages (representing CUPS
+                ;; drivers, etc) that we just concatenate.
+                (compose append)
+
+                ;; Add extension packages by augmenting the cups-configuration
+                ;; 'extensions' field.
+                (extend
+                 (lambda (config extensions)
+                   (cond
+                    ((cups-configuration? config)
+                     (cups-configuration
+                      (inherit config)
+                      (extensions
+                       (append (cups-configuration-extensions config)
+                               extensions))))
+                    (else
+                     (opaque-cups-configuration
+                      (inherit config)
+                      (extensions
+                       (append (opaque-cups-configuration-extensions config)
+                               extensions)))))))))
+
+;; A little helper to make it easier to document all those fields.
+(define (generate-documentation)
+  (define documentation
+    `((cups-configuration
+       ,cups-configuration-fields
+       (files-configuration files-configuration)
+       (policies policy-configuration)
+       (location-access-controls location-access-controls))
+      (files-configuration ,files-configuration-fields)
+      (policy-configuration
+       ,policy-configuration-fields
+       (operation-access-controls operation-access-controls))
+      (location-access-controls
+       ,location-access-control-fields
+       (method-access-controls method-access-controls))
+      (operation-access-controls ,operation-access-control-fields)
+      (method-access-controls ,method-access-control-fields)))
+  (define (str x) (object->string x))
+  (define (generate configuration-name)
+    (match (assq-ref documentation configuration-name)
+      ((fields . sub-documentation)
+       `((para "Available " (code ,(str configuration-name)) " fields are:")
+         ,@(map
+            (lambda (f)
+              (let ((field-name (configuration-field-name f))
+                    (field-type (configuration-field-type f))
+                    (field-docs (cdr (texi-fragment->stexi
+                                      (configuration-field-documentation f))))
+                    (default (catch #t
+                               (configuration-field-default-value-thunk f)
+                               (lambda _ '%invalid))))
+                (define (show-default? val)
+                  (or (string? default) (number? default) (boolean? default)
+                      (and (symbol? val) (not (eq? val '%invalid)))
+                      (and (list? val) (and-map show-default? val))))
+                `(deftypevr (% (category
+                                (code ,(str configuration-name)) " parameter")
+                               (data-type ,(str field-type))
+                               (name ,(str field-name)))
+                   ,@field-docs
+                   ,@(if (show-default? default)
+                         `((para "Defaults to " (samp ,(str default)) "."))
+                         '())
+                   ,@(append-map
+                      generate
+                      (or (assq-ref sub-documentation field-name) '())))))
+            fields)))))
+  (stexi->texi `(*fragment* . ,(generate 'cups-configuration))))
diff --git a/gnu/system.scm b/gnu/system.scm
index 38ae8f1771..43117b1714 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -562,12 +562,7 @@ use 'plain-file' instead~%")
 
     ;; By default, applications that use D-Bus, such as Emacs, abort at startup
     ;; when /etc/machine-id is missing.  Make sure these warnings are non-fatal.
-    ("DBUS_FATAL_WARNINGS" . "0")
-
-    ;; XXX: Normally we wouldn't need to do this, but our glibc@2.23 package
-    ;; looks things up in 'PREFIX/lib/locale' instead of
-    ;; '/run/current-system/locale' as was intended.
-    ("GUIX_LOCPATH" . "/run/current-system/locale")))
+    ("DBUS_FATAL_WARNINGS" . "0")))
 
 (define %setuid-programs
   ;; Default set of setuid-root programs.
diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
index 34edff7f40..1dfd85450c 100644
--- a/guix/build/gnu-build-system.scm
+++ b/guix/build/gnu-build-system.scm
@@ -172,22 +172,23 @@ files such as `.in' templates.  Most scripts honor $SHELL and
 $CONFIG_SHELL, but some don't, such as `mkinstalldirs' or Automake's
 `missing' script."
   (for-each patch-shebang
-            (remove (lambda (file)
-                      (or (not (file-exists? file)) ;dangling symlink
-                          (file-is-directory? file)))
-                    (find-files "."))))
+            (find-files "."
+                        (lambda (file stat)
+                          ;; Filter out symlinks.
+                          (eq? 'regular (stat:type stat)))
+                        #:stat lstat)))
 
 (define (patch-generated-file-shebangs . rest)
   "Patch shebangs in generated files, including `SHELL' variables in
 makefiles."
-  ;; Patch executable files, some of which might have been generated by
-  ;; `configure'.
+  ;; Patch executable regular files, some of which might have been generated
+  ;; by `configure'.
   (for-each patch-shebang
-            (filter (lambda (file)
-                      (and (file-exists? file)
-                           (executable-file? file)
-                           (not (file-is-directory? file))))
-                    (find-files ".")))
+            (find-files "."
+                        (lambda (file stat)
+                          (and (eq? 'regular (stat:type stat))
+                               (not (zero? (logand (stat:mode stat) #o100)))))
+                        #:stat lstat))
 
   ;; Patch `SHELL' in generated makefiles.
   (for-each patch-makefile-SHELL (find-files "." "^(GNU)?[mM]akefile$")))
@@ -386,26 +387,17 @@ makefiles."
     (when debug-output
       (format #t "debugging output written to ~s using ~s~%"
               debug-output objcopy-command))
-    (file-system-fold (const #t)
-                      (lambda (path stat result)  ; leaf
-                        (and (file-exists? path)  ;discard dangling symlinks
-                             (or (elf-file? path) (ar-file? path))
-                             (or (not debug-output)
-                                 (make-debug-file path))
-                             (zero? (apply system* strip-command
-                                           (append strip-flags (list path))))
-                             (or (not debug-output)
-                                 (add-debug-link path))))
-                      (const #t)                  ; down
-                      (const #t)                  ; up
-                      (const #t)                  ; skip
-                      (lambda (path stat errno result)
-                        (format (current-error-port)
-                                "strip: failed to access `~a': ~a~%"
-                                path (strerror errno))
-                        #f)
-                      #t
-                      dir))
+
+    (for-each (lambda (file)
+                (and (file-exists? file)          ;discard dangling symlinks
+                     (or (elf-file? file) (ar-file? file))
+                     (or (not debug-output)
+                         (make-debug-file file))
+                     (zero? (apply system* strip-command
+                                   (append strip-flags (list file))))
+                     (or (not debug-output)
+                         (add-debug-link file))))
+              (find-files dir)))
 
   (or (not strip-binaries?)
       (every strip-dir
@@ -552,6 +544,47 @@ DOCUMENTATION-COMPRESSOR-FLAGS."
             outputs)
   #t)
 
+
+(define* (patch-dot-desktop-files #:key outputs inputs #:allow-other-keys)
+  "Replace any references to executables in '.desktop' files with their
+absolute file names."
+  (define bin-directories
+    (append-map (match-lambda
+                  ((_ . directory)
+                   (list (string-append directory "/bin")
+                         (string-append directory "/sbin"))))
+                outputs))
+
+  (define (which program)
+    (or (search-path bin-directories program)
+        (begin
+          (format (current-error-port)
+                  "warning: '.desktop' file refers to '~a', \
+which cannot be found~%"
+                  program)
+          program)))
+
+  (for-each (match-lambda
+              ((_ . directory)
+               (let ((applications (string-append directory
+                                                  "/share/applications")))
+                 (when (directory-exists? applications)
+                   (let ((files (find-files applications "\\.desktop$")))
+                     (format #t "adjusting ~a '.desktop' files in ~s~%"
+                             (length files) applications)
+
+                     ;; '.desktop' files contain translations and are always
+                     ;; UTF-8-encoded.
+                     (with-fluids ((%default-port-encoding "UTF-8"))
+                       (substitute* files
+                         (("^Exec=([^/[:blank:]\r\n]*)(.*)$" _ binary rest)
+                          (string-append "Exec=" (which binary) rest))
+                         (("^TryExec=([^/[:blank:]\r\n]*)(.*)$" _ binary rest)
+                          (string-append "TryExec="
+                                         (which binary) rest)))))))))
+            outputs)
+  #t)
+
 (define %standard-phases
   ;; Standard build phases, as a list of symbol/procedure pairs.
   (let-syntax ((phases (syntax-rules ()
@@ -564,6 +597,7 @@ DOCUMENTATION-COMPRESSOR-FLAGS."
             validate-runpath
             validate-documentation-location
             delete-info-dir-file
+            patch-dot-desktop-files
             compress-documentation)))
 
 
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index 2988193fce..bc6f114152 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
@@ -518,8 +518,8 @@ following forms:
   (add-before <old-phase-name> <new-phase-name> <new-phase>)
   (add-after <old-phase-name> <new-phase-name> <new-phase>)
 
-Where every <*-phase-name> is an automatically quoted symbol, and <new-phase>
-an expression evaluating to a procedure."
+Where every <*-phase-name> is an expression evaluating to a symbol, and
+<new-phase> an expression evaluating to a procedure."
   (let* ((phases* phases)
          (phases* (%modify-phases phases* mod-spec))
          ...)
@@ -944,64 +944,76 @@ This is useful for scripts that expect particular programs to be in $PATH, for
 programs that expect particular shared libraries to be in $LD_LIBRARY_PATH, or
 modules in $GUILE_LOAD_PATH, etc.
 
-If PROG has previously been wrapped by wrap-program the wrapper will point to
-the previous wrapper."
-  (define (wrapper-file-name number)
-    (format #f "~a/.~a-wrap-~2'0d" (dirname prog) (basename prog) number))
-  (define (next-wrapper-number)
-    (let ((wrappers
-           (find-files (dirname prog)
-                       (string-append "\\." (basename prog) "-wrap-.*"))))
-      (if (null? wrappers)
-          0
-          (string->number (string-take-right (last wrappers) 2)))))
-  (define (wrapper-target number)
-    (if (zero? number)
-        (let ((prog-real (string-append (dirname prog) "/."
-                                        (basename prog) "-real")))
-          (rename-file prog prog-real)
-          prog-real)
-        (wrapper-file-name number)))
-
-  (let* ((number   (next-wrapper-number))
-         (target   (wrapper-target number))
-         (wrapper  (wrapper-file-name (1+ number)))
-         (prog-tmp (string-append target "-tmp")))
-    (define (export-variable lst)
-      ;; Return a string that exports an environment variable.
-      (match lst
-        ((var sep '= rest)
-         (format #f "export ~a=\"~a\""
-                 var (string-join rest sep)))
-        ((var sep 'prefix rest)
-         (format #f "export ~a=\"~a${~a~a+~a}$~a\""
-                 var (string-join rest sep) var sep sep var))
-        ((var sep 'suffix rest)
-         (format #f "export ~a=\"$~a${~a~a+~a}~a\""
-                 var var var sep sep (string-join rest sep)))
-        ((var '= rest)
-         (format #f "export ~a=\"~a\""
-                 var (string-join rest ":")))
-        ((var 'prefix rest)
-         (format #f "export ~a=\"~a${~a:+:}$~a\""
-                 var (string-join rest ":") var var))
-        ((var 'suffix rest)
-         (format #f "export ~a=\"$~a${~a:+:}~a\""
-                 var var var (string-join rest ":")))))
-
-    (with-output-to-file prog-tmp
-      (lambda ()
-        (format #t
-                "#!~a~%~a~%exec -a \"$0\" \"~a\" \"$@\"~%"
-                (which "bash")
-                (string-join (map export-variable vars)
-                             "\n")
-                (canonicalize-path target))))
-
-    (chmod prog-tmp #o755)
-    (rename-file prog-tmp wrapper)
-    (symlink wrapper prog-tmp)
-    (rename-file prog-tmp prog)))
+If PROG has previously been wrapped by 'wrap-program', the wrapper is extended
+with definitions for VARS."
+  (define wrapped-file
+    (string-append (dirname prog) "/." (basename prog) "-real"))
+
+  (define already-wrapped?
+    (file-exists? wrapped-file))
+
+  (define (last-line port)
+    ;; Return the last line read from PORT and leave PORT's cursor right
+    ;; before it.
+    (let loop ((previous-line-offset 0)
+               (previous-line "")
+               (position (seek port 0 SEEK_CUR)))
+      (match (read-line port 'concat)
+        ((? eof-object?)
+         (seek port previous-line-offset SEEK_SET)
+         previous-line)
+        ((? string? line)
+         (loop position line (+ (string-length line) position))))))
+
+  (define (export-variable lst)
+    ;; Return a string that exports an environment variable.
+    (match lst
+      ((var sep '= rest)
+       (format #f "export ~a=\"~a\""
+               var (string-join rest sep)))
+      ((var sep 'prefix rest)
+       (format #f "export ~a=\"~a${~a~a+~a}$~a\""
+               var (string-join rest sep) var sep sep var))
+      ((var sep 'suffix rest)
+       (format #f "export ~a=\"$~a${~a~a+~a}~a\""
+               var var var sep sep (string-join rest sep)))
+      ((var '= rest)
+       (format #f "export ~a=\"~a\""
+               var (string-join rest ":")))
+      ((var 'prefix rest)
+       (format #f "export ~a=\"~a${~a:+:}$~a\""
+               var (string-join rest ":") var var))
+      ((var 'suffix rest)
+       (format #f "export ~a=\"$~a${~a:+:}~a\""
+               var var var (string-join rest ":")))))
+
+  (if already-wrapped?
+
+      ;; PROG is already a wrapper: add the new "export VAR=VALUE" lines just
+      ;; before the last line.
+      (let* ((port (open-file prog "r+"))
+             (last (last-line port)))
+        (for-each (lambda (var)
+                    (display (export-variable var) port)
+                    (newline port))
+                  vars)
+        (display last port)
+        (close-port port))
+
+      ;; PROG is not wrapped yet: create a shell script that sets VARS.
+      (let ((prog-tmp (string-append wrapped-file "-tmp")))
+        (link prog wrapped-file)
+
+        (call-with-output-file prog-tmp
+          (lambda (port)
+            (format port
+                    "#!~a~%~a~%exec -a \"$0\" \"~a\" \"$@\"~%"
+                    (which "bash")
+                    (string-join (map export-variable vars) "\n")
+                    (canonicalize-path wrapped-file))))
+
+        (chmod prog-tmp #o755)
+        (rename-file prog-tmp prog))))
 
 
 ;;;
diff --git a/guix/packages.scm b/guix/packages.scm
index a3fab4dc13..beb958f156 100644
--- a/guix/packages.scm
+++ b/guix/packages.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2016 Alex Kost <alezost@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -493,9 +494,11 @@ specifies modules in scope when evaluating SNIPPET."
               (format (current-error-port) "applying '~a'...~%" patch)
 
               ;; Use '--force' so that patches that do not apply perfectly are
-              ;; rejected.
+              ;; rejected.  Use '--no-backup-if-mismatch' to prevent making
+              ;; "*.orig" file if a patch is applied with offset.
               (zero? (system* (string-append #+patch "/bin/patch")
-                              "--force" #+@flags "--input" patch)))
+                              "--force" "--no-backup-if-mismatch"
+                              #+@flags "--input" patch)))
 
             (define (first-file directory)
               ;; Return the name of the first file in DIRECTORY.
diff --git a/guix/profiles.scm b/guix/profiles.scm
index e7319a8a10..d162f6241b 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -680,7 +680,18 @@ MANIFEST.  Single-file bundles are required by programs such as Git and Lynx."
 (define (gtk-icon-themes manifest)
   "Return a derivation that unions all icon themes from manifest entries and
 creates the GTK+ 'icon-theme.cache' file for each theme."
-  (mlet %store-monad ((gtk+ (manifest-lookup-package manifest "gtk+")))
+  (define gtk+  ; lazy reference
+    (module-ref (resolve-interface '(gnu packages gtk)) 'gtk+))
+
+  (mlet %store-monad ((%gtk+ (manifest-lookup-package manifest "gtk+"))
+                      ;; XXX: Can't use gtk-update-icon-cache corresponding
+                      ;; to the gtk+ referenced by 'manifest'.  Because
+                      ;; '%gtk+' can be either a package or store path, and
+                      ;; there's no way to get the "bin" output for the later.
+                      (gtk-update-icon-cache
+                       -> #~(string-append #+gtk+:bin
+                                           "/bin/gtk-update-icon-cache")))
+
     (define build
       (with-imported-modules '((guix build utils)
                                (guix build union)
@@ -697,9 +708,7 @@ creates the GTK+ 'icon-theme.cache' file for each theme."
             (let* ((destdir  (string-append #$output "/share/icons"))
                    (icondirs (filter file-exists?
                                      (map (cut string-append <> "/share/icons")
-                                          '#$(manifest-inputs manifest))))
-                   (update-icon-cache (string-append
-                                       #+gtk+ "/bin/gtk-update-icon-cache")))
+                                          '#$(manifest-inputs manifest)))))
 
               ;; Union all the icons.
               (mkdir-p (string-append #$output "/share"))
@@ -714,11 +723,11 @@ creates the GTK+ 'icon-theme.cache' file for each theme."
                    ;; "abiword_48.png".  Ignore these.
                    (when (file-is-directory? dir)
                      (ensure-writable-directory dir)
-                     (system* update-icon-cache "-t" dir "--quiet"))))
+                     (system* #+gtk-update-icon-cache "-t" dir "--quiet"))))
                (scandir destdir (negate (cut member <> '("." "..")))))))))
 
     ;; Don't run the hook when there's nothing to do.
-    (if gtk+
+    (if %gtk+
         (gexp->derivation "gtk-icon-themes" build
                           #:local-build? #t
                           #:substitutable? #f)
diff --git a/m4/guix.m4 b/m4/guix.m4
index 949ae4ca7c..6d8ec2e4e0 100644
--- a/m4/guix.m4
+++ b/m4/guix.m4
@@ -74,6 +74,9 @@ AC_DEFUN([GUIX_SYSTEM_TYPE], [
        linux-gnu*)
 	  # For backward compatibility, strip the `-gnu' part.
 	  guix_system="$machine_name-linux";;
+       gnu*)
+          # Always use i586 for GNU/Hurd.
+          guix_system="i586-gnu";;
        *)
 	  # Strip the version number from names such as `gnu0.3',
 	  # `darwin10.2.0', etc.
diff --git a/tests/build-utils.scm b/tests/build-utils.scm
index cc96738e36..7d49446f66 100644
--- a/tests/build-utils.scm
+++ b/tests/build-utils.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -19,12 +19,9 @@
 
 (define-module (test-build-utils)
   #:use-module (guix tests)
-  #:use-module (guix store)
-  #:use-module (guix derivations)
   #:use-module (guix build utils)
-  #:use-module (guix packages)
-  #:use-module (guix build-system)
-  #:use-module (guix build-system trivial)
+  #:use-module ((guix utils)
+                #:select (%current-system call-with-temporary-directory))
   #:use-module (gnu packages)
   #:use-module (gnu packages bootstrap)
   #:use-module (srfi srfi-34)
@@ -32,9 +29,6 @@
   #:use-module (rnrs io ports)
   #:use-module (ice-9 popen))
 
-(define %store
-  (open-connection-for-tests))
-
 
 (test-begin "build-utils")
 
@@ -95,49 +89,37 @@
                           port
                           cons)))))
 
-(test-assert "wrap-program, one input, multiple calls"
-  (let* ((p (package
-              (name "test-wrap-program") (version "0") (source #f)
-              (synopsis #f) (description #f) (license #f) (home-page #f)
-              (build-system trivial-build-system)
-              (arguments
-               `(#:guile ,%bootstrap-guile
-                 #:modules ((guix build utils))
-                 #:builder
-                 (let* ((out  (assoc-ref %outputs "out"))
-                        (bash (assoc-ref %build-inputs "bash"))
-                        (foo  (string-append out "/foo")))
-                   (begin
-                     (use-modules (guix build utils))
-                     (mkdir out)
-                     (call-with-output-file foo
-                       (lambda (p)
-                         (format p
-                                 "#!~a~%echo \"${GUIX_FOO} ${GUIX_BAR}\"~%"
-                                 bash)))
-                     (chmod foo #o777)
-                     ;; wrap-program uses `which' to find bash for the wrapper
-                     ;; shebang, but it can't know about the bootstrap bash in
-                     ;; the store, since it's not named "bash".  Help it out a
-                     ;; bit by providing a symlink it this package's output.
-                     (symlink bash (string-append out "/bash"))
-                     (setenv "PATH" out)
-                     (wrap-program foo `("GUIX_FOO" prefix ("hello")))
-                     (wrap-program foo `("GUIX_BAR" prefix ("world")))
-                     #t))))
-              (inputs `(("bash" ,(search-bootstrap-binary "bash"
-                                                          (%current-system)))))))
-         (d (package-derivation %store p)))
-
-    ;; The bootstrap Bash is linked against an old libc and would abort with
-    ;; an assertion failure when trying to load incompatible locale data.
-    (unsetenv "LOCPATH")
-
-    (and (build-derivations %store (pk 'drv d (list d)))
-         (let* ((p    (derivation->output-path d))
-                (foo  (string-append p "/foo"))
-                (pipe (open-input-pipe foo))
-                (str  (get-string-all pipe)))
-           (equal? str "hello world\n")))))
+(test-equal "wrap-program, one input, multiple calls"
+  "hello world\n"
+  (call-with-temporary-directory
+   (lambda (directory)
+     (let ((bash (search-bootstrap-binary "bash" (%current-system)))
+           (foo  (string-append directory "/foo")))
+
+       (call-with-output-file foo
+         (lambda (p)
+           (format p
+                   "#!~a~%echo \"${GUIX_FOO} ${GUIX_BAR}\"~%"
+                   bash)))
+       (chmod foo #o777)
+
+       ;; wrap-program uses `which' to find bash for the wrapper shebang, but
+       ;; it can't know about the bootstrap bash in the store, since it's not
+       ;; named "bash".  Help it out a bit by providing a symlink it this
+       ;; package's output.
+       (setenv "PATH" (dirname bash))
+       (wrap-program foo `("GUIX_FOO" prefix ("hello")))
+       (wrap-program foo `("GUIX_BAR" prefix ("world")))
+
+       ;; The bootstrap Bash is linked against an old libc and would abort with
+       ;; an assertion failure when trying to load incompatible locale data.
+       (unsetenv "LOCPATH")
+
+       (let* ((pipe (open-input-pipe foo))
+              (str  (get-string-all pipe)))
+         (with-directory-excursion directory
+           (for-each delete-file '("foo" ".foo-real")))
+         (and (zero? (close-pipe pipe))
+              str))))))
 
 (test-end)