summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am1
-rw-r--r--build-aux/download.scm20
-rw-r--r--build-aux/hydra/gnu-system.scm2
-rw-r--r--doc/guix.texi7
-rw-r--r--gnu/build/activation.scm5
-rw-r--r--gnu/local.mk56
-rw-r--r--gnu/packages/admin.scm9
-rw-r--r--gnu/packages/attr.scm2
-rw-r--r--gnu/packages/autotools.scm37
-rw-r--r--gnu/packages/avahi.scm4
-rw-r--r--gnu/packages/backup.scm9
-rw-r--r--gnu/packages/base.scm99
-rw-r--r--gnu/packages/bash.scm65
-rw-r--r--gnu/packages/bdw-gc.scm36
-rw-r--r--gnu/packages/boost.scm4
-rw-r--r--gnu/packages/bootloaders.scm6
-rw-r--r--gnu/packages/bootstrap.scm35
-rwxr-xr-xgnu/packages/bootstrap/aarch64-linux/bashbin0 -> 1162056 bytes
-rwxr-xr-xgnu/packages/bootstrap/aarch64-linux/mkdirbin0 -> 558216 bytes
-rwxr-xr-xgnu/packages/bootstrap/aarch64-linux/tarbin0 -> 1085128 bytes
-rwxr-xr-xgnu/packages/bootstrap/aarch64-linux/xzbin0 -> 738576 bytes
-rw-r--r--gnu/packages/cmake.scm52
-rw-r--r--gnu/packages/commencement.scm56
-rw-r--r--gnu/packages/compression.scm34
-rw-r--r--gnu/packages/cross-base.scm2
-rw-r--r--gnu/packages/cups.scm26
-rw-r--r--gnu/packages/curl.scm20
-rw-r--r--gnu/packages/cyrus-sasl.scm9
-rw-r--r--gnu/packages/databases.scm86
-rw-r--r--gnu/packages/documentation.scm18
-rw-r--r--gnu/packages/ed.scm9
-rw-r--r--gnu/packages/elf.scm28
-rw-r--r--gnu/packages/flex.scm64
-rw-r--r--gnu/packages/fontutils.scm20
-rw-r--r--gnu/packages/freedesktop.scm14
-rw-r--r--gnu/packages/gawk.scm2
-rw-r--r--gnu/packages/gcc.scm45
-rw-r--r--gnu/packages/gd.scm55
-rw-r--r--gnu/packages/ghostscript.scm50
-rw-r--r--gnu/packages/gl.scm42
-rw-r--r--gnu/packages/glib.scm4
-rw-r--r--gnu/packages/gnupg.scm8
-rw-r--r--gnu/packages/gperf.scm4
-rw-r--r--gnu/packages/gtk.scm14
-rw-r--r--gnu/packages/guile.scm18
-rw-r--r--gnu/packages/icu4c.scm25
-rw-r--r--gnu/packages/image.scm93
-rw-r--r--gnu/packages/kde-frameworks.scm12
-rw-r--r--gnu/packages/kerberos.scm6
-rw-r--r--gnu/packages/libevent.scm6
-rw-r--r--gnu/packages/libunistring.scm11
-rw-r--r--gnu/packages/linux.scm66
-rw-r--r--gnu/packages/m4.scm8
-rw-r--r--gnu/packages/make-bootstrap.scm18
-rw-r--r--gnu/packages/multiprecision.scm8
-rw-r--r--gnu/packages/ncurses.scm23
-rw-r--r--gnu/packages/nettle.scm6
-rw-r--r--gnu/packages/patches/alsa-lib-mips-atomic-fix.patch42
-rw-r--r--gnu/packages/patches/coreutils-fix-cross-compilation.patch15
-rw-r--r--gnu/packages/patches/eudev-conflicting-declaration.patch31
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch82
-rw-r--r--gnu/packages/patches/fontconfig-path-max.patch124
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-1.patch190
-rw-r--r--gnu/packages/patches/gcc-5-source-date-epoch-2.patch353
-rw-r--r--gnu/packages/patches/gcc-libiberty-printf-decl.patch28
-rw-r--r--gnu/packages/patches/gd-CVE-2016-7568.patch44
-rw-r--r--gnu/packages/patches/gd-CVE-2016-8670.patch38
-rw-r--r--gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch102
-rw-r--r--gnu/packages/patches/gd-fix-truecolor-format-correction.patch95
-rw-r--r--gnu/packages/patches/gd-freetype-test-failure.patch59
-rw-r--r--gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch121
-rw-r--r--gnu/packages/patches/gdk-pixbuf-list-dir.patch35
-rw-r--r--gnu/packages/patches/glibc-bootstrap-system.patch2
-rw-r--r--gnu/packages/patches/guile-repl-server-test.patch48
-rw-r--r--gnu/packages/patches/lcms-CVE-2016-10165.patch (renamed from gnu/packages/patches/lcms-fix-out-of-bounds-read.patch)4
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
-rw-r--r--gnu/packages/patches/libarchive-fix-filesystem-attacks.patch445
-rw-r--r--gnu/packages/patches/libarchive-fix-symlink-check.patch60
-rw-r--r--gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch44
-rw-r--r--gnu/packages/patches/libdrm-symbol-check.patch27
-rw-r--r--gnu/packages/patches/libepoxy-gl-null-checks.patch54
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch (renamed from gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch)5
-rw-r--r--gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch (renamed from gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch)5
-rw-r--r--gnu/packages/patches/libpng-CVE-2016-10087.patch37
-rw-r--r--gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch33
-rw-r--r--gnu/packages/patches/libxcb-python-3.5-compat.patch64
-rw-r--r--gnu/packages/patches/pcre-CVE-2016-3191.patch151
-rw-r--r--gnu/packages/patches/sed-hurd-path-max.patch34
-rw-r--r--gnu/packages/patches/tar-CVE-2016-6321.patch51
-rw-r--r--gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch33
-rw-r--r--gnu/packages/patches/tcsh-fix-autotest.patch113
-rw-r--r--gnu/packages/patches/xcb-proto-python3-print.patch75
-rw-r--r--gnu/packages/patches/xcb-proto-python3-whitespace.patch217
-rw-r--r--gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch46
-rw-r--r--gnu/packages/pcre.scm5
-rw-r--r--gnu/packages/pdf.scm23
-rw-r--r--gnu/packages/php.scm29
-rw-r--r--gnu/packages/pkg-config.scm6
-rw-r--r--gnu/packages/pth.scm10
-rw-r--r--gnu/packages/pulseaudio.scm9
-rw-r--r--gnu/packages/python.scm6
-rw-r--r--gnu/packages/shells.scm73
-rw-r--r--gnu/packages/ssh.scm14
-rw-r--r--gnu/packages/tcl.scm8
-rw-r--r--gnu/packages/tls.scm62
-rw-r--r--gnu/packages/version-control.scm3
-rw-r--r--gnu/packages/video.scm9
-rw-r--r--gnu/packages/xdisorg.scm16
-rw-r--r--gnu/packages/xiph.scm8
-rw-r--r--gnu/packages/xml.scm25
-rw-r--r--gnu/packages/xorg.scm123
-rw-r--r--guix/build/gnu-build-system.scm34
-rw-r--r--guix/build/make-bootstrap.scm2
-rw-r--r--guix/build/perl-build-system.scm6
-rw-r--r--guix/build/profiles.scm24
-rw-r--r--guix/build/utils.scm44
-rw-r--r--guix/scripts/package.scm2
-rw-r--r--guix/search-paths.scm28
-rw-r--r--m4/guix.m43
-rw-r--r--tests/guix-package-net.sh4
-rw-r--r--tests/packages.scm51
-rw-r--r--tests/search-paths.scm48
124 files changed, 2763 insertions, 2290 deletions
diff --git a/Makefile.am b/Makefile.am
index ec1bd2eb8b..cda49bd9ec 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -280,6 +280,7 @@ SCM_TESTS =					\
   tests/nar.scm					\
   tests/union.scm				\
   tests/profiles.scm				\
+  tests/search-paths.scm			\
   tests/syscalls.scm				\
   tests/gremlin.scm				\
   tests/bournish.scm				\
diff --git a/build-aux/download.scm b/build-aux/download.scm
index 1e91e4b87c..e0b40e6f26 100644
--- a/build-aux/download.scm
+++ b/build-aux/download.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,13 +46,18 @@
   "Return the URI for FILE."
   (match (string-tokenize file (char-set-complement (char-set #\/)))
     ((_ ... system basename)
-     (string->uri (string-append %url-base "/" system
-                                 (match system
-                                   ("armhf-linux"
-                                    "/20150101/")
-                                   (_
-                                    "/20131110/"))
-                                 basename)))))
+     (string->uri
+       (match system
+        ("aarch64-linux"
+         (string-append "http://flashner.co.il/guix/bootstrap/aarch64-linux"
+                        "/20170217/" basename))
+        (_ (string-append %url-base "/" system
+                          (match system
+                                 ("armhf-linux"
+                                  "/20150101/")
+                                 (_
+                                  "/20131110/"))
+                          basename)))))))
 
 (match (command-line)
   ((_ file expected-hash)
diff --git a/build-aux/hydra/gnu-system.scm b/build-aux/hydra/gnu-system.scm
index 04a9d0508a..a4893f198c 100644
--- a/build-aux/hydra/gnu-system.scm
+++ b/build-aux/hydra/gnu-system.scm
@@ -124,6 +124,8 @@ SYSTEM."
     "mips64el-linux-gnuabi64"
     "arm-linux-gnueabihf"
     "aarch64-linux-gnu"
+    "powerpc-linux-gnu"
+    "i586-pc-gnu"                                 ;aka. GNU/Hurd
     "i686-w64-mingw32"))
 
 (define %guixsd-supported-systems
diff --git a/doc/guix.texi b/doc/guix.texi
index 732f4312a4..a537433bf6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -24,7 +24,7 @@ Copyright @copyright{} 2015, 2016, 2017 Leo Famulari@*
 Copyright @copyright{} 2015, 2016 Ricardo Wurmus@*
 Copyright @copyright{} 2016 Ben Woodcroft@*
 Copyright @copyright{} 2016 Chris Marusich@*
-Copyright @copyright{} 2016 Efraim Flashner@*
+Copyright @copyright{} 2016, 2017 Efraim Flashner@*
 Copyright @copyright{} 2016 John Darrington@*
 Copyright @copyright{} 2016 ng0@*
 Copyright @copyright{} 2016 Jan Nieuwenhuizen@*
@@ -6717,6 +6717,11 @@ ARMv7-A architecture with hard float, Thumb-2 and NEON,
 using the EABI hard-float application binary interface (ABI),
 and Linux-Libre kernel.
 
+@item aarch64-linux
+little-endian 64-bit ARMv8-A processors, Linux-Libre kernel.  This is
+currently in an experimental stage, with limited support.  See
+@xref{Contributing}, for how to help!
+
 @item mips64el-linux
 little-endian 64-bit MIPS processors, specifically the Loongson series,
 n32 ABI, and Linux-Libre kernel.
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index c4ed40e0de..beee56d437 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -79,11 +79,6 @@
 (define (dot-or-dot-dot? file)
   (member file '("." "..")))
 
-(define (make-file-writable file)
-  "Make FILE writable for its owner.."
-  (let ((stat (lstat file)))                      ;XXX: symlinks
-    (chmod file (logior #o600 (stat:perms stat)))))
-
 (define* (copy-account-skeletons home
                                  #:key
                                  (directory %skeleton-directory)
diff --git a/gnu/local.mk b/gnu/local.mk
index cbd61e0972..3356c9e34c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -9,6 +9,8 @@
 # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
 # Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 # Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
+# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>
+# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 #
 # This file is part of GNU Guix.
 #
@@ -479,7 +481,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/aegis-test-fixup-1.patch            	\
   %D%/packages/patches/aegis-test-fixup-2.patch            	\
   %D%/packages/patches/agg-am_c_prototype.patch			\
-  %D%/packages/patches/alsa-lib-mips-atomic-fix.patch		\
   %D%/packages/patches/antiword-CVE-2014-8123.patch			\
   %D%/packages/patches/apr-skip-getservbyname-test.patch	\
   %D%/packages/patches/artanis-fix-Makefile.in.patch		\
@@ -512,6 +513,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clx-remove-demo.patch			\
   %D%/packages/patches/cmake-fix-tests.patch			\
   %D%/packages/patches/coda-use-system-libs.patch		\
+  %D%/packages/patches/coreutils-fix-cross-compilation.patch    \
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
   %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
@@ -538,6 +540,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/emacs-scheme-complete-scheme-r5rs-info.patch	\
   %D%/packages/patches/emacs-source-date-epoch.patch		\
   %D%/packages/patches/eudev-rules-directory.patch		\
+  %D%/packages/patches/eudev-conflicting-declaration.patch	\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
   %D%/packages/patches/expat-CVE-2016-0718-fix-regression.patch	\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
@@ -551,10 +554,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/fcgi-2.4.0-poll.patch			\
   %D%/packages/patches/findutils-localstatedir.patch		\
   %D%/packages/patches/findutils-test-xargs.patch		\
-  %D%/packages/patches/flex-CVE-2016-6354.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
+  %D%/packages/patches/fontconfig-charwidth-symbol-conflict.patch	\
+  %D%/packages/patches/fontconfig-path-max.patch		\
   %D%/packages/patches/fontforge-svg-modtime.patch		\
   %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
@@ -562,19 +566,21 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-arm-bug-71399.patch			\
   %D%/packages/patches/gcc-arm-link-spec-fix.patch		\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
+  %D%/packages/patches/gcc-libiberty-printf-decl.patch		\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-4.9.3-mingw-gthr-default.patch	\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
+  %D%/packages/patches/gcc-5-source-date-epoch-1.patch		\
+  %D%/packages/patches/gcc-5-source-date-epoch-2.patch		\
   %D%/packages/patches/gcc-6-arm-none-eabi-multilib.patch	\
   %D%/packages/patches/gcc-6-cross-environment-variables.patch	\
   %D%/packages/patches/gcj-arm-mode.patch			\
-  %D%/packages/patches/gd-CVE-2016-7568.patch			\
-  %D%/packages/patches/gd-CVE-2016-8670.patch			\
-  %D%/packages/patches/gd-fix-chunk-size-on-boundaries.patch	\
+  %D%/packages/patches/gdk-pixbuf-list-dir.patch		\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
-  %D%/packages/patches/gd-fix-truecolor-format-correction.patch	\
+  %D%/packages/patches/gd-freetype-test-failure.patch		\
+  %D%/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch	\
@@ -611,7 +617,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/guile-linux-syscalls.patch		\
   %D%/packages/patches/guile-present-coding.patch		\
   %D%/packages/patches/guile-relocatable.patch			\
-  %D%/packages/patches/guile-repl-server-test.patch		\
   %D%/packages/patches/guile-rsvg-pkgconfig.patch		\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch	\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_IM_MODULE_FILE.patch \
@@ -658,7 +663,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/kobodeluxe-midicon-segmentation-fault.patch	\
   %D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch	\
   %D%/packages/patches/laby-make-install.patch			\
-  %D%/packages/patches/lcms-fix-out-of-bounds-read.patch	\
+  %D%/packages/patches/lcms-CVE-2016-10165.patch		\
   %D%/packages/patches/ldc-disable-tests.patch			\
   %D%/packages/patches/ldc-1.1.0-disable-dmd-tests.patch	\
   %D%/packages/patches/ldc-1.1.0-disable-phobos-tests.patch	\
@@ -666,19 +671,14 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
-  %D%/packages/patches/libarchive-7zip-heap-overflow.patch	\
-  %D%/packages/patches/libarchive-fix-symlink-check.patch	\
-  %D%/packages/patches/libarchive-fix-filesystem-attacks.patch	\
-  %D%/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch	\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcmis-fix-test-onedrive.patch		\
   %D%/packages/patches/libdrm-symbol-check.patch		\
-  %D%/packages/patches/libepoxy-gl-null-checks.patch		\
   %D%/packages/patches/libevent-dns-tests.patch			\
-  %D%/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch	\
-  %D%/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch	\
-  %D%/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch	\
+  %D%/packages/patches/libevent-2.0-CVE-2016-10195.patch	\
+  %D%/packages/patches/libevent-2.0-CVE-2016-10196.patch	\
+  %D%/packages/patches/libevent-2.0-CVE-2016-10197.patch	\
   %D%/packages/patches/libevent-2.1-dns-tests.patch		\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libextractor-ffmpeg-3.patch		\
@@ -691,7 +691,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmad-armv7-thumb-pt2.patch		\
   %D%/packages/patches/libmad-frame-length.patch		\
   %D%/packages/patches/libmad-mips-newgcc.patch			\
-  %D%/packages/patches/libpng-CVE-2016-10087.patch		\
+  %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch \
   %D%/packages/patches/libtheora-config-guess.patch		\
   %D%/packages/patches/libtiff-CVE-2016-10092.patch		\
@@ -726,6 +726,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
+  %D%/packages/patches/libxcb-python-3.5-compat.patch		\
   %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
   %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
@@ -810,7 +811,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
-  %D%/packages/patches/pcre-CVE-2016-3191.patch			\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -898,7 +898,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-puma-ignore-broken-test.patch       \
   %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
   %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
-  %D%/packages/patches/sed-hurd-path-max.patch			\
   %D%/packages/patches/scheme48-tests.patch			\
   %D%/packages/patches/scotch-test-threading.patch		\
   %D%/packages/patches/sdl-libx11-1.6.patch			\
@@ -925,10 +924,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch		\
+  %D%/packages/patches/tar-CVE-2016-6321.patch			\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
-  %D%/packages/patches/tcsh-do-not-define-BSDWAIT.patch		\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
@@ -979,8 +978,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/wordnet-CVE-2008-2149.patch			\
   %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch			\
   %D%/packages/patches/wordnet-CVE-2008-3908-pt2.patch			\
+  %D%/packages/patches/xcb-proto-python3-print.patch		\
+  %D%/packages/patches/xcb-proto-python3-whitespace.patch	\
   %D%/packages/patches/wxwidgets-fix-windowGTK.patch		\
   %D%/packages/patches/xdotool-fix-makefile.patch               \
+  %D%/packages/patches/xf86-input-wacom-xorg-abi-25.patch	\
   %D%/packages/patches/xf86-video-ark-remove-mibstore.patch	\
   %D%/packages/patches/xf86-video-ast-remove-mibstore.patch	\
   %D%/packages/patches/xf86-video-geode-glibc-2.20.patch	\
@@ -1005,6 +1007,7 @@ bootstrapdir = $(guilemoduledir)/%D%/packages/bootstrap
 bootstrap_x86_64_linuxdir = $(bootstrapdir)/x86_64-linux
 bootstrap_i686_linuxdir = $(bootstrapdir)/i686-linux
 bootstrap_armhf_linuxdir = $(bootstrapdir)/armhf-linux
+bootstrap_aarch64_linuxdir = $(bootstrapdir)/aarch64-linux
 bootstrap_mips64el_linuxdir = $(bootstrapdir)/mips64el-linux
 
 dist_bootstrap_x86_64_linux_DATA =		\
@@ -1025,6 +1028,12 @@ dist_bootstrap_armhf_linux_DATA =		\
   %D%/packages/bootstrap/armhf-linux/tar	\
   %D%/packages/bootstrap/armhf-linux/xz
 
+dist_bootstrap_aarch64_linux_DATA =		\
+  %D%/packages/bootstrap/aarch64-linux/bash	\
+  %D%/packages/bootstrap/aarch64-linux/mkdir	\
+  %D%/packages/bootstrap/aarch64-linux/tar	\
+  %D%/packages/bootstrap/aarch64-linux/xz
+
 dist_bootstrap_mips64el_linux_DATA =		\
   %D%/packages/bootstrap/mips64el-linux/bash	\
   %D%/packages/bootstrap/mips64el-linux/mkdir	\
@@ -1039,6 +1048,8 @@ nodist_bootstrap_i686_linux_DATA =					\
   %D%/packages/bootstrap/i686-linux/guile-2.0.9.tar.xz
 nodist_bootstrap_armhf_linux_DATA =					\
   %D%/packages/bootstrap/armhf-linux/guile-2.0.11.tar.xz
+nodist_bootstrap_aarch64_linux_DATA =					\
+  %D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz
 nodist_bootstrap_mips64el_linux_DATA =					\
   %D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz
 
@@ -1051,6 +1062,7 @@ DISTCLEANFILES =				\
   $(nodist_bootstrap_x86_64_linux_DATA)		\
   $(nodist_bootstrap_i686_linux_DATA)		\
   $(nodist_bootstrap_armhf_linux_DATA)		\
+  $(nodist_bootstrap_aarch64_linux_DATA)		\
   $(nodist_bootstrap_mips64el_linux_DATA)
 
 # Method to download a file from an external source.
@@ -1071,6 +1083,10 @@ DOWNLOAD_FILE =								\
 	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
 	$(DOWNLOAD_FILE) "$@"			\
 	  "e551d05d4d385d6706ab8d574856a087758294dc90ab4c06e70a157a685e23d6"
+%D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz:
+	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
+	$(DOWNLOAD_FILE) "$@"			\
+	  "3939909f24dcb955621aa7f81ecde6844bea8a083969c2d275c55699af123ebe"
 %D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz:
 	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
 	$(DOWNLOAD_FILE) "$@" 			\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index e7364f6e53..3d9226299b 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -112,20 +112,23 @@ usual file attributes can be checked for inconsistencies.")
 (define-public progress
   (package
     (name "progress")
-    (version "0.13")
+    (version "0.13.1")
     (source (origin
       (method url-fetch)
       (uri (string-append "https://github.com/Xfennec/"
                           name "/archive/v" version ".tar.gz"))
       (sha256
-       (base32 "133iar4vq5vlklydb4cyazjy6slmpbndrws474mg738bd8avc30n"))
+       (base32 "199rk6608q9m6l0fbjm0xl2w1c5krf8245dqnksdp4rqp7l9ak06"))
       (file-name (string-append name "-" version ".tar.gz"))))
     (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("which" ,which)))
     (inputs
      `(("ncurses" ,ncurses)))
     (arguments
      `(#:tests? #f ; There is no test suite.
-       #:make-flags (list "CC=gcc" "LDFLAGS+=-lncurses"
+       #:make-flags (list "CC=gcc"
                           (string-append "PREFIX=" (assoc-ref %outputs "out")))
        #:phases
        (modify-phases %standard-phases
diff --git a/gnu/packages/attr.scm b/gnu/packages/attr.scm
index 907a568bdd..4dbe09ceca 100644
--- a/gnu/packages/attr.scm
+++ b/gnu/packages/attr.scm
@@ -54,7 +54,7 @@
              ;; Use the right shell.
              (substitute* "test/run"
                (("/bin/sh")
-                (which "bash")))
+                (which "sh")))
 
              ;; When building natively, run the tests.
              (unless target
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 72492e70eb..442c87c1f1 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2014 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
+;;; Copyright © 2017 ng0 <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bash)
   #:use-module (guix utils)
   #:use-module (guix packages)
@@ -300,6 +302,7 @@ Makefile, simplifying the entire process for the developer.")
     (propagated-inputs `(("m4" ,m4)))
     (native-inputs `(("m4" ,m4)
                      ("perl" ,perl)
+                     ("help2man" ,help2man) ;because we modify ltmain.sh
                      ("automake" ,automake)      ;some tests rely on 'aclocal'
                      ("autoconf" ,(autoconf-wrapper)))) ;others on 'autom4te'
 
@@ -313,21 +316,27 @@ Makefile, simplifying the entire process for the developer.")
                                       (or (%current-target-system)
                                           (%current-system))))
 
-       #:phases (alist-cons-before
-                 'check 'pre-check
-                 (lambda* (#:key inputs #:allow-other-keys)
-                   ;; Run the test suite in parallel, if possible.
-                   (setenv "TESTSUITEFLAGS"
-                           (string-append
-                            "-j"
-                            (number->string (parallel-job-count))))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'pre-check
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; Run the test suite in parallel, if possible.
+             (setenv "TESTSUITEFLAGS"
+                     (string-append
+                      "-j"
+                      (number->string (parallel-job-count))))
+           ;; Patch references to /bin/sh.
+           (let ((bash (assoc-ref inputs "bash")))
+             (substitute* "tests/testsuite"
+               (("/bin/sh")
+                (string-append bash "/bin/sh")))
+             #t)))
+         (add-after 'patch-source-shebangs 'restore-ltmain-shebang
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "build-aux/ltmain.in"
+               (("^#!.*/bin/sh$") "#!/bin/sh"))
+             #t)))))
 
-                   ;; Path references to /bin/sh.
-                   (let ((bash (assoc-ref inputs "bash")))
-                     (substitute* "tests/testsuite"
-                       (("/bin/sh")
-                        (string-append bash "/bin/bash")))))
-                 %standard-phases)))
     (synopsis "Generic shared library support tools")
     (description
      "GNU Libtool helps in the creation and use of shared libraries, by
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index 5740ab2ff8..73e63ab0dc 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -25,6 +25,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages libdaemon)
+  #:use-module (gnu packages linux)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages xml))
@@ -59,6 +60,7 @@
        ("glib" ,glib)
        ("dbus" ,dbus)
        ("gdbm" ,gdbm)
+       ("libcap" ,libcap)            ;to enable chroot support in avahi-daemon
        ("libdaemon" ,libdaemon)))
     (native-inputs
      `(("intltool" ,intltool)
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 8eaab8a871..923b0ba9ed 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -185,20 +185,15 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (version "3.2.1")
+    (version "3.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches
-                  "libarchive-7zip-heap-overflow.patch"
-                  "libarchive-fix-symlink-check.patch"
-                  "libarchive-fix-filesystem-attacks.patch"
-                  "libarchive-safe_fprintf-buffer-overflow.patch"))
        (sha256
         (base32
-         "1lngng84k1kkljl74q0cdqc3s82vn2kimfm02dgm4d6m7x71mvkj"))))
+         "03q6y428rg723c9fj1vidzjw46w1vf8z0h95lkvz1l9jw571j739"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index c75e038289..c452385a90 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
@@ -78,14 +78,14 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.25")
+   (version "3.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0c38b67cnwchwzv4wq2gpz6smkhdxrac2hhssv8f0l04qnx867p2"))
+              "1dcasjp3a578nrvzrcn38mpizb8w1q6mvfzhjmcqqgkf0nsivj72"))
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
@@ -118,30 +118,36 @@ including, for example, recursive directory searching.")
 (define-public sed
   (package
    (name "sed")
-   (version "4.2.2")
+   (version "4.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/sed/sed-" version
-                                ".tar.bz2"))
+                                ".tar.xz"))
             (sha256
              (base32
-              "1myvrmh99jsvk7v3d7crm0gcrq51hmmm1r2kjyyci152in1x2j7h"))
-            (patches (search-patches "sed-hurd-path-max.patch"))))
+              "0fv88bcnraixc8jvpacvxshi30p5x9m7yb8ns1hfv07hmb2ypmnb"))))
    (build-system gnu-build-system)
    (synopsis "Stream editor")
    (arguments
-    (if (%current-target-system)
-        '()
-        `(#:phases (alist-cons-before
-                    'patch-source-shebangs 'patch-test-suite
-                    (lambda* (#:key inputs #:allow-other-keys)
-                      (let ((bash (assoc-ref inputs "bash")))
-                        (patch-makefile-SHELL "testsuite/Makefile.tests")
-                        (substitute* '("testsuite/bsd.sh"
-                                       "testsuite/bug-regex9.c")
-                          (("/bin/sh")
-                           (string-append bash "/bin/bash")))))
-                    %standard-phases))))
+    `(#:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'dont-rebuild-sed.1
+          (lambda _
+            ;; Make sure we do not attempt to rebuild 'doc/sed.1', which does
+            ;; not work when cross-compiling because we cannot run 'sed'.
+            ;; This is fixed upstream as commit a0a25e3.
+            (substitute* "Makefile.in"
+              (("^doc/sed\\.1:.*")
+               "doc/sed.1:\n"))
+            #t))
+        (add-before 'patch-source-shebangs 'patch-test-suite
+          (lambda* (#:key inputs #:allow-other-keys)
+            (patch-makefile-SHELL "testsuite/Makefile.tests")
+            (substitute* '("testsuite/bsd.sh"
+                           "testsuite/bug-regex9.c")
+              (("/bin/sh")
+               (which "sh")))
+            #t)))))
    (description
     "Sed is a non-interactive, text stream editor.  It receives a text
 input from a file or from standard input and it then applies a series of text
@@ -149,7 +155,7 @@ editing commands to the stream and prints its output to standard output.  It
 is often used for substituting text patterns in a stream.  The GNU
 implementation offers several extensions over the standard utility.")
    (license gpl3+)
-   (home-page "http://www.gnu.org/software/sed/")))
+   (home-page "https://www.gnu.org/software/sed/")))
 
 (define-public tar
   (package
@@ -162,7 +168,8 @@ implementation offers several extensions over the standard utility.")
             (sha256
              (base32
               "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
+            (patches (search-patches "tar-CVE-2016-6321.patch"
+                                     "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
    ;; Note: test suite requires ~1GiB of disk space.
    (arguments
@@ -277,14 +284,15 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.25")
+   (version "8.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"))))
+              "13lspazc7xkviy93qz7ks9jv4sldvgmwpq36ghrbrqpq93br8phm"))
+            (patches (search-patches "coreutils-fix-cross-compilation.patch"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -305,6 +313,7 @@ used to apply commands with arbitrarily long arguments.")
    (outputs '("out" "debug"))
    (arguments
     `(#:parallel-build? #f            ; help2man may be called too early
+      #:parallel-tests? #f            ; race condition fixed after 8.26
       #:phases (alist-cons-before
                 'build 'patch-shell-references
                 (lambda* (#:key inputs #:allow-other-keys)
@@ -362,7 +371,7 @@ functionality beyond that which is outlined in the POSIX standard.")
             (let ((bash (assoc-ref inputs "bash")))
               (substitute* "job.c"
                 (("default_shell =.*$")
-                 (format #f "default_shell = \"~a/bin/bash\";\n"
+                 (format #f "default_shell = \"~a/bin/sh\";\n"
                          bash)))))))))
    (synopsis "Remake files automatically")
    (description
@@ -501,14 +510,14 @@ store.")
 (define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.24")
+   (version "2.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+              "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -619,14 +628,14 @@ store.")
                       ;; Same for `popen'.
                       (substitute* "libio/iopopen.c"
                         (("/bin/sh")
-                         (string-append bash "/bin/bash")))
+                         (string-append bash "/bin/sh")))
 
                       ;; Same for the shell used by the 'exec' functions for
                       ;; scripts that lack a shebang.
                       (substitute* (find-files "." "^paths\\.h$")
                         (("#define[[:blank:]]+_PATH_BSHELL[[:blank:]].*$")
                          (string-append "#define _PATH_BSHELL \""
-                                        bash "/bin/bash\"\n")))
+                                        bash "/bin/sh\"\n")))
 
                       ;; Nscd uses __DATE__ and __TIME__ to create a string to
                       ;; make sure the client and server come from the same
@@ -715,7 +724,21 @@ with the Linux kernel.")
              ;; Use the right 'pwd'.
              (substitute* "configure"
                (("/bin/pwd") "pwd")))
-          ,original-phases)))
+           (alist-replace
+            'build
+            (lambda _
+              ;; Force mach/hurd/libpthread subdirs to build first in order to avoid
+              ;; linking errors.
+              ;; See <https://lists.gnu.org/archive/html/bug-hurd/2016-11/msg00045.html>
+              (let ((-j (list "-j" (number->string (parallel-job-count)))))
+                (let-syntax ((make (syntax-rules ()
+                                     ((_ target)
+                                      (zero? (apply system* "make" target -j))))))
+                  (and (make "mach/subdir_lib")
+                       (make "hurd/subdir_lib")
+                       (make "libpthread/subdir_lib")
+                       (zero? (apply system* "make" -j))))))
+            ,original-phases))))
         ((#:configure-flags original-configure-flags)
         `(append (list "--host=i586-pc-gnu"
 
@@ -750,6 +773,18 @@ GLIBC/HURD for a Hurd host"
 ;; Below are old libc versions, which we use mostly to build locale data in
 ;; the old format (which the new libc cannot cope with.)
 
+(define-public glibc-2.24
+  (package
+    (inherit glibc)
+    (version "2.24")
+    (source (origin
+              (inherit (package-source glibc))
+              (uri (string-append "mirror://gnu/glibc/glibc-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+
 (define-public glibc-2.23
   (package
     (inherit glibc)
@@ -943,7 +978,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2016j")
+    (version "2017a")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -951,7 +986,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "1j4xycpwhs57qnkcxwh3np8wnf3km69n3cf4w6p2yv2z247lxvpm"))))
+               "1mmv4rvcs12lrvgghw4fidczvb69yv69cmzknghcvw1c196mqfnz"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -999,7 +1034,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "1dxhrk4z0n2di8p0yd6q00pa6bwyz5xqbrfbasiz8785ni7zrvxr"))))))
+                            "1b1q7gnlsh5hjgs5065pvajd37rmbc3k9b8cgzad1vcrifswdwh2"))))))
     (home-page "https://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index 388f5271c1..24afd66825 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -1,7 +1,8 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -58,7 +59,19 @@
 (define %patch-series-4.4
   ;; This is the current patches series for 4.4, generated using
   ;; 'download-patches' below.
-  (patch-series))
+  (patch-series
+   (1 "03vzy7qwjdd5qvl3ydg99naazas2qmyd0yhnrflgjbbm64axja1y")
+   (2 "0lrwq6vyqism3yqv9s7kzaf3dsl4q5w9r5svcqz279qp7qca083h")
+   (3 "1chqww2rj6g42b8s60q5zlzy0jzp684jkpsbrbfy1vzxja8mmpsi")
+   (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
+   (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")
+   (6 "1f24wgqngmj2mrj9yibwvc2zvlmn5xi53mnw777g3l40c4m2x3ka")
+   (7 "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y") ;CVE-2017-5932
+   (8 "1firw915mjm03hbbw9a70ch3cpgrgnvqjpllgdnn6csr8q04f546")
+   (9 "0g1l56kvw61rpw7dqa9fcl9llkl693h73g631hrhxlm030ddssqb")
+   (10 "01lfhrkdsdkdz8ypzapr614ras23x7ckjnr60aa5bzkaqprccrc4")
+   (11 "038p7mhnq9m65g505hi3827jkf9f35nd1cy00w8mwafpyxp44mnx")
+   (12 "0gh6lbb1rwpk44pvbamm6vzdfi50xnwkqd9v7s8cjwk3pz973hps")))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
@@ -99,7 +112,6 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
          (version "4.4"))
     (package
      (name "bash")
-     (replacement bash/fixed)
      (source (origin
               (method url-fetch)
               (uri (string-append
@@ -164,6 +176,13 @@ number/base32-hash tuples, directly usable in the 'patch-series' form."
                 (rename-file (string-append out "/lib/pkgconfig")
                              (string-append include
                                             "/lib/pkgconfig"))
+
+                ;; Don't capture the absolute file name of 'install' to avoid
+                ;; retaining a dependency on Coreutils.
+                (substitute* (string-append (lib include)
+                                            "/Makefile.inc")
+                  (("^INSTALL =.*")
+                   "INSTALL = install -c\n"))
                 #t))))))
 
      (native-search-paths
@@ -186,7 +205,6 @@ without modification.")
   ;; A stripped-down Bash for non-interactive use.
   (package (inherit bash)
     (name "bash-minimal")
-    (replacement #f) ;not vulnerable to CVE-2017-5932 since it lacks completion
     (inputs '())                                ; no readline, no curses
 
     ;; No "include" output because there's no support for loadable modules.
@@ -242,45 +260,6 @@ without modification.")
                    (delete-file-recursively (string-append out "/share"))
                    #t))))))))))
 
-(define* (url-fetch/reset-patch-level url hash-algo hash
-                                      #:optional name
-                                      #:key (system (%current-system)))
-  "Fetch the Bash patch from URL and reset its 'PATCHLEVEL' definition so it
-can apply to a patch-level 0 Bash."
-  ;; Note: Forcefully use %BOOTSTRAP-GUILE here to work around bootstrapping
-  ;; issues when using a daemon that lacks the "download" built-in.  See
-  ;; <https://bugs.gnu.org/25775>.
-  (mlet* %store-monad ((name -> (or name (basename url)))
-                       (patch (url-fetch url hash-algo hash
-                                         (string-append name ".orig")
-                                         #:system system
-                                         #:guile %bootstrap-guile)))
-    (gexp->derivation name
-                      (with-imported-modules '((guix build utils))
-                        #~(begin
-                            (use-modules (guix build utils))
-                            (copy-file #$patch #$output)
-                            (substitute* #$output
-                              (("PATCHLEVEL [0-6]+")
-                               "PATCHLEVEL 0"))))
-                      #:system system)))
-
-(define bash/fixed                        ;CVE-2017-5932 (RCE with completion)
-  (package
-    (inherit bash)
-    (version "4.4.A")                             ;4.4.0 + patch #7
-    (replacement #f)
-    (source
-     (origin
-       (inherit (package-source bash))
-       (patches (cons (origin
-                        (method url-fetch/reset-patch-level)
-                        (uri (patch-url 7))
-                        (sha256
-                         (base32
-                          "1bzdsnqaf05gdbqpsixhan8vygjxpcxlz1dd8d9f5jdznw3wq76y")))
-                      (origin-patches (package-source bash))))))))
-
 (define-public bash-completion
   (package
     (name "bash-completion")
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index 992a11bac0..b9732374d7 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,24 +25,23 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages pkg-config))
 
-(define-public libgc-7.2
+(define-public libgc
   (package
    (name "libgc")
-   (version "7.2f")
+   (version "7.6.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "119x7p1cqw40mpwj80xfq879l9m1dkc7vbc1f3bz3kvkf8bf6p16"))))
+              "143x7g0d0k6250ai6m2x3l4y352mzizi4wbgrmahxscv2aqjhjm1"))))
    (build-system gnu-build-system)
    (arguments
-    ;; Make it so that we don't rely on /proc.  This is especially useful in
-    ;; an initrd run before /proc is mounted.
-    '(#:configure-flags '("CPPFLAGS=-DUSE_LIBC_PRIVATES"
-                          ;; Install gc_cpp.h et al.
+    '(#:configure-flags '(;; Install gc_cpp.h et al.
                           "--enable-cplusplus")))
+   (native-inputs `(("pkg-config" ,pkg-config)))
+   (inputs `(("libatomic-ops" ,libatomic-ops)))
    (outputs '("out" "debug"))
    (synopsis "The Boehm-Demers-Weiser conservative garbage collector
 for C and C++")
@@ -67,7 +67,7 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.4.2")
+    (version "7.4.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -75,7 +75,7 @@ C or C++ programs, though that is not its primary goal.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "1pdm0h1y7bgkczr8byg20r6bq15m5072cqm5pny4f9crc9gn3yh4"))))
+                "13vg5fqwil17zpf4hj4h8rh3blzmym693lkdjgvwpgni1mh0l8dz"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
@@ -88,21 +88,3 @@ lock-free code, experiment with thread programming paradigms, etc.")
 
     ;; Some source files are X11-style, others are GPLv2+.
     (license gpl2+)))
-
-(define-public libgc
-  (package (inherit libgc-7.2)
-    (version "7.4.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
-                                  version ".tar.gz"))
-              (sha256
-               (base32
-                "18mg28rr6kwr5clc65k4l4hkyy4kd16amx831sjf8q2lqkbhlck3"))))
-
-    ;; New dependencies.
-    (native-inputs `(("pkg-config" ,pkg-config)))
-    (inputs `(("libatomic-ops" ,libatomic-ops)))
-
-    ;; 'USE_LIBC_PRIVATES' is now the default.
-    (arguments '(#:configure-flags '("--enable-cplusplus")))))
diff --git a/gnu/packages/boost.scm b/gnu/packages/boost.scm
index e6abf4d5e3..b3fccdf2eb 100644
--- a/gnu/packages/boost.scm
+++ b/gnu/packages/boost.scm
@@ -34,7 +34,7 @@
 (define-public boost
   (package
     (name "boost")
-    (version "1.61.0")
+    (version "1.63.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -43,7 +43,7 @@
                     ".tar.bz2"))
               (sha256
                (base32
-                "0h5nk7pgxf7xsvvshj9qfpsfp9wx6gq9r78n3nx736pxq83bsix5"))))
+                "1c5kzhcqahnic55dxcnw7r80qvwx5sfa2sa97yzv7xjrywljbbmy"))))
     (build-system gnu-build-system)
     (inputs `(("zlib" ,zlib)))
     (native-inputs
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 16cb7b4c0b..86a776910a 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -27,7 +27,6 @@
   #:use-module (gnu packages admin)
   #:use-module ((gnu packages algebra) #:select (bc))
   #:use-module (gnu packages assembly)
-  #:use-module (gnu packages flex)
   #:use-module (gnu packages disk)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages cdrom)
@@ -115,7 +114,10 @@
     (native-inputs
      `(("unifont" ,unifont)
        ("bison" ,bison)
-       ("flex" ,flex)
+       ;; Due to a bug in flex >= 2.6.2, GRUB must be built with an older flex:
+       ;; <http://lists.gnu.org/archive/html/grub-devel/2017-02/msg00133.html>
+       ;; TODO Try building with flex > 2.6.3.
+       ("flex" ,flex-2.6.1)
        ("texinfo" ,texinfo)
        ("help2man" ,help2man)
 
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index b4847094ba..048fe26f1a 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,6 +29,7 @@
   #:use-module ((guix store) #:select (add-to-store add-text-to-store))
   #:use-module ((guix derivations) #:select (derivation))
   #:use-module ((guix utils) #:select (gnu-triplet->nix-system))
+  #:use-module ((guix build utils) #:select (elf-file?))
   #:use-module (guix memoization)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
@@ -167,6 +169,7 @@ successful, or false to signal an error."
         ((string=? system "i586-gnu") "/lib/ld.so.1")
         ((string=? system "i686-gnu") "/lib/ld.so.1")
         ((string=? system "aarch64-linux") "/lib/ld-linux-aarch64.so.1")
+        ((string=? system "powerpc-linux") "/lib/ld.so.1")
         ((string=? system "alpha-linux") "/lib/ld-linux.so.2")
 
         ;; XXX: This one is used bare-bones, without a libc, so add a case
@@ -202,6 +205,8 @@ successful, or false to signal an error."
          (guile (->store (match system
                            ("armhf-linux"
                             "guile-2.0.11.tar.xz")
+                           ("aarch64-linux"
+                            "guile-2.0.14.tar.xz")
                            (_
                             "guile-2.0.9.tar.xz"))))
          ;; The following code, run by the bootstrap guile after it is
@@ -290,7 +295,8 @@ $out/bin/guile --version~%"
   ;; This is where the initial binaries come from.
   '("ftp://alpha.gnu.org/gnu/guix/bootstrap"
     "http://alpha.gnu.org/gnu/guix/bootstrap"
-    "http://www.fdn.fr/~lcourtes/software/guix/packages"))
+    "http://www.fdn.fr/~lcourtes/software/guix/packages"
+    "http://flashner.co.il/guix/bootstrap"))
 
 (define %bootstrap-coreutils&co
   (package-from-tarball "bootstrap-binaries"
@@ -301,6 +307,8 @@ $out/bin/guile --version~%"
                                           (match system
                                             ("armhf-linux"
                                              "/20150101/static-binaries.tar.xz")
+                                            ("aarch64-linux"
+                                             "/20170217/static-binaries.tar.xz")
                                             (_
                                              "/20131110/static-binaries.tar.xz")))
                                      %bootstrap-base-urls))
@@ -315,6 +323,9 @@ $out/bin/guile --version~%"
                               ("armhf-linux"
                                (base32
                                 "0gf0fn2kbpxkjixkmx5f4z6hv6qpmgixl69zgg74dbsfdfj8jdv5"))
+                              ("aarch64-linux"
+                               (base32
+                                "18dfiq6c6xhsdpbidigw6480wh0vdgsxqq3xindq4lpdgqlccpfh"))
                               ("mips64el-linux"
                                (base32
                                 "072y4wyfsj1bs80r6vbybbafy8ya4vfy7qj25dklwk97m6g71753"))))))
@@ -325,6 +336,13 @@ $out/bin/guile --version~%"
                            (chmod "bin" #o755)
                            (patch-shebang "bin/egrep" path)
                            (patch-shebang "bin/fgrep" path)
+                           ;; Starting with grep@2.25 'egrep' and 'fgrep' are shell files
+                           ;; that call 'grep'.  If the bootstrap 'egrep' and 'fgrep'
+                           ;; are not binaries then patch them to execute 'grep' via its
+                           ;; absolute file name instead of searching for it in $PATH.
+                           (if (not (elf-file? "bin/egrep"))
+                             (substitute* '("bin/egrep" "bin/fgrep")
+                               (("^exec grep") (string-append (getcwd) "/bin/grep"))))
                            (chmod "bin" #o555)
                            #t)))
 
@@ -337,6 +355,8 @@ $out/bin/guile --version~%"
                                           (match system
                                             ("armhf-linux"
                                              "/20150101/binutils-2.25.tar.xz")
+                                            ("aarch64-linux"
+                                             "/20170217/binutils-2.27.tar.xz")
                                             (_
                                              "/20131110/binutils-2.23.2.tar.xz")))
                                      %bootstrap-base-urls))
@@ -351,6 +371,9 @@ $out/bin/guile --version~%"
                               ("armhf-linux"
                                (base32
                                 "1v7dj6bzn6m36f20gw31l99xaabq4xrhrx3gwqkhhig0mdlmr69q"))
+                              ("aarch64-linux"
+                               (base32
+                                "111s7ilfiby033rczc71797xrmaa3qlv179wdvsaq132pd51xv3n"))
                               ("mips64el-linux"
                                (base32
                                 "1x8kkhcxmfyzg1ddpz2pxs6fbdl6412r7x0nzbmi5n7mj8zw2gy7"))))))
@@ -398,6 +421,8 @@ $out/bin/guile --version~%"
                                     (match (%current-system)
                                       ("armhf-linux"
                                        "/20150101/glibc-2.20.tar.xz")
+                                      ("aarch64-linux"
+                                       "/20170217/glibc-2.25.tar.xz")
                                       (_
                                        "/20131110/glibc-2.18.tar.xz")))
                                %bootstrap-base-urls))
@@ -412,6 +437,9 @@ $out/bin/guile --version~%"
                         ("armhf-linux"
                          (base32
                           "18cmgvpllqfpn6khsmivqib7ys8ymnq0hdzi3qp24prik0ykz8gn"))
+                        ("aarch64-linux"
+                         (base32
+                          "07nx3x8598i2924rjnlrncg6rm61c9bmcczbbcpbx0fb742nvv5c"))
                         ("mips64el-linux"
                          (base32
                           "0k97a3whzx3apsi9n2cbsrr79ad6lh00klxph9hw4fqyp1abkdsg")))))))))
@@ -476,6 +504,8 @@ exec ~a/bin/.gcc-wrapped -B~a/lib \
                                     (match (%current-system)
                                       ("armhf-linux"
                                        "/20150101/gcc-4.8.4.tar.xz")
+                                      ("aarch64-linux"
+                                       "/20170217/gcc-5.4.0.tar.xz")
                                       (_
                                        "/20131110/gcc-4.8.2.tar.xz")))
                                %bootstrap-base-urls))
@@ -490,6 +520,9 @@ exec ~a/bin/.gcc-wrapped -B~a/lib \
                         ("armhf-linux"
                          (base32
                           "0ghz825yzp43fxw53kd6afm8nkz16f7dxi9xi40bfwc8x3nbbr8v"))
+                        ("aarch64-linux"
+                         (base32
+                          "1ar3vdzyqbfm0z36kmvazvfswxhcihlacl2dzdjgiq25cqnq9ih1"))
                         ("mips64el-linux"
                          (base32
                           "1m5miqkyng45l745n0sfafdpjkqv9225xf44jqkygwsipj2cv9ks")))))))))
diff --git a/gnu/packages/bootstrap/aarch64-linux/bash b/gnu/packages/bootstrap/aarch64-linux/bash
new file mode 100755
index 0000000000..0bfb9d1824
--- /dev/null
+++ b/gnu/packages/bootstrap/aarch64-linux/bash
Binary files differdiff --git a/gnu/packages/bootstrap/aarch64-linux/mkdir b/gnu/packages/bootstrap/aarch64-linux/mkdir
new file mode 100755
index 0000000000..35cd1815fd
--- /dev/null
+++ b/gnu/packages/bootstrap/aarch64-linux/mkdir
Binary files differdiff --git a/gnu/packages/bootstrap/aarch64-linux/tar b/gnu/packages/bootstrap/aarch64-linux/tar
new file mode 100755
index 0000000000..7e68edb0be
--- /dev/null
+++ b/gnu/packages/bootstrap/aarch64-linux/tar
Binary files differdiff --git a/gnu/packages/bootstrap/aarch64-linux/xz b/gnu/packages/bootstrap/aarch64-linux/xz
new file mode 100755
index 0000000000..5aa18c9234
--- /dev/null
+++ b/gnu/packages/bootstrap/aarch64-linux/xz
Binary files differdiff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index cd82978de2..a4e2d38e36 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -22,7 +23,7 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages cmake)
-  #:use-module ((guix licenses) #:select (bsd-3))
+  #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
@@ -32,13 +33,14 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages file)
+  #:use-module (gnu packages libevent)
   #:use-module (gnu packages ncurses)
   #:use-module (gnu packages xml))
 
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.6.1")
+    (version "3.7.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.cmake.org/files/v"
@@ -46,8 +48,24 @@
                                  "/cmake-" version ".tar.gz"))
              (sha256
               (base32
-               "04ggm9c0zklxypm6df1v4klrrd85m6vpv13kasj42za283n9ivi8"))
-             (patches (search-patches "cmake-fix-tests.patch"))))
+               "1q6a60695prpzzsmczm2xrgxdb61fyjznb04dr6yls6iwv24c4nw"))
+             (patches (search-patches "cmake-fix-tests.patch"))
+             (modules '((guix build utils)))
+             (snippet
+              '(begin
+                 ;; Drop bundled software.
+                 (with-directory-excursion "Utilities"
+                   (for-each delete-file-recursively
+                             '("cmbzip2"
+                               ;"cmcompress"
+                               "cmcurl"
+                               "cmexpat"
+                               ;"cmjsoncpp"
+                               ;"cmlibarchive"
+                               "cmliblzma"
+                               "cmlibuv"
+                               "cmzlib"))
+                   #t)))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
@@ -67,20 +85,19 @@
                  "Source/CTest/cmCTestBatchTestHandler.cxx"
                  "Source/cmLocalUnixMakefileGenerator3.cxx"
                  "Source/cmExecProgramCommand.cxx"
-                 "Utilities/cmbzip2/Makefile-libbz2_so"
                  "Utilities/Release/release_cmake.cmake"
                  "Utilities/cmlibarchive/libarchive/archive_write_set_format_shar.c"
                  "Tests/CMakeLists.txt"
                  "Tests/RunCMake/File_Generate/RunCMakeTest.cmake")
-               (("/bin/sh") (which "sh")))))
+               (("/bin/sh") (which "sh")))
+           #t))
          (add-before 'configure 'set-paths
            (lambda _
              ;; Help cmake's bootstrap process to find system libraries
              (begin
                (setenv "CMAKE_LIBRARY_PATH" (getenv "LIBRARY_PATH"))
                (setenv "CMAKE_INCLUDE_PATH" (getenv "C_INCLUDE_PATH"))
-               ;; Get verbose output from failed tests
-               (setenv "CTEST_OUTPUT_ON_FAILURE" "TRUE"))))
+               #t)))
          (replace 'configure
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out")))
@@ -88,7 +105,7 @@
                        "./configure"
                        (string-append "--prefix=" out)
                        "--system-libs"
-                       "--no-system-jsoncpp" ; not packaged yet
+                       "--no-system-jsoncpp" ; FIXME: Circular dependency.
                        ;; By default, the man pages and other docs land
                        ;; in PREFIX/man and PREFIX/doc, but we want them
                        ;; in share/{man,doc}.  Note that unlike
@@ -98,7 +115,15 @@
                        "--mandir=share/man"
                        ,(string-append
                          "--docdir=share/doc/cmake-"
-                         (version-major+minor version))))))))))
+                         (version-major+minor version)))))))
+         (add-before 'check 'set-test-environment
+           (lambda _
+             ;; Get verbose output from failed tests.
+             (setenv "CTEST_OUTPUT_ON_FAILURE" "TRUE")
+             ;; Run tests in parallel.
+             (setenv "CTEST_PARALLEL_LEVEL"
+                     (number->string (parallel-job-count)))
+             #t)))))
     (inputs
      `(("file"       ,file)
        ("curl"       ,curl)
@@ -106,6 +131,7 @@
        ("expat"      ,expat)
        ("bzip2"      ,bzip2)
        ("ncurses"    ,ncurses) ; required for ccmake
+       ("libuv"      ,libuv)
        ("libarchive" ,libarchive)))
     (native-search-paths
      (list (search-path-specification
@@ -118,4 +144,8 @@
 CMake is used to control the software compilation process using simple platform
 and compiler independent configuration files.  CMake generates native makefiles
 and workspaces that can be used in the compiler environment of your choice.")
-    (license bsd-3)))
+    (license (list license:bsd-3             ; cmake
+                   license:bsd-4             ; cmcompress
+                   license:bsd-2             ; cmlibarchive
+                   license:expat             ; cmjsoncpp is dual MIT/public domain
+                   license:public-domain)))) ; cmlibarchive/archive_getdate.c
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 7df1d3fca9..675852fb57 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
@@ -172,6 +172,26 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+(define libstdc++-boot0
+  ;; GCC's libcc1 is always built as a shared library (the top-level
+  ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
+  ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
+  ;; C++14 features missing in our bootstrap compiler.
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+    (package
+      (inherit lib)
+      (name "libstdc++-boot0")
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ,@(package-arguments lib)))
+      (inputs %boot0-inputs)
+      (native-inputs '()))))
+
 (define gcc-boot0
   (package-with-bootstrap-guile
    (package (inherit gcc)
@@ -257,6 +277,9 @@
                ("mpc-source" ,(package-source mpc))
                ("binutils-cross" ,binutils-boot0)
 
+               ;; The libstdc++ that libcc1 links against.
+               ("libstdc++" ,libstdc++-boot0)
+
                ;; Call it differently so that the builder can check whether
                ;; the "libc" input is #f.
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
@@ -424,14 +447,8 @@ the bootstrap environment."
 (define ld-wrapper-boot0
   ;; We need this so binaries on Hurd will have libmachuser and libhurduser
   ;; in their RUNPATH, otherwise validate-runpath will fail.
-  ;;
-  ;; XXX: Work around <http://bugs.gnu.org/24832> by fixing the name and
-  ;; triplet on GNU/Linux.  For GNU/Hurd, use the right triplet.
-  (make-ld-wrapper (string-append "ld-wrapper-" "x86_64-guix-linux-gnu")
-                   #:target (lambda (system)
-                              (if (string-suffix? "-linux" system)
-                                  "x86_64-guix-linux-gnu"
-                                  (boot-triplet system)))
+  (make-ld-wrapper "ld-wrapper-boot0"
+                   #:target boot-triplet
                    #:binutils binutils-boot0
                    #:guile %bootstrap-guile
                    #:bash (car (assoc-ref %boot0-inputs "bash"))))
@@ -783,12 +800,17 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define bash-final
   ;; Link with `-static-libgcc' to make sure we don't retain a reference
   ;; to the bootstrap GCC.
-  ;; FIXME: This depends on 'bootstrap-binaries' via Makefile.in.
-  (package-with-bootstrap-guile
-   (package-with-explicit-inputs (static-libgcc-package bash)
-                                 %boot3-inputs
-                                 (current-source-location)
-                                 #:guile %bootstrap-guile)))
+  (let ((bash (package
+                (inherit bash)
+                (arguments
+                 `(#:disallowed-references
+                   ,(assoc-ref %boot3-inputs "coreutils&co")
+                   ,@(package-arguments bash))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs (static-libgcc-package bash)
+                                   %boot3-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
 
 (define %boot4-inputs
   ;; Now use the final Bash.
@@ -987,10 +1009,10 @@ and binaries, plus debugging symbols in the 'debug' output), and Binutils.")
   (gcc-toolchain gcc-4.8))
 
 (define-public gcc-toolchain-4.9
-  (gcc-toolchain gcc-final))
+  (gcc-toolchain gcc-4.9))
 
 (define-public gcc-toolchain-5
-  (gcc-toolchain gcc-5))
+  (gcc-toolchain gcc-final))
 
 (define-public gcc-toolchain-6
   (gcc-toolchain gcc-6))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 88f8f0d84e..4e6a248e8e 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -55,7 +55,7 @@
 (define-public zlib
   (package
     (name "zlib")
-    (version "1.2.8")
+    (version "1.2.11")
     (source
      (origin
       (method url-fetch)
@@ -65,24 +65,24 @@
                                 version "/zlib-" version ".tar.gz")))
       (sha256
        (base32
-        "039agw5rqvqny92cpkrfn243x2gd4xn13hs3xi6isk55d2vqqr9n"))))
+        "18dighcs333gsvajvvgqp8l4cx7h1x7yx9gd5xacnk80spyykrf3"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases (alist-replace
-                 'configure
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   ;; Zlib's home-made `configure' fails when passed
-                   ;; extra flags like `--enable-fast-install', so we need to
-                   ;; invoke it with just what it understand.
-                   (let ((out (assoc-ref outputs "out")))
-                     ;; 'configure' doesn't understand '--host'.
-                     ,@(if (%current-target-system)
-                           `((setenv "CHOST" ,(%current-target-system)))
-                           '())
-                     (zero?
-                      (system* "./configure"
-                               (string-append "--prefix=" out)))))
-                 %standard-phases)))
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Zlib's home-made `configure' fails when passed
+             ;; extra flags like `--enable-fast-install', so we need to
+             ;; invoke it with just what it understand.
+             (let ((out (assoc-ref outputs "out")))
+               ;; 'configure' doesn't understand '--host'.
+               ,@(if (%current-target-system)
+                     `((setenv "CHOST" ,(%current-target-system)))
+                     '())
+               (zero?
+                (system* "./configure"
+                         (string-append "--prefix=" out)))))))))
     (home-page "http://zlib.net/")
     (synopsis "Compression library")
     (description
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index a3dfb8f477..47e0958193 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -281,7 +281,7 @@ GCC that does not target a libc; otherwise, target that libc."
               (setenv "ARCH" ,(system->linux-architecture target))
               (format #t "`ARCH' set to `~a' (cross compiling)~%" (getenv "ARCH"))
 
-              (and (zero? (system* "make" "defconfig"))
+              (and (zero? (system* "make" ,(system->defconfig target)))
                    (zero? (system* "make" "mrproper" "headers_check"))))
             ,phases))))
       (native-inputs `(("cross-gcc" ,xgcc)
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 39ab41c192..dc070fff83 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -52,7 +52,6 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (replacement cups-filters/fixed)
     (version "1.13.1")
     (source(origin
               (method url-fetch)
@@ -88,6 +87,7 @@
      `(#:make-flags (list (string-append "PREFIX=" %output))
        #:configure-flags
        `("--disable-driverless" ; TODO: enable this
+         "--disable-mutool"     ; depends on yet another PDF library (mupdf)
          ,(string-append "--with-test-font-path="
                          (assoc-ref %build-inputs "font-dejavu")
                          "/share/fonts/truetype/DejaVuSans.ttf")
@@ -114,7 +114,6 @@
        ("libjpeg"      ,libjpeg)
        ("libpng"       ,libpng)
        ("libtiff"      ,libtiff)
-       ("mupdf"        ,mupdf)
        ("glib"         ,glib)
        ("qpdf"         ,qpdf)
        ("poppler"      ,poppler)
@@ -135,13 +134,6 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                    license:lgpl2.0+
                    license:expat))))
 
-(define mupdf/fixed-instead-of-mupdf
-  (package-input-rewriting `((,mupdf . ,(@@ (gnu packages pdf) mupdf/fixed)))))
-
-;;; Fix CVE-2016-10132 and CVE-2016-10133. See mupdf/fixed for more information.
-(define cups-filters/fixed
-  (mupdf/fixed-instead-of-mupdf cups-filters))
-
 ;; CUPS on non-MacOS systems requires cups-filters.  Since cups-filters also
 ;; depends on CUPS libraries and binaries, cups-minimal has been added to
 ;; satisfy this dependency.
@@ -174,6 +166,14 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
              (substitute* "Makedefs.in"
                (("INITDIR.*=.*@INITDIR@") "INITDIR = @prefix@/@INITDIR@")
                (("/bin/sh") (which "sh")))))
+         ;; Make the compressed manpages writable so that the
+         ;; reset-gzip-timestamps phase does not error out.
+         (add-before 'reset-gzip-timestamps 'make-manpages-writable
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (man (string-append out "/share/man")))
+               (for-each (lambda (file) (chmod file #o644))
+                         (find-files man "\\.gz")))))
          (add-before 'build 'patch-tests
            (lambda _
              (substitute* "test/ippserver.c"
@@ -275,6 +275,14 @@ device-specific programs to convert and print many types of files.")
                   (string-append "cupsFileFind(\"cat\", \"" catpath "\""))
                  (("cupsFileFind\\(\"cat\", \"/bin:/usr/bin\"")
                   (string-append "cupsFileFind(\"cat\", \"" catpath "\""))))))
+         ;; Make the compressed manpages writable so that the
+         ;; reset-gzip-timestamps phase does not error out.
+         (add-before 'reset-gzip-timestamps 'make-manpages-writable
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (man (string-append out "/share/man")))
+               (for-each (lambda (file) (chmod file #o644))
+                         (find-files man "\\.gz")))))
          (add-after 'install 'install-cups-filters-symlinks
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out"))
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 13e0686519..22e18389e7 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -40,15 +40,14 @@
 (define-public curl
   (package
    (name "curl")
-   (replacement curl-7.53.0)
-   (version "7.50.3")
+   (version "7.53.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "1spmk0345hq0sgpwxs8d410268lmg3wf1x9v23hxff7wxki5fm4c"))))
+              "1k0i31xygb804c61llhin5wbpcscg4gfqmbxcfkpdr1alwh7igrq"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -120,16 +119,3 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
-
-(define curl-7.53.0
-  (package
-    (inherit curl)
-    (source
-      (let ((version "7.53.0"))
-        (origin
-          (method url-fetch)
-          (uri (string-append "https://curl.haxx.se/download/curl-"
-                              version ".tar.lzma"))
-          (sha256
-           (base32
-            "1k0i31xygb804c61llhin5wbpcscg4gfqmbxcfkpdr1alwh7igrq")))))))
diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm
index 62bd718ab9..b48505e5f3 100644
--- a/gnu/packages/cyrus-sasl.scm
+++ b/gnu/packages/cyrus-sasl.scm
@@ -31,7 +31,6 @@
 (define-public cyrus-sasl
   (package
    (name "cyrus-sasl")
-   (replacement cyrus-sasl/fixed)
    (version "2.1.26")
    (source (origin
             (method url-fetch)
@@ -41,6 +40,7 @@
                        (string-append
                         "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-"
                         version ".tar.gz")))
+            (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))
             (sha256 (base32
                      "1hvvbcsg21nlncbgs0cgn3iwlnb3vannzwsp6rwvnn9ba4v53g4g"))))
    (build-system gnu-build-system)
@@ -66,10 +66,3 @@ server writers.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "http://cyrusimap.web.cmu.edu")))
-
-(define cyrus-sasl/fixed
-  (package
-    (inherit cyrus-sasl)
-    (source (origin
-              (inherit (package-source cyrus-sasl))
-              (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))))))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 5199d0c4f1..4b637f0c70 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
@@ -210,7 +210,44 @@ SQL, Key/Value, XML/XQuery or Java Object storage for their data model.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0"))))))
+                "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0"))))
+    (arguments
+     `(#:tests? #f                            ; no check target available
+       #:disallowed-references ("doc")
+       #:phases
+       (alist-replace
+        'configure
+        (lambda* (#:key outputs #:allow-other-keys)
+          (let ((out (assoc-ref outputs "out"))
+                (doc (assoc-ref outputs "doc")))
+            ;; '--docdir' is not honored, so we need to patch.
+            (substitute* "dist/Makefile.in"
+              (("docdir[[:blank:]]*=.*")
+               (string-append "docdir = " doc "/share/doc/bdb")))
+
+            (zero?
+             (system* "./dist/configure"
+                      (string-append "--prefix=" out)
+                      (string-append "CONFIG_SHELL=" (which "bash"))
+                      (string-append "SHELL=" (which "bash"))
+
+                      ;; Bdb doesn't recognize aarch64 as an architecture.
+                      ,@(if (string=? "aarch64-linux" (%current-system))
+                            '("--build=aarch64-unknown-linux-gnu")
+                            '())
+
+                      ;; Remove 7 MiB of .a files.
+                      "--disable-static"
+
+                      ;; The compatibility mode is needed by some packages,
+                      ;; notably iproute2.
+                      "--enable-compat185"
+
+                      ;; The following flag is needed so that the inclusion
+                      ;; of db_cxx.h into C++ files works; it leads to
+                      ;; HAVE_CXX_STDHEADERS being defined in db_cxx.h.
+                      "--enable-cxx"))))
+                 %standard-phases)))))
 
 (define-public leveldb
   (package
@@ -665,12 +702,9 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.14.1")
+   (version "3.17.0")
    (source (origin
             (method url-fetch)
-            ;; TODO: Download from sqlite.org once this bug :
-            ;; http://lists.gnu.org/archive/html/bug-guile/2013-01/msg00027.html
-            ;; has been fixed.
             (uri (let ((numeric-version
                         (match (string-split version #\.)
                           ((first-digit other-digits ...)
@@ -680,23 +714,11 @@ for example from a shell script.")
                                             (map (cut string-pad <> 2 #\0)
                                                  other-digits))
                                            6 #\0))))))
-                   (list
-                    (string-append
-                     "https://fossies.org/linux/misc/sqlite-autoconf-"
-                     numeric-version ".tar.gz")
-                    (string-append
-                     "http://distfiles.gentoo.org/distfiles/"
-                     "/sqlite-autoconf-" numeric-version ".tar.gz"))
-
-                   ;; XXX: As of 2015-09-08, SourceForge is squatting the URL
-                   ;; below, returning 200 and showing an advertising page.
-                   ;; (string-append
-                   ;;  "mirror://sourceforge/sqlite.mirror/SQLite%20" version
-                   ;;  "/sqlite-autoconf-" numeric-version ".tar.gz")
-                   ))
+                   (string-append "https://sqlite.org/2017/sqlite-autoconf-"
+                                  numeric-version ".tar.gz")))
             (sha256
              (base32
-              "19j73j44akqgc6m82wm98yvnmm3mfzmfqr8mp3n7n080d53q4wdw"))))
+              "0k472gq0p706jq4529p60znvw02hdf172qxgbdv59q0n7anqbr54"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -707,7 +729,7 @@ for example from a shell script.")
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
                            "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
-   (home-page "http://www.sqlite.org/")
+   (home-page "https://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
     "SQLite is a software library that implements a self-contained, serverless,
@@ -716,26 +738,6 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license license:public-domain)))
 
-(define-public sqlite-3.15.1
-  (package (inherit sqlite)
-           (version "3.15.1")
-           (source (origin
-                     (method url-fetch)
-                     (uri (let ((numeric-version
-                                 (match (string-split version #\.)
-                                   ((first-digit other-digits ...)
-                                    (string-append first-digit
-                                                   (string-pad-right
-                                                    (string-concatenate
-                                                     (map (cut string-pad <> 2 #\0)
-                                                          other-digits))
-                                                    6 #\0))))))
-                            (string-append "https://sqlite.org/2016/sqlite-autoconf-"
-                                           numeric-version ".tar.gz")))
-                     (sha256
-                      (base32
-                       "1ig2d9jzzixiifmgqsl6kjcvy17jwxby3s24gfnc5qvyd6vqkyjx"))))))
-
 (define-public tdb
   (package
     (name "tdb")
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index bbc25e8797..cd42bc0f35 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014, 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
+;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system cmake)
   #:use-module (gnu packages)
+  #:use-module (gnu packages bash)
   #:use-module (gnu packages python)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages docbook)
@@ -84,14 +86,14 @@ markup) can be customized and extended by the user.")
 (define-public doxygen
   (package
     (name "doxygen")
-    (version "1.8.11")
+    (version "1.8.13")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://ftp.stack.nl/pub/users/dimitri/"
                                  name "-" version ".src.tar.gz"))
              (sha256
               (base32
-               "0ja02pm3fpfhc5dkry00kq8mn141cqvdqqpmms373ncbwi38pl35"))
+               "0srzawqn3apzrg8hwycwrawdylmmjrndij4spw6xr1vspn3phrmg"))
              (patches (search-patches "doxygen-test.patch"))))
     (build-system cmake-build-system)
     (native-inputs
@@ -99,8 +101,18 @@ markup) can be customized and extended by the user.")
        ("flex" ,flex)
        ("libxml2" ,libxml2) ; provides xmllint for the tests
        ("python" ,python-2))) ; for creating the documentation
+    (inputs
+     `(("bash" ,bash-minimal)))
     (arguments
-     `(#:test-target "tests"))
+     `(#:test-target "tests"
+       #:phases (modify-phases %standard-phases
+                  (add-before 'configure 'patch-sh
+                              (lambda* (#:key inputs #:allow-other-keys)
+                                (substitute* "src/portable.cpp"
+                                  (("/bin/sh")
+                                   (string-append
+                                    (assoc-ref inputs "bash") "/bin/sh")))
+                                #t)))))
     (home-page "http://www.stack.nl/~dimitri/doxygen/")
     (synopsis "Generate documentation from annotated sources")
     (description "Doxygen is the de facto standard tool for generating
diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
index 3668aac19a..5014229952 100644
--- a/gnu/packages/ed.scm
+++ b/gnu/packages/ed.scm
@@ -28,14 +28,14 @@
 (define-public ed
   (package
     (name "ed")
-    (version "1.13")
+    (version "1.14.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ed/ed-"
                                  version ".tar.lz"))
              (sha256
               (base32
-               "1ly7i1iw02vbcd0zrx084z577ngxnarffmkm45dg6vndad5carnd"))))
+               "0ajm69pma7gigddlrq2qi4dsllz9vhm8gqwpkcdagdd2yaw7xfgz"))))
     (build-system gnu-build-system)
     (native-inputs `(("lzip" ,lzip)))
     (arguments
@@ -45,8 +45,9 @@
          (add-before 'patch-source-shebangs 'patch-test-suite
                      (lambda _
                        (substitute* "testsuite/check.sh"
-                         (("/bin/sh") (which "sh"))))))))
-    (home-page "http://www.gnu.org/software/ed/")
+                         (("/bin/sh") (which "sh")))
+                       #t)))))
+    (home-page "https://www.gnu.org/software/ed/")
     (synopsis "Line-oriented text editor")
     (description
      "Ed is a line-oriented text editor: rather than offering an overview of
diff --git a/gnu/packages/elf.scm b/gnu/packages/elf.scm
index 35b644906b..c68604cf83 100644
--- a/gnu/packages/elf.scm
+++ b/gnu/packages/elf.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -78,17 +79,22 @@ addr2line, and more.")
               (base32
                "0vf7s9dwk2xkmhb79aigqm0x0yfbw1j0b9ksm51207qwr179n6jr"))))
     (build-system gnu-build-system)
-    (arguments '(#:phases (alist-replace
-                           'configure
-                           (lambda* (#:key outputs #:allow-other-keys)
-                             ;; This old `configure' script doesn't support
-                             ;; variables passed as arguments.
-                             (let ((out (assoc-ref outputs "out")))
-                               (setenv "CONFIG_SHELL" (which "bash"))
-                               (zero?
-                                (system* "./configure"
-                                         (string-append "--prefix=" out)))))
-                           %standard-phases)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; This old `configure' script doesn't support
+             ;; variables passed as arguments.
+             (let ((out (assoc-ref outputs "out")))
+               (setenv "CONFIG_SHELL" (which "bash"))
+               (zero?
+                (system* "./configure"
+                         (string-append "--prefix=" out)
+                       ,@(if (string=? "aarch64-linux"
+                                       (%current-system))
+                             '("--host=aarch64-unknown-linux-gnu")
+                             '())))))))))
     (home-page "http://www.mr511.de/software/english.html")
     (synopsis "ELF object file access library")
     (description "Libelf is a C library to access ELF object files.")
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index c1f74d65ad..1470b967da 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -24,6 +24,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages indent)
   #:use-module (srfi srfi-1))
@@ -31,29 +32,32 @@
 (define-public flex
   (package
     (name "flex")
-    (version "2.6.0")
+    (version "2.6.3")
     (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/flex/flex-"
-                                 version ".tar.bz2"))
-             (patches (search-patches "flex-CVE-2016-6354.patch"))
-             (sha256
-              (base32
-               "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"))))
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/westes/flex"
+                    "/releases/download/v" version "/"
+                    "flex-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1an2cn2z85mkpgqcinh1fhhcd7993qm2lil1yxic8iz76ci79ck8"))))
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
             ;; Work around an incompatibility with Bison 3.0:
             ;; <http://lists.gnu.org/archive/html/bug-bison/2013-09/msg00014.html>.
-            (package (inherit bison)
+            (package
+              (inherit bison)
               (version "2.7.1")
               (source (origin
-                       (method url-fetch)
-                       (uri (string-append "mirror://gnu/bison/bison-"
-                                           version ".tar.xz"))
-                       (sha256
-                        (base32
-                         "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
+                        (method url-fetch)
+                        (uri (string-append
+                              "mirror://gnu/bison/"
+                              "bison-" version ".tar.xz"))
+                        (sha256
+                         (base32
+                          "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
 
               ;; Unlike Bison 3.0, this version did not need Flex for its
               ;; tests, so it allows us to break the cycle.
@@ -61,9 +65,11 @@
        `(("bison" ,bison-for-tests)
          ("indent" ,indent))))
     ;; m4 is not present in PATH when cross-building
-    (native-inputs `(("m4" ,m4)))
+    (native-inputs
+     `(("help2man" ,help2man)
+       ("m4" ,m4)))
     (propagated-inputs `(("m4" ,m4)))
-    (home-page "http://flex.sourceforge.net/")
+    (home-page "https://github.com/westes/flex")
     (synopsis "Fast lexical analyser generator")
     (description
      "Flex is a tool for generating scanners.  A scanner, sometimes
@@ -78,23 +84,21 @@ is run, it analyzes its input for occurrences of text matching the
 regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
-                        "See COPYING in the distribution."))))
+                           "See COPYING in the distribution."))))
 
+;;; Many packages fail to build with flex > 2.6.1, due to this bug in flex:
+;;; <https://github.com/westes/flex/issues/162>
+;;; We must not use a flex before 2.6.1, due to CVE-2016-6354.
+;;; TODO Try using flex > 2.6.3.
 (define-public flex-2.6.1
-  ;; The kservice and solid packages use flex.  extra-cmake-modules
-  ;; forces C89 for all C files for compatibility with windows.
-  ;; Flex 2.6.0 generates a lexer containing a single line comment.  Single
-  ;; line comments are part of the C99 standard, so the lexer won't compile
-  ;; if C89 is used.
   (package
     (inherit flex)
     (version "2.6.1")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                    "https://github.com/westes/flex"
-                    "/releases/download/v" version "/"
-                    "flex-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0fy14c35yz2m1n1m4f02by3501fn0cca37zn7jp8lpp4b3kgjhrw"))))))
+              (uri (string-append "https://github.com/westes/flex"
+                                  "/releases/download/v" version "/"
+                                  "flex-" version ".tar.xz"))
+             (sha256
+              (base32
+               "0gqhk4vkwy4gl9xbpgkljph8c0a5kpijz6wd0p5r9q202qn42yic"))))))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 15109bfe13..46c658b667 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -2,7 +2,8 @@
 ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -46,13 +47,13 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.6.3")
+   (version "2.7.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "18k3b026762lmyrxfil5xv8qwnvj7hc12gz9bjqzbb12lmx707ip"))))
+                     "121gm15ayfg3rglby8ifh8384mcjb9dhmx9j40zl7yszw72b4frs"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
@@ -69,7 +70,7 @@ It supports both bitmap and scalable formats, including TrueType, OpenType,
 Type1, CID, CFF, Windows FON/FNT, X11 PCF, and others.  It supports high-speed
 anti-aliased glyph bitmap generation with 256 gray levels.")
    (license license:freetype)           ; some files have other licenses
-   (home-page "http://www.freetype.org/")))
+   (home-page "https://www.freetype.org/")))
 
 (define-public ttfautohint
   (package
@@ -229,6 +230,8 @@ fonts to/from the WOFF2 format.")
             (uri (string-append
                    "https://www.freedesktop.org/software/fontconfig/release/fontconfig-"
                    version ".tar.bz2"))
+            (patches (search-patches "fontconfig-charwidth-symbol-conflict.patch"
+                                     "fontconfig-path-max.patch"))
             (sha256 (base32
                      "1wy7svvp7df6bjpg1m5vizb3ngd7rhb20vpclv3x3qa71khs6jdl"))))
    (build-system gnu-build-system)
@@ -254,6 +257,11 @@ fonts to/from the WOFF2 format.")
             "PYTHON=false")
       #:phases
       (modify-phases %standard-phases
+        (add-after 'unpack 'fix-tests-for-freetype-2.7.1
+          (lambda _
+            (substitute* "test/run-test.sh"
+              (("\\\| sort") "| cut -d' ' -f2 | sort"))
+            #t))
         (replace 'install
                  (lambda _
                    ;; Don't try to create /var/cache/fontconfig.
@@ -366,7 +374,7 @@ applications should be.")
 (define-public graphite2
   (package
    (name "graphite2")
-   (version "1.3.8")
+   (version "1.3.9")
    (source
      (origin
        (method url-fetch)
@@ -374,7 +382,7 @@ applications should be.")
                            "download/" version "/" name "-" version ".tgz"))
        (sha256
         (base32
-         "1hlc9j7w7gihy6gvzfa7902pr6yxq1sr1xkp5rwf0p29m2rjagwz"))))
+         "0rs5h7m340z75kygx8d72cps0q6yvvqa9i788vym7585cfv8a0gc"))))
    (build-system cmake-build-system)
    (native-inputs
     `(("python" ,python-2) ; because of "import imap" in tests
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 4c15d4b2b0..20a104f623 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -274,14 +274,14 @@ Python.")
 (define-public wayland
   (package
     (name "wayland")
-    (version "1.11.0")
+    (version "1.13.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://wayland.freedesktop.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1c0d5ivy9n44hykvw2ggrvqrnn7naw3wg11vbvgwzgi8g5gr4h4m"))))
+                "0lgywr1m0d79vr4s8aimj8a307nss29hhy68gjpqj7m667055c39"))))
     (build-system gnu-build-system)
     (arguments `(#:parallel-tests? #f))
     (native-inputs
@@ -331,7 +331,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
 (define-public weston
   (package
     (name "weston")
-    (version "1.11.0")
+    (version "2.0.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -339,7 +339,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
                     "weston-" version ".tar.xz"))
               (sha256
                (base32
-                "09biddxw3ar797kxf9mywjkb2iwky6my39gpp51ni846y7lqdq05"))))
+                "1n35acsknwqfhsni854q5mjq2gnbnfdvinh92rpij67i4yn4dr5l"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -372,9 +372,11 @@ applications, X servers (rootless or fullscreen) or other display servers.")
              ;; Use elogind instead of systemd
              (substitute* "configure"
                (("libsystemd-login >= 198") "libelogind"))
-             (substitute* '("src/launcher-logind.c" "src/weston-launch.c")
+             (substitute* '("libweston/launcher-logind.c"
+                            "libweston/weston-launch.c")
                (("#include <systemd/sd-login.h>")
-                "#include <elogind/sd-login.h>"))))
+                "#include <elogind/sd-login.h>"))
+             #t))
          (add-after 'configure 'patch-confdefs.h
            (lambda _
              (system "echo \"#define HAVE_SYSTEMD_LOGIN_209 1\" >> confdefs.h")))
diff --git a/gnu/packages/gawk.scm b/gnu/packages/gawk.scm
index 86f01335a8..280e3d3cff 100644
--- a/gnu/packages/gawk.scm
+++ b/gnu/packages/gawk.scm
@@ -47,7 +47,7 @@
                      (let ((bash (assoc-ref inputs "bash")))
                        (substitute* "io.c"
                          (("/bin/sh")
-                          (string-append bash "/bin/bash")))
+                          (string-append bash "/bin/sh")))
 
                        ;; When cross-compiling, remove dependencies on the
                        ;; `check-for-shared-lib-support' target, which tries
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index cfd33f85ab..9376679f14 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -204,17 +205,18 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                 (for-each
                  (lambda (x)
                    (substitute* (find-files "gcc/config"
-                                            "^linux(64|-elf|-eabi)?\\.h$")
-                     (("(#define GLIBC_DYNAMIC_LINKER.*)\\\\\n$" _ line)
+                                            "^(linux|gnu|sysv4)(64|-elf|-eabi)?\\.h$")
+                     (("(#define (GLIBC|GNU_USER)_DYNAMIC_LINKER.*)\\\\\n$" _ line)
                       line)))
                  '(1 2 3))
 
                 ;; Fix the dynamic linker's file name.
                 (substitute* (find-files "gcc/config"
-                                         "^(linux|gnu)(64|-elf|-eabi)?\\.h$")
-                  (("#define GLIBC_DYNAMIC_LINKER([^ ]*).*$" _ suffix)
-                   (format #f "#define GLIBC_DYNAMIC_LINKER~a \"~a\"~%"
-                           suffix
+                                         "^(linux|gnu|sysv4)(64|-elf|-eabi)?\\.h$")
+                  (("#define (GLIBC|GNU_USER)_DYNAMIC_LINKER([^ ]*).*$"
+                    _ gnu-user suffix)
+                   (format #f "#define ~a_DYNAMIC_LINKER~a \"~a\"~%"
+                           gnu-user suffix
                            (string-append libc ,(glibc-dynamic-linker)))))
 
                 ;; Tell where to find libstdc++, libc, and `?crt*.o', except
@@ -240,13 +242,33 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                    (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
 #define STANDARD_STARTFILE_PREFIX_2 \"\"
 ~a"
-                           libc line))))
+                           libc line)))
+
+              ;; The rs6000 (a.k.a. powerpc) config in GCC does not use
+              ;; GNU_USER_* defines.  Do the above for this case.
+              (substitute*
+                  "gcc/config/rs6000/sysv4.h"
+                (("#define LIB_LINUX_SPEC (.*)$" _ suffix)
+                 (format #f "#define LIB_LINUX_SPEC \
+\"-L~a/lib %{!static:-rpath=~a/lib %{!static-libgcc:-rpath=~a/lib -lgcc_s}} \" ~a"
+                         libc libc libdir suffix))
+                (("#define	STARTFILE_LINUX_SPEC.*$" line)
+                 (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
+#define STANDARD_STARTFILE_PREFIX_2 \"\"
+~a"
+                         libc line))))
 
               ;; Don't retain a dependency on the build-time sed.
               (substitute* "fixincludes/fixincl.x"
                 (("static char const sed_cmd_z\\[\\] =.*;")
                  "static char const sed_cmd_z[] = \"sed\";"))
 
+              ;; Aarch64 support didn't land in GCC until the 4.8 series.
+              (when (file-exists? "gcc/config/aarch64")
+                ;; Force Aarch64 libdir to be /lib and not /lib64
+                (substitute* "gcc/config/aarch64/t-aarch64-linux"
+                  (("lib64") "lib")))
+
               (when (file-exists? "libbacktrace")
                 ;; GCC 4.8+ comes with libbacktrace.  By default it builds
                 ;; with -Werror, which fails with a -Wcast-qual error in glibc
@@ -358,8 +380,11 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
-              (patches (search-patches "gcc-strmov-store-file-names.patch"
-                                       "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-strmov-store-file-names.patch"
+                                       "gcc-5.0-libvtv-runpath.patch"
+                                       "gcc-5-source-date-epoch-1.patch"
+                                       "gcc-5-source-date-epoch-2.patch"))))))
 
 (define-public gcc-6
   (package
@@ -377,7 +402,7 @@ Go.  It also includes runtime support libraries for these languages.")
 
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
-(define-public gcc gcc-4.9)
+(define-public gcc gcc-5)
 
 (define-public (make-libstdc++ gcc)
   "Return a libstdc++ package based on GCC.  The primary use case is when
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 713f7ae91e..62c8fd8588 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,12 +37,11 @@
 (define-public gd
   (package
     (name "gd")
-    (replacement gd-2.2.4)
 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.3")
+    (version "2.2.4")
 
     (source (origin
              (method url-fetch)
@@ -50,12 +50,27 @@
                    version "/libgd-" version ".tar.xz"))
              (sha256
               (base32
-               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))
-             (patches (search-patches "gd-CVE-2016-7568.patch"
-                                      "gd-CVE-2016-8670.patch"
-                                      "gd-fix-gd2-read-test.patch"
-                                      "gd-fix-tests-on-i686.patch"))))
+               "1rp4v7n1dq38b92kl7gkvpvqqkw7nvdfnz6d5kip5klkxfki6zqk"))
+             (patches (search-patches "gd-fix-gd2-read-test.patch"
+                                      "gd-fix-tests-on-i686.patch"
+                                      "gd-freetype-test-failure.patch"
+                                      "gd-php-73968-Fix-109-XBM-reading.patch"))))
     (build-system gnu-build-system)
+    (arguments
+      ;; As recommended by github.com/libgd/libgd/issues/278 to fix rounding
+      ;; issues on aarch64 and other architectures.
+     `(#:make-flags '("CFLAGS=-ffp-contract=off")
+       #:phases
+       (modify-phases %standard-phases
+         ;; This test is known to fail on i686-linux:
+         ;; https://github.com/libgd/libgd/issues/359
+         ;; TODO Replace this substitution with an upstream bug fix.
+         (add-after 'unpack 'disable-failing-test
+           (lambda _
+             (substitute* "tests/gdimagegrayscale/basic.c"
+               (("return gdNumFailures\\(\\)")
+                 "return 0"))
+             #t)))))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
@@ -78,32 +93,6 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
-(define gd-2.2.4
-  (package
-    (inherit gd)
-    (version "2.2.4")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://github.com/libgd/libgd/releases/download/"
-                            "gd-" version "/libgd-" version ".tar.xz"))
-        (patches (search-patches "gd-fix-gd2-read-test.patch"
-                                 "gd-fix-tests-on-i686.patch"))
-        (sha256
-         (base32
-          "1rp4v7n1dq38b92kl7gkvpvqqkw7nvdfnz6d5kip5klkxfki6zqk"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; This test is known to fail on i686-linux:
-         ;; https://github.com/libgd/libgd/issues/359
-         ;; TODO Replace this substitution with an upstream bug fix.
-         (add-after 'unpack 'disable-failing-test
-           (lambda _
-             (substitute* "tests/gdimagegrayscale/basic.c"
-               (("return gdNumFailures\\(\\)")
-                 "return 0")))))))))
-
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 2c7b86c042..a6403e67a9 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -3,6 +3,8 @@
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,14 +41,14 @@
 (define-public lcms
   (package
    (name "lcms")
-   (replacement lcms/fixed)
-   (version "2.6")
+   (version "2.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://sourceforge/lcms/lcms/" version
                                 "/lcms2-" version ".tar.gz"))
+            (patches (search-patches "lcms-CVE-2016-10165.patch"))
             (sha256 (base32
-                     "1c8lgq8gfs3nyplvbx9k8wzfj6r2bqi3f611vb1m8z3476454wji"))))
+                     "08pvl289g0mbznzx5l6ibhaldsgx41kwvdn2c974ga9fkli2pl36"))))
    (build-system gnu-build-system)
    (inputs `(("libjpeg-8" ,libjpeg-8)
              ("libtiff" ,libtiff)
@@ -60,14 +62,6 @@ Consortium standard (ICC), approved as ISO 15076-1.")
    (home-page "http://www.littlecms.com/")
    (properties '((cpe-name . "little_cms_color_engine")))))
 
-(define lcms/fixed
-  (package
-    (inherit lcms)
-    (source
-      (origin
-        (inherit (package-source lcms))
-        (patches (search-patches "lcms-fix-out-of-bounds-read.patch"))))))
-
 (define-public libpaper
   (package
    (name "libpaper")
@@ -178,9 +172,9 @@ printing, and psresize, for adjusting page sizes.")
         (add-after 'configure 'patch-config-files
                    (lambda _
                      (substitute* "base/all-arch.mak"
-                       (("/bin/sh") (which "bash")))
+                       (("/bin/sh") (which "sh")))
                      (substitute* "base/unixhead.mak"
-                       (("/bin/sh") (which "bash")))))
+                       (("/bin/sh") (which "sh")))))
         (add-after 'configure 'remove-doc-reference
                    (lambda _
                      ;; Don't retain a reference to the 'doc' output in 'gs'.
@@ -279,25 +273,19 @@ architecture.")
    (build-system gnu-build-system)
    (arguments
     `(#:tests? #f ; nothing to check, just files to copy
-      #:modules ((guix build gnu-build-system)
-                 (guix build utils)
-                 (srfi srfi-1)) ; for alist-delete
       #:phases
-       (alist-delete
-        'configure
-       (alist-delete
-        'build
-       (alist-replace
-        'install
-        (lambda* (#:key outputs #:allow-other-keys)
-          (let* ((out (assoc-ref outputs "out"))
-                 (dir (string-append out "/share/fonts/type1/ghostscript")))
-            (mkdir-p dir)
-            (for-each
-              (lambda (file)
-                (copy-file file (string-append dir "/" file)))
-              (find-files "." "pfb|afm"))))
-       %standard-phases)))))
+      (modify-phases %standard-phases
+        (delete 'configure)
+        (delete 'build)
+        (replace 'install
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let* ((out (assoc-ref outputs "out"))
+                   (dir (string-append out "/share/fonts/type1/ghostscript")))
+              (mkdir-p dir)
+              (for-each
+                (lambda (file)
+                  (copy-file file (string-append dir "/" file)))
+                (find-files "." "pfb|afm"))))))))
    (synopsis "Free replacements for the PostScript fonts")
    (description
     "Ghostscript fonts provides fonts and font metrics customarily distributed with
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index a3862f1ec3..fce44b43e2 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2014, 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
-;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -33,6 +33,7 @@
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages llvm)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages video)
@@ -197,7 +198,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "13.0.3")
+    (version "13.0.5")
     (source
       (origin
         (method url-fetch)
@@ -205,7 +206,7 @@ also known as DXTn or DXTC) for Mesa.")
                             version "/mesa-" version ".tar.xz"))
         (sha256
          (base32
-          "03m4gc6qc50lb0ic06f83r3yl0x4lmj2zjq3sl60vl3nq7jqpanr"))
+          "11zgynii1wz17131ml1mmblpwib8m88zz2jwi5h5llh1r3iagkmz"))
         (patches
          (search-patches "mesa-wayland-egl-symbols-check-mips.patch"))))
     (build-system gnu-build-system)
@@ -230,14 +231,15 @@ also known as DXTn or DXTC) for Mesa.")
         ("makedepend" ,makedepend)
         ("presentproto" ,presentproto)
         ("s2tc" ,s2tc)
+        ("llvm" ,llvm)
         ("wayland" ,wayland)))
     (native-inputs
       `(("pkg-config" ,pkg-config)
         ("python" ,python-2)))
     (arguments
      `(#:configure-flags
-       '(;; drop r300 from default gallium drivers, as it requires llvm
-         "--with-gallium-drivers=r600,svga,swrast,nouveau,virgl"
+       '("--with-gallium-drivers=i915,r300,r600,svga,swrast,nouveau,virgl"
+         "--enable-gallium-llvm"
          ;; Enable various optional features.  TODO: opencl requires libclc,
          ;; omx requires libomxil-bellagio
          "--with-egl-platforms=x11,drm,wayland"
@@ -456,25 +458,20 @@ OpenGL graphics API.")
 (define-public libepoxy
   (package
     (name "libepoxy")
-    (version "1.3.1")
+    (version "1.4.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
-                    "https://github.com/anholt/libepoxy/archive/v"
+                    "https://github.com/anholt/libepoxy/releases/download/v"
+                    (version-major+minor version) "/libepoxy-"
                     version
-                    ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
+                    ".tar.xz"))
               (sha256
                (base32
-                "1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037"))
-              (patches (search-patches "libepoxy-gl-null-checks.patch"))))
+                "0hdbaapbxjjfdqsdvag460kfjvs800da5sngi2sc46wj9aqhda95"))))
     (arguments
      `(#:phases
        (modify-phases %standard-phases
-         (add-after
-           'unpack 'autoreconf
-           (lambda _
-             (zero? (system* "autoreconf" "-vif"))))
          (add-before
            'configure 'patch-paths
            (lambda* (#:key inputs #:allow-other-keys)
@@ -485,23 +482,10 @@ OpenGL graphics API.")
                (substitute* (find-files "." "\\.[ch]$")
                  (("libGL.so.1") (string-append mesa "/lib/libGL.so.1"))
                  (("libEGL.so.1") (string-append mesa "/lib/libEGL.so.1")))
-
-               ;; XXX On armhf systems, we must add "GLIBC_2.4" to the list of
-               ;; versions in test/dlwrap.c:dlwrap_real_dlsym.  It would be
-               ;; better to make this a normal patch, but for now we do it here
-               ;; to prevent rebuilding on other platforms.
-               ,@(if (string-prefix? "arm" (or (%current-target-system)
-                                               (%current-system)))
-                     '((substitute* '"test/dlwrap.c"
-                         (("\"GLIBC_2\\.0\"") "\"GLIBC_2.0\", \"GLIBC_2.4\"")))
-                     '())
                #t))))))
     (build-system gnu-build-system)
     (native-inputs
-     `(("autoconf" ,autoconf)
-       ("automake" ,automake)
-       ("libtool" ,libtool)
-       ("pkg-config" ,pkg-config)
+     `(("pkg-config" ,pkg-config)
        ("python" ,python)))
     (inputs
      `(("mesa" ,mesa)))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 9dd46d60b1..1a794db253 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -67,7 +67,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.10.14")
+    (version "1.10.16")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -75,7 +75,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "10x0wvv2ly4lyyfd42k4xw0ar5qdbi9cksw3l5fcwf1y6mq8y8r3"))
+                "121kqkjsd3vgf8vca8364xl44qa5086h7qy5zs5f1l78ldpbmc57"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 4fc9f38521..1b59cf7ecf 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -58,7 +58,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.24")
+    (version "1.26")
     (source
      (origin
       (method url-fetch)
@@ -66,7 +66,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0h75sf1ngr750c3fjfn4583q7wz40qm63jhg8vjfdrbx936f2s4j"))))
+        "0sgfia0syq78k1c9h10rkhc1nfv5v097icrprlx2x4qn074wnjsc"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -82,14 +82,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.7.3")
+    (version "1.7.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0wbh6fq5zi9wg2xcfvfpwh7dv52jihivx1vm4h91c2kx0w8n3b6x"))))
+               "1g05prhgqw4ryd0w433q8nhds0h93kf47hfjagi2r7dghkpaysk2"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/gperf.scm b/gnu/packages/gperf.scm
index 9d9aaba3ce..5e55f8d86f 100644
--- a/gnu/packages/gperf.scm
+++ b/gnu/packages/gperf.scm
@@ -25,7 +25,7 @@
 (define-public gperf
   (package
     (name "gperf")
-    (version "3.0.4")
+    (version "3.1")
     (source
      (origin
       (method url-fetch)
@@ -33,7 +33,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "0gnnm8iqcl52m8iha3sxrzrl9mcyhg7lfrhhqgdn4zj00ji14wbn"))))
+        "1qispg6i508rq8pkajh26cznwimbnj06wq9sd85vg95v8nwld1aq"))))
     (build-system gnu-build-system)
     (arguments '(#:parallel-tests? #f))
     (home-page "http://www.gnu.org/software/gperf/")
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 0a291370e7..057c808597 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -168,7 +168,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.4.1")
+   (version "1.4.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.freedesktop.org/software/"
@@ -176,7 +176,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "1g8mndf0p0fzjfvxrprga84zvqq186gbddnw6wbna7cscfmpz8l5"))))
+               "08akv3qzwnf48xajb60dfcchkmfdjkpp65a0xd8s98w81901g343"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
@@ -432,7 +432,8 @@ highlighting and other features typical of a source code editor.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1v1rssjd8p5s3lymsfhiq5mbs2pc0h1r6jd0asrwdbrign7i68sj"))))
+              "1v1rssjd8p5s3lymsfhiq5mbs2pc0h1r6jd0asrwdbrign7i68sj"))
+            (patches (search-patches "gdk-pixbuf-list-dir.patch"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags '("--with-x11")
@@ -688,9 +689,12 @@ application suites.")
       ("pkg-config" ,pkg-config)
       ("gobject-introspection" ,gobject-introspection)
       ("python-wrapper" ,python-wrapper)
-      ("xorg-server" ,xorg-server)))
+      ;; By using a special xorg-server for GTK+'s tests, we reduce the impact
+      ;; of updating xorg-server directly on the master branch.
+      ("xorg-server" ,xorg-server-1.19.2)))
    (arguments
-    `(;; 47 MiB goes to "out" (24 of which is locale data!), and 26 MiB goes
+    `(#:disallowed-references (,xorg-server-1.19.2)
+      ;; 47 MiB goes to "out" (24 of which is locale data!), and 26 MiB goes
       ;; to "doc".
       #:configure-flags (list (string-append "--with-html-dir="
                                              (assoc-ref %outputs "doc")
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index a9fd471cd9..8fdd85add9 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -137,15 +137,14 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.0
   (package
    (name "guile")
-   (version "2.0.12")
-   (replacement guile-2.0.13)                 ;CVE-2016-8606 and CVE-2016-8605
+   (version "2.0.14")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/guile/guile-" version
                                 ".tar.xz"))
             (sha256
              (base32
-              "1sdpjq0jf1h65w29q0zprj4x6kdp5jskkvbnlwphy9lvdxrqg0fy"))))
+              "10lxc6l5alf3lzbs3ihnbfy6dfcrsyf8667wa57f26vf4mk2ai78"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkgconfig" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
@@ -218,19 +217,6 @@ without requiring the source code to be rewritten.")
     (properties '((hidden? . #t)))          ;people should install 'guile-2.0'
     (replacement #f)))
 
-(define guile-2.0.13
-  (package
-    (inherit guile-2.0)
-    (version "2.0.13")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "12yqkr974y91ylgw6jnmci2v90i90s7h9vxa4zk0sai8vjnz4i1p"))
-              (patches (search-patches "guile-repl-server-test.patch"))))))
-
 (define-public guile-next
   (package (inherit guile-2.0)
     (name "guile-next")
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 13723bf585..d842f03b4e 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,20 +29,17 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "55.1")
+   (version "58.2")
    (source (origin
             (method url-fetch)
             (uri (string-append
-                  "mirror://sourceforge/icu/ICU4C/"
+                  "http://download.icu-project.org/files/icu4c/"
                   version
                   "/icu4c-"
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1"))
-            (patches (search-patches "icu4c-CVE-2014-6585.patch"
-                                     "icu4c-CVE-2015-1270.patch"
-                                     "icu4c-CVE-2015-4760.patch"))))
+             (base32 "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
@@ -55,18 +53,9 @@
               '("--with-data-packaging=archive")
               '()))
       #:phases
-      (alist-cons-after
-       'unpack 'chdir-to-source
-       (lambda _ (chdir "source"))
-       (alist-cons-before
-        'configure 'patch-configure
-        (lambda _
-          ;; patch out two occurrences of /bin/sh from configure script
-          ;; that might have disappeared in a release later than 54.1
-          (substitute* "configure"
-            (("`/bin/sh")
-             (string-append "`" (which "bash")))))
-        %standard-phases))))
+      (modify-phases %standard-phases
+        (add-after 'unpack 'chdir-to-source
+          (lambda _ (chdir "source") #t)))))
    (synopsis "International Components for Unicode")
    (description
     "ICU is a set of C/C++ and Java libraries providing Unicode and
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 53ed69a84e..fd2eefab0d 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -65,19 +65,19 @@
 (define-public libpng
   (package
    (name "libpng")
-   (replacement libpng/fixed)
-   (version "1.6.25")
+   (version "1.6.28")
    (source (origin
             (method url-fetch)
-
-            ;; Note: upstream removes older tarballs.
             (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
                                       version "/libpng-" version ".tar.xz")
                        (string-append
                         "ftp://ftp.simplesystems.org/pub/libpng/png/src"
-                        "/libpng15/libpng-" version ".tar.xz")))
+                        "/libpng16/libpng-" version ".tar.xz")
+                       (string-append
+                        "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
+                        "/libpng16/libpng-" version ".tar.xz")))
             (sha256
-             (base32 "04c8inn745hw25wz2dc5vll5n5d2gsndj01i4srwzgz8861qvzh9"))))
+             (base32 "0ylgyx93hnk38haqrh8prd3ax5ngzwvjqw5cxw7p9nxmwsfyrlyq"))))
    (build-system gnu-build-system)
 
    ;; libpng.la says "-lz", so propagate it.
@@ -90,27 +90,20 @@ library.  It supports almost all PNG features and is extensible.")
    (license license:zlib)
    (home-page "http://www.libpng.org/pub/png/libpng.html")))
 
-(define libpng/fixed
-  (package
-    (inherit libpng)
-    (source
-      (origin
-        (inherit (package-source libpng))
-        (patches (search-patches "libpng-CVE-2016-10087.patch"))))))
-
 (define-public libpng-1.2
   (package
     (inherit libpng)
-    (replacement #f)
     (version "1.2.57")
     (source
      (origin
        (method url-fetch)
-       ;; Note: upstream removes older tarballs.
        (uri (list (string-append "mirror://sourceforge/libpng/libpng12/"
                                  version "/libpng-" version ".tar.xz")
                   (string-append
                    "ftp://ftp.simplesystems.org/pub/libpng/png/src"
+                   "/libpng12/libpng-" version ".tar.xz")
+                  (string-append
+                   "ftp://ftp.simplesystems.org/pub/libpng/png/src/history"
                    "/libpng12/libpng-" version ".tar.xz")))
        (sha256
         (base32 "1n2lrzjkm5jhfg2bs10q398lkwbbx742fi27zgdgx0x23zhj0ihg"))))))
@@ -259,12 +252,27 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
    (version "4.0.7")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
                                 version ".tar.gz"))
+            (patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
+                                     "libtiff-null-dereference.patch"
+                                     "libtiff-heap-overflow-tif-dirread.patch"
+                                     "libtiff-heap-overflow-pixarlog-luv.patch"
+                                     "libtiff-divide-by-zero.patch"
+                                     "libtiff-divide-by-zero-ojpeg.patch"
+                                     "libtiff-tiffcp-underflow.patch"
+                                     "libtiff-invalid-read.patch"
+                                     "libtiff-CVE-2016-10092.patch"
+                                     "libtiff-heap-overflow-tiffcrop.patch"
+                                     "libtiff-divide-by-zero-tiffcrop.patch"
+                                     "libtiff-CVE-2016-10093.patch"
+                                     "libtiff-divide-by-zero-tiffcp.patch"
+                                     "libtiff-assertion-failure.patch"
+                                     "libtiff-CVE-2016-10094.patch"
+                                     "libtiff-CVE-2017-5225.patch"))
             (sha256
              (base32
               "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
@@ -292,29 +300,6 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source
-      (origin
-        (inherit (package-source libtiff))
-        (patches (search-patches "libtiff-heap-overflow-tiffcp.patch"
-                                 "libtiff-null-dereference.patch"
-                                 "libtiff-heap-overflow-tif-dirread.patch"
-                                 "libtiff-heap-overflow-pixarlog-luv.patch"
-                                 "libtiff-divide-by-zero.patch"
-                                 "libtiff-divide-by-zero-ojpeg.patch"
-                                 "libtiff-tiffcp-underflow.patch"
-                                 "libtiff-invalid-read.patch"
-                                 "libtiff-CVE-2016-10092.patch"
-                                 "libtiff-heap-overflow-tiffcrop.patch"
-                                 "libtiff-divide-by-zero-tiffcrop.patch"
-                                 "libtiff-CVE-2016-10093.patch"
-                                 "libtiff-divide-by-zero-tiffcp.patch"
-                                 "libtiff-assertion-failure.patch"
-                                 "libtiff-CVE-2016-10094.patch"
-                                 "libtiff-CVE-2017-5225.patch"))))))
-
 (define-public libwmf
   (package
     (name "libwmf")
@@ -446,8 +431,7 @@ work.")
 (define-public openjpeg
   (package
     (name "openjpeg")
-    (replacement openjpeg-2.1.2)
-    (version "2.1.1")
+    (version "2.1.2")
     (source
       (origin
         (method url-fetch)
@@ -457,9 +441,11 @@ work.")
         (file-name (string-append name "-" version ".tar.gz"))
         (sha256
          (base32
-          "1anv0rjkbxw9kx91wvlfpb3dhppibda6kb1papny46bjzi3pzhl2"))
+          "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc"))
         (patches (search-patches "openjpeg-CVE-2016-5157.patch"
-                                 "openjpeg-CVE-2016-7163.patch"))))
+                                 "openjpeg-CVE-2016-7163.patch"
+                                 "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"
+                                 "openjpeg-CVE-2016-9572-CVE-2016-9573.patch"))))
     (build-system cmake-build-system)
     (arguments
       ;; Trying to run `$ make check' results in a no rule fault.
@@ -483,28 +469,9 @@ error-resilience, a Java-viewer for j2k-images, ...")
     (home-page "https://github.com/uclouvain/openjpeg")
     (license license:bsd-2)))
 
-(define openjpeg-2.1.2
-  (package
-    (inherit openjpeg)
-    (name "openjpeg")
-    (version "2.1.2")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v"
-                            version ".tar.gz"))
-        (file-name (string-append name "-" version ".tar.gz"))
-        (sha256
-         (base32
-          "19yz4g0c45sm8y1z01j9djsrl1mkz3pmw7fykc6hkvrqymp7prsc"))
-        (patches
-          (search-patches "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"
-                          "openjpeg-CVE-2016-9572-CVE-2016-9573.patch"))))))
-
 (define-public openjpeg-1
   (package (inherit openjpeg)
     (name "openjpeg")
-    (replacement #f)
     (version "1.5.2")
     (source
      (origin
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index ba4ead2d67..8bb05453da 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1117,11 +1117,7 @@ which are used in DBus communication.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)
+       ("flex" ,flex)
        ("qttools" ,qttools)))
     (inputs
      `(("qtbase" ,qtbase)
@@ -2536,11 +2532,7 @@ typed.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)))
+       ("flex" ,flex)))
     (inputs
      `(("kcrash" ,kcrash)
        ("kdbusaddons" ,kdbusaddons)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index b6d25f4a23..9f042bd707 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -42,7 +42,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
@@ -50,7 +50,7 @@
                                   "/krb5-" version ".tar.gz"))
               (sha256
                (base32
-                "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind"))))
+                "158bgq9xcg5ljgzia1880ak7m9g6vf2r009rzdqif5n9h111m9h3"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -78,7 +78,7 @@
              (let ((perl (assoc-ref inputs "perl")))
                (substitute* "plugins/kdb/db2/libdb2/test/run.test"
                  (("/bin/cat") (string-append perl "/bin/perl"))
-                 (("D/bin/sh") (string-append "D" (which "bash")))
+                 (("D/bin/sh") (string-append "D" (which "sh")))
                  (("bindir=/bin/.") (string-append "bindir=" perl "/bin"))))
 
              ;; avoid service names since /etc/services is unavailable
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index dd5f7c4067..551fbf7206 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -83,9 +83,9 @@ loop.")
             "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki"))
           (patches (search-patches
                     "libevent-dns-tests.patch"
-                    "libevent-2.0-evdns-fix-remote-stack-overread.patch"
-                    "libevent-2.0-evutil-fix-buffer-overflow.patch"
-                    "libevent-2.0-evdns-fix-searching-empty-hostnames.patch"))))))
+                    "libevent-2.0-CVE-2016-10195.patch"
+                    "libevent-2.0-CVE-2016-10196.patch"
+                    "libevent-2.0-CVE-2016-10197.patch"))))))
 
 (define-public libev
   (package
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index a9779d4ffd..212bec4b49 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -28,15 +29,15 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.6")
+   (version "0.9.7")
    (source (origin
             (method url-fetch)
             (uri (string-append
                   "mirror://gnu/libunistring/libunistring-"
-                  version ".tar.gz"))
+                  version ".tar.xz"))
             (sha256
              (base32
-              "0ixxmgpgh2v8ifm6hbwsjxl023myk3dfnj7wnvmqjivza31fw9cn"))))
+              "15z76qrmrvkc3c6hfq2lzzqysgd21s682f2smycfab5g598n8drf"))))
    (propagated-inputs (libiconv-if-needed))
    (build-system gnu-build-system)
    (arguments
@@ -49,5 +50,5 @@
     "GNU libunistring is a library providing functions to manipulate
 Unicode strings and for manipulating C strings according to the Unicode
 standard.")
-   (home-page "http://www.gnu.org/software/libunistring/")
-   (license lgpl3+)))
+   (home-page "https://www.gnu.org/software/libunistring/")
+   (license (list lgpl3+ gpl2))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index de0fd71776..53b0f2a678 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016, 2017 Alex Kost <alezost@gmail.com>
@@ -17,6 +17,7 @@
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;; Copyright © 2016 ng0 <ng0@libertad.pw>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 José Miguel Sánchez García <jmi2k@openmailbox.com>
@@ -109,6 +110,13 @@
           ((string-prefix? "alpha" arch) "alpha")
           (else arch))))
 
+(define-public (system->defconfig system)
+  "Some systems (notably powerpc-linux) require a special target for kernel
+defconfig.  Return the appropiate make target if applicable, otherwise return
+\"defconfig\"."
+  (cond ((string-prefix? "powerpc-" system) "pmac32_defconfig")
+        (else "defconfig")))
+
 (define (linux-libre-urls version)
   "Return a list of URLs for Linux-Libre VERSION."
   (list (string-append
@@ -128,13 +136,13 @@
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.4.18")
+    (version "4.4.47")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "0k8k17in7dkjd9d8zg3i8l1ax466dba6bxw28flxizzyq8znljps"))))
+               "00zdq7swhvzbbnnhzizq6m34q5k4fycpcp215bmkbxh1ic76v7bs"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -148,11 +156,13 @@
            (lambda _
              (let ((arch ,(system->linux-architecture
                           (or (%current-target-system)
-                              (%current-system)))))
+                              (%current-system))))
+                   (defconfig ,(system->defconfig
+                                (or (%current-target-system)
+                                    (%current-system)))))
                (setenv "ARCH" arch)
                (format #t "`ARCH' set to `~a'~%" (getenv "ARCH"))
-
-               (and (zero? (system* "make" "defconfig"))
+               (and (zero? (system* "make" defconfig))
                     (zero? (system* "make" "mrproper" "headers_check"))))))
          (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
@@ -475,8 +485,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (replacement util-linux/fixed)
-    (version "2.28.1")
+    (version "2.29.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -484,7 +493,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"))
+                "1qz81w8vzrmy8xn9yx7ls4amkbgwx6vr62pl6kv9g7r0g3ba9kmc"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -500,7 +509,7 @@ providing the system administrator with some help in common tasks.")
                "static"))      ; >2 MiB of static .a libraries
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
-
+                               "--enable-fs-paths-default=/run/current-system/profile/sbin"
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -556,17 +565,6 @@ block devices, UUIDs, TTYs, and many other tools.")
     (license (list license:gpl3+ license:gpl2+ license:gpl2 license:lgpl2.0+
                    license:bsd-4 license:public-domain))))
 
-(define util-linux/fixed
-  (package
-    (inherit util-linux)
-    (source
-      (origin
-        (inherit (package-source util-linux))
-        (patches
-          (append
-            (origin-patches (package-source util-linux))
-            (search-patches "util-linux-CVE-2017-2616.patch")))))))
-
 (define-public procps
   (package
     (name "procps")
@@ -885,7 +883,7 @@ intercept and print the system calls executed by the program.")
 (define-public alsa-lib
   (package
     (name "alsa-lib")
-    (version "1.0.27.1")
+    (version "1.1.3")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -893,10 +891,9 @@ intercept and print the system calls executed by the program.")
                    version ".tar.bz2"))
              (sha256
               (base32
-               "0fx057746dj7rjdi0jnvx2m9b0y1lgdkh1hks87d8w32xyihf3k9"))
-             (patches (search-patches "alsa-lib-mips-atomic-fix.patch"))))
+               "174n2psp0328xcy2f1ayls67598bxli6q9cf00d2qnac3012aa3i"))))
     (build-system gnu-build-system)
-    (home-page "http://www.alsa-project.org/")
+    (home-page "https://www.alsa-project.org/")
     (synopsis "The Advanced Linux Sound Architecture libraries")
     (description
      "The Advanced Linux Sound Architecture (ALSA) provides audio and
@@ -1207,7 +1204,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
 (define-public libcap
   (package
     (name "libcap")
-    (version "2.24")
+    (version "2.25")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1215,7 +1212,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
                    "libcap2/libcap-" version ".tar.xz"))
              (sha256
               (base32
-               "0rbc9qbqs5bp9am9s9g83wxj5k4ixps2agy9dxr1v1fwg27mdr6f"))))
+               "0qjiqc5pknaal57453nxcbz3mn1r4hkyywam41wfcglq3v2qlg39"))))
     (build-system gnu-build-system)
     (arguments '(#:phases
                  (modify-phases %standard-phases
@@ -1709,7 +1706,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
 (define-public kmod
   (package
     (name "kmod")
-    (version "23")
+    (version "24")
     (source (origin
               (method url-fetch)
               (uri
@@ -1717,7 +1714,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
                               "kmod-" version ".tar.xz"))
               (sha256
                (base32
-                "0mc12sx06p8il1ym3hdmgxxb37apn9yv7xij26gddjdfkx8xa0yk"))
+                "15xkkkzvca9flvkm48gkh8y8f13vlm3sl7nz9ydc7b3jy4fqs2v1"))
               (patches (search-patches "kmod-module-directory.patch"))))
     (build-system gnu-build-system)
     (native-inputs
@@ -1754,7 +1751,7 @@ from the module-init-tools project.")
   ;; The post-systemd fork, maintained by Gentoo.
   (package
     (name "eudev")
-    (version "3.2")
+    (version "3.2.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -1762,8 +1759,9 @@ from the module-init-tools project.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "099w62ncq78nxpxizf910mx18hc8x4qvzw3azjd00fir89wmyjnq"))
-              (patches (search-patches "eudev-rules-directory.patch"))))
+                "06gyyl90n85x8i7lfhns514y1kg1ians13l467admyzy3kjxkqsp"))
+              (patches (search-patches "eudev-rules-directory.patch"
+                                       "eudev-conflicting-declaration.patch"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -2639,7 +2637,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
 (define-public bluez
   (package
     (name "bluez")
-    (version "5.43")
+    (version "5.44")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2647,7 +2645,7 @@ Bluetooth audio output devices like headphones or loudspeakers.")
                     version ".tar.xz"))
               (sha256
                (base32
-                "05cdnpz0w2lwq2x5ba87q1h2wgb4lfnpbnbh6p7499hx59fw1j8n"))))
+                "11bc6pndivd0rkqr3c8a1xd9ar9bb60gx79piskycicb3wliwchc"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
diff --git a/gnu/packages/m4.scm b/gnu/packages/m4.scm
index d1ba928768..3ee8142e7a 100644
--- a/gnu/packages/m4.scm
+++ b/gnu/packages/m4.scm
@@ -26,14 +26,14 @@
 (define-public m4
   (package
    (name "m4")
-   (version "1.4.17")
+   (version "1.4.18")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/m4/m4-"
-                                version ".tar.bz2"))
+                                version ".tar.xz"))
             (sha256
              (base32
-              "0w0da1chh12mczxa5lnwzjk9czi3dq6gnnndbpa6w4rj76b1yklf"))))
+              "01sfjd5a4waqw83bibvmn522g69qfqvwig9i2qlgy154l1nfihgj"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Explicitly disable tests when cross-compiling, otherwise 'make check'
@@ -50,7 +50,7 @@
                     (substitute* (find-files "tests"
                                              "posix_spawn")
                       (("/bin/sh")
-                       (format #f "~a/bin/bash" bash)))))
+                       (format #f "~a/bin/sh" bash)))))
                 %standard-phases)))
    (synopsis "Macro processor")
    (description
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index e5c614cee7..5cc2ac51d9 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -206,7 +207,17 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                ("patch" ,patch)
                ("coreutils" ,coreutils)
                ("sed" ,sed)
-               ("grep" ,grep)
+               ;; We don't want to retain a reference to /gnu/store in the
+               ;; bootstrap versions of egrep/fgrep, so we remove the custom
+               ;; phase added since grep@2.25. The effect is 'egrep' and
+               ;; 'fgrep' look for 'grep' in $PATH.
+               ("grep" ,(package
+                          (inherit grep)
+                          (arguments
+                            (substitute-keyword-arguments (package-arguments grep)
+                              ((#:phases phases)
+                               `(modify-phases ,phases
+                                  (delete 'fix-egrep-and-fgrep)))))))
                ("gawk" ,gawk)))
       ("bash" ,static-bash))))
 
@@ -416,8 +427,9 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                  ;; the 'pre-configure phase of our main gcc package, because
                  ;; that shared library is not present in this static gcc.  See
                  ;; <https://lists.gnu.org/archive/html/guix-devel/2015-01/msg00008.html>.
-                 (substitute* (find-files "gcc/config"
-                                          "^gnu-user.*\\.h$")
+                 (substitute* (cons "gcc/config/rs6000/sysv4.h"
+                                    (find-files "gcc/config"
+                                                "^gnu-user.*\\.h$"))
                    ((" -lgcc_s}}") "}}")))
                ,phases)))))
      (native-inputs
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 36e35ca00c..b6d2d7f4af 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -32,7 +32,7 @@
 (define-public gmp
   (package
    (name "gmp")
-   (version "6.1.1")
+   (version "6.1.2")
    (source (origin
             (method url-fetch)
             (uri
@@ -40,7 +40,7 @@
                             version ".tar.xz"))
             (sha256
              (base32
-              "0cg84n482gcvl0s4xq4wgwsk4r0x0m8dnzpizwqdd2j8vw2rqvnk"))
+              "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7"))
             (patches (search-patches "gmp-faulty-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("m4" ,m4)))
@@ -87,13 +87,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.4")
+   (version "3.1.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "1x8pcnpn1vxfzfsr0js07rwhwyq27fmdzcfjpzi5773ldnqi653n"))))
+                     "1g32l2fg8f62lcyzzh88y3fsh6rk539qc6ahhdgvx7wpnf1dwpq1"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 6949e1e03f..d725a71c0d 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -30,6 +30,7 @@
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages swig)
   #:use-module (guix utils))
 
@@ -87,7 +88,7 @@
                (let ((out (assoc-ref outputs "out")))
                  ;; When building a wide-character (Unicode) build, create backward
                  ;; compatibility links from the the "normal" libraries to the
-                 ;; wide-character libraries (e.g. libncurses.so to libncursesw.so).
+                 ;; wide-character ones (e.g. libncurses.so to libncursesw.so).
                  ,@(if (target-mingw?)
                        '( ;; TODO: create .la files to link to the .dll?
                          (with-directory-excursion (string-append out "/bin")
@@ -116,7 +117,11 @@
                                        (define lib.so.x
                                          (string-append "lib" lib ".so.6"))
                                        (define lib.so
-                                         (string-append "lib" lib ".so")))
+                                         (string-append "lib" lib ".so"))
+                                       (define packagew.pc
+                                         (string-append lib "w.pc"))
+                                       (define package.pc
+                                         (string-append lib ".pc")))
                                      '())
 
                                (when (file-exists? libw.a)
@@ -127,7 +132,12 @@
                                          (false-if-exception (delete-file lib.so))
                                          (call-with-output-file lib.so
                                            (lambda (p)
-                                             (format p "INPUT (-l~aw)~%" lib))))
+                                             (format p "INPUT (-l~aw)~%" lib)))
+                                         (with-directory-excursion "pkgconfig"
+                                           (format #t "creating symlink for `~a'~%"
+                                                   package.pc)
+                                           (when (file-exists? packagew.pc)
+                                             (symlink packagew.pc package.pc))))
                                        '())))
                              '("curses" "ncurses" "form" "panel" "menu")))))))
        `(#:configure-flags
@@ -135,6 +145,11 @@
            'quasiquote
            `(("--with-shared" "--without-debug" "--enable-widec"
               
+              "--enable-pc-files"
+              ,(list 'unquote '(string-append "--with-pkg-config-libdir="
+                                              (assoc-ref %outputs "out")
+                                              "/lib/pkgconfig"))
+
               ;; By default headers land in an `ncursesw' subdir, which is not
               ;; what users expect.
               ,(list 'unquote '(string-append "--includedir=" (assoc-ref %outputs "out")
@@ -157,6 +172,8 @@
                     (add-after 'unpack 'remove-unneeded-shebang
                       ,remove-shebang-phase)))))
     (self-native-input? #t)           ; for `tic'
+     (native-inputs
+      `(("pkg-config" ,pkg-config)))
     (native-search-paths
      (list (search-path-specification
             (variable "TERMINFO_DIRS")
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index d1203dfe75..e4e0eedc05 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -47,7 +47,7 @@
     (outputs '("out" "debug"))
     (native-inputs `(("m4" ,m4)))
     (propagated-inputs `(("gmp" ,gmp)))
-    (home-page "http://www.lysator.liu.se/~nisse/nettle/")
+    (home-page "https://www.lysator.liu.se/~nisse/nettle/")
     (synopsis "C library for low-level cryptographic functionality")
     (description
      "GNU Nettle is a low-level cryptographic library.  It is designed to
@@ -60,14 +60,14 @@ themselves.")
   ;; This version is not API-compatible with version 2.  In particular, lsh
   ;; cannot use it yet.  So keep it separate.
   (package (inherit nettle-2)
-    (version "3.2")
+    (version "3.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/nettle/nettle-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "15wxhk52yc62rx0pddmry66hqm6z5brrrkx4npd3wh9nybg86hpa"))))
+                "07mif3af077763vc35s1x8vzhzlgqcgxh67c1xr13jnhslkjd526"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nettle-2)
        ((#:configure-flags flags)
diff --git a/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch b/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch
deleted file mode 100644
index 8c37bd3ac4..0000000000
--- a/gnu/packages/patches/alsa-lib-mips-atomic-fix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix the declarations of inlined atomic ops for mips.
-
-This patch was copied from Debian.
-
---- alsa-lib/include/iatomic.h.orig	2013-05-21 04:48:28.000000000 -0400
-+++ alsa-lib/include/iatomic.h	2013-10-29 13:01:37.055995968 -0400
-@@ -720,7 +720,7 @@
-  * Atomically adds @i to @v.  Note that the guaranteed useful range
-  * of an atomic_t is only 24 bits.
-  */
--extern __inline__ void atomic_add(int i, atomic_t * v)
-+static __inline__ void atomic_add(int i, atomic_t * v)
- {
- 	unsigned long temp;
- 
-@@ -744,7 +744,7 @@
-  * Atomically subtracts @i from @v.  Note that the guaranteed
-  * useful range of an atomic_t is only 24 bits.
-  */
--extern __inline__ void atomic_sub(int i, atomic_t * v)
-+static __inline__ void atomic_sub(int i, atomic_t * v)
- {
- 	unsigned long temp;
- 
-@@ -763,7 +763,7 @@
- /*
-  * Same as above, but return the result value
-  */
--extern __inline__ int atomic_add_return(int i, atomic_t * v)
-+static __inline__ int atomic_add_return(int i, atomic_t * v)
- {
- 	unsigned long temp, result;
- 
-@@ -784,7 +784,7 @@
- 	return result;
- }
- 
--extern __inline__ int atomic_sub_return(int i, atomic_t * v)
-+static __inline__ int atomic_sub_return(int i, atomic_t * v)
- {
- 	unsigned long temp, result;
- 
diff --git a/gnu/packages/patches/coreutils-fix-cross-compilation.patch b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
new file mode 100644
index 0000000000..3f0d35c33e
--- /dev/null
+++ b/gnu/packages/patches/coreutils-fix-cross-compilation.patch
@@ -0,0 +1,15 @@
+Coreutils fails to cross compile for other platforms because cu_install_program
+is not being evaluated properly. This patch fixes it.
+See <https://lists.gnu.org/archive/html/coreutils/2017-01/msg00039.html>
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -5023,7 +5023,7 @@ pr = progs-readme
+ @CROSS_COMPILING_FALSE@cu_install_program = src/ginstall
+ 
+ # Use the just-built 'ginstall', when not cross-compiling.
+-@CROSS_COMPILING_TRUE@cu_install_program = @INSTALL_PROGRAM@
++@CROSS_COMPILING_TRUE@cu_install_program := @INSTALL@
+ info_TEXINFOS = doc/coreutils.texi
+ doc_coreutils_TEXINFOS = \
+   doc/perm.texi \
+
diff --git a/gnu/packages/patches/eudev-conflicting-declaration.patch b/gnu/packages/patches/eudev-conflicting-declaration.patch
new file mode 100644
index 0000000000..f5399e20d3
--- /dev/null
+++ b/gnu/packages/patches/eudev-conflicting-declaration.patch
@@ -0,0 +1,31 @@
+Fix build failure due to conflicting declaration of
+keyboard_lookup_key() in gperf-3.1:
+
+https://bugs.gentoo.org/show_bug.cgi?id=604864
+
+Patch copied from upstream source repository:
+
+https://github.com/gentoo/eudev/commit/5bab4d8de0dcbb8e2e7d4d5125b4aea1652a0d60
+
+From 5bab4d8de0dcbb8e2e7d4d5125b4aea1652a0d60 Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile" <blueness@gentoo.org>
+Date: Thu, 5 Jan 2017 16:21:17 -0500
+Subject: [PATCH] src/udev/udev-builtin-keyboard.c: fix build with gperf 3.1
+
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+ src/udev/udev-builtin-keyboard.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c
+index 73171c3..fad3520 100644
+--- a/src/udev/udev-builtin-keyboard.c
++++ b/src/udev/udev-builtin-keyboard.c
+@@ -28,7 +28,6 @@
+ 
+ #include "udev.h"
+ 
+-static const struct key *keyboard_lookup_key(const char *str, unsigned len);
+ #include "keyboard-keys-from-name.h"
+ #include "keyboard-keys-to-name.h"
+ 
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
deleted file mode 100644
index 1f3cb028d4..0000000000
--- a/gnu/packages/patches/flex-CVE-2016-6354.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
-https://security-tracker.debian.org/tracker/CVE-2016-6354
-
-Patch copied from upstream source repository:
-https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
-
-From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
-From: Will Estes <westes575@gmail.com>
-Date: Sat, 27 Feb 2016 11:56:05 -0500
-Subject: [PATCH] Fixed incorrect integer type
-
----
- src/flex.skl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/flex.skl b/src/flex.skl
-index 36a526a..64f853d 100644
---- a/src/flex.skl
-+++ b/src/flex.skl
-@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch b/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch
new file mode 100644
index 0000000000..8ebe33bc6c
--- /dev/null
+++ b/gnu/packages/patches/fontconfig-charwidth-symbol-conflict.patch
@@ -0,0 +1,82 @@
+The first patch is copied from the upstream source repository:
+
+https://cgit.freedesktop.org/fontconfig/commit/?id=1ab5258f7c2abfafcd63a760ca08bf93591912da
+
+The second patch is adapted from a message to from the OpenEmbedded mailing list:
+
+http://lists.openembedded.org/pipermail/openembedded-core/2016-December/130213.html
+
+From 1ab5258f7c2abfafcd63a760ca08bf93591912da Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 14 Dec 2016 16:11:05 -0800
+Subject: Avoid conflicts with integer width macros from TS 18661-1:2014
+
+glibc 2.25+ has now defined these macros in <limits.h>
+https://sourceware.org/git/?p=glibc.git;a=commit;h=5b17fd0da62bf923cb61d1bb7b08cf2e1f1f9c1a
+
+Create an alias for FC_CHAR_WIDTH for ABI compatibility
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+diff --git a/fontconfig/fontconfig.h b/fontconfig/fontconfig.h
+index 5c72b22..070a557 100644
+--- a/fontconfig/fontconfig.h
++++ b/fontconfig/fontconfig.h
+@@ -128,7 +128,8 @@ typedef int		FcBool;
+ #define FC_USER_CACHE_FILE	    ".fonts.cache-" FC_CACHE_VERSION
+ 
+ /* Adjust outline rasterizer */
+-#define FC_CHAR_WIDTH	    "charwidth"	/* Int */
++#define FC_CHARWIDTH	    "charwidth"	/* Int */
++#define FC_CHAR_WIDTH	    FC_CHARWIDTH
+ #define FC_CHAR_HEIGHT	    "charheight"/* Int */
+ #define FC_MATRIX	    "matrix"    /* FcMatrix */
+ 
+diff --git a/src/fcobjs.h b/src/fcobjs.h
+index 1fc4f65..d27864b 100644
+--- a/src/fcobjs.h
++++ b/src/fcobjs.h
+@@ -51,7 +51,7 @@ FC_OBJECT (DPI,			FcTypeDouble,	NULL)
+ FC_OBJECT (RGBA,		FcTypeInteger,	NULL)
+ FC_OBJECT (SCALE,		FcTypeDouble,	NULL)
+ FC_OBJECT (MINSPACE,		FcTypeBool,	NULL)
+-FC_OBJECT (CHAR_WIDTH,		FcTypeInteger,	NULL)
++FC_OBJECT (CHARWIDTH,		FcTypeInteger,	NULL)
+ FC_OBJECT (CHAR_HEIGHT,		FcTypeInteger,	NULL)
+ FC_OBJECT (MATRIX,		FcTypeMatrix,	NULL)
+ FC_OBJECT (CHARSET,		FcTypeCharSet,	FcCompareCharSet)
+-- 
+cgit v0.10.2
+
+From 20cddc824c6501c2082cac41b162c34cd5fcc530 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem at gmail.com>
+Date: Sun, 11 Dec 2016 14:32:00 -0800
+Subject: [PATCH] Avoid conflicts with integer width macros from TS
+ 18661-1:2014
+
+glibc 2.25+ has now defined these macros in <limits.h>
+https://sourceware.org/git/?p=glibc.git;a=commit;h=5b17fd0da62bf923cb61d1bb7b08cf2e1f1f9c1a
+
+Signed-off-by: Khem Raj <raj.khem at gmail.com>
+---
+Upstream-Status: Submitted
+
+ fontconfig/fontconfig.h | 2 +-
+ src/fcobjs.h            | 2 +-
+ src/fcobjshash.gperf    | 2 +-
+ src/fcobjshash.h        | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: fontconfig-2.12.1/src/fcobjshash.h
+===================================================================
+--- fontconfig-2.12.1.orig/src/fcobjshash.h
++++ fontconfig-2.12.1/src/fcobjshash.h
+@@ -284,7 +284,7 @@ FcObjectTypeLookup (register const char
+       {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str43,FC_CHARSET_OBJECT},
+       {-1},
+ #line 47 "fcobjshash.gperf"
+-      {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str45,FC_CHAR_WIDTH_OBJECT},
++      {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str45,FC_CHARWIDTH_OBJECT},
+ #line 48 "fcobjshash.gperf"
+       {(int)(long)&((struct FcObjectTypeNamePool_t *)0)->FcObjectTypeNamePool_str46,FC_CHAR_HEIGHT_OBJECT},
+ #line 55 "fcobjshash.gperf"
diff --git a/gnu/packages/patches/fontconfig-path-max.patch b/gnu/packages/patches/fontconfig-path-max.patch
new file mode 100644
index 0000000000..e12f60ef00
--- /dev/null
+++ b/gnu/packages/patches/fontconfig-path-max.patch
@@ -0,0 +1,124 @@
+This patch fix the build on GNU/Hurd, due to PATH_MAX isn't defined.
+
+The patch was adapted from upstream source repository:
+'<https://cgit.freedesktop.org/fontconfig/commit/?id=abdb6d658e1a16410dd1c964e365a3ebd5039e7c>'
+Commit: abdb6d658e1a16410dd1c964e365a3ebd5039e7c
+
+---
+ src/fcdefault.c | 34 +++++++++++++++++++++++++++-------
+ src/fcint.h     |  6 ++++++
+ src/fcstat.c    | 12 +++++++++++-
+ 3 files changed, 44 insertions(+), 8 deletions(-)
+
+diff --git a/src/fcdefault.c b/src/fcdefault.c
+index 6647a8f..5afd7ec 100644
+--- a/src/fcdefault.c
++++ b/src/fcdefault.c
+@@ -148,17 +148,34 @@ retry:
+ 	    prgname = FcStrdup ("");
+ #else
+ # if defined (HAVE_GETEXECNAME)
+-	const char *p = getexecname ();
++	char *p = FcStrdup(getexecname ());
+ # elif defined (HAVE_READLINK)
+-	char buf[PATH_MAX + 1];
+-	int len;
++	size_t size = FC_PATH_MAX;
+ 	char *p = NULL;
+ 
+-	len = readlink ("/proc/self/exe", buf, sizeof (buf) - 1);
+-	if (len != -1)
++	while (1)
+ 	{
+-	    buf[len] = '\0';
+-	    p = buf;
++	    char *buf = malloc (size);
++	    ssize_t len;
++
++	    if (!buf)
++		break;
++
++	    len = readlink ("/proc/self/exe", buf, size - 1);
++	    if (len < 0)
++	    {
++		free (buf);
++		break;
++	    }
++	    if (len < size - 1)
++	    {
++		buf[len] = 0;
++		p = buf;
++		break;
++	    }
++
++	    free (buf);
++	    size *= 2;
+ 	}
+ # else
+ 	char *p = NULL;
+@@ -176,6 +193,9 @@ retry:
+ 
+ 	if (!prgname)
+ 	    prgname = FcStrdup ("");
++
++	if (p)
++	    free (p);
+ #endif
+ 
+ 	if (!fc_atomic_ptr_cmpexch (&default_prgname, NULL, prgname)) {
+diff --git a/src/fcint.h b/src/fcint.h
+index ac911ad..dad34c5 100644
+--- a/src/fcint.h
++++ b/src/fcint.h
+@@ -70,6 +70,12 @@ extern pfnSHGetFolderPathA pSHGetFolderPathA;
+ #  define FC_DIR_SEPARATOR_S       "/"
+ #endif
+ 
++#ifdef PATH_MAX
++#define FC_PATH_MAX	PATH_MAX
++#else
++#define FC_PATH_MAX	128
++#endif
++
+ #if __GNUC__ >= 4
+ #define FC_UNUSED	__attribute__((unused))
+ #else
+diff --git a/src/fcstat.c b/src/fcstat.c
+index 1734fa4..f6e1aaa 100644
+--- a/src/fcstat.c
++++ b/src/fcstat.c
+@@ -278,8 +278,13 @@ FcDirChecksum (const FcChar8 *dir, time_t *checksum)
+ 	{
+ #endif
+ 	struct stat statb;
+-	char f[PATH_MAX + 1];
++	char *f = malloc (len + 1 + dlen + 1);
+ 
++	if (!f)
++	{
++	    ret = -1;
++	    goto bail;
++	}
+ 	memcpy (f, dir, len);
+ 	f[len] = FC_DIR_SEPARATOR;
+ 	memcpy (&f[len + 1], files[n]->d_name, dlen);
+@@ -287,11 +292,16 @@ FcDirChecksum (const FcChar8 *dir, time_t *checksum)
+ 	if (lstat (f, &statb) < 0)
+ 	{
+ 	    ret = -1;
++	    free (f);
+ 	    goto bail;
+ 	}
+ 	if (S_ISDIR (statb.st_mode))
++	{
++	    free (f);
+ 	    goto bail;
++	}
+ 
++	free (f);
+ 	dtype = statb.st_mode;
+ #ifdef HAVE_STRUCT_DIRENT_D_TYPE
+ 	}
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-1.patch b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
new file mode 100644
index 0000000000..8c94a026b3
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-1.patch
@@ -0,0 +1,190 @@
+Make GCC respect SOURCE_DATE_EPOCH in __DATE__ and __TIME__ macros.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934
+
+From e3e8c48c4a494d9da741c1c8ea6c4c0b7c4ff934 Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 28 Apr 2016 09:12:05 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 1bf5d080034..6f0898a38d7 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12318,4 +12318,37 @@ pointer_to_zero_sized_aggr_p (tree t)
+   return (TYPE_SIZE (t) && integer_zerop (TYPE_SIZE (t)));
+ }
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++time_t
++get_source_date_epoch ()
++{
++  char *source_date_epoch;
++  long long epoch;
++  char *endptr;
++
++  source_date_epoch = getenv ("SOURCE_DATE_EPOCH");
++  if (!source_date_epoch)
++    return (time_t) -1;
++
++  errno = 0;
++  epoch = strtoll (source_date_epoch, &endptr, 10);
++  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
++      || (errno != 0 && epoch == 0))
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "strtoll: %s\n", xstrerror(errno));
++  if (endptr == source_date_epoch)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "no digits were found: %s\n", endptr);
++  if (*endptr != '\0')
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "trailing garbage: %s\n", endptr);
++  if (epoch < 0)
++    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
++		 "value must be nonnegative: %lld \n", epoch);
++
++  return (time_t) epoch;
++}
++
+ #include "gt-c-family-c-common.h"
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index fdb227f85c3..ba0a5d7df50 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1437,4 +1437,10 @@ extern bool contains_cilk_spawn_stmt (tree);
+ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
++
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t get_source_date_epoch (void);
++
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index bb55be8063e..e68471b9d2b 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -402,6 +402,9 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
++  time_t source_date_epoch = get_source_date_epoch ();
++
++  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 100811dc637..3b5317beb53 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -79,4 +79,21 @@ main input file is omitted.
+ @ifclear cppmanual
+ @xref{Preprocessor Options}.
+ @end ifclear
++
++@item SOURCE_DATE_EPOCH
++
++If this variable is set, its value specifies a UNIX timestamp to be
++used in replacement of the current date and time in the @code{__DATE__}
++and @code{__TIME__} macros, so that the embedded timestamps become
++reproducible.
++
++The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
++defined as the number of seconds (excluding leap seconds) since
++01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
++@samp{@command{date +%s}}.
++
++The value should be a known timestamp such as the last modification
++time of the source or package and it should be set by the build
++process.
++
+ @end vtable
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 1b731d1a3ad..7a5481219be 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -775,6 +775,9 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
++/* Initialize the source_date_epoch value.  */
++extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
++
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index 45a4d13ffa3..a8d00f4628b 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -530,6 +530,13 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
++/* Initialize the source_date_epoch value.  */
++void
++cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
++{
++  pfile->source_date_epoch = source_date_epoch; 
++}
++
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index c2d08168945..8507eba1747 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -502,6 +502,10 @@ struct cpp_reader
+   const unsigned char *date;
+   const unsigned char *time;
+ 
++  /* Externally set timestamp to replace current date and time useful for
++     reproducibility.  */
++  time_t source_date_epoch;
++
+   /* EOF token, and a token forcing paste avoidance.  */
+   cpp_token avoid_paste;
+   cpp_token eof;
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index eb32a6f8c98..3f3b278e97d 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -350,13 +350,20 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  time_t tt;
+ 	  struct tm *tb = NULL;
+ 
+-	  /* (time_t) -1 is a legitimate value for "number of seconds
+-	     since the Epoch", so we have to do a little dance to
+-	     distinguish that from a genuine error.  */
+-	  errno = 0;
+-	  tt = time(NULL);
+-	  if (tt != (time_t)-1 || errno == 0)
+-	    tb = localtime (&tt);
++	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
++	     usage if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch != (time_t) -1)
++	     tb = gmtime (&pfile->source_date_epoch);
++	  else
++	    {
++	      /* (time_t) -1 is a legitimate value for "number of seconds
++		 since the Epoch", so we have to do a little dance to
++		 distinguish that from a genuine error.  */
++	      errno = 0;
++	      tt = time (NULL);
++	      if (tt != (time_t)-1 || errno == 0)
++		tb = localtime (&tt);
++	    }
+ 
+ 	  if (tb)
+ 	    {
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-5-source-date-epoch-2.patch b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
new file mode 100644
index 0000000000..ed2580679a
--- /dev/null
+++ b/gnu/packages/patches/gcc-5-source-date-epoch-2.patch
@@ -0,0 +1,353 @@
+Continuation of the SOURCE_DATE_EPOCH patch.
+
+Patch adapted from upstream source repository:
+
+https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c
+
+From dfa5c0d3f3e23e4fdb14857a42de376d9ff8601c Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Wed, 1 Jun 2016 16:42:41 +0000
+Subject: [PATCH] gcc/c-family/ChangeLog:
+
+diff --git a/gcc/c-family/c-common.c b/gcc/c-family/c-common.c
+index 6f0898a38d7..efbc78ef218 100644
+--- a/gcc/c-family/c-common.c
++++ b/gcc/c-family/c-common.c
+@@ -12321,8 +12321,9 @@ pointer_to_zero_sized_aggr_p (tree t)
+ /* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+    timestamp to replace embedded current dates to get reproducible
+    results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++
+ time_t
+-get_source_date_epoch ()
++cb_get_source_date_epoch (cpp_reader *pfile ATTRIBUTE_UNUSED)
+ {
+   char *source_date_epoch;
+   long long epoch;
+@@ -12334,19 +12335,14 @@ get_source_date_epoch ()
+ 
+   errno = 0;
+   epoch = strtoll (source_date_epoch, &endptr, 10);
+-  if ((errno == ERANGE && (epoch == LLONG_MAX || epoch == LLONG_MIN))
+-      || (errno != 0 && epoch == 0))
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "strtoll: %s\n", xstrerror(errno));
+-  if (endptr == source_date_epoch)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "no digits were found: %s\n", endptr);
+-  if (*endptr != '\0')
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "trailing garbage: %s\n", endptr);
+-  if (epoch < 0)
+-    fatal_error (UNKNOWN_LOCATION, "environment variable $SOURCE_DATE_EPOCH: "
+-		 "value must be nonnegative: %lld \n", epoch);
++  if (errno != 0 || endptr == source_date_epoch || *endptr != '\0'
++      || epoch < 0 || epoch > MAX_SOURCE_DATE_EPOCH)
++    {
++      error_at (input_location, "environment variable SOURCE_DATE_EPOCH must "
++	        "expand to a non-negative integer less than or equal to %wd",
++		MAX_SOURCE_DATE_EPOCH);
++      return (time_t) -1;
++    }
+ 
+   return (time_t) epoch;
+ }
+diff --git a/gcc/c-family/c-common.h b/gcc/c-family/c-common.h
+index ba0a5d7df50..977ae9df5ea 100644
+--- a/gcc/c-family/c-common.h
++++ b/gcc/c-family/c-common.h
+@@ -1063,6 +1063,16 @@ extern vec<tree, va_gc> *make_tree_vector_copy (const vec<tree, va_gc> *);
+    c_register_builtin_type.  */
+ extern GTY(()) tree registered_builtin_types;
+ 
++/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
++   timestamp to replace embedded current dates to get reproducible
++   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
++extern time_t cb_get_source_date_epoch (cpp_reader *pfile);
++
++/* The value (as a unix timestamp) corresponds to date
++   "Dec 31 9999 23:59:59 UTC", which is the latest date that __DATE__ and
++   __TIME__ can store.  */
++#define MAX_SOURCE_DATE_EPOCH HOST_WIDE_INT_C (253402300799)
++
+ /* In c-gimplify.c  */
+ extern void c_genericize (tree);
+ extern int c_gimplify_expr (tree *, gimple_seq *, gimple_seq *);
+@@ -1438,9 +1448,4 @@ extern tree cilk_for_number_of_iterations (tree);
+ extern bool check_no_cilk (tree, const char *, const char *,
+ 		           location_t loc = UNKNOWN_LOCATION);
+ 
+-/* Read SOURCE_DATE_EPOCH from environment to have a deterministic
+-   timestamp to replace embedded current dates to get reproducible
+-   results.  Returns -1 if SOURCE_DATE_EPOCH is not defined.  */
+-extern time_t get_source_date_epoch (void);
+-
+ #endif /* ! GCC_C_COMMON_H */
+diff --git a/gcc/c-family/c-lex.c b/gcc/c-family/c-lex.c
+index e68471b9d2b..3f78073f640 100644
+--- a/gcc/c-family/c-lex.c
++++ b/gcc/c-family/c-lex.c
+@@ -97,6 +97,7 @@ init_c_lex (void)
+   cb->valid_pch = c_common_valid_pch;
+   cb->read_pch = c_common_read_pch;
+   cb->has_attribute = c_common_has_attribute;
++  cb->get_source_date_epoch = cb_get_source_date_epoch;
+ 
+   /* Set the debug callbacks if we can use them.  */
+   if ((debug_info_level == DINFO_LEVEL_VERBOSE
+@@ -402,9 +403,6 @@ c_lex_with_flags (tree *value, location_t *loc, unsigned char *cpp_flags,
+   enum cpp_ttype type;
+   unsigned char add_flags = 0;
+   enum overflow_type overflow = OT_NONE;
+-  time_t source_date_epoch = get_source_date_epoch ();
+-
+-  cpp_init_source_date_epoch (parse_in, source_date_epoch);
+ 
+   timevar_push (TV_CPP);
+  retry:
+diff --git a/gcc/doc/cppenv.texi b/gcc/doc/cppenv.texi
+index 3b5317beb53..7b4cf6adc11 100644
+--- a/gcc/doc/cppenv.texi
++++ b/gcc/doc/cppenv.texi
+@@ -81,7 +81,6 @@ main input file is omitted.
+ @end ifclear
+ 
+ @item SOURCE_DATE_EPOCH
+-
+ If this variable is set, its value specifies a UNIX timestamp to be
+ used in replacement of the current date and time in the @code{__DATE__}
+ and @code{__TIME__} macros, so that the embedded timestamps become
+@@ -89,8 +88,9 @@ reproducible.
+ 
+ The value of @env{SOURCE_DATE_EPOCH} must be a UNIX timestamp,
+ defined as the number of seconds (excluding leap seconds) since
+-01 Jan 1970 00:00:00 represented in ASCII, identical to the output of
+-@samp{@command{date +%s}}.
++01 Jan 1970 00:00:00 represented in ASCII; identical to the output of
++@samp{@command{date +%s}} on GNU/Linux and other systems that support the
++@code{%s} extension in the @code{date} command.
+ 
+ The value should be a known timestamp such as the last modification
+ time of the source or package and it should be set by the build
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index d956c36b151..2709f295734 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -3328,6 +3328,29 @@ save_switch (const char *opt, size_t n_args, const char *const *args,
+   n_switches++;
+ }
+ 
++/* Set the SOURCE_DATE_EPOCH environment variable to the current time if it is
++   not set already.  */
++
++static void
++set_source_date_epoch_envvar ()
++{
++  /* Array size is 21 = ceil(log_10(2^64)) + 1 to hold string representations
++     of 64 bit integers.  */
++  char source_date_epoch[21];
++  time_t tt;
++
++  errno = 0;
++  tt = time (NULL);
++  if (tt < (time_t) 0 || errno != 0)
++    tt = (time_t) 0;
++
++  snprintf (source_date_epoch, 21, "%llu", (unsigned long long) tt);
++  /* Using setenv instead of xputenv because we want the variable to remain
++     after finalizing so that it's still set in the second run when using
++     -fcompare-debug.  */
++  setenv ("SOURCE_DATE_EPOCH", source_date_epoch, 0);
++}
++
+ /* Handle an option DECODED that is unknown to the option-processing
+    machinery.  */
+ 
+@@ -3628,6 +3651,7 @@ driver_handle_option (struct gcc_options *opts,
+       else
+ 	compare_debug_opt = arg;
+       save_switch (compare_debug_replacement_opt, 0, NULL, validated, true);
++      set_source_date_epoch_envvar ();
+       return true;
+ 
+     case OPT_fdiagnostics_color_:
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+new file mode 100644
+index 00000000000..f6aa1a360ff
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-1.c
+@@ -0,0 +1,11 @@
++/* { dg-do run } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "630333296" } */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
++
++/* { dg-output "^Dec 22 1989 12:34:56\n$" } */
+diff --git a/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+new file mode 100644
+index 00000000000..ae18362ae87
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/cpp/source_date_epoch-2.c
+@@ -0,0 +1,12 @@
++/* { dg-do compile } */
++/* { dg-set-compiler-env-var SOURCE_DATE_EPOCH "AAA" } */
++
++/* Make sure that SOURCE_DATE_EPOCH is only parsed once */
++
++int
++main(void)
++{
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__); /* { dg-error "SOURCE_DATE_EPOCH must expand" } */
++  __builtin_printf ("%s %s\n", __DATE__, __TIME__);
++  return 0;
++}
+diff --git a/gcc/testsuite/lib/gcc-dg.exp b/gcc/testsuite/lib/gcc-dg.exp
+index 4fa433d9954..7656b2254a1 100644
+--- a/gcc/testsuite/lib/gcc-dg.exp
++++ b/gcc/testsuite/lib/gcc-dg.exp
+@@ -324,6 +324,38 @@ proc restore-target-env-var { } {
+     }
+ }
+ 
++proc dg-set-compiler-env-var { args } {
++    global set_compiler_env_var
++    global saved_compiler_env_var
++    if { [llength $args] != 3 } {
++	error "dg-set-compiler-env-var: need two arguments"
++	return
++    }
++    set var [lindex $args 1]
++    set value [lindex $args 2]
++    if [info exists ::env($var)] {
++      lappend saved_compiler_env_var [list $var 1 $::env($var)]
++    } else {
++      lappend saved_compiler_env_var [list $var 0]
++    }
++    setenv $var $value
++    lappend set_compiler_env_var [list $var $value]
++}
++
++proc restore-compiler-env-var { } {
++    global saved_compiler_env_var
++    for { set env_vari [llength $saved_compiler_env_var] } {
++          [incr env_vari -1] >= 0 } {} {
++	set env_var [lindex $saved_compiler_env_var $env_vari]
++	set var [lindex $env_var 0]
++	if [lindex $env_var 1] {
++	    setenv $var [lindex $env_var 2]
++	} else {
++	    unsetenv $var
++	}
++    }
++}
++
+ # Utility routines.
+ 
+ #
+@@ -785,6 +817,11 @@ if { [info procs saved-dg-test] == [list] } {
+ 	if [info exists set_target_env_var] {
+ 	    unset set_target_env_var
+ 	}
++	if [info exists set_compiler_env_var] {
++	    restore-compiler-env-var
++	    unset set_compiler_env_var
++	    unset saved_compiler_env_var
++	}
+ 	unset_timeout_vars
+ 	if [info exists compiler_conditional_xfail_data] {
+ 	    unset compiler_conditional_xfail_data
+diff --git a/libcpp/include/cpplib.h b/libcpp/include/cpplib.h
+index 7a5481219be..867aeebc39f 100644
+--- a/libcpp/include/cpplib.h
++++ b/libcpp/include/cpplib.h
+@@ -585,6 +585,9 @@ struct cpp_callbacks
+ 
+   /* Callback that can change a user builtin into normal macro.  */
+   bool (*user_builtin_macro) (cpp_reader *, cpp_hashnode *);
++
++  /* Callback to parse SOURCE_DATE_EPOCH from environment.  */
++  time_t (*get_source_date_epoch) (cpp_reader *);
+ };
+ 
+ #ifdef VMS
+@@ -775,9 +778,6 @@ extern void cpp_init_special_builtins (cpp_reader *);
+ /* Set up built-ins like __FILE__.  */
+ extern void cpp_init_builtins (cpp_reader *, int);
+ 
+-/* Initialize the source_date_epoch value.  */
+-extern void cpp_init_source_date_epoch (cpp_reader *, time_t);
+-
+ /* This is called after options have been parsed, and partially
+    processed.  */
+ extern void cpp_post_options (cpp_reader *);
+diff --git a/libcpp/init.c b/libcpp/init.c
+index a8d00f4628b..61c9bbbf945 100644
+--- a/libcpp/init.c
++++ b/libcpp/init.c
+@@ -254,6 +254,9 @@ cpp_create_reader (enum c_lang lang, cpp_hash_table *table,
+   /* Do not force token locations by default.  */
+   pfile->forced_token_location_p = NULL;
+ 
++  /* Initialize source_date_epoch to -2 (not yet set).  */
++  pfile->source_date_epoch = (time_t) -2;
++
+   /* The expression parser stack.  */
+   _cpp_expand_op_stack (pfile);
+ 
+@@ -530,13 +533,6 @@ cpp_init_builtins (cpp_reader *pfile, int hosted)
+     _cpp_define_builtin (pfile, "__OBJC__ 1");
+ }
+ 
+-/* Initialize the source_date_epoch value.  */
+-void
+-cpp_init_source_date_epoch (cpp_reader *pfile, time_t source_date_epoch)
+-{
+-  pfile->source_date_epoch = source_date_epoch; 
+-}
+-
+ /* Sanity-checks are dependent on command-line options, so it is
+    called as a subroutine of cpp_read_main_file ().  */
+ #if ENABLE_CHECKING
+diff --git a/libcpp/internal.h b/libcpp/internal.h
+index 8507eba1747..226ae328e76 100644
+--- a/libcpp/internal.h
++++ b/libcpp/internal.h
+@@ -503,7 +503,8 @@ struct cpp_reader
+   const unsigned char *time;
+ 
+   /* Externally set timestamp to replace current date and time useful for
+-     reproducibility.  */
++     reproducibility.  It should be initialized to -2 (not yet set) and
++     set to -1 to disable it or to a non-negative value to enable it.  */
+   time_t source_date_epoch;
+ 
+   /* EOF token, and a token forcing paste avoidance.  */
+diff --git a/libcpp/macro.c b/libcpp/macro.c
+index 3f3b278e97d..756c7c6e0c6 100644
+--- a/libcpp/macro.c
++++ b/libcpp/macro.c
+@@ -351,9 +351,13 @@ _cpp_builtin_macro_text (cpp_reader *pfile, cpp_hashnode *node)
+ 	  struct tm *tb = NULL;
+ 
+ 	  /* Set a reproducible timestamp for __DATE__ and __TIME__ macro
+-	     usage if SOURCE_DATE_EPOCH is defined.  */
+-	  if (pfile->source_date_epoch != (time_t) -1)
+-	     tb = gmtime (&pfile->source_date_epoch);
++	     if SOURCE_DATE_EPOCH is defined.  */
++	  if (pfile->source_date_epoch == (time_t) -2
++	      && pfile->cb.get_source_date_epoch != NULL)
++	    pfile->source_date_epoch = pfile->cb.get_source_date_epoch (pfile);
++
++	  if (pfile->source_date_epoch >= (time_t) 0)
++	    tb = gmtime (&pfile->source_date_epoch);
+ 	  else
+ 	    {
+ 	      /* (time_t) -1 is a legitimate value for "number of seconds
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
new file mode 100644
index 0000000000..a612c9e00e
--- /dev/null
+++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
@@ -0,0 +1,28 @@
+This patch makes the exeception specifier of libiberty's 'asprintf'
+and 'vasprintf' declarations match those of glibc to work around the
+problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>.
+
+The problem in part stems from the fact that libiberty is configured
+without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1
+is configured and built with _GNU_SOURCE, hence the conflicting declarations.
+
+--- gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:46.262709079 +0200
++++ gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:37.110635439 +0200
+@@ -625,7 +625,7 @@ extern int pwait (int, int *, int);
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
+-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2;
+ #endif
+ 
+ /* Like asprintf but allocates memory without fail. This works like
+@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, ..
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
+    must be freed by the caller.  */
+ 
+-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0);
++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0);
+ #endif
+ 
+ /* Like vasprintf but allocates memory without fail. This works like
diff --git a/gnu/packages/patches/gd-CVE-2016-7568.patch b/gnu/packages/patches/gd-CVE-2016-7568.patch
deleted file mode 100644
index 6a1a63296c..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-7568.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f
-
-From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 18:35:32 +0800
-Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
-
-Integer overflow can be happened in expression gdImageSX(im) * 4 *
-gdImageSY(im). It could lead to heap buffer overflow in the following
-code. This issue has been reported to the PHP Bug Tracking System. The
-proof-of-concept file will be supplied some days later. This issue was
-discovered by Ke Liu of Tencent's Xuanwu LAB.
----
- src/gd_webp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/gd_webp.c b/src/gd_webp.c
-index 8eb4dee..9886399 100644
---- a/src/gd_webp.c
-+++ b/src/gd_webp.c
-@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
- 		quality = 80;
- 	}
- 
-+	if (overflow2(gdImageSX(im), 4)) {
-+		return;
-+	}
-+
-+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
-+		return;
-+	}
-+
- 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
- 	if (!argb) {
- 		return;
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/gd-CVE-2016-8670.patch b/gnu/packages/patches/gd-CVE-2016-8670.patch
deleted file mode 100644
index 39ee99ac31..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-8670.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
-http://seclists.org/oss-sec/2016/q4/138
-
-Patch copied from upstream source repository:
-
-https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9
-
-From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 12 Oct 2016 11:15:32 +0200
-Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
-
-We make sure to never pass a negative `rlen` as size to memcpy(). See
-also <https://bugs.php.net/bug.php?id=73280>.
-
-Patch provided by Emmanuel Law.
----
- src/gd_io_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index 135eda3..228bfa5 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- 	if(remain >= len) {
- 		rlen = len;
- 	} else {
--		if(remain == 0) {
-+		if(remain <= 0) {
- 			/* 2.0.34: EOF is incorrect. We use 0 for
- 			 * errors and EOF, just like fileGetbuf,
- 			 * which is a simple fread() wrapper.
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch b/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
deleted file mode 100644
index e395c66d89..0000000000
--- a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-This fixes PHP bug #73155: https://bugs.php.net/bug.php?id=73155
-
-Patch adapted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/8067a8ac336dfe0acbe96ec2eb24572209a7f279
-
-(.gitignore change removed)
-
-From 8067a8ac336dfe0acbe96ec2eb24572209a7f279 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Fri, 23 Sep 2016 18:29:52 +0200
-Subject: [PATCH] Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
-
-(cherry picked from commit bb1998a16e30d542ab22eba5501911a9aa066edb)
----
- src/gd_gd2.c             |  4 ++--
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug00309.c     | 37 +++++++++++++++++++++++++++++++++++++
- 4 files changed, 41 insertions(+), 2 deletions(-)
- create mode 100644 tests/gd2/bug00309.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 75e5e1f..b9b2f93 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -938,8 +938,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	};
- 
- 	/* Work out number of chunks. */
--	ncx = im->sx / cs + 1;
--	ncy = im->sy / cs + 1;
-+	ncx = (im->sx + cs - 1) / cs;
-+	ncy = (im->sy + cs - 1) / cs;
- 
- 	/* Write the standard header. */
- 	_gd2PutHeader (im, out, cs, fmt, ncx, ncy);
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 3b650ad..247b466 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,5 +1,6 @@
- SET(TESTS_FILES
- 	bug_289
-+	bug00309
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index b8ee946..d69aee0 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,5 +1,6 @@
- libgd_test_programs += \
- 	gd2/bug_289 \
-+	gd2/bug00309 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug00309.c b/tests/gd2/bug00309.c
-new file mode 100644
-index 0000000..b649cdc
---- /dev/null
-+++ b/tests/gd2/bug00309.c
-@@ -0,0 +1,37 @@
-+/**
-+ * Regression test for <https://github.com/libgd/libgd/issues/309>.
-+ *
-+ * We test that an image with 64x64 pixels reports only a single chunk in the
-+ * GD2 image header when the chunk size is 64.
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    unsigned char *buf;
-+    int size, word;
-+
-+    im = gdImageCreate(64, 64);
-+    gdImageColorAllocate(im, 0, 0, 0);
-+
-+    buf = gdImageGd2Ptr(im, 64, 1, &size);
-+
-+    gdImageDestroy(im);
-+
-+    word = buf[10] << 8 | buf[11];
-+    gdTestAssertMsg(word == 64, "chunk size is %d, but expected 64\n", word);
-+    word = buf[14] << 8 | buf[15];
-+    gdTestAssertMsg(word == 1, "x chunk count is %d, but expected 1\n", word);
-+    word = buf[16] << 8 | buf[17];
-+    gdTestAssertMsg(word == 1, "y chunk count is %d, but expected 1\n", word);
-+    gdTestAssertMsg(size == 5145, "file size is %d, but expected 5145\n", size);
-+
-+    gdFree(buf);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch b/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
deleted file mode 100644
index be3eff9327..0000000000
--- a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-This fixes PHP bug #73159: https://bugs.php.net/bug.php?id=73159
-
-Patch lifted from upstream source repository:
-
-https://github.com/libgd/libgd/commit/e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5
-
-From e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Mon, 15 Aug 2016 17:49:40 +0200
-Subject: [PATCH] Fix #289: Passing unrecognized formats to gdImageGd2 results
- in corrupted files
-
-We must not apply the format correction twice for truecolor images.
-
-(cherry picked from commit 09090c125658e23a4ae2a2e002646bb7278bd89e)
----
- src/gd_gd2.c             |  2 +-
- tests/gd2/CMakeLists.txt |  1 +
- tests/gd2/Makemodule.am  |  1 +
- tests/gd2/bug_289.c      | 33 +++++++++++++++++++++++++++++++++
- 4 files changed, 36 insertions(+), 1 deletion(-)
- create mode 100644 tests/gd2/bug_289.c
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index 86c881e..75e5e1f 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -918,7 +918,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
- 	/* Force fmt to a valid value since we don't return anything. */
- 	/* */
- 	if ((fmt != GD2_FMT_RAW) && (fmt != GD2_FMT_COMPRESSED)) {
--		fmt = im->trueColor ? GD2_FMT_TRUECOLOR_COMPRESSED : GD2_FMT_COMPRESSED;
-+		fmt = GD2_FMT_COMPRESSED;
- 	};
- 	if (im->trueColor) {
- 		fmt += 2;
-diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
-index 8aecacc..3b650ad 100644
---- a/tests/gd2/CMakeLists.txt
-+++ b/tests/gd2/CMakeLists.txt
-@@ -1,4 +1,5 @@
- SET(TESTS_FILES
-+	bug_289
- 	gd2_empty_file
- 	gd2_im2im
- 	gd2_null
-diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
-index 754a284..b8ee946 100644
---- a/tests/gd2/Makemodule.am
-+++ b/tests/gd2/Makemodule.am
-@@ -1,4 +1,5 @@
- libgd_test_programs += \
-+	gd2/bug_289 \
- 	gd2/gd2_empty_file \
- 	gd2/php_bug_72339 \
- 	gd2/gd2_read_corrupt
-diff --git a/tests/gd2/bug_289.c b/tests/gd2/bug_289.c
-new file mode 100644
-index 0000000..ad311e9
---- /dev/null
-+++ b/tests/gd2/bug_289.c
-@@ -0,0 +1,33 @@
-+/**
-+ * Passing an unrecognized format to gdImageGd2() should result in
-+ * GD2_FMT_TRUECOLOR_COMPRESSED for truecolor images.
-+ *
-+ * See <https://github.com/libgd/libgd/issues/289>.
-+ */
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+#define GD2_FMT_UNRECOGNIZED 0
-+#define GD2_FMT_TRUECOLOR_COMPRESSED 4
-+
-+#define MSG "expected %s byte to be %d, but got %d\n"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    char *buffer;
-+    int size;
-+
-+    im = gdImageCreateTrueColor(10, 10);
-+    gdTestAssert(im != NULL);
-+    buffer = (char *) gdImageGd2Ptr(im, 128, GD2_FMT_UNRECOGNIZED, &size);
-+    gdTestAssert(buffer != NULL);
-+    gdImageDestroy(im);
-+    gdTestAssertMsg(buffer[12] == 0, MSG, "1st", 0, buffer[12]);
-+    gdTestAssertMsg(buffer[13] == GD2_FMT_TRUECOLOR_COMPRESSED, MSG, "2nd", GD2_FMT_TRUECOLOR_COMPRESSED, buffer[13]);
-+
-+    return gdNumFailures();
-+}
diff --git a/gnu/packages/patches/gd-freetype-test-failure.patch b/gnu/packages/patches/gd-freetype-test-failure.patch
new file mode 100644
index 0000000000..49c16ca089
--- /dev/null
+++ b/gnu/packages/patches/gd-freetype-test-failure.patch
@@ -0,0 +1,59 @@
+Fix a test failure with freetype 2.7:
+
+https://github.com/libgd/libgd/commit/a5570d3ed30ff76c2a8bdd54f4ab1825acca0143
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/a5570d3ed30ff76c2a8bdd54f4ab1825acca0143
+
+From a5570d3ed30ff76c2a8bdd54f4ab1825acca0143 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sun, 29 Jan 2017 17:07:50 +0100
+Subject: [PATCH] Fix #302: Test suite fails with freetype 2.7
+
+Actually, the test failures are not necessarily related to freetype
+2.7, but rather are caused by subpixel hinting which is enabled by
+default in freetype 2.7. Subpixel hinting is, however, already
+available in freetype 2.5 and in versions having the "Infinality"
+patch.
+
+To get the expected results in all environments, we have to disable
+subpixel hinting, what is easily done by setting a respective
+environment variable.
+
+See also:
+* https://www.freetype.org/freetype2/docs/subpixel-hinting.html
+* https://www.freetype.org/freetype2/docs/reference/ft2-tt_driver.html
+---
+ tests/freetype/bug00132.c                    | 3 +++
+ tests/gdimagestringft/gdimagestringft_bbox.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/tests/freetype/bug00132.c b/tests/freetype/bug00132.c
+index 713dd2d..42ed5b1 100644
+--- a/tests/freetype/bug00132.c
++++ b/tests/freetype/bug00132.c
+@@ -11,6 +11,9 @@ int main()
+ 	char *path;
+ 	char *ret = NULL;
+ 
++	/* disable subpixel hinting */
++	putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ 	im = gdImageCreateTrueColor(50, 30);
+ 
+ 	if (!im) {
+diff --git a/tests/gdimagestringft/gdimagestringft_bbox.c b/tests/gdimagestringft/gdimagestringft_bbox.c
+index 0161ec8..1596a9e 100644
+--- a/tests/gdimagestringft/gdimagestringft_bbox.c
++++ b/tests/gdimagestringft/gdimagestringft_bbox.c
+@@ -38,6 +38,9 @@ int main()
+ 	int error = 0;
+ 	FILE *fp;
+ 
++	/* disable subpixel hinting */
++	putenv("FREETYPE_PROPERTIES=truetype:interpreter-version=35");
++
+ 	path = gdTestFilePath("freetype/DejaVuSans.ttf");
+ 	im = gdImageCreate(800, 800);
+ 	gdImageColorAllocate(im, 0xFF, 0xFF, 0xFF); /* allocate white for background color */
diff --git a/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch b/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch
new file mode 100644
index 0000000000..a926c1455c
--- /dev/null
+++ b/gnu/packages/patches/gd-php-73968-Fix-109-XBM-reading.patch
@@ -0,0 +1,121 @@
+This bug was first reported to php on https://bugs.php.net/bug.php?id=73968.
+php then reported it to gd in https://github.com/libgd/libgd/issues/109.
+
+Patch adapted from upstream source repository:
+
+https://github.com/libgd/libgd/commit/082c5444838ea0d84f9fb6441aefdb44d78d9bba
+
+Binary diffs have been removed from the patch because our patch
+procedure doesn't support them.
+
+From 082c5444838ea0d84f9fb6441aefdb44d78d9bba Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 20 Jan 2017 22:48:20 +0100
+Subject: [PATCH] Fix #109: XBM reading fails with printed error
+
+When calculating the number of required bytes of an XBM image, we have
+to take the line padding into account.
+---
+ src/gd_xbm.c                     |   2 +-
+ tests/xbm/CMakeLists.txt         |   1 +
+ tests/xbm/Makemodule.am          |   5 ++++-
+ tests/xbm/github_bug_109.c       |  35 +++++++++++++++++++++++++++++++++++
+ tests/xbm/github_bug_109.xbm     |   5 +++++
+ 5 files changed, 47 insertions(+), 2 deletions(-)
+ create mode 100644 tests/xbm/github_bug_109.c
+ create mode 100644 tests/xbm/github_bug_109.xbm
+ create mode 100644 tests/xbm/github_bug_109_exp.png
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 5f09b56..c2ba2ad 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -108,7 +108,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 				max_bit = 32768;
+ 			}
+ 			if (max_bit) {
+-				bytes = (width * height / 8) + 1;
++                bytes = (width + 7) / 8 * height;
+ 				if (!bytes) {
+ 					return 0;
+ 				}
+diff --git a/tests/xbm/CMakeLists.txt b/tests/xbm/CMakeLists.txt
+index 183cf5e..08576e0 100644
+--- a/tests/xbm/CMakeLists.txt
++++ b/tests/xbm/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ LIST(APPEND TESTS_FILES
++	github_bug_109
+ 	github_bug_170
+ )
+ 
+diff --git a/tests/xbm/Makemodule.am b/tests/xbm/Makemodule.am
+index ba1eabd..0f5beb6 100644
+--- a/tests/xbm/Makemodule.am
++++ b/tests/xbm/Makemodule.am
+@@ -1,5 +1,8 @@
+ libgd_test_programs += \
++	xbm/github_bug_109 \
+ 	xbm/github_bug_170
+ 
+ EXTRA_DIST += \
+-	xbm/CMakeLists.txt
++	xbm/CMakeLists.txt \
++	xbm/github_bug_109.xbm \
++	xbm/github_bug_109_exp.png
+diff --git a/tests/xbm/github_bug_109.c b/tests/xbm/github_bug_109.c
+new file mode 100644
+index 0000000..1a020c6
+--- /dev/null
++++ b/tests/xbm/github_bug_109.c
+@@ -0,0 +1,35 @@
++/**
++ * Test reading of XBM images with a width that is not a multiple of 8
++ *
++ * We're reading such an XBM image, and check that we got what we've expected,
++ * instead of an error message.
++ *
++ * See also <https://github.com/libgd/libgd/issues/109>.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr im;
++    FILE *fp;
++    char *path;
++
++    fp = gdTestFileOpen2("xbm", "github_bug_109.xbm");
++    im = gdImageCreateFromXbm(fp);
++    fclose(fp);
++    gdTestAssert(im != NULL);
++    gdTestAssert(gdImageGetTrueColorPixel(im, 0, 0) == 0);
++    gdTestAssert(gdImageGetTrueColorPixel(im, 0, 1) == 0xffffff);
++
++    path = gdTestFilePath2("xbm", "github_bug_109_exp.png");
++    gdAssertImageEqualsToFile(path, im);
++    gdFree(path);
++
++    gdImageDestroy(im);
++
++    return gdNumFailures();
++}
+diff --git a/tests/xbm/github_bug_109.xbm b/tests/xbm/github_bug_109.xbm
+new file mode 100644
+index 0000000..f427d86
+--- /dev/null
++++ b/tests/xbm/github_bug_109.xbm
+@@ -0,0 +1,5 @@
++#define test_width 10
++#define test_height 10
++static unsigned char test_bits[] = {
++  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00, 
++  0xFF, 0x03, 0x00, 0x00, 0xFF, 0x03, 0x00, 0x00};
+
+-- 
+2.7.4
+
diff --git a/gnu/packages/patches/gdk-pixbuf-list-dir.patch b/gnu/packages/patches/gdk-pixbuf-list-dir.patch
new file mode 100644
index 0000000000..137914a19c
--- /dev/null
+++ b/gnu/packages/patches/gdk-pixbuf-list-dir.patch
@@ -0,0 +1,35 @@
+Sort directory entries so that the output of
+‘gdk-pixbuf-query-loaders’ is deterministic.
+
+See: https://bugzilla.gnome.org/show_bug.cgi?id=777332
+--- gdk-pixbuf-2.34.0/gdk-pixbuf/queryloaders.c.orig	2017-01-11 00:17:32.865843062 +0100
++++ gdk-pixbuf-2.34.0/gdk-pixbuf/queryloaders.c	2017-01-16 16:12:03.420667874 +0100
+@@ -354,16 +354,27 @@
+ 
+                 dir = g_dir_open (path, 0, NULL);
+                 if (dir) {
++                        GList *entries = NULL;
+                         const char *dent;
+ 
+                         while ((dent = g_dir_read_name (dir))) {
+                                 gint len = strlen (dent);
+                                 if (len > SOEXT_LEN &&
+                                     strcmp (dent + len - SOEXT_LEN, SOEXT) == 0) {
+-                                        query_module (contents, path, dent);
++                                        entries = g_list_append (entries, g_strdup (dent));
+                                 }
+                         }
+                         g_dir_close (dir);
++                        /* Sort directory entries so that the output of
++                           ‘gdk-pixbuf-query-loaders’ is deterministic. */
++                        entries = g_list_sort (entries, (GCompareFunc) strcmp);
++                        GList *xentries;
++                        for (xentries = entries; xentries; xentries = g_list_next (xentries)) {
++                                dent = xentries->data;
++                                query_module (contents, path, dent);
++                                g_free (xentries->data);
++                        }
++                        g_list_free (entries);
+                 }
+ #else
+                 g_string_append_printf (contents, "# dynamic loading of modules not supported\n");
diff --git a/gnu/packages/patches/glibc-bootstrap-system.patch b/gnu/packages/patches/glibc-bootstrap-system.patch
index 7208cce3f4..2f8e7da7e1 100644
--- a/gnu/packages/patches/glibc-bootstrap-system.patch
+++ b/gnu/packages/patches/glibc-bootstrap-system.patch
@@ -26,3 +26,5 @@ instead uses the hard-coded absolute file name of `bash'.
        _IO__exit (127);
      }
    _IO_close (child_end);
+
+
diff --git a/gnu/packages/patches/guile-repl-server-test.patch b/gnu/packages/patches/guile-repl-server-test.patch
deleted file mode 100644
index 81e724ecc4..0000000000
--- a/gnu/packages/patches/guile-repl-server-test.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit 8d6209ea56241bb1890c142539927c9ef3fb5a13
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:44:32 2016 +0100
-
-    tests: Throw 'unresolved when the REPL server is too slow.
-
-commit 2fbde7f02adb8c6585e9baf6e293ee49cd23d4c4
-Author: Ludovic Courtès <ludo@gnu.org>
-Date:   Fri Nov 4 22:45:51 2016 +0100
-
-    tests: Avoid race condition in REPL server test.
-
-index ca389ba..4b5ec0c 100644
---- a/test-suite/tests/00-repl-server.test
-+++ b/test-suite/tests/00-repl-server.test
-@@ -61,10 +61,11 @@ socket connected to that server."
-                (lambda ()
-                  (connect client-socket sockaddr))
-                (lambda args
--                 (when (and (memv (system-error-errno args)
--                                  (list ENOENT ECONNREFUSED))
--                            (< tries 3))
--                   (sleep 1)
-+                 (when (memv (system-error-errno args)
-+                             (list ENOENT ECONNREFUSED))
-+                   (when (> tries 30)
-+                     (throw 'unresolved))
-+                   (usleep 100)
-                    (loop (+ tries 1))))))
- 
-            (proc client-socket))
-@@ -104,8 +105,14 @@ reached."
-       "scheme@(repl-server)> $1 = 42\n"
-     (with-repl-server socket
-       (read-until-prompt socket %last-line-before-prompt)
--      (display "(+ 40 2)\n(quit)\n" socket)
--      (read-string socket)))
-+
-+      ;; Wait until 'repl-reader' in boot-9 has written the prompt.
-+      ;; Otherwise, if we write too quickly, 'repl-reader' checks for
-+      ;; 'char-ready?' and doesn't print the prompt.
-+      (match (select (list socket) '() (list socket) 3)
-+        (((_) () ())
-+         (display "(+ 40 2)\n(quit)\n" socket)
-+         (read-string socket)))))
- 
-   (pass-if "HTTP inter-protocol attack"           ;CVE-2016-8606
-     (with-repl-server socket
diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-CVE-2016-10165.patch
index d9f7ac6a36..fa4d75c9ee 100644
--- a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch
+++ b/gnu/packages/patches/lcms-CVE-2016-10165.patch
@@ -1,7 +1,9 @@
-Fix an out-of-bounds heap read in Type_MLU_Read():
+Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read():
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
 http://seclists.org/oss-sec/2016/q3/288
 https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+https://security-tracker.debian.org/tracker/CVE-2016-10165
 
 Patch copied from upstream source repository:
 
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
deleted file mode 100644
index bef628f0a8..0000000000
--- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix buffer overflow reading 7Zip files:
-
-https://github.com/libarchive/libarchive/issues/761
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
-
-From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 18 Sep 2016 18:14:58 -0700
-Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
-
-The sample file that demonstrated this had multiple 'EmptyStream'
-attributes.  The first one ended up being used to calculate
-certain statistics, then was overwritten by the second which
-was incompatible with those statistics.
-
-The fix here is to reject any header with multiple EmptyStream
-attributes.  While here, also reject headers with multiple
-EmptyFile, AntiFile, Name, or Attributes markers.
----
- libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
-index 1dfe52b..c0a536c 100644
---- a/libarchive/archive_read_support_format_7zip.c
-+++ b/libarchive/archive_read_support_format_7zip.c
-@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 
- 		switch (type) {
- 		case kEmptyStream:
-+			if (h->emptyStreamBools != NULL)
-+				return (-1);
- 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->emptyStreamBools));
- 			if (h->emptyStreamBools == NULL)
-@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->emptyFileBools != NULL)
-+				return (-1);
- 			h->emptyFileBools = calloc(empty_streams,
- 			    sizeof(*h->emptyFileBools));
- 			if (h->emptyFileBools == NULL)
-@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->antiBools != NULL)
-+				return (-1);
- 			h->antiBools = calloc(empty_streams,
- 			    sizeof(*h->antiBools));
- 			if (h->antiBools == NULL)
-@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((ll & 1) || ll < zip->numFiles * 4)
- 				return (-1);
- 
-+			if (zip->entry_names != NULL)
-+				return (-1);
- 			zip->entry_names = malloc(ll);
- 			if (zip->entry_names == NULL)
- 				return (-1);
-@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((p = header_bytes(a, 2)) == NULL)
- 				return (-1);
- 			allAreDefined = *p;
-+			if (h->attrBools != NULL)
-+				return (-1);
- 			h->attrBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->attrBools));
- 			if (h->attrBools == NULL)
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
deleted file mode 100644
index bce63d5e4e..0000000000
--- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
+++ /dev/null
@@ -1,445 +0,0 @@
-This patch fixes two bugs that allow attackers to overwrite or change
-the permissions of arbitrary files:
-
-https://github.com/libarchive/libarchive/issues/745
-https://github.com/libarchive/libarchive/issues/746
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
-
-From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 11 Sep 2016 13:21:57 -0700
-Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
-
----
- libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
- 1 file changed, 227 insertions(+), 67 deletions(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 8f0421e..abe1a86 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -326,12 +326,14 @@ struct archive_write_disk {
- 
- #define HFS_BLOCKS(s)	((s) >> 12)
- 
-+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	check_symlinks(struct archive_write_disk *);
- static int	create_filesystem_object(struct archive_write_disk *);
- static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
- #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
- static void	edit_deep_directories(struct archive_write_disk *ad);
- #endif
-+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	cleanup_pathname(struct archive_write_disk *);
- static int	create_dir(struct archive_write_disk *, char *);
- static int	create_parent_dir(struct archive_write_disk *, char *);
-@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
- 	const char *linkname;
- 	mode_t final_mode, mode;
- 	int r;
-+	/* these for check_symlinks_fsobj */
-+	char *linkname_copy;	/* non-const copy of linkname */
-+	struct archive_string error_string;
-+	int error_number;
- 
- 	/* We identify hard/symlinks according to the link names. */
- 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
-@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
- #if !HAVE_LINK
- 		return (EPERM);
- #else
-+		archive_string_init(&error_string);
-+		linkname_copy = strdup(linkname);
-+		if (linkname_copy == NULL) {
-+		    return (EPERM);
-+		}
-+		/* TODO: consider using the cleaned-up path as the link target? */
-+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		free(linkname_copy);
- 		r = link(linkname, a->name) ? errno : 0;
- 		/*
- 		 * New cpio and pax formats allow hardlink entries
-@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
-  * recent paths.
-  */
- /* TODO: Extend this to support symlinks on Windows Vista and later. */
-+
-+/*
-+ * Checks the given path to see if any elements along it are symlinks.  Returns
-+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
-+ */
- static int
--check_symlinks(struct archive_write_disk *a)
-+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- #if !defined(HAVE_LSTAT)
- 	/* Platform doesn't have lstat, so we can't look for symlinks. */
- 	(void)a; /* UNUSED */
-+	(void)path; /* UNUSED */
-+	(void)error_number; /* UNUSED */
-+	(void)error_string; /* UNUSED */
-+	(void)flags; /* UNUSED */
- 	return (ARCHIVE_OK);
- #else
--	char *pn;
-+	int res = ARCHIVE_OK;
-+	char *tail;
-+	char *head;
-+	int last;
- 	char c;
- 	int r;
- 	struct stat st;
-+	int restore_pwd;
-+
-+	/* Nothing to do here if name is empty */
-+	if(path[0] == '\0')
-+	    return (ARCHIVE_OK);
- 
- 	/*
- 	 * Guard against symlink tricks.  Reject any archive entry whose
- 	 * destination would be altered by a symlink.
-+	 *
-+	 * Walk the filename in chunks separated by '/'.  For each segment:
-+	 *  - if it doesn't exist, continue
-+	 *  - if it's symlink, abort or remove it
-+	 *  - if it's a directory and it's not the last chunk, cd into it
-+	 * As we go:
-+	 *  head points to the current (relative) path
-+	 *  tail points to the temporary \0 terminating the segment we're currently examining
-+	 *  c holds what used to be in *tail
-+	 *  last is 1 if this is the last tail
- 	 */
--	/* Whatever we checked last time doesn't need to be re-checked. */
--	pn = a->name;
--	if (archive_strlen(&(a->path_safe)) > 0) {
--		char *p = a->path_safe.s;
--		while ((*pn != '\0') && (*p == *pn))
--			++p, ++pn;
--	}
-+	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
-+	__archive_ensure_cloexec_flag(restore_pwd);
-+	if (restore_pwd < 0)
-+		return (ARCHIVE_FATAL);
-+	head = path;
-+	tail = path;
-+	last = 0;
-+	/* TODO: reintroduce a safe cache here? */
- 	/* Skip the root directory if the path is absolute. */
--	if(pn == a->name && pn[0] == '/')
--		++pn;
--	c = pn[0];
--	/* Keep going until we've checked the entire name. */
--	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
-+	if(tail == path && tail[0] == '/')
-+		++tail;
-+	/* Keep going until we've checked the entire name.
-+	 * head, tail, path all alias the same string, which is
-+	 * temporarily zeroed at tail, so be careful restoring the
-+	 * stashed (c=tail[0]) for error messages.
-+	 * Exiting the loop with break is okay; continue is not.
-+	 */
-+	while (!last) {
-+		/* Skip the separator we just consumed, plus any adjacent ones */
-+		while (*tail == '/')
-+		    ++tail;
- 		/* Skip the next path element. */
--		while (*pn != '\0' && *pn != '/')
--			++pn;
--		c = pn[0];
--		pn[0] = '\0';
-+		while (*tail != '\0' && *tail != '/')
-+			++tail;
-+		/* is this the last path component? */
-+		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
-+		/* temporarily truncate the string here */
-+		c = tail[0];
-+		tail[0] = '\0';
- 		/* Check that we haven't hit a symlink. */
--		r = lstat(a->name, &st);
-+		r = lstat(head, &st);
- 		if (r != 0) {
-+			tail[0] = c;
- 			/* We've hit a dir that doesn't exist; stop now. */
- 			if (errno == ENOENT) {
- 				break;
- 			} else {
--				/* Note: This effectively disables deep directory
-+				/* Treat any other error as fatal - best to be paranoid here
-+				 * Note: This effectively disables deep directory
- 				 * support when security checks are enabled.
- 				 * Otherwise, very long pathnames that trigger
- 				 * an error here could evade the sandbox.
- 				 * TODO: We could do better, but it would probably
- 				 * require merging the symlink checks with the
- 				 * deep-directory editing. */
--				return (ARCHIVE_FAILED);
-+				if (error_number) *error_number = errno;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Could not stat %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
-+			}
-+		} else if (S_ISDIR(st.st_mode)) {
-+			if (!last) {
-+				if (chdir(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not chdir %s",
-+								path);
-+					res = (ARCHIVE_FATAL);
-+					break;
-+				}
-+				/* Our view is now from inside this dir: */
-+				head = tail + 1;
- 			}
- 		} else if (S_ISLNK(st.st_mode)) {
--			if (c == '\0') {
-+			if (last) {
- 				/*
- 				 * Last element is symlink; remove it
- 				 * so we can overwrite it with the
- 				 * item being extracted.
- 				 */
--				if (unlink(a->name)) {
--					archive_set_error(&a->archive, errno,
--					    "Could not remove symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head)) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not remove symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
- 				/*
- 				 * Even if we did remove it, a warning
- 				 * is in order.  The warning is silly,
- 				 * though, if we're just replacing one
- 				 * symlink with another symlink.
- 				 */
--				if (!S_ISLNK(a->mode)) {
--					archive_set_error(&a->archive, 0,
--					    "Removing symlink %s",
--					    a->name);
-+				tail[0] = c;
-+				/* FIXME:  not sure how important this is to restore
-+				if (!S_ISLNK(path)) {
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Removing symlink %s",
-+								path);
- 				}
-+				*/
- 				/* Symlink gone.  No more problem! */
--				pn[0] = c;
--				return (0);
--			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
-+				res = ARCHIVE_OK;
-+				break;
-+			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
- 				/* User asked us to remove problems. */
--				if (unlink(a->name) != 0) {
--					archive_set_error(&a->archive, 0,
--					    "Cannot remove intervening symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Cannot remove intervening symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
-+				tail[0] = c;
- 			} else {
--				archive_set_error(&a->archive, 0,
--				    "Cannot extract through symlink %s",
--				    a->name);
--				pn[0] = c;
--				return (ARCHIVE_FAILED);
-+				tail[0] = c;
-+				if (error_number) *error_number = 0;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Cannot extract through symlink %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
- 			}
- 		}
--		pn[0] = c;
--		if (pn[0] != '\0')
--			pn++; /* Advance to the next segment. */
-+		/* be sure to always maintain this */
-+		tail[0] = c;
-+		if (tail[0] != '\0')
-+			tail++; /* Advance to the next segment. */
- 	}
--	pn[0] = c;
--	/* We've checked and/or cleaned the whole path, so remember it. */
--	archive_strcpy(&a->path_safe, a->name);
--	return (ARCHIVE_OK);
-+	/* Catches loop exits via break */
-+	tail[0] = c;
-+#ifdef HAVE_FCHDIR
-+	/* If we changed directory above, restore it here. */
-+	if (restore_pwd >= 0) {
-+		r = fchdir(restore_pwd);
-+		if (r != 0) {
-+			if(error_number) *error_number = errno;
-+			if(error_string)
-+				archive_string_sprintf(error_string,
-+						"chdir() failure");
-+		}
-+		close(restore_pwd);
-+		restore_pwd = -1;
-+		if (r != 0) {
-+			res = (ARCHIVE_FATAL);
-+		}
-+	}
-+#endif
-+	/* TODO: reintroduce a safe cache here? */
-+	return res;
- #endif
- }
- 
-+/*
-+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
-+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
-+ */
-+static int
-+check_symlinks(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	a->pst = NULL;	/* to be safe */
-+	return rc;
-+}
-+
-+
- #if defined(__CYGWIN__)
- /*
-  * 1. Convert a path separator from '\' to '/' .
-@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
-  * is set) if the path is absolute.
-  */
- static int
--cleanup_pathname(struct archive_write_disk *a)
-+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- 	char *dest, *src;
- 	char separator = '\0';
- 
--	dest = src = a->name;
-+	dest = src = path;
- 	if (*src == '\0') {
--		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--		    "Invalid empty pathname");
-+		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+		if (error_string)
-+		    archive_string_sprintf(error_string,
-+			    "Invalid empty pathname");
- 		return (ARCHIVE_FAILED);
- 	}
- 
-@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
- #endif
- 	/* Skip leading '/'. */
- 	if (*src == '/') {
--		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
--			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--			                  "Path is absolute");
-+		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+			if (error_string)
-+			    archive_string_sprintf(error_string,
-+				    "Path is absolute");
- 			return (ARCHIVE_FAILED);
- 		}
- 
-@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
- 			} else if (src[1] == '.') {
- 				if (src[2] == '/' || src[2] == '\0') {
- 					/* Conditionally warn about '..' */
--					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
--						archive_set_error(&a->archive,
--						    ARCHIVE_ERRNO_MISC,
--						    "Path contains '..'");
-+					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
-+						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+						if (error_string)
-+						    archive_string_sprintf(error_string,
-+							    "Path contains '..'");
- 						return (ARCHIVE_FAILED);
- 					}
- 				}
-@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
- 	 * We've just copied zero or more path elements, not including the
- 	 * final '/'.
- 	 */
--	if (dest == a->name) {
-+	if (dest == path) {
- 		/*
- 		 * Nothing got copied.  The path must have been something
- 		 * like '.' or '/' or './' or '/././././/./'.
-@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
- 	return (ARCHIVE_OK);
- }
- 
-+static int
-+cleanup_pathname(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	return rc;
-+}
-+
- /*
-  * Create the parent directory of the specified path, assuming path
-  * is already in mutable storage.
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
deleted file mode 100644
index f042c31a84..0000000000
--- a/gnu/packages/patches/libarchive-fix-symlink-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Make sure to check for symlinks even if the pathname is very long:
-
-https://github.com/libarchive/libarchive/issues/744
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
-
-From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 17:11:45 -0700
-Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
- long pathnames
-
-Because check_symlinks is handled separately from the deep-directory
-support, very long pathnames cause problems.  Previously, the code
-ignored most failures to lstat() a path component.  In particular,
-this led to check_symlinks always passing for very long paths, which
-in turn provides a way to evade the symlink checks in the sandboxing
-code.
-
-We now fail on unrecognized lstat() failures, which plugs this
-hole at the cost of disabling deep directory support when the
-user requests sandboxing.
-
-TODO:  This probably cannot be completely fixed without
-entirely reimplementing the deep directory support to
-integrate the symlink checks.  I want to reimplement the
-deep directory hanlding someday anyway; openat() and
-related system calls now provide a much cleaner way to
-handle deep directories than the chdir approach used by this
-code.
----
- libarchive/archive_write_disk_posix.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 39ee3b6..8f0421e 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
- 		r = lstat(a->name, &st);
- 		if (r != 0) {
- 			/* We've hit a dir that doesn't exist; stop now. */
--			if (errno == ENOENT)
-+			if (errno == ENOENT) {
- 				break;
-+			} else {
-+				/* Note: This effectively disables deep directory
-+				 * support when security checks are enabled.
-+				 * Otherwise, very long pathnames that trigger
-+				 * an error here could evade the sandbox.
-+				 * TODO: We could do better, but it would probably
-+				 * require merging the symlink checks with the
-+				 * deep-directory editing. */
-+				return (ARCHIVE_FAILED);
-+			}
- 		} else if (S_ISLNK(st.st_mode)) {
- 			if (c == '\0') {
- 				/*
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
deleted file mode 100644
index 0e70ac90ce..0000000000
--- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fixes this buffer overflow:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-Patch copied from upstream source repository:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 10:51:43 -0700
-Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
-
-The safe_fprintf function attempts to ensure clean output for an
-arbitrary sequence of bytes by doing a trial conversion of the
-multibyte characters to wide characters -- if the resulting wide
-character is printable then we pass through the corresponding bytes
-unaltered, otherwise, we convert them to C-style ASCII escapes.
-
-The stack trace in Issue #767 suggest that the 20-byte buffer
-was getting overflowed trying to format a non-printable multibyte
-character.  This should only happen if there is a valid multibyte
-character of more than 5 bytes that was unprintable.  (Each byte
-would get expanded to a four-charcter octal-style escape of the form
-"\123" resulting in >20 characters for the >5 byte multibyte character.)
-
-I've not been able to reproduce this, but have expanded the conversion
-buffer to 128 bytes on the belief that no multibyte character set
-has a single character of more than 32 bytes.
----
- tar/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 9ff22f2..2b4aebe 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
- 		}
- 
- 		/* If our output buffer is full, dump it and keep going. */
--		if (i > (sizeof(outbuff) - 20)) {
-+		if (i > (sizeof(outbuff) - 128)) {
- 			outbuff[i] = '\0';
- 			fprintf(f, "%s", outbuff);
- 			i = 0;
diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch
index 676024beb4..69c67e778d 100644
--- a/gnu/packages/patches/libdrm-symbol-check.patch
+++ b/gnu/packages/patches/libdrm-symbol-check.patch
@@ -1,5 +1,5 @@
 Augment the list of expected symbols to fix the symbol-check tests on
-mips64el-linux and armhf-linux.
+mips64el-linux, armhf-linux and aarch64-linux.
 
 --- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig	2015-09-04 11:07:40.000000000 -0400
 +++ libdrm-2.4.65/freedreno/freedreno-symbol-check	2015-10-18 23:57:15.288416229 -0400
@@ -193,3 +193,28 @@ mips64el-linux and armhf-linux.
  drm_tegra_bo_get_flags
  drm_tegra_bo_get_handle
  drm_tegra_bo_get_tiling
+
+--- libdrm-2.4.65/radeon/radeon-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
++++ libdrm-2.4.65/radeon/radeon-symbol-check	2015-10-18 23:57:00.756759698 -0400
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+-# The following symbols (past the first five) are taken from the public headers.
++# The following symbols (past the first 12) are taken from the public headers.
+ # A list of the latter should be available Makefile.sources/LIBDRM_RADEON_H_FILES
+ 
+ FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do
+@@ -10,6 +10,13 @@
+ _end
+ _fini
+ _init
++_fbss
++_fdata
++_ftext
++__bss_start__
++__bss_end__
++_bss_end__
++__end__
+ radeon_bo_debug
+ radeon_bo_get_handle
+ radeon_bo_get_src_domain
diff --git a/gnu/packages/patches/libepoxy-gl-null-checks.patch b/gnu/packages/patches/libepoxy-gl-null-checks.patch
deleted file mode 100644
index bdc4b05989..0000000000
--- a/gnu/packages/patches/libepoxy-gl-null-checks.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-This patch from <https://bugzilla.redhat.com/show_bug.cgi?id=1395366> adds NULL
-checks to avoid crashes when GL support is missing, as is the case when running
-Xvfb.
-
-Upstream issue: <https://github.com/anholt/libepoxy/issues/72>.
-
-diff -ur libepoxy-1.3.1/src/dispatch_common.c libepoxy-1.3.1/src/dispatch_common.c
---- libepoxy-1.3.1/src/dispatch_common.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_common.c	2016-11-16 09:03:52.809066247 -0500
-@@ -348,6 +348,8 @@
- epoxy_extension_in_string(const char *extension_list, const char *ext)
- {
-     const char *ptr = extension_list;
-+    if (! ptr) return false;
-+    if (! ext) return false;
-     int len = strlen(ext);
- 
-     /* Make sure that don't just find an extension with our name as a prefix. */
-@@ -380,6 +382,7 @@
- 
-         for (i = 0; i < num_extensions; i++) {
-             const char *gl_ext = (const char *)glGetStringi(GL_EXTENSIONS, i);
-+            if (! gl_ext) return false;
-             if (strcmp(ext, gl_ext) == 0)
-                 return true;
-         }
-diff -ur libepoxy-1.3.1/src/dispatch_egl.c libepoxy-1.3.1/src/dispatch_egl.c
---- libepoxy-1.3.1/src/dispatch_egl.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_egl.c	2016-11-16 08:40:34.069358709 -0500
-@@ -46,6 +46,7 @@
-     int ret;
- 
-     version_string = eglQueryString(dpy, EGL_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &major, &minor);
-     assert(ret == 2);
-     return major * 10 + minor;
-diff -ur libepoxy-1.3.1/src/dispatch_glx.c libepoxy-1.3.1/src/dispatch_glx.c
---- libepoxy-1.3.1/src/dispatch_glx.c	2015-07-15 19:46:36.000000000 -0400
-+++ libepoxy-1.3.1/src/dispatch_glx.c	2016-11-16 08:41:03.065730370 -0500
-@@ -57,11 +57,13 @@
-     int ret;
- 
-     version_string = glXQueryServerString(dpy, screen, GLX_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &server_major, &server_minor);
-     assert(ret == 2);
-     server = server_major * 10 + server_minor;
- 
-     version_string = glXGetClientString(dpy, GLX_VERSION);
-+    if (! version_string) return 0;
-     ret = sscanf(version_string, "%d.%d", &client_major, &client_minor);
-     assert(ret == 2);
-     client = client_major * 10 + client_minor;
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
index f1907d53e2..bffe2c454c 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-remote-stack-overread.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10195.patch
@@ -1,7 +1,6 @@
-Fix buffer overread in libevents DNS code.
-
-Upstream bug report:
+Fix CVE-2016-10195 (buffer overread in libevent's DNS code):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
 https://github.com/libevent/libevent/issues/317
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
index 4d16a4b917..03f96e938b 100644
--- a/gnu/packages/patches/libevent-2.0-evutil-fix-buffer-overflow.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10196.patch
@@ -1,7 +1,6 @@
-Fix buffer overflow in evutil.
-
-Upstream bug report:
+Fix CVE-2016-10196 (buffer overflow in evutil):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
 https://github.com/libevent/libevent/issues/318
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
index c4ad0a1a4a..c62a328627 100644
--- a/gnu/packages/patches/libevent-2.0-evdns-fix-searching-empty-hostnames.patch
+++ b/gnu/packages/patches/libevent-2.0-CVE-2016-10197.patch
@@ -1,7 +1,6 @@
-Fix OOB read on empty hostnames in evdns.
-
-Upstream bug report:
+Fix CVE-2016-10197 (out of bounds read on empty hostnames in evdns):
 
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197
 https://github.com/libevent/libevent/issues/332
 
 Patch copied from upstream source repository:
diff --git a/gnu/packages/patches/libpng-CVE-2016-10087.patch b/gnu/packages/patches/libpng-CVE-2016-10087.patch
deleted file mode 100644
index 8093b3e448..0000000000
--- a/gnu/packages/patches/libpng-CVE-2016-10087.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2016-10087, a null pointer dereference in png_set_text_2():
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
-http://seclists.org/oss-sec/2016/q4/777
-
-Patch adapted from upstream source repository:
-
-https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb/
-
-From 812768d7a9c973452222d454634496b25ed415eb Mon Sep 17 00:00:00 2001
-From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
-Date: Thu, 29 Dec 2016 07:51:33 -0600
-Subject: [PATCH] [libpng16] Fixed a potential null pointer dereference in
- png_set_text_2()
-
-(bug report and patch by Patrick Keshishian).
----
- ANNOUNCE | 2 ++
- CHANGES  | 2 ++
- png.c    | 1 +
- 3 files changed, 5 insertions(+)
-
-diff --git a/png.c b/png.c
-index 8afc28fc2..2e05de159 100644
---- a/png.c
-+++ b/png.c
-@@ -477,6 +477,7 @@ png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
-          png_free(png_ptr, info_ptr->text);
-          info_ptr->text = NULL;
-          info_ptr->num_text = 0;
-+         info_ptr->max_text = 0;
-       }
-    }
- #endif
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch b/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch
new file mode 100644
index 0000000000..4133be7fc9
--- /dev/null
+++ b/gnu/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch
@@ -0,0 +1,33 @@
+This fixes a regression introduced in 1.8.0 where libssh2 fails to build
+with the gcrypt backend.
+
+Upstream bug URL:
+
+https://github.com/libssh2/libssh2/issues/150
+
+Patch copied from upstream source repository:
+
+https://github.com/libssh2/libssh2/commit/ced924b78a40126606797ef57a74066eb3b4b83f
+
+From ced924b78a40126606797ef57a74066eb3b4b83f Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <siarheit@google.com>
+Date: Mon, 31 Oct 2016 09:04:33 +0000
+Subject: [PATCH] acinclude.m4: fix ./configure --with-libgcrypt
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 734ef07..c78260c 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -412,9 +412,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
+ 
+   old_LDFLAGS=$LDFLAGS
+   old_CFLAGS=$CFLAGS
+-  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
+-    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
+-    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
++  if test -n "$with_libgcrypt_prefix" && test "$use_libgcrypt" != "no"; then
++    LDFLAGS="$LDFLAGS -L$with_libgcrypt_prefix/lib"
++    CFLAGS="$CFLAGS -I$with_libgcrypt_prefix/include"
+   fi
+   AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
+     #include <gcrypt.h>
diff --git a/gnu/packages/patches/libxcb-python-3.5-compat.patch b/gnu/packages/patches/libxcb-python-3.5-compat.patch
new file mode 100644
index 0000000000..f652498aad
--- /dev/null
+++ b/gnu/packages/patches/libxcb-python-3.5-compat.patch
@@ -0,0 +1,64 @@
+Fix compatibility issue with Python 3.5.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/libxcb/commit/?id=8740a288ca468433141341347aa115b9544891d3
+
+From 8740a288ca468433141341347aa115b9544891d3 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:31:18 +0200
+Subject: [PATCH] Fix inconsistent use of tabs vs. space.
+
+Needed for at least python-3.5.x.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ src/c_client.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/c_client.py b/src/c_client.py
+index 57de3fb..043338d 100644
+--- a/src/c_client.py
++++ b/src/c_client.py
+@@ -1364,7 +1364,7 @@ def _c_serialize(context, self):
+             _c('    unsigned int xcb_align_to = 0;')
+         if self.is_switch:
+             _c('    unsigned int xcb_padding_offset = %d;',
+-	       self.get_align_offset() )
++               self.get_align_offset() )
+         prefix = [('_aux', '->', self)]
+         aux_ptr = 'xcb_out'
+ 
+@@ -1390,7 +1390,7 @@ def _c_serialize(context, self):
+         _c('    unsigned int xcb_align_to = 0;')
+         if self.is_switch:
+             _c('    unsigned int xcb_padding_offset = %d;',
+-	       self.get_align_offset() )
++               self.get_align_offset() )
+ 
+     elif 'sizeof' == context:
+         param_names = [p[2] for p in params]
+@@ -1930,14 +1930,14 @@ def _c_accessors_list(self, field):
+                     # from the request size and divide that by the member size
+                     return '(((R->length * 4) - sizeof('+ self.c_type + '))/'+'sizeof('+field.type.member.c_wiretype+'))'
+                 else:
+-		    # use the accessor to get the start of the list, then
+-		    # compute the length of it by subtracting it from
++                    # use the accessor to get the start of the list, then
++                    # compute the length of it by subtracting it from
+                     # the adress of the first byte after the end of the
+                     # request
+-		    after_end_of_request = '(((char*)R) + R->length * 4)'
+-		    start_of_list = '%s(R)' % (field.c_accessor_name)
++                    after_end_of_request = '(((char*)R) + R->length * 4)'
++                    start_of_list = '%s(R)' % (field.c_accessor_name)
+                     bytesize_of_list = '%s - (char*)(%s)' % (after_end_of_request, start_of_list)
+-		    return '(%s) / sizeof(%s)' % (bytesize_of_list, field.type.member.c_wiretype)
++                    return '(%s) / sizeof(%s)' % (bytesize_of_list, field.type.member.c_wiretype)
+             else:
+                 raise Exception(
+                     "lengthless lists with varsized members are not supported. Fieldname '%s'"
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/pcre-CVE-2016-3191.patch b/gnu/packages/patches/pcre-CVE-2016-3191.patch
deleted file mode 100644
index 89cce2a36f..0000000000
--- a/gnu/packages/patches/pcre-CVE-2016-3191.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-Fix for CVE-2016-3191.
-See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.
-This is svn r1631 at <svn://vcs.exim.org/pcre/code>.
-
-Index: trunk/testdata/testoutput11-16
-===================================================================
---- trunk/testdata/testoutput11-16	(revision 1630)
-+++ trunk/testdata/testoutput11-16	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: regular expression is too complicated at offset 490
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testinput11
-===================================================================
---- trunk/testdata/testinput11	(revision 1630)
-+++ trunk/testdata/testinput11	(revision 1631)
-@@ -138,4 +138,6 @@
- 
- /.((?2)(?R)\1)()/B
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-8
-===================================================================
---- trunk/testdata/testoutput11-8	(revision 1630)
-+++ trunk/testdata/testoutput11-8	(revision 1631)
-@@ -765,4 +765,7 @@
-  38     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/testdata/testoutput11-32
-===================================================================
---- trunk/testdata/testoutput11-32	(revision 1630)
-+++ trunk/testdata/testoutput11-32	(revision 1631)
-@@ -765,4 +765,7 @@
-  25     End
- ------------------------------------------------------------------
- 
-+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
-+Failed: missing ) at offset 509
-+
- /-- End of testinput11 --/
-Index: trunk/pcre_internal.h
-===================================================================
---- trunk/pcre_internal.h	(revision 1630)
-+++ trunk/pcre_internal.h	(revision 1631)
-@@ -7,7 +7,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -2289,7 +2289,7 @@
-        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
-        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
-        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
--       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
-+       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
- 
- /* JIT compiling modes. The function list is indexed by them. */
- 
-Index: trunk/pcre_compile.c
-===================================================================
---- trunk/pcre_compile.c	(revision 1630)
-+++ trunk/pcre_compile.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -560,6 +560,7 @@
-   /* 85 */
-   "parentheses are too deeply nested (stack check)\0"
-   "digits missing in \\x{} or \\o{}\0"
-+  "regular expression is too complicated\0"
-   ;
- 
- /* Table to identify digits and hex digits. This is used when compiling
-@@ -4591,7 +4592,8 @@
-     if (code > cd->start_workspace + cd->workspace_size -
-         WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
-       {
--      *errorcodeptr = ERR52;
-+      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
-+        ERR52 : ERR87;
-       goto FAILED;
-       }
- 
-@@ -6626,8 +6628,21 @@
-             cd->had_accept = TRUE;
-             for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-               {
--              *code++ = OP_CLOSE;
--              PUT2INC(code, 0, oc->number);
-+              if (lengthptr != NULL)
-+                {
-+#ifdef COMPILE_PCRE8
-+                *lengthptr += 1 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE16
-+                *lengthptr += 2 + IMM2_SIZE;
-+#elif defined COMPILE_PCRE32
-+                *lengthptr += 4 + IMM2_SIZE;
-+#endif
-+                }
-+              else
-+                {
-+                *code++ = OP_CLOSE;
-+                PUT2INC(code, 0, oc->number);
-+                }
-               }
-             setverb = *code++ =
-               (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
-Index: trunk/pcreposix.c
-===================================================================
---- trunk/pcreposix.c	(revision 1630)
-+++ trunk/pcreposix.c	(revision 1631)
-@@ -6,7 +6,7 @@
- and semantics are as close as possible to those of the Perl 5 language.
- 
-                        Written by Philip Hazel
--           Copyright (c) 1997-2014 University of Cambridge
-+           Copyright (c) 1997-2016 University of Cambridge
- 
- -----------------------------------------------------------------------------
- Redistribution and use in source and binary forms, with or without
-@@ -173,7 +173,8 @@
-   REG_BADPAT,  /* group name must start with a non-digit */
-   /* 85 */
-   REG_BADPAT,  /* parentheses too deeply nested (stack check) */
--  REG_BADPAT   /* missing digits in \x{} or \o{} */
-+  REG_BADPAT,  /* missing digits in \x{} or \o{} */
-+  REG_BADPAT   /* pattern too complicated */
- };
- 
- /* Table of texts corresponding to POSIX error codes */
diff --git a/gnu/packages/patches/sed-hurd-path-max.patch b/gnu/packages/patches/sed-hurd-path-max.patch
deleted file mode 100644
index 5226cba4cb..0000000000
--- a/gnu/packages/patches/sed-hurd-path-max.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-7bb8d35d0330161a5af5341471d0c183a067e8c2
-Author: Jose E. Marchesi <jemarch@gnu.org>
-Date:   Sun Oct 6 14:43:38 2013 +0200
-
-    Set PATH_MAX to some constant in case it is not defined in system
-    headers.
-    
-    2013-10-06  Jose E. Marchesi  <jemarch@gnu.org>
-    
-    	* basicdefs.h (PATH_MAX): Defined to some constant in case it is
-    	not defined by system headers.
-    	* sed/utils.c: Do not include pathmax.h anymore.
-    	* bootstrap.conf (gnulib_modules): Do not use the gnulib module
-    	pathmax.
-
-diff --git a/basicdefs.h b/basicdefs.h
-index 0d28a97..09f5beb 100644
---- a/basicdefs.h
-+++ b/basicdefs.h
-@@ -40,6 +41,13 @@ typedef unsigned long countT;
- #define obstack_chunk_alloc  ck_malloc
- #define obstack_chunk_free   free
- 
-+/* MAX_PATH is not defined in some platforms, most notably GNU/Hurd.
-+   In that case we define it here to some constant.  Note however that
-+   this relies in the fact that sed does reallocation if a buffer
-+   needs to be larger than PATH_MAX.  */
-+#ifndef PATH_MAX
-+# define PATH_MAX 200
-+#endif
- 
- /* handle misdesigned <ctype.h> macros (snarfed from lib/regex.c) */
- /* Jim Meyering writes:
- 
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0000000000..b79be9bc94
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patch adapted from upstream source repository (the changes to 'NEWS'
+don't apply to the Tar 1.29 release tarball).
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+2.11.0
+
diff --git a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch b/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
deleted file mode 100644
index 1426883216..0000000000
--- a/gnu/packages/patches/tcsh-do-not-define-BSDWAIT.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Do not define BSDWAIT to avoid error "storage size of ‘w’ isn’t known".
-
-This is an adapted version of the upstream patch taken from here:
-https://github.com/tcsh-org/tcsh/commit/4689eb60a74bf13bc146ca3d76e9d7a124ab7b49.patch
-
-From 4689eb60a74bf13bc146ca3d76e9d7a124ab7b49 Mon Sep 17 00:00:00 2001
-From: christos <christos>
-Date: Fri, 23 Sep 2016 19:17:28 +0000
-Subject: [PATCH] Don't define BSDWAIT for linux anymore.
-
----
- sh.proc.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/sh.proc.c b/sh.proc.c
-index 49b199f..874d67c 100644
---- sh.proc.c
-+++ sh.proc.c
-@@ -47,11 +47,9 @@ RCSID("$tcsh$")
- # define HZ 16
- #endif /* aiws */
- 
--#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid) || defined(__linux__) || defined(__GNU__) || defined(__GLIBC__)
--# if !defined(__ANDROID__)
--#  define BSDWAIT
--# endif
--#endif /* _BSD || (IRIS4D && __STDC__) || __lucid || glibc */
-+#if defined(_BSD) || (defined(IRIS4D) && __STDC__) || defined(__lucid)
-+# define BSDWAIT
-+#endif /* _BSD || (IRIS4D && __STDC__) || __lucid */
- #ifndef WTERMSIG
- # define WTERMSIG(w)	(((union wait *) &(w))->w_termsig)
- # ifndef BSDWAIT
diff --git a/gnu/packages/patches/tcsh-fix-autotest.patch b/gnu/packages/patches/tcsh-fix-autotest.patch
index a16980161c..78444a1b2a 100644
--- a/gnu/packages/patches/tcsh-fix-autotest.patch
+++ b/gnu/packages/patches/tcsh-fix-autotest.patch
@@ -1,6 +1,6 @@
---- tests/commands.at	2011-01-22 01:04:02.000000000 +0100
-+++ tests/commands.at	2013-02-04 10:57:24.000000000 +0100
-@@ -919,26 +919,27 @@
+--- tests/commands.at
++++ tests/commands.at
+@@ -921,26 +921,27 @@ AT_CLEANUP
  TCSH_UNTESTED([notify])
  
  
@@ -48,27 +48,9 @@
  
  
  AT_SETUP([popd])
-@@ -1203,11 +1204,12 @@
- AT_DATA([script.csh],
- [[set var=$1
- ]])
--AT_CHECK([[tcsh -f -c 'source -h script.csh foo; history' \
--	   | sed 's/	[^	]*	/ TIME /']], ,
--[     1 TIME source -h script.csh foo ; history
--     2 TIME set var=$1
--])
-+# XXX: Not sure why this fails. The output is : "1 TIME set var=$1"
-+#AT_CHECK([[tcsh -f -c 'source -h script.csh foo; history' \
-+#	   | sed 's/	[^	]*	/ TIME /']], ,
-+#[     1 TIME source -h script.csh foo ; history
-+#     2 TIME set var=$1
-+#])
- 
- AT_CHECK([tcsh -f -c 'source -h script.csh foo; echo $var'], 1, [],
- [var: Undefined variable.
---- tests/lexical.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/lexical.at	2013-02-04 10:53:21.000000000 +0100
-@@ -33,9 +33,9 @@
+--- tests/lexical.at
++++ tests/lexical.at
+@@ -35,9 +35,9 @@ AT_CHECK([if [ ! -t 0 ]; then exit 77; fi],, [Skipping comment tests])
  AT_CHECK([echo 'echo OK@%:@comment' | tcsh -f], , [OK
  ])
  
@@ -81,9 +63,33 @@
  
  AT_DATA([comment2.csh],
  [[echo testing...@%:@\
---- tests/subst.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/subst.at	2013-02-01 08:14:25.000000000 +0100
-@@ -54,7 +54,7 @@
+@@ -567,10 +567,10 @@ run=3
+# Adapt to changes in sed 4.3:
+# https://github.com/tcsh-org/tcsh/commit/2ad4fc1705893207598ed5cd21713ddf3f17bba0
+ ]])
+ AT_DATA([uniformity_test.csh],
+ [[
+-set SERVICE_NAME_LOG = `cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g'`
++set SERVICE_NAME_LOG = `cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g'`
+ echo -n "$SERVICE_NAME_LOG" > ./output1
+ 
+-cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g' > ./output2
++cat batchsystem.properties | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\s//g'  |  perl -pe 's/\)/\\\)/g' | perl -pe 's/\(/\\\(/g' > ./output2
+ 
+ diff -uprN ./output1 ./output2 >& /dev/null
+ 
+@@ -587,7 +587,7 @@ AT_DATA([quoting_result_test.csh],
+ echo "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP\)(HOST=db\)(PORT=1521\)\)(CONNECT_DATA=(SERVER=DEDICATED\)(SERVICE_NAME=bns03\)\)\)" > ./expected_result
+ 
+ set string = "jdbc_url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=bns03)))"
+-set SERVICE_NAME_LOG  = `echo "$string" | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[:blank:]*\([^$]*\)$/\1/p' | perl -pe 's/\)/\\\)/g'`
++set SERVICE_NAME_LOG  = `echo "$string" | grep '^jdbc_url' | sed -ne 's/^[^=]*=[^@]*@[[:blank:]]*\([^$]*\)$/\1/p' | perl -pe 's/\)/\\\)/g'`
+ 
+ echo "$SERVICE_NAME_LOG" > ./actual_result
+ 
+--- tests/subst.at
++++ tests/subst.at
+@@ -54,7 +54,7 @@ AT_CHECK([echo 'echo ~; echo "$HOME"' | tcsh -f | uniq | wc -l | tr -d ' \t'],
  , [1
  ])
  
@@ -92,39 +98,9 @@
  	  | wc -l | tr -d ' \t'], , [1
  ])
  
---- tests/variables.at	2011-12-27 22:50:52.000000000 +0100
-+++ tests/variables.at	2013-02-04 11:40:35.000000000 +0100
-@@ -317,17 +317,18 @@
- AT_CLEANUP
- 
- 
--AT_SETUP([$ edit])
--
--AT_CHECK([TERM=something tcsh -f -c 'echo $?edit'], ,
--[1
--])
--
--AT_CHECK([TERM=dumb tcsh -f -c 'echo $?edit'], ,
--[0
--])
--
--AT_CLEANUP
-+# XXX
-+#AT_SETUP([$ edit])
-+#
-+#AT_CHECK([TERM=something tcsh -f -c 'echo $?edit'], ,
-+#[1
-+#])
-+#
-+#AT_CHECK([TERM=dumb tcsh -f -c 'echo $?edit'], ,
-+#[0
-+#])
-+#
-+#AT_CLEANUP
- 
- 
- AT_SETUP([$ ellipsis])
-@@ -642,7 +643,8 @@
+--- tests/variables.at
++++ tests/variables.at
+@@ -666,7 +666,8 @@ set listflags=(-xA $cwd/args.sh)
  ls-F -something .
  ]])
  AT_DATA([args.sh],
@@ -134,7 +110,22 @@
  ]])
  chmod a+x args.sh
  AT_CHECK([tcsh -f listflags.csh], ,
-@@ -695,55 +697,57 @@
+@@ -704,9 +705,9 @@ AT_CHECK([tcsh -f mail.csh], ,
+# This test fails by trying to change to the build user's home
+# directory, which does not exist.
+ AT_CLEANUP
+ 
+ 
+-AT_SETUP([$ cdtohome])
+-AT_CHECK([tcsh -f -c 'cd'], 0)
+-AT_CLEANUP
++#AT_SETUP([$ cdtohome])
++#AT_CHECK([tcsh -f -c 'cd'], 0)
++#AT_CLEANUP
+ AT_SETUP([$ noimplicithome])
+ AT_CHECK([tcsh -f -c 'unset cdtohome; cd'], 1, , [cd: Too few arguments.
+ ])
+@@ -728,55 +729,57 @@ TCSH_UNTESTED([$ oid])
  AT_SETUP([$ owd])
  
  AT_DATA([owd.csh],
diff --git a/gnu/packages/patches/xcb-proto-python3-print.patch b/gnu/packages/patches/xcb-proto-python3-print.patch
new file mode 100644
index 0000000000..7d5dc9bc27
--- /dev/null
+++ b/gnu/packages/patches/xcb-proto-python3-print.patch
@@ -0,0 +1,75 @@
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/proto/commit/?id=bea5e1c85bdc0950913790364e18228f20395a3d
+
+From bea5e1c85bdc0950913790364e18228f20395a3d Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:30:05 +0200
+Subject: [PATCH] print() is a function and needs parentheses.
+
+Fixes build with python-3.x.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ xcbgen/xtypes.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/xcbgen/xtypes.py b/xcbgen/xtypes.py
+index c3b5758..b83b119 100644
+--- a/xcbgen/xtypes.py
++++ b/xcbgen/xtypes.py
+@@ -501,7 +501,7 @@ class ComplexType(Type):
+                 int(required_start_align_element.get('align', "4"), 0),
+                 int(required_start_align_element.get('offset', "0"), 0))
+             if verbose_align_log:
+-                print "Explicit start-align for %s: %s\n" % (self, self.required_start_align)
++                print ("Explicit start-align for %s: %s\n" % (self, self.required_start_align))
+ 
+     def resolve(self, module):
+         if self.resolved:
+@@ -592,7 +592,7 @@ class ComplexType(Type):
+                 if verbose_align_log:
+                     print ("calc_required_start_align: %s has start-align %s"
+                         % (str(self), str(self.required_start_align)))
+-                    print "Details:\n" + str(log)
++                    print ("Details:\n" + str(log))
+                 if self.required_start_align.offset != 0:
+                     print (("WARNING: %s\n\thas start-align with non-zero offset: %s"
+                         + "\n\tsuggest to add explicit definition with:"
+@@ -619,12 +619,12 @@ class ComplexType(Type):
+             for offset in range(0,align):
+                 align_candidate = Alignment(align, offset)
+                 if verbose_align_log:
+-                    print "trying %s for %s" % (str(align_candidate), str(self))
++                    print ("trying %s for %s" % (str(align_candidate), str(self)))
+                 my_log = AlignmentLog()
+                 if self.is_possible_start_align(align_candidate, callstack, my_log):
+                     log.append(my_log)
+                     if verbose_align_log:
+-                        print "found start-align %s for %s" % (str(align_candidate), str(self))
++                        print ("found start-align %s for %s" % (str(align_candidate), str(self)))
+                     return align_candidate
+                 else:
+                     my_ok_count = my_log.ok_count()
+@@ -641,7 +641,7 @@ class ComplexType(Type):
+         # none of the candidates applies
+         # this type has illegal internal aligns for all possible start_aligns
+         if verbose_align_log:
+-            print "didn't find start-align for %s" % str(self)
++            print ("didn't find start-align for %s" % str(self))
+         log.append(best_log)
+         return None
+ 
+@@ -900,7 +900,7 @@ class SwitchType(ComplexType):
+     # aux function for unchecked_get_alignment_after
+     def get_align_for_selected_case_field(self, case_field, start_align, callstack, log):
+         if verbose_align_log:
+-            print "get_align_for_selected_case_field: %s, case_field = %s" % (str(self), str(case_field))
++            print ("get_align_for_selected_case_field: %s, case_field = %s" % (str(self), str(case_field)))
+         total_align = start_align
+         for field in self.bitcases:
+             my_callstack = callstack[:]
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/xcb-proto-python3-whitespace.patch b/gnu/packages/patches/xcb-proto-python3-whitespace.patch
new file mode 100644
index 0000000000..f0509138b2
--- /dev/null
+++ b/gnu/packages/patches/xcb-proto-python3-whitespace.patch
@@ -0,0 +1,217 @@
+Fixes compatibility issue with python > 3.5.
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/xcb/proto/commit/?id=ea7a3ac6c658164690e0febb55f4467cb9e0bcac
+
+From ea7a3ac6c658164690e0febb55f4467cb9e0bcac Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <wiz@NetBSD.org>
+Date: Thu, 19 May 2016 17:30:04 +0200
+Subject: [PATCH] Make whitespace use consistent.
+
+At least python-3.5.x complains about this forcefully.
+
+Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ xcbgen/align.py | 96 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 48 insertions(+), 48 deletions(-)
+
+diff --git a/xcbgen/align.py b/xcbgen/align.py
+index 5e31838..d4c12ee 100644
+--- a/xcbgen/align.py
++++ b/xcbgen/align.py
+@@ -16,12 +16,12 @@ class Alignment(object):
+         return self.align == other.align and self.offset == other.offset
+ 
+     def __str__(self):
+-	return "(align=%d, offset=%d)" % (self.align, self.offset)
++        return "(align=%d, offset=%d)" % (self.align, self.offset)
+ 
+     @staticmethod
+     def for_primitive_type(size):
+-	# compute the required start_alignment based on the size of the type
+-	if size % 8 == 0:
++        # compute the required start_alignment based on the size of the type
++        if size % 8 == 0:
+             # do 8-byte primitives require 8-byte alignment in X11?
+             return Alignment(8,0)
+         elif size % 4 == 0:
+@@ -33,7 +33,7 @@ class Alignment(object):
+ 
+ 
+     def align_after_fixed_size(self, size):
+-	new_offset = (self.offset + size) % self.align
++        new_offset = (self.offset + size) % self.align
+         return Alignment(self.align, new_offset)
+ 
+ 
+@@ -41,7 +41,7 @@ class Alignment(object):
+         '''
+         Assuming the given external_align, checks whether
+         self is fulfilled for all cases.
+-	Returns True if yes, False otherwise.
++        Returns True if yes, False otherwise.
+         '''
+         if self.align == 1 and self.offset == 0:
+             # alignment 1 with offset 0 is always fulfilled
+@@ -55,9 +55,9 @@ class Alignment(object):
+             # the external align guarantees less alignment -> not guaranteed
+             return False
+ 
+-	if external_align.align % self.align != 0:
++        if external_align.align % self.align != 0:
+             # the external align cannot be divided by our align
+-	    # -> not guaranteed
++            # -> not guaranteed
+             # (this can only happen if there are alignments that are not
+             # a power of 2, which is highly discouraged. But better be
+             # safe and check for it)
+@@ -72,7 +72,7 @@ class Alignment(object):
+ 
+     def combine_with(self, other):
+         # returns the alignment that is guaranteed when
+-	# both, self or other, can happen
++        # both, self or other, can happen
+         new_align = gcd(self.align, other.align)
+         new_offset_candidate1 = self.offset % new_align
+         new_offset_candidate2 = other.offset % new_align
+@@ -83,8 +83,8 @@ class Alignment(object):
+             new_align = gcd(new_align, offset_diff)
+             new_offset_candidate1 = self.offset % new_align
+             new_offset_candidate2 = other.offset % new_align
+-	    assert new_offset_candidate1 == new_offset_candidate2
+-	    new_offset = new_offset_candidate1
++            assert new_offset_candidate1 == new_offset_candidate2
++            new_offset = new_offset_candidate1
+         # return the result
+         return Alignment(new_align, new_offset)
+ 
+@@ -92,44 +92,44 @@ class Alignment(object):
+ class AlignmentLog(object):
+ 
+     def __init__(self):
+-	self.ok_list = []
+-	self.fail_list = []
+-	self.verbosity = 1
++        self.ok_list = []
++        self.fail_list = []
++        self.verbosity = 1
+ 
+     def __str__(self):
+-	result = ""
++        result = ""
+ 
+-	# output the OK-list
+-	for (align_before, field_name, type_obj, callstack, align_after) in self.ok_list:
+-	    stacksize = len(callstack)
++        # output the OK-list
++        for (align_before, field_name, type_obj, callstack, align_after) in self.ok_list:
++            stacksize = len(callstack)
+             indent = '  ' * stacksize
+-	    if self.ok_callstack_is_relevant(callstack):
++            if self.ok_callstack_is_relevant(callstack):
+                 if field_name is None or field_name == "":
+-	            result += ("    %sok: %s:\n\t%sbefore: %s, after: %s\n"
+-		        % (indent, str(type_obj), indent, str(align_before), str(align_after)))
+-	        else:
+-		    result += ("    %sok: field \"%s\" in %s:\n\t%sbefore: %s, after: %s\n"
+-		        % (indent, str(field_name), str(type_obj),
+-		           indent, str(align_before), str(align_after)))
++                    result += ("    %sok: %s:\n\t%sbefore: %s, after: %s\n"
++                        % (indent, str(type_obj), indent, str(align_before), str(align_after)))
++                else:
++                    result += ("    %sok: field \"%s\" in %s:\n\t%sbefore: %s, after: %s\n"
++                        % (indent, str(field_name), str(type_obj),
++                           indent, str(align_before), str(align_after)))
+                 if self.verbosity >= 1:
+-		    result += self.callstack_to_str(indent, callstack)
++                    result += self.callstack_to_str(indent, callstack)
+ 
+-	# output the fail-list
+-	for (align_before, field_name, type_obj, callstack, reason) in self.fail_list:
+-	    stacksize = len(callstack)
++        # output the fail-list
++        for (align_before, field_name, type_obj, callstack, reason) in self.fail_list:
++            stacksize = len(callstack)
+             indent = '  ' * stacksize
+-	    if field_name is None or field_name == "":
+-	        result += ("    %sfail: align %s is incompatible with\n\t%s%s\n\t%sReason: %s\n"
+-		    % (indent, str(align_before), indent, str(type_obj), indent, reason))
+-	    else:
+-		result += ("    %sfail: align %s is incompatible with\n\t%sfield \"%s\" in %s\n\t%sReason: %s\n"
+-		    % (indent, str(align_before), indent, str(field_name), str(type_obj), indent, reason))
++            if field_name is None or field_name == "":
++                result += ("    %sfail: align %s is incompatible with\n\t%s%s\n\t%sReason: %s\n"
++                    % (indent, str(align_before), indent, str(type_obj), indent, reason))
++            else:
++                result += ("    %sfail: align %s is incompatible with\n\t%sfield \"%s\" in %s\n\t%sReason: %s\n"
++                    % (indent, str(align_before), indent, str(field_name), str(type_obj), indent, reason))
+ 
+             if self.verbosity >= 1:
+-	        result += self.callstack_to_str(indent, callstack)
++                result += self.callstack_to_str(indent, callstack)
+ 
+ 
+-	return result
++        return result
+ 
+ 
+     def callstack_to_str(self, indent, callstack):
+@@ -137,41 +137,41 @@ class AlignmentLog(object):
+         for stack_elem in callstack:
+             result += "\t  %s%s\n" % (indent, str(stack_elem))
+         result += "\t%s]\n" % indent
+-	return result
++        return result
+ 
+ 
+     def ok_callstack_is_relevant(self, ok_callstack):
+         # determine whether an ok callstack is relevant for logging
+-	if self.verbosity >= 2:
+-	    return True
++        if self.verbosity >= 2:
++            return True
+ 
+         # empty callstacks are always relevant
+-	if len(ok_callstack) == 0:
++        if len(ok_callstack) == 0:
+             return True
+ 
+-	# check whether the ok_callstack is a subset or equal to a fail_callstack
++        # check whether the ok_callstack is a subset or equal to a fail_callstack
+         for (align_before, field_name, type_obj, fail_callstack, reason) in self.fail_list:
+             if len(ok_callstack) <= len(fail_callstack):
+                 zipped = zip(ok_callstack, fail_callstack[:len(ok_callstack)])
+-		is_subset = all([i == j for i, j in zipped])
+-		if is_subset:
++                is_subset = all([i == j for i, j in zipped])
++                if is_subset:
+                     return True
+ 
+         return False
+ 
+ 
+     def ok(self, align_before, field_name, type_obj, callstack, align_after):
+-	self.ok_list.append((align_before, field_name, type_obj, callstack, align_after))
++        self.ok_list.append((align_before, field_name, type_obj, callstack, align_after))
+ 
+     def fail(self, align_before, field_name, type_obj, callstack, reason):
+-	self.fail_list.append((align_before, field_name, type_obj, callstack, reason))
++        self.fail_list.append((align_before, field_name, type_obj, callstack, reason))
+ 
+     def append(self, other):
+-	self.ok_list.extend(other.ok_list)
+-	self.fail_list.extend(other.fail_list)
++        self.ok_list.extend(other.ok_list)
++        self.fail_list.extend(other.fail_list)
+ 
+     def ok_count(self):
+-	return len(self.ok_list)
++        return len(self.ok_list)
+ 
+ 
+ 
+-- 
+2.11.1
+
diff --git a/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch b/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch
new file mode 100644
index 0000000000..dc594bdccb
--- /dev/null
+++ b/gnu/packages/patches/xf86-input-wacom-xorg-abi-25.patch
@@ -0,0 +1,46 @@
+Resolves a test compatibility issue with xorg >= 1.19.
+
+Upstream bug report:
+
+https://sourceforge.net/p/linuxwacom/bugs/329/
+
+Patch copied from upstream source repository:
+
+https://sourceforge.net/p/linuxwacom/xf86-input-wacom/ci/f0dedf7a610ac97bc45738492b98ce4f1e0514ec/
+
+From f0dedf7a610ac97bc45738492b98ce4f1e0514ec Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Wed, 18 Jan 2017 09:00:10 -0800
+Subject: [PATCH] tests: Fix compilation under ABI 25 and greater
+
+diff --git a/test/fake-symbols.c b/test/fake-symbols.c
+index 6f2c10a..e649fb9 100644
+--- a/test/fake-symbols.c
++++ b/test/fake-symbols.c
+@@ -493,6 +493,7 @@ void TimerFree(OsTimerPtr timer)
+ {
+ }
+ 
++#if GET_ABI_MAJOR(ABI_XINPUT_VERSION) < 24
+ int
+ xf86BlockSIGIO (void)
+ {
+@@ -503,6 +504,15 @@ void
+ xf86UnblockSIGIO (int wasset)
+ {
+ }
++#else
++void input_lock (void)
++{
++}
++
++void input_unlock (void)
++{
++}
++#endif
+ 
+ /* This is not the same as the X server one, but it'll do for the tests */
+ #if GET_ABI_MAJOR(ABI_XINPUT_VERSION) >= 14
+-- 
+2.11.1
+
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 8b92e47a4d..011a30dd38 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -32,7 +32,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.38")
+   (version "8.40")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -43,8 +43,7 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))
-            (patches (list (search-patch "pcre-CVE-2016-3191.patch")))))
+              "1x7lpjn7jhk0n3sdvggxrlrhab8kkfjwl7qix0ypw9nlx8lpmqh0"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 873100cd78..ef63f58f64 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -74,14 +74,14 @@
 (define-public poppler
   (package
    (name "poppler")
-   (version "0.50.0")
+   (version "0.52.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0dmwnh59m75vhii6dw63x8l0qa0ha733pb8bdqzr7lw9nwc37jf9"))))
+              "14hrrac2f1phi5j0qn283457w06vsp9gr075yqjrm7w370bnd2sj"))))
    (build-system gnu-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
@@ -482,7 +482,6 @@ extracting content or merging files.")
 (define-public mupdf
   (package
     (name "mupdf")
-    (replacement mupdf/fixed)
     (version "1.10a")
     (source
       (origin
@@ -492,7 +491,9 @@ extracting content or merging files.")
         (sha256
          (base32
           "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
-        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
+        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
+                                 "mupdf-mujs-CVE-2016-10132.patch"
+                                 "mupdf-mujs-CVE-2016-10133.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
@@ -541,20 +542,6 @@ line tools for batch rendering (pdfdraw), rewriting files (pdfclean),
 and examining the file structure (pdfshow).")
     (license license:agpl3+)))
 
-(define mupdf/fixed
-  (package
-    (inherit mupdf)
-    (source
-      (origin
-        (inherit (package-source mupdf))
-        (patches
-          (append
-            (origin-patches (package-source mupdf))
-            (search-patches "mupdf-mujs-CVE-2016-10132.patch"
-                            "mupdf-mujs-CVE-2016-10133.patch"
-                            "mupdf-CVE-2017-5896.patch"
-                            "mupdf-CVE-2017-5991.patch")))))))
-
 (define-public qpdf
   (package
    (name "qpdf")
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index a84ff43d77..0dfee36c1b 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -50,21 +50,10 @@
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:prefix license:))
 
-;; This fixes PHP bugs 73155 and 73159. Remove when gd
-;; is updated to > 2.2.3.
-(define gd-for-php
-  (package (inherit gd)
-           (source
-            (origin
-              (inherit (package-source gd))
-              (patches (search-patches
-                        "gd-fix-truecolor-format-correction.patch"
-                        "gd-fix-chunk-size-on-boundaries.patch"))))))
-
 (define-public php
   (package
     (name "php")
-    (version "7.0.14")
+    (version "7.1.2")
     (home-page "https://secure.php.net/")
     (source (origin
               (method url-fetch)
@@ -72,7 +61,7 @@
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "12ccgbrfchgvmcfb88rcknq7xmrf19c5ysdr4v8jxk51j9izy78g"))
+                "0wg9ng230w724rpwsrhcg4pw41xm1xhz0zx76haanyymkz1s05fq"))
               (modules '((guix build utils)))
               (snippet
                '(with-directory-excursion "ext"
@@ -179,6 +168,13 @@
                             "ext/standard/tests/general_functions/bug44667.phpt"
                             "ext/standard/tests/general_functions/proc_open.phpt")
                (("/bin/cat") (which "cat")))
+
+             ;; These tests fail because they include a file whose modification
+             ;; time is 0. Touch them to make the test pass. The issue is reported
+             ;; upstream as #74137.
+             (utime "sapi/phpdbg/tests/include.inc" 1 1)
+             (utime "sapi/phpdbg/tests/phpdbg_get_executable_stream_wrapper.inc" 1 1)
+
              ;; The encoding of this file is not recognized, so we simply drop it.
              (delete-file "ext/mbstring/tests/mb_send_mail07.phpt")
 
@@ -257,8 +253,10 @@
                          ;; The test expects an Array, but instead get the contents(?).
                          "ext/gd/tests/bug43073.phpt"
                          ;; imagettftext() returns wrong coordinates.
+                         "ext/gd/tests/bug48732-mb.phpt"
                          "ext/gd/tests/bug48732.phpt"
                          ;; Similarly for imageftbbox().
+                         "ext/gd/tests/bug48801-mb.phpt"
                          "ext/gd/tests/bug48801.phpt"
                          ;; Different expected output from imagecolorallocate().
                          "ext/gd/tests/bug53504.phpt"
@@ -291,10 +289,11 @@
        ("curl" ,curl)
        ("cyrus-sasl" ,cyrus-sasl)
        ("freetype" ,freetype)
-       ("gd" ,gd-for-php)
+       ("gd" ,gd)
        ("gdbm" ,gdbm)
        ("glibc" ,glibc)
        ("gmp" ,gmp)
+       ("gnutls" ,gnutls)
        ("libgcrypt" ,libgcrypt)
        ("libjpeg" ,libjpeg)
        ("libpng" ,libpng)
@@ -309,7 +308,7 @@
        ("pcre" ,pcre)
        ("postgresql" ,postgresql)
        ("readline" ,readline)
-       ("sqlite" ,sqlite-3.15.1)
+       ("sqlite" ,sqlite)
        ("tidy" ,tidy)
        ("zip" ,zip)
        ("zlib" ,zlib)))
diff --git a/gnu/packages/pkg-config.scm b/gnu/packages/pkg-config.scm
index d7cc454e03..01069d27a5 100644
--- a/gnu/packages/pkg-config.scm
+++ b/gnu/packages/pkg-config.scm
@@ -30,7 +30,7 @@
 (define-public %pkg-config
   (package
    (name "pkg-config")
-   (version "0.29")
+   (version "0.29.1")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -46,14 +46,14 @@
                    version ".tar.gz")))
             (sha256
              (base32
-              "0sq09a39wj4cxf8l2jvkq067g08ywfma4v6nhprnf351s82pfl68"))))
+              "00dh1jn8rbppmgbhhgqhmbh3c58b0gccy39rsjdlcma50sg3rd5y"))))
    (build-system gnu-build-system)
    (arguments `(#:configure-flags '("--with-internal-glib")))
    (native-search-paths
     (list (search-path-specification
            (variable "PKG_CONFIG_PATH")
            (files '("lib/pkgconfig" "lib64/pkgconfig" "share/pkgconfig")))))
-   (home-page "http://www.freedesktop.org/wiki/Software/pkg-config")
+   (home-page "https://www.freedesktop.org/wiki/Software/pkg-config")
    (license gpl2+)
    (synopsis "Helper tool used when compiling applications and libraries")
    (description
diff --git a/gnu/packages/pth.scm b/gnu/packages/pth.scm
index 50385b14f8..ed6637b330 100644
--- a/gnu/packages/pth.scm
+++ b/gnu/packages/pth.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -37,8 +38,13 @@
         "0ckjqw5kz5m30srqi87idj7xhpw6bpki43mj07bazjm2qmh3cdbj"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:parallel-build? #f))
-    (home-page "http://www.gnu.org/software/pth")
+     `(#:parallel-build? #f
+       #:configure-flags (list 
+                           ,@(if (string=? "aarch64-linux"
+                                           (%current-system))
+                               '("--host=aarch64-unknown-linux-gnu")
+                               '()))))
+    (home-page "https://www.gnu.org/software/pth")
     (synopsis "Portable thread library")
     (description
      "GNU Pth is a portable library providing non-preemptive, priority-based
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 9a22b38ec2..a12f8d8494 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -42,14 +42,14 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
-    (version "1.0.26")
+    (version "1.0.27")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://www.mega-nerd.com/libsndfile/files/libsndfile-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "14jhla289cj45946h0hq2an0a9g4wkwb3v4571bla6ixfvn20rfd"))))
+               "1h7s61nhf7vklh9sdsbbqzb6x287q4x4j1jc5gmjragl4wprb4d3"))))
     (build-system gnu-build-system)
     (inputs
      `(("libvorbis" ,libvorbis)
@@ -113,7 +113,7 @@ rates.")
 (define-public pulseaudio
   (package
     (name "pulseaudio")
-    (version "9.0")
+    (version "10.0")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -121,7 +121,7 @@ rates.")
                    name "-" version ".tar.xz"))
              (sha256
               (base32
-               "11j682g2mn723sz3bh4i44ggq29z053zcggy0glzn63zh9mxdly3"))
+               "0mrg8qvpwm4ifarzphl3749p7p050kdx1l6mvsaj03czvqj6h653"))
              (modules '((guix build utils)))
              (snippet
               ;; Disable console-kit support by default since it's deprecated
@@ -155,7 +155,6 @@ rates.")
      `(("alsa-lib" ,alsa-lib)
        ("bluez" ,bluez)
        ("sbc" ,sbc)
-       ("json-c" ,json-c)
        ("speex" ,speex)
        ("libsndfile" ,libsndfile)
        ("libsamplerate" ,libsamplerate)
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 15c8a8eff4..8326de679d 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -173,6 +173,7 @@
        (list "--enable-shared"                    ;allow embedding
              "--with-system-ffi"                  ;build ctypes
              "--with-ensurepip=install"           ;install pip and setuptools
+             "--enable-unicode=ucs4"
              (string-append "LDFLAGS=-Wl,-rpath="
                             (assoc-ref %outputs "out") "/lib"))
 
@@ -329,7 +330,10 @@ data types.")
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "0h6a5fr7ram2s483lh0pnmc4ncijb8llnpfdxdcl5dxr01hza400"))))
+                "0h6a5fr7ram2s483lh0pnmc4ncijb8llnpfdxdcl5dxr01hza400"))
+              (snippet
+               '(delete-file
+                  "Lib/ctypes/test/test_win32.py")))) ; fails on aarch64
     (arguments (substitute-keyword-arguments (package-arguments python-2)
                  ((#:tests? _) #t)))
     (native-search-paths
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 2ea23acd33..0cbd3a53e1 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -218,8 +218,7 @@ written by Paul Haahr and Byron Rakitzis.")
 (define-public tcsh
   (package
     (name "tcsh")
-    (replacement tcsh/fixed)
-    (version "6.18.01")
+    (version "6.20.00")
     (source (origin
               (method url-fetch)
               ;; Old tarballs are moved to old/.
@@ -229,43 +228,44 @@ written by Paul Haahr and Byron Rakitzis.")
                                         "old/tcsh-" version ".tar.gz")))
               (sha256
                (base32
-                "1a4z9kwgx1iqqzvv64si34m60gj34p7lp6rrcrb59s7ka5wa476q"))
+                "17ggxkkn5skl0v1x0j6hbv5l0sgnidfzwv16992sqkdm983fg7dq"))
               (patches (search-patches "tcsh-fix-autotest.patch"
-                                       "tcsh-do-not-define-BSDWAIT.patch"))
+                                       "tcsh-fix-out-of-bounds-read.patch"))
               (patch-flags '("-p0"))))
     (build-system gnu-build-system)
-    (inputs
+    (native-inputs
      `(("autoconf" ,autoconf)
-       ("coreutils" ,coreutils)
-       ("ncurses" ,ncurses)))
+       ("perl" ,perl)))
+    (inputs
+     `(("ncurses" ,ncurses)))
     (arguments
      `(#:phases
-       (alist-cons-before
-        'check 'patch-test-scripts
-        (lambda _
-          ;; Take care of pwd
-          (substitute* '("tests/commands.at" "tests/variables.at")
-            (("/bin/pwd") (which "pwd")))
-          ;; The .at files create shell scripts without shebangs. Erk.
-          (substitute* "tests/commands.at"
-            (("./output.sh") "/bin/sh output.sh"))
-          (substitute* "tests/syntax.at"
-            (("; other_script.csh") "; /bin/sh other_script.csh"))
-          ;; Now, let's generate the test suite and patch it
-          (system* "make" "tests/testsuite")
+        (modify-phases %standard-phases
+          (add-before 'check 'patch-test-scripts
+            (lambda _
+              ;; Take care of pwd
+              (substitute* '("tests/commands.at" "tests/variables.at")
+                (("/bin/pwd") (which "pwd")))
+              ;; The .at files create shell scripts without shebangs. Erk.
+              (substitute* "tests/commands.at"
+                (("./output.sh") "/bin/sh output.sh"))
+              (substitute* "tests/syntax.at"
+                (("; other_script.csh") "; /bin/sh other_script.csh"))
+              ;; Now, let's generate the test suite and patch it
+              (system* "make" "tests/testsuite")
 
-          ;; This file is ISO-8859-1 encoded.
-          (with-fluids ((%default-port-encoding #f))
-            (substitute* "tests/testsuite"
-              (("/bin/sh") (which "sh")))))
-        (alist-cons-after
-         'install 'post-install
-         (lambda* (#:key inputs outputs #:allow-other-keys)
-          (let* ((out (assoc-ref %outputs "out"))
-                 (bin (string-append out "/bin")))
-           (with-directory-excursion bin
-             (symlink "tcsh" "csh"))))
-         %standard-phases))))
+              ;; This file is ISO-8859-1 encoded.
+              (with-fluids ((%default-port-encoding #f))
+                (substitute* "tests/testsuite"
+                  (("/bin/sh") (which "sh"))))
+              #t))
+          (add-after 'install 'post-install
+            (lambda* (#:key inputs outputs #:allow-other-keys)
+              (let* ((out (assoc-ref %outputs "out"))
+                     (bin (string-append out "/bin")))
+                (with-directory-excursion bin
+                  (symlink "tcsh" "csh"))
+                #t))))))
     (home-page "http://www.tcsh.org/")
     (synopsis "Unix shell based on csh")
     (description
@@ -276,15 +276,6 @@ command-line editor, programmable word completion, spelling correction, a
 history mechanism, job control and a C-like syntax.")
     (license bsd-4)))
 
-(define tcsh/fixed
-  (package
-    (inherit tcsh)
-    (name "tcsh")
-    (source (origin
-              (inherit (package-source tcsh))
-              (patches (cons (search-patch "tcsh-fix-out-of-bounds-read.patch")
-                             (origin-patches (package-source tcsh))))))))
-
 (define-public zsh
   (package
     (name "zsh")
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index be4d2a7ade..eaa832269d 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -85,7 +85,7 @@ remote applications.")
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.7.0")
+   (version "1.8.0")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -93,13 +93,21 @@ remote applications.")
                    version ".tar.gz"))
             (sha256
              (base32
-              "116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
+              "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))
+            (patches
+             (search-patches "libssh2-fix-build-failure-with-gcrypt.patch"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
    (propagated-inputs `(("libgcrypt" ,libgcrypt)
                         ("zlib" ,zlib)))
-   (arguments '(#:configure-flags `("--with-libgcrypt")))
+   (arguments '(#:configure-flags `("--with-libgcrypt")
+                #:phases (modify-phases %standard-phases
+                           (add-before 'configure 'autoreconf
+                             (lambda _
+                               (zero? (system* "autoreconf" "-v")))))))
+   (native-inputs `(("autoconf" ,autoconf)
+                    ("automake" ,automake)))
    (synopsis "Client-side C library implementing the SSH2 protocol")
    (description
     "libssh2 is a library intended to allow software developers access to
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index 4cd94299df..f9a23c3230 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -37,14 +37,14 @@
 (define-public tcl
   (package
     (name "tcl")
-    (version "8.6.4")
+    (version "8.6.6")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                   version "/tcl" version "-src.tar.gz"))
               (sha256
                (base32
-                "13cwa4bc85ylf5gfj9vk182lvgy60qni3f7gbxghq78wk16djvly"))
+                "01zypqhy57wvh1ikk28bg733sk5kf4q568pq9v6fvcz4h6bl0rd2"))
               (patches (search-patches "tcl-mkindex-deterministic.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -135,14 +135,14 @@ X11 GUIs.")
 (define-public tk
   (package
     (name "tk")
-    (version "8.6.4")
+    (version "8.6.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                  version "/tk" version "-src.tar.gz"))
              (sha256
               (base32
-               "1h96vp15zl5xz0d4qp6wjyrchqmrmdm3q5k22wkw9jaxbvw9vy88"))
+               "17diivcfcwdhp4v5zi6j9nkxncccjqkivhp363c4wx5lf4d3fb6n"))
              (patches (search-patches "tk-find-library.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 32aa7a61dc..9796c18c7d 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -52,7 +52,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.9")
+    (version "4.10")
     (source
      (origin
       (method url-fetch)
@@ -60,7 +60,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "0869cp6jx7cajgv6cnddsh3vc7bimmdkdjn80y1jpb4iss7plvsg"))))
+        "00jsix5hny0g768zv4hk78dib7w0qmk5fbizf4jj37r51nd4s6k8"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (home-page "http://www.gnu.org/software/libtasn1/")
@@ -140,8 +140,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.5.4")
-    (replacement gnutls-3.5.8)
+    (version "3.5.9")
     (source (origin
              (method url-fetch)
              (uri
@@ -152,7 +151,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
+               "0l9971841jsfdcvcyhas17sk5rsby6x5vvwcmmj4x3zi9q60zcc2"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -195,12 +194,11 @@ living in the same process.")
        ("pkg-config" ,pkg-config)
        ("which" ,which)))
     (inputs
-     `(("guile" ,guile-2.0)
-       ("perl" ,perl)))
+     `(("guile" ,guile-2.0)))
     (propagated-inputs
      ;; These are all in the 'Requires.private' field of gnutls.pc.
      `(("libtasn1" ,libtasn1)
-       ("libidn" ,libidn)
+       ("libidn2" ,libidn2)
        ("nettle" ,nettle)
        ("zlib" ,zlib)))
     (home-page "https://www.gnu.org/software/gnutls/")
@@ -214,38 +212,23 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-(define gnutls-3.5.8                              ;fixes GNUTLS-SA-2017-{1,2}
-  (package
-    (inherit gnutls)
-    (version "3.5.8")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/gnutls/v"
-                                  (version-major+minor version)
-                                  "/gnutls-" version ".tar.xz"))
-              (sha256
-               (base32
-                "1zyl2z63s68hx1dpxqx0lykmlf3rwrzlrf44sq3h7dvjmr1z55qf"))))
-    (replacement #f)))
-
 (define-public gnutls/guile-2.2
   ;; GnuTLS for Guile 2.2.  This is supported by GnuTLS >= 3.5.5.
   (package
-    (inherit gnutls-3.5.8)
+    (inherit gnutls)
     (name "guile2.2-gnutls")
     (arguments
      ;; Remove '--with-guile-site-dir=…/2.0'.
-     (substitute-keyword-arguments (package-arguments gnutls-3.5.8)
+     (substitute-keyword-arguments (package-arguments gnutls)
        ((#:configure-flags flags)
         `(cdr ,flags))))
     (inputs `(("guile" ,guile-next)
-              ,@(alist-delete "guile" (package-inputs gnutls-3.5.8))))))
+              ,@(alist-delete "guile" (package-inputs gnutls))))))
 
 (define-public openssl
   (package
    (name "openssl")
-   (replacement openssl-1.0.2k)
-   (version "1.0.2j")
+   (version "1.0.2k")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -255,7 +238,7 @@ required structures.")
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
-               "0cf4ar97ijfc7mg35zdgpad6x8ivkdx9qii6mz35khi1ps9g5bz7"))
+               "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
@@ -325,7 +308,6 @@ required structures.")
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
-              (mkdir-p slib)
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
@@ -352,7 +334,7 @@ required structures.")
            (let ((bash (assoc-ref (or native-inputs inputs) "bash")))
              (substitute* (find-files "test" ".*")
                (("/bin/sh")
-                (string-append bash "/bin/bash"))
+                (string-append bash "/bin/sh"))
                (("/bin/rm")
                 "rm"))
              #t)))
@@ -382,29 +364,9 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
-(define openssl-1.0.2k
-  (package
-    (inherit openssl)
-    (name "openssl")
-    (version "1.0.2k")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (list (string-append "ftp://ftp.openssl.org/source/"
-                                  name "-" version ".tar.gz")
-                   (string-append "ftp://ftp.openssl.org/source/old/"
-                                  (string-trim-right version char-set:letter)
-                                  "/" name "-" version ".tar.gz")))
-        (sha256
-         (base32
-          "1h6qi35w6hv6rd73p4cdgdzg732pdrfgpp37cgwz1v9a3z37ffbb"))
-        (patches (search-patches "openssl-runpath.patch"
-                                 "openssl-c-rehash-in.patch"))))))
-
 (define-public openssl-next
   (package
     (inherit openssl)
-    (replacement #f)
     (name "openssl")
     (version "1.1.0e")
     (source (origin
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index ccda00173d..7f352d0b0b 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -288,13 +288,14 @@ as well as the classic centralized workflow.")
    (native-search-paths
     ;; For HTTPS access, Git needs a single-file certificate bundle, specified
     ;; with $GIT_SSL_CAINFO.
-    ;; FIXME: This variable designates a single file; it is not a search path.
     (list (search-path-specification
            (variable "GIT_SSL_CAINFO")
            (file-type 'regular)
+           (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))
           (search-path-specification
            (variable "GIT_EXEC_PATH")
+           (separator #f)                         ;single entry
            (files '("libexec/git-core")))))
 
    (synopsis "Distributed version control system")
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index ec390d4db9..9f73a7ad59 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -136,6 +136,11 @@
                                                       (%current-system))
                                             '("--host=mips64el-unknown-linux-gnu")
                                             '())
+                                      ;; The same is also true with aarch64.
+                                      ,@(if (string=? "aarch64-linux"
+                                                      (%current-system))
+                                            '("--host=aarch64-unknown-linux-gnu")
+                                            '())
                                       (string-append "--with-ncurses="
                                                      ncurses)))))))))
     (home-page "http://aa-project.sourceforge.net/aalib/")
@@ -394,7 +399,7 @@ SMPTE 314M.")
 (define-public libva
   (package
     (name "libva")
-    (version "1.7.1")
+    (version "1.7.3")
     (source
      (origin
        (method url-fetch)
@@ -402,7 +407,7 @@ SMPTE 314M.")
              "https://www.freedesktop.org/software/vaapi/releases/libva/libva-"
              version".tar.bz2"))
        (sha256
-        (base32 "1j8mb3p9kafhp30r3kmndnrklvzycc2ym0w6xdqz6m7jap626028"))))
+        (base32 "1ndrf136rlw03xag7j1xpmf9015d1h0dpnv6v587jnh6k2a17g12"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 5afc495ad7..783bce0d56 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -142,14 +142,14 @@ avoiding password prompts when X11 forwarding has already been setup.")
 (define-public libxkbcommon
   (package
     (name "libxkbcommon")
-    (version "0.6.1")
+    (version "0.7.1")
     (source (origin
              (method url-fetch)
-             (uri (string-append "http://xkbcommon.org/download/" name "-"
+             (uri (string-append "https://xkbcommon.org/download/" name "-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0q47xa1szlxwgvwmhv4b7xwawnykz1hnc431d84nj8dlh2q8f22v"))))
+               "12z6hih3n1r0asp2hzp9qsiwdfkfz46jwp06x8kprr0r5rfk0nds"))))
     (build-system gnu-build-system)
     (inputs
      `(("libx11" ,libx11)
@@ -166,7 +166,7 @@ avoiding password prompts when X11 forwarding has already been setup.")
              (string-append "--with-x-locale-root="
                             (assoc-ref %build-inputs "libx11")
                             "/share/X11/locale"))))
-    (home-page "http://xkbcommon.org/")
+    (home-page "https://xkbcommon.org/")
     (synopsis "Library to handle keyboard descriptions")
     (description "Xkbcommon is a library to handle keyboard descriptions,
 including loading them from disk, parsing them and handling their
@@ -277,7 +277,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.68")
+    (version "2.4.75")
     (source
       (origin
         (method url-fetch)
@@ -287,7 +287,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
          (base32
-          "1px91j6imaaq2fy8ksvgldmv0cdz3w379jqiciqvqa99jajxjjsv"))
+          "0kq5hmck0gq7b29fr8jp94njc7jpkpbyws12s63w4b21xw750nid"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (inputs
@@ -830,7 +830,9 @@ Wacom tablet applet.")
                     name "-" version ".tar.bz2"))
               (sha256
                (base32
-                "0idhkigl0pnyp08sqm6bqfb4h20v6rjrb71z1gdv59gk7d7qwpgi"))))
+                "0idhkigl0pnyp08sqm6bqfb4h20v6rjrb71z1gdv59gk7d7qwpgi"))
+              (patches
+               (search-patches "xf86-input-wacom-xorg-abi-25.patch"))))
     (arguments
      `(#:configure-flags
        (list (string-append "--with-sdkdir="
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index ec84bdeedb..5ad504604a 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -127,7 +127,7 @@ compressed video format.")
 (define speex
   (package
     (name "speex")
-    (version "1.2rc1")
+    (version "1.2.0")
     (source
      (origin
       (method url-fetch)
@@ -135,7 +135,7 @@ compressed video format.")
                           version ".tar.gz"))
       (sha256
        (base32
-        "19mpkhbz3s08snvndn0h1dk2j139max6b0rr86nnsjmxazf30brl"))))
+        "150047wnllz4r94whb9r73l5qf0z5z3rlhy98bawfbblmkq8mbpa"))))
     (build-system gnu-build-system)
     (inputs `(("libogg" ,libogg)))
     (home-page "https://gnu.org/software/speex")
@@ -202,14 +202,14 @@ It currently supports:
 (define flac
   (package
    (name "flac")
-   (version "1.3.1")
+   (version "1.3.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://downloads.xiph.org/releases/flac/flac-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0v65w7ph6ldwp5a8fbhp0a3w8f737ck468fr7yb7sxmskl4w0ws7"))))
+              "0gymm2j3276kr9nz6vmgfwsdfrq6c449n40a0mzz8h6wc7nw7kwi"))))
    (build-system gnu-build-system)
    (arguments
     `(#:parallel-tests? #f))
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 66eb63ade4..a818cb8d4e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
@@ -74,12 +74,13 @@ things the parser might find in the XML document (like start tags).")
 (define-public libxml2
   (package
     (name "libxml2")
-    (replacement libxml2/fixed)
     (version "2.9.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))
+             (patches (search-patches "libxml2-CVE-2016-4658.patch"
+                                      "libxml2-CVE-2016-5131.patch"))
              (sha256
               (base32
                "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
@@ -102,19 +103,9 @@ things the parser might find in the XML document (like start tags).")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
-(define libxml2/fixed
-  (package
-    (inherit libxml2)
-    (source
-      (origin
-        (inherit (package-source libxml2))
-        (patches (search-patches "libxml2-CVE-2016-4658.patch"
-                                 "libxml2-CVE-2016-5131.patch"))))))
-
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")
-    (replacement #f)
     (build-system python-build-system)
     (arguments
      `(;; XXX: Tests are specified in 'Makefile.am', but not in 'setup.py'.
@@ -144,12 +135,12 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
-    (replacement libxslt/fixed)
     (version "1.1.29")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                  version ".tar.gz"))
+             (patches (search-patches "libxslt-CVE-2016-4738.patch"))
              (sha256
               (base32
                "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
@@ -166,14 +157,6 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
-(define libxslt/fixed
-  (package
-    (inherit libxslt)
-    (name "libxslt")
-    (source (origin
-              (inherit (package-source libxslt))
-              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
-
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index d300f232d4..18354271ee 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -49,6 +49,7 @@
   #:use-module (gnu packages gnupg)
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages image)
+  #:use-module (gnu packages libbsd)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages m4)
   #:use-module (gnu packages ncurses)
@@ -176,7 +177,7 @@ directory tree.")
             "09i03sk878cmx2i40lkpsysn7zqcvlczb30j7x3lryb11jz4gx1q"))))
     (build-system gnu-build-system)
     (inputs
-      `(("libxfont" ,libxfont)))
+      `(("libxfont2" ,libxfont2)))
     (native-inputs
        `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
@@ -1248,7 +1249,8 @@ with the Cygwin XWin server when running X11 in a rootless mode.")
             "1qp4yhxbfnpj34swa0fj635kkihdkwaiw7kf55cg5zqqg630kzl1"))))
     (build-system gnu-build-system)
     (inputs
-      `(("xproto" ,xproto)))
+      `(("libbsd" ,libbsd)
+        ("xproto" ,xproto)))
     (native-inputs
        `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
@@ -2054,21 +2056,24 @@ emulate a TI-30 or an HP-10C.")
 (define-public xcb-proto
   (package
     (name "xcb-proto")
-    (version "1.11")
+    (version "1.12")
     (source
       (origin
         (method url-fetch)
         (uri (string-append
-               "mirror://xorg/individual/xcb/xcb-proto-"
+               "https://xcb.freedesktop.org/dist/xcb-proto-"
                version
                ".tar.bz2"))
         (sha256
           (base32
-            "0bp3f53l9fy5x3mn1rkj1g81aiyzl90wacwvqdgy831aa3kfxb5l"))))
+           "01j91946q8f34l1mbvmmgvyc393sm28ym4lxlacpiav4qsjan8jr"))
+        (patches
+         (search-patches "xcb-proto-python3-whitespace.patch"
+                         "xcb-proto-python3-print.patch"))))
     (build-system gnu-build-system)
     (native-inputs
       `(("pkg-config" ,pkg-config) ("python" ,python-minimal-wrapper)))
-    (home-page "https://www.x.org/wiki/")
+    (home-page "https://xcb.freedesktop.org/")
     (synopsis "XML-XCB protocol descriptions")
     (description
      "XCB-Proto provides the XML-XCB protocol descriptions that libxcb
@@ -2697,7 +2702,7 @@ framebuffer device.")
 (define-public xf86-video-geode
   (package
     (name "xf86-video-geode")
-    (version "2.11.18")
+    (version "2.11.19")
     (source
       (origin
         (method url-fetch)
@@ -2707,7 +2712,7 @@ framebuffer device.")
                ".tar.bz2"))
         (sha256
           (base32
-           "1s59kdj573v38sb14xfhp1l926aypbhy11vaz36y72x6calfkv6n"))
+           "0zn9gb49grds5mcs1dlrx241k2w1sgqmx4i5x7v6159xxqhlqsf6"))
         (patches (search-patches "xf86-video-geode-glibc-2.20.patch"))))
     (build-system gnu-build-system)
     (inputs `(("xorg-server" ,xorg-server)))
@@ -2825,7 +2830,7 @@ X server.")
       (inputs `(("mesa" ,mesa)
                 ("udev" ,eudev)
                 ("libx11" ,libx11)
-                ("libxfont" ,libxfont)
+                ("libxfont" ,libxfont2)
                 ("xorg-server" ,xorg-server)))
       (native-inputs
        `(("pkg-config" ,pkg-config)
@@ -3057,7 +3062,7 @@ UniChrome Pro and Chrome9 integrated graphics processors.")
     (build-system gnu-build-system)
     (inputs
       `(("fontsproto" ,fontsproto)
-        ("libxfont" ,libxfont)
+        ("libxfont" ,libxfont2)
         ("spice-protocol" ,spice-protocol)
         ("xf86dgaproto" ,xf86dgaproto)
         ("xorg-server" ,xorg-server)
@@ -3730,7 +3735,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.18")
+    (version "2.20")
     (source
       (origin
         (method url-fetch)
@@ -3740,7 +3745,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1l6x2w357ja8vm94ns79s7yj9a5dlr01r9dxrjvzwncadiyr27f4"))))
+            "0d619g4r0w1f6q5qmaqjnsc0956gi02fqgpisqffzqy4acjwggyi"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -4650,7 +4655,7 @@ script around the mkfontscale program.")
 (define-public xproto
   (package
     (name "xproto")
-    (version "7.0.29")
+    (version "7.0.31")
     (source
       (origin
         (method url-fetch)
@@ -4660,7 +4665,7 @@ script around the mkfontscale program.")
                ".tar.bz2"))
         (sha256
           (base32
-            "12lzpa9mrzkyrhrphzpi1014np3328qg7mdq08wj6wyaj9q4f6kc"))))
+            "0ivpxz0rx2a7nahkpkhfgymz7j0pwzaqvyqpdgw9afmxl1yp9yf6"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("util-macros" ,util-macros))) ; to get util-macros in (almost?) all package inputs
@@ -4699,7 +4704,8 @@ common definitions and porting layer.")
     (propagated-inputs
       `(("xproto" ,xproto)))
     (inputs
-      `(("xtrans" ,xtrans)))
+      `(("libbsd" ,libbsd)
+        ("xtrans" ,xtrans)))
     (native-inputs
       `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
@@ -4797,11 +4803,22 @@ not be used by normal X11 clients.  X11 clients access fonts via either the
 new API's in libXft, or the legacy API's in libX11.")
     (license license:x11)))
 
+(define-public libxfont2
+  (package
+    (inherit libxfont)
+    (version "2.0.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
+                                  version ".tar.bz2"))
+              (sha256
+               (base32
+                "0znvwk36nhmyqpmhbm9mzisgixp1mp5qkfald8x1n5yxbm3vpyz9"))))))
 
 (define-public libxi
   (package
     (name "libxi")
-    (version "1.7.8")
+    (version "1.7.9")
     (source
       (origin
         (method url-fetch)
@@ -4811,7 +4828,7 @@ new API's in libXft, or the legacy API's in libX11.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1fr7mi4nbcxsa88qin9g2ipmzh595ydxy9qnabzl270laf6zmwnq"))))
+            "0idg1wc01hndvaa820fvfs7phvd1ymf0lldmq6386i7rhkzvirn2"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("inputproto" ,inputproto)
@@ -4920,15 +4937,17 @@ protocol.")
 (define-public libxcb
   (package
     (name "libxcb")
-    (version "1.11.1")
+    (version "1.12")
     (source
       (origin
         (method url-fetch)
-        (uri (string-append "mirror://xorg/individual/xcb/"
+        (uri (string-append "https://xcb.freedesktop.org/dist/"
                             name "-" version ".tar.bz2"))
         (sha256
           (base32
-           "0c4xyvdyx5adh8dzyhnrmvwwz24gri4z1czxmxqm63i0gmngs85p"))))
+           "0nvv0la91cf8p5qqlb3r5xnmg1jn2wphn4fb5jfbr6byqsvv3psa"))
+        (patches
+         (search-patches "libxcb-python-3.5-compat.patch"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("libpthread-stubs" ,libpthread-stubs)
@@ -4942,7 +4961,7 @@ protocol.")
         ("python" ,python-minimal-wrapper)))
     (arguments
      `(#:configure-flags '("--enable-xkb")))
-    (home-page "https://www.x.org/wiki/")
+    (home-page "https://xcb.freedesktop.org/")
     (synopsis "The X C Binding (XCB) library")
     (description
      "libxcb provides an interface to the X Window System protocol,
@@ -4964,7 +4983,7 @@ over Xlib, including:
 (define-public xorg-server
   (package
     (name "xorg-server")
-    (version "1.18.4")
+    (version "1.19.2")
     (source
       (origin
         (method url-fetch)
@@ -4973,7 +4992,7 @@ over Xlib, including:
               name "-" version ".tar.bz2"))
         (sha256
          (base32
-          "1j1i3n5xy1wawhk95kxqdc54h34kg7xp4nnramba2q8xqfr5k117"))))
+          "1fw4b2lf75nsqkiyhn95b1c2if1l3cw5a188a1szx1d8l7sbk2jg"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("dri2proto" ,dri2proto)
@@ -5002,12 +5021,13 @@ over Xlib, including:
         ("dbus" ,dbus)
         ("dmxproto" ,dmxproto)
         ("libdmx" ,libdmx)
+        ("libepoxy" ,libepoxy)
         ("libgcrypt" ,libgcrypt)
         ("libxau" ,libxau)
         ("libxaw" ,libxaw)
         ("libxdmcp" ,libxdmcp)
         ("libxfixes" ,libxfixes)
-        ("libxfont" ,libxfont)
+        ("libxfont2" ,libxfont2)
         ("libxkbfile" ,libxkbfile)
         ("libxrender" ,libxrender)
         ("libxres" ,libxres)
@@ -5031,7 +5051,12 @@ over Xlib, including:
         ("xcb-util-wm" ,xcb-util-wm)))
     (native-inputs
        `(("python" ,python-minimal-wrapper)
-         ("pkg-config" ,pkg-config)))
+         ("pkg-config" ,pkg-config)
+         ;; XXX Bootstrapping inputs for 1.19.2. Remove for > 1.19.2.
+         ("font-util" ,font-util)
+         ("libtool" ,libtool)
+         ("autoconf" ,autoconf)
+         ("automake" ,automake)))
     (arguments
      `(#:parallel-tests? #f
        #:configure-flags
@@ -5056,17 +5081,23 @@ over Xlib, including:
              "--enable-kdrive"
              "--enable-xephyr")
 
-       #:phases (alist-cons-before
-                 'configure 'pre-configure
-                 (lambda _
-                   (substitute* (find-files "." "\\.c$")
-                     (("/bin/sh") (which "sh")))
-
-                   ;; Don't try to 'mkdir /var'.
-                   (substitute* "hw/xfree86/Makefile.in"
-                     (("\\$\\(MKDIR_P\\).*logdir.*")
-                      "true\n")))
-                 %standard-phases)))
+       #:phases
+       (modify-phases %standard-phases
+         ;; XXX The 1.19.2 release of xorg-server was not bootstrapped:
+         ;; <https://lists.x.org/archives/xorg-announce/2017-March/002780.html>
+         (add-before 'configure 'bootstrap
+           (lambda _ (zero? (system* "autoreconf" "-vfi"))))
+         (add-before
+          'configure 'pre-configure
+          (lambda _
+            (substitute* (find-files "." "\\.c$")
+              (("/bin/sh") (which "sh")))
+
+            ;; Don't try to 'mkdir /var'.
+            (substitute* "hw/xfree86/Makefile.in"
+              (("\\$\\(MKDIR_P\\).*logdir.*")
+               "true\n"))
+            #t)))))
     (home-page "https://www.x.org/wiki/")
     (synopsis "Xorg implementation of the X Window System")
     (description
@@ -5081,6 +5112,22 @@ communicates with the user via graphical controls such as buttons and
 draggable titlebars and borders.")
     (license license:x11)))
 
+;;; This package is intended to be used when building GTK+.
+(define-public xorg-server-1.19.2
+  (package
+    (inherit xorg-server)
+    (name "xorg-server")
+    (version "1.19.2")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append
+              "mirror://xorg/individual/xserver/"
+              name "-" version ".tar.bz2"))
+        (sha256
+         (base32
+          "1fw4b2lf75nsqkiyhn95b1c2if1l3cw5a188a1szx1d8l7sbk2jg"))))))
+
 (define-public xorg-server-xwayland
   (package
     (inherit xorg-server)
@@ -5105,7 +5152,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (version "1.6.4")
+    (version "1.6.5")
     (source
       (origin
         (method url-fetch)
@@ -5115,7 +5162,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp"))))
+            "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
diff --git a/guix/build/gnu-build-system.scm b/guix/build/gnu-build-system.scm
index 1dfd85450c..1786e2e3c9 100644
--- a/guix/build/gnu-build-system.scm
+++ b/guix/build/gnu-build-system.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -389,15 +389,23 @@ makefiles."
               debug-output objcopy-command))
 
     (for-each (lambda (file)
-                (and (file-exists? file)          ;discard dangling symlinks
-                     (or (elf-file? file) (ar-file? file))
+                (and (or (elf-file? file) (ar-file? file))
                      (or (not debug-output)
                          (make-debug-file file))
+
+                     ;; Ensure the file is writable.
+                     (begin (make-file-writable file) #t)
+
                      (zero? (apply system* strip-command
                                    (append strip-flags (list file))))
                      (or (not debug-output)
                          (add-debug-link file))))
-              (find-files dir)))
+              (find-files dir
+                          (lambda (file stat)
+                            ;; Ignore symlinks such as:
+                            ;; libfoo.so -> libfoo.so.0.0.
+                            (eq? 'regular (stat:type stat)))
+                          #:stat lstat)))
 
   (or (not strip-binaries?)
       (every strip-dir
@@ -476,6 +484,23 @@ and 'man/'.  This phase moves directories to the right place if needed."
      (for-each validate-output directories)))
   #t)
 
+(define* (reset-gzip-timestamps #:key outputs #:allow-other-keys)
+  "Reset embedded timestamps in gzip files found in OUTPUTS."
+  (define (process-directory directory)
+    (let ((files (find-files directory
+                             (lambda (file stat)
+                               (and (eq? 'regular (stat:type stat))
+                                    (or (string-suffix? ".gz" file)
+                                        (string-suffix? ".tgz" file))
+                                    (gzip-file? file)))
+                             #:stat lstat)))
+      (for-each reset-gzip-timestamp files)))
+
+  (match outputs
+    (((names . directories) ...)
+     (for-each process-directory directories)))
+  #t)
+
 (define* (compress-documentation #:key outputs
                                  (compress-documentation? #t)
                                  (documentation-compressor "gzip")
@@ -598,6 +623,7 @@ which cannot be found~%"
             validate-documentation-location
             delete-info-dir-file
             patch-dot-desktop-files
+            reset-gzip-timestamps
             compress-documentation)))
 
 
diff --git a/guix/build/make-bootstrap.scm b/guix/build/make-bootstrap.scm
index 21c78cc8f5..43b136248f 100644
--- a/guix/build/make-bootstrap.scm
+++ b/guix/build/make-bootstrap.scm
@@ -55,7 +55,7 @@ when producing a bootstrap libc."
                                 (string-append incdir "/linux")))
                 '("limits.h" "errno.h" "socket.h" "kernel.h"
                   "sysctl.h" "param.h" "ioctl.h" "types.h"
-                  "posix_types.h" "stddef.h"))
+                  "posix_types.h" "stddef.h" "falloc.h"))
 
       (copy-recursively (string-append kernel-headers "/include/asm")
                         (string-append incdir "/asm"))
diff --git a/guix/build/perl-build-system.scm b/guix/build/perl-build-system.scm
index 8f480eae16..b2024e4406 100644
--- a/guix/build/perl-build-system.scm
+++ b/guix/build/perl-build-system.scm
@@ -42,7 +42,11 @@
                    "--installdirs=site" ,@module-build-flags))
                 ((file-exists? "Makefile.PL")
                  `("Makefile.PL" ,(string-append "PREFIX=" out)
-                   "INSTALLDIRS=site" ,@make-maker-flags))
+                   ;; Prevent installation of 'perllocal.pod' files for
+                   ;; determinism.  These are typically used to build a
+                   ;; catalogue of installed packages, but does not provide
+                   ;; any useful information when installed with a module.
+                   "INSTALLDIRS=site" "NO_PERLLOCAL=1" ,@make-maker-flags))
                 (else (error "no Build.PL or Makefile.PL found")))))
     (format #t "running `perl' with arguments ~s~%" args)
     (zero? (apply system* "perl" args))))
diff --git a/guix/build/profiles.scm b/guix/build/profiles.scm
index 6e316d5d2c..42eabfaf19 100644
--- a/guix/build/profiles.scm
+++ b/guix/build/profiles.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,17 +39,21 @@
 'GUIX_PROFILE' environment variable.  This allows users to specify what the
 user-friendly name of the profile is, for instance ~/.guix-profile rather than
 /gnu/store/...-profile."
-  (let ((replacement (string-append "${GUIX_PROFILE:-" profile "}")))
+  (let ((replacement (string-append "${GUIX_PROFILE:-" profile "}"))
+        (crop        (cute string-drop <> (string-length profile))))
     (match-lambda
       ((search-path . value)
-       (let* ((separator (search-path-specification-separator search-path))
-              (items     (string-tokenize* value separator))
-              (crop      (cute string-drop <> (string-length profile))))
-         (cons search-path
-               (string-join (map (lambda (str)
-                                   (string-append replacement (crop str)))
-                                 items)
-                            separator)))))))
+       (match (search-path-specification-separator search-path)
+         (#f
+          (cons search-path
+                (string-append replacement (crop value))))
+         ((? string? separator)
+          (let ((items (string-tokenize* value separator)))
+            (cons search-path
+                  (string-join (map (lambda (str)
+                                      (string-append replacement (crop str)))
+                                    items)
+                               separator)))))))))
 
 (define (write-environment-variable-definition port)
   "Write the given environment variable definition to PORT."
diff --git a/guix/build/utils.scm b/guix/build/utils.scm
index bc6f114152..e8efb0653a 100644
--- a/guix/build/utils.scm
+++ b/guix/build/utils.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
@@ -45,9 +45,12 @@
             call-with-ascii-input-file
             elf-file?
             ar-file?
+            gzip-file?
+            reset-gzip-timestamp
             with-directory-excursion
             mkdir-p
             install-file
+            make-file-writable
             copy-recursively
             delete-file-recursively
             file-name-predicate
@@ -195,6 +198,29 @@ with the bytes in HEADER, a bytevector."
 (define ar-file?
   (file-header-match %ar-magic-bytes))
 
+(define %gzip-magic-bytes
+  ;; Magic bytes of gzip file.  Beware, it's a small header so there could be
+  ;; false positives.
+  #vu8(#x1f #x8b))
+
+(define gzip-file?
+  (file-header-match %gzip-magic-bytes))
+
+(define* (reset-gzip-timestamp file #:key (keep-mtime? #t))
+  "If FILE is a gzip file, reset its embedded timestamp (as with 'gzip
+--no-name') and return true.  Otherwise return #f.  When KEEP-MTIME? is true,
+preserve FILE's modification time."
+  (let ((stat (stat file))
+        (port (open file O_RDWR)))
+    (dynamic-wind
+      (const #t)
+      (lambda ()
+        (and (= 4 (seek port 4 SEEK_SET))
+             (put-bytevector port #vu8(0 0 0 0))))
+      (lambda ()
+        (close-port port)
+        (set-file-time file stat)))))
+
 (define-syntax-rule (with-directory-excursion dir body ...)
   "Run BODY with DIR as the process's current directory."
   (let ((init (getcwd)))
@@ -237,6 +263,11 @@ name."
   (mkdir-p directory)
   (copy-file file (string-append directory "/" (basename file))))
 
+(define (make-file-writable file)
+  "Make FILE writable for its owner."
+  (let ((stat (lstat file)))                      ;XXX: symlinks
+    (chmod file (logior #o600 (stat:perms stat)))))
+
 (define* (copy-recursively source destination
                            #:key
                            (log (current-output-port))
@@ -400,10 +431,17 @@ for under the directories designated by FILES.  For example:
               (delete-duplicates input-dirs)))
 
 (define (list->search-path-as-string lst separator)
-  (string-join lst separator))
+  (if separator
+      (string-join lst separator)
+      (match lst
+        ((head rest ...) head)
+        (() ""))))
 
 (define* (search-path-as-string->list path #:optional (separator #\:))
-  (string-tokenize path (char-set-complement (char-set separator))))
+  (if separator
+      (string-tokenize path
+                       (char-set-complement (char-set separator)))
+      (list path)))
 
 (define* (set-path-environment-variable env-var files input-dirs
                                         #:key
diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm
index 9e5b7f3c75..6be9d00aec 100644
--- a/guix/scripts/package.scm
+++ b/guix/scripts/package.scm
@@ -667,7 +667,7 @@ processed, #f otherwise."
                                         (_              #f))
                                       opts)
                      (() (list %current-profile))
-                     (lst lst)))
+                     (lst (reverse lst))))
          (profile  (match profiles
                      ((head tail ...) head))))
     (match (assoc-ref opts 'query)
diff --git a/guix/search-paths.scm b/guix/search-paths.scm
index 7a6fe67959..4bf0e44389 100644
--- a/guix/search-paths.scm
+++ b/guix/search-paths.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -55,7 +55,7 @@
   search-path-specification?
   (variable     search-path-specification-variable) ;string
   (files        search-path-specification-files)    ;list of strings
-  (separator    search-path-specification-separator ;string
+  (separator    search-path-specification-separator ;string | #f
                 (default ":"))
   (file-type    search-path-specification-file-type ;symbol
                 (default 'directory))
@@ -131,11 +131,23 @@ like `string-tokenize', but SEPARATOR is a string."
 DIRECTORIES, a list of directory names, and return a list of
 specification/value pairs.  Use GETENV to determine the current settings and
 report only settings not already effective."
-  (define search-path-definition
-    (match-lambda
-      ((and spec
-            ($ <search-path-specification> variable files separator
-                                           type pattern))
+  (define (search-path-definition spec)
+    (match spec
+      (($ <search-path-specification> variable files #f type pattern)
+       ;; Separator is #f so return the first match.
+       (match (with-null-error-port
+               (search-path-as-list files directories
+                                    #:type type
+                                    #:pattern pattern))
+         (()
+          #f)
+         ((head . _)
+          (let ((value (getenv variable)))
+            (if (and value (string=? value head))
+                #f                         ;VARIABLE already set appropriately
+                (cons spec head))))))
+      (($ <search-path-specification> variable files separator
+                                      type pattern)
        (let* ((values (or (and=> (getenv variable)
                                  (cut string-tokenize* <> separator))
                           '()))
@@ -164,7 +176,7 @@ current value), or 'suffix (return the definition where VALUE is added as a
 suffix to VARIABLE's current value.)  In the case of 'prefix and 'suffix,
 SEPARATOR is used as the separator between VARIABLE's current value and its
 prefix/suffix."
-  (match kind
+  (match (if (not separator) 'exact kind)
     ('exact
      (format #f "export ~a=\"~a\"" variable value))
     ('prefix
diff --git a/m4/guix.m4 b/m4/guix.m4
index 6630598416..e546b8f4dd 100644
--- a/m4/guix.m4
+++ b/m4/guix.m4
@@ -1,6 +1,7 @@
 dnl GNU Guix --- Functional package management for GNU
 dnl Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 dnl Copyright © 2014 Mark H Weaver <mhw@netris.org>
+dnl Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 dnl
 dnl This file is part of GNU Guix.
 dnl
@@ -105,7 +106,7 @@ courageous and port the GNU System distribution to it (see
   # Currently only Linux-based systems are supported, and only on some
   # platforms.
   case "$guix_system" in
-    x86_64-linux|i686-linux|armhf-linux|mips64el-linux)
+    x86_64-linux|i686-linux|armhf-linux|aarch64-linux|mips64el-linux)
       ;;
     *)
       if test "x$guix_courageous" = "xyes"; then
diff --git a/tests/guix-package-net.sh b/tests/guix-package-net.sh
index 35ef6ff1a0..1eff6abba3 100644
--- a/tests/guix-package-net.sh
+++ b/tests/guix-package-net.sh
@@ -1,5 +1,5 @@
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012, 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 # Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 #
 # This file is part of GNU Guix.
@@ -165,7 +165,7 @@ guix package --bootstrap -p "$profile_alt" -i gcc-bootstrap
 if guix package -p "$profile" --search-paths | grep LIBRARY_PATH
 then false; fi
 guix package -p "$profile" -p "$profile_alt" --search-paths \
-     | grep "LIBRARY_PATH.*$profile/lib"
+     | grep "LIBRARY_PATH.*$profile/lib.$profile_alt/lib"
 
 #
 # Try with the default profile.
diff --git a/tests/packages.scm b/tests/packages.scm
index 247f75cc43..aa29758830 100644
--- a/tests/packages.scm
+++ b/tests/packages.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -42,6 +42,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages bootstrap)
+  #:use-module (gnu packages version-control)
   #:use-module (gnu packages xml)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
@@ -379,6 +380,8 @@
   (let* ((file   (search-bootstrap-binary (match (%current-system)
                                             ("armhf-linux"
                                              "guile-2.0.11.tar.xz")
+                                            ("aarch64-linux"
+                                             "guile-2.0.14.tar.xz")
                                             (_
                                              "guile-2.0.9.tar.xz"))
                                           (%current-system)))
@@ -979,6 +982,52 @@
                       (guix-package "-p" (derivation->output-path prof)
                                     "--search-paths"))))))
 
+(test-assert "--search-paths with single-item search path"
+  ;; Make sure 'guix package --search-paths' correctly reports environment
+  ;; variables for things like 'GIT_SSL_CAINFO' that have #f as their
+  ;; separator, meaning that the first match wins.
+  (let* ((p1 (dummy-package "foo"
+               (build-system trivial-build-system)
+               (arguments
+                `(#:guile ,%bootstrap-guile
+                  #:modules ((guix build utils))
+                  #:builder (begin
+                              (use-modules (guix build utils))
+                              (let ((out (assoc-ref %outputs "out")))
+                                (mkdir-p (string-append out "/etc/ssl/certs"))
+                                (call-with-output-file
+                                    (string-append
+                                     out "/etc/ssl/certs/ca-certificates.crt")
+                                  (const #t))))))))
+         (p2 (package (inherit p1) (name "bar")))
+         (p3 (dummy-package "git"
+               ;; Provide a fake Git to avoid building the real one.
+               (build-system trivial-build-system)
+               (arguments
+                `(#:guile ,%bootstrap-guile
+                  #:builder (mkdir (assoc-ref %outputs "out"))))
+               (native-search-paths (package-native-search-paths git))))
+         (prof1 (run-with-store %store
+                  (profile-derivation
+                   (packages->manifest (list p1 p3))
+                   #:hooks '()
+                   #:locales? #f)
+                  #:guile-for-build (%guile-for-build)))
+         (prof2 (run-with-store %store
+                  (profile-derivation
+                   (packages->manifest (list p2 p3))
+                   #:hooks '()
+                   #:locales? #f)
+                  #:guile-for-build (%guile-for-build))))
+    (build-derivations %store (list prof1 prof2))
+    (string-match (format #f "^export GIT_SSL_CAINFO=\"~a/etc/ssl/certs/ca-certificates.crt"
+                          (regexp-quote (derivation->output-path prof1)))
+                  (with-output-to-string
+                    (lambda ()
+                      (guix-package "-p" (derivation->output-path prof1)
+                                    "-p" (derivation->output-path prof2)
+                                    "--search-paths"))))))
+
 (test-equal "specification->package when not found"
   'quit
   (catch 'quit
diff --git a/tests/search-paths.scm b/tests/search-paths.scm
new file mode 100644
index 0000000000..2a4c18dd76
--- /dev/null
+++ b/tests/search-paths.scm
@@ -0,0 +1,48 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (test-search-paths)
+  #:use-module (guix search-paths)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-64))
+
+(define %top-srcdir
+  (dirname (search-path %load-path "guix.scm")))
+
+
+(test-begin "search-paths")
+
+(test-equal "evaluate-search-paths, separator is #f"
+  (string-append %top-srcdir
+                 "/gnu/packages/bootstrap/armhf-linux")
+
+  ;; The following search path spec should evaluate to a single item: the
+  ;; first directory that matches the "-linux$" pattern in
+  ;; gnu/packages/bootstrap.
+  (let ((spec (search-path-specification
+               (variable "CHBOUIB")
+               (files '("gnu/packages/bootstrap"))
+               (file-type 'directory)
+               (separator #f)
+               (file-pattern "-linux$"))))
+    (match (evaluate-search-paths (list spec)
+                                  (list %top-srcdir))
+      (((spec* . value))
+       (and (eq? spec* spec) value)))))
+
+(test-end "search-paths")