-rw-r--r--doc/guix.texi197
-rw-r--r--gnu/build/linux-container.scm19
-rw-r--r--gnu/local.mk15
-rw-r--r--gnu/packages/audio.scm35
-rw-r--r--gnu/packages/bioinformatics.scm20
-rw-r--r--gnu/packages/databases.scm10
-rw-r--r--gnu/packages/gcc.scm6
-rw-r--r--gnu/packages/guile.scm37
-rw-r--r--gnu/packages/image.scm3
-rw-r--r--gnu/packages/imagemagick.scm4
-rw-r--r--gnu/packages/inkscape.scm15
-rw-r--r--gnu/packages/kde.scm58
-rw-r--r--gnu/packages/libusb.scm2
-rw-r--r--gnu/packages/linux.scm91
-rw-r--r--gnu/packages/llvm.scm11
-rw-r--r--gnu/packages/lua.scm13
-rw-r--r--gnu/packages/mail.scm4
-rw-r--r--gnu/packages/maths.scm6
-rw-r--r--gnu/packages/messaging.scm4
-rw-r--r--gnu/packages/music.scm4
-rw-r--r--gnu/packages/nano.scm6
-rw-r--r--gnu/packages/ncurses.scm43
-rw-r--r--gnu/packages/openstack.scm12
-rw-r--r--gnu/packages/owncloud.scm32
-rw-r--r--gnu/packages/package-management.scm6
-rw-r--r--gnu/packages/password-utils.scm5
-rw-r--r--gnu/packages/patches/gcc-strmov-store-file-names.patch66
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-9273.patch41
-rw-r--r--gnu/packages/patches/libxslt-CVE-2016-4738.patch39
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7504.patch99
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7505.patch32
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7506.patch42
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7563.patch37
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7564.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-9017.patch46
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-9136.patch32
-rw-r--r--gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch17
-rw-r--r--gnu/packages/pdf.scm112
-rw-r--r--gnu/packages/perl.scm25
-rw-r--r--gnu/packages/python.scm123
-rw-r--r--gnu/packages/qt.scm114
-rw-r--r--gnu/packages/ruby.scm120
-rw-r--r--gnu/packages/statistics.scm14
-rw-r--r--gnu/packages/syndication.scm75
-rw-r--r--gnu/packages/tex.scm5
-rw-r--r--gnu/packages/uml.scm91
-rw-r--r--gnu/packages/version-control.scm4
-rw-r--r--gnu/packages/vim.scm64
-rw-r--r--gnu/packages/wordnet.scm24
-rw-r--r--gnu/packages/xml.scm9
-rw-r--r--gnu/services/kerberos.scm67
-rw-r--r--gnu/system/file-systems.scm11
-rw-r--r--gnu/system/grub.scm1
-rw-r--r--gnu/system/linux-container.scm16
-rw-r--r--guix/build/download.scm125
-rw-r--r--guix/download.scm17
-rw-r--r--guix/http-client.scm8
-rw-r--r--guix/scripts/download.scm14
-rw-r--r--guix/scripts/environment.scm2
-rw-r--r--guix/scripts/lint.scm34
-rwxr-xr-xguix/scripts/substitute.scm19
-rw-r--r--guix/scripts/system.scm4
-rw-r--r--po/guix/fr.po66
-rw-r--r--tests/containers.scm13
-rw-r--r--tests/cpan.scm4
-rw-r--r--tests/cran.scm4
66 files changed, 2049 insertions, 279 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index b4b7763cb4..9a95e1821d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -221,6 +221,7 @@ Services
 * Desktop Services::            D-Bus and desktop services.
 * Database Services::           SQL databases.
 * Mail Services::               IMAP, POP3, SMTP, and all that.
+* Kerberos Services::           Kerberos services.
 * Web Services::                Web servers.
 * Network File System::         NFS related services.
 * Miscellaneous Services::      Other services.
@@ -285,7 +286,7 @@ users (@pxref{Setting Up the Daemon}) and for downloading pre-built
 binaries from authorized sources (@pxref{Substitutes}).
 
 @cindex extensibility of the distribution
-@cindex customization of packages
+@cindex customization, of packages
 Guix includes package definitions for many GNU and non-GNU packages, all
 of which @uref{https://www.gnu.org/philosophy/free-sw.html, respect the
 user's computing freedom}.  It is @emph{extensible}: users can write
@@ -339,6 +340,7 @@ garbage collection of packages (@pxref{Features}).
 @node Installation
 @chapter Installation
 
+@cindex installing Guix
 GNU Guix is available for download from its website at
 @url{http://www.gnu.org/software/guix/}.  This section describes the
 software requirements of Guix, as well as how to install it and get
@@ -368,6 +370,7 @@ system, such as @file{/etc}, are left untouched.
 @node Binary Installation
 @section Binary Installation
 
+@cindex installing Guix from binaries
 This section describes how to install Guix on an arbitrary system from a
 self-contained tarball providing binaries for Guix and for all its
 dependencies.  This is often quicker than installing from source, which
@@ -378,6 +381,7 @@ Installing goes along these lines:
 
 @enumerate
 @item
+@cindex downloading Guix binary
 Download the binary tarball from
 @indicateurl{ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz},
 where @var{system} is @code{x86_64-linux} for an @code{x86_64} machine
@@ -493,6 +497,7 @@ Directories,,, texinfo, GNU Texinfo}, for more details on changing the
 Info search path.)
 
 @item
+@cindex substitutes, authorization thereof
 To use substitutes from @code{hydra.gnu.org} or one of its mirrors
 (@pxref{Substitutes}), authorize them:
 
@@ -576,6 +581,7 @@ following packages are also needed:
 C++11 standard.
 @end itemize
 
+@cindex state directory
 When configuring Guix on a system that already has a Guix installation,
 be sure to specify the same state directory as the existing installation
 using the @code{--localstatedir} option of the @command{configure}
@@ -584,6 +590,7 @@ GNU Coding Standards}).  The @command{configure} script protects against
 unintended misconfiguration of @var{localstatedir} so you do not
 inadvertently corrupt your store (@pxref{The Store}).
 
+@cindex Nix, compatibility
 When a working installation of @url{http://nixos.org/nix/, the Nix package
 manager} is available, you
 can instead configure Guix with @code{--disable-daemon}.  In that case,
@@ -602,6 +609,7 @@ your goal is to share the store with Nix.
 @node Running the Test Suite
 @section Running the Test Suite
 
+@cindex test suite
 After a successful @command{configure} and @code{make} run, it is a good
 idea to run the test suite.  It can help catch issues with the setup or
 environment, or bugs in Guix itself---and really, reporting test
@@ -687,6 +695,7 @@ the daemon to download pre-built binaries.
 @node Build Environment Setup
 @subsection Build Environment Setup
 
+@cindex build environment
 In a standard multi-user setup, Guix and its daemon---the
 @command{guix-daemon} program---are installed by the system
 administrator; @file{/gnu/store} is owned by @code{root} and
@@ -1202,6 +1211,7 @@ versions may be incompatible.
 
 @subsection X11 Fonts
 
+@cindex fonts
 The majority of graphical applications use Fontconfig to locate and
 load fonts and perform X11-client-side rendering.  The @code{fontconfig}
 package in Guix looks for fonts in @file{$HOME/.guix-profile}
@@ -1221,6 +1231,7 @@ for Chinese languages:
 guix package -i font-adobe-source-han-sans:cn
 @end example
 
+@cindex @code{xterm}
 Older programs such as @command{xterm} do not use Fontconfig and instead
 rely on server-side font rendering.  Such programs require to specify a
 full name of a font using XLFD (X Logical Font Description), like this:
@@ -1236,11 +1247,13 @@ your Guix profile, you need to extend the font path of the X server:
 xset +fp ~/.guix-profile/share/fonts/truetype
 @end example
 
+@cindex @code{xlsfonts}
 After that, you can run @code{xlsfonts} (from @code{xlsfonts} package)
 to make sure your TrueType fonts are listed there.
 
 @subsection X.509 Certificates
 
+@cindex @code{nss-certs}
 The @code{nss-certs} package provides X.509 certificates, which allow
 programs to authenticate Web servers accessed over HTTPS.
 
@@ -1251,6 +1264,7 @@ information.
 
 @subsection Emacs Packages
 
+@cindex @code{emacs}
 When you install Emacs packages with Guix, the elisp files may be placed
 either in @file{$HOME/.guix-profile/share/emacs/site-lisp/} or in
 sub-directories of
@@ -1274,6 +1288,7 @@ option (@pxref{Init File,,, emacs, The GNU Emacs Manual}).
 @node Package Management
 @chapter Package Management
 
+@cindex packages
 The purpose of GNU Guix is to allow users to easily install, upgrade, and
 remove software packages, without having to know about their build
 procedures or dependencies.  Guix also goes beyond this obvious set of
@@ -1321,6 +1336,7 @@ The @command{guix package} command is the central tool to manage
 packages (@pxref{Invoking guix package}).  It operates on the per-user
 profiles, and can be used @emph{with normal user privileges}.
 
+@cindex transactions
 The command provides the obvious install, remove, and upgrade
 operations.  Each invocation is actually a @emph{transaction}: either
 the specified operation succeeds, or nothing happens.  Thus, if the
@@ -1376,6 +1392,10 @@ package into their profile (@pxref{Invoking guix environment}).
 @node Invoking guix package
 @section Invoking @command{guix package}
 
+@cindex installing packages
+@cindex removing packages
+@cindex package installation
+@cindex package removal
 The @command{guix package} command is the tool that allows users to
 install, upgrade, and remove packages, as well as rolling back to
 previous configurations.  It operates only on the user's own profile,
@@ -1385,7 +1405,7 @@ is:
 @example
 guix package @var{options}
 @end example
-
+@cindex transactions
 Primarily, @var{options} specifies the operations to be performed during
 the transaction.  Upon completion, a new profile is created, but
 previous @dfn{generations} of the profile remain available, should the user
@@ -1403,6 +1423,7 @@ whereby the user specifies the exact set of packages to be available and
 passes it @i{via} the @option{--manifest} option
 (@pxref{profile-manifest, @option{--manifest}}).
 
+@cindex profile
 For each user, a symlink to the user's default profile is automatically
 created in @file{$HOME/.guix-profile}.  This symlink always points to the
 current generation of the user's default profile.  Thus, users can add
@@ -1509,6 +1530,7 @@ and/or output name in addition to the package name.  For instance,
 
 @item --upgrade[=@var{regexp} @dots{}]
 @itemx -u [@var{regexp} @dots{}]
+@cindex upgrading packages
 Upgrade all the installed packages.  If one or more @var{regexp}s are
 specified, upgrade only installed packages whose name matches a
 @var{regexp}.  Also see the @code{--do-not-upgrade} option below.
@@ -1557,6 +1579,9 @@ of packages:
 @end example
 
 @item --roll-back
+@cindex rolling back
+@cindex undoing transactions
+@cindex transactions, undoing
 Roll back to the previous @dfn{generation} of the profile---i.e., undo
 the last transaction.
 
@@ -1573,6 +1598,7 @@ generations in a profile is always linear.
 
 @item --switch-generation=@var{pattern}
 @itemx -S @var{pattern}
+@cindex generations
 Switch to a particular generation defined by @var{pattern}.
 
 @var{pattern} may be either a generation number or a number prefixed
@@ -1754,6 +1780,7 @@ Multiple Outputs}), and the source location of its definition.
 
 @item --list-generations[=@var{pattern}]
 @itemx -l [@var{pattern}]
+@cindex generations
 Return a list of generations along with their creation dates; for each
 generation, show the installed packages, with the most recently
 installed packages shown last.  Note that the zeroth generation is never
@@ -1855,6 +1882,7 @@ your system has unpatched security vulnerabilities.
 
 @cindex security
 @cindex digital signatures
+@cindex substitutes, authorization thereof
 To allow Guix to download substitutes from @code{hydra.gnu.org} or a
 mirror thereof, you
 must add its public key to the access control list (ACL) of archive
@@ -1964,6 +1992,7 @@ like to discuss this project, join us on @email{guix-devel@@gnu.org}.
 
 @cindex multiple-output packages
 @cindex package outputs
+@cindex outputs
 
 Often, packages defined in Guix have a single @dfn{output}---i.e., the
 source package leads to exactly one directory in the store.  When running
@@ -1986,6 +2015,7 @@ which contains everything but the documentation, one would run:
 guix package -i glib
 @end example
 
+@cindex documentation
 The command to install its documentation is:
 
 @example
@@ -2015,6 +2045,7 @@ guix package}).
 @section Invoking @command{guix gc}
 
 @cindex garbage collector
+@cindex disk space
 Packages that are installed, but not used, may be @dfn{garbage-collected}.
 The @command{guix gc} command allows users to explicitly run the garbage
 collector to reclaim space from the @file{/gnu/store} directory.  It is
@@ -2097,6 +2128,7 @@ In addition, the references among existing store files can be queried:
 
 @item --references
 @itemx --referrers
+@cindex package dependencies
 List the references (respectively, the referrers) of store files given
 as arguments.
 
@@ -2159,6 +2191,9 @@ this option is primarily useful when the daemon was running with
 @node Invoking guix pull
 @section Invoking @command{guix pull}
 
+@cindex upgrading Guix
+@cindex @command{guix pull}
+@cindex pull
 Packages are installed or upgraded to the latest version available in
 the distribution currently available on your local machine.  To update
 that distribution, along with the Guix tools, you must run @command{guix
@@ -2201,11 +2236,14 @@ useful to Guix developers.
 @node Invoking guix archive
 @section Invoking @command{guix archive}
 
+@cindex @command{guix archive}
+@cindex archive
 The @command{guix archive} command allows users to @dfn{export} files
 from the store into a single archive, and to later @dfn{import} them.
 In particular, it allows store files to be transferred from one machine
 to the store on another machine.
 
+@cindex exporting store items
 To export store files as an archive to standard output, run:
 
 @example
@@ -2729,6 +2767,7 @@ A one-line description of the package.
 A more elaborate description of the package.
 
 @item @code{license}
+@cindex license, of packages
 The license of the package; a value from @code{(guix licenses)},
 or a list of such values.
 
@@ -4266,6 +4305,8 @@ the Scheme programming interface of Guix in a convenient way.
 @node Invoking guix build
 @section Invoking @command{guix build}
 
+@cindex package building
+@cindex @command{guix build}
 The @command{guix build} command builds packages or derivations and
 their dependencies, and prints the resulting store paths.  Note that it
 does not modify the user's profile---this is the job of the
@@ -4720,6 +4761,7 @@ You can freely access a huge library of build logs!
 @node Invoking guix edit
 @section Invoking @command{guix edit}
 
+@cindex @command{guix edit}
 @cindex package definition, editing
 So many packages, so many source files!  The @command{guix edit} command
 facilitates the life of users and packagers by pointing their editor at
@@ -4750,6 +4792,8 @@ guix-search-by-name} and similar commands (@pxref{Emacs Commands}).
 @node Invoking guix download
 @section Invoking @command{guix download}
 
+@cindex @command{guix download}
+@cindex downloading package sources
 When writing a package definition, developers typically need to download
 a source tarball, compute its SHA256 hash, and write that
 hash in the package definition (@pxref{Defining Packages}).  The
@@ -4772,18 +4816,32 @@ they are not available, an error is raised.  @xref{Guile Preparations,
 how to install the GnuTLS bindings for Guile,, gnutls-guile,
 GnuTLS-Guile}, for more information.
 
-The following option is available:
+@command{guix download} verifies HTTPS server certificates by loading
+the certificates of X.509 authorities from the directory pointed to by
+the @code{SSL_CERT_DIR} environment variable (@pxref{X.509
+Certificates}), unless @option{--no-check-certificate} is used.
+
+The following options are available:
 
 @table @code
 @item --format=@var{fmt}
 @itemx -f @var{fmt}
 Write the hash in the format specified by @var{fmt}.  For more
 information on the valid values for @var{fmt}, @pxref{Invoking guix hash}.
+
+@item --no-check-certificate
+Do not validate the X.509 certificates of HTTPS servers.
+
+When using this option, you have @emph{absolutely no guarantee} that you
+are communicating with the authentic server responsible for the given
+URL, which makes you vulnerable to ``man-in-the-middle'' attacks.
+
 @end table
 
 @node Invoking guix hash
 @section Invoking @command{guix hash}
 
+@cindex @command{guix hash}
 The @command{guix hash} command computes the SHA256 hash of a file.
 It is primarily a convenience tool for anyone contributing to the
 distribution: it computes the cryptographic hash of a file, which can be
@@ -4848,6 +4906,7 @@ $ guix hash -rx .
 @cindex importing packages
 @cindex package import
 @cindex package conversion
+@cindex Invoking @command{guix import}
 The @command{guix import} command is useful for people who would like to
 add a package to the distribution with as little work as
 possible---a legitimate demand.  The command knows of a few
@@ -5068,6 +5127,12 @@ are:
 @uref{http://elpa.gnu.org/packages, GNU}, selected by the @code{gnu}
 identifier.  This is the default.
 
+Packages from @code{elpa.gnu.org} are signed with one of the keys
+contained in the GnuPG keyring at
+@file{share/emacs/25.1/etc/package-keyring.gpg} (or similar) in the
+@code{emacs} package (@pxref{Package Installation, ELPA package
+signatures,, emacs, The GNU Emacs Manual}).
+
 @item
 @uref{http://stable.melpa.org/packages, MELPA-Stable}, selected by the
 @code{melpa-stable} identifier.
@@ -5086,6 +5151,7 @@ is welcome here (@pxref{Contributing}).
 @node Invoking guix refresh
 @section Invoking @command{guix refresh}
 
+@cindex @command {guix refresh}
 The primary audience of the @command{guix refresh} command is developers
 of the GNU software distribution.  By default, it reports any packages
 provided by the distribution that are outdated compared to the latest
@@ -5289,6 +5355,9 @@ otherwise.
 
 @node Invoking guix lint
 @section Invoking @command{guix lint}
+
+@cindex @command{guix lint}
+@cindex package, checking for errors
 The @command{guix lint} command is meant to help package developers avoid
 common errors and use a consistent style.  It runs a number of checks on
 a given set of packages in order to find common mistakes in their
@@ -5376,6 +5445,10 @@ names returned by @code{--list-checkers}.
 @node Invoking guix size
 @section Invoking @command{guix size}
 
+@cindex size
+@cindex package size
+@cindex closure
+@cindex @command{guix size}
 The @command{guix size} command helps package developers profile the
 disk usage of packages.  It is easy to overlook the impact of an
 additional dependency added to a package, or the impact of using a
@@ -5479,6 +5552,8 @@ Consider packages for @var{system}---e.g., @code{x86_64-linux}.
 @section Invoking @command{guix graph}
 
 @cindex DAG
+@cindex @command{guix graph}
+@cindex package dependencies
 Packages and their dependencies form a @dfn{graph}, specifically a
 directed acyclic graph (DAG).  It can quickly become difficult to have a
 mental model of the package DAG, so the @command{guix graph} command
@@ -5621,6 +5696,8 @@ guix graph -e '(@@@@ (gnu packages commencement) gnu-make-final)'
 
 @cindex reproducible build environments
 @cindex development environments
+@cindex @command{guix environment}
+@cindex environment, package build environment
 The purpose of @command{guix environment} is to assist hackers in
 creating reproducible development environments without polluting their
 package profile.  The @command{guix environment} tool takes one or more
@@ -5867,6 +5944,7 @@ build} supports (@pxref{Common Build Options}).
 @node Invoking guix publish
 @section Invoking @command{guix publish}
 
+@cindex @command{guix publish}
 The purpose of @command{guix publish} is to enable users to easily share
 their store with others, who can then use it as a substitute server
 (@pxref{Substitutes}).
@@ -5977,7 +6055,8 @@ of the @code{operating-system} declaration (@pxref{guix-publish-service,
 
 @cindex reproducible builds
 @cindex verifiable builds
-
+@cindex @command{guix challenge}
+@cindex challenge
 Do the binaries provided by this server really correspond to the source
 code it claims to build?  Is a package build process deterministic?
 These are the questions the @command{guix challenge} command attempts to
@@ -6102,7 +6181,7 @@ URLs to compare to.
 @node Invoking guix container
 @section Invoking @command{guix container}
 @cindex container
-
+@cindex @command{guix container}
 @quotation Note
 As of version @value{VERSION}, this tool is experimental.  The interface
 is subject to radical change in the future.
@@ -6228,6 +6307,7 @@ to join!  @xref{Contributing}, for information about how you can help.
 @node System Installation
 @section System Installation
 
+@cindex installing GuixSD
 @cindex Guix System Distribution
 This section explains how to install the Guix System Distribution (GuixSD)
 on a machine.  The Guix package manager can
@@ -6471,6 +6551,8 @@ ifconfig @var{interface} up
 @end example
 
 @item Wireless connection
+@cindex wireless
+@cindex WiFi
 To configure wireless networking, you can create a configuration file
 for the @command{wpa_supplicant} configuration tool (its location is not
 important) using one of the available text editors such as
@@ -6503,6 +6585,7 @@ wpa_supplicant -c wpa_supplicant.conf -i @var{interface} -B
 Run @command{man wpa_supplicant} for more information.
 @end table
 
+@cindex DHCP
 At this point, you need to acquire an IP address.  On a network where IP
 addresses are automatically assigned @i{via} DHCP, you can run:
 
@@ -6711,6 +6794,7 @@ that.
 @node Building the Installation Image
 @subsection Building the Installation Image
 
+@cindex installation image
 The installation image described above was built using the @command{guix
 system} command, specifically:
 
@@ -6825,6 +6909,7 @@ version:
 
 @unnumberedsubsubsec System Services
 
+@cindex services
 @vindex %base-services
 The @code{services} field lists @dfn{system services} to be made
 available when the system starts (@pxref{Services}).
@@ -6979,6 +7064,8 @@ the command-line of the kernel---e.g., @code{("console=ttyS0")}.
 The system bootloader configuration object.  @xref{GRUB Configuration}.
 
 @item @code{initrd} (default: @code{base-initrd})
+@cindex initrd
+@cindex initial RAM disk
 A two-argument monadic procedure that returns an initial RAM disk for
 the Linux kernel.  @xref{Initial RAM Disk}.
 
@@ -7370,6 +7457,9 @@ automatically later.
 @node User Accounts
 @subsection User Accounts
 
+@cindex users
+@cindex accounts
+@cindex user accounts
 User accounts and groups are entirely managed through the
 @code{operating-system} declaration.  They are specified with the
 @code{user-account} and @code{user-group} forms:
@@ -7403,6 +7493,7 @@ be specified:
 The name of the user account.
 
 @item @code{group}
+@cindex groups
 This is the name (a string) or identifier (a number) of the user group
 this account belongs to.
 
@@ -7451,6 +7542,7 @@ Manual}, for information on Guile's @code{crypt} procedure.
 @end table
 @end deftp
 
+@cindex groups
 User group declarations are even simpler:
 
 @example
@@ -7693,6 +7785,7 @@ declaration.
 * Desktop Services::            D-Bus and desktop services.
 * Database Services::           SQL databases.
 * Mail Services::               IMAP, POP3, SMTP, and all that.
+* Kerberos Services::           Kerberos services.
 * Web Services::                Web servers.
 * Network File System::         NFS related services.
 * Miscellaneous Services::      Other services.
@@ -7738,6 +7831,7 @@ This is the data type representing the configuration of login.
 @table @asis
 
 @item @code{motd}
+@cindex message of the day
 A file-like object containing the ``message of the day''.
 
 @item @code{allow-empty-passwords?} (default: @code{#t})
@@ -7908,6 +8002,8 @@ external name servers do not even need to be queried.
 @end defvr
 
 @anchor{syslog-configuration-type}
+@cindex syslog
+@cindex logging
 @deftp {Data Type} syslog-configuration
 This data type represents the configuration of the syslog daemon.
 
@@ -7922,6 +8018,7 @@ The syslog configuration file to use.
 @end deftp
 
 @anchor{syslog-service}
+@cindex syslog
 @deffn {Scheme Procedure} syslog-service @var{config}
 Return a service that runs a syslog daemon according to @var{config}.
 
@@ -7945,6 +8042,7 @@ Name of the group for build user accounts.
 Number of build user accounts to create.
 
 @item @code{authorize-key?} (default: @code{#t})
+@cindex substitutes, authorization thereof
 Whether to authorize the substitute keys listed in
 @code{authorized-keys}---by default that of @code{hydra.gnu.org}
 (@pxref{Substitutes}).
@@ -7991,6 +8089,8 @@ This is the name of the file where some random bytes are saved by
 It defaults to @file{/var/lib/random-seed}.
 @end defvr
 
+@cindex keymap
+@cindex keyboard
 @deffn {Scheme Procedure} console-keymap-service @var{files} ...
 @cindex keyboard layout
 Return a service to load console keymaps from @var{files} using
@@ -8012,6 +8112,8 @@ See @code{man loadkeys} for details.
 
 @end deffn
 
+@cindex mouse
+@cindex gpm
 @deffn {Scheme Procedure} gpm-service [#:gpm @var{gpm}] @
           [#:options]
 Run @var{gpm}, the general-purpose mouse daemon, with the given
@@ -8073,6 +8175,7 @@ commonly used for real-time audio systems.
 @subsubsection Scheduled Job Execution
 
 @cindex cron
+@cindex mcron
 @cindex scheduling jobs
 The @code{(gnu services mcron)} module provides an interface to
 GNU@tie{}mcron, a daemon to run jobs at scheduled times (@pxref{Top,,,
@@ -8168,6 +8271,7 @@ specifications,, mcron, GNU@tie{}mcron}).
 
 @cindex rottlog
 @cindex log rotation
+@cindex logging
 Log files such as those found in @file{/var/log} tend to grow endlessly,
 so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
 their contents in separate files, possibly compressed.  The @code{(gnu
@@ -8262,6 +8366,8 @@ gateway.
 @end deffn
 
 @cindex wicd
+@cindex wireless
+@cindex WiFi
 @cindex network management
 @deffn {Scheme Procedure} wicd-service [#:wicd @var{wicd}]
 Return a service that runs @url{https://launchpad.net/wicd,Wicd}, a network
@@ -8291,6 +8397,8 @@ several the @command{connmanctl} command to interact with the daemon and
 configure networking."
 @end deffn
 
+@cindex NTP
+@cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
   [#:servers @var{%ntp-servers}] @
   [#:allow-large-adjustment? #f]
@@ -8305,6 +8413,7 @@ make an initial adjustment of more than 1,000 seconds.
 List of host names used as the default NTP servers.
 @end defvr
 
+@cindex Tor
 @deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}]
 Return a service to run the @uref{https://torproject.org, Tor} anonymous
 networking daemon.
@@ -8352,6 +8461,8 @@ configuration file.
 @end deffn
 
 Furthermore, @code{(gnu services ssh)} provides the following services.
+@cindex SSH
+@cindex SSH server
 
 @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
        [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
@@ -8389,6 +8500,8 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
+@cindex SSH
+@cindex SSH server
 @deffn {Scheme Variable} openssh-service-type
 This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
 shell daemon, @command{sshd}.  Its value must be an
@@ -8552,6 +8665,8 @@ sockets.
 @node X Window
 @subsubsection X Window
 
+@cindex X11
+@cindex X Window System
 Support for the X Window graphical display system---specifically
 Xorg---is provided by the @code{(gnu services xorg)} module.  Note that
 there is no @code{xorg-service} procedure.  Instead, the X server is
@@ -8649,6 +8764,7 @@ Relogin after logout.
 @end table
 @end deftp
 
+@cindex login manager
 @deffn {Scheme Procedure} sddm-service config
 Return a service that spawns the SDDM graphical login manager for config of
 type @code{<sddm-configuration>}.
@@ -9826,6 +9942,8 @@ Users need to be in the @code{lp} group to access the D-Bus service.
 @node Database Services
 @subsubsection Database Services
 
+@cindex database
+@cindex SQL
 The @code{(gnu services databases)} module provides the following services.
 
 @deffn {Scheme Procedure} postgresql-service [#:postgresql postgresql] @
@@ -9862,6 +9980,8 @@ For MariaDB, the root password is empty.
 @node Mail Services
 @subsubsection Mail Services
 
+@cindex mail
+@cindex email
 The @code{(gnu services mail)} module provides Guix service definitions
 for mail services.  Currently the only implemented service is Dovecot,
 an IMAP, POP3, and LMTP server.
@@ -11228,9 +11348,46 @@ could instantiate a dovecot service like this:
                   (string "")))
 @end example
 
+
+@node Kerberos Services
+@subsubsection Kerberos Services
+@cindex Kerberos
+
+The @code{(gnu services Kerberos)} module provides services relating to
+the authentication protocol @dfn{Kerberos}.
+
+@subsubheading PAM krb5 Service
+@cindex pam-krb5
+
+The pam-krb5 service allows for login authentication and password
+management via Kerberos.
+You will need this service if you want PAM enabled applications to authenticate
+users using Kerberos.
+
+@defvr {Scheme Variable} pam-krb5-service-type
+A service type for the Kerberos 5 PAM module.
+@end defvr
+
+@deftp {Data Type} pam-krb5-configuration
+Data type representing the configuration of the Kerberos 5 PAM module
+This type has the following parameters:
+@table @asis
+@item @code{pam-krb5} (default: @code{pam-krb5})
+The pam-krb5 package to use.
+
+@item @code{minimum-uid} (default: @code{1000})
+The smallest user ID for which Kerberos authentications should be attempted.
+Local accounts with lower values will silently fail to authenticate.
+@end table
+@end deftp
+
+
 @node Web Services
 @subsubsection Web Services
 
+@cindex web
+@cindex www
+@cindex HTTP
 The @code{(gnu services web)} module provides the following service:
 
 @deffn {Scheme Procedure} nginx-service [#:nginx nginx] @
@@ -11361,7 +11518,7 @@ The @dfn{global security system} (GSS) daemon provides strong security for RPC
 based protocols.
 Before exchanging RPC requests an RPC client must establish a security
 context.  Typically this is done using the Kerberos command @command{kinit}
-or automatically at login time using PAM services.
+or automatically at login time using PAM services (@pxref{Kerberos Services}).
 
 @defvr {Scheme Variable} gss-service-type
 A service type for the Global Security System (GSS) daemon.
@@ -11446,6 +11603,7 @@ resolution when the graphical console window resizes.
 @end deffn
 
 @subsubsection Dictionary Services
+@cindex dictionary
 The @code{(gnu services dict)} module provides the following service:
 
 @deffn {Scheme Procedure} dicod-service [#:config (dicod-configuration)]
@@ -11737,8 +11895,8 @@ Reference Manual}).  For example:
 @node Initial RAM Disk
 @subsection Initial RAM Disk
 
-@cindex initial RAM disk (initrd)
-@cindex initrd (initial RAM disk)
+@cindex initrd
+@cindex initial RAM disk
 For bootstrapping purposes, the Linux-Libre kernel is passed an
 @dfn{initial RAM disk}, or @dfn{initrd}.  An initrd contains a temporary
 root file system as well as an initialization script.  The latter is
@@ -11814,6 +11972,8 @@ Now that you know all the features that initial RAM disks produced by
 @code{base-initrd} provide, here is how to use it and customize it
 further.
 
+@cindex initrd
+@cindex initial RAM disk
 @deffn {Monadic Procedure} base-initrd @var{file-systems} @
        [#:qemu-networking? #f] [#:virtio? #t] [#:volatile-root? #f] @
        [#:extra-modules '()] [#:mapped-devices '()]
@@ -12016,6 +12176,7 @@ once @command{reconfigure} has completed.
 @end quotation
 
 @item switch-generation
+@cindex generations
 Switch to an existing system generation.  This action atomically
 switches the system profile to the specified system generation.  It also
 rearranges the system's existing GRUB menu entries.  It makes the menu
@@ -12052,6 +12213,7 @@ deactivating services.
 This action will fail if the specified generation does not exist.
 
 @item roll-back
+@cindex rolling back
 Switch to the preceding system generation.  The next time the system
 boots, it will use the preceding system generation.  This is the inverse
 of @command{reconfigure}, and it is exactly the same as invoking
@@ -12271,11 +12433,13 @@ example graph.
 @node Running GuixSD in a VM
 @subsection Running GuixSD in a Virtual Machine
 
+@cindex virtual machine
 One way to run GuixSD in a virtual machine (VM) is to build a GuixSD
 virtual machine image using @command{guix system vm-image}
 (@pxref{Invoking guix system}).  The returned image is in qcow2 format,
 which the @uref{http://qemu.org/, QEMU emulator} can efficiently use.
 
+@cindex QEMU
 To run the image in QEMU, copy it out of the store (@pxref{The Store})
 and give yourself permission to write to the copy.  When invoking QEMU,
 you must choose a system emulator that is suitable for your hardware
@@ -12331,6 +12495,8 @@ network connectivity, like for example @command{curl}.
 
 @subsubsection Connecting Through SSH
 
+@cindex SSH
+@cindex SSH server
 To enable SSH inside a VM you need to add a SSH server like @code{(dropbear-service)}
 or @code{(lsh-service)} to your VM.  The @code{(lsh-service}) doesn't currently
 boot unsupervised.  It requires you to type some characters to initialize the
@@ -12769,6 +12935,7 @@ extend it by passing it lists of packages to add to the system profile.
 @node Shepherd Services
 @subsubsection Shepherd Services
 
+@cindex shepherd services
 @cindex PID 1
 @cindex init system
 The @code{(gnu services shepherd)} module provides a way to define
@@ -13093,6 +13260,7 @@ bootstrap)} module.  For more information on bootstrapping,
 @node Packaging Guidelines
 @section Packaging Guidelines
 
+@cindex packages, creating
 The GNU distribution is nascent and may well lack some of your favorite
 packages.  This section describes how you can help make the distribution
 grow.  @xref{Contributing}, for additional information on how you can
@@ -13170,7 +13338,7 @@ needed is to review and apply the patch.
 @subsection Software Freedom
 
 @c Adapted from http://www.gnu.org/philosophy/philosophy.html.
-
+@cindex free software
 The GNU operating system has been developed so that users can have
 freedom in their computing.  GNU is @dfn{free software}, meaning that
 users have the @url{http://www.gnu.org/philosophy/free-sw.html,four
@@ -13197,6 +13365,7 @@ upstream source.
 @node Package Naming
 @subsection Package Naming
 
+@cindex package name
 A package has actually two names associated with it:
 First, there is the name of the @emph{Scheme variable}, the one following
 @code{define-public}.  By this name, the package can be made known in the
@@ -13221,6 +13390,7 @@ Font package names are handled differently, @pxref{Fonts}.
 @node Version Numbers
 @subsection Version Numbers
 
+@cindex package version
 We usually package only the latest version of a given free software
 project.  But sometimes, for instance for incompatible library versions,
 two (or more) versions of the same package are needed.  These require
@@ -13313,6 +13483,8 @@ definition may look like this:
 @node Synopses and Descriptions
 @subsection Synopses and Descriptions
 
+@cindex package description
+@cindex package synopsis
 As we have seen before, each package in GNU@tie{}Guix includes a
 synopsis and a description (@pxref{Defining Packages}).  Synopses and
 descriptions are important: They are what @command{guix package
@@ -13379,6 +13551,7 @@ for the X11 resize-and-rotate (RandR) extension. @dots{}")
 @node Python Modules
 @subsection Python Modules
 
+@cindex python
 We currently package Python 2 and Python 3, under the Scheme variable names
 @code{python-2} and @code{python} as explained in @ref{Version Numbers}.
 To avoid confusion and naming clashes with other programming languages, it
@@ -13449,6 +13622,7 @@ size}}).
 @node Perl Modules
 @subsection Perl Modules
 
+@cindex perl
 Perl programs standing for themselves are named as any other package,
 using the lowercase upstream name.
 For Perl packages containing a single class, we use the lowercase class name,
@@ -13464,6 +13638,7 @@ prefix.  For instance, @code{libwww-perl} becomes @code{perl-libwww}.
 @node Java Packages
 @subsection Java Packages
 
+@cindex java
 Java programs standing for themselves are named as any other package,
 using the lowercase upstream name.
 
@@ -13483,6 +13658,7 @@ dashes and prepend the prefix @code{java-}.  So the class
 @node Fonts
 @subsection Fonts
 
+@cindex fonts
 For fonts that are in general not installed by a user for typesetting
 purposes, or that are distributed as part of a larger software package,
 we rely on the general packaging rules for software; for instance, this
@@ -13656,6 +13832,7 @@ implicitly used by any package that uses @code{gnu-build-system}
 
 @unnumberedsubsec Building the Bootstrap Binaries
 
+@cindex bootstrap binaries
 Because the final tool chain does not depend on the bootstrap binaries,
 those rarely need to be updated.  Nevertheless, it is useful to have an
 automated way to produce them, should an update occur, and this is what
@@ -13751,7 +13928,7 @@ providing artwork and themes, making suggestions, and more---thank you!
 @c *********************************************************************
 @node GNU Free Documentation License
 @appendix GNU Free Documentation License
-
+@cindex license, GNU Free Documentation License
 @include fdl-1.3.texi
 
 @c *********************************************************************
diff --git a/gnu/build/linux-container.scm b/gnu/build/linux-container.scm
index 3fccc9addb..b71d6a5f88 100644
--- a/gnu/build/linux-container.scm
+++ b/gnu/build/linux-container.scm
@@ -24,6 +24,7 @@
   #:use-module (guix utils)
   #:use-module (guix build utils)
   #:use-module (guix build syscalls)
+  #:use-module (gnu system file-systems)          ;<file-system>
   #:use-module ((gnu build file-systems) #:select (mount-file-system))
   #:export (user-namespace-supported?
             unprivileged-user-namespace-supported?
@@ -72,8 +73,9 @@ exists."
 ;; specification:
 ;; https://raw.githubusercontent.com/docker/libcontainer/master/SPEC.md
 (define* (mount-file-systems root mounts #:key mount-/sys? mount-/proc?)
-  "Mount the essential file systems and the those in the MOUNTS list relative
-to ROOT, then make ROOT the new root directory for the process."
+  "Mount the essential file systems and the those in MOUNTS, a list of
+<file-system> objects, relative to ROOT; then make ROOT the new root directory
+for the process."
   (define (scope dir)
     (string-append root dir))
 
@@ -141,8 +143,9 @@ to ROOT, then make ROOT the new root directory for the process."
   (symlink "/proc/self/fd/2" (scope "/dev/stderr"))
 
   ;; Mount user-specified file systems.
-  (for-each (lambda (spec)
-              (mount-file-system spec #:root root))
+  (for-each (lambda (file-system)
+              (mount-file-system (file-system->spec file-system)
+                                 #:root root))
             mounts)
 
   ;; Jail the process inside the container's root file system.
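Review bot: The lambda parameter in the user-specified mounts loop is named `file-system`, which is also the record constructor syntax exported by `(gnu system file-systems)`, the module this commit starts importing. The local binding shadows it inside the lambda and makes the call harder to read; `(lambda (fs) (mount-file-system (file-system->spec fs) #:root root))` avoids that. Every element of MOUNTS now goes through `file-system->spec`, so a caller that still passes old-style spec lists would presumably fail at this point. The callers are outside this hunk and should be checked. mount-file-systems starts and ends outside the hunk.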
@@ -197,8 +200,8 @@ corresponds to the symbols in NAMESPACES."
 
 (define (run-container root mounts namespaces host-uids thunk)
   "Run THUNK in a new container process and return its PID.  ROOT specifies
-the root directory for the container.  MOUNTS is a list of file system specs
-that specify the mapping of host file systems into the container.  NAMESPACES
+the root directory for the container.  MOUNTS is a list of <file-system>
+objects that specify file systems to mount inside the container.  NAMESPACES
 is a list of symbols that correspond to the possible Linux namespaces: mnt,
 ipc, uts, user, and net.  HOST-UIDS specifies the number of
 host user identifiers to map into the user namespace."
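Review bot: The run-container docstring touched here still lists the namespaces as `mnt, ipc, uts, user, and net`, while the call-with-container docstring in the next hunk lists `mnt, ipc, uts, pid, user, and net`. The definition of `%namespaces` is not visible, so this is inferred, but the omission of `pid` looks like an oversight. Since the docstring is being edited anyway, the line could read `ipc, uts, pid, user, and net.  HOST-UIDS specifies the number of`. A reader deciding which isolation a container gets should see the same list in both places. The body of run-container is outside the hunk.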
@@ -256,8 +259,8 @@ host user identifiers to map into the user namespace."
 (define* (call-with-container mounts thunk #:key (namespaces %namespaces)
                               (host-uids 1))
   "Run THUNK in a new container process and return its exit status.
-MOUNTS is a list of file system specs that specify the mapping of host file
-systems into the container.  NAMESPACES is a list of symbols corresponding to
+MOUNTS is a list of <file-system> objects that specify file systems to mount
+inside the container.  NAMESPACES is a list of symbols corresponding to
 the identifiers for Linux namespaces: mnt, ipc, uts, pid, user, and net.  By
 default, all namespaces are used.  HOST-UIDS is the number of host user
 identifiers to map into the container's user namespace, if there is one.  By
diff --git a/gnu/local.mk b/gnu/local.mk
index e1fd8ce8a9..ce0fdebe03 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -8,6 +8,7 @@
 # Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
 # Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+# Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 #
 # This file is part of GNU Guix.
 #
@@ -348,6 +349,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/swig.scm				\
   %D%/packages/sxiv.scm				\
   %D%/packages/synergy.scm			\
+  %D%/packages/syndication.scm			\
   %D%/packages/task-management.scm		\
   %D%/packages/tbb.scm				\
   %D%/packages/tcl.scm				\
@@ -361,6 +363,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/tmux.scm				\
   %D%/packages/tor.scm				\
   %D%/packages/tv.scm				\
+  %D%/packages/uml.scm				\
   %D%/packages/unrtf.scm			\
   %D%/packages/upnp.scm				\
   %D%/packages/uucp.scm				\
@@ -401,6 +404,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services/dbus.scm				\
   %D%/services/desktop.scm			\
   %D%/services/dict.scm				\
+  %D%/services/kerberos.scm			\
   %D%/services/lirc.scm				\
   %D%/services/mail.scm				\
   %D%/services/mcron.scm			\
@@ -541,6 +545,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-arm-link-spec-fix.patch		\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
+  %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
   %D%/packages/patches/gcc-6-arm-none-eabi-multilib.patch	\
   %D%/packages/patches/gcc-6-cross-environment-variables.patch	\
@@ -661,6 +666,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtiff-CVE-2016-5321.patch		\
   %D%/packages/patches/libtiff-CVE-2016-5323.patch		\
   %D%/packages/patches/libtiff-CVE-2016-5652.patch		\
+  %D%/packages/patches/libtiff-CVE-2016-9273.patch		\
   %D%/packages/patches/libtiff-oob-accesses-in-decode.patch	\
   %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
   %D%/packages/patches/libtool-skip-tests2.patch		\
@@ -681,6 +687,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
+  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-for-extempore.patch			\
@@ -713,7 +720,14 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
   %D%/packages/patches/mupdf-CVE-2016-6265.patch		\
   %D%/packages/patches/mupdf-CVE-2016-6525.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7504.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7505.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7506.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7563.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-7564.patch		\
   %D%/packages/patches/mupdf-CVE-2016-8674.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-9017.patch		\
+  %D%/packages/patches/mupdf-CVE-2016-9136.patch		\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/musl-CVE-2016-8859.patch			\
   %D%/packages/patches/mutt-store-references.patch		\
@@ -822,6 +836,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ruby-rack-ignore-failing-test.patch      \
   %D%/packages/patches/ruby-symlinkfix.patch                    \
   %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
+  %D%/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch \
   %D%/packages/patches/sed-hurd-path-max.patch			\
   %D%/packages/patches/scheme48-tests.patch			\
   %D%/packages/patches/scotch-test-threading.patch		\
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 994c6e4e04..7d2e2d2a4b 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -47,6 +47,7 @@
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
   #:use-module (gnu packages databases)
+  #:use-module (gnu packages emacs)
   #:use-module (gnu packages file)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fltk)
@@ -55,11 +56,13 @@
   #:use-module (gnu packages glib)
   #:use-module (gnu packages gtk)
   #:use-module (gnu packages gnome)
+  #:use-module (gnu packages gnunet) ; libmicrohttpd
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages image)
   #:use-module (gnu packages ncurses)
   #:use-module (gnu packages qt)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages llvm)
   #:use-module (gnu packages mp3) ;taglib
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
@@ -67,7 +70,9 @@
   #:use-module (gnu packages python)
   #:use-module (gnu packages rdf)
   #:use-module (gnu packages readline)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages video)
+  #:use-module (gnu packages vim) ;xxd
   #:use-module (gnu packages webkit)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
@@ -928,6 +933,36 @@ PS, and DAB+.")
      "Faust is a programming language for realtime audio signal processing.")
     (license license:gpl2+)))
 
+(define-public faust-2
+  (package
+    (inherit faust)
+    (version "2.0.a51")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "mirror://sourceforge/faudiostream/faust-" version ".tgz"))
+              (sha256
+               (base32
+                "1yryjqfqmxs7lxy95hjgmrncvl9kig3rcsmg0v49ghzz7vs7haxf"))))
+    (build-system gnu-build-system)
+    (arguments
+     (substitute-keyword-arguments (package-arguments faust)
+       ((#:make-flags flags)
+        `(list (string-append "prefix=" (assoc-ref %outputs "out"))
+               "world"))))
+    (native-inputs
+     `(("llvm" ,llvm-with-rtti)
+       ("which" ,which)
+       ("xxd" ,vim)
+       ("ctags" ,emacs-minimal)  ; for ctags
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libsndfile" ,libsndfile)
+       ("libmicrohttpd" ,libmicrohttpd)
+       ("ncurses" ,ncurses)
+       ("openssl" ,openssl)
+       ("zlib" ,zlib)))))
+
 (define-public freepats
   (package
     (name "freepats")
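Review bot: In the `arguments` of faust-2, the clause `((#:make-flags flags) ...)` binds the inherited `flags` but never uses it, so the make flags of `faust` are replaced outright rather than extended. If that is intended, a comment such as `;; Replace the inherited flags entirely: faust-2 needs the "world" target.` would say so. Otherwise the new list should be built from `flags`. The native input labelled `"ctags"` is bound to `emacs-minimal` and `"xxd"` to `vim`, which pulls two editors into the build for one helper each. A short comment on both lines (only `ctags` has one) would make that deliberate choice clear.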
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 4dfac15040..5444f0a2a1 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -2048,7 +2048,7 @@ identify enrichments with functional annotations of the genome.")
 (define-public diamond
   (package
     (name "diamond")
-    (version "0.8.23")
+    (version "0.8.26")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2057,7 +2057,7 @@ identify enrichments with functional annotations of the genome.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0xpcq3fbk4c52xbpgyk5brl58rljvl83bg8nkxy8vs00pxanm7i2"))))
+                "17s38pgjih6yc2z81040pircbv60c9wr33mbcyki2rfpv8rbxlh0"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; no "check" target
@@ -6869,7 +6869,7 @@ downloaded from Encode.")
 (define-public r-org-hs-eg-db
   (package
     (name "r-org-hs-eg-db")
-    (version "3.3.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
@@ -6879,7 +6879,7 @@ downloaded from Encode.")
                                   "org.Hs.eg.db_" version ".tar.gz"))
               (sha256
                (base32
-                "09zb43yjd82ny210n5a0wsrji4w56l2r6ana6d9lx0nn9mzd7rzp"))))
+                "19mg64pw8zcvb9yxzzyf7caz1kvdrkfsj1hd84bzq7crrh8kc4y6"))))
     (properties
      `((upstream-name . "org.Hs.eg.db")))
     (build-system r-build-system)
@@ -6895,7 +6895,7 @@ annotations for the human genome.")
 (define-public r-org-ce-eg-db
   (package
     (name "r-org-ce-eg-db")
-    (version "3.3.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
@@ -6905,7 +6905,7 @@ annotations for the human genome.")
                                   "org.Ce.eg.db_" version ".tar.gz"))
               (sha256
                (base32
-                "17mvb2ci2jgac3zi420cbf70n4zswqinzxlk1v2fjnp8vvydl2fw"))))
+                "12llfzrrc09kj2wzbisdspv38qzkzgpsbn8kv7qkwg746k3pq436"))))
     (properties
      `((upstream-name . "org.Ce.eg.db")))
     (build-system r-build-system)
@@ -6921,7 +6921,7 @@ annotations for the genome of the model worm Caenorhabditis elegans.")
 (define-public r-org-dm-eg-db
   (package
     (name "r-org-dm-eg-db")
-    (version "3.3.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
@@ -6931,7 +6931,7 @@ annotations for the genome of the model worm Caenorhabditis elegans.")
                                   "org.Dm.eg.db_" version ".tar.gz"))
               (sha256
                (base32
-                "15kzvw78xwa54yk1d69l6pmgny4726ydpdkk8lic26vr0yiwicla"))))
+                "1vzbphbrh1cf7xi5cksia9xy9a9l42js2z2qsajvjxvddiphrb7j"))))
     (properties
      `((upstream-name . "org.Dm.eg.db")))
     (build-system r-build-system)
@@ -6947,7 +6947,7 @@ annotations for the genome of the model fruit fly Drosophila melanogaster.")
 (define-public r-org-mm-eg-db
   (package
     (name "r-org-mm-eg-db")
-    (version "3.3.0")
+    (version "3.4.0")
     (source (origin
               (method url-fetch)
               ;; We cannot use bioconductor-uri here because this tarball is
@@ -6957,7 +6957,7 @@ annotations for the genome of the model fruit fly Drosophila melanogaster.")
                                   "org.Mm.eg.db_" version ".tar.gz"))
               (sha256
                (base32
-                "0r939vfmsqqdwfimix1nv0bkhnixawy9c6avbclrncfanw3kgjax"))))
+                "1lykjqjaf01fmgg3cvfcvwd5xjq6zc5vbxnm5r4l32fzvl89q50c"))))
     (properties
      `((upstream-name . "org.Mm.eg.db")))
     (build-system r-build-system)
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 8d69def5b7..0323a51838 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -285,7 +285,7 @@ Language.")
 (define-public mariadb
   (package
     (name "mariadb")
-    (version "10.1.18")
+    (version "10.1.19")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.mariadb.org/f/"
@@ -293,7 +293,7 @@ Language.")
                                   name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0wrvhyck95czhz553834i9im7ljvn8k2byakcinlji7zx43njcyp"))))
+                "108s4mimdbmgmmn5pcr9a405j70cyny9adzv49s75lg22krp74sv"))))
     (build-system cmake-build-system)
     (arguments
      '(#:configure-flags
@@ -353,14 +353,14 @@ as a drop-in replacement of MySQL.")
 (define-public postgresql
   (package
     (name "postgresql")
-    (version "9.5.4")
+    (version "9.5.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "1l3fqxlpxgl6nrcd4h6lpi2hsiv56yg83n3xrn704rmdch8mfpng"))))
+                "157kf6mdazmxfmd11f0akya2xcz6sfgprn7yqc26dpklps855ih2"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -375,7 +375,7 @@ as a drop-in replacement of MySQL.")
     (inputs
      `(("readline" ,readline)
        ("zlib" ,zlib)))
-    (home-page "http://www.postgresql.org/")
+    (home-page "https://www.postgresql.org/")
     (synopsis "Powerful object-relational database system")
     (description
      "PostgreSQL is a powerful object-relational database system.  It is fully
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 9eb37957dc..e190e508a7 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -358,7 +358,8 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
-              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-strmov-store-file-names.patch"
+                                       "gcc-5.0-libvtv-runpath.patch"))))))
 
 (define-public gcc-6
   (package
@@ -371,7 +372,8 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "1idpf43988v1a6i8lw9ak1r7igcfg1bm5kn011iydlr2qygmhi4r"))
-              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-strmov-store-file-names.patch"
+                                       "gcc-5.0-libvtv-runpath.patch"))))))
 
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index b246d3a6ad..5d4293c290 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -28,6 +28,7 @@
 (define-module (gnu packages guile)
   #:use-module (guix licenses)
   #:use-module (gnu packages)
+  #:use-module (gnu packages aspell)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages bdw-gc)
   #:use-module (gnu packages gawk)
@@ -1373,4 +1374,40 @@ an abstraction over raw memory.  It's also more powerful than the C
 type system, elevating types to first-class status.")
     (license gpl3+)))
 
+(define-public guile-aspell
+  (package
+    (name "guile-aspell")
+    (version "0.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "http://lonelycactus.com/tarball/guile_aspell-"
+                    version ".tar.gz"))
+              (sha256
+               (base32
+                "1wknn57x2qcsbn7zw6sbn1ma6fjsg8cvpnf78ak47s8jw6k6j75n"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags (list (string-append "--with-guilesitedir="
+                                              (assoc-ref %outputs "out")
+                                              "/share/guile/site/2.0"))
+       #:phases (modify-phases %standard-phases
+                  (add-before 'build 'set-libaspell-file-name
+                    (lambda* (#:key inputs #:allow-other-keys)
+                      (let ((aspell (assoc-ref inputs "aspell")))
+                        (substitute* "aspell/aspell.scm"
+                          (("\"libaspell\\.so\"")
+                           (string-append "\"" aspell
+                                          "/lib/libaspell\"")))
+                        #t))))))
+    (native-inputs `(("pkg-config" ,pkg-config)))
+    (inputs `(("guile" ,guile-2.0)
+              ("aspell" ,aspell)))
+    (home-page "https://github.com/spk121/guile-aspell")
+    (synopsis "Spell-checking from Guile")
+    (description
+     "guile-aspell is a Guile Scheme library for comparing a string against a
+dictionary and suggesting spelling corrections.")
+    (license gpl3+)))
+
 ;;; guile.scm ends here
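Review bot: The `source` of guile-aspell is fetched over plain `http://lonelycactus.com/tarball/`, while `home-page` points at the project's GitHub repository over https. The `sha256` pins the content, so a tampered download would be rejected, but an https URI would be preferable if the host offers one. That avoids build failures from on-path modification and keeps the fetch URL from being rewritten in transit. Separately, the `set-libaspell-file-name` phase rewrites `"libaspell.so"` to `.../lib/libaspell` without the extension, presumably relying on Guile's dynamic-link to append it. A one-line comment stating that would help, e.g. `;; No ".so": dynamic-link adds the extension itself.`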
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 47544a629e..a40b212710 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -299,7 +299,8 @@ collection of tools for doing simple manipulations of TIFF images.")
                          "libtiff-CVE-2016-5314.patch"
                          "libtiff-CVE-2016-5321.patch"
                          "libtiff-CVE-2016-5323.patch"
-                         "libtiff-CVE-2016-5652.patch"))))))
+                         "libtiff-CVE-2016-5652.patch"
+                         "libtiff-CVE-2016-9273.patch"))))))
 
 (define-public libwmf
   (package
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 071d42a165..8dcfbc72c5 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -43,14 +43,14 @@
 (define-public imagemagick
   (package
     (name "imagemagick")
-    (version "6.9.6-3")
+    (version "6.9.6-4")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0min87mdhv6bni5hz99i3j1wkrjrqp88dx4ckjzmilg28p9ick63"))))
+               "1mv2qihr9jfagz1dds42q46zirh0dvx0rai7pkqmbzy2bp2c48ym"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index 16f83fc474..d98a4cd7a9 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2014, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -80,13 +81,13 @@
      `(;; Add '-std=c++11', required by recent versions of GLibmm & co.
        ;; Use '-g0' to reduce disk usage during the build.
        #:configure-flags '("CXXFLAGS=-g0 -O2 -fopenmp -std=c++11")
-
-       #:phases (alist-cons-after
-                 'unpack 'fix-test-includes
-                 (lambda _
-                   (substitute* "src/cxxtests.cpp"
-                     (("\\.\\./\\.\\./src") "../src")))
-                 %standard-phases)))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-test-includes
+           (lambda _
+             (substitute* "src/cxxtests.cpp"
+               (("\\.\\./\\.\\./src") "../src"))
+             #t)))))
     (home-page "http://inkscape.org/")
     (synopsis "Vector graphics editor")
     (description "Inkscape is a vector graphics editor.  What sets Inkscape
diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 34a5046d20..82e7ed2cc7 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,6 +28,63 @@
   #:use-module (gnu packages tls)
   #:use-module (gnu packages qt))
 
+(define-public kdevelop-pg-qt
+  (package
+    (name "kdevelop-pg-qt")
+    (version "2.0.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/KDE/kdevelop-pg-qt/archive/v"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32 "1av8plqz7hyhrd07avnmn6ryslqlarmxn0pw7swzvb6ddiqp59j4"))))
+    (native-inputs
+     `(("extra-cmake-modules" ,extra-cmake-modules)))
+    (inputs
+     `(("qtbase" ,qtbase)))
+    (build-system cmake-build-system)
+    (home-page "https://kde.org")
+    (synopsis "Parser generator library for KDevplatform")
+    (description "KDevelop-PG-Qt is the parser generator used in KDevplatform
+for some KDevelop language plugins (Ruby, PHP, CSS...).")
+    (license license:lgpl2.0+)))
+
+(define-public libkomparediff2
+  (package
+    (name "libkomparediff2")
+    (version "16.08.2")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://github.com/KDE/libkomparediff2/archive/v"
+                            version ".tar.gz"))
+        (file-name (string-append name "-" version ".tar.gz"))
+        (sha256
+         (base32
+          "1lafifrwfxvn0jwhz67kwv7m38lm4syips3fq77rwcvfhmkiijmh"))))
+    (native-inputs
+     `(("extra-cmake-modules" ,extra-cmake-modules)
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("kcodecs" ,kcodecs)
+       ("kconfig" ,kconfig)
+       ("kcoreaddons" ,kcoreaddons)
+       ("ki18n" ,ki18n)
+       ("kio" ,kio)
+       ("kxmlgui" ,kxmlgui)
+       ("qtbase" ,qtbase)))
+    (build-system cmake-build-system)
+    (home-page "https://kde.org")
+    (synopsis "Library to compare files and strings, used in Kompare and KDevelop")
+    (description "Libkomparediff2 is a library to work with diffs and patches,
+used in KDE development tools Kompare and KDevelop.")
+
+    ;; GPL, some files are also licensed under LGPL or BSD, see COPYING in the
+    ;; source archive
+    (license (list license:gpl2+ license:lgpl2.0+ license:bsd-3))))
+
 (define-public qca
   (package
     (name "qca")
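Review bot: Both new packages, kdevelop-pg-qt and libkomparediff2, take their source from GitHub's generated `/archive/v<version>.tar.gz` endpoint. Those archives are produced on demand and are not guaranteed to stay byte-identical, so the pinned `sha256` can start failing without any upstream change. If upstream publishes release tarballs, pointing `uri` at those would be more robust. Otherwise a comment next to the hash would document the risk, e.g. `;; GitHub-generated archive; the hash may change if it is regenerated.` The `home-page` of both is the generic `https://kde.org` rather than a project page.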
diff --git a/gnu/packages/libusb.scm b/gnu/packages/libusb.scm
index 2c66eca372..215cecee1f 100644
--- a/gnu/packages/libusb.scm
+++ b/gnu/packages/libusb.scm
@@ -237,4 +237,4 @@ HID-Class devices.")
     ;; HIDAPI can be used under one of three licenses.
     (license (list gpl3
                    bsd-3
-                   non-copyleft "file://LICENSE-orig.txt"))))
+                   (non-copyleft "file://LICENSE-orig.txt")))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 01f5d6c88d..a3c65979d9 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -15,6 +15,7 @@
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -63,6 +64,7 @@
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pciutils)
   #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages popt)
   #:use-module (gnu packages pulseaudio)
   #:use-module (gnu packages python)
   #:use-module (gnu packages readline)
@@ -325,14 +327,14 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
 (define-public linux-libre
-  (make-linux-libre "4.8.6"
-                    "07h618x13yyp3lnf77px4v60pdcz7il0fa7p466wa5gp3h0yhvmi"
+  (make-linux-libre "4.8.7"
+                    "1jbwm131zv59iyr6qw7qcbcfz49qqb2hhx30230gb99flyc5h4hg"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.30"
-                    "16jjcjfbf3s4mrifk6v7kmnm8l7yywispfap98wcv6gw6mv9sxdx"
+  (make-linux-libre "4.4.31"
+                    "1s4xdllvxw02g4yqlafcacgsgdpxccf6dlqafpqffm873q1y9n4d"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -343,8 +345,8 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 ;; Avoid rebuilding kernel variants when there is a minor version bump.
-(define %linux-libre-version "4.8.6")
-(define %linux-libre-hash "07h618x13yyp3lnf77px4v60pdcz7il0fa7p466wa5gp3h0yhvmi")
+(define %linux-libre-version "4.8.7")
+(define %linux-libre-hash "1jbwm131zv59iyr6qw7qcbcfz49qqb2hhx30230gb99flyc5h4hg")
 
 (define-public linux-libre-arm-generic
   (make-linux-libre %linux-libre-version
@@ -3140,3 +3142,80 @@ activity of the GPU as a whole, which is also accurate during OpenCL
 computations, as well as separate component statistics that are only meaningful
 under OpenGL graphics workloads.")
     (license license:gpl3)))
+
+(define-public efivar
+  (package
+    (name "efivar")
+    (version "30")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/rhinstaller/" name
+                                  "/releases/download/" version "/" name
+                                  "-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "12qjnm44yi55ffqxjpgrxy82s89yjziy84w2rfjjknsd8flj0mqz"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(;; Tests require a UEFI system and is not detected in the chroot.
+       #:tests? #f
+       #:make-flags (list (string-append "prefix=" %output)
+                          (string-append "libdir=" %output "/lib")
+                          (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib"))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure))))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("popt" ,popt)))
+    (home-page "https://github.com/rhinstaller/efivar")
+    (synopsis "Tool and library to manipulate EFI variables")
+    (description "This package provides a library and a command line
+interface to the variable facility of UEFI boot firmware.")
+    (license license:lgpl2.1+)))
+
+(define-public efibootmgr
+  (package
+    (name "efibootmgr")
+    (version "14")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/rhinstaller/" name
+                                  "/releases/download/" version "/" name
+                                  "-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "1n3sydvpr6yl040hhf460k7mrxby7laqd9dqs6pq0js1hijc2zip"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f ; No tests.
+       #:make-flags (list (string-append "prefix=" %output)
+                          (string-append "libdir=" %output "/lib")
+                          ;; Override CFLAGS to add efivar include directory.
+                          (string-append "CFLAGS=-O2 -g -flto -I"
+                                         (assoc-ref %build-inputs "efivar")
+                                         "/include/efivar"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'branding
+           ;; Replace default loader path with something more familiar.
+           (lambda _
+             (substitute* "src/efibootmgr.c"
+               (("EFI\\\\\\\\redhat") ; Matches 'EFI\\redhat'.
+                "EFI\\\\gnu"))
+             #t))
+         (delete 'configure))))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("efivar" ,efivar)
+       ("popt" ,popt)))
+    (home-page "https://github.com/rhinstaller/efibootmgr")
+    (synopsis "Modify the Extensible Firmware Interface (EFI) boot manager")
+    (description
+     "@code{efibootmgr} is a user-space application to modify the Intel
+Extensible Firmware Interface (EFI) Boot Manager.  This application can
+create and destroy boot entries, change the boot order, change the next
+running boot option, and more.")
+    (license license:gpl2+)))
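Review bot: In the efibootmgr definition the `CFLAGS=-O2 -g -flto -I…` make flag replaces the Makefile's own CFLAGS instead of appending the efivar include directory. Any warning or hardening options upstream sets there would be dropped without notice; the hunk does not show upstream's defaults, so this needs checking against the 14 tarball. Since the tool rewrites firmware boot entries and both packages set `#:tests? #f`, I would extend the existing comment to say which upstream flags were deliberately kept, e.g. `;; Override CFLAGS to add efivar include directory; upstream defaults checked against <version>.` The efivar comment also reads more clearly as `;; Tests require a UEFI system, which is not detected in the chroot.`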
diff --git a/gnu/packages/llvm.scm b/gnu/packages/llvm.scm
index 1a1f7eef6c..96679bf97b 100644
--- a/gnu/packages/llvm.scm
+++ b/gnu/packages/llvm.scm
@@ -85,6 +85,17 @@ languages is in development.  The compiler infrastructure includes mirror sets
 of programming tools as well as libraries with equivalent functionality.")
     (license license:ncsa)))
 
+(define-public llvm-with-rtti
+  (package (inherit llvm)
+    (name "llvm-with-rtti")
+    (arguments
+     (substitute-keyword-arguments (package-arguments llvm)
+       ((#:configure-flags flags)
+        `(append '("-DCMAKE_SKIP_BUILD_RPATH=FALSE"
+                   "-DCMAKE_BUILD_WITH_INSTALL_RPATH=FALSE"
+                   "-DLLVM_REQUIRES_RTTI=1")
+                 ,flags))))))
+
 (define (clang-runtime-from-llvm llvm hash)
   (package
     (name "clang-runtime")
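Review bot: `llvm-with-rtti` prepends its three flags with `(append '(...) ,flags)`, so any inherited flag that sets the same CMake variable comes later on the command line and takes precedence. If the parent `llvm` package already passes the two RPATH settings (not visible in this hunk), those entries are redundant here and only `-DLLVM_REQUIRES_RTTI=1` is new. The definition also has no comment saying why an RTTI-enabled variant is needed. A line such as `;; Variant with RTTI enabled, needed by <dependent package>.` above `define-public` would tell maintainers when it can be removed.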
diff --git a/gnu/packages/lua.scm b/gnu/packages/lua.scm
index fe0ec208aa..f95da3587d 100644
--- a/gnu/packages/lua.scm
+++ b/gnu/packages/lua.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 doncatnip <gnopap@gmail.com>
+;;; Copyright © 2016 Clément Lassieur <clement@lassieur.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -280,6 +281,18 @@ communication.  It takes an already established TCP connection and creates a
 secure session between the peers.")
     (license (package-license lua-5.1))))
 
+(define-public lua5.1-sec-0.5
+  (package
+    (inherit lua5.1-sec)
+    (version "0.5.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/brunoos/luasec/archive/"
+                                  "luasec-" version ".tar.gz"))
+              (sha256
+               (base32
+                "01llf5bcrjmqqy6m65avqkajz7h79rvkka6rd131kwr10n75yp3d"))))))
+
 (define-public lua-lgi
   (package
     (name "lua-lgi")
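Review bot: `lua5.1-sec-0.5` is exported with `define-public` but has no comment in this file explaining that it pins a specific luasec release for a single consumer. The only rationale is the URL comment in the messaging.scm hunk, where Prosody's input is switched to it. Because this is the TLS binding, a pinned variant has to be checked for security fixes separately from `lua5.1-sec`, and other packages should not start depending on it by accident. I would add `;; Pinned luasec release required by Prosody; see <https://prosody.im/doc/depends#luasec>.` above the definition.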
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 1408e2e030..0e09c5c594 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -727,7 +727,7 @@ MailCore 2.")
 (define-public claws-mail
   (package
     (name "claws-mail")
-    (version "3.14.0")
+    (version "3.14.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -735,7 +735,7 @@ MailCore 2.")
                     ".tar.xz"))
               (sha256
                (base32
-                "0nfchgga3ir91s8rky0a0vnz8cgj2f6h716wh3cmb466a01xfss6"))))
+                "0df34gj4r5cbb92834hph19gnh7ih9rgmmw47rliyg8b9z01v6mp"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs `(("bogofilter" ,bogofilter)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 5665c2a7b8..f7a4bbe75f 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -949,14 +949,14 @@ script files.")
 (define-public gmsh
   (package
     (name "gmsh")
-    (version "2.11.0")
+    (version "2.14.1")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "http://www.geuz.org/gmsh/src/gmsh-"
+      (uri (string-append "http://gmsh.info/src/gmsh-"
                           version "-source.tgz"))
       (sha256
-       (base32 "1ilplibvjgf7a905grpnclrvkmqy9fgrpl7xyp3w4yl1qc682v9b"))
+       (base32 "1vsxp47j6srmy8kqb3p1z9pmlm42whhhz7r0vzpa2a86gga4zx17"))
       (modules '((guix build utils)))
       (snippet
        ;; Remove non-free METIS code
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index 66cf231cfb..72b89067f0 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 ng0 <ngillmann@runbox.com>
 ;;; Copyright © 2016 Andy Patterson <ajpatter@uwaterloo.ca>
+;;; Copyright © 2016 Clément Lassieur <clement@lassieur.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -563,7 +564,8 @@ end-to-end encryption support; XML console.")
        ("lua5.1-expat" ,lua5.1-expat)
        ("lua5.1-socket" ,lua5.1-socket)
        ("lua5.1-filesystem" ,lua5.1-filesystem)
-       ("lua5.1-sec" ,lua5.1-sec)))
+       ;; See <https://prosody.im/doc/depends#luasec>.
+       ("lua5.1-sec" ,lua5.1-sec-0.5)))
     (home-page "https://prosody.im/")
     (synopsis "Jabber (XMPP) server")
     (description "Prosody is a modern XMPP communication server.  It aims to
diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9ad7bab335..abcc498599 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -1896,7 +1896,7 @@ of tools for manipulating and accessing your music.")
     (version "0.90.86")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://milkytracker.org/files/"
+              (uri (string-append "http://milkytracker.titandemo.org/files/"
                                   name "-" version ".tar.bz2"))
               (sha256
                (base32
@@ -1916,7 +1916,7 @@ of tools for manipulating and accessing your music.")
 module files.  It attempts to recreate the module replay and user experience of
 the popular DOS program Fasttracker II, with special playback modes available
 for improved Amiga ProTracker 2/3 compatibility.")
-    (home-page "http://milkytracker.org/")
+    (home-page "http://milkytracker.titandemo.org/")
     ;; 'src/milkyplay' is under Modified BSD, the rest is under GPL3 or later.
     (license (list license:bsd-3 license:gpl3+))))
 
diff --git a/gnu/packages/nano.scm b/gnu/packages/nano.scm
index 01ef5dc800..e1830d291b 100644
--- a/gnu/packages/nano.scm
+++ b/gnu/packages/nano.scm
@@ -29,7 +29,7 @@
 (define-public nano
   (package
     (name "nano")
-    (version "2.7.0")
+    (version "2.7.1")
     (source
      (origin
       (method url-fetch)
@@ -37,12 +37,12 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "1hzazcrbwjqiw89jjvlj97q0wf385qqkzcm0870pdrixiv7yklax"))))
+        "06715a39hmp2dl0qz0979cyv8brpb91z5hn94q224ymbsc876m41"))))
     (build-system gnu-build-system)
     (inputs
      `(("gettext" ,gettext-minimal)
        ("ncurses" ,ncurses)))
-    (home-page "http://www.nano-editor.org/")
+    (home-page "https://www.nano-editor.org/")
     (synopsis "Small, user-friendly console text editor")
     (description
      "GNU Nano is a small and simple text editor.  In addition to basic
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 97991670f3..e21e477f4f 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,7 +27,8 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
-  #:use-module (gnu packages perl))
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages swig))
 
 (define-public ncurses
   (let ((patch-makefile-phase
@@ -207,3 +209,42 @@ curses widgets, such as dialog boxes.")
      "@code{Curses} is the interface between Perl and the curses library
 of your system.")
     (license (package-license perl))))
+
+(define-public stfl
+  (package
+    (name "stfl")
+    (version "0.24")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "http://www.clifford.at/stfl/stfl-"
+                            version ".tar.gz"))
+        (sha256
+         (base32
+          "1460d5lc780p3q38l3wc9jfr2a7zlyrcra0li65aynj738cam9yl"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:tests? #f ; no test target
+       #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure) ; there is no configure script
+         ;; in our ncurses, the headers are in /include
+         (add-before 'build 'patch-ncursesw
+           (lambda _
+             (substitute* "stfl_internals.h"
+               (("ncursesw/") ""))
+             #t))
+         (add-after 'install 'install-missing-symlink
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (lib (string-append out "/lib")))
+               ;; Some programs look for libstfl.so.0.
+               (symlink "libstfl.so" (string-append lib "/libstfl.so.0"))))))))
+    (inputs `(("ncurses" ,ncurses)))
+    (native-inputs `(("swig" ,swig)))
+    (home-page "http://www.clifford.at/stfl/")
+    (synopsis "Structured terminal forms library")
+    (description "Stfl is a library which implements a curses-based widget
+set for text terminals.")
+    (license lgpl3+)))
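Review bot: The `install-missing-symlink` phase ends on the `symlink` call and so returns that call's unspecified value, while `patch-ncursesw` just above it ends with an explicit `#t`. Making the return value explicit keeps the two phases consistent and avoids depending on how the build system treats an unspecified result: `(symlink "libstfl.so" (string-append lib "/libstfl.so.0"))` followed by `#t` inside the `let*`. The comment `;; in our ncurses, the headers are in /include` sits between `(delete 'configure)` and the phase it describes, and would read better placed directly inside `patch-ncursesw`.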
diff --git a/gnu/packages/openstack.scm b/gnu/packages/openstack.scm
index fc865d36e0..43a6490b22 100644
--- a/gnu/packages/openstack.scm
+++ b/gnu/packages/openstack.scm
@@ -206,14 +206,14 @@ tested on Python version 3.2, 2.7 and 2.6.")
 (define-public python-os-testr
   (package
     (name "python-os-testr")
-    (version "0.5.0")
+    (version "0.8.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "os-testr" version))
        (sha256
         (base32
-         "0bv03wnmvxhyi8y08hjh9clxrwqc2251529v4kh5khvca0fsbqdp"))))
+         "0mknd9hlmxmihr755gjkxyjp180380jajq5i3zm34q7y7bi62lss"))))
     (build-system python-build-system)
     (arguments
      ;; os-testr uses itself to run the tests. It seems like pbr writes the
@@ -227,7 +227,7 @@ tested on Python version 3.2, 2.7 and 2.6.")
     (inputs
       `(("python-babel" ,python-babel)
         ("python-setuptools" ,python-setuptools)))
-    (home-page "http://www.openstack.org/")
+    (home-page "https://www.openstack.org/")
     (synopsis "Testr wrapper to provide functionality for OpenStack projects")
     (description
       "Os-testr provides developers with a testr wrapper and an output filter
@@ -320,14 +320,14 @@ extensions.")
 (define-public python-tempest-lib
   (package
     (name "python-tempest-lib")
-    (version "0.12.0")
+    (version "1.0.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "tempest-lib" version))
       (sha256
        (base32
-        "0f15wxk394cb2kw34krpxq8mvy1rxw0lnl5wfiv14cq1s1fm9cjd"))))
+        "1cpp2vwmawpd29hjsklsps181lq2ah91cl412qvpnz228nf9sqn5"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -352,7 +352,7 @@ extensions.")
         ("python-os-testr" ,python-os-testr)
         ("python-oslotest" ,python-oslotest)
         ("python-setuptools" ,python-setuptools)))
-    (home-page "http://www.openstack.org/")
+    (home-page "https://www.openstack.org/")
     (synopsis "OpenStack functional testing library")
     (description
       "Tempest-lib is a functional testing library for OpenStack.  It provides
diff --git a/gnu/packages/owncloud.scm b/gnu/packages/owncloud.scm
index f755df4f0b..6b40bd3ada 100644
--- a/gnu/packages/owncloud.scm
+++ b/gnu/packages/owncloud.scm
@@ -21,27 +21,26 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix download)
   #:use-module (guix packages)
+  #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
-  #:use-module (gnu packages python)
   #:use-module (gnu packages qt)
-  #:use-module (gnu packages ruby)
   #:use-module (gnu packages tls))
 
 (define-public owncloud-client
   (package
     (name "owncloud-client")
-    (version "2.2.2")
+    (version "2.2.4")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "https://download.owncloud.com/desktop/stable/"
                            "owncloudclient-" version ".tar.xz"))
        (sha256
-        (base32 "0m0pxv12w72qqgxim9fh8w3bgkgnhpjyay8ldll3nnzq1jmhk09n"))
+        (base32 "1lz7v5sscj5489panz5ng372g9l66ng0srx6xaz8drnsgi7m64zk"))
        (modules '((guix build utils)))
        (snippet
         '(begin
@@ -71,16 +70,29 @@
                            "src/crashreporter/CMakeLists.txt"
                            "src/gui/CMakeLists.txt")
               ;; This has the same issue as the substitution above.
-              (("\\/\\$\\{APPLICATION_EXECUTABLE\\}\\\"") "\"")))))))
-    (native-inputs `(("pkg-config" ,pkg-config)))
+              (("\\/\\$\\{APPLICATION_EXECUTABLE\\}\\\"") "\""))
+            #t))
+         (add-after 'unpack 'delete-failing-tests
+           ;; These tests fail for no apparent reason
+           (lambda _
+             (substitute* "test/CMakeLists.txt"
+                          (("owncloud_add_test\\(FileSystem \"\"\\)" test)
+                           (string-append "#" test))
+                          (("owncloud_add_test\\(Utility \"\"\\)" test)
+                           (string-append "#" test)))
+             #t)))
+       #:configure-flags '("-DUNIT_TESTING=ON")))
+    (native-inputs
+     `(("cmocka" ,cmocka)
+       ("perl" ,perl)
+       ("pkg-config" ,pkg-config)
+       ("qtlinguist" ,qttools)))
     (inputs
      `(("inotify-tools" ,inotify-tools)
        ("openssl" ,openssl)
-       ("perl" ,perl)
-       ("python-wrapper" ,python-wrapper)
-       ("qt" ,qt)
+       ("qtbase" ,qtbase)
        ("qtkeychain" ,qtkeychain)
-       ("ruby" ,ruby)
+       ("qtwebkit" ,qtwebkit)
        ("sqlite" ,sqlite)
        ("zlib" ,zlib)))
     (home-page "https://owncloud.org")
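Review bot: The `delete-failing-tests` phase comments out the `FileSystem` and `Utility` tests with only `;; These tests fail for no apparent reason`, which leaves nothing to check when someone later wants to re-enable them. For a sync client, the file-system tests are the part of the suite most worth keeping, so the reason for disabling them should be recorded. I would replace the comment with the observed failure and a tracking reference, e.g. `;; FIXME: FileSystem and Utility fail in the build container with <error>; see <bug URL>.` The package definition begins outside this hunk.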
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 9b3a4d3981..b917ee7246 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -222,9 +222,9 @@ the Nix package manager.")
   ;;
   ;; Note: use a very short commit id; with a longer one, the limit on
   ;; hash-bang lines would be exceeded while running the tests.
-  (let ((commit "4420940f20a2f36f29519f686bca7b85be6be5c9"))
+  (let ((commit "166ba5b10207f44360e218d9e3f00772d09bc7cd"))
     (package (inherit guix-0.11.0)
-      (version (string-append "0.11.0-1." (string-take commit 4)))
+      (version (string-append "0.11.0-2." (string-take commit 4)))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -234,7 +234,7 @@ the Nix package manager.")
                       (commit commit)))
                 (sha256
                  (base32
-                  "1c1rqsfc4vrclkk03aj1m8r1lzk9pfa61ax9hhhj5nw23bilsixc"))
+                  "144ld5l2gnjcw819cz8mninfwhxr0ijv3wac3j3xf0pzqhxfi29c"))
                 (file-name (string-append "guix-" version "-checkout"))))
       (arguments
        (substitute-keyword-arguments (package-arguments guix-0.11.0)
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 30b538d630..55c14762e9 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -71,7 +71,7 @@ human.")
 (define-public keepassx
   (package
     (name "keepassx")
-    (version "2.0.2")
+    (version "2.0.3")
     (source
      (origin
        (method url-fetch)
@@ -79,10 +79,11 @@ human.")
                            "/keepassx-" version ".tar.gz"))
        (sha256
         (base32
-         "1f1nlbd669rmpzr52d9dgfgclg4jcaq2jkrby3b8q1vjkksdqjr0"))))
+         "1ia7cqx9ias38mnffsl7da7g1f66bcbjsi23k49sln0c6spb9zr3"))))
     (build-system cmake-build-system)
     (inputs
      `(("libgcrypt" ,libgcrypt)
+       ("libxi" ,libxi)
        ("libxtst" ,libxtst)
        ("qt" ,qt-4)))
     (native-inputs
diff --git a/gnu/packages/patches/gcc-strmov-store-file-names.patch b/gnu/packages/patches/gcc-strmov-store-file-names.patch
new file mode 100644
index 0000000000..7951b87616
--- /dev/null
+++ b/gnu/packages/patches/gcc-strmov-store-file-names.patch
@@ -0,0 +1,66 @@
+Make sure that statements such as:
+
+  strcpy (dst, "/gnu/store/…");
+
+do not result in chunked /gnu/store strings that are undetectable by
+Guix's GC and its grafting code.  See <http://bugs.gnu.org/24703>.
+
+--- gcc-5.3.0/gcc/builtins.c	2016-10-18 10:50:46.080616285 +0200
++++ gcc-5.3.0/gcc/builtins.c	2016-11-09 15:26:43.693042737 +0100
+@@ -3192,6 +3192,42 @@ determine_block_size (tree len, rtx len_
+ 			  GET_MODE_MASK (GET_MODE (len_rtx)));
+ }
+ 
++/* Return true if STR contains the string "/gnu/store".  */
++
++static bool
++store_reference_p (tree str)
++{
++  if (TREE_CODE (str) == ADDR_EXPR)
++    str = TREE_OPERAND (str, 0);
++
++  if (TREE_CODE (str) != STRING_CST)
++    return false;
++
++  int len;
++  const char *store;
++
++  store = getenv ("NIX_STORE") ? getenv ("NIX_STORE") : "/gnu/store";
++  len = strlen (store);
++
++  /* Size of the hash part of store file names, including leading slash and
++     trailing hyphen.  */
++  const int hash_len = 34;
++
++  if (TREE_STRING_LENGTH (str) < len + hash_len)
++    return false;
++
++  /* We cannot use 'strstr' because 'TREE_STRING_POINTER' returns a string
++     that is not necessarily NUL-terminated.  */
++
++  for (int i = 0; i < TREE_STRING_LENGTH (str) - (len + hash_len); i++)
++    {
++      if (strncmp (TREE_STRING_POINTER (str) + i, store, len) == 0)
++	return true;
++    }
++
++  return false;
++}
++
+ /* Helper function to do the actual work for expand_builtin_memcpy.  */
+ 
+ static rtx
+@@ -3207,6 +3243,13 @@ expand_builtin_memcpy_args (tree dest, t
+   unsigned HOST_WIDE_INT max_size;
+   unsigned HOST_WIDE_INT probable_max_size;
+ 
++  /* Do not emit block moves, which translate to the 'movabs' instruction on
++     x86_64, when SRC refers to store items.  That way, store references
++     remain visible to the Guix GC and grafting code.  See
++     <http://bugs.gnu.org/24703>.  */
++  if (store_reference_p (src))
++    return NULL_RTX;
++
+   /* If DEST is not a pointer type, call the normal function.  */
+   if (dest_align == 0)
+     return NULL_RTX;
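Review bot: In `store_reference_p` the length guard and the loop bound disagree. A constant whose `TREE_STRING_LENGTH` equals exactly `len + hash_len` passes the `<` guard, but the loop condition `i < TREE_STRING_LENGTH (str) - (len + hash_len)` then runs zero times, so offset 0 is never compared. More generally, the last valid start offset is never checked. Using `i <= TREE_STRING_LENGTH (str) - (len + hash_len)` still keeps each `strncmp` of `len` bytes inside the constant. In practice the counted terminating NUL of ordinary literals probably hides the case, but that is an assumption and non-terminated constants are exactly what the comment above the loop anticipates. The header comment could also state what is actually tested: `/* Return true if STR is a string constant containing the store prefix (NIX_STORE or "/gnu/store") with room for a hash part.  */`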
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9273.patch b/gnu/packages/patches/libtiff-CVE-2016-9273.patch
new file mode 100644
index 0000000000..9cd6b3d8c5
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-9273.patch
@@ -0,0 +1,41 @@
+Fix CVE-2016-9273:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
+http://bugzilla.maptools.org/show_bug.cgi?id=2587
+
+Patch extracted from upstream CVS repo:
+
+2016-11-10 Even Rouault <even.rouault at spatialys.com>
+
+revision 1.37
+date: 2016-11-09 18:00:49 -0500;  author: erouault;  state: Exp;  lines: +10 -1;  commitid: pzKipPxDJO2dxvtz;
+* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
+value when it is non-zero, instead of recomputing it. This is needed in
+TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
+array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
+
+Index: libtiff/tif_strip.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
+retrieving revision 1.36
+retrieving revision 1.37
+diff -u -r1.36 -r1.37
+--- a/libtiff/tif_strip.c	7 Jun 2015 22:35:40 -0000	1.36
++++ b/libtiff/tif_strip.c	9 Nov 2016 23:00:49 -0000	1.37
+@@ -63,6 +63,15 @@
+ 	TIFFDirectory *td = &tif->tif_dir;
+ 	uint32 nstrips;
+ 
++    /* If the value was already computed and store in td_nstrips, then return it,
++       since ChopUpSingleUncompressedStrip might have altered and resized the
++       since the td_stripbytecount and td_stripoffset arrays to the new value
++       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
++       tif_dirread.c ~line 3612.
++       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
++    if( td->td_nstrips )
++        return td->td_nstrips;
++
+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
new file mode 100644
index 0000000000..a7537c66ca
--- /dev/null
+++ b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-4738:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
+https://bugs.chromium.org/p/chromium/issues/detail?id=619006
+
+Patch copied from upstream source repository:
+https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
+
+From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jun 2016 14:23:58 +0200
+Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
+
+An empty decimal-separator could cause a heap overread. This can be
+exploited to leak a couple of bytes after the buffer that holds the
+pattern string.
+
+Found with afl-fuzz and ASan.
+---
+ libxslt/numbers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index d1549b4..e78c46b 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
+     }
+ 
+     /* We have finished the integer part, now work on fraction */
+-    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
++    if ( (*the_format != 0) &&
++         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
+         format_info.add_decimal = TRUE;
+ 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
+     }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch
new file mode 100644
index 0000000000..4bbb4411c0
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7504.patch
@@ -0,0 +1,99 @@
+Fix CVE-2016-7504:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
+http://bugs.ghostscript.com/show_bug.cgi?id=697142
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
+
+From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 16:01:08 +0200
+Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
+
+Make sure to make a copy of the source pattern string.
+A case we missed when adding short and memory strings to the runtime.
+The code assumed all strings passed to it were either literal or interned.
+---
+ jsgc.c     | 4 +++-
+ jsi.h      | 1 +
+ jsregexp.c | 2 +-
+ jsrun.c    | 8 ++++++++
+ jsvalue.h  | 2 +-
+ 5 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/jsgc.c b/jsgc.c
+index 9bd6482..4f7e7dc 100644
+--- a/thirdparty/mujs/jsgc.c
++++ b/thirdparty/mujs/jsgc.c
+@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
+ {
+ 	if (obj->head)
+ 		jsG_freeproperty(J, obj->head);
+-	if (obj->type == JS_CREGEXP)
++	if (obj->type == JS_CREGEXP) {
++		js_free(J, obj->u.r.source);
+ 		js_regfree(obj->u.r.prog);
++	}
+ 	if (obj->type == JS_CITERATOR)
+ 		jsG_freeiterator(J, obj->u.iter.head);
+ 	if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
+diff --git a/jsi.h b/jsi.h
+index 7d9f7c7..e855045 100644
+--- a/thirdparty/mujs/jsi.h
++++ b/thirdparty/mujs/jsi.h
+@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
+ 
+ /* String interning */
+ 
++char *js_strdup(js_State *J, const char *s);
+ const char *js_intern(js_State *J, const char *s);
+ void jsS_dumpstrings(js_State *J);
+ void jsS_freestrings(js_State *J);
+diff --git a/jsregexp.c b/jsregexp.c
+index 2a056b7..a2d5156 100644
+--- a/thirdparty/mujs/jsregexp.c
++++ b/thirdparty/mujs/jsregexp.c
+@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
+ 		js_syntaxerror(J, "regular expression: %s", error);
+ 
+ 	obj->u.r.prog = prog;
+-	obj->u.r.source = pattern;
++	obj->u.r.source = js_strdup(J, pattern);
+ 	obj->u.r.flags = flags;
+ 	obj->u.r.last = 0;
+ 	js_pushobject(J, obj);
+diff --git a/jsrun.c b/jsrun.c
+index 2648c4c..ee80845 100644
+--- a/thirdparty/mujs/jsrun.c
++++ b/thirdparty/mujs/jsrun.c
+@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
+ 	return ptr;
+ }
+ 
++char *js_strdup(js_State *J, const char *s)
++{
++	int n = strlen(s) + 1;
++	char *p = js_malloc(J, n);
++	memcpy(p, s, n);
++	return p;
++}
++
+ void js_free(js_State *J, void *ptr)
+ {
+ 	J->alloc(J->actx, ptr, 0);
+diff --git a/jsvalue.h b/jsvalue.h
+index 6cfbd89..8fb5016 100644
+--- a/thirdparty/mujs/jsvalue.h
++++ b/thirdparty/mujs/jsvalue.h
+@@ -71,7 +71,7 @@ struct js_String
+ struct js_Regexp
+ {
+ 	void *prog;
+-	const char *source;
++	char *source;
+ 	unsigned short flags;
+ 	unsigned short last;
+ };
+-- 
+2.10.2
+
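Review bot: The header says "Patch copied from upstream source repository", but the embedded diff is not byte-identical to the cited mujs commit. Each `diff --git a/jsgc.c b/jsgc.c` line is followed by `--- a/thirdparty/mujs/jsgc.c`, so the paths were rewritten for the copy bundled with mupdf. The same applies to the mupdf-CVE-2016-7505, -7506 and -7563 patches below, and to the -7564 patch as far as it is visible. Anyone verifying these security patches against the upstream commit will see a mismatch. The header should say so, e.g. `Patch adapted from upstream source repository (file names changed to thirdparty/mujs/):`.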
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch
new file mode 100644
index 0000000000..15e4f374d6
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7505.patch
@@ -0,0 +1,32 @@
+Fix CVE-2016-7505:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
+http://bugs.ghostscript.com/show_bug.cgi?id=697140
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
+
+From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 15:21:04 +0200
+Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
+
+---
+ jsdtoa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jsdtoa.c b/jsdtoa.c
+index 2e52368..920c1a7 100644
+--- a/thirdparty/mujs/jsdtoa.c
++++ b/thirdparty/mujs/jsdtoa.c
+@@ -735,6 +735,7 @@ xx:
+ 		n -= c<<b;
+ 		*p++ = c + '0';
+ 		(*na)++;
++		if (*na >= Ndig) break; /* abort if overflowing */
+ 	}
+ 	*p = 0;
+ }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch
new file mode 100644
index 0000000000..733249acaa
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7506.patch
@@ -0,0 +1,42 @@
+Fix CVE-2016-7506:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
+http://bugs.ghostscript.com/show_bug.cgi?id=697141
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
+
+From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 21 Sep 2016 16:02:11 +0200
+Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
+
+A '$' escape at the end of the string would read past the zero terminator
+when looking for the escaped character.
+---
+ jsstring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/jsstring.c b/jsstring.c
+index 66f6a89..0209a8e 100644
+--- a/thirdparty/mujs/jsstring.c
++++ b/thirdparty/mujs/jsstring.c
+@@ -421,6 +421,7 @@ loop:
+ 		while (*r) {
+ 			if (*r == '$') {
+ 				switch (*(++r)) {
++				case 0: --r; /* end of string; back up and fall through */
+ 				case '$': js_putc(J, &sb, '$'); break;
+ 				case '`': js_putm(J, &sb, source, s); break;
+ 				case '\'': js_puts(J, &sb, s + n); break;
+@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
+ 		while (*r) {
+ 			if (*r == '$') {
+ 				switch (*(++r)) {
++				case 0: --r; /* end of string; back up and fall through */
+ 				case '$': js_putc(J, &sb, '$'); break;
+ 				case '&': js_putm(J, &sb, s, s + n); break;
+ 				case '`': js_putm(J, &sb, source, s); break;
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch
new file mode 100644
index 0000000000..288c9ab2df
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7563.patch
@@ -0,0 +1,37 @@
+Fix CVE-2016-7563:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
+http://bugs.ghostscript.com/show_bug.cgi?id=697136
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
+
+From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 20 Sep 2016 17:11:32 +0200
+Subject: [PATCH] Fix bug 697136.
+
+We were unconditionally reading the next character if we encountered
+a '*' in a multi-line comment; possibly reading past the end of
+the input.
+---
+ jslex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jslex.c b/jslex.c
+index 7b80800..cbd0eeb 100644
+--- a/thirdparty/mujs/jslex.c
++++ b/thirdparty/mujs/jslex.c
+@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
+ 			if (jsY_accept(J, '/'))
+ 				return 0;
+ 		}
+-		jsY_next(J);
++		else
++			jsY_next(J);
+ 	}
+ 	return -1;
+ }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch
new file mode 100644
index 0000000000..c2ce33d1df
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-7564.patch
@@ -0,0 +1,34 @@
+Fix CVE-2016-7564:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
+http://bugs.ghostscript.com/show_bug.cgi?id=697137
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
+
+From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 20 Sep 2016 17:19:06 +0200
+Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
+
+We were not allocating space for the terminating zero byte.
+---
+ jsfunction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jsfunction.c b/jsfunction.c
+index 8b5b18e..28f7aa7 100644
+--- a/thirdparty/mujs/jsfunction.c
++++ b/thirdparty/mujs/jsfunction.c
+@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
+ 		n += strlen(F->name);
+ 		for (i = 0; i < F->numparams; ++i)
+ 			n += strlen(F->vartab[i]) + 1;
+-		s = js_malloc(J, n);
++		s = js_malloc(J, n + 1);
+ 		strcpy(s, "function ");
+ 		strcat(s, F->name);
+ 		strcat(s, "(");
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch
new file mode 100644
index 0000000000..1e2b7c3258
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-9017.patch
@@ -0,0 +1,46 @@
+Fix CVE-2016-9017:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
+http://bugs.ghostscript.com/show_bug.cgi?id=697171
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
+
+From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Tue, 25 Oct 2016 14:08:27 +0200
+Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
+
+---
+ jscompile.h | 2 +-
+ jsdump.c    | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jscompile.h b/jscompile.h
+index 802cc9e..3054d13 100644
+--- a/thirdparty/mujs/jscompile.h
++++ b/thirdparty/mujs/jscompile.h
+@@ -21,7 +21,7 @@ enum js_OpCode
+ 
+ 	OP_NEWARRAY,
+ 	OP_NEWOBJECT,
+-	OP_NEWREGEXP,
++	OP_NEWREGEXP,	/* -S,opts- <regexp> */
+ 
+ 	OP_UNDEF,
+ 	OP_NULL,
+diff --git a/jsdump.c b/jsdump.c
+index 1c51c29..37ad88c 100644
+--- a/thirdparty/mujs/jsdump.c
++++ b/thirdparty/mujs/jsdump.c
+@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
+ 		case OP_INITVAR:
+ 		case OP_DEFVAR:
+ 		case OP_GETVAR:
++		case OP_HASVAR:
+ 		case OP_SETVAR:
+ 		case OP_DELVAR:
+ 		case OP_GETPROP_S:
+-- 
+2.10.2
+
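Review bot: The reference link in this patch header points at CVE-2016-9107, while the file name, the first line of the header and the entry added to pdf.scm all say CVE-2016-9017. The URL looks like a digit transposition and should presumably read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9017`. As it stands, anyone auditing which advisories the mupdf package covers is sent to an unrelated record.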
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch
new file mode 100644
index 0000000000..1f68839a52
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-9136.patch
@@ -0,0 +1,32 @@
+Fix CVE-2016-9136:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
+http://bugs.ghostscript.com/show_bug.cgi?id=697244
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
+From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Mon, 31 Oct 2016 13:05:37 +0100
+Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
+ input.
+
+---
+ jslex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/jslex.c b/jslex.c
+index cbd0eeb..aaafdac 100644
+--- a/thirdparty/mujs/jslex.c
++++ b/thirdparty/mujs/jslex.c
+@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
+ 		return 0;
+ 
+ 	switch (J->lexchar) {
++	case 0: jsY_error(J, "unterminated escape sequence");
+ 	case 'u':
+ 		jsY_next(J);
+ 		if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
+-- 
+2.10.2
+
diff --git a/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
new file mode 100644
index 0000000000..f592f5cd51
--- /dev/null
+++ b/gnu/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch
@@ -0,0 +1,17 @@
+The tests currently fail due to use of 'skip' rather than 'pending' to skip a
+test usually not skipped by upstream.  This patch has been proposed upstream
+at https://github.com/lsegal/yard/pull/1033
+
+diff --git a/spec/templates/helpers/html_helper_spec.rb b/spec/templates/helpers/html_helper_spec.rb
+index 84624c3..9c4fc2b 100644
+--- a/spec/templates/helpers/html_helper_spec.rb
++++ b/spec/templates/helpers/html_helper_spec.rb
+@@ -184,7 +184,7 @@ describe YARD::Templates::Helpers::HtmlHelper do
+     it "creates tables (markdown specific)" do
+       log.enter_level(Logger::FATAL) do
+         unless markup_class(:markdown).to_s == "RedcarpetCompat"
+-          skip "This test depends on a markdown engine that supports tables"
++          pending "This test depends on a markdown engine that supports tables"
+         end
+       end
+ 
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index bfb457fcb3..9c6e9a967e 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -491,7 +491,14 @@ extracting content or merging files.")
         (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
                                  "mupdf-CVE-2016-6265.patch"
                                  "mupdf-CVE-2016-6525.patch"
-                                 "mupdf-CVE-2016-8674.patch"))
+                                 "mupdf-CVE-2016-7504.patch"
+                                 "mupdf-CVE-2016-7505.patch"
+                                 "mupdf-CVE-2016-7506.patch"
+                                 "mupdf-CVE-2016-7563.patch"
+                                 "mupdf-CVE-2016-7564.patch"
+                                 "mupdf-CVE-2016-8674.patch"
+                                 "mupdf-CVE-2016-9017.patch"
+                                 "mupdf-CVE-2016-9136.patch"))
         (modules '((guix build utils)))
         (snippet
             ;; Delete all the bundled libraries except for mujs, which is
@@ -778,3 +785,106 @@ the framebuffer.")
     (description "@command{pdf2svg} is a simple command-line PDF to SVG
 converter using the Poppler and Cairo libraries.")
     (license license:gpl2+)))
+
+(define-public python-pypdf2
+  (package
+    (name "python-pypdf2")
+    (version "1.26.0")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "PyPDF2" version))
+              (sha256
+               (base32
+                "11a3aqljg4sawjijkvzhs3irpw0y67zivqpbjpm065ha5wpr13z2"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after
+          'unpack 'patch-test-suite
+          (lambda _
+            ;; The text-file needs to be opened in binary mode for Python 3,
+            ;; so patch in the "b"
+            (substitute* "Tests/tests.py"
+              (("pdftext_file = open\\(.* 'crazyones.txt'\\), 'r" line)
+               (string-append line "b")))
+            #t))
+         (replace 'check
+           (lambda _
+             (zero? (system* "python" "-m" "unittest" "Tests.tests")))))))
+    (home-page "http://mstamy2.github.com/PyPDF2")
+    (synopsis "Pure Python PDF toolkit")
+    (description "PyPDF2 is a pure Python PDF library capable of:
+
+@enumerate
+@item extracting document information (title, author, …)
+@item splitting documents page by page
+@item merging documents page by page
+@item cropping pages
+@item merging multiple pages into a single page
+@item encrypting and decrypting PDF files
+@end enumerate
+
+By being pure Python, it should run on any Python platform without any
+dependencies on external libraries.  It can also work entirely on
+@code{StringIO} objects rather than file streams, allowing for PDF
+manipulation in memory.  It is therefore a useful tool for websites that
+manage or manipulate PDFs.")
+    (license license:bsd-3)))
+
+(define-public python2-pypdf2
+  (package-with-python2 python-pypdf2))
+
+(define-public python2-pypdf
+  (package
+    (name "python2-pypdf")
+    (version "1.13")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "pyPdf" version))
+              (sha256
+               (base32
+                "0fqfvamir7k41w84c73rghzkiv891gdr17q5iz4hgbf6r71y9v9s"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f  ; no tests
+       #:python ,python-2))
+    (home-page "http://pybrary.net/pyPdf/")
+    (synopsis "Pure Python PDF toolkit")
+    (description "PyPDF2 is a pure Python PDF toolkit.
+
+Note: This module isn't maintained anymore.  For new projects please use
+python-pypdf2 instead.")
+    (license license:bsd-3)))
+
+(define-public pdfposter
+  (package
+    (name "pdfposter")
+    (version "0.6.0")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "pdftools.pdfposter" version ".tar.bz2"))
+              (sha256
+               (base32
+                "1i9jqawf279va089ykicglcq4zlsnwgcnsdzaa8vnm836lqhywma"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f  ; no test suite, only for visual control
+       #:python ,python-2))
+    (inputs
+     ;; pdfposter 0.6.0 still uses the old pyPdf
+     `(("python2-pypdf" ,python2-pypdf)))
+    (native-inputs
+     `(("python2-setuptools" ,python2-setuptools)))
+    (home-page "https://pythonhosted.org/pdftools.pdfposter/")
+    (synopsis "Scale and tile PDF images/pages to print on multiple pages")
+    (description "@command{pdfposter} can be used to create a large poster by
+building it from multple pages and/or printing it on large media.  It expects
+as input a PDF file, normally printing on a single page.  The output is again
+a PDF file, maybe containing multiple pages together building the poster.  The
+input page will be scaled to obtain the desired size.
+
+This is much like @command{poster} does for Postscript files, but working with
+PDF.  Since sometimes @command{poster} does not like your files converted from
+PDF.  Indeed @command{pdfposter} was inspired by @command{poster}.")
+    (license license:gpl3+)))
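Review bot: The description of python2-pypdf opens with "PyPDF2 is a pure Python PDF toolkit", but this definition packages the older pyPdf 1.13, so the text should start `(description "pyPdf is a pure Python PDF toolkit.`. The synopsis is also identical to that of python-pypdf2, so the two are indistinguishable in search output. Since the description states the module is unmaintained, and pdfposter takes it as an input to read PDF files, putting that in the synopsis would make the status visible, e.g. `(synopsis "Pure Python PDF toolkit (unmaintained predecessor of PyPDF2)")`. In the pdfposter description, "multple" should be "multiple".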
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 7beca849c8..a044a32b32 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -3506,6 +3506,31 @@ just write a method to handle handles, and methods for handling strings and
 file names are added for you.")
     (license (package-license perl))))
 
+(define-public perl-modern-perl
+  (package
+    (name "perl-modern-perl")
+    (version "1.20150127")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "mirror://cpan/authors/id/C/CH/CHROMATIC/Modern-Perl-"
+             version
+             ".tar.gz"))
+       (sha256
+        (base32
+         "0iv2crfxl3xh6mq36g1gv9fr8iqq3kpbj8afxy5qi60hh7v3xhcl"))))
+    (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
+    (home-page
+     "http://search.cpan.org/dist/Modern-Perl")
+    (synopsis
+     "Enable all of the features of Modern Perl with one import")
+    (description "@code{Modern::Perl} provides a simple way to enable
+multiple, by now, standard libraries in a Perl program.")
+    (license (package-license perl))))
+
 (define-public perl-module-build-tiny
   (package
     (name "perl-module-build-tiny")
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index eb08a451b8..23934196db 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -2521,9 +2521,8 @@ version numbers.")
               (base32
                "0hddbqjm4jq63y8jf44nswina1crjs16l9snb6m3vvgyg31klrrn"))))
     (build-system python-build-system)
-    (inputs
-     `(("python-setuptools" ,python-setuptools)
-       ("python-vcversioner" ,python-vcversioner)))
+    (native-inputs
+     `(("python-vcversioner" ,python-vcversioner)))
     (home-page "http://github.com/Julian/jsonschema")
     (synopsis "Implementation of JSON Schema for Python")
     (description
@@ -2535,9 +2534,11 @@ version numbers.")
   (let ((jsonschema (package-with-python2
                      (strip-python2-variant python-jsonschema))))
     (package (inherit jsonschema)
-      (inputs
-       `(("python2-functools32" ,python2-functools32)
-         ,@(package-inputs jsonschema))))))
+             (native-inputs
+              `(("python2-setuptools" ,python2-setuptools)
+                ,@(package-native-inputs jsonschema)))
+             (propagated-inputs
+              `(("python2-functools32" ,python2-functools32))))))
 
 (define-public python-unidecode
   (package
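Review bot: The new `propagated-inputs` field of python2-jsonschema replaces the inherited list instead of extending it, unlike `native-inputs` just above it, which splices in `,@(package-native-inputs jsonschema)`. If python-jsonschema has or later gains propagated inputs (its full definition is outside this hunk), the Python 2 variant would silently lose them. Adding `,@(package-propagated-inputs jsonschema)` after the functools32 entry keeps the two in step. The fields are also now aligned under `(inherit jsonschema)`, whereas the removed lines were indented two columns from `(package`.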
@@ -4078,7 +4079,19 @@ both of which are installed automatically if you install this library.")
     (synopsis "Various utility functions for SQLAlchemy")
     (description
      "SQLAlchemy-utils provides various utility functions and custom data types
-for SQLAlchemy.  SQLAlchemy is an SQL database abstraction library for Python.")
+for SQLAlchemy.  SQLAlchemy is an SQL database abstraction library for Python.
+
+You might also want to install the following optional dependencies:
+@enumerate
+@item @code{python-passlib}
+@item @code{python-babel}
+@item @code{python-cryptography}
+@item @code{python-pytz}
+@item @code{python-psycopg2}
+@item @code{python-furl}
+@item @code{python-flask-babel}
+@end enumerate
+")
     (properties `((python2-variant . ,(delay python2-sqlalchemy-utils))))
     (license license:bsd-3)))
 
@@ -4190,14 +4203,14 @@ services for your Python modules and applications.")
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "3.3.1")
+    (version "3.3.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pillow" version))
        (sha256
         (base32
-         "1w9x3dfrg8b5lqhpjl0fczfyf9842wbqwgxbjjq4vfpxv5jwm49l"))))
+         "0xkv0p1d73gz0a1qaasf0ai4262g8f334j07vd60bjrxs2wr3nmj"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-setuptools" ,python-setuptools)
@@ -6583,14 +6596,14 @@ responses, rather than doing any computation.")
 (define-public python-cryptography-vectors
   (package
     (name "python-cryptography-vectors")
-    (version "1.3.4")
+    (version "1.5.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "cryptography_vectors" version))
        (sha256
         (base32
-         "15h1iz2klnpb4f8djxy7cpbnyn3wbjp7bnj4pz6s7w6plghbq524"))))
+         "1bnd1bricyhxa27rhr0ljk0kacxzvysd3ar2j2hlv13a2k6zw4z5"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-setuptools" ,python-setuptools)))
@@ -6607,14 +6620,14 @@ responses, rather than doing any computation.")
 (define-public python-cryptography
   (package
     (name "python-cryptography")
-    (version "1.3.4")
+    (version "1.5.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "cryptography" version))
        (sha256
         (base32
-         "1a85l548w5vvq3yhz0az7ajg2ijixzp6gagapw6wgrqvq28ghgs2"))))
+         "1raanvkdfw5ai56ymlij6ghc4k126fs7jx948ig7yn4vj6ndv0ng"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -6645,7 +6658,8 @@ responses, rather than doing any computation.")
        ("python-pretend" ,python-pretend)
        ("python-pyasn1" ,python-pyasn1)
        ("python-pyasn1-modules" ,python-pyasn1-modules)
-       ("python-pytest" ,python-pytest)))
+       ("python-pytz" ,python-pytz)
+       ("python-pytest" ,python-pytest-2.9.2)))
     (home-page "https://github.com/pyca/cryptography")
     (synopsis "Cryptographic recipes and primitives for Python")
     (description
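Review bot: The `"python-pytest"` label is now bound to `python-pytest-2.9.2` with no comment saying why this particular release is needed, so a later maintainer cannot tell when the pin can be dropped. A one-line comment above the entry would do, e.g. `;; Pinned to pytest 2.9.2: <reason the test suite needs this release>`. The native-inputs list begins outside this hunk.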
@@ -12303,3 +12317,84 @@ asynchronous messaging environments.")
 
 (define-public python2-axolotl
   (package-with-python2 python-axolotl))
+
+(define-public python-termstyle
+  (package
+    (name "python-termstyle")
+    (version "0.1.11")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (pypi-uri "termstyle" version))
+        (sha256
+          (base32
+            "17wzkkcqy5zc0g68xlad3kcv66iw14d2pwqc0h9420gak0vbhx7g"))))
+    (build-system python-build-system)
+    (home-page "http://github.com/gfxmonk/termstyle")
+    (synopsis "Console text coloring for Python")
+    (description "This package provides console text coloring for Python.")
+    (license license:bsd-3)))
+
+(define-public python-rednose
+  (package
+    (name "python-rednose")
+    (version "1.2.1")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (pypi-uri "rednose" version))
+        (sha256
+          (base32
+            "0b0bsna217lr1nykyhl5fgjly15zhdvqd4prg4wy1zrgfv7al6m0"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-deps
+           (lambda _
+             ;; See <https://github.com/JBKahn/rednose/issues/12>
+             (substitute* "setup.py"
+               (("python-termstyle") "termstyle"))
+             #t)))))
+    (propagated-inputs
+     `(("python-colorama" ,python-colorama)
+       ("python-termstyle" ,python-termstyle)))
+    (native-inputs
+     `(("python-six" ,python-six)
+       ("python-nose" ,python-nose)))
+    (home-page "https://github.com/JBKahn/rednose")
+    (synopsis "Colored output for Python nosetests")
+    (description "This package provides colored output for the
+@command{nosetests} command of the Python Nose unit test framework.")
+    (license license:bsd-3)))
+
+(define-public python-flask-restplus
+  (package
+    (name "python-flask-restplus")
+    (version "0.9.2")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (pypi-uri "flask-restplus" version))
+        (sha256
+          (base32
+            "11his6ii5brpkhld0d5bwzjjw4q3vmplpd6fmgzjrvvklsbk0cf4"))))
+    (build-system python-build-system)
+    (propagated-inputs
+      `(("python-aniso8601" ,python-aniso8601)
+        ("python-flask" ,python-flask)
+        ("python-jsonschema" ,python-jsonschema)
+        ("python-pytz" ,python-pytz)
+        ("python-six" ,python-six)))
+    (native-inputs
+     `(("python-tzlocal" ,python-tzlocal)
+       ("python-blinker" ,python-blinker)
+       ("python-nose" ,python-nose)
+       ("python-rednose" ,python-rednose)))
+    (home-page "https://github.com/noirbizarre/flask-restplus")
+    (synopsis "Framework for documented API development with Flask")
+    (description "This package provides a framework for API development with
+the Flask web framework in Python.  It is similar to package
+@code{python-flask-restful} but supports the @code{python-swagger}
+documentation builder.")
+    (license license:expat)))
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 8559b17492..b442356530 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -1171,3 +1171,117 @@ different kinds of sliders, and much more.")
     (license:non-copyleft "http://qwt.sourceforge.net/qwtlicense.html")
     ;; textengines/mathml/qwt_mml_document.{cpp,h} is dual LGPL2.1/GPL3 (either).
     license:lgpl2.1 license:gpl3))))
+
+(define-public qtwebkit
+  (package
+    (name "qtwebkit")
+    (version "5.7.0")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "http://download.qt.io/community_releases/"
+                            (version-major+minor version)
+                            "/" version "/qtwebkit-opensource-src-" version
+                            ".tar.xz"))
+        ;; Note: since Qt 5.6, Qt no longer officially supports qtwebkit:
+        ;; <http://lists.qt-project.org/pipermail/development/2016-May/025923.html>.
+        (sha256
+         (base32
+          "1prlpl3zslzpr1iv7m3irvxjxn3v8nlxh21v9k2kaq4fpwy2b8y7"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("perl" ,perl)
+       ("python" ,python-2.7)
+       ("ruby" ,ruby)
+       ("bison" ,bison)
+       ("flex" ,flex)
+       ("gperf" ,gperf)
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("icu" ,icu4c)
+       ("libjpeg" ,libjpeg)
+       ("libpng" ,libpng)
+       ("libwebp" ,libwebp)
+       ("sqlite" ,sqlite)
+       ("fontconfig" ,fontconfig)
+       ("libxrender", libxrender)
+       ("qtbase" ,qtbase)
+       ("qtdeclarative" ,qtdeclarative)
+       ("qtmultimedia" ,qtmultimedia)
+       ("libxml2" ,libxml2)
+       ("libxslt" ,libxslt)
+       ("libx11" ,libx11)
+       ("libxcomposite" ,libxcomposite)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+                  (lambda* (#:key outputs #:allow-other-keys)
+                    (let ((out (assoc-ref outputs "out")))
+                      (setenv "QMAKEPATH"
+                              (string-append (getcwd) "/Tools/qmake:"
+                                             (getenv "QMAKEPATH")))
+                      (system* "qmake"))))
+         ;; prevent webkit from trying to install into the qtbase store directory,
+         ;; and replace references to the build directory in linker options:
+         (add-before 'build 'patch-installpaths
+                     (lambda* (#:key outputs inputs #:allow-other-keys)
+                       (let* ((out (assoc-ref outputs "out"))
+                              (qtbase (assoc-ref inputs "qtbase"))
+                              (builddir (getcwd))
+                              (linkbuild (string-append "-L" builddir))
+                              (linkout (string-append "-L" out))
+                              (makefiles
+                               (map-in-order
+                                (lambda (i)
+                                  (let* ((in (car i))
+                                         (mf (string-append (dirname in) "/"
+                                                            (cdr i))))
+                                    ;; by default, these Makefiles are
+                                    ;; generated during install, but we need
+                                    ;; to generate them now
+                                    (system* "qmake" in "-o" mf)
+                                    mf))
+                                '(("Source/api.pri" . "Makefile.api")
+                                  ("Source/widgetsapi.pri"
+                                   . "Makefile.widgetsapi")
+                                  ("Source/WebKit2/WebProcess.pro"
+                                   . "Makefile.WebProcess")
+                                  ("Source/WebKit2/PluginProcess.pro"
+                                   . "Makefile.PluginProcess")
+                                  ("Source/WebKit/qt/declarative/public.pri"
+                                   . "Makefile.declarative.public")
+                                  ("Source/WebKit/qt/declarative/experimental/experimental.pri"
+                                   . "Makefile.declarative.experimental")
+                                  ("Source/WebKit/qt/examples/platformplugin/platformplugin.pro"
+                                   . "Makefile")))))
+                         ;; Order of qmake calls and substitutions matters here.
+                         (system* "qmake" "-prl" "Source/widgetsapi.pri"
+                                  "-o" "Source/Makefile")
+                         (substitute* (find-files "lib" "libQt5.*\\.prl")
+                           ((linkbuild) linkout))
+                         (substitute* (find-files "lib"
+                                                  "libQt5WebKit.*\\.la")
+                           (("libdir='.*'")
+                            (string-append "libdir='" out "/lib'"))
+                           ((linkbuild) linkout))
+                         (substitute* (find-files "lib/pkgconfig"
+                                                  "Qt5WebKit.*\\.pc")
+                           (((string-append "prefix=" qtbase))
+                            (string-append "prefix=" out))
+                           ((linkbuild) linkout))
+                         ;; Makefiles must be modified after .prl/.la/.pc
+                         ;; files, lest they get rebuilt:
+                         (substitute* makefiles
+                           (((string-append "\\$\\(INSTALL_ROOT\\)" qtbase))
+                            out )
+                           (((string-append "-Wl,-rpath," builddir))
+                            (string-append "-Wl,-rpath," out)))))))))
+    (home-page "https://www.webkit.org")
+    (synopsis "Web browser engine and classes to render and interact with web
+content")
+    (description "QtWebKit provides a Web browser engine that makes it easy to
+embed content from the World Wide Web into your Qt application.  At the same
+time Web content can be enhanced with native controls.")
+
+    (license license:lgpl2.1+)))
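Review bot: The replacement `configure` phase returns the raw result of `(system* "qmake")`. An exit status is an integer and every integer is true in Scheme, so a failing qmake does not stop the build; the phase should end with `(zero? (system* "qmake"))`, as the `check` phase of python-pypdf2 in this commit does. The qmake calls in `patch-installpaths` also discard their status, and that phase ends on a `substitute*` form rather than an explicit `#t`. In `configure` the `out` binding is unused, and `(getenv "QMAKEPATH")` returns `#f` when the variable is unset, which `string-append` will reject. Lastly, `("libxrender", libxrender)` has its comma on the wrong side of the space.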
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 60f1992281..42beda3d44 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -178,13 +178,13 @@ a focus on simplicity and productivity.")
 (define-public ruby-hoe
   (package
     (name "ruby-hoe")
-    (version "3.13.1")
+    (version "3.15.2")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "hoe" version))
               (sha256
                (base32
-                "1mac13krdrasn9819dd65xj27kklfy0xdbj3p6s2ij4vlcb46h8q"))) )
+                "1riyf9j9vp7dzgpw5xj9xx1vqkdmg6lr7qiprmn91hcdp81kaszp"))) )
     (build-system ruby-build-system)
     (synopsis "Ruby project management helper")
     (description
@@ -199,13 +199,13 @@ announcement.")
 (define-public ruby-rake-compiler
   (package
     (name "ruby-rake-compiler")
-    (version "0.9.5")
+    (version "1.0.1")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "rake-compiler" version))
               (sha256
                (base32
-                "1k8im2vzj849xdgjk6wafspkiwwapqwm738majchb4dnhnsk64cx"))))
+                "1lf91nf1fcnmsh54mxz06wyfmjkwh58vljr35zns5cwbg8fwmi20"))))
     (build-system ruby-build-system)
     (arguments
      '(#:tests? #f)) ; needs cucumber
@@ -262,13 +262,13 @@ an extensible architecture with a swappable backend.")
 (define-public ruby-rspec-core
   (package
     (name "ruby-rspec-core")
-    (version "3.5.1")
+    (version "3.5.4")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "rspec-core" version))
               (sha256
                (base32
-                "0brfq51fwkkh5g6vw7smky5fvip46pryi243jmin0nzn7iwh9j5g"))))
+                "1nacs062qbr98fx6czf1vwppn1js956nv2c8vfwj6i65axdfs46i"))))
     (build-system ruby-build-system)
     (arguments
      '(#:tests? #f)) ; avoid dependency cycles
@@ -423,13 +423,13 @@ expectations and mocks frameworks.")
 (define-public bundler
   (package
     (name "bundler")
-    (version "1.13.5")
+    (version "1.13.6")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "bundler" version))
               (sha256
                (base32
-                "0fxr7aq7qhlga423mygy7q96cwxmvqlcy676v2x5swlw8rlha2in"))))
+                "1xyhy9cn8w9passp64p6hb3df2fpiqbds6rj7xha1335xpgj5zgs"))))
     (build-system ruby-build-system)
     (arguments
      '(#:tests? #f)) ; avoid dependency cycles
@@ -710,16 +710,17 @@ interfaces.")
 (define-public ruby-lumberjack
   (package
     (name "ruby-lumberjack")
-    (version "1.0.9")
+    (version "1.0.10")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "lumberjack" version))
               (sha256
                (base32
-                "162frm2bwy58pj8ccsdqa4a6i0csrhb9h5l3inhkl1ivgfc8814l"))))
+                "0ily8j83q959w19zb7qm6m7y53sdj9afxj4x6mn2adl4i7vpdsv4"))))
     (build-system ruby-build-system)
     (native-inputs
-     `(("ruby-rspec" ,ruby-rspec)))
+     `(("ruby-rspec" ,ruby-rspec)
+       ("ruby-timecop" ,ruby-timecop)))
     (synopsis "Logging utility library for Ruby")
     (description "Lumberjack is a simple logging utility that can be a drop in
 replacement for Logger or ActiveSupport::BufferedLogger.  It provides support
@@ -1839,13 +1840,13 @@ net/http library.")
 (define-public ruby-arel
   (package
     (name "ruby-arel")
-    (version "7.1.1")
+    (version "7.1.4")
     (source (origin
               (method url-fetch)
               (uri (rubygems-uri "arel" version))
               (sha256
                (base32
-                "0d6kfsh7qf5gls0n1nrppxv89zyli27kw8nklpq2by3z7cxjcvjg"))))
+                "0l757dkkaxk5fq3368l79jpyzq9a9driricjamhiwhwvh0h7xcyx"))))
     (build-system ruby-build-system)
     (arguments '(#:tests? #f)) ; no tests
     (home-page "https://github.com/rails/arel")
@@ -2115,7 +2116,7 @@ aware transformations between times in different time zones.")
 (define-public ruby-tzinfo-data
   (package
     (name "ruby-tzinfo-data")
-    (version "1.2016.7")
+    (version "1.2016.9")
     (source
      (origin
        (method url-fetch)
@@ -2128,7 +2129,7 @@ aware transformations between times in different time zones.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0vh75hkfmqk4hdjv6nm7acw64izwpnv7slkmh2kj7qlfz133yh9l"))
+         "0i8vz2j7wmcpr4pd066qvlg4if5blscjrgxk2imavfa49nq5lp06"))
        ;; Remove the known test failure.
        ;; https://github.com/tzinfo/tzinfo-data/issues/10
        ;; https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1587128
@@ -3047,43 +3048,44 @@ features such as filtering and fine grained logging.")
     (license license:expat)))
 
 (define-public ruby-yard
-  (package
-    (name "ruby-yard")
-    (version "0.8.7.6")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (rubygems-uri "yard" version))
-       (sha256
-        (base32
-         "1dj6ibc0qqvmb5a5r5kk0vhr04mnrz9b26gnfrs5p8jgp620i89x"))))
-    (build-system ruby-build-system)
-    (arguments
-     `(#:test-target "specs"
-       #:phases
-       (modify-phases %standard-phases
-         (add-before 'check 'set-HOME-and-disable-failing-test
-           (lambda _
-             ;; $HOME needs to be set to somewhere writeable for tests to run
-             (setenv "HOME" "/tmp")
-             ;; Disable tests which fails on Ruby 2.3.  See
-             ;; https://github.com/lsegal/yard/issues/927
-             (substitute* "spec/parser/ruby/ruby_parser_spec.rb"
-               (("comment.type.should == :comment") "")
-               (("comment.docstring_hash_flag.should be_true") "")
-               (("comment.docstring.strip.should == .*") ""))
-             #t)))))
-    (native-inputs
-     `(("ruby-rspec" ,ruby-rspec-2)
-       ("ruby-rack" ,ruby-rack)))
-    (synopsis "Documentation generation tool for Ruby")
-    (description
-     "YARD is a documentation generation tool for the Ruby programming
+  ;; Use git reference because gem is >100 commits out of date and the tests
+  ;; do not pass with the released gem.
+  (let ((commit "d816482a0d4850506c3bcccc9434550c536c28c6"))
+    (package
+      (name "ruby-yard")
+      (version (string-append "0.9.5-1." (string-take commit 8)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/lsegal/yard.git")
+               (commit commit)))
+         (file-name (string-append name "-" version "-checkout"))
+         (sha256
+          (base32
+           "1j16c85x22if7y0fzi3c900p9wzkx2riq1y7vsj92a0zvwsxai4i"))
+         (patches (search-patches "ruby-yard-fix-skip-of-markdown-tests.patch"))))
+      (build-system ruby-build-system)
+      (arguments
+       `(#:test-target "spec"
+         #:phases
+         (modify-phases %standard-phases
+           (add-before 'check 'set-HOME-and-disable-failing-test
+             (lambda _
+               ;; $HOME needs to be set to somewhere writeable for tests to run
+               (setenv "HOME" "/tmp")
+               #t)))))
+      (native-inputs
+       `(("ruby-rspec" ,ruby-rspec-2)
+         ("ruby-rack" ,ruby-rack)))
+      (synopsis "Documentation generation tool for Ruby")
+      (description
+       "YARD is a documentation generation tool for the Ruby programming
 language.  It enables the user to generate consistent, usable documentation
 that can be exported to a number of formats very easily, and also supports
 extending for custom Ruby constructs such as custom class level definitions.")
-    (home-page "http://yardoc.org")
-    (license license:expat)))
+      (home-page "http://yardoc.org")
+      (license license:expat))))
 
 (define-public ruby-clap
   (package
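Review bot: The phase is still named `set-HOME-and-disable-failing-test`, but its new body only sets HOME; the `substitute*` that disabled the Ruby 2.3 failures has been removed. Renaming it to `'set-HOME` keeps the name in line with what the phase does. The opening comment explains the switch to a git checkout, but not what `ruby-yard-fix-skip-of-markdown-tests.patch` is for; a short comment next to `patches` would help whoever updates the commit later.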
@@ -3301,14 +3303,14 @@ neither too verbose nor too minimal.")
 (define-public ruby-sqlite3
   (package
     (name "ruby-sqlite3")
-    (version "1.3.11")
+    (version "1.3.12")
     (source
      (origin
        (method url-fetch)
        (uri (rubygems-uri "sqlite3" version))
        (sha256
         (base32
-         "19r06wglnm6479ffj9dl0fa4p5j2wi6dj7k6k3d0rbx7036cv3ny"))))
+         "0hld87rvwyy31xsxzhicv2lj3g3kmvmwfxj09kw13g6lacdjz4bx"))))
     (build-system ruby-build-system)
     (arguments
      `(#:phases
@@ -3333,14 +3335,14 @@ engine.")
 (define-public ruby-shoulda-context
   (package
     (name "ruby-shoulda-context")
-    (version "1.2.1")
+    (version "1.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (rubygems-uri "shoulda-context" version))
        (sha256
         (base32
-         "06wv2ika5zrbxn0m3qxwk0zkbspxids3zmlq3xxays5qmvl1qb55"))))
+         "1l0ncsxycb4s8n47dml97kdnixw4mizljbkwqc3rh05r70csq9bc"))))
     (build-system ruby-build-system)
     (arguments
      `(#:phases
@@ -3469,14 +3471,14 @@ support to both Ruby and JRuby.  It uses @code{unf_ext} on CRuby and
 (define-public ruby-domain-name
   (package
     (name "ruby-domain-name")
-    (version "0.5.20160826")
+    (version "0.5.20161021")
     (source
      (origin
        (method url-fetch)
        (uri (rubygems-uri "domain_name" version))
        (sha256
         (base32
-         "0rg7gvp45xmb5qz8ydp7ivw05hhplh6k7mbawrpvkysl2c77w5xx"))))
+         "1y5c96gzyh6z4nrnkisljqngfvljdba36dww657ka0x7khzvx7jl"))))
     (build-system ruby-build-system)
     (arguments
      `(#:phases
@@ -3509,14 +3511,14 @@ Suffix List.")
 (define-public ruby-http-cookie
   (package
     (name "ruby-http-cookie")
-    (version "1.0.2")
+    (version "1.0.3")
     (source
      (origin
        (method url-fetch)
        (uri (rubygems-uri "http-cookie" version))
        (sha256
         (base32
-         "0cz2fdkngs3jc5w32a6xcl511hy03a7zdiy988jk1sf3bf5v3hdw"))))
+         "004cgs4xg5n6byjs7qld0xhsjq3n6ydfh897myr2mibvh6fjc49g"))))
     (build-system ruby-build-system)
     (arguments
      `(#:phases
@@ -4043,14 +4045,14 @@ generation.")
 (define-public ruby-sequel
   (package
     (name "ruby-sequel")
-    (version "4.39.0")
+    (version "4.40.0")
     (source
      (origin
        (method url-fetch)
        (uri (rubygems-uri "sequel" version))
        (sha256
         (base32
-         "01zqd6mi9wvhbg76b91k35jppha0c944ar9f816gi400cf9817bg"))))
+         "0r39dv3yprai0cy7hslfxswjr4fg783xwxskmbih8ry24f18lbk0"))))
     (build-system ruby-build-system)
     (arguments
      '(#:tests? #f)) ; Avoid dependency loop with ruby-minitest-hooks.
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 9501f2235c..700a8957cc 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -2155,20 +2155,6 @@ encoder/decoder, round-off-error-free sum and cumsum, etc.")
             "1czvkaz1ji3jyj6qrvbswisqs9d05ljqc4vjkfdrf6hygix7azd0"))))
     (properties `((upstream-name . "rmarkdown")))
     (build-system r-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; See https://github.com/rstudio/rmarkdown/pull/800
-         ;; The resource files are in the store and have mode 444.  After
-         ;; copying the files R fails to remove them again because it doesn't
-         ;; have write access to them.
-         (add-after 'unpack 'copy-files-without-mode
-           (lambda _
-             (substitute* "R/render.R"
-               (("file.copy\\(from = from," prefix)
-                (string-append prefix
-                               " copy.mode = FALSE, ")))
-             #t)))))
     (propagated-inputs
      `(("r-catools" ,r-catools)
        ("r-evaluate" ,r-evaluate)
diff --git a/gnu/packages/syndication.scm b/gnu/packages/syndication.scm
new file mode 100644
index 0000000000..f4668de0c0
--- /dev/null
+++ b/gnu/packages/syndication.scm
@@ -0,0 +1,75 @@
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages syndication)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix download)
+  #:use-module (guix packages)
+  #:use-module (guix build-system gnu)
+  #:use-module (gnu packages curl)
+  #:use-module (gnu packages databases)
+  #:use-module (gnu packages gettext)
+  #:use-module (gnu packages ncurses)
+  #:use-module (gnu packages perl)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages ruby)
+  #:use-module (gnu packages xml)
+  #:use-module (gnu packages web))
+
+(define-public newsbeuter
+  (package
+    (name "newsbeuter")
+    (version "2.9")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
+                            version ".tar.gz"))
+        (sha256
+         (base32
+          "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda _
+             (substitute* "config.sh"
+               ;; try to remove this at the next release
+               (("ncursesw5") "ncursesw6"))
+             #t)))
+       #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
+       #:test-target "test"))
+    (native-inputs
+     `(("gettext" ,gnu-gettext)
+       ("perl" ,perl)
+       ("pkg-config" ,pkg-config)
+       ("ruby" ,ruby))) ; for tests
+    (inputs
+     `(("curl" ,curl)
+       ("json-c" ,json-c)
+       ("ncurses" ,ncurses)
+       ("stfl" ,stfl)
+       ("sqlite" ,sqlite)
+       ("libxml2" ,libxml2)))
+    (home-page "https://newsbeuter.org/")
+    (synopsis "Text mode rss feed reader with podcast support")
+    (description "Newsbeuter is an innovative RSS feed reader for the text
+console.  It supports OPML import/exports, HTML rendering, podcast (podbeuter),
+offline reading, searching and storing articles to your filesystem, and many
+more features.  Its user interface is coherent, easy to use, and might look
+common to users of @command{mutt} and @command{slrn}.")
+    (license (list license:gpl2+ ; filter/*
+                   license:x11))))
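Review bot: The header of this new file starts directly with the copyright line and lacks the `;;; GNU Guix --- Functional package management for GNU` and `;;; This file is part of GNU Guix.` lines that the other new files in this commit (gnu/packages/uml.scm, gnu/services/kerberos.scm) carry. In the `configure` replacement, the comment `;; try to remove this at the next release` does not say why the substitution exists; something like `;; config.sh looks for ncursesw5 but our ncurses provides ncursesw6` (to be confirmed against config.sh) would make the removal condition checkable. The synopsis should spell `RSS` in capitals, as the description does.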
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index c8114c2077..9186e4693a 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Federico Beffa <beffa@fbengineering.ch>
+;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -439,7 +440,9 @@ PDF documents.")
                                "texmaker.pro"))))))))
     (inputs
      `(("poppler-qt5" ,poppler-qt5)
-       ("qt" ,qt)
+       ("qtbase" ,qtbase)
+       ("qtscript" ,qtscript)
+       ("qtwebkit" ,qtwebkit)
        ("zlib" ,zlib)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/uml.scm b/gnu/packages/uml.scm
new file mode 100644
index 0000000000..8f6e1d8a5e
--- /dev/null
+++ b/gnu/packages/uml.scm
@@ -0,0 +1,91 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Theodoros Foradis <theodoros.for@openmailbox.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages uml)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module (guix utils)
+  #:use-module (guix build-system ant)
+  #:use-module (gnu packages graphviz)
+  #:use-module (gnu packages java))
+
+(define-public plantuml
+  (package
+    (name "plantuml")
+    (version "8048")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append
+                    "mirror://sourceforge/plantuml/plantuml-"
+                    version ".tar.gz"))
+              (sha256
+               (base32
+                "1vipxd6p7isb1k1qqh4hrpfcj27hx1nll2yp0rfwpvps1w2d936i"))))
+    (build-system ant-build-system)
+    (arguments
+     `(#:tests? #f ; no tests
+       #:build-target "dist"
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'delete-extra-from-classpath
+           (lambda _
+             (substitute* "build.xml"
+               (("1.6") "1.7")
+               (("<attribute name=\"Class-Path\"") "<!--")
+               (("j2v8_macosx_x86_64-3.1.7.jar\" />") "-->"))
+             #t))
+         (add-after 'delete-extra-from-classpath 'patch-usr-bin-dot
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((dot (string-append (assoc-ref inputs "graphviz")
+                                       "/bin/dot")))
+               (substitute*
+                   "src/net/sourceforge/plantuml/cucadiagram/dot/GraphvizLinux.java"
+                 (("/usr/bin/dot") dot)))
+             #t))
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (install-file "plantuml.jar" (string-append
+                                           (assoc-ref outputs "out")
+                                           "/share/java"))
+             #t))
+         (add-after 'install 'make-wrapper
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (wrapper (string-append out "/bin/plantuml")))
+               (mkdir-p (string-append out "/bin"))
+               (with-output-to-file wrapper
+                 (lambda _
+                   (display
+                    (string-append
+                     "#!/bin/sh\n\n"
+                     (assoc-ref inputs "jre") "/bin/java -jar "
+                     out "/share/java/plantuml.jar \"$@\"\n"))))
+               (chmod wrapper #o555))
+             #t)))))
+    (inputs
+     `(("graphviz" ,graphviz)
+       ("jre" ,icedtea)))
+    (home-page "http://plantuml.com/")
+    (synopsis "Draw UML diagrams from simple textual description")
+    (description
+     "Plantuml is a tool to generate sequence, usecase, class, activity,
+component, state, deployment and object UML diagrams, using a simple and
+human readable text description.  Contains @code{salt}, a tool that can design
+simple graphical interfaces.")
+    (license license:gpl3+)))
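Review bot: In the `delete-extra-from-classpath` phase the pattern `"1.6"` is a regular expression whose dot matches any character, and it is replaced wherever it occurs in build.xml, not only in the Java level it is presumably aimed at. Escaping the dot, `(("1\\.6") "1.7")`, and ideally anchoring on the attribute it belongs to, keeps the substitution from touching an unrelated string after an upstream update. The two substitutions that open and close an XML comment around the `Class-Path` attribute depend on the exact jar name `j2v8_macosx_x86_64-3.1.7.jar`; a one-line comment stating that they comment out the bundled-jar class path would make a silent mismatch easier to spot.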
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 1f7d60148c..e06a611164 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -313,7 +313,7 @@ everything from small to very large projects with speed and efficiency.")
 (define-public libgit2
   (package
     (name "libgit2")
-    (version "0.24.2")
+    (version "0.24.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/libgit2/libgit2/"
@@ -321,7 +321,7 @@ everything from small to very large projects with speed and efficiency.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1rkmfjiv5h80ycra42w9idbcrgj9rz581k5c06badys3650agw00"))))
+                "0m37b2jq8g70bmxlgrhbj4p23c893vxwmlmw1v5ywfxz3njyc90a"))))
     (build-system cmake-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/vim.scm b/gnu/packages/vim.scm
index 172d6105bb..b283e975d5 100644
--- a/gnu/packages/vim.scm
+++ b/gnu/packages/vim.scm
@@ -31,6 +31,7 @@
   #:use-module (gnu packages gawk)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages glib)
+  #:use-module (gnu packages groff)
   #:use-module (gnu packages gtk)
   #:use-module (gnu packages image)
   #:use-module (gnu packages linux)
@@ -48,7 +49,7 @@
 (define-public vim
   (package
     (name "vim")
-    (version "8.0.0069")
+    (version "8.0.0073")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://github.com/vim/vim/archive/v"
@@ -56,7 +57,7 @@
              (file-name (string-append name "-" version ".tar.gz"))
              (sha256
               (base32
-               "1xxg0m296jqcg7wxxw1zcr0i10j1a85aw6ainpql2h4jrqbwqvy9"))))
+               "1snbzgj89scjs0v3m86p53wvpal9jgs1s6i3hv7jyknpnjvqv5q5"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
@@ -147,3 +148,62 @@ configuration files.")
        ("ruby" ,ruby)
        ("tcl" ,tcl)
        ,@(package-inputs vim)))))
+
+(define-public vifm
+  (package
+    (name "vifm")
+    (version "0.8.2")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "mirror://sourceforge/vifm/vifm/vifm-"
+                            version ".tar.bz2"))
+        (sha256
+         (base32
+          "07r15kq7kjl3a41sd11ncpsii866xxps4f90zh3lv8jqcrv6silb"))))
+    (build-system gnu-build-system)
+    (arguments
+    '(#:phases
+      (modify-phases %standard-phases
+        (add-after 'patch-source-shebangs 'patch-test-shebangs
+          (lambda _
+            (substitute* (find-files "tests" "\\.c$")
+              (("/bin/sh") (which "sh")))
+            #t)))))
+    (native-inputs
+     `(("groff" ,groff) ; for the documentation
+       ("perl" ,perl)))
+    (inputs
+     `(("libx11" ,libx11)
+       ("ncurses" ,ncurses)))
+    (home-page "http://vifm.info/")
+    (synopsis "Flexible vi-like file manager using ncurses")
+    (description "Vifm is a file manager providing a @command{vi}-like usage
+experience.  It has similar keybindings and modes (e.g. normal, command line,
+visual).  The interface uses ncurses, thus vifm can be used in text-only
+environments.  It supports a wide range of features, some of which are known
+from the @command{vi}-editor:
+@enumerate
+@item utf8 support
+@item user mappings (almost like in @code{vi})
+@item ranges in command
+@item line commands
+@item user defined commands (with support for ranges)
+@item registers
+@item operation undoing/redoing
+@item fuse file systems support
+@item trash
+@item multiple files renaming
+@item support of filename modifiers
+@item colorschemes support
+@item file name color according to file type
+@item path specific colorscheme customization
+@item bookmarks
+@item operation backgrounding
+@item customizable file viewers
+@item handy @code{less}-like preview mode
+@item filtering out and searching for files using regular expressions
+@item one or two panes view
+@end enumerate
+With the package comes a plugin to use vifm as a vim file selector.")
+    (license license:gpl2+)))
diff --git a/gnu/packages/wordnet.scm b/gnu/packages/wordnet.scm
index 357c19351b..42076645c4 100644
--- a/gnu/packages/wordnet.scm
+++ b/gnu/packages/wordnet.scm
@@ -23,6 +23,7 @@
   #:use-module (guix licenses)
   #:use-module (guix download)
   #:use-module (gnu packages)
+  #:use-module (gnu packages gcc)
   #:use-module (gnu packages tcl))
 
 (define-public wordnet
@@ -51,22 +52,7 @@
 
                                ;; Provide the `result' field in `Tcl_Interp'.
                                ;; See <https://bugs.gentoo.org/show_bug.cgi?id=452034>.
-                               ;;
-                               ;; The 'DEFAULTPATH' string literal, which
-                               ;; contains the output path, only appears as
-                               ;; the operand of one 'strcpy' call.  As a
-                               ;; consequence, GCC does not store the string
-                               ;; literal as is but instead introduces "gaps"
-                               ;; for alignment reasons presumably---like
-                               ;; "/gnu/sto?????re/8jp8b??????ky105…".  This
-                               ;; makes this string invisible to the GC, which
-                               ;; in turns causes problems when running a
-                               ;; grafted WordNet because that grafted WordNet
-                               ;; keeps referring to the ungrafted variant,
-                               ;; which is not protected from GC.  Thus,
-                               ;; disable use of '__builtin_strcpy' to avoid
-                               ;; that.
-                               "CFLAGS=-DUSE_INTERP_RESULT -O2 -fno-builtin-strcpy")
+                               "CFLAGS=-DUSE_INTERP_RESULT -O2")
        #:phases
        (modify-phases %standard-phases
          (add-after 'install 'post-install
@@ -93,6 +79,12 @@
                #t))))))
     (outputs '("out"
                "tk"))                             ; for the Tcl/Tk GUI
+
+    ;; Build with a patched GCC to work around <http://bugs.gnu.org/24703>.
+    ;; (Specifically the 'DEFAULTPATH' string literal is what we want to
+    ;; prevent from being chunked so that grafting can "see" it and patch it.)
+    (native-inputs `(("gcc@6" ,gcc-6)))
+
     (inputs `(("tk" ,tk)
               ("tcl" ,tcl)))
     (home-page "http://wordnet.princeton.edu/")
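Review bot: The new comment says WordNet is built with a patched GCC but does not say which patch, and the previous hunk drops `-fno-builtin-strcpy` on that assumption. If `gcc-6` ever loses the patch (presumably gcc-strmov-store-file-names.patch, listed in this commit), the `DEFAULTPATH` store reference becomes invisible to grafting again without any build failure. Naming the patch in the comment, e.g. `;; Relies on gcc-6 carrying gcc-strmov-store-file-names.patch.`, makes that dependency explicit. The package definition starts and ends outside the hunk.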
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 94a017d1d5..505d585e66 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -134,6 +134,7 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
+    (replacement libxslt/fixed)
     (version "1.1.29")
     (source (origin
              (method url-fetch)
@@ -155,6 +156,14 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
+(define libxslt/fixed
+  (package
+    (inherit libxslt)
+    (name "libxslt")
+    (source (origin
+              (inherit (package-source libxslt))
+              (patches (search-patches "libxslt-CVE-2016-4738.patch"))))))
+
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
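Review bot: `libxslt/fixed` carries no comment saying that it is a graft for CVE-2016-4738 or when it can be folded back into `libxslt`. A line such as `;; Graft for CVE-2016-4738; merge the patch into libxslt at the next rebuild of its dependents.` would tell the next maintainer why two definitions exist. The `(name "libxslt")` field repeats what `(inherit libxslt)` already provides and can be dropped. The `replacement` field itself is added in the preceding hunk.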
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
new file mode 100644
index 0000000000..144c71bba0
--- /dev/null
+++ b/gnu/services/kerberos.scm
@@ -0,0 +1,67 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services kerberos)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu services)
+  #:use-module (gnu system pam)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:export (pam-krb5-configuration
+            pam-krb5-configuration?
+            pam-krb5-service-type))
+
+(define-record-type* <pam-krb5-configuration>
+  pam-krb5-configuration  make-pam-krb5-configuration
+  pam-krb5-configuration?
+  (pam-krb5               pam-krb5-configuration-pam-krb5
+                          (default pam-krb5))
+  (minimum-uid            pam-krb5-configuration-minimum-uid
+                          (default 1000)))
+
+(define (pam-krb5-pam-service config)
+  "Return a PAM service for Kerberos authentication."
+  (lambda (pam)
+    (define pam-krb5-module
+      #~(string-append #$(pam-krb5-configuration-pam-krb5 config) "/lib/security/pam_krb5.so"))
+
+    (let ((pam-krb5-sufficient
+           (pam-entry
+            (control "sufficient")
+            (module pam-krb5-module)
+            (arguments (list
+                        (format #f "minimum_uid=~a"
+                                (pam-krb5-configuration-minimum-uid config)))))))
+      (pam-service
+       (inherit pam)
+       (auth (cons* pam-krb5-sufficient
+                    (pam-service-auth pam)))
+       (session (cons* pam-krb5-sufficient
+                       (pam-service-session pam)))
+       (account (cons* pam-krb5-sufficient
+                       (pam-service-account pam)))))))
+
+(define (pam-krb5-pam-services config)
+  (list (pam-krb5-pam-service config)))
+
+(define pam-krb5-service-type
+  (service-type (name 'pam-krb5)
+                (extensions
+                 (list
+                  (service-extension pam-root-service-type
+                                     pam-krb5-pam-services)))))
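Review bot: The same `sufficient` entry is prepended to the auth, session and account stacks, so a success from pam_krb5 ends processing of the session and account stacks too, and the modules that follow it there (account expiry and access checks, session set-up) are skipped. Short-circuiting is wanted for auth only; session and account need their own entries with a control that lets the rest of the stack run. The sketch below uses `optional` for session and `required` for account, which assumes the packaged pam_krb5 returns an ignore status for users it does not handle; confirm that against its documentation before choosing. `pam-krb5-pam-services` also lacks a docstring, and since the extension is a procedure it presumably applies to every PAM service on the system, which is worth stating there.

```scheme
    ;; … unchanged: pam-krb5-module definition …
    (define (krb5-entry control)
      (pam-entry
       (control control)
       (module pam-krb5-module)
       (arguments (list
                   (format #f "minimum_uid=~a"
                           (pam-krb5-configuration-minimum-uid config))))))

    (pam-service
     (inherit pam)
     ;; Only the auth stack may stop at a Kerberos success.
     (auth (cons* (krb5-entry "sufficient")
                  (pam-service-auth pam)))
     (session (cons* (krb5-entry "optional")
                     (pam-service-session pam)))
     (account (cons* (krb5-entry "required")
                     (pam-service-account pam))))
```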
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index b51d57f079..4cc1221eb8 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -40,6 +40,7 @@
             file-system-dependencies
 
             file-system->spec
+            spec->file-system
             specification->file-system-mapping
             uuid
 
@@ -107,6 +108,16 @@ initrd code."
     (($ <file-system> device title mount-point type flags options _ _ check?)
      (list device title mount-point type flags options check?))))
 
+(define (spec->file-system sexp)
+  "Deserialize SEXP, a list, to the corresponding <file-system> object."
+  (match sexp
+    ((device title mount-point type flags options check?)
+     (file-system
+       (device device) (title title)
+       (mount-point mount-point) (type type)
+       (flags flags) (options options)
+       (check? check?)))))
+
 (define (specification->file-system-mapping spec writable?)
   "Read the SPEC and return the corresponding <file-system-mapping>.  SPEC is
 a string of the form \"SOURCE\" or \"SOURCE=TARGET\".  The former specifies
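Review bot: The docstring of `spec->file-system` does not say that it is the inverse of `file-system->spec`, nor that the two fields `file-system->spec` drops (the `_ _` in its pattern) come back with their default values. Suggested wording: `Deserialize SEXP, a list as produced by 'file-system->spec', to the corresponding <file-system> object; fields that are not serialized take their defaults.` A list of any other length raises a match error, which is acceptable for an internal format but could be mentioned as well.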
diff --git a/gnu/system/grub.scm b/gnu/system/grub.scm
index 5c9d0f15a1..4657b06b5f 100644
--- a/gnu/system/grub.scm
+++ b/gnu/system/grub.scm
@@ -51,6 +51,7 @@
             grub-configuration
             grub-configuration?
             grub-configuration-device
+            grub-configuration-grub
 
             menu-entry
             menu-entry?
diff --git a/gnu/system/linux-container.scm b/gnu/system/linux-container.scm
index d3c0036f47..24e61c3ead 100644
--- a/gnu/system/linux-container.scm
+++ b/gnu/system/linux-container.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,6 +25,7 @@
   #:use-module (guix gexp)
   #:use-module (guix derivations)
   #:use-module (guix monads)
+  #:use-module (guix modules)
   #:use-module (gnu build linux-container)
   #:use-module (gnu services)
   #:use-module (gnu system)
@@ -87,19 +89,15 @@ that will be shared with the host system."
                                   #:container? #t)))
 
       (define script
-        (with-imported-modules '((guix config)
-                                 (guix utils)
-                                 (guix combinators)
-                                 (guix build utils)
-                                 (guix build syscalls)
-                                 (guix build bournish)
-                                 (gnu build file-systems)
-                                 (gnu build linux-container))
+        (with-imported-modules (source-module-closure
+                                '((guix build utils)
+                                  (gnu build linux-container)))
           #~(begin
               (use-modules (gnu build linux-container)
+                           (gnu system file-systems) ;spec->file-system
                            (guix build utils))
 
-              (call-with-container '#$specs
+              (call-with-container (map spec->file-system '#$specs)
                 (lambda ()
                   (setenv "HOME" "/root")
                   (setenv "TMPDIR" "/tmp")
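Review bot: The gexp now does `(use-modules (gnu system file-systems))`, but that module is not named in the `source-module-closure` argument. It is imported only if it is in the closure of `(gnu build linux-container)`, which this hunk does not show. Listing it explicitly, `'((guix build utils) (gnu build linux-container) (gnu system file-systems))`, keeps the container script from failing on a missing module if that dependency is later dropped. The enclosing procedure starts and ends outside the hunk.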
diff --git a/guix/build/download.scm b/guix/build/download.scm
index 4259f52b7a..8e32b3d7ff 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -32,6 +32,7 @@
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
+  #:autoload   (ice-9 ftw) (scandir)
   #:use-module (ice-9 match)
   #:use-module (ice-9 format)
   #:export (open-socket-for-uri
@@ -273,14 +274,78 @@ out if the connection could not be established in less than TIMEOUT seconds."
 session record port using PORT as its underlying communication port."
   (hashq-set! %tls-ports record-port port))
 
-(define (tls-wrap port server)
+(define %x509-certificate-directory
+  ;; The directory where X.509 authority PEM certificates are stored.
+  (make-parameter (or (getenv "GUIX_TLS_CERTIFICATE_DIRECTORY")
+                      (getenv "SSL_CERT_DIR"))))  ;like OpenSSL
+
+(define (make-credendials-with-ca-trust-files directory)
+  "Return certificate credentials with X.509 authority certificates read from
+DIRECTORY.  Those authority certificates are checked when
+'peer-certificate-status' is later called."
+  (let ((cred  (make-certificate-credentials))
+        (files (or (scandir directory
+                            (lambda (file)
+                              (string-suffix? ".pem" file)))
+                   '())))
+    (for-each (lambda (file)
+                (set-certificate-credentials-x509-trust-file!
+                 cred (string-append directory "/" file)
+                 x509-certificate-format/pem))
+              (or files '()))
+    cred))
+
+(define (peer-certificate session)
+  "Return the certificate of the remote peer in SESSION."
+  (match (session-peer-certificate-chain session)
+    ((first _ ...)
+     (import-x509-certificate first x509-certificate-format/der))))
+
+(define (assert-valid-server-certificate session server)
+  "Return #t if the certificate of the remote peer for SESSION is a valid
+certificate for SERVER, where SERVER is the expected host name of peer."
+  (define cert
+    (peer-certificate session))
+
+  ;; First check whether the server's certificate matches SERVER.
+  (unless (x509-certificate-matches-hostname? cert server)
+    (throw 'tls-certificate-error 'host-mismatch cert server))
+
+  ;; Second check its validity and reachability from the set of authority
+  ;; certificates loaded via 'set-certificate-credentials-x509-trust-file!'.
+  (match (peer-certificate-status session)
+    (()                                           ;certificate is valid
+     #t)
+    ((statuses ...)
+     (throw 'tls-certificate-error 'invalid-certificate cert server
+            statuses))))
+
+(define (print-tls-certificate-error port key args default-printer)
+  "Print the TLS certificate error represented by ARGS in an intelligible
+way."
+  (match args
+    (('host-mismatch cert server)
+     (format port
+             "X.509 server certificate for '~a' does not match: ~a~%"
+             server (x509-certificate-dn cert)))
+    (('invalid-certificate cert server statuses)
+     (format port
+             "X.509 certificate of '~a' could not be verified:~%~{  ~a~%~}"
+             server
+             (map certificate-status->string statuses)))))
+
+(set-exception-printer! 'tls-certificate-error
+                        print-tls-certificate-error)
+
+(define* (tls-wrap port server #:key (verify-certificate? #t))
   "Return PORT wrapped in a TLS connection to SERVER.  SERVER must be a DNS
 host name without trailing dot."
   (define (log level str)
     (format (current-error-port)
             "gnutls: [~a|~a] ~a" (getpid) level str))
 
-  (let ((session (make-session connection-end/client)))
+  (let ((session  (make-session connection-end/client))
+        (ca-certs (%x509-certificate-directory)))
 
     ;; Some servers such as 'cloud.github.com' require the client to support
     ;; the 'SERVER NAME' extension.  However, 'set-session-server-name!' is
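Review bot: `peer-certificate` has a single `match` clause, so should the peer's chain ever be empty it raises a match error instead of `tls-certificate-error`. The connection is still refused, but the error bypasses `print-tls-certificate-error` and the `catch` in `tls-wrap`. Handling the empty chain explicitly and throwing `tls-certificate-error` from `assert-valid-server-certificate` would keep all certificate failures on one path. `make-credendials-with-ca-trust-files` is misspelled (`credentials`), and inside it `files` is already defaulted to `'()`, so the second `(or files '())` is redundant. `tls-wrap` continues outside the hunk.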
@@ -301,13 +366,27 @@ host name without trailing dot."
     ;; <https://tools.ietf.org/html/rfc7568>.
     (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
 
-    (set-session-credentials! session (make-certificate-credentials))
+    (set-session-credentials! session
+                              (if (and verify-certificate? ca-certs)
+                                  (make-credendials-with-ca-trust-files
+                                   ca-certs)
+                                  (make-certificate-credentials)))
 
     ;; Uncomment the following lines in case of debugging emergency.
     ;;(set-log-level! 10)
     ;;(set-log-procedure! log)
 
     (handshake session)
+
+    ;; Verify the server's certificate if needed.
+    (when verify-certificate?
+      (catch 'tls-certificate-error
+        (lambda ()
+          (assert-valid-server-certificate session server))
+        (lambda args
+          (close-port port)
+          (apply throw args))))
+
     (let ((record (session-record-port session)))
       ;; Since we use `fileno' above, the file descriptor behind PORT would be
       ;; closed when PORT is GC'd.  If we used `port->fdes', it would instead
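Review bot: When `verify-certificate?` is true but `ca-certs` is false, the `if` passed to `set-session-credentials!` falls back to `(make-certificate-credentials)` with no trust anchors, and nothing here says whether that is intended. The later `assert-valid-server-certificate` call still runs, so the connection presumably fails closed, but the user would get a list of statuses rather than a hint that no certificate directory was found. A comment such as `;; No CA directory: use empty credentials; the check after the handshake then rejects the peer.` would record the intent, and a dedicated error for the missing directory would be clearer still. The name `make-credendials-with-ca-trust-files` looks like a misspelling of "credentials"; its definition, like the start of `tls-wrap`, is outside this hunk.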
@@ -374,9 +453,13 @@ ETIMEDOUT error is raised."
               (apply throw args)
               (loop (cdr addresses))))))))
 
-(define* (open-connection-for-uri uri #:key timeout)
+(define* (open-connection-for-uri uri
+                                  #:key
+                                  timeout
+                                  (verify-certificate? #t))
   "Like 'open-socket-for-uri', but also handle HTTPS connections.  The
-resulting port must be closed with 'close-connection'."
+resulting port must be closed with 'close-connection'.  When
+VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
   (define https?
     (eq? 'https (uri-scheme uri)))
 
@@ -403,7 +486,8 @@ resulting port must be closed with 'close-connection'."
        (setvbuf s _IOFBF %http-receive-buffer-size)
 
        (if https?
-           (tls-wrap s (uri-host uri))
+           (tls-wrap s (uri-host uri)
+                     #:verify-certificate? verify-certificate?)
            s)))))
 
 (define (close-connection port)
@@ -588,10 +672,11 @@ Return the resulting target URI."
                     #:query    (uri-query    ref)
                     #:fragment (uri-fragment ref)))))
 
-(define* (http-fetch uri file #:key timeout)
+(define* (http-fetch uri file #:key timeout (verify-certificate? #t))
   "Fetch data from URI and write it to FILE; when TIMEOUT is true, bail out if
 the connection could not be established in less than TIMEOUT seconds.  Return
-FILE on success."
+FILE on success.  When VERIFY-CERTIFICATE? is true, verify HTTPS
+certificates; otherwise simply ignore them."
 
   (define post-2.0.7?
     (or (> (string->number (major-version)) 2)
@@ -618,7 +703,10 @@ FILE on success."
           (_ '()))))
 
   (let*-values (((connection)
-                 (open-connection-for-uri uri #:timeout timeout))
+                 (open-connection-for-uri uri
+                                          #:timeout timeout
+                                          #:verify-certificate?
+                                          verify-certificate?))
                 ((resp bv-or-port)
                  ;; XXX: `http-get*' was introduced in 2.0.7, and replaced by
                  ;; #:streaming? in 2.0.8.  We know we're using it within the
@@ -659,7 +747,9 @@ FILE on success."
          (format #t "following redirection to `~a'...~%"
                  (uri->string uri))
          (close connection)
-         (http-fetch uri file #:timeout timeout)))
+         (http-fetch uri file
+                     #:timeout timeout
+                     #:verify-certificate? verify-certificate?)))
       (else
        (error "download failed" (uri->string uri)
               code (response-reason-phrase resp))))))
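Review bot: The recursive `http-fetch` call follows the redirect target without looking at its scheme, at least in the lines shown here, so a request that started as verified HTTPS can continue over plain HTTP, where `verify-certificate?` has no effect. If that is acceptable, a comment should say so, e.g. `;; Note: the target may be plain HTTP; VERIFY-CERTIFICATE? then does not apply.` Otherwise the branch could refuse an https-to-http redirect when `verify-certificate?` is true. The rest of the `http-fetch` body lies outside this hunk.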
@@ -699,7 +789,7 @@ Return a list of URIs."
 
 (define* (url-fetch url file
                     #:key
-                    (timeout 10)
+                    (timeout 10) (verify-certificate? #t)
                     (mirrors '()) (content-addressed-mirrors '())
                     (hashes '()))
   "Fetch FILE from URL; URL may be either a single string, or a list of
@@ -713,7 +803,10 @@ HASHES must be a list of algorithm/hash pairs, where each algorithm is a
 symbol such as 'sha256 and each hash is a bytevector.
 CONTENT-ADDRESSED-MIRRORS must be a list of procedures that, given a hash
 algorithm and a hash, return a URL where the specified data can be retrieved
-or #f."
+or #f.
+
+When VERIFY-CERTIFICATE? is true, validate HTTPS server certificates;
+otherwise simply ignore them."
   (define uri
     (append-map (cut maybe-expand-mirrors <> mirrors)
                 (match url
@@ -725,9 +818,13 @@ or #f."
             file (uri->string uri))
     (case (uri-scheme uri)
       ((http https)
-       (false-if-exception* (http-fetch uri file #:timeout timeout)))
+       (false-if-exception* (http-fetch uri file
+                                        #:verify-certificate?
+                                        verify-certificate?
+                                        #:timeout timeout)))
       ((ftp)
-       (false-if-exception* (ftp-fetch uri file #:timeout timeout)))
+       (false-if-exception* (ftp-fetch uri file
+                                       #:timeout timeout)))
       (else
        (format #t "skipping URI with unsupported scheme: ~s~%"
                uri)
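Review bot: A `tls-certificate-error` raised under `http-fetch` is caught by `false-if-exception*` in the `(http https)` branch, so a failed verification becomes an ordinary fetch failure and `url-fetch` presumably moves on to the next URI. Whether the certificate error is shown to the user depends on `false-if-exception*`, which is defined outside this hunk. I would add a comment above the call, `;; Certificate failures are treated like any other download failure for this URI.`, so the fall-through is visibly deliberate. The re-wrapped `ftp-fetch` call changes nothing and could be left out of the commit.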
diff --git a/guix/download.scm b/guix/download.scm
index 80507f952a..0c275053c5 100644
--- a/guix/download.scm
+++ b/guix/download.scm
@@ -372,7 +372,11 @@ in the store."
                        #:hashes
                        (value-from-environment "guix download hashes")
                        #:content-addressed-mirrors
-                       (primitive-load #$%content-addressed-mirror-file))))))
+                       (primitive-load #$%content-addressed-mirror-file)
+
+                       ;; No need to validate certificates since we know the
+                       ;; hash of the expected result.
+                       #:verify-certificate? #f)))))
 
   (let ((uri (and (string? url) (string->uri url))))
     (if (or (and (string? url) (not uri))
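Review bot: The comment justifying `#:verify-certificate? #f` covers integrity only. The known hash rejects tampered content, but an impostor server still receives the request (URL and headers) and can make the download fail. I would spell that out: `;; The expected hash protects integrity only; the request is still sent to an unauthenticated server.` The enclosing procedure starts above this hunk.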
@@ -430,10 +434,12 @@ own.  This helper makes it easier to deal with \"tar bombs\"."
                       #:local-build? #t)))
 
 (define* (download-to-store store url #:optional (name (basename url))
-                            #:key (log (current-error-port)) recursive?)
+                            #:key (log (current-error-port)) recursive?
+                            (verify-certificate? #t))
   "Download from URL to STORE, either under NAME or URL's basename if
 omitted.  Write progress reports to LOG.  RECURSIVE? has the same effect as
-the same-named parameter of 'add-to-store'."
+the same-named parameter of 'add-to-store'.  VERIFY-CERTIFICATE? determines
+whether or not to validate HTTPS server certificates."
   (define uri
     (string->uri url))
 
@@ -444,7 +450,10 @@ the same-named parameter of 'add-to-store'."
        (lambda (temp port)
          (let ((result
                 (parameterize ((current-output-port log))
-                  (build:url-fetch url temp #:mirrors %mirrors))))
+                  (build:url-fetch url temp
+                                   #:mirrors %mirrors
+                                   #:verify-certificate?
+                                   verify-certificate?))))
            (close port)
            (and result
                 (add-to-store store name recursive? "sha256" temp)))))))
diff --git a/guix/http-client.scm b/guix/http-client.scm
index a8324be09f..cc3acc9587 100644
--- a/guix/http-client.scm
+++ b/guix/http-client.scm
@@ -223,7 +223,7 @@ or if EOF is reached."
                 'shutdown (const #f))
 
 (define* (http-fetch uri #:key port (text? #f) (buffered? #t)
-                     keep-alive?)
+                     keep-alive? (verify-certificate? #t))
   "Return an input port containing the data at URI, and the expected number of
 bytes available or #f.  If TEXT? is true, the data at URI is considered to be
 textual.  Follow any HTTP redirection.  When BUFFERED? is #f, return an
@@ -231,11 +231,15 @@ unbuffered port, suitable for use in `filtered-port'.  When KEEP-ALIVE? is
 true, send a 'Connection: keep-alive' HTTP header, in which case PORT may be
 reused for future HTTP requests.
 
+When VERIFY-CERTIFICATE? is true, verify HTTPS server certificates.
+
 Raise an '&http-get-error' condition if downloading fails."
   (let loop ((uri (if (string? uri)
                       (string->uri uri)
                       uri)))
-    (let ((port (or port (open-connection-for-uri uri)))
+    (let ((port (or port (open-connection-for-uri uri
+                                                  #:verify-certificate?
+                                                  verify-certificate?)))
           (auth-header (match (uri-userinfo uri)
                          ((? string? str)
                           (list (cons 'Authorization
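Review bot: `verify-certificate?` only takes effect when `http-fetch` opens the connection itself. With a caller-supplied PORT the `(or port ...)` form never calls `open-connection-for-uri`, so the flag is silently ignored. The new docstring sentence does not say so; I would write `When VERIFY-CERTIFICATE? is true and PORT is not supplied, verify HTTPS server certificates; callers passing PORT decide how it was opened.` The same applies to `http-multiple-get` in guix/scripts/substitute.scm, whose docstring does not mention the new keyword at all. The body of `http-fetch` continues past this hunk.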
diff --git a/guix/scripts/download.scm b/guix/scripts/download.scm
index bcb4eaa043..ec30b05ac0 100644
--- a/guix/scripts/download.scm
+++ b/guix/scripts/download.scm
@@ -41,7 +41,8 @@
 
 (define %default-options
   ;; Alist of default option values.
-  `((format . ,bytevector->nix-base32-string)))
+  `((format . ,bytevector->nix-base32-string)
+    (verify-certificate? . #t)))
 
 (define (show-help)
   (display (_ "Usage: guix download [OPTION] URL
@@ -52,6 +53,9 @@ Supported formats: 'nix-base32' (default), 'base32', and 'base16'
 ('hex' and 'hexadecimal' can be used as well).\n"))
   (format #t (_ "
   -f, --format=FMT       write the hash in the given format"))
+  (format #t (_ "
+      --no-check-certificate
+                         do not validate the certificate of HTTPS servers "))
   (newline)
   (display (_ "
   -h, --help             display this help and exit"))
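Review bot: The help text for `--no-check-certificate` does not say what the user gives up: the hash this command prints is then computed over content from a server nobody authenticated. Since that hash is typically copied elsewhere as the trusted value, the option description (or the manual entry) should warn about it, for instance `do not validate the certificate of HTTPS servers; the printed hash is then for unauthenticated content`. The translatable string also ends with a stray space before the closing quote, which translators will have to reproduce.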
@@ -77,6 +81,9 @@ Supported formats: 'nix-base32' (default), 'base32', and 'base16'
 
                   (alist-cons 'format fmt-proc
                               (alist-delete 'format result))))
+        (option '("no-check-certificate") #f #f
+                (lambda (opt name arg result)
+                  (alist-cons 'verify-certificate? #f result)))
 
         (option '(#\h "help") #f #f
                 (lambda args
@@ -120,7 +127,10 @@ Supported formats: 'nix-base32' (default), 'base32', and 'base16'
                      (parameterize ((current-terminal-columns
                                      (terminal-columns)))
                        (download-to-store store (uri->string uri)
-                                          (basename (uri-path uri)))))))
+                                          (basename (uri-path uri))
+                                          #:verify-certificate?
+                                          (assoc-ref opts
+                                                     'verify-certificate?))))))
            (hash  (call-with-input-file
                       (or path
                           (leave (_ "~a: download failed~%")
diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm
index 0c69bfc9d3..6dea67ca22 100644
--- a/guix/scripts/environment.scm
+++ b/guix/scripts/environment.scm
@@ -427,7 +427,7 @@ host file systems to mount inside the container."
             (file-systems (append %container-file-systems
                                   (map mapping->file-system mappings))))
        (exit/status
-        (call-with-container (map file-system->spec file-systems)
+        (call-with-container file-systems
           (lambda ()
             ;; Setup global shell.
             (mkdir-p "/bin")
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index d6281eae64..6e6f550941 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -369,7 +369,8 @@ for connections to complete; when TIMEOUT is #f, wait as long as needed."
               ;; This can happen if the server returns an invalid HTTP header,
               ;; as is the case with the 'Date' header at sqlite.org.
               (values 'invalid-http-response #f))
-             ((getaddrinfo-error system-error gnutls-error)
+             ((getaddrinfo-error system-error
+               gnutls-error tls-certificate-error)
               (values key args))
              (else
               (apply throw key args))))))
@@ -397,6 +398,13 @@ for connections to complete; when TIMEOUT is #f, wait as long as needed."
       (_
        (values 'unknown-protocol #f)))))
 
+(define (tls-certificate-error-string args)
+  "Return a string explaining the 'tls-certificate-error' arguments ARGS."
+  (call-with-output-string
+    (lambda (port)
+      (print-exception port #f
+                       'tls-certificate-error args))))
+
 (define (validate-uri uri package field)
   "Return #t if the given URI can be reached, otherwise return #f and emit a
 warning for PACKAGE mentionning the FIELD."
@@ -457,6 +465,10 @@ suspiciously small file (~a bytes)")
                                (cons status argument))))
                      field)
        #f)
+      ((tls-certificate-error)
+       (emit-warning package
+                     (format #f (_ "TLS certificate error: ~a")
+                             (tls-certificate-error-string argument))))
       ((invalid-http-response gnutls-error)
        ;; Probably a misbehaving server; ignore.
        #f)
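Review bot: The new `(tls-certificate-error)` branch returns whatever `emit-warning` returns instead of `#f`, and it omits the `field` argument, unlike the branch just above it which ends in `field)` followed by `#f)`. The docstring of `validate-uri` promises `#f` whenever the URI cannot be reached, so a certificate failure may look like success to callers, depending on the return value of `emit-warning` (defined outside this hunk). I would close the call with `(tls-certificate-error-string argument)) field)` and add `#f)` on the next line. The string from `tls-certificate-error-string` also ends with the newline the exception printer writes, so the warning may carry a trailing line break.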
@@ -672,14 +684,22 @@ from ~s: ~a (~s)~%")
                       (http-get-error-reason c))
              (warning (_ "assuming no CVE vulnerabilities~%"))
              '()))
-    (catch 'getaddrinfo-error
+    (catch #t
       (lambda ()
         (current-vulnerabilities))
-      (lambda (key errcode)
-        (warning (_ "failed to lookup NIST host: ~a~%")
-                 (gai-strerror errcode))
-        (warning (_ "assuming no CVE vulnerabilities~%"))
-        '()))))
+      (match-lambda*
+        (('getaddrinfo-error errcode)
+         (warning (_ "failed to lookup NIST host: ~a~%")
+                  (gai-strerror errcode))
+         (warning (_ "assuming no CVE vulnerabilities~%"))
+         '())
+        (('tls-certificate-error args ...)
+         (warning (_ "TLS certificate error: ~a")
+                  (tls-certificate-error-string args))
+         (warning (_ "assuming no CVE vulnerabilities~%"))
+         '())
+        (args
+         (apply throw args))))))
 
 (define package-vulnerabilities
   (let ((lookup (delay (vulnerabilities->lookup-proc
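Review bot: A certificate failure while fetching the vulnerability list falls through to `'()`, so every package is then linted as having no known CVEs and the two warnings are the only sign. A missing CA bundle or an impostor server therefore silences the CVE checker rather than stopping it. If that best-effort behaviour is intended, it should be stated above the `catch`, e.g. `;; Best effort: without an authenticated CVE list, report nothing rather than abort.` The two handled clauses of `match-lambda*` also repeat the same fallback lines, and the new `warning` format string lacks the `~%` that the other one has, relying on the printer's own newline.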
diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 3d6fde0188..524b019a31 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -210,10 +210,12 @@ provide."
                  (close-connection port))))
            (begin
              (when (or (not port) (port-closed? port))
-               (set! port (open-connection-for-uri uri))
+               (set! port (open-connection-for-uri uri
+                                                   #:verify-certificate? #f))
                (unless (or buffered? (not (file-port? port)))
                  (setvbuf port _IONBF)))
-             (http-fetch uri #:text? #f #:port port))))))
+             (http-fetch uri #:text? #f #:port port
+                         #:verify-certificate? #f))))))
     (else
      (leave (_ "unsupported substitute URI scheme: ~a~%")
             (uri->string uri)))))
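Review bot: `#:verify-certificate? #f` is passed here, and again in the next hunk of this file, with no comment at the call site. The rationale only appears further down, at the narinfo fetch. A reader auditing this procedure sees verification switched off for the download itself without learning what authenticates the data instead. I would add above `open-connection-for-uri`: `;; Certificates are deliberately not checked; the data is authenticated by other means, see the comment at the narinfo fetch.` The flag given to `http-fetch` alongside `#:port port` looks redundant, since the port is already open at that point, though the rest of that procedure is outside this diff.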
@@ -246,6 +248,7 @@ failure, return #f and #f."
                  #f))
         ((http https)
          (let ((port (open-connection-for-uri uri
+                                              #:verify-certificate? #f
                                               #:timeout %fetch-timeout)))
            (guard (c ((http-get-error? c)
                       (warning (_ "while fetching '~a': ~a (~s)~%")
@@ -256,6 +259,7 @@ failure, return #f and #f."
                       (warning (_ "ignoring substitute server at '~s'~%") url)
                       (values #f #f)))
              (values (read-cache-info (http-fetch uri
+                                                  #:verify-certificate? #f
                                                   #:port port
                                                   #:keep-alive? #t))
                      port))))))
@@ -518,7 +522,7 @@ indicates that PATH is unavailable at CACHE-URL."
     (build-request (string->uri url) #:method 'GET)))
 
 (define* (http-multiple-get base-uri proc seed requests
-                            #:key port)
+                            #:key port (verify-certificate? #t))
   "Send all of REQUESTS to the server at BASE-URI.  Call PROC for each
 response, passing it the request object, the response, a port from which to
 read the response body, and the previous result, starting with SEED, à la
@@ -529,7 +533,9 @@ initial connection on which HTTP requests are sent."
                 (result   seed))
     ;; (format (current-error-port) "connecting (~a requests left)..."
     ;;         (length requests))
-    (let ((p (or port (open-connection-for-uri base-uri))))
+    (let ((p (or port (open-connection-for-uri base-uri
+                                               #:verify-certificate?
+                                               verify-certificate?))))
       ;; For HTTPS, P is not a file port and does not support 'setvbuf'.
       (when (file-port? p)
         (setvbuf p _IOFBF (expt 2 16)))
@@ -627,9 +633,14 @@ if file doesn't exist, and the narinfo otherwise."
       ((http https)
        (let ((requests (map (cut narinfo-request url <>) paths)))
          (update-progress!)
+
+         ;; Note: Do not check HTTPS server certificates to avoid depending on
+         ;; the X.509 PKI.  We can do it because we authenticate narinfos,
+         ;; which provides a much stronger guarantee.
          (let ((result (http-multiple-get uri
                                           handle-narinfo-response '()
                                           requests
+                                          #:verify-certificate? #f
                                           #:port port)))
            (close-connection port)
            (newline (current-error-port))
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index df9b37d544..71ddccfa61 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -44,7 +44,6 @@
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu services herd)
-  #:use-module (gnu packages grub)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-19)
@@ -617,7 +616,8 @@ building anything."
                                                 #:image-size image-size
                                                 #:full-boot? full-boot?
                                                 #:mappings mappings))
-       (grub      (package->derivation grub))
+       (grub      (package->derivation (grub-configuration-grub
+                                        (operating-system-bootloader os))))
        (grub.cfg  (if (eq? 'container action)
                       (return #f)
                       (operating-system-grub.cfg os
diff --git a/po/guix/fr.po b/po/guix/fr.po
index 6e83d018c9..f641339e05 100644
--- a/po/guix/fr.po
+++ b/po/guix/fr.po
@@ -2,6 +2,7 @@
 # Copyright (C) 2016 Free Software Foundation, Inc.
 # This file is distributed under the same license as the guix package.
 # Rémy Chevalier <remychevalier@laposte.net>, 2013, 2014.
+# Frédéric Marchal <fmarchal@perso.be>, 2016
 #
 # Note de Frédéric Marchal: Le nom « shepherd » est le nom d'un démon (voir
 # https://www.gnu.org/software/shepherd/). Je ne l'ai pas traduit dans les
@@ -12,7 +13,7 @@ msgstr ""
 "Project-Id-Version: guix 0.11.0\n"
 "Report-Msgid-Bugs-To: ludo@gnu.org\n"
 "POT-Creation-Date: 2016-07-29 10:16+0200\n"
-"PO-Revision-Date: 2016-11-05 10:20+0200\n"
+"PO-Revision-Date: 2016-11-11 10:43+0100\n"
 "Last-Translator: Frédéric Marchal <fmarchal@perso.be>\n"
 "Language-Team: French <traduc@traduc.org>\n"
 "Language: fr\n"
@@ -2601,128 +2602,123 @@ msgstr "Ce programme est un démon qui tourne en tâche de fond. Il répond aux
 
 #: nix/nix-daemon/guix-daemon.cc:87
 msgid "SYSTEM"
-msgstr ""
+msgstr "SYSTÈME"
 
 #: nix/nix-daemon/guix-daemon.cc:88
 msgid "assume SYSTEM as the current system type"
-msgstr ""
+msgstr "suppose que SYSTÈME est le type de système actuel"
 
 #: nix/nix-daemon/guix-daemon.cc:89 nix/nix-daemon/guix-daemon.cc:92
 msgid "N"
-msgstr ""
+msgstr "N"
 
 #: nix/nix-daemon/guix-daemon.cc:90
 msgid "use N CPU cores to build each derivation; 0 means as many as available"
-msgstr ""
+msgstr "utilise N cœurs CPU pour compiler chaque dérivation; 0 signifie autant que disponible"
 
 #: nix/nix-daemon/guix-daemon.cc:93
 msgid "allow at most N build jobs"
-msgstr ""
+msgstr "autorise au plus N tâches de compilation"
 
 #: nix/nix-daemon/guix-daemon.cc:95
 msgid "disable chroot builds"
-msgstr ""
+msgstr "désactive les compilations chroot"
 
 #: nix/nix-daemon/guix-daemon.cc:96
 msgid "DIR"
-msgstr ""
+msgstr "RÉP"
 
 #: nix/nix-daemon/guix-daemon.cc:97
 msgid "add DIR to the build chroot"
-msgstr ""
+msgstr "ajoute RÉP au chroot de compilation"
 
 #: nix/nix-daemon/guix-daemon.cc:98
 msgid "GROUP"
-msgstr ""
+msgstr "GROUPE"
 
 #: nix/nix-daemon/guix-daemon.cc:99
 msgid "perform builds as a user of GROUP"
-msgstr ""
+msgstr "réalise les compilations en tant qu'un utilisateur du GROUPE"
 
 #: nix/nix-daemon/guix-daemon.cc:101
 msgid "do not use substitutes"
-msgstr ""
+msgstr "ne pas utiliser de substituts"
 
 #: nix/nix-daemon/guix-daemon.cc:102
 msgid "URLS"
-msgstr ""
+msgstr "URLS"
 
 #: nix/nix-daemon/guix-daemon.cc:103
 msgid "use URLS as the default list of substitute providers"
-msgstr ""
+msgstr "utilise URLS comme liste par défaut de fournisseurs de substituts"
 
 #: nix/nix-daemon/guix-daemon.cc:105
 msgid "do not use the 'build hook'"
-msgstr ""
+msgstr "n'utilise pas le « build hook »"
 
 #: nix/nix-daemon/guix-daemon.cc:107
 msgid "cache build failures"
-msgstr ""
+msgstr "garde les fonctionnalités de compilation en cache"
 
 #: nix/nix-daemon/guix-daemon.cc:109
 msgid "build each derivation N times in a row"
-msgstr ""
+msgstr "compile chaque dérivation N fois de suite"
 
 #: nix/nix-daemon/guix-daemon.cc:111
 msgid "do not keep build logs"
-msgstr ""
+msgstr "ne conserve pas les journaux de compilation"
 
 #: nix/nix-daemon/guix-daemon.cc:113
 msgid "disable compression of the build logs"
-msgstr ""
+msgstr "désactive la compression des journaux de compilation"
 
 #: nix/nix-daemon/guix-daemon.cc:118
 msgid "disable automatic file \"deduplication\" in the store"
-msgstr ""
+msgstr "désactive la « déduplication » automatique des fichiers dans le stockage"
 
 #: nix/nix-daemon/guix-daemon.cc:128
 msgid "impersonate Linux 2.6"
-msgstr ""
+msgstr "se faire passer pour Linux 2.6"
 
 #: nix/nix-daemon/guix-daemon.cc:132
 msgid "tell whether the GC must keep outputs of live derivations"
-msgstr ""
+msgstr "indique si le GC doit garder les sorties des dérivations en temps réel"
 
 #: nix/nix-daemon/guix-daemon.cc:135
 msgid "tell whether the GC must keep derivations corresponding to live outputs"
-msgstr ""
+msgstr "indique si le GC doit garder les dérivations correspondant aux sorties en temps réel"
 
 #: nix/nix-daemon/guix-daemon.cc:138
 msgid "SOCKET"
-msgstr ""
+msgstr "SOCKET"
 
 #: nix/nix-daemon/guix-daemon.cc:139
 msgid "listen for connections on SOCKET"
-msgstr ""
+msgstr "écoute sur SOCKET pour des connexions"
 
 #: nix/nix-daemon/guix-daemon.cc:141
 msgid "produce debugging output"
-msgstr ""
+msgstr "produit une sortie de déboguage"
 
 #: nix/nix-daemon/guix-daemon.cc:201
 #, c-format
 msgid "error: %s: invalid number of rounds\n"
-msgstr ""
+msgstr "erreur: %s: nombre de tours invalide\n"
 
 #: nix/nix-daemon/guix-daemon.cc:220 nix/nix-daemon/guix-daemon.cc:396
 #, c-format
 msgid "error: %s\n"
-msgstr ""
+msgstr "erreur: %s\n"
 
 #: nix/nix-daemon/guix-daemon.cc:281
 #, c-format
 msgid "error: libgcrypt version mismatch\n"
-msgstr ""
+msgstr "erreur: désaccord de version de libgcrypt\n"
 
 #: nix/nix-daemon/guix-daemon.cc:372
 #, c-format
 msgid "warning: daemon is running as root, so using `--build-users-group' is highly recommended\n"
-msgstr ""
-
-#, fuzzy
-#~| msgid "wrong arguments"
-#~ msgid "too many arguments\n"
-#~ msgstr "arguments non valides"
+msgstr "avertissement: le daemon fonctionne en tant que root, l'utilisation de « --build-users-group » est fortement recommandée\n"
 
 #~ msgid "looking for the latest release of GNU ~a..."
 #~ msgstr "recherche de la dernière version de GNU ~a..."
diff --git a/tests/containers.scm b/tests/containers.scm
index 698bef3e47..ccd122ac79 100644
--- a/tests/containers.scm
+++ b/tests/containers.scm
@@ -20,6 +20,7 @@
   #:use-module (guix utils)
   #:use-module (guix build syscalls)
   #:use-module (gnu build linux-container)
+  #:use-module (gnu system file-systems)
   #:use-module (srfi srfi-64)
   #:use-module (ice-9 match))
 
@@ -80,7 +81,10 @@
 (skip-if-unsupported)
 (test-assert "call-with-container, mnt namespace"
   (zero?
-   (call-with-container '(("none" device "/testing" "tmpfs" () #f #f))
+   (call-with-container (list (file-system
+                                (device "none")
+                                (mount-point "/testing")
+                                (type "tmpfs")))
      (lambda ()
        (assert-exit (file-exists? "/testing")))
      #:namespaces '(user mnt))))
@@ -91,8 +95,11 @@
   ;; An exception should be raised; see <http://bugs.gnu.org/23306>.
   (catch 'system-error
     (lambda ()
-      (call-with-container '(("/does-not-exist" device "/foo"
-                              "none" (bind-mount) #f #f))
+      (call-with-container (list (file-system
+                                   (device "/does-not-exist")
+                                   (mount-point "/foo")
+                                   (type "none")
+                                   (flags '(bind-mount))))
         (const #t)
         #:namespaces '(user mnt)))
     (lambda args
diff --git a/tests/cpan.scm b/tests/cpan.scm
index 80ff044abd..e37fc437fc 100644
--- a/tests/cpan.scm
+++ b/tests/cpan.scm
@@ -61,7 +61,9 @@
 (test-assert "cpan->guix-package"
   ;; Replace network resources with sample data.
   (mock ((guix build download) url-fetch
-         (lambda* (url file-name #:key (mirrors '()))
+         (lambda* (url file-name
+                       #:key
+                       (mirrors '()) verify-certificate?)
            (with-output-to-file file-name
              (lambda ()
                (display
diff --git a/tests/cran.scm b/tests/cran.scm
index 896c5af06c..f92934c468 100644
--- a/tests/cran.scm
+++ b/tests/cran.scm
@@ -89,7 +89,9 @@ Date/Publication: 2015-07-14 14:15:16
 (test-assert "description->package"
   ;; Replace network resources with sample data.
   (mock ((guix build download) url-fetch
-         (lambda* (url file-name #:key (mirrors '()))
+         (lambda* (url file-name
+                       #:key
+                       (mirrors '()) verify-certificate?)
            (with-output-to-file file-name
              (lambda ()
                (display