summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--Makefile.am2
-rw-r--r--README2
-rw-r--r--build-aux/download.scm9
-rw-r--r--configure.ac2
-rw-r--r--doc/guix.texi141
-rw-r--r--gnu/local.mk8
-rw-r--r--gnu/packages/apl.scm7
-rw-r--r--gnu/packages/bioinformatics.scm252
-rw-r--r--gnu/packages/bootloaders.scm4
-rw-r--r--gnu/packages/datastructures.scm26
-rw-r--r--gnu/packages/dns.scm93
-rw-r--r--gnu/packages/documentation.scm9
-rw-r--r--gnu/packages/emacs.scm6
-rw-r--r--gnu/packages/gnuzilla.scm8
-rw-r--r--gnu/packages/guile.scm73
-rw-r--r--gnu/packages/hurd.scm34
-rw-r--r--gnu/packages/image.scm100
-rw-r--r--gnu/packages/irc.scm4
-rw-r--r--gnu/packages/libevent.scm28
-rw-r--r--gnu/packages/linux.scm22
-rw-r--r--gnu/packages/machine-learning.scm56
-rw-r--r--gnu/packages/maths.scm81
-rw-r--r--gnu/packages/ninja.scm7
-rw-r--r--gnu/packages/ocaml.scm58
-rw-r--r--gnu/packages/package-management.scm7
-rw-r--r--gnu/packages/password-utils.scm4
-rw-r--r--gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch38
-rw-r--r--gnu/packages/patches/libwebp-CVE-2016-9085.patch144
-rw-r--r--gnu/packages/patches/ninja-tests.patch48
-rw-r--r--gnu/packages/patches/password-store-gnupg-compat.patch53
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-2620.patch134
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-2630.patch47
-rw-r--r--gnu/packages/patches/virglrenderer-CVE-2017-6386.patch54
-rw-r--r--gnu/packages/pdf.scm30
-rw-r--r--gnu/packages/python.scm7
-rw-r--r--gnu/packages/qemu.scm2
-rw-r--r--gnu/packages/rust.scm532
-rw-r--r--gnu/packages/skribilo.scm4
-rw-r--r--gnu/packages/spice.scm1
-rw-r--r--gnu/packages/statistics.scm562
-rw-r--r--gnu/packages/tls.scm2
-rw-r--r--gnu/packages/video.scm12
-rw-r--r--gnu/packages/wine.scm4
-rw-r--r--gnu/services/base.scm16
-rw-r--r--gnu/services/networking.scm86
-rw-r--r--gnu/system/file-systems.scm26
-rw-r--r--gnu/system/linux-initrd.scm18
-rw-r--r--guix/base16.scm83
-rw-r--r--guix/build-system/cargo.scm3
-rw-r--r--guix/build-system/r.scm2
-rw-r--r--guix/build/cargo-build-system.scm116
-rw-r--r--guix/build/download.scm32
-rw-r--r--guix/derivations.scm1
-rw-r--r--guix/docker.scm154
-rw-r--r--guix/gexp.scm40
-rw-r--r--guix/http-client.scm25
-rw-r--r--guix/import/cran.scm18
-rw-r--r--guix/import/snix.scm3
-rw-r--r--guix/memoization.scm21
-rw-r--r--guix/pk-crypto.scm6
-rw-r--r--guix/profiles.scm10
-rw-r--r--guix/scripts/archive.scm31
-rw-r--r--guix/scripts/authenticate.scm4
-rw-r--r--guix/scripts/download.scm4
-rw-r--r--guix/scripts/hash.scm2
-rw-r--r--guix/scripts/lint.scm6
-rw-r--r--guix/scripts/pack.scm151
-rwxr-xr-xguix/scripts/substitute.scm23
-rw-r--r--guix/serialization.scm3
-rw-r--r--guix/store.scm1
-rw-r--r--guix/utils.scm65
-rw-r--r--tests/base16.scm34
-rw-r--r--tests/gexp.scm39
-rw-r--r--tests/guix-build.sh4
-rw-r--r--tests/hash.scm2
-rw-r--r--tests/nar.scm12
-rw-r--r--tests/pack.scm3
-rw-r--r--tests/pk-crypto.scm3
-rw-r--r--tests/profiles.scm31
-rw-r--r--tests/utils.scm9
80 files changed, 2834 insertions, 970 deletions
diff --git a/Makefile.am b/Makefile.am
index 4d7bc1caeb..577cb5ebf3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,6 +30,7 @@ nodist_noinst_SCRIPTS =				\
 include gnu/local.mk
 
 MODULES =					\
+  guix/base16.scm				\
   guix/base32.scm				\
   guix/base64.scm				\
   guix/cpio.scm					\
@@ -251,6 +252,7 @@ TEST_EXTENSIONS = .scm .sh
 if CAN_RUN_TESTS
 
 SCM_TESTS =					\
+  tests/base16.scm				\
   tests/base32.scm				\
   tests/base64.scm				\
   tests/cpio.scm				\
diff --git a/README b/README
index 5829320dc7..4921f255da 100644
--- a/README
+++ b/README
@@ -20,7 +20,7 @@ Guix is based on the [[http://nixos.org/nix/][Nix]] package manager.
 
 GNU Guix currently depends on the following packages:
 
-  - [[http://gnu.org/software/guile/][GNU Guile 2.0.x]], version 2.0.7 or later
+  - [[http://gnu.org/software/guile/][GNU Guile 2.2.x or 2.0.x]], version 2.0.9 or later
   - [[http://gnupg.org/][GNU libgcrypt]]
   - [[http://www.gnu.org/software/make/][GNU Make]]
   - optionally [[http://savannah.nongnu.org/projects/guile-json/][Guile-JSON]], for the 'guix import pypi' command
diff --git a/build-aux/download.scm b/build-aux/download.scm
index e0b40e6f26..0e98bef55b 100644
--- a/build-aux/download.scm
+++ b/build-aux/download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
@@ -27,7 +27,7 @@
              (web client)
              (rnrs io ports)
              (srfi srfi-11)
-             (guix utils)
+             (guix base16)
              (guix hash))
 
 (define %url-base
@@ -37,11 +37,6 @@
   ;;"http://www.fdn.fr/~lcourtes/software/guix/packages"
   )
 
-;; XXX: Work around <http://bugs.gnu.org/13095>, present in Guile
-;; up to 2.0.7.
-(module-define! (resolve-module '(web client))
-                'shutdown (const #f))
-
 (define (file-name->uri file)
   "Return the URI for FILE."
   (match (string-tokenize file (char-set-complement (char-set #\/)))
diff --git a/configure.ac b/configure.ac
index 3bf2bf1610..76f52e0ec3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -82,7 +82,7 @@ if test "x$GUILD" = "x"; then
 fi
 
 if test "x$GUILE_EFFECTIVE_VERSION" = "x2.0"; then
-  PKG_CHECK_MODULES([GUILE], [guile-2.0 >= 2.0.7])
+  PKG_CHECK_MODULES([GUILE], [guile-2.0 >= 2.0.9])
 fi
 
 dnl Installation directory for .scm and .go files.
diff --git a/doc/guix.texi b/doc/guix.texi
index 0c6cb56a2b..c72a612b4c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -47,7 +47,6 @@ Documentation License''.
 @direntry
 * Guix: (guix).       Manage installed software and system configuration.
 * guix package: (guix)Invoking guix package.  Installing, removing, and upgrading packages.
-* guix build: (guix)Invoking guix build.      Building packages.
 * guix gc: (guix)Invoking guix gc.            Reclaiming unused disk space.
 * guix pull: (guix)Invoking guix pull.        Update the list of available packages.
 * guix system: (guix)Invoking guix system.    Manage the operating system configuration.
@@ -56,6 +55,8 @@ Documentation License''.
 @dircategory Software development
 @direntry
 * guix environment: (guix)Invoking guix environment. Building development environments with Guix.
+* guix build: (guix)Invoking guix build.      Building packages.
+* guix pack: (guix)Invoking guix pack.        Creating binary bundles.
 @end direntry
 
 @titlepage
@@ -505,11 +506,13 @@ To use substitutes from @code{hydra.gnu.org} or one of its mirrors
 @example
 # guix archive --authorize < ~root/.guix-profile/share/guix/hydra.gnu.org.pub
 @end example
+
+@item
+Each user may need to perform a few additional steps to make their Guix
+environment ready for use, @pxref{Application Setup}.
 @end enumerate
 
-This completes root-level install of Guix.  Each user will need to
-perform additional steps to make their Guix environment ready for use,
-@pxref{Application Setup}.
+Voilà, the installation is complete!
 
 You can confirm that Guix is working by installing a sample package into
 the root profile:
@@ -551,7 +554,7 @@ in the Guix source tree for additional details.
 GNU Guix depends on the following packages:
 
 @itemize
-@item @url{http://gnu.org/software/guile/, GNU Guile}, version 2.0.7 or
+@item @url{http://gnu.org/software/guile/, GNU Guile}, version 2.0.9 or
 later, including 2.2.x;
 @item @url{http://gnupg.org/, GNU libgcrypt};
 @item
@@ -2405,7 +2408,9 @@ The @command{guix pack} command creates a shrink-wrapped @dfn{pack} or
 containing the binaries of the software you're interested in, and all
 its dependencies.  The resulting archive can be used on any machine that
 does not have Guix, and people can run the exact same binaries as those
-you have with Guix.
+you have with Guix.  The pack itself is created in a bit-reproducible
+fashion, so anyone can verify that it really contains the build results
+that you pretend to be shipping.
 
 For example, to create a bundle containing Guile, Emacs, Geiser, and all
 their dependencies, you can run:
@@ -2435,14 +2440,50 @@ guix pack -S /opt/gnu/bin=bin guile emacs geiser
 @noindent
 That way, users can happily type @file{/opt/gnu/bin/guile} and enjoy.
 
+Alternatively, you can produce a pack in the Docker image format using
+the following command:
+
+@example
+guix pack -f docker guile emacs geiser
+@end example
+
+@noindent
+The result is a tarball that can be passed to the @command{docker load}
+command.  See the
+@uref{https://docs.docker.com/engine/reference/commandline/load/, Docker
+documentation} for more information.
+
 Several command-line options allow you to customize your pack:
 
 @table @code
+@item --format=@var{format}
+@itemx -f @var{format}
+Produce a pack in the given @var{format}.
+
+The available formats are:
+
+@table @code
+@item tarball
+This is the default format.  It produces a tarball containing all the
+specifies binaries and symlinks.
+
+@item docker
+This produces a tarball that follows the
+@uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md,
+Docker Image Specification}.
+@end table
+
 @item --system=@var{system}
 @itemx -s @var{system}
 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
 the system type of the build host.
 
+@item --target=@var{triplet}
+@cindex cross-compilation
+Cross-build for @var{triplet}, which must be a valid GNU triplet, such
+as @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU
+configuration triplets,, autoconf, Autoconf}).
+
 @item --compression=@var{tool}
 @itemx -C @var{tool}
 Compress the resulting tarball using @var{tool}---one of @code{gzip},
@@ -2537,7 +2578,7 @@ what you should use in this case (@pxref{Invoking guix copy}).
 
 @cindex nar, archive format
 @cindex normalized archive (nar)
-By default archives are stored in the ``normalized archive'' or ``nar'' format, which is
+Archives are stored in the ``normalized archive'' or ``nar'' format, which is
 comparable in spirit to `tar', but with differences
 that make it more appropriate for our purposes.  First, rather than
 recording all Unix metadata for each file, the nar format only mentions
@@ -2553,9 +2594,6 @@ verifies the signature and rejects the import in case of an invalid
 signature or if the signing key is not authorized.
 @c FIXME: Add xref to daemon doc about signatures.
 
-Optionally, archives can be exported as a Docker image in the tar
-archive format using @code{--format=docker}.
-
 The main options are:
 
 @table @code
@@ -2584,19 +2622,6 @@ Read a list of store file names from the standard input, one per line,
 and write on the standard output the subset of these files missing from
 the store.
 
-@item -f
-@item --format=@var{FMT}
-@cindex docker, export
-@cindex export format
-Specify the export format.  Acceptable arguments are @code{nar} and
-@code{docker}.  The default is the nar format.  When the format is
-@code{docker}, recursively export the specified store directory as a
-Docker image in tar archive format, as specified in
-@uref{https://github.com/docker/docker/blob/master/image/spec/v1.2.md,
-version 1.2.0 of the Docker Image Specification}.  Using
-@code{--format=docker} implies @code{--recursive}.  The generated
-archive can be loaded by Docker using @command{docker load}.
-
 @item --generate-key[=@var{parameters}]
 @cindex signing, archives
 Generate a new key pair for the daemon.  This is a prerequisite before
@@ -4347,8 +4372,22 @@ of the @code{gexp?} type (see below.)
 
 @deffn {Scheme Syntax} with-imported-modules @var{modules} @var{body}@dots{}
 Mark the gexps defined in @var{body}@dots{} as requiring @var{modules}
-in their execution environment.  @var{modules} must be a list of Guile
-module names, such as @code{'((guix build utils) (guix build gremlin))}.
+in their execution environment.
+
+Each item in @var{modules} can be the name of a module, such as
+@code{(guix build utils)}, or it can be a module name, followed by an
+arrow, followed by a file-like object:
+
+@example
+`((guix build utils)
+  (guix gcrypt)
+  ((guix config) => ,(scheme-file "config.scm"
+                                  #~(define-module @dots{}))))
+@end example
+
+@noindent
+In the example above, the first two modules are taken from the search
+path, and the last one is created from the given file-like object.
 
 This form has @emph{lexical} scope: it has an effect on the gexps
 directly defined in @var{body}@dots{}, but not on those defined, say, in
@@ -4882,15 +4921,15 @@ or @code{guile@@1.8}.
 
 For instance, the following command builds Guix, but replaces its
 dependency on the current stable version of Guile with a dependency on
-the development version of Guile, @code{guile-next}:
+the legacy version of Guile, @code{guile@@2.0}:
 
 @example
-guix build --with-input=guile=guile-next guix
+guix build --with-input=guile=guile@@2.0 guix
 @end example
 
 This is a recursive, deep replacement.  So in this example, both
 @code{guix} and its dependency @code{guile-json} (which also depends on
-@code{guile}) get rebuilt against @code{guile-next}.
+@code{guile}) get rebuilt against @code{guile@@2.0}.
 
 This is implemented using the @code{package-input-rewriting} Scheme
 procedure (@pxref{Defining Packages, @code{package-input-rewriting}}).
@@ -5032,8 +5071,8 @@ to build packages in a complete 32-bit environment.
 @item --target=@var{triplet}
 @cindex cross-compilation
 Cross-build for @var{triplet}, which must be a valid GNU triplet, such
-as @code{"mips64el-linux-gnu"} (@pxref{Configuration Names, GNU
-configuration triplets,, configure, GNU Configure and Build System}).
+as @code{"mips64el-linux-gnu"} (@pxref{Specifying target triplets, GNU
+configuration triplets,, autoconf, Autoconf}).
 
 @anchor{build-check}
 @item --check
@@ -6365,7 +6404,7 @@ home directory is accessible read-only via the @file{/exchange}
 directory:
 
 @example
-guix environment --container --expose=$HOME=/exchange guile -- guile
+guix environment --container --expose=$HOME=/exchange --ad-hoc guile -- guile
 @end example
 
 @item --share=@var{source}[=@var{target}]
@@ -6379,13 +6418,15 @@ home directory is accessible for both reading and writing via the
 @file{/exchange} directory:
 
 @example
-guix environment --container --share=$HOME=/exchange guile -- guile
+guix environment --container --share=$HOME=/exchange --ad-hoc guile -- guile
 @end example
 @end table
 
-It also supports all of the common build options that @command{guix
+@command{guix environment}
+also supports all of the common build options that @command{guix
 build} supports (@pxref{Common Build Options}).
 
+
 @node Invoking guix publish
 @section Invoking @command{guix publish}
 
@@ -9254,16 +9295,34 @@ NetworkManager will not modify @code{resolv.conf}.
 @end deftp
 
 @cindex Connman
-@deffn {Scheme Procedure} connman-service @
-       [#:connman @var{connman}]
-Return a service that runs @url{https://01.org/connman,Connman}, a network
-connection manager.
-
-This service adds the @var{connman} package to the global profile, providing
-several the @command{connmanctl} command to interact with the daemon and
-configure networking."
+@deffn {Scheme Variable} connman-service-type
+This is the service type to run @url{https://01.org/connman,Connman},
+a network connection manager.
+
+Its value must be an
+@code{connman-configuration} record as in this example:
+
+@example
+(service connman-service-type
+         (connman-configuration
+           (disable-vpn? #t)))
+@end example
+
+See below for details about @code{connman-configuration}.
 @end deffn
 
+@deftp {Data Type} connman-configuration
+Data Type representing the configuration of connman.
+
+@table @asis
+@item @code{connman} (default: @var{connman})
+The connman package to use.
+
+@item @code{disable-vpn?} (default: @code{#f})
+When true, enable connman's vpn plugin.
+@end table
+@end deftp
+
 @cindex WPA Supplicant
 @defvr {Scheme Variable} wpa-supplicant-service-type
 This is the service type to run @url{https://w1.fi/wpa_supplicant/,WPA
diff --git a/gnu/local.mk b/gnu/local.mk
index 9fc5953863..c92a5d09f8 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -11,6 +11,7 @@
 # Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 # Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>
 # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+# Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 #
 # This file is part of GNU Guix.
 #
@@ -680,6 +681,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.0-CVE-2016-10195.patch	\
   %D%/packages/patches/libevent-2.0-CVE-2016-10196.patch	\
   %D%/packages/patches/libevent-2.0-CVE-2016-10197.patch	\
+  %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch	\
   %D%/packages/patches/libevent-2.1-dns-tests.patch		\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libextractor-ffmpeg-3.patch		\
@@ -714,7 +716,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libunwind-CVE-2015-3239.patch		\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
-  %D%/packages/patches/libwebp-CVE-2016-9085.patch		\
   %D%/packages/patches/libwmf-CAN-2004-0941.patch		\
   %D%/packages/patches/libwmf-CVE-2006-3376.patch		\
   %D%/packages/patches/libwmf-CVE-2007-0455.patch		\
@@ -779,7 +780,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ngircd-no-dns-in-tests.patch		\
-  %D%/packages/patches/ninja-tests.patch			\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
@@ -809,6 +809,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ots-no-include-missing-file.patch	\
   %D%/packages/patches/p7zip-CVE-2016-9296.patch			\
   %D%/packages/patches/p7zip-remove-unused-code.patch		\
+  %D%/packages/patches/password-store-gnupg-compat.patch	\
   %D%/packages/patches/patchelf-page-size.patch			\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
@@ -878,6 +879,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
   %D%/packages/patches/qemu-CVE-2016-10155.patch			\
   %D%/packages/patches/qemu-CVE-2017-2615.patch			\
+  %D%/packages/patches/qemu-CVE-2017-2620.patch			\
+  %D%/packages/patches/qemu-CVE-2017-2630.patch			\
   %D%/packages/patches/qemu-CVE-2017-5525.patch			\
   %D%/packages/patches/qemu-CVE-2017-5526.patch			\
   %D%/packages/patches/qemu-CVE-2017-5552.patch			\
@@ -965,6 +968,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/upower-builddir.patch			\
   %D%/packages/patches/valgrind-enable-arm.patch		\
   %D%/packages/patches/vim-CVE-2017-5953.patch			\
+  %D%/packages/patches/virglrenderer-CVE-2017-6386.patch 	\
   %D%/packages/patches/vorbis-tools-CVE-2014-9638+CVE-2014-9639.patch		\
   %D%/packages/patches/vorbis-tools-CVE-2014-9640.patch		\
   %D%/packages/patches/vorbis-tools-CVE-2015-6749.patch		\
diff --git a/gnu/packages/apl.scm b/gnu/packages/apl.scm
index 1c7d42b713..aa47edcd64 100644
--- a/gnu/packages/apl.scm
+++ b/gnu/packages/apl.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,16 +31,16 @@
 (define-public apl
   (package
     (name "apl")
-    (version "1.6")
+    (version "1.7")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "mirror://gnu/apl/apl-" version ".tar.gz"))
       (sha256
        (base32
-        "057zwzvvgcrrwsl52a27w86hgy31jqq6avqq629xj7yq90qah3ay"))))
+        "07xq8ddlmz8psvsmwr23gar108ri0lwmw0n6kpxcv8ypas1f5xlg"))))
     (build-system gnu-build-system)
-    (home-page "http://www.gnu.org/software/apl/")
+    (home-page "https://www.gnu.org/software/apl/")
     (inputs
      `(("gettext" ,gettext-minimal)
        ("lapack" ,lapack)
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 3387a2571a..90092ddf70 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -108,6 +108,9 @@
         (base32
          "0959fiiy11rzfzrzaknmgrx64bhszj02l0ycz79k5a6bmpfzanlk"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)
+       ("r-nlme" ,r-nlme)))
     (home-page "http://ape-package.ird.fr/")
     (synopsis "Analyses of phylogenetics and evolution")
     (description
@@ -475,7 +478,7 @@ BED, GFF/GTF, VCF.")
     (inputs
      `(("bedtools" ,bedtools-2.18)
        ("samtools" ,samtools-0.1)
-       ("r" ,r)
+       ("r-minimal" ,r-minimal)
        ("r-foreach" ,r-foreach)
        ("r-xnomial" ,r-xnomial)
        ("r-domc" ,r-domc)
@@ -1725,7 +1728,7 @@ gene predictor designed to work with assembled, aligned RNA-seq transcripts.")
        ("python2-scipy" ,python2-scipy)
        ("python2-matplotlib" ,python2-matplotlib)))
     (propagated-inputs
-     `(("r" ,r)
+     `(("r-minimal" ,r-minimal)
        ("libsvm" ,libsvm)
        ("randomjungle" ,randomjungle)))
     (native-inputs
@@ -4001,7 +4004,7 @@ partial genes, and identifies translation initiation sites.")
        ("grep" ,grep)
        ("sed" ,sed)
        ("gawk" ,gawk)
-       ("r" ,r)
+       ("r-minimal" ,r-minimal)
        ("r-ggplot2" ,r-ggplot2)
        ("coreutils" ,coreutils)))
     (home-page "http://sanger-pathogens.github.io/Roary")
@@ -4116,7 +4119,7 @@ phylogenies.")
     (inputs
      `(("boost" ,boost)
        ("ncurses" ,ncurses)
-       ("r" ,r)
+       ("r-minimal" ,r-minimal)
        ("perl" ,perl)
        ("samtools" ,samtools-0.1)
        ("zlib" ,zlib)))
@@ -4383,7 +4386,7 @@ Roche 454, Ion Torrent and Pacific BioSciences SMRT.")
 (define-public ngs-sdk
   (package
     (name "ngs-sdk")
-    (version "1.2.5")
+    (version "1.3.0")
     (source
      (origin
        (method url-fetch)
@@ -4393,7 +4396,7 @@ Roche 454, Ion Torrent and Pacific BioSciences SMRT.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "04y1fsmdnb5y86m3gg6f5g9wcscr6r25n7m8mdlcxy0i2q6w6cia"))))
+         "1wiyf4c6nm2j87pv015cbi0qny5byf3pbvcw3likifz5dl56ag40"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-build? #f ; not supported
@@ -4447,7 +4450,7 @@ simultaneously.")
 (define-public ncbi-vdb
   (package
     (name "ncbi-vdb")
-    (version "2.7.0")
+    (version "2.8.2")
     (source
      (origin
        (method url-fetch)
@@ -4457,67 +4460,77 @@ simultaneously.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0x1cg1x8vy0yjlkp0snc1533zcjhxqzqsaiwqk598n7vvw37n8lf"))))
+         "1acn4bv81mfl137qnbn9995mjjhwd36pm0b7qli1iw5skrxa9j8m"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-build? #f ; not supported
        #:tests? #f ; no "check" target
        #:phases
-       (alist-replace
-        'configure
-        (lambda* (#:key inputs outputs #:allow-other-keys)
-          (let ((out (assoc-ref outputs "out")))
-            ;; Override include path for libmagic
-            (substitute* "setup/package.prl"
-              (("name => 'magic', Include => '/usr/include'")
-               (string-append "name=> 'magic', Include => '"
-                              (assoc-ref inputs "libmagic")
-                              "/include" "'")))
-
-            ;; Install kdf5 library (needed by sra-tools)
-            (substitute* "build/Makefile.install"
-              (("LIBRARIES_TO_INSTALL =")
-               "LIBRARIES_TO_INSTALL = kdf5.$(VERSION_LIBX) kdf5.$(VERSION_SHLX)"))
-
-            (substitute* "build/Makefile.env"
-              (("CFLAGS	=" prefix)
-               (string-append prefix "-msse2 ")))
-
-            ;; The 'configure' script doesn't recognize things like
-            ;; '--enable-fast-install'.
-            (zero? (system*
-                    "./configure"
-                    (string-append "--build-prefix=" (getcwd) "/build")
-                    (string-append "--prefix=" (assoc-ref outputs "out"))
-                    (string-append "--debug")
-                    (string-append "--with-xml2-prefix="
-                                   (assoc-ref inputs "libxml2"))
-                    (string-append "--with-ngs-sdk-prefix="
-                                   (assoc-ref inputs "ngs-sdk"))
-                    (string-append "--with-ngs-java-prefix="
-                                   (assoc-ref inputs "java-ngs"))
-                    (string-append "--with-hdf5-prefix="
-                                   (assoc-ref inputs "hdf5"))))))
-        (alist-cons-after
-         'install 'install-interfaces
-         (lambda* (#:key outputs #:allow-other-keys)
-           ;; Install interface libraries.  On i686 the interface libraries
-           ;; are installed to "linux/gcc/i386", so we need to use the Linux
-           ;; architecture name ("i386") instead of the target system prefix
-           ;; ("i686").
-           (mkdir (string-append (assoc-ref outputs "out") "/ilib"))
-           (copy-recursively (string-append "build/ncbi-vdb/linux/gcc/"
-                                            ,(system->linux-architecture
-                                              (or (%current-target-system)
-                                                  (%current-system)))
-                                            "/rel/ilib")
-                             (string-append (assoc-ref outputs "out")
-                                            "/ilib"))
-           ;; Install interface headers
-           (copy-recursively "interfaces"
-                             (string-append (assoc-ref outputs "out")
-                                            "/include")))
-         %standard-phases))))
+       (modify-phases %standard-phases
+         (replace 'configure
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               ;; Override include path for libmagic
+               (substitute* "setup/package.prl"
+                 (("name => 'magic', Include => '/usr/include'")
+                  (string-append "name=> 'magic', Include => '"
+                                 (assoc-ref inputs "libmagic")
+                                 "/include" "'")))
+
+               ;; Install kdf5 library (needed by sra-tools)
+               (substitute* "build/Makefile.install"
+                 (("LIBRARIES_TO_INSTALL =")
+                  "LIBRARIES_TO_INSTALL = kdf5.$(VERSION_LIBX) kdf5.$(VERSION_SHLX)"))
+
+               (substitute* "build/Makefile.env"
+                 (("CFLAGS	=" prefix)
+                  (string-append prefix "-msse2 ")))
+
+               ;; Override search path for ngs-java
+               (substitute* "setup/package.prl"
+                 (("/usr/local/ngs/ngs-java")
+                  (assoc-ref inputs "java-ngs")))
+
+               ;; The 'configure' script doesn't recognize things like
+               ;; '--enable-fast-install'.
+               (zero? (system*
+                       "./configure"
+                       (string-append "--build-prefix=" (getcwd) "/build")
+                       (string-append "--prefix=" (assoc-ref outputs "out"))
+                       (string-append "--debug")
+                       (string-append "--with-xml2-prefix="
+                                      (assoc-ref inputs "libxml2"))
+                       (string-append "--with-ngs-sdk-prefix="
+                                      (assoc-ref inputs "ngs-sdk"))
+                       (string-append "--with-hdf5-prefix="
+                                      (assoc-ref inputs "hdf5")))))))
+         (add-after 'install 'install-interfaces
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Install interface libraries.  On i686 the interface libraries
+             ;; are installed to "linux/gcc/i386", so we need to use the Linux
+             ;; architecture name ("i386") instead of the target system prefix
+             ;; ("i686").
+             (mkdir (string-append (assoc-ref outputs "out") "/ilib"))
+             (copy-recursively (string-append "build/ncbi-vdb/linux/gcc/"
+                                              ,(system->linux-architecture
+                                                (or (%current-target-system)
+                                                    (%current-system)))
+                                              "/rel/ilib")
+                               (string-append (assoc-ref outputs "out")
+                                              "/ilib"))
+             ;; Install interface headers
+             (copy-recursively "interfaces"
+                               (string-append (assoc-ref outputs "out")
+                                              "/include"))
+             #t))
+         ;; These files are needed by sra-tools.
+         (add-after 'install 'install-configuration-files
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((target (string-append (assoc-ref outputs "out") "/kfg")))
+               (mkdir target)
+               (install-file "libs/kfg/default.kfg" target)
+               (install-file "libs/kfg/certs.kfg" target))
+             #t)))))
     (inputs
      `(("libxml2" ,libxml2)
        ("ngs-sdk" ,ngs-sdk)
@@ -4728,7 +4741,7 @@ sequence itself can be retrieved from these databases.")
 (define-public sra-tools
   (package
     (name "sra-tools")
-    (version "2.7.0")
+    (version "2.8.2-1")
     (source
      (origin
        (method url-fetch)
@@ -4738,13 +4751,19 @@ sequence itself can be retrieved from these databases.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "13paw7bq6y47d2pl0ac5gpgcqp1xsy1g7v1fwysm3hr8lb2dck17"))))
+         "1camsijmvv2s45mb4iyf44ghl4gkd4rl0viphpcgl3ccchy32a0g"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-build? #f ; not supported
        #:tests? #f ; no "check" target
        #:make-flags
-       (list (string-append "VDB_LIBDIR="
+       (list (string-append "DEFAULT_CRT="
+                            (assoc-ref %build-inputs "ncbi-vdb")
+                            "/kfg/certs.kfg")
+             (string-append "DEFAULT_KFG="
+                            (assoc-ref %build-inputs "ncbi-vdb")
+                            "/kfg/default.kfg")
+             (string-append "VDB_LIBDIR="
                             (assoc-ref %build-inputs "ncbi-vdb")
                             ,(if (string-prefix? "x86_64"
                                                  (or (%current-target-system)
@@ -5337,6 +5356,7 @@ information as possible.")
     (propagated-inputs
      `(("r-cluster" ,r-cluster)
        ("r-lattice" ,r-lattice)
+       ("r-mass" ,r-mass)
        ("r-mgcv" ,r-mgcv)
        ("r-permute" ,r-permute)))
     (home-page "https://cran.r-project.org/web/packages/vegan")
@@ -5418,7 +5438,8 @@ microarrays.")
      `(("r-annotate" ,r-annotate)
        ("r-annotationdbi" ,r-annotationdbi)
        ("r-biobase" ,r-biobase)
-       ("r-s4vectors" ,r-s4vectors)))
+       ("r-s4vectors" ,r-s4vectors)
+       ("r-survival" ,r-survival)))
     (home-page "http://bioconductor.org/packages/genefilter")
     (synopsis "Filter genes from high-throughput experiments")
     (description
@@ -5716,6 +5737,7 @@ annotation infrastructure.")
        ("r-genomicalignments" ,r-genomicalignments)
        ("r-genomicranges" ,r-genomicranges)
        ("r-iranges" ,r-iranges)
+       ("r-mass" ,r-mass)
        ("r-rtracklayer" ,r-rtracklayer)
        ("r-s4vectors" ,r-s4vectors)))
     (home-page "https://github.com/Kraus-Lab/groHMM")
@@ -6115,7 +6137,8 @@ functionality.")
     (native-inputs
      `(("which" ,which)))
     (propagated-inputs
-     `(("r-graph" ,r-graph)
+     `(("r-codetools" ,r-codetools)
+       ("r-graph" ,r-graph)
        ("r-knitr" ,r-knitr)
        ("r-httr" ,r-httr)
        ("r-optparse" ,r-optparse)
@@ -6643,6 +6666,7 @@ files.")
        ("r-genomeinfodb" ,r-genomeinfodb)
        ("r-genomicranges" ,r-genomicranges)
        ("r-iranges" ,r-iranges)
+       ("r-matrix" ,r-matrix)
        ("r-s4vectors" ,r-s4vectors)))
     (home-page "http://bioconductor.org/packages/SummarizedExperiment")
     (synopsis "Container for representing genomic ranges by sample")
@@ -6834,8 +6858,9 @@ information about the latest version of the Gene Ontologies.")
        ("r-biobase" ,r-biobase)
        ("r-biocgenerics" ,r-biocgenerics)
        ("r-go-db" ,r-go-db)
-       ("r-matrixstats" ,r-matrixstats)
        ("r-graph" ,r-graph)
+       ("r-lattice" ,r-lattice)
+       ("r-matrixstats" ,r-matrixstats)
        ("r-sparsem" ,r-sparsem)))
     (home-page "http://bioconductor.org/packages/topGO")
     (synopsis "Enrichment analysis for gene ontology")
@@ -7611,9 +7636,9 @@ library implementing most of the pipeline's features.")
                  `("R_LIBS_SITE" ":" = (,(getenv "R_LIBS_SITE")))))
              #t)))))
     (inputs
-     `(("r" ,r)
+     `(("r-minimal" ,r-minimal)
        ("r-rcas" ,r-rcas)
-       ("guile-next" ,guile-next)
+       ("guile-next" ,guile-2.2)
        ("guile-json" ,guile2.2-json)
        ("guile-redis" ,guile2.2-redis)))
     (native-inputs
@@ -8227,7 +8252,8 @@ number detection tools.")
          "1wc1fjm6dzlsqqagm43y57w8jh8nsh0r0m8z1p6ximcb5gxqh7hn"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-genefilter" ,r-genefilter)))
+     `(("r-genefilter" ,r-genefilter)
+       ("r-mgcv" ,r-mgcv)))
     (home-page "http://bioconductor.org/packages/sva")
     (synopsis "Surrogate variable analysis")
     (description
@@ -8279,6 +8305,7 @@ data (variant call format, e.g. VCF or BCF) or meta-analysis results in R.")
     (propagated-inputs
      `(("r-seqminer" ,r-seqminer)
        ("r-mvtnorm" ,r-mvtnorm)
+       ("r-mass" ,r-mass)
        ("r-compquadform" ,r-compquadform)
        ("r-getopt" ,r-getopt)))
     (home-page "http://genome.sph.umich.edu/wiki/RareMETALS2")
@@ -8437,6 +8464,7 @@ analysis.")
      `(("r-affy" ,r-affy)
        ("r-biobase" ,r-biobase)
        ("r-ggplot2" ,r-ggplot2)
+       ("r-lattice" ,r-lattice)
        ("r-limma" ,r-limma)))
     (home-page "http://bioconductor.org/packages/release/bioc/html/vsn.html")
     (synopsis "Variance stabilization and calibration for microarray data")
@@ -8500,6 +8528,7 @@ specific parser.")
     (propagated-inputs
      `(("r-biobase" ,r-biobase)
        ("r-biocgenerics" ,r-biocgenerics)
+       ("r-mass" ,r-mass)
        ("r-rcpp" ,r-rcpp)))
     (home-page "https://github.com/hredestig/pcamethods")
     (synopsis "Collection of PCA methods")
@@ -8593,6 +8622,85 @@ contains a number of utilities to explore the MS/MS results and assess missed
 and irregular enzymatic cleavages, mass measurement accuracy, etc.")
     (license license:artistic2.0)))
 
+(define-public r-seurat
+  ;; Source releases are only made for new x.0 versions.  All newer versions
+  ;; are only released as pre-built binaries.  At the time of this writing the
+  ;; latest binary release is 1.4.0.12, which is equivalent to this commit.
+  (let ((commit "fccb77d1452c35ee47e47ebf8e87bddb59f3b08d")
+        (revision "1"))
+    (package
+      (name "r-seurat")
+      (version (string-append "1.4.0.12-" revision "." (string-take commit 7)))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://github.com/satijalab/seurat")
+                      (commit commit)))
+                (file-name (string-append name "-" version "-checkout"))
+                (sha256
+                 (base32
+                  "101wq3aqrdmbfi3lqmq4iivk9iwbf10d4z216ss25hf7n9091cyl"))
+                ;; Delete pre-built jar.
+                (snippet
+                 '(begin (delete-file "inst/java/ModularityOptimizer.jar")
+                         #t))))
+      (build-system r-build-system)
+      (arguments
+       `(#:phases
+         (modify-phases %standard-phases
+           (add-after 'unpack 'build-jar
+             (lambda* (#:key inputs #:allow-other-keys)
+               (let ((classesdir "tmp-classes"))
+                 (setenv "JAVA_HOME" (assoc-ref inputs "jdk"))
+                 (mkdir classesdir)
+                 (and (zero? (apply system* `("javac" "-d" ,classesdir
+                                              ,@(find-files "java" "\\.java$"))))
+                      (zero? (system* "jar"
+                                      "-cf" "inst/java/ModularityOptimizer.jar"
+                                      "-C" classesdir ".")))))))))
+      (native-inputs
+       `(("jdk" ,icedtea "jdk")))
+      (propagated-inputs
+       `(("r-ape" ,r-ape)
+         ("r-caret" ,r-caret)
+         ("r-cowplot" ,r-cowplot)
+         ("r-dplyr" ,r-dplyr)
+         ("r-fastica" ,r-fastica)
+         ("r-fnn" ,r-fnn)
+         ("r-fpc" ,r-fpc)
+         ("r-gdata" ,r-gdata)
+         ("r-ggplot2" ,r-ggplot2)
+         ("r-gplots" ,r-gplots)
+         ("r-gridextra" ,r-gridextra)
+         ("r-igraph" ,r-igraph)
+         ("r-irlba" ,r-irlba)
+         ("r-lars" ,r-lars)
+         ("r-mixtools" ,r-mixtools)
+         ("r-pbapply" ,r-pbapply)
+         ("r-plyr" ,r-plyr)
+         ("r-ranger" ,r-ranger)
+         ("r-rcolorbrewer" ,r-rcolorbrewer)
+         ("r-rcpp" ,r-rcpp)
+         ("r-rcppeigen" ,r-rcppeigen)
+         ("r-rcppprogress" ,r-rcppprogress)
+         ("r-reshape2" ,r-reshape2)
+         ("r-rocr" ,r-rocr)
+         ("r-rtsne" ,r-rtsne)
+         ("r-stringr" ,r-stringr)
+         ("r-tclust" ,r-tclust)
+         ("r-tsne" ,r-tsne)
+         ("r-vgam" ,r-vgam)))
+      (home-page "http://www.satijalab.org/seurat")
+      (synopsis "Seurat is an R toolkit for single cell genomics")
+      (description
+       "This package is an R package designed for QC, analysis, and
+exploration of single cell RNA-seq data.  It easily enables widely-used
+analytical techniques, including the identification of highly variable genes,
+dimensionality reduction; PCA, ICA, t-SNE, standard unsupervised clustering
+algorithms; density clustering, hierarchical clustering, k-means, and the
+discovery of differentially expressed genes and markers.")
+      (license license:gpl3))))
+
 (define htslib-for-sambamba
   (let ((commit "2f3c3ea7b301f9b45737a793c0b2dcf0240e5ee5"))
     (package
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 86a776910a..5fc6bf2e29 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -259,7 +259,7 @@ tree binary files.  These are board description files used by Linux and BSD.")
 (define u-boot
   (package
     (name "u-boot")
-    (version "2017.01")
+    (version "2017.03")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -267,7 +267,7 @@ tree binary files.  These are board description files used by Linux and BSD.")
                     "u-boot-" version ".tar.bz2"))
               (sha256
                (base32
-                "1wpc51jm3zyibgcr78jng2yksqvrya76bxgsr4pcyjrsz5sm2hkc"))))
+                "0gqihplap05dlpwdb971wsqyv01nz2vabwq5g5649gr5jczsyjzm"))))
     (native-inputs
      `(("bc" ,bc)
        ("dtc" ,dtc)
diff --git a/gnu/packages/datastructures.scm b/gnu/packages/datastructures.scm
index b9e6061238..ef249b9659 100644
--- a/gnu/packages/datastructures.scm
+++ b/gnu/packages/datastructures.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -19,6 +19,7 @@
 
 (define-module (gnu packages datastructures)
   #:use-module (gnu packages)
+  #:use-module (gnu packages perl)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
@@ -92,3 +93,26 @@ hashes (CTPH), also called fuzzy checksums.  It can identify similar files
 that have sequences of identical bytes in the same order, even though bytes
 in between these sequences may be different in both content and length.")
     (license license:gpl2+)))
+
+(define-public liburcu
+  (package
+    (name "liburcu")
+    (version "0.9.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://www.lttng.org/files/urcu/"
+                                  "userspace-rcu-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "01j0xp3f0w147yfyzybkjvb7i67i7prsvnkssgvgwry9lvk35khv"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("perl" ,perl)))                 ; for tests
+    (home-page "http://liburcu.org/")
+    (synopsis "User-space RCU data synchronisation library")
+    (description "liburcu is a user-space @dfn{Read-Copy-Update} (RCU) data
+synchronisation library.  It provides read-side access that scales linearly
+with the number of cores.  liburcu-cds provides efficient data structures
+based on RCU and lock-free algorithms.  These structures include hash tables,
+queues, stacks, and doubly-linked lists.")
+    (license license:lgpl2.1+)))
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index 541979f587..d09abc1366 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
-;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -24,17 +24,25 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages dns)
+  #:use-module (gnu packages admin)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages crypto)
+  #:use-module (gnu packages datastructures)
   #:use-module (gnu packages glib)
   #:use-module (gnu packages groff)
+  #:use-module (gnu packages groff)
+  #:use-module (gnu packages libedit)
   #:use-module (gnu packages libevent)
+  #:use-module (gnu packages libidn)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages ncurses)
+  #:use-module (gnu packages nettle)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages tls)
+  #:use-module (gnu packages web)
   #:use-module (gnu packages xml)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
@@ -134,8 +142,8 @@ and BOOTP/TFTP for network booting of diskless machines.")
            (lambda _
              (zero? (system* "make" "force-test")))))))
     (synopsis "An implementation of the Domain Name System")
-    (description "BIND is an implementation of the Domain Name System (DNS)
-protocols for the Internet.  It is a reference implementation of those
+    (description "BIND is an implementation of the @dfn{Domain Name System}
+(DNS) protocols for the Internet.  It is a reference implementation of those
 protocols, but it is also production-grade software, suitable for use in
 high-volume and high-reliability applications. The name BIND stands for
 \"Berkeley Internet Name Domain\", because the software originated in the early
@@ -298,9 +306,80 @@ asynchronous fashion.")
                                "--disable-nsid")))
     (home-page "http://www.yadifa.eu/")
     (synopsis "Authoritative DNS name server")
-    (description "YADIFA is an authorative name server for the Domain Name
-System (DNS).  It aims for both higher performance and a smaller memory
+    (description "YADIFA is an authoritative name server for the @dfn{Domain
+Name System} (DNS).  It aims for both higher performance and a smaller memory
 footprint than other implementations, while remaining fully RFC-compliant.
-YADIFA supports dynamic record updates and the Domain Name System Security
-Extensions (DNSSEC).")
+YADIFA supports dynamic record updates and the @dfn{Domain Name System Security
+Extensions} (DNSSEC).")
     (license license:bsd-3)))
+
+(define-public knot
+  (package
+    (name "knot")
+    (version "2.4.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://secure.nic.cz/files/knot-dns/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "0k3hkc6vqj8yd479zdn80ki5f0vnjhrm4fka7kfj9z7mkgwxsr60"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; Remove bundled libraries and dependencies on them.
+                  (substitute* "configure"
+                    (("src/contrib/dnstap/Makefile") ""))
+                  (substitute* "src/Makefile.in"
+                    (("contrib/dnstap ") ""))
+                  (with-directory-excursion "src/contrib"
+                    (for-each delete-file-recursively
+                              (list "dnstap" "lmdb")))))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("gnutls" ,gnutls)
+       ("jansson" ,jansson)
+       ("libcap-ng" ,libcap-ng)
+       ("libedit" ,libedit)
+       ("libidn" ,libidn)
+       ("liburcu" ,liburcu)
+       ("lmdb" ,lmdb)
+       ("ncurses" ,ncurses)
+       ("nettle" ,nettle)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'disable-directory-pre-creation
+           (lambda _
+             ;; Don't install empty directories like ‘/etc’ outside the store.
+             (substitute* "src/Makefile.in" (("\\$\\(INSTALL\\) -d") "true"))))
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (doc (string-append out "/share/doc/knot"))
+                    (etc (string-append doc "/examples/etc")))
+               (zero?
+                (system* "make"
+                         (string-append "config_dir=" etc)
+                         "install"))))))
+       #:configure-flags
+       (list "--sysconfdir=/etc"
+             "--localstatedir=/var"
+             "--enable-rosedb"          ; serve static records from a database
+             (string-append "--with-bash-completions="
+                            (assoc-ref %outputs "out")
+                            "/etc/bash_completion.d"))))
+    (home-page "https://www.knot-dns.cz/")
+    (synopsis "Authoritative DNS name server")
+    (description "Knot DNS is an authorative name server for the @dfn{Domain
+Name System} (DNS), designed to meet the needs of root and @dfn{top-level
+domain} (TLD) name servers.  It is implemented as a threaded daemon and uses a
+number of programming techniques to improve speed.  For example, the responder
+is completely lock-free, resulting in a very high response rate.  Other features
+include automatic @dfn{DNS Security Extensions} (DNSSEC) signing, dynamic record
+synthesis, and on-the-fly re-configuration.")
+    (license (list license:expat        ; src/contrib/{hat-trie,murmurhash3}
+                   license:lgpl2.0+     ; parts of scr/contrib/ucw
+                   license:gpl3+))))    ; everything else
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index 792e70ecdd..ba8eea3931 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -85,8 +85,17 @@ release/xsl/current")
                            (string-append (assoc-ref inputs "docbook-xsl")
                                           "/xml/xsl/docbook-xsl-"
                                           ,(package-version docbook-xsl)))))
+                       #t))
+         ;; Do the same for docbook-xml.
+         (add-before 'install 'make-local-docbook-xml
+                     (lambda* (#:key inputs #:allow-other-keys)
+                       (substitute* "docbook45.conf"
+                         (("http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd")
+                          (string-append (assoc-ref inputs "docbook-xml")
+                                         "/xml/dtd/docbook/docbookx.dtd")))
                        #t)))))
     (inputs `(("python" ,python-2)
+              ("docbook-xml" ,docbook-xml)
               ("docbook-xsl" ,docbook-xsl)
               ("libxml2" ,libxml2)
               ("libxslt" ,libxslt)))
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index c6e62acb7a..b84faaff07 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -2179,7 +2179,7 @@ in @code{html-mode}.")
 (define-public emacs-slime
   (package
     (name "emacs-slime")
-    (version "2.18")
+    (version "2.19")
     (source
      (origin
        (file-name (string-append name "-" version ".tar.gz"))
@@ -2189,7 +2189,7 @@ in @code{html-mode}.")
              version ".tar.gz"))
        (sha256
         (base32
-         "146avwbwr6mw0nmgyihx8gkr0mv6al7a73igzxvysj62000cqvlj"))))
+         "1jhaq5cn89k45nzyl0jd12gmjxnh1bq9jlfwrxba342agxsscb0p"))))
     (build-system emacs-build-system)
     (native-inputs
      `(("texinfo" ,texinfo)))
@@ -2924,7 +2924,7 @@ E-Prime forbids the use of the \"to be\" form to strengthen your writing.")
                 (string-append "SHELL = " (which "sh")))))))))
     (inputs
      `(("emacs" ,emacs-minimal)
-       ("r" ,r)))
+       ("r-minimal" ,r-minimal)))
     (native-inputs
      `(("perl" ,perl)
        ("texinfo" ,texinfo)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index af95f149f7..97fddc2a84 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -350,7 +350,13 @@ standards.")
         (mozilla-patch "icecat-bug-1341137-pt3.patch"    "69f3d44bdb48" "1ad7rw6nmg3c49ylqxlqqkb6cm2f0ygfzrigs6b60a2zkjqhbl0h")
         (mozilla-patch "icecat-bug-1341137-pt4.patch"    "22546e2cee64" "0gbwxa3p7qkq53hwnvxcqhx8h34qmnjdxy0h3ajik4mw76vrna9s")
         (mozilla-patch "icecat-bug-1341137-pt5.patch"    "e5083d8a855a" "1247vbpqzf007nigbxxqd6nwgr1dxd4p8cd0dr45afqh19vhlapj")
-        (mozilla-patch "icecat-bug-1339122.patch"        "b0d156c7445e" "026jp5bb565yvhkmmicgygcn1lmak85p0466yl1vnjlx1rc8n724")))
+        (mozilla-patch "icecat-bug-1339122.patch"        "b0d156c7445e" "026jp5bb565yvhkmmicgygcn1lmak85p0466yl1vnjlx1rc8n724")
+        (mozilla-patch "icecat-bug-1319087.patch"        "9cd44507fd65" "0mcfvby53r2150libazgrgaqrdyvl0g6cr1f01dsya3cgmc9mkcn")
+        (mozilla-patch "icecat-bug-1342661.patch"        "d449995ef7d9" "1kz8k2jxvhqpjgrsj7r0kqq79036lrkfnx5pvdnsl59np9128j81")
+        (mozilla-patch "icecat-bug-1343261.patch"        "9b5374019b58" "0v5w50r5ys4jjy1lpks280cq8paw7wdy9mrk7szzq7nlcxz90is7")
+        (mozilla-patch "icecat-bug-1343552-pt1.patch"    "08bc7a3330e4" "1hsvffscqc4zflni866ilylgi3a13wz0n882z85xplbhwhc9lcfj")
+        (mozilla-patch "icecat-bug-1343552-pt2.patch"    "8c61ebe37f1b" "1fjsr6bzfyd1zqzz2pglwh2ckys95h21wy3j4rlwkz66057z53qq")
+        (mozilla-patch "icecat-bug-1340718.patch"        "bfa75fc20c2b" "08gksd06lwbb5ykdrk9gh2cb9bximwxhbxl3rprz64jj2bnmd3dq")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 59de06b62f..b621d8274d 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -217,9 +217,9 @@ without requiring the source code to be rewritten.")
     (properties '((hidden? . #t)))          ;people should install 'guile-2.0'
     (replacement #f)))
 
-(define-public guile-next
+(define-public guile-2.2
   (package (inherit guile-2.0)
-    (name "guile-next")
+    (name "guile")
     (version "2.2.0")
     (replacement #f)
     (source (origin
@@ -236,12 +236,8 @@ without requiring the source code to be rewritten.")
               ;; times (almost 3 hours on a 4-core Intel i5).
               (snippet '(for-each delete-file
                                   (find-files "prebuilt" "\\.go$")))))
-    (synopsis "Snapshot of what will become version 2.2 of GNU Guile")
     (properties '((timeout . 72000)               ;20 hours
-                  (max-silent-time . 10800)       ;3 hours (needed on ARM)
-                  (upstream-name . "guile")
-                  (ftp-server . "alpha.gnu.org")
-                  (ftp-directory . "/gnu/guile")))
+                  (max-silent-time . 10800)))     ;3 hours (needed on ARM)
     (native-search-paths
      (list (search-path-specification
             (variable "GUILE_LOAD_PATH")
@@ -251,23 +247,28 @@ without requiring the source code to be rewritten.")
             (files '("lib/guile/2.2/site-ccache"
                      "share/guile/site/2.2")))))))
 
-(define (guile-2.2-package-name name)
-  "Return NAME with a \"guile2.2-\" prefix instead of \"guile-\", when
-applicable."
-  (if (string-prefix? "guile-" name)
-      (string-append "guile2.2-"
-                     (string-drop name
-                                  (string-length "guile-")))
-      name))
+(define (guile-variant-package-name prefix)
+  (lambda (name)
+    "Return NAME with PREFIX instead of \"guile-\", when applicable."
+    (if (string-prefix? "guile-" name)
+        (string-append prefix "-"
+                       (string-drop name
+                                    (string-length "guile-")))
+        name)))
 
 (define package-for-guile-2.2
   ;; A procedure that rewrites the dependency tree of the given package to use
-  ;; GUILE-NEXT instead of GUILE-2.0.
-  (package-input-rewriting `((,guile-2.0 . ,guile-next))
-                           guile-2.2-package-name))
+  ;; GUILE-2.2 instead of GUILE-2.0.
+  (package-input-rewriting `((,guile-2.0 . ,guile-2.2))
+                           (guile-variant-package-name "guile2.2")))
+
+(define package-for-guile-2.0
+  ;; Likewise, but the other way around.  :-)
+  (package-input-rewriting `((,guile-2.2 . ,guile-2.0))
+                           (guile-variant-package-name "guile2.0")))
 
 (define-public guile-for-guile-emacs
-  (package (inherit guile-next)
+  (package (inherit guile-2.2)
     (name "guile-for-guile-emacs")
     (version "20150510.d8d9a8d")
     (source (origin
@@ -282,7 +283,7 @@ applicable."
      (substitute-keyword-arguments `(;; Tests aren't passing for now.
                                      ;; Obviously we should re-enable this!
                                      #:tests? #f
-                                     ,@(package-arguments guile-next))
+                                     ,@(package-arguments guile-2.2))
        ((#:phases phases)
         `(modify-phases ,phases
            (add-after 'unpack 'autogen
@@ -300,7 +301,7 @@ applicable."
        ("flex" ,flex)
        ("texinfo" ,texinfo)
        ("gettext" ,gettext-minimal)
-       ,@(package-native-inputs guile-next)))
+       ,@(package-native-inputs guile-2.2)))
     ;; Same as in guile-2.0
     (native-search-paths
      (list (search-path-specification
@@ -441,7 +442,7 @@ more.")
     (build-system gnu-build-system)
     (native-inputs `(("pkgconfig" ,pkg-config)
                      ("gperf" ,gperf)))
-    (inputs `(("guile" ,guile-2.0)))
+    (inputs `(("guile" ,guile-2.2)))
     (synopsis "Framework for building readers for GNU Guile")
     (description
      "Guile-Reader is a simple framework for building readers for GNU Guile.
@@ -458,8 +459,10 @@ many readers as needed).")
     (home-page "http://www.nongnu.org/guile-reader/")
     (license license:gpl3+)))
 
+(define-public guile2.0-reader
+  (package-for-guile-2.0 guile-reader))
 (define-public guile2.2-reader
-  (package-for-guile-2.2 guile-reader))
+  (deprecated-package "guile2.2-reader" guile-reader))
 
 (define-public guile-ncurses
   (package
@@ -1042,7 +1045,7 @@ Guile's foreign function interface.")
      `(("pkg-config" ,pkg-config)
        ("texinfo" ,texinfo)))
     (inputs
-     `(("guile" ,guile-2.0)))
+     `(("guile" ,guile-2.2)))
     (propagated-inputs
      `(("guile-reader" ,guile-reader)
        ("guile-commonmark" ,guile-commonmark)))
@@ -1053,9 +1056,11 @@ interface for reading articles in any format.")
     (home-page "http://haunt.dthompson.us")
     (license license:gpl3+)))
 
+(define-public guile2.0-haunt
+  (package-for-guile-2.0
+   (package (inherit haunt) (name "guile2.0-haunt"))))
 (define-public guile2.2-haunt
-  (package-for-guile-2.2
-   (package (inherit haunt) (name "guile2.2-haunt"))))
+  (deprecated-package "guile2.2-haunt" haunt))
 
 (define-public guile-config
   (package
@@ -1413,7 +1418,7 @@ you send to a FIFO file.")
                      "/site/@GUILE_EFFECTIVE_VERSION@"))))))
     (build-system gnu-build-system)
     (inputs
-     `(("guile" ,guile-2.0)))
+     `(("guile" ,guile-2.2)))
     (synopsis "CommonMark parser for Guile")
     (description
      "guile-commonmark is a library for parsing CommonMark, a fully specified
@@ -1424,8 +1429,10 @@ is no support for parsing block and inline level HTML.")
     (home-page "https://github.com/OrangeShark/guile-commonmark")
     (license license:lgpl3+)))
 
+(define-public guile2.0-commonmark
+  (package-for-guile-2.0 guile-commonmark))
 (define-public guile2.2-commonmark
-  (package-for-guile-2.2 guile-commonmark))
+  (deprecated-package "guile2.2-commonmark" guile-commonmark))
 
 (define-public guile-bytestructures
   (package
@@ -1616,18 +1623,18 @@ and then run @command{scm example.scm}.")
 (define-public guile-8sync
   (package
     (name "guile-8sync")
-    (version "0.4.1")
+    (version "0.4.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/8sync/8sync-" version
                                   ".tar.gz"))
               (sha256
                (base32
-                "1fvf8d2s3vvg4nyskbqaiqmlm2x571hv7hizcnmny45zvalydr9h"))))
+                "031wm13srak3wsnll7j2mbbi29g1pcm4swdb71ds9yn567pn20qw"))))
     (build-system gnu-build-system)
     (native-inputs `(("autoconf" ,autoconf)
                      ("automake" ,automake)
-                     ("guile" ,guile-next)
+                     ("guile" ,guile-2.2)
                      ("pkg-config" ,pkg-config)
                      ("texinfo" ,texinfo)))
     (arguments
@@ -1643,7 +1650,7 @@ and then run @command{scm example.scm}.")
      "GNU 8sync (pronounced \"eight-sync\") is an asynchronous programming
 library for GNU Guile based on the actor model.
 
-Note that 8sync is only available for Guile 2.2 (guile-next in Guix).")
+Note that 8sync is only available for Guile 2.2.")
     (license license:lgpl3+)))
 
 (define-public guile-fibers
@@ -1662,7 +1669,7 @@ Note that 8sync is only available for Guile 2.2 (guile-next in Guix).")
      `(("texinfo" ,texinfo)
        ("pkg-config" ,pkg-config)))
     (inputs
-     `(("guile" ,guile-next)))
+     `(("guile" ,guile-2.2)))
     (synopsis "Lightweight concurrency facility for Guile")
     (description
      "Fibers is a Guile library that implements a a lightweight concurrency
diff --git a/gnu/packages/hurd.scm b/gnu/packages/hurd.scm
index ba91b60bea..2d7b7b2ac0 100644
--- a/gnu/packages/hurd.scm
+++ b/gnu/packages/hurd.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
+;;; Copyright © 2014, 2015, 2016, 2017 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -210,3 +210,35 @@ Library for GNU/Hurd.")
 Hurd-minimal package which are needed for both glibc and GCC.")
     (home-page (package-home-page hurd-headers))
     (license (package-license hurd-headers))))
+
+(define-public gnumach
+  (package
+    (name "gnumach")
+    (version "1.8")
+    (source (origin
+              (method url-fetch)
+              (uri (gnumach-source-url version))
+              (sha256
+               (base32
+                "02hygsfpd2dljl5lg1vjjg9pizi9jyxd4aiiqzjshz6jax62jm9f"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (add-after 'install 'produce-image
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let* ((out  (assoc-ref outputs "out"))
+                             (boot (string-append out "/boot")))
+                        (and (zero? (system* "make" "gnumach.gz"))
+                             (begin
+                               (install-file "gnumach.gz" boot)
+                               #t))))))))
+    (native-inputs
+     `(("mig" ,mig)
+       ("perl" ,perl)))
+    (supported-systems (cons "i686-linux" %hurd-systems))
+    (home-page
+     "https://www.gnu.org/software/hurd/microkernel/mach/gnumach.html")
+    (synopsis "Microkernel of the GNU system")
+    (description
+     "GNU Mach is the microkernel upon which a GNU Hurd system is based.")
+    (license gpl2+)))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index fd2eefab0d..2989ea006f 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -3,10 +3,10 @@
 ;;; Copyright © 2013, 2015, 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 Alex Kost <alezost@gmail.com>
-;;; Copyright © 2014, 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2014, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2015 Amirouche Boubekki <amirouche@hypermove.net>
-;;; Copyright © 2014 John Darrington <jmd@gnu.org>
+;;; Copyright © 2014, 2017 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -14,6 +14,7 @@
 ;;; Copyright © 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -90,6 +91,52 @@ library.  It supports almost all PNG features and is extensible.")
    (license license:zlib)
    (home-page "http://www.libpng.org/pub/png/libpng.html")))
 
+(define-public libpng-apng
+  (package
+    (inherit libpng)
+    (replacement #f) ;libpng's replacement doesn't apply here
+    (name "libpng-apng")
+    (version (package-version libpng))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'patch-apng
+           (lambda* (#:key inputs #:allow-other-keys)
+             (define (apply-patch file)
+               (zero? (system* "patch" "-p1" "--force"
+                               "--input" file)))
+             (let ((apng.gz (assoc-ref inputs "apng")))
+               (format #t "Applying APNG patch '~a'...~%"
+                       apng.gz)
+               (system (string-append "gunzip < " apng.gz " > the-patch"))
+               (and (apply-patch "the-patch")
+                    (for-each apply-patch
+                              (find-files "\\.patch"))))
+           #t))
+         (add-before 'configure 'no-checks
+           (lambda _
+             (substitute* "Makefile.in"
+               (("^scripts/symbols.chk") "")
+               (("check: scripts/symbols.chk") ""))
+             #t)))))
+    (inputs
+     `(("apng" ,(origin
+                  (method url-fetch)
+                  (uri
+                   (string-append "mirror://sourceforge/libpng-apng/libpng16/"
+                                  version "/libpng-" version "-apng.patch.gz"))
+                  (sha256
+                   (base32
+                    "026r0gbkf6d6v54wca02cdxln8sj4m2c1yk62sj2aasv2ki2ffh5"))))))
+    (native-inputs
+     `(("libtool" ,libtool)))
+    (synopsis "APNG patch for libpng")
+    (description
+     "APNG (Animated Portable Network Graphics) is an unofficial
+extension of the APNG (Portable Network Graphics) format.
+APNG patch provides APNG support to libpng.")
+    (home-page "https://sourceforge.net/projects/libpng-apng/")))
+
 (define-public libpng-1.2
   (package
     (inherit libpng)
@@ -721,17 +768,16 @@ multi-dimensional image processing.")
 (define-public libwebp
   (package
     (name "libwebp")
-    (version "0.5.1")
+    (version "0.6.0")
     (source
      (origin
        (method url-fetch)
        (uri (string-append
              "http://downloads.webmproject.org/releases/webp/libwebp-" version
              ".tar.gz"))
-       (patches (search-patches "libwebp-CVE-2016-9085.patch"))
        (sha256
         (base32
-         "1pqki1g8nzi8qgciysypd5r38zccv81np1dn43g27830rmpnrmka"))))
+         "0h1brwkyxc7lb8lc53aacdks5vc1y9hzngqi41gg7y6l56912a69"))))
     (build-system gnu-build-system)
     (inputs
      `(("freeglut" ,freeglut)
@@ -1081,3 +1127,47 @@ interface.  It supports color space extensions that allow it to compress from
 and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
     (license (list license:bsd-3        ; jsimd*.[ch] and most of simd/
                    license:ijg))))      ; the rest
+
+(define-public niftilib
+  (package
+    (name "niftilib")
+    (version "2.0.0")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "mirror://sourceforge/niftilib/"
+                                        "nifticlib/nifticlib_"
+                                        (string-join (string-split version #\.) "_")
+                                        "/nifticlib-" version ".tar.gz")))
+              (sha256
+               (base32 "123z9bwzgin5y8gi5ni8j217k7n683whjsvg0lrpii9flgk8isd3"))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:tests? #f                      ; there is no test target
+       #:parallel-build? #f             ; not supported
+       #:make-flags
+       (list "SHELL=bash"
+             (string-append "ZLIB_INC="
+                            (assoc-ref %build-inputs "zlib") "/include")
+             ;; Append "-fPIC" to CFLAGS.
+             (string-append "CFLAGS="
+                            "-Wall -ansi -pedantic -fPIC"))
+       #:phases
+       (modify-phases %standard-phases
+         (replace 'install
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               (for-each
+                (lambda (dir)
+                  (copy-recursively dir (string-append out "/" dir)))
+                '("bin" "lib" "include")))
+             #t))
+         (delete 'configure))))
+    (inputs
+     `(("zlib" ,zlib)))
+    (synopsis "Library for reading and writing files in the nifti-1 format")
+    (description "Niftilib is a set of i/o libraries for reading and writing
+files in the nifti-1 data format - a binary file format for storing
+medical image data, e.g. magnetic resonance image (MRI) and functional MRI
+(fMRI) brain images.")
+    (home-page "http://niftilib.sourceforge.net")
+    (license license:public-domain)))
diff --git a/gnu/packages/irc.scm b/gnu/packages/irc.scm
index 3d06df9ed8..f4ff7fcbef 100644
--- a/gnu/packages/irc.scm
+++ b/gnu/packages/irc.scm
@@ -298,14 +298,14 @@ and extensible with plugins and scripts.")
 (define-public limnoria
   (package
     (name "limnoria")
-    (version "2016.08.07")
+    (version "2017.01.10")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "limnoria" version))
        (sha256
         (base32
-         "0w1d98hfhn4iqrczam7zahhqsvxa79n3xfcrm4jwkg5lba4f9ccm"))))
+         "0va7iiwkrd5miibpaphfm2jlfsmaazbqb8izkmlnlzkqnskhz1ff"))))
     (build-system python-build-system)
     (inputs
      `(("python-pytz" ,python-pytz)
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index 551fbf7206..1bfdefd7b5 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
@@ -74,18 +74,20 @@ loop.")
     (inherit libevent)
     (version "2.0.22")
     (source (origin
-          (method url-fetch)
-          (uri (string-append
-                "https://github.com/libevent/libevent/releases/download/release-"
-                version "-stable/libevent-" version "-stable.tar.gz"))
-          (sha256
-           (base32
-            "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki"))
-          (patches (search-patches
-                    "libevent-dns-tests.patch"
-                    "libevent-2.0-CVE-2016-10195.patch"
-                    "libevent-2.0-CVE-2016-10196.patch"
-                    "libevent-2.0-CVE-2016-10197.patch"))))))
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/libevent/libevent/releases/download/release-"
+                    version "-stable/libevent-" version "-stable.tar.gz"))
+              (sha256
+               (base32
+                "18qz9qfwrkakmazdlwxvjmw8p76g70n3faikwvdwznns1agw9hki"))
+              (patches
+               (search-patches
+                "libevent-dns-tests.patch"
+                "libevent-2.0-CVE-2016-10195.patch"
+                "libevent-2.0-CVE-2016-10196.patch"
+                "libevent-2.0-CVE-2016-10197.patch"
+                "libevent-2.0-evbuffer-add-use-last-with-datap.patch"))))))
 
 (define-public libev
   (package
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 62b1971f02..8f13a38b5f 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -348,8 +348,8 @@ It has been modified to remove all non-free binary blobs.")
 
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
-(define %linux-libre-version "4.10.2")
-(define %linux-libre-hash "01kinnv40lqsk6fyz1k7hkx2diyg4mgp28bwraar5sii1gqmcw7k")
+(define %linux-libre-version "4.10.4")
+(define %linux-libre-hash "0cmz4y8pb3sdag32bsrn7vg1i8v9rymfspg85ipkbamm53c7v54g")
 
 (define-public linux-libre
   (make-linux-libre %linux-libre-version
@@ -358,14 +358,14 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.9
-  (make-linux-libre "4.9.14"
-                    "104715z772if18qi61jbyhvidfh6qnwkiy0m9aa8irxgzs1pk9mn"
+  (make-linux-libre "4.9.16"
+                    "0n7y7h7ps4l1pr9d0m75hkw41jnfyw301r343dsaznwc0lpq3ch7"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.53"
-                    "07sfg4i506f3hmd9k4iimnq1w3x0980qxnh649d1sldqxbmhdgjs"
+  (make-linux-libre "4.4.55"
+                    "1m4h3wi4j573hny1yfi9qwkiicx2bx3gwy52zpr8bhxpyqz0d2dl"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -2764,7 +2764,7 @@ and copy/paste text in the console and in xterm.")
 (define-public btrfs-progs
   (package
     (name "btrfs-progs")
-    (version "4.10")
+    (version "4.10.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/kernel/"
@@ -2772,7 +2772,7 @@ and copy/paste text in the console and in xterm.")
                                   "btrfs-progs-v" version ".tar.xz"))
               (sha256
                (base32
-                "1njw2nrm51380d8arvqfmspa3app9353yd7hiddas3gpkaiwrjs4"))))
+                "06hs20jwa15xybbmlalba8wvhv3slq1g0wrqrgyh7ll5y11bc5kc"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "static"))      ; static versions of binaries in "out" (~16MiB!)
@@ -2807,9 +2807,9 @@ and copy/paste text in the console and in xterm.")
                      ("which" ,which)))
     (home-page "https://btrfs.wiki.kernel.org/")
     (synopsis "Create and manage btrfs copy-on-write file systems")
-    (description "Btrfs is a copy-on-write (CoW) file system for Linux aimed at
-implementing advanced features while focusing on fault tolerance, repair and
-easy administration.")
+    (description "Btrfs is a @dfn{copy-on-write} (CoW) file system for Linux
+aimed at implementing advanced features while focusing on fault tolerance,
+repair and easy administration.")
     ;; GPL2+: crc32.c, radix-tree.c, raid6.c, rbtree.c.
     ;; GPL2: Everything else.
     (license (list license:gpl2 license:gpl2+))))
diff --git a/gnu/packages/machine-learning.scm b/gnu/packages/machine-learning.scm
index 7bad833b38..30f005a331 100644
--- a/gnu/packages/machine-learning.scm
+++ b/gnu/packages/machine-learning.scm
@@ -26,6 +26,7 @@
   #:use-module (guix svn-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system ocaml)
   #:use-module (guix build-system r)
   #:use-module (gnu packages)
   #:use-module (gnu packages autotools)
@@ -35,6 +36,7 @@
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages image)
   #:use-module (gnu packages maths)
+  #:use-module (gnu packages ocaml)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
@@ -239,6 +241,39 @@ networks) based on simulation of (stochastic) flow in graphs.")
     ;; http://listserver.ebi.ac.uk/pipermail/mcl-users/2016/000376.html
     (license license:gpl3)))
 
+(define-public ocaml-mcl
+  (package
+    (name "ocaml-mcl")
+    (version "12-068oasis4")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/fhcrc/mcl/archive/"
+             version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "1l5jbhwjpsj38x8b9698hfpkv75h8hn3kj0gihjhn8ym2cwwv110"))))
+    (build-system ocaml-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'patch-paths
+           (lambda _
+             (substitute* "configure"
+               (("SHELL = /bin/sh") (string-append "SHELL = "(which "sh"))))
+             (substitute* "setup.ml"
+               (("LDFLAGS=-fPIC")
+                (string-append "LDFLAGS=-fPIC\"; \"SHELL=" (which "sh"))))
+             #t)))))
+    (home-page "https://github.com/fhcrc/mcl")
+    (synopsis "OCaml wrappers around MCL")
+    (description
+     "This package provides OCaml bindings for the MCL graph clustering
+algorithm.")
+    (license license:gpl3)))
+
 (define-public randomjungle
   (package
     (name "randomjungle")
@@ -402,7 +437,7 @@ sample proximities between pairs of cases.")
     (inputs
      `(("python" ,python)
        ("numpy" ,python-numpy)
-       ("r" ,r)
+       ("r-minimal" ,r-minimal)
        ("octave" ,octave)
        ("swig" ,swig)
        ("hdf5" ,hdf5)
@@ -460,25 +495,6 @@ adaptive sparsity and the Wong algorithm for adaptively sparse gaussian
 geometric models.")
     (license license:lgpl3+)))
 
-(define-public r-nnet
-  (package
-    (name "r-nnet")
-    (version "7.3-12")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (cran-uri "nnet" version))
-       (sha256
-        (base32
-         "17amqnw9dpap2w8ivx53hxha2xrm0drwfnj32li0xk41hlz548r7"))))
-    (build-system r-build-system)
-    (home-page "http://www.stats.ox.ac.uk/pub/MASS4/")
-    (synopsis "Feed-forward neural networks and multinomial log-linear models")
-    (description
-     "This package provides functions for feed-forward neural networks with a
-single hidden layer, and for multinomial log-linear models.")
-    (license (list license:gpl2+ license:gpl3+))))
-
 (define-public r-kernlab
   (package
     (name "r-kernlab")
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 03567ba083..ed13556cb4 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
-;;; Copyright © 2014, 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2014, 2016, 2017 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2014, 2015, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2014 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2014 Mathieu Lirzin <mathieu.lirzin@openmailbox.org>
@@ -17,6 +17,7 @@
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Paul Garlick <pgarlick@tourbillion-technology.com>
 ;;; Copyright © 2017 ng0 <contact.ng0@cryptolab.net>
+;;; Copyright © 2017 Ben Woodcroft <donttrustben@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -44,6 +45,7 @@
   #:use-module (guix build utils)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system ocaml)
   #:use-module (guix build-system r)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages bison)
@@ -77,6 +79,7 @@
   #:use-module (gnu packages mpi)
   #:use-module (gnu packages multiprecision)
   #:use-module (gnu packages netpbm)
+  #:use-module (gnu packages ocaml)
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages popt)
   #:use-module (gnu packages perl)
@@ -277,6 +280,30 @@ differential equations, linear algebra, Fast Fourier Transforms and random
 numbers.")
     (license license:gpl3+)))
 
+(define-public ocaml-gsl
+  (package
+    (name "ocaml-gsl")
+    (version "1.19.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append
+         "https://github.com/mmottl/gsl-ocaml/releases/download/v"
+         version"/gsl-ocaml-" version ".tar.gz"))
+       (sha256
+        (base32
+         "0nzp43hp8pbjqkrxnwp5lgjrabxayf61h18fjaydi0s5faq6f3xh"))))
+    (build-system ocaml-build-system)
+    (inputs
+     `(("gsl" ,gsl)))
+    (home-page "https://mmottl.github.io/gsl-ocaml")
+    (synopsis "Bindings to the GNU Scientific Library")
+    (description
+     "GSL-OCaml is an interface to the @dfn{GNU scientific library} (GSL) for
+the OCaml language.")
+    (license license:gpl3+)))
+
 (define-public glpk
   (package
     (name "glpk")
@@ -734,6 +761,34 @@ Swath).")
 HDF5 file is encoded according to the HDF File Format Specification.")
     (license (license:x11-style "file://COPYING"))))
 
+(define-public itpp
+  (package
+    (name "itpp")
+    (version "4.3.1")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://sourceforge/itpp/itpp/"
+                                  version "/itpp-"
+                                  version ".tar.gz"))
+       (sha256
+        (base32
+         "14ddy2xnb6sgp4hiax9v5sv4pr4l4dd4ps76nfha3nrpr1ikhcqm"))))
+    (build-system cmake-build-system)
+    (arguments `(#:tests? #f)) ; Tests require googletest *sources*
+    (inputs `(("lapack" ,lapack)
+              ("fftw" ,fftw)))
+    (native-inputs `(("texlive-minimal" ,texlive-minimal)
+                     ("doxygen" ,doxygen)))
+    (home-page "http://itpp.sourceforge.net")
+    (synopsis "C++ library of maths, signal processing and communication classes")
+    (description "IT++ is a C++ library of mathematical, signal processing and
+communication classes and functions.  Its main use is in simulation of
+communication systems and for performing research in the area of
+communications.  The kernel of the library consists of generic vector and
+matrix classes, and a set of accompanying routines.  Such a kernel makes IT++
+similar to MATLAB, GNU Octave or SciPy.")
+    (license license:gpl3+)))
+
 (define-public netcdf
   (package
     (name "netcdf")
@@ -1083,6 +1138,30 @@ modules is done either interactively using the graphical user interface or in
 ASCII text files using Gmsh's own scripting language.")
     (license license:gpl2+)))
 
+(define-public maxflow
+  (package
+    (name "maxflow")
+    (version "3.04")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/gerddie/maxflow.git")
+                    (commit "42401fa54823d16b9da47716f04e5d9ef1605875")))
+              (file-name (string-append name "-" version "-checkout"))
+              (sha256
+               (base32
+                "0rll38whw55h0vcjrrwdnh9ascvxby0ph7n1l0d12z17cg215kkb"))))
+    (build-system cmake-build-system)
+    (home-page "http://pub.ist.ac.at/~vnk/software.html")
+    (synopsis "Library implementing Maxflow algorithm")
+    (description "An implementation of the maxflow algorithm described in
+@cite{An Experimental Comparison of Min-Cut/Max-Flow Algorithms for
+Energy Minimization in Computer Vision.\n
+Yuri Boykov and Vladimir Kolmogorov.\n
+In IEEE Transactions on Pattern Analysis and Machine Intelligence,\n
+September 2004}")
+    (license license:gpl3+)))
+
 (define-public petsc
   (package
     (name "petsc")
diff --git a/gnu/packages/ninja.scm b/gnu/packages/ninja.scm
index 8f18eb3560..2a53a3f5b3 100644
--- a/gnu/packages/ninja.scm
+++ b/gnu/packages/ninja.scm
@@ -29,7 +29,7 @@
 (define-public ninja
   (package
     (name "ninja")
-    (version "1.7.1")
+    (version "1.7.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/martine/ninja/"
@@ -37,9 +37,8 @@
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "06dy2dc1aafm61ynw9gzig88la3km9dsh53bxf4mnw7l7kjisn2i"))
-              (patches (search-patches "ninja-zero-mtime.patch"
-                                       "ninja-tests.patch"))))
+                "1n8n3g26ppwh7zwrc37n3alkbpbj0wki34ih53s3rkhs8ajs1p9f"))
+              (patches (search-patches "ninja-zero-mtime.patch"))))
     (build-system gnu-build-system)
     (native-inputs `(("python" ,python-2)))
     (arguments
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index ebc5caf254..2f22226b78 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -29,6 +29,7 @@
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
+  #:use-module (gnu packages databases)
   #:use-module (gnu packages emacs)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages ghostscript)
@@ -971,14 +972,14 @@ GNU CC attributes.  It provides also a C pretty printer as an example of use.")
 (define-public ocaml-qtest
   (package
     (name "ocaml-qtest")
-    (version "2.3")
+    (version "2.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/vincent-hugot/iTeML/"
                                   "archive/v" version ".tar.gz"))
               (sha256
                (base32
-                "1n7x5l6h4j44f75wzgzjsjkq349i4gj707w1hr7fx84igxxfr6vl"))))
+                "1hw3jqir7w79payy4knc38fa3nxcvl7ap6y6hnqavrhpi8zqb59j"))))
     (build-system ocaml-build-system)
     (native-inputs
      `(("findlib" ,ocaml-findlib)))
@@ -1213,6 +1214,59 @@ to operate on the result type available from OCaml 4.03 in the standard
 library.")
     (license license:isc)))
 
+(define-public ocaml-sqlite3
+  (package
+    (name "ocaml-sqlite3")
+    (version "4.1.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/mmottl/sqlite3-ocaml/releases/download/v"
+             version "/sqlite3-ocaml-" version ".tar.gz"))
+       (sha256
+        (base32
+         "14c1nir7c6bivajg0vyx853y7la7r5d25g1v5hjb2wfi73r15p1m"))))
+    (build-system ocaml-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("sqlite" ,sqlite)))
+    (home-page "https://mmottl.github.io/sqlite3-ocaml")
+    (synopsis "SQLite3 Bindings for OCaml")
+    (description
+     "SQLite3-OCaml is an OCaml library with bindings to the SQLite3 client
+API.  Sqlite3 is a self-contained, serverless, zero-configuration,
+transactional SQL database engine with outstanding performance for many use
+cases.  These bindings are written in a way that enables a friendly
+coexistence with the old (version 2) SQLite and its OCaml wrapper
+@code{ocaml-sqlite}.")
+    (license license:expat)))
+
+(define-public ocaml-csv
+  (package
+    (name "ocaml-csv")
+    (version "1.6")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append
+         "http://github.com/Chris00/ocaml-csv/releases/download/"
+         version "/csv-" version ".tar.gz"))
+       (sha256
+        (base32
+         "0rv7x843vn6scxj87hzl01yqrl26rc27lr8s7z6rp9vs745g05zj"))))
+    (build-system ocaml-build-system)
+    (home-page "https://github.com/Chris00/ocaml-csv")
+    (synopsis "Pure OCaml functions to read and write CSV")
+    (description
+     "@dfn{Comma separated values} (CSV) is a simple tabular format supported
+by all major spreadsheets.  This library implements pure OCaml functions to
+read and write files in this format as well as some convenience functions to
+manipulate such data.")
+    (license (package-license camlp4))))
+
 (define-public ocaml-mtime
   (package
     (name "ocaml-mtime")
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 685636e8ba..f675e22ad9 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -147,14 +147,9 @@
                                      ssh "/share/guile/site/2.0:"
                                      gnutls "/share/guile/site/2.0")))
 
-                       ;; Ignore user settings so that a bogus
-                       ;; GUILE_LOAD_COMPILED_PATH does not prevent use of
-                       ;; 'guix', notably when it contains entries pointing to
-                       ;; incompatible .go files as reported at
-                       ;; <https://lists.gnu.org/archive/html/guix-devel/2016-03/msg01261.html>.
                        (wrap-program (string-append out "/bin/guix")
                          `("GUILE_LOAD_PATH" ":" prefix (,path))
-                         `("GUILE_LOAD_COMPILED_PATH" ":" = (,path)))
+                         `("GUILE_LOAD_COMPILED_PATH" ":" prefix (,path)))
 
                        #t))))))
     (native-inputs `(("pkg-config" ,pkg-config)
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 811173cae4..3f125a0119 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2016 Lukas Gradl <lgradl@openmailbox.org>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -291,7 +292,8 @@ any X11 window.")
                               name "-" version ".tar.xz"))
               (sha256
                (base32
-                "002mw7j0m33bw483rllzhcf41wp3ixka8yma6kqrfaj57jyw66hn"))))
+                "002mw7j0m33bw483rllzhcf41wp3ixka8yma6kqrfaj57jyw66hn"))
+              (patches (search-patches "password-store-gnupg-compat.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
diff --git a/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch
new file mode 100644
index 0000000000..0253700bf6
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch
@@ -0,0 +1,38 @@
+From a8769ef12d7e223e33fc47bed03fba2bfa2f3536 Mon Sep 17 00:00:00 2001
+From: Marcus Sundberg <marcus@marcussundberg.com>
+Date: Sat, 26 Mar 2016 20:11:43 +0100
+Subject: [PATCH] evbuffer_add: Use last_with_datap if set, not last.
+
+evbuffer_add() would always put data in the last chain, even if there
+was available space in a previous chain, and in doing so it also
+failed to update last_with_datap, causing subsequent calls to other
+functions that do look at last_with_datap to add data in the middle
+of the evbuffer instead of at the end.
+
+Fixes the evbuffer_add() part of issue #335, and the evbuffer/add2 and
+evbuffer/add3 tests, and also prevents wasting space available in the
+chain pointed to by last_with_datap.
+---
+ buffer.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/buffer.c b/buffer.c
+index 7cca0e8a..f378b731 100644
+--- a/buffer.c
++++ b/buffer.c
+@@ -1732,7 +1732,11 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen)
+ 		goto done;
+ 	}
+ 
+-	chain = buf->last;
++	if (*buf->last_with_datap == NULL) {
++		chain = buf->last;
++	} else {
++		chain = *buf->last_with_datap;
++	}
+ 
+ 	/* If there are no chains allocated for this buffer, allocate one
+ 	 * big enough to hold all the data. */
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/libwebp-CVE-2016-9085.patch b/gnu/packages/patches/libwebp-CVE-2016-9085.patch
deleted file mode 100644
index e40b353303..0000000000
--- a/gnu/packages/patches/libwebp-CVE-2016-9085.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-Fix CVE-2016-9085 (several integer overflows):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9085
-http://seclists.org/oss-sec/2016/q4/253
-
-Patch copied from upstream source repository:
-
-https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
-
-From e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 Mon Sep 17 00:00:00 2001
-From: Pascal Massimino <pascal.massimino@gmail.com>
-Date: Mon, 10 Oct 2016 11:48:39 +0200
-Subject: [PATCH] fix potential overflow when width * height * 4 >= (1<<32)
-
-Mostly: avoid doing calculation like: ptr + j * stride
-when stride is 'int'. Rather use size_t, or pointer increments (ptr += stride)
-when possible.
-
-BUG=webp:314
-
-Change-Id: I81c684b515dd1ec4f601f32d50a6e821c4e46e20
----
- examples/gifdec.c | 56 +++++++++++++++++++++++++++++++------------------------
- 1 file changed, 32 insertions(+), 24 deletions(-)
-
-diff --git a/examples/gifdec.c b/examples/gifdec.c
-index 83c3d82..7df176f 100644
---- a/examples/gifdec.c
-+++ b/examples/gifdec.c
-@@ -20,6 +20,7 @@
- 
- #include "webp/encode.h"
- #include "webp/mux_types.h"
-+#include "webp/format_constants.h"
- 
- #define GIF_TRANSPARENT_COLOR 0x00000000
- #define GIF_WHITE_COLOR       0xffffffff
-@@ -103,12 +104,19 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
-   const GifImageDesc* const image_desc = &gif->Image;
-   uint32_t* dst = NULL;
-   uint8_t* tmp = NULL;
--  int ok = 0;
--  GIFFrameRect rect = {
-+  const GIFFrameRect rect = {
-       image_desc->Left, image_desc->Top, image_desc->Width, image_desc->Height
-   };
-+  const uint64_t memory_needed = 4 * rect.width * (uint64_t)rect.height;
-+  int ok = 0;
-   *gif_rect = rect;
- 
-+  if (memory_needed != (size_t)memory_needed ||
-+      memory_needed > 4 * MAX_IMAGE_AREA) {
-+    fprintf(stderr, "Image is too large (%d x %d).", rect.width, rect.height);
-+    return 0;
-+  }
-+
-   // Use a view for the sub-picture:
-   if (!WebPPictureView(picture, rect.x_offset, rect.y_offset,
-                        rect.width, rect.height, &sub_image)) {
-@@ -132,15 +140,15 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
-            y += interlace_jumps[pass]) {
-         if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
-         Remap(gif, tmp, rect.width, transparent_index,
--              dst + y * sub_image.argb_stride);
-+              dst + y * (size_t)sub_image.argb_stride);
-       }
-     }
-   } else {  // Non-interlaced image.
-     int y;
--    for (y = 0; y < rect.height; ++y) {
-+    uint32_t* ptr = dst;
-+    for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) {
-       if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
--      Remap(gif, tmp, rect.width, transparent_index,
--            dst + y * sub_image.argb_stride);
-+      Remap(gif, tmp, rect.width, transparent_index, ptr);
-     }
-   }
-   ok = 1;
-@@ -216,13 +224,11 @@ int GIFReadMetadata(GifFileType* const gif, GifByteType** const buf,
- 
- static void ClearRectangle(WebPPicture* const picture,
-                            int left, int top, int width, int height) {
--  int j;
--  for (j = top; j < top + height; ++j) {
--    uint32_t* const dst = picture->argb + j * picture->argb_stride;
--    int i;
--    for (i = left; i < left + width; ++i) {
--      dst[i] = GIF_TRANSPARENT_COLOR;
--    }
-+  int i, j;
-+  const size_t stride = picture->argb_stride;
-+  uint32_t* dst = picture->argb + top * stride + left;
-+  for (j = 0; j < height; ++j, dst += stride) {
-+    for (i = 0; i < width; ++i) dst[i] = GIF_TRANSPARENT_COLOR;
-   }
- }
- 
-@@ -246,29 +252,31 @@ void GIFDisposeFrame(GIFDisposeMethod dispose, const GIFFrameRect* const rect,
-   if (dispose == GIF_DISPOSE_BACKGROUND) {
-     GIFClearPic(curr_canvas, rect);
-   } else if (dispose == GIF_DISPOSE_RESTORE_PREVIOUS) {
--    const int src_stride = prev_canvas->argb_stride;
--    const uint32_t* const src =
--        prev_canvas->argb + rect->x_offset + rect->y_offset * src_stride;
--    const int dst_stride = curr_canvas->argb_stride;
--    uint32_t* const dst =
--        curr_canvas->argb + rect->x_offset + rect->y_offset * dst_stride;
-+    const size_t src_stride = prev_canvas->argb_stride;
-+    const uint32_t* const src = prev_canvas->argb + rect->x_offset
-+                              + rect->y_offset * src_stride;
-+    const size_t dst_stride = curr_canvas->argb_stride;
-+    uint32_t* const dst = curr_canvas->argb + rect->x_offset
-+                        + rect->y_offset * dst_stride;
-     assert(prev_canvas != NULL);
--    WebPCopyPlane((uint8_t*)src, 4 * src_stride, (uint8_t*)dst, 4 * dst_stride,
-+    WebPCopyPlane((uint8_t*)src, (int)(4 * src_stride),
-+                  (uint8_t*)dst, (int)(4 * dst_stride),
-                   4 * rect->width, rect->height);
-   }
- }
- 
- void GIFBlendFrames(const WebPPicture* const src,
-                     const GIFFrameRect* const rect, WebPPicture* const dst) {
--  int j;
-+  int i, j;
-+  const size_t src_stride = src->argb_stride;
-+  const size_t dst_stride = dst->argb_stride;
-   assert(src->width == dst->width && src->height == dst->height);
-   for (j = rect->y_offset; j < rect->y_offset + rect->height; ++j) {
--    int i;
-     for (i = rect->x_offset; i < rect->x_offset + rect->width; ++i) {
--      const uint32_t src_pixel = src->argb[j * src->argb_stride + i];
-+      const uint32_t src_pixel = src->argb[j * src_stride + i];
-       const int src_alpha = src_pixel >> 24;
-       if (src_alpha != 0) {
--        dst->argb[j * dst->argb_stride + i] = src_pixel;
-+        dst->argb[j * dst_stride + i] = src_pixel;
-       }
-     }
-   }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/ninja-tests.patch b/gnu/packages/patches/ninja-tests.patch
deleted file mode 100644
index f9b0d9f910..0000000000
--- a/gnu/packages/patches/ninja-tests.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 67d6b9262efad99f8aad63ab81efc8e689748766 Mon Sep 17 00:00:00 2001
-From: Efraim Flashner <efraim@flashner.co.il>
-Date: Sun, 3 Jul 2016 11:55:43 +0300
-Subject: [PATCH] patch
-
----
- src/subprocess_test.cc | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/subprocess_test.cc b/src/subprocess_test.cc
-index ee16190..a537c11 100644
---- a/src/subprocess_test.cc
-+++ b/src/subprocess_test.cc
-@@ -72,6 +72,7 @@ TEST_F(SubprocessTest, NoSuchCommand) {
- 
- #ifndef _WIN32
- 
-+#if 0
- TEST_F(SubprocessTest, InterruptChild) {
-   Subprocess* subproc = subprocs_.Add("kill -INT $$");
-   ASSERT_NE((Subprocess *) 0, subproc);
-@@ -82,6 +83,7 @@ TEST_F(SubprocessTest, InterruptChild) {
- 
-   EXPECT_EQ(ExitInterrupted, subproc->Finish());
- }
-+#endif
- 
- TEST_F(SubprocessTest, InterruptParent) {
-   Subprocess* subproc = subprocs_.Add("kill -INT $PPID ; sleep 1");
-@@ -217,6 +219,7 @@ TEST_F(SubprocessTest, SetWithMulti) {
- // OS X's process limit is less than 1025 by default
- // (|sysctl kern.maxprocperuid| is 709 on 10.7 and 10.8 and less prior to that).
- #if !defined(__APPLE__) && !defined(_WIN32)
-+#if 0
- TEST_F(SubprocessTest, SetWithLots) {
-   // Arbitrary big number; needs to be over 1024 to confirm we're no longer
-   // hostage to pselect.
-@@ -245,6 +248,7 @@ TEST_F(SubprocessTest, SetWithLots) {
-   }
-   ASSERT_EQ(kNumProcs, subprocs_.finished_.size());
- }
-+#endif
- #endif  // !__APPLE__ && !_WIN32
- 
- // TODO: this test could work on Windows, just not sure how to simply
--- 
-2.9.0
-
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
new file mode 100644
index 0000000000..c314ba6647
--- /dev/null
+++ b/gnu/packages/patches/password-store-gnupg-compat.patch
@@ -0,0 +1,53 @@
+Copied from upstream mailing list:
+https://lists.zx2c4.com/pipermail/password-store/2017-March/002844.html.
+
+The patch actually restores compatibility with GnuPG 2.1.19, the '2.2.19' in
+the commit message is a typo.
+
+From 8723d8e8192683891904aff321446b0fac37d1ad Mon Sep 17 00:00:00 2001
+From: Andreas Stieger <astieger@suse.com>
+Date: Fri, 10 Mar 2017 15:43:26 +0100
+Subject: [PATCH] Fix compatibility with GnuPG 2.2.19
+
+GnuPG 2.2.19 added a warning when no command was given.
+
+* src/password-store.sh (reencrypt_path): Add --decrypt to --list-only
+* tests/t0300-reencryption.sh (gpg_keys_from_encrypted_file): same
+
+https://bugs.gnupg.org/gnupg/msg9873
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=810adfd47801fc01e45fb71af9f05c91f7890cdb
+https://bugzilla.suse.com/show_bug.cgi?id=1028867
+---
+ src/password-store.sh       | 2 +-
+ tests/t0300-reencryption.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/password-store.sh b/src/password-store.sh
+index 1ab6fb5..bad8d4f 100755
+--- a/src/password-store.sh
++++ b/src/password-store.sh
+@@ -125,7 +125,7 @@ reencrypt_path() {
+ 			done
+ 			gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ 		fi
+-		current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)"
++		current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)"
+ 
+ 		if [[ $gpg_keys != "$current_keys" ]]; then
+ 			echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
+diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
+index 9d46580..6d5811d 100755
+--- a/tests/t0300-reencryption.sh
++++ b/tests/t0300-reencryption.sh
+@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
+ 	$GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
+ }
+ gpg_keys_from_encrypted_file() {
+-	$GPG -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
++	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
+ }
+ gpg_keys_from_group() {
+ 	local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch
new file mode 100644
index 0000000000..d3111827b7
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-2620.patch
@@ -0,0 +1,134 @@
+Fix CVE-2017-2620:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620
+https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
+
+Both patches copied from upstream source repository:
+
+Fixes CVE-2017-2620:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298
+
+The CVE-2017-2620 bug-fix depends on this earlier patch:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061
+
+From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 8 Feb 2017 11:18:36 +0100
+Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+ (CVE-2017-2620)
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 1deb52070a..b9e7cb1df1 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ 	}
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);
+-- 
+2.12.0
+
+From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Mon, 9 Jan 2017 13:35:20 -0700
+Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index bdb092ee9d..379910db2d 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     (*s->cirrus_rop) (s, dst, src,
+@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+ 
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch
new file mode 100644
index 0000000000..b154d171f1
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-2630.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-2630:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630
+https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85
+
+From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Tue, 7 Mar 2017 09:16:27 -0600
+Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Comparison symbol is misused. It may lead to memory corruption.
+Introduced in commit 7d3123e.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
+[eblake: add CVE details, update conditional]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20170307151627.27212-1-eblake@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ nbd/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nbd/client.c b/nbd/client.c
+index 5c9dee37fa..3dc2564cd0 100644
+--- a/nbd/client.c
++++ b/nbd/client.c
+@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
+     char small[1024];
+     char *buffer;
+ 
+-    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
++    buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size));
+     while (size > 0) {
+         ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
+ 
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
new file mode 100644
index 0000000000..bd3bf106bf
--- /dev/null
+++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
@@ -0,0 +1,54 @@
+Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920
+
+From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 28 Feb 2017 14:52:09 +1000
+Subject: renderer: fix memory leak in vertex elements state create
+
+Reported-by: Li Qiang
+Free the vertex array in error path.
+This was introduced by this commit:
+renderer: fix heap overflow in vertex elements state create.
+
+I rewrote the code to not require the allocation in the first
+place if we have an error, seems nicer.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 1bca7ad..e5d9f5c 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
+                                        unsigned num_elements,
+                                        const struct pipe_vertex_element *elements)
+ {
+-   struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);
++   struct vrend_vertex_element_array *v;
+    const struct util_format_description *desc;
+    GLenum type;
+    int i;
+    uint32_t ret_handle;
+ 
+-   if (!v)
+-      return ENOMEM;
+-
+    if (num_elements > PIPE_MAX_ATTRIBS)
+       return EINVAL;
+ 
++   v = CALLOC_STRUCT(vrend_vertex_element_array);
++   if (!v)
++      return ENOMEM;
++
+    v->count = num_elements;
+    for (i = 0; i < num_elements; i++) {
+       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
+-- 
+cgit v0.10.2
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index ef63f58f64..7f3dccc8ba 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -12,6 +12,7 @@
 ;;; Copyright © 2016 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,6 +46,7 @@
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages game-development)
   #:use-module (gnu packages ghostscript)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages djvu)
   #:use-module (gnu packages gettext)
@@ -875,3 +877,31 @@ This is much like @command{poster} does for Postscript files, but working with
 PDF.  Since sometimes @command{poster} does not like your files converted from
 PDF.  Indeed @command{pdfposter} was inspired by @command{poster}.")
     (license license:gpl3+)))
+
+(define-public pdfgrep
+  (package
+    (name "pdfgrep")
+    (version "2.0.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://pdfgrep.org/download/"
+                           name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "07llkrkcfjwd3ybai9ad10ybhr0biffcplmy7lw4fb87nd2dfw03"))))
+    (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libgcrypt" ,libgcrypt)
+       ("pcre" ,pcre)
+       ("poppler" ,poppler)))
+    (home-page "https://pdfgrep.org")
+    (synopsis "Command-line utility to search text in PDF files")
+    (description
+     "Pdfgrep searches in pdf files for strings matching a regular expression.
+Support some GNU grep options as file name output, page number output,
+optional case insensitivity, count occurrences, color highlights and search in
+multiple files.")
+    (license license:gpl2+)))
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 00598776ab..96c4245384 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -4075,7 +4075,8 @@ operators such as union, intersection, and difference.")
      `(("readline" ,readline)
        ("icu4c" ,icu4c)
        ("pcre" ,pcre)
-       ("r" ,r)))
+       ("r-minimal" ,r-minimal)
+       ("r-survival" ,r-survival)))
     (native-inputs
      `(("zlib" ,zlib)))
     (home-page "http://rpy.sourceforge.net/")
@@ -5860,13 +5861,13 @@ of the structure, dynamics, and functions of complex networks.")
 (define-public snakemake
   (package
     (name "snakemake")
-    (version "3.9.0")
+    (version "3.11.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "snakemake" version))
        (sha256
-        (base32 "1d48ql0010v9ls6mac7fz6j391gm4h74a64hqgw89s0vfqgdyzdl"))))
+        (base32 "0qcp7y9csvanyzh08jppryhd5di8r1z7p0d4wkfg5591pj3bb8zp"))))
     (build-system python-build-system)
     (arguments
      ;; TODO: Package missing test dependencies.
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index d43593957e..aa12b2c493 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -79,6 +79,8 @@
                "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
              (patches (search-patches "qemu-CVE-2016-10155.patch"
                                       "qemu-CVE-2017-2615.patch"
+                                      "qemu-CVE-2017-2620.patch"
+                                      "qemu-CVE-2017-2630.patch"
                                       "qemu-CVE-2017-5525.patch"
                                       "qemu-CVE-2017-5526.patch"
                                       "qemu-CVE-2017-5552.patch"
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index fb284102da..2dedef8373 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -44,7 +44,7 @@
   #:use-module (srfi srfi-26))
 
 ;; Should be one less than the current released version.
-(define %rust-bootstrap-binaries-version "1.13.0")
+(define %rust-bootstrap-binaries-version "1.14.0")
 
 (define %rust-bootstrap-binaries
   (origin
@@ -55,7 +55,7 @@
           "-i686-unknown-linux-gnu.tar.gz"))
     (sha256
      (base32
-      "0fcl7xgm2m21sjv1f27i3v692aa91lk8r867hl8d6l377w8k95r3"))))
+      "0h384prpabcl08mxs1bilyb0dbk0knpdylcnz4b84ij4idr7ap4d"))))
 
 (define (increment-rust-version rust-version major patch)
   (match (string-split rust-version #\.)
@@ -205,7 +205,7 @@ rustc-bootstrap and cargo-bootstrap packages.")
                     "rustc-" version "-src.tar.gz"))
               (sha256
                (base32
-                "0srvmhhdbbcl21nzg9m9zni7k10h88lsy8k1ljz03g8mx79fv467"))))
+                "0wvn8m1nfg664b95qrdpfh72q1a6ir09rqkrnlzbkay2r7xf8mgn"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("cmake" ,cmake)
@@ -234,10 +234,13 @@ rustc-bootstrap and cargo-bootstrap packages.")
            (lambda _
              (setenv "SHELL" (which "sh"))
              (setenv "CONFIG_SHELL" (which "sh"))))
-         (add-after 'unpack 'patch-lockfile-test
-           (lambda _
+         (add-after 'unpack 'patch-tests
+           (lambda* (#:key inputs #:allow-other-keys)
              (substitute* "src/tools/tidy/src/main.rs"
-               (("^.*cargo.*::check.*$") ""))))
+               (("^.*cargo.*::check.*$") ""))
+             (substitute* "src/libstd/process.rs"
+               (("\"/bin/sh\"") (string-append "\"" (assoc-ref inputs "bash") "/bin/sh\"")))
+             #t))
          (replace 'configure
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
@@ -260,7 +263,7 @@ rustc-bootstrap and cargo-bootstrap packages.")
                             "--release-channel=stable"
                             "--enable-rpath"
                             "--enable-local-rust"
-                            ;;"--enable-rustbuild"
+                            "--disable-rustbuild" ; use Makefiles
                             "--disable-manage-submodules")))
                ;; Rust uses a custom configure script (no autoconf).
                (zero? (apply system* "./configure" flags)))))
@@ -288,15 +291,12 @@ safety and thread safety guarantees.")
     (version (cargo-version (rustc-version %rust-bootstrap-binaries-version)))
     (source (origin
               (method url-fetch)
-              ;; Use a cargo tarball with vendored dependencies and a cargo
-              ;; config file.
-              (uri (string-append
-                    "https://github.com/dvc94ch/cargo"
-                    "/archive/" version "-cargo-vendor.tar.gz"))
+              (uri (string-append "https://github.com/rust-lang/cargo/archive/"
+                                  version ".tar.gz"))
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "0hpix5hwz10pm1wh65gimhsy9nxjvy7yikgbpw8afwglqr3bl856"))))
+                "194i06y9nql0p93gahh0vm4qwv6c1kpd9rprpf22w5gav9lpcyjz"))))
     (build-system cargo-build-system)
     (propagated-inputs
      `(("cmake" ,cmake)
@@ -308,6 +308,483 @@ safety and thread safety guarantees.")
        ("openssl" ,openssl)
        ("python-2" ,python-2)
        ("zlib" ,zlib)))
+    (native-inputs
+     `(("rust-openssl"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "openssl" "0.9.1"))
+           (sha256
+            (base32
+             "1m2mhiar87qnw4gxci286q9g85ljafbc41salbj2hmcgh8aagchy"))))
+       ("rust-strsim"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "strsim" "0.5.1"))
+           (sha256
+            (base32
+             "0bj4fsm1l2yqbfpspyvjf9m3m50pskapcddzm0ji9c74jbgnkh2h"))))
+       ("rust-libc"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "libc" "0.2.18"))
+           (sha256
+            (base32
+             "0w5cghr0wx3hi2sclk8r9iyzlbxsakil87ada40q2ykyhky24655"))))
+       ("rust-bitflags"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "bitflags" "0.7.0"))
+           (sha256
+            (base32
+             "0v8hh6wdkpk9my8z8442g4hqrqf05h0qj53dsay6mv18lqvqklda"))))
+       ("rust-unicode-normalization"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "unicode-normalization" "0.1.2"))
+           (sha256
+            (base32
+             "0whi4xxqcjfsz6ywyrfd5lhgk1a44c86qwgvfqcmzidshcpklr16"))))
+       ("rust-rand"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "rand" "0.3.14"))
+           (sha256
+            (base32
+             "1984zvj8572ig28fz6idc4r96fx39h4lzmr07yf7kb7gdn6di497"))))
+       ("rust-gcc"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "gcc" "0.3.39"))
+           (sha256
+            (base32
+             "1q0idjvmhp6shkb9hqabh51rgfr8dqpi1xfmyzq7q8vgzybll7kp"))))
+       ("rust-tempdir"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "tempdir" "0.3.5"))
+           (sha256
+            (base32
+             "1mij45kgzflkja0h8q9avrik76h5a0b60m9hfd6k9yqxbiplm5w7"))))
+       ("rust-memchr"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "memchr" "0.1.11"))
+           (sha256
+            (base32
+             "084d85hjfa3xf5kwdms2mhbkh78m1gl2254cp5swcxj3a7xjkdnq"))))
+       ("rust-rustc-serialize"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "rustc-serialize" "0.3.21"))
+           (sha256
+            (base32
+             "064qmyr2508qf78dwcpiv25rfjp9h9vd0wrj4mmwgppjg4fgrydz"))))
+       ("rust-cmake"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "cmake" "0.1.19"))
+           (sha256
+            (base32
+             "0am8c8ns1h6b1a5x9z2r1m3rszvya5nccl2pzszzjv5aiiaydgcf"))))
+       ("rust-matches"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "matches" "0.1.4"))
+           (sha256
+            (base32
+             "1c8190j84hbicy8jwscw5icfam12j6lcxi02lvmadq9260p65mzg"))))
+       ("rust-winapi"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "winapi" "0.2.8"))
+           (sha256
+            (base32
+             "0yh816lh6lf56dpsgxy189c2ai1z3j8mw9si6izqb6wsjkbcjz8n"))))
+       ("rust-pkg-config"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "pkg-config" "0.3.8"))
+           (sha256
+            (base32
+             "1ypj4nj2z9z27qg06v3g40jyhw685i3l2wi098d21bvyri781vlc"))))
+       ("rust-libssh2-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "libssh2-sys" "0.2.4"))
+           (sha256
+            (base32
+             "1pmmh0hcx14856wg9bp740yf618qfl2765vhf67sfs5lmf39227d"))))
+       ("rust-libz-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "libz-sys" "1.0.10"))
+           (sha256
+            (base32
+             "1rl85x045sk5d345hgcahx99plpbdg2a3bx5vjfxig30qah74p4h"))))
+       ("rust-curl-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "curl-sys" "0.3.6"))
+           (sha256
+            (base32
+             "0fi8kjz3f8m8vfazycs3ddm0h6j3x78hw78gwbvybx71129192i1"))))
+       ("rust-openssl-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "openssl-sys" "0.9.1"))
+           (sha256
+            (base32
+             "1sdhgalfm2zdqf144xhdnxdha7ifjgsfbmlrqbx0j9f3mh4gpscm"))))
+       ("rust-fs2"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "fs2" "0.3.0"))
+           (sha256
+            (base32
+             "0lg57mgcm1r0m8jm4nqpcrl6lmxg8lj854k2h0r7qp46pphh2034"))))
+       ("rust-log"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "log" "0.3.6"))
+           (sha256
+            (base32
+             "0m40hgs3cg57dd5kk1mabfk6gk8z6l1cihar8akx4kmzz1xlk0xb"))))
+       ("rust-filetime"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "filetime" "0.1.10"))
+           (sha256
+            (base32
+             "08p9scgv30i1141cnp5xi4pqlnkfci455nrpca55df1r867anqsk"))))
+       ("rust-tar"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "tar" "0.4.9"))
+           (sha256
+            (base32
+             "1vi3nl8s3jjf5l20ni47gmh1p4bdjfh7q50fbg7izzqrf7i4i40c"))))
+       ("rust-glob"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "glob" "0.2.11"))
+           (sha256
+            (base32
+             "1ysvi72slkw784fcsymgj4308c3y03gwjjzqxp80xdjnkbh8vqcb"))))
+       ("rust-cfg-if"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "cfg-if" "0.1.0"))
+           (sha256
+            (base32
+             "137qikjcal4h75frzcn6mknygqk8vy5bva7w851aydb5gc6pc7ny"))))
+       ("rust-winapi-build"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "winapi-build" "0.1.1"))
+           (sha256
+            (base32
+             "1g4rqsgjky0a7530qajn2bbfcrl2v0zb39idgdws9b1l7gp5wc9d"))))
+       ("rust-advapi32-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "advapi32-sys" "0.2.0"))
+           (sha256
+            (base32
+             "16largvlrd1800vvdchml0ngnszjlnpqm01rcz5hm7di1h48hrg0"))))
+       ("rust-gdi32-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "gdi32-sys" "0.2.0"))
+           (sha256
+            (base32
+             "0605d4ngjsspghwjv4jicajich1gnl0aik9f880ajjzjixd524h9"))))
+       ("rust-ws2_32-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "ws2_32-sys" "0.2.1"))
+           (sha256
+            (base32
+             "0ppscg5qfqaw0gzwv2a4nhn5bn01ff9iwn6ysqnzm4n8s3myz76m"))))
+       ("rust-user32-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "user32-sys" "0.2.0"))
+           (sha256
+            (base32
+             "0ivxc7hmsxax9crdhxdd1nqwik4s9lhb2x59lc8b88bv20fp3x2f"))))
+       ("rust-unicode-bidi"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "unicode-bidi" "0.2.3"))
+           (sha256
+            (base32
+             "0gqbyf6slkgzr14nf6v8dw8a19l5snh6bpms8bpfvzpxdawwxxy1"))))
+       ("rust-net2"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "net2" "0.2.26"))
+           (sha256
+            (base32
+             "1qp3q6xynb481rsp3ig1nmqb6qlxfba3shfrmqij88cppsv9rpsy"))))
+       ("rust-utf8-ranges"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "utf8-ranges" "0.1.3"))
+           (sha256
+            (base32
+             "03xf604b2v51ag3jgzw92l97xnb10kw9zv948bhc7ja1ik017jm1"))))
+       ("rust-crossbeam"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "crossbeam" "0.2.10"))
+           (sha256
+            (base32
+             "15wga0kvk3iqf3l077957j931brf1pl3p74xibd698jccqas4phc"))))
+       ("rust-toml"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "toml" "0.2.1"))
+           (sha256
+            (base32
+             "1d1cz43bxrx4fd6j2p6myckf81f72bp47akg36y3flxjkhj60svk"))))
+       ("rust-aho-corasick"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "aho-corasick" "0.5.3"))
+           (sha256
+            (base32
+             "0rnvdmlajikq0i4zdy1p3pv699q6apvsxfc7av7byhppllp2r5ya"))))
+       ("rust-psapi-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "psapi-sys" "0.1.0"))
+           (sha256
+            (base32
+             "0y14g8qshsfnmb7nk2gs1rpbrs1wrggajmzp4yby4q6k0wd5vkdb"))))
+       ("rust-idna"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "idna" "0.1.0"))
+           (sha256
+            (base32
+             "049c2rmlydrrrgrxdaq2v21adx9vkfh6k9x4xj56ckyf01p26lqh"))))
+       ("rust-url"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "url" "1.2.3"))
+           (sha256
+            (base32
+             "1myr1i8djbl2bhvvrm6n3h7bj7sl6kh5dmaaz2f7c6x8hyyzgk28"))))
+       ("rust-regex-syntax"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "regex-syntax" "0.3.9"))
+           (sha256
+            (base32
+             "0ms9hgdhhsxw9w920i7gipydvagf100bb56jbs192rz86ln01v7r"))))
+       ("rust-kernel32-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "kernel32-sys" "0.2.2"))
+           (sha256
+            (base32
+             "1389av0601a9yz8dvx5zha9vmkd6ik7ax0idpb032d28555n41vm"))))
+       ("rust-term"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "term" "0.4.4"))
+           (sha256
+            (base32
+             "0jpr7jb1xidadh0arklwr99r8w1k1dfc4an3ginpsq5nnfigivrx"))))
+       ("rust-thread-id"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "thread-id" "2.0.0"))
+           (sha256
+            (base32
+             "00zzs2bx1xw8aqm5plqqgr7bc2zz6zkqrdxq8vpiqb8hc2srslx9"))))
+       ("rust-thread_local"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "thread_local" "0.2.7"))
+           (sha256
+            (base32
+             "1mgxikqvhpsic6xk7pan95lvgsky1sdxzw2w5m2l35pgrazxnxl5"))))
+       ("rust-miow"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "miow" "0.1.3"))
+           (sha256
+            (base32
+             "16jvfjsp6fr4mbd2sw5hcdmi4dsa0m0aa45gjz78mb1h4mwcdgym"))))
+       ("rust-regex"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "regex" "0.1.80"))
+           (sha256
+            (base32
+             "0bs036h3vzc6pj5jj4vc909s9rppq7b808ic99qn0y6gm3karm2g"))))
+       ("rust-num_cpus"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num_cpus" "1.1.0"))
+           (sha256
+            (base32
+             "1bfwcn3yhwa31rinjw9yr7b6gvn6c06hnwnjz06pvm938w4fd448"))))
+       ("rust-libgit2-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "libgit2-sys" "0.6.5"))
+           (sha256
+            (base32
+             "0yl80n12ih4jh1halpbj3zqlqvw5zxdr6m6xdcvdz67svjy50bjh"))))
+       ("rust-env_logger"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "env_logger" "0.3.5"))
+           (sha256
+            (base32
+             "0bvcjgkw4s3k1rd7glpflgc8s9a393zjd6jfdgvs8gjvwj0dgaqm"))))
+       ("rust-openssl-probe"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "openssl-probe" "0.1.0"))
+           (sha256
+            (base32
+             "0689h6rhzy6dypqr90lsxnf108nsnh952wsx7ggs70s48b44jvbm"))))
+       ("rust-lazy_static"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "lazy_static" "0.2.2"))
+           (sha256
+            (base32
+             "16z1h7w702sxnscak38jykxlhxq0b5ip4mndlb46pkaqwzi0xgka"))))
+       ("rust-semver-parser"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "semver-parser" "0.6.1"))
+           (sha256
+            (base32
+             "1s8s7a7yg8xhgci17y0xhyyncg229byivhpr0wbs3ljdlyjl73p8"))))
+       ("rust-semver"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "semver" "0.5.1"))
+           (sha256
+            (base32
+             "1xbiv8l72rmngb3lgbmk3vd4lalcbzxcnrn085c2b75irl7gcbxf"))))
+       ("rust-docopt"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "docopt" "0.6.86"))
+           (sha256
+            (base32
+             "1nf4f4zf5yk0d0l4kl7hkii4na22fhn0l2hgfb46yzv08l2g6zja"))))
+       ("rust-miniz-sys"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "miniz-sys" "0.1.7"))
+           (sha256
+            (base32
+             "0m7dlggsxash0k5jkx576p556g9r8vnhyl9244gjxhq1g8rls7wx"))))
+       ("rust-curl"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "curl" "0.4.1"))
+           (sha256
+            (base32
+             "1b0y27b6vpqffgzm2kxc1s2i6bgdzxk3wn65g2asbcdxrvys3mcg"))))
+       ("rust-flate2"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "flate2" "0.2.14"))
+           (sha256
+            (base32
+             "1fx3zsls5bb1zfx87s5sxkgk853z4nhjsbvq5s6if13kjlg4isry"))))
+       ("rust-git2"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "git2" "0.6.3"))
+           (sha256
+            (base32
+             "06b1bw3pwszs8617xn8js6h0j983qjgfwsychw33lshccj3cld05"))))
+       ("rust-crates-io"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "crates-io" "0.4.0"))
+           (sha256
+            (base32
+             "0kk6abp1qbpv44hkq1yjp7xgpzjzafs83i1l26ycr0aph1gbwig9"))))
+       ("rust-git2-curl"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "git2-curl" "0.7.0"))
+           (sha256
+            (base32
+             "13mzqp4rd81zp78261rlq23iw9aaysdr56484y1yy2xzhk3nnrv8"))))
+       ("rust-bufstream"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "bufstream" "0.1.2"))
+           (sha256
+            (base32
+             "0x6h27md1fwabbhbycfldj0wklrpjr520z9p0cpzm60fzzidnj3v"))))
+       ("rust-hamcrest"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "hamcrest" "0.1.1"))
+           (sha256
+            (base32
+             "1m49rf7bnkx0qxja56slrjh44zi4z5bjz5x4pblqjw265828y25z"))))
+       ("rust-num"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num" "0.1.36"))
+           (sha256
+            (base32
+             "081i1r3mdz6jasqd7qwraqqfqa3sdpvdvxl1xq0s7ip714xw1rxx"))))
+       ("rust-num-traits"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-traits" "0.1.36"))
+           (sha256
+            (base32
+             "07688sp4z40p14lh5ywvrpm4zq8kcxzhjks8sg33jsr5da2l4sm1"))))
+       ("rust-num-integer"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-integer" "0.1.32"))
+           (sha256
+            (base32
+             "14pvaaawl0pgdcgh4dfdd67lz58yxlfl95bry86h28pjnfzxj97v"))))
+       ("rust-num-bigint"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-bigint" "0.1.35"))
+           (sha256
+            (base32
+             "0jayfkdm33p4zvcahlv46zdfhlzg053mpw32abf2lz0z8xw47cc8"))))
+       ("rust-num-rational"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-rational" "0.1.35"))
+           (sha256
+            (base32
+             "1bwaygv64qg7i78yqg0v4d0amfhamj598rpy4yxjz9rlhcxn1zsl"))))
+       ("rust-num-iter"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-iter" "0.1.32"))
+           (sha256
+            (base32
+             "0p74nj5c1mc33h9lx4wpmlmggmn5lnkhxv1225g0aix8d6ciqyi8"))))
+       ("rust-num-complex"
+        ,(origin
+           (method url-fetch)
+           (uri (crate-uri "num-complex" "0.1.35"))
+           (sha256
+            (base32
+             "0bzrjfppnnzf9vmkpklhp2dw9sb1lqzydb8r6k83z76i9l2qxizh"))))))
     (arguments
      `(#:cargo ,cargo-bootstrap
        #:tests? #f ; FIXME
@@ -317,12 +794,41 @@ safety and thread safety guarantees.")
          (delete 'patch-source-shebangs)
          (delete 'patch-generated-file-shebangs)
          (delete 'patch-usr-bin-file)
+         (add-after 'unpack 'unpack-submodule-sources
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((unpack (lambda (source target)
+                             (mkdir-p target)
+                             (with-directory-excursion target
+                               (zero? (system* "tar" "xf"
+                                               source
+                                               "--strip-components=1"))))))
+               (mkdir "vendor")
+               (for-each (lambda (p)
+                           (let ((name (car p)))
+                             (if (string-prefix? "rust-" name)
+                               (let ((rsrc (string-append "vendor/"
+                                                           (string-drop name
+                                                                        (string-length "rust-")))))
+                                 (unpack (assoc-ref inputs name) rsrc)
+                                 (system* "touch" (string-append rsrc "/.cargo-ok"))
+                                 (generate-checksums rsrc (assoc-ref inputs name)))))) inputs))))
          ;; Set CARGO_HOME to use the vendored dependencies.
          (add-after 'unpack 'set-cargo-home
            (lambda* (#:key inputs #:allow-other-keys)
              (let* ((gcc (assoc-ref inputs "gcc"))
                     (cc (string-append gcc "/bin/gcc")))
+               (mkdir "cargohome")
                (setenv "CARGO_HOME" (string-append (getcwd) "/cargohome"))
+               (call-with-output-file "cargohome/config"
+                 (lambda (p)
+                   (format p "
+[source.crates-io]
+registry = 'https://github.com/rust-lang/crates.io-index'
+replace-with = 'vendored-sources'
+
+[source.vendored-sources]
+directory = 'vendor'
+")))
                (setenv "CMAKE_C_COMPILER" cc)
                (setenv "CC" cc))
              #t)))))
diff --git a/gnu/packages/skribilo.scm b/gnu/packages/skribilo.scm
index 52ed1c34e3..78b4806c8c 100644
--- a/gnu/packages/skribilo.scm
+++ b/gnu/packages/skribilo.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -73,7 +73,7 @@
 
     ;; The 'skribilo' command needs them, and for people using Skribilo as a
     ;; library, these inputs are needed as well.
-    (propagated-inputs `(("guile-reader" ,guile-reader)
+    (propagated-inputs `(("guile-reader" ,guile2.0-reader)
                          ("guile-lib" ,guile-lib)))
 
     (home-page "http://www.nongnu.org/skribilo/")
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 363a5e8fc5..838db4b35d 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -102,6 +102,7 @@
               (uri (string-append
                 "https://www.freedesktop.org/software/virgl/"
                 "virglrenderer-" version ".tar.bz2"))
+              (patches (search-patches "virglrenderer-CVE-2017-6386.patch"))
               (sha256
                (base32
                 "06kf0q4l52gzx5p63l8850hff8pmhp7xv1hk8zgx2apbw18y6jd5"))))
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 49bb24e594..d0bed4dd7f 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -31,6 +31,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system r)
   #:use-module (guix build-system python)
+  #:use-module (guix build-system trivial)
   #:use-module (gnu packages)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages curl)
@@ -99,9 +100,12 @@ can be imported from spreadsheets, text files and database sources and it can
 be output in text, PostScript, PDF or HTML.")
     (license license:gpl3+)))
 
-(define-public r
+;; Update this package together with the set of recommended packages: r-boot,
+;; r-class, r-cluster, r-codetools, r-foreign, r-kernsmooth, r-lattice,
+;; r-mass, r-matrix, r-mgcv, r-nlme, r-nnet, r-rpart, r-spatial, r-survival.
+(define-public r-minimal
   (package
-    (name "r")
+    (name "r-minimal")
     (version "3.3.3")
     (source (origin
               (method url-fetch)
@@ -129,17 +133,46 @@ be output in text, PostScript, PDF or HTML.")
                (substitute* "src/scripts/R.sh.in"
                  (("uname") uname-bin)))
              #t))
-         (add-after 'unpack 'build-recommended-packages-reproducibly
+         (add-after 'unpack 'build-reproducibly
            (lambda _
-             (substitute* "src/library/Recommended/Makefile.in"
-               (("INSTALL_OPTS =(.*)" line rest )
-                (string-append "INSTALL_OPTS = --built-timestamp=1970-01-01"
-                               rest)))
-             ;; Ensure that gzipped files are reproducible
+             ;; The documentation contains time stamps to demonstrate
+             ;; documentation generation in different phases.
+             (substitute* "src/library/tools/man/Rd2HTML.Rd"
+               (("\\\\%Y-\\\\%m-\\\\%d at \\\\%H:\\\\%M:\\\\%S")
+                "(removed for reproducibility)"))
+
+             ;; Remove timestamp from tracing environment.  This fixes
+             ;; reproducibility of "methods.rd{b,x}".
+             (substitute* "src/library/methods/R/trace.R"
+               (("dateCreated = Sys.time\\(\\)")
+                "dateCreated = as.POSIXct(\"1970-1-1 00:00:00\", tz = \"UTC\")"))
+
+             ;; Ensure that gzipped files are reproducible.
              (substitute* '("src/library/grDevices/Makefile.in"
                             "doc/manual/Makefile.in")
                (("R_GZIPCMD\\)" line)
                 (string-append line " -n")))
+
+             ;; The "srcfile" procedure in "src/library/base/R/srcfile.R"
+             ;; queries the mtime of a given file and records it in an object.
+             ;; This is acceptable at runtime to detect stale source files,
+             ;; but it destroys reproducibility at build time.
+             ;;
+             ;; Instead of disabling this feature, which may have unexpected
+             ;; consequences, we reset the mtime of generated files before
+             ;; passing them to the "srcfile" procedure.
+             (substitute* "src/library/Makefile.in"
+               (("@\\(cd base && \\$\\(MAKE\\) mkdesc\\)" line)
+                (string-append line "\n	find $(top_builddir)/library/tools | xargs touch -d '1970-01-01'; \n"))
+               (("@\\$\\(MAKE\\) Rdobjects" line)
+                (string-append "@find $(srcdir)/tools | xargs touch -d '1970-01-01'; \n	"
+                               line)))
+             (substitute* "src/library/tools/Makefile.in"
+               (("@\\$\\(INSTALL_DATA\\) all.R \\$\\(top_builddir\\)/library/\\$\\(pkg\\)/R/\\$\\(pkg\\)" line)
+                (string-append
+                 line
+                 "\n	find $(srcdir)/$(pkg) $(top_builddir)/library/$(pkg) | xargs touch -d \"1970-01-01\"; \n")))
+
              ;; This library is installed using "install_package_description",
              ;; so we need to pass the "builtStamp" argument.
              (substitute* "src/library/tools/Makefile.in"
@@ -163,7 +196,12 @@ be output in text, PostScript, PDF or HTML.")
          (add-after 'build 'install-info
           (lambda _ (zero? (system* "make" "install-info")))))
        #:configure-flags
-       '("--with-cairo"
+       '(;; Do not build the recommended packages.  The build system creates
+         ;; random temporary directories and embeds their names in some
+         ;; package files.  We build these packages with the r-build-system
+         ;; instead.
+         "--without-recommended-packages"
+         "--with-cairo"
          "--with-blas=-lopenblas"
          "--with-libpng"
          "--with-jpeglib"
@@ -221,6 +259,343 @@ publication-quality data plots.  A large amount of 3rd-party packages are
 available, greatly increasing its breadth and scope.")
     (license license:gpl3+)))
 
+(define-public r-boot
+  (package
+    (name "r-boot")
+    (version "1.3-18")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "boot" version))
+       (sha256
+        (base32
+         "0pi348vvgzn1ny54yxhw6kq6nl7rx9bpr9ji1a6wqs8ah5zj7z8j"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/boot")
+    (synopsis "Bootstrap functions for R")
+    (description
+     "This package provides functions and datasets for bootstrapping from the
+book \"Bootstrap Methods and Their Application\" by A.C. Davison and
+D.V. Hinkley (1997, CUP), originally written by Angelo Canty for S.")
+    ;; Unlimited distribution
+    (license (license:non-copyleft "file://R/bootfuns.q"))))
+
+(define-public r-mass
+  (package
+    (name "r-mass")
+    (version "7.3-45")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "MASS" version))
+       (sha256
+        (base32
+         "13lp5919h2bnpmf8rbmkar8a41yx62fnx66pkvljvqf60wa29qsx"))))
+    (properties `((upstream-name . "MASS")))
+    (build-system r-build-system)
+    (home-page "http://www.stats.ox.ac.uk/pub/MASS4/")
+    (synopsis "Support functions and datasets for Venables and Ripley's MASS")
+    (description
+     "This package provides functions and datasets for the book \"Modern
+Applied Statistics with S\" (4th edition, 2002) by Venables and Ripley.")
+    ;; Either version may be picked.
+    (license (list license:gpl2 license:gpl3))))
+
+(define-public r-class
+  (package
+    (name "r-class")
+    (version "7.3-14")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "class" version))
+       (sha256
+        (base32
+         "173b8a16lh1i0zjmr784l0xr0azp9v8bgslh12hfdswbq7dpdf0q"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-mass" ,r-mass)))
+    (home-page "http://www.stats.ox.ac.uk/pub/MASS4/")
+    (synopsis "R functions for classification")
+    (description
+     "This package provides various functions for classification, including
+k-nearest neighbour, Learning Vector Quantization and Self-Organizing Maps.")
+    ;; Either of the two versions can be picked.
+    (license (list license:gpl2 license:gpl3))))
+
+(define-public r-cluster
+  (package
+    (name "r-cluster")
+    (version "2.0.5")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "cluster" version))
+       (sha256
+        (base32
+         "1bkvqmv8h2c423q9ag2afb6s9j2vcdlxsf559zzbimraphrr2c2b"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/cluster")
+    (synopsis "Methods for cluster analysis")
+    (description
+     "This package provides methods for cluster analysis.  It is a much
+extended version of the original from Peter Rousseeuw, Anja Struyf and Mia
+Hubert, based on Kaufman and Rousseeuw (1990) \"Finding Groups in Data\".")
+    (license license:gpl2+)))
+
+(define-public r-codetools
+  (package
+    (name "r-codetools")
+    (version "0.2-15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "codetools" version))
+       (sha256
+        (base32
+         "0h7sjmvvsi35041jp47cxhsqzgf1y8jrw6fxii7n26i8g7nrh1sf"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/codetools")
+    (synopsis "Code analysis tools for R")
+    (description "This package provides code analysis tools for R.")
+    ;; Any version of the GPL.
+    (license (list license:gpl2+ license:gpl3+))))
+
+(define-public r-foreign
+  (package
+    (name "r-foreign")
+    (version "0.8-67")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "foreign" version))
+       (sha256
+        (base32
+         "1mcrm2pydimbyjhkrw5h380bifj1jhwzifph1xgh90asf3lvd1xd"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/foreign")
+    (synopsis "Read data stored by other statistics software")
+    (description
+     "This package provides functions for reading and writing data stored by
+some versions of Epi Info, Minitab, S, SAS, SPSS, Stata, Systat and Weka and
+for reading and writing some dBase files.")
+    (license license:gpl2+)))
+
+(define-public r-kernsmooth
+  (package
+    (name "r-kernsmooth")
+    (version "2.23-15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "KernSmooth" version))
+       (sha256
+        (base32
+         "1xhha8kw10jv8pv8b61hb5in9qiw3r2a9kdji3qlm991s4zd4wlb"))))
+    (properties `((upstream-name . "KernSmooth")))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/KernSmooth")
+    (synopsis "Functions for kernel smoothing")
+    (description
+     "This package provides functions for kernel smoothing (and density
+estimation) corresponding to the book: Wand, M.P. and Jones, M.C. (1995)
+\"Kernel Smoothing\".")
+    ;; Unlimited distribution
+    (license (license:non-copyleft "file://LICENCE.note"))))
+
+(define-public r-lattice
+  (package
+    (name "r-lattice")
+    (version "0.20-34")
+    (source (origin
+              (method url-fetch)
+              (uri (cran-uri "lattice" version))
+              (sha256
+               (base32
+                "0615h69czr73k47whhzimf1qxv5qk0cabcrkljwhyrn6m6piq6ja"))))
+    (build-system r-build-system)
+    (home-page "http://lattice.r-forge.r-project.org/")
+    (synopsis "High-level data visualization system")
+    (description
+     "The lattice package provides a powerful and elegant high-level data
+visualization system inspired by Trellis graphics, with an emphasis on
+multivariate data.  Lattice is sufficient for typical graphics needs, and is
+also flexible enough to handle most nonstandard requirements.")
+    (license license:gpl2+)))
+
+(define-public r-matrix
+  (package
+    (name "r-matrix")
+    (version "1.2-7.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "Matrix" version))
+       (sha256
+        (base32
+         "09rd51na9spz0lm1lylkfhw43w7c922b83m4jsggmpg3pbd6dssa"))))
+    (properties `((upstream-name . "Matrix")))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)))
+    (home-page "http://Matrix.R-forge.R-project.org/")
+    (synopsis "Sparse and dense matrix classes and methods")
+    (description
+     "This package provides classes and methods for dense and sparse matrices
+and operations on them using LAPACK and SuiteSparse.")
+    (license license:gpl2+)))
+
+(define-public r-nlme
+  (package
+    (name "r-nlme")
+    (version "3.1-131")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "nlme" version))
+       (sha256
+        (base32
+         "0k2nvdzhic6bzhfsbq6la6q6a1i5nlj4pnh6lpdxiiwvxdks3nkr"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)))
+    (native-inputs
+     `(("gfortran" ,gfortran)))
+    (home-page "http://cran.r-project.org/web/packages/nlme")
+    (synopsis "Linear and nonlinear mixed effects models")
+    (description
+     "This package provides tools to fit and compare Gaussian linear and
+nonlinear mixed-effects models.")
+    (license license:gpl2+)))
+
+(define-public r-mgcv
+  (package
+   (name "r-mgcv")
+   (version "1.8-16")
+   (source
+    (origin
+     (method url-fetch)
+     (uri (cran-uri "mgcv" version))
+     (sha256
+      (base32
+       "0pj31gdwra7nv8spys4pfcbmsik99q1y1d0d2g37ywc3sz5s0rlj"))))
+   (build-system r-build-system)
+   (propagated-inputs
+    `(("r-matrix" ,r-matrix)
+      ("r-nlme" ,r-nlme)))
+   (home-page "http://cran.r-project.org/web/packages/mgcv")
+   (synopsis "Mixed generalised additive model computation")
+   (description
+    "GAMs, GAMMs and other generalized ridge regression with multiple smoothing
+parameter estimation by GCV, REML or UBRE/AIC.  The library includes a
+@code{gam()} function, a wide variety of smoothers, JAGS support and
+distributions beyond the exponential family.")
+   (license license:gpl2+)))
+
+(define-public r-nnet
+  (package
+    (name "r-nnet")
+    (version "7.3-12")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "nnet" version))
+       (sha256
+        (base32
+         "17amqnw9dpap2w8ivx53hxha2xrm0drwfnj32li0xk41hlz548r7"))))
+    (build-system r-build-system)
+    (home-page "http://www.stats.ox.ac.uk/pub/MASS4/")
+    (synopsis "Feed-forward neural networks and multinomial log-linear models")
+    (description
+     "This package provides functions for feed-forward neural networks with a
+single hidden layer, and for multinomial log-linear models.")
+    (license (list license:gpl2+ license:gpl3+))))
+
+(define-public r-rpart
+  (package
+    (name "r-rpart")
+    (version "4.1-10")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "rpart" version))
+       (sha256
+        (base32
+         "119dvh2cpab4vq9blvbkil5hgq6w018amiwlda3ii0fki39axpf5"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/rpart")
+    (synopsis "Recursive partitioning and regression trees")
+    (description
+     "This package provides recursive partitioning functions for
+classification, regression and survival trees.")
+    (license (list license:gpl2+ license:gpl3+))))
+
+(define-public r-spatial
+  (package
+    (name "r-spatial")
+    (version "7.3-11")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "spatial" version))
+       (sha256
+        (base32
+         "04aw8j533sn63ybyrf4hyhrqm4058vfcb7yhjy07kq92mk94hi32"))))
+    (build-system r-build-system)
+    (home-page "http://www.stats.ox.ac.uk/pub/MASS4/")
+    (synopsis "Functions for kriging and point pattern analysis")
+    (description
+     "This package provides functions for kriging and point pattern
+analysis.")
+    ;; Either version may be picked.
+    (license (list license:gpl2 license:gpl3))))
+
+(define-public r-survival
+  (package
+    (name "r-survival")
+    (version "2.40-1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "survival" version))
+       (sha256
+        (base32
+         "10pf0kq0g66k5rgizrvh29mq3r84acljw2jgrv5yp6z38xw23mci"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-matrix" ,r-matrix)))
+    (home-page "https://github.com/therneau/survival")
+    (synopsis "Survival analysis")
+    (description
+     "This package contains the core survival analysis routines, including
+definition of Surv objects, Kaplan-Meier and Aalen-Johansen (multi-state)
+curves, Cox models, and parametric accelerated failure time models.")
+    (license license:lgpl2.0+)))
+
+(define-public r
+  (package (inherit r-minimal)
+    (name "r")
+    (source #f)
+    (build-system trivial-build-system)
+    (arguments '(#:builder (mkdir %output)))
+    (propagated-inputs
+     `(("r-minimal" ,r-minimal)
+       ("r-boot" ,r-boot)
+       ("r-class" ,r-class)
+       ("r-cluster" ,r-cluster)
+       ("r-codetools" ,r-codetools)
+       ("r-foreign" ,r-foreign)
+       ("r-kernsmooth" ,r-kernsmooth)
+       ("r-lattice" ,r-lattice)
+       ("r-mass" ,r-mass)
+       ("r-matrix" ,r-matrix)
+       ("r-mgcv" ,r-mgcv)
+       ("r-nlme" ,r-nlme)
+       ("r-nnet" ,r-nnet)
+       ("r-rpart" ,r-rpart)
+       ("r-spatial" ,r-spatial)
+       ("r-survival" ,r-survival)))))
+
 (define-public r-bit
   (package
     (name "r-bit")
@@ -460,49 +835,6 @@ and Francois (2011, JSS), and the book by Eddelbuettel (2013, Springer); see
 'citation(\"Rcpp\")' for details on these last two.")
     (license license:gpl2+)))
 
-(define-public r-matrix
-  (package
-    (name "r-matrix")
-    (version "1.2-7.1")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (cran-uri "Matrix" version))
-       (sha256
-        (base32
-         "09rd51na9spz0lm1lylkfhw43w7c922b83m4jsggmpg3pbd6dssa"))))
-    (properties `((upstream-name . "Matrix")))
-    (build-system r-build-system)
-    (propagated-inputs
-     `(("r-lattice" ,r-lattice)))
-    (home-page "http://Matrix.R-forge.R-project.org/")
-    (synopsis "Sparse and dense matrix classes and methods")
-    (description
-     "This package provides classes and methods for dense and sparse matrices
-and operations on them using LAPACK and SuiteSparse.")
-    (license license:gpl2+)))
-
-(define-public r-mgcv
-  (package
-   (name "r-mgcv")
-   (version "1.8-16")
-   (source
-    (origin
-     (method url-fetch)
-     (uri (cran-uri "mgcv" version))
-     (sha256
-      (base32
-       "0pj31gdwra7nv8spys4pfcbmsik99q1y1d0d2g37ywc3sz5s0rlj"))))
-   (build-system r-build-system)
-   (home-page "http://cran.r-project.org/web/packages/mgcv")
-   (synopsis "Mixed generalised additive model computation")
-   (description
-    "GAMs, GAMMs and other generalized ridge regression with multiple smoothing
-parameter estimation by GCV, REML or UBRE/AIC.  The library includes a
-@code{gam()} function, a wide variety of smoothers, JAGS support and
-distributions beyond the exponential family.")
-   (license license:gpl2+)))
-
 (define-public r-permute
   (package
    (name "r-permute")
@@ -722,6 +1054,7 @@ legends.")
        ("r-gtable" ,r-gtable)
        ("r-plyr" ,r-plyr)
        ("r-lazyeval" ,r-lazyeval)
+       ("r-mass" ,r-mass)
        ("r-tibble" ,r-tibble)
        ("r-reshape2" ,r-reshape2)
        ("r-scales" ,r-scales)
@@ -1342,6 +1675,8 @@ side.")
         (base32
          "0lafrmq1q7x026m92h01hc9cjjiximqqi3v1g2hw7ai9vf7i897m"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)))
     (home-page "http://cran.r-project.org/web/packages/locfit")
     (synopsis "Local regression, likelihood and density estimation")
     (description
@@ -1519,6 +1854,8 @@ inference for statistical models.")
                (base32
                 "14a4a8df4ygj05h37chmdn8kzcqs07fpbflxfrq530563mrza7yl"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)))
     (home-page "http://cran.r-project.org/web/packages/coda")
     (synopsis "This is a package for Output Analysis and Diagnostics for MCMC")
     (description "This package provides functions for summarizing and plotting
@@ -2028,26 +2365,6 @@ scaling functions for R.")
      "This package provides an integration of base and grid graphics for R.")
     (license license:gpl2+)))
 
-(define-public r-lattice
-  (package
-    (name "r-lattice")
-    (version "0.20-34")
-    (source (origin
-              (method url-fetch)
-              (uri (cran-uri "lattice" version))
-              (sha256
-               (base32
-                "0615h69czr73k47whhzimf1qxv5qk0cabcrkljwhyrn6m6piq6ja"))))
-    (build-system r-build-system)
-    (home-page "http://lattice.r-forge.r-project.org/")
-    (synopsis "High-level data visualization system")
-    (description
-     "The lattice package provides a powerful and elegant high-level data
-visualization system inspired by Trellis graphics, with an emphasis on
-multivariate data.  Lattice is sufficient for typical graphics needs, and is
-also flexible enough to handle most nonstandard requirements.")
-    (license license:gpl2+)))
-
 (define-public r-latticeextra
   (package
     (name "r-latticeextra")
@@ -2687,6 +3004,8 @@ flexible than the orphaned \"base64\" package.")
         (base32
          "1qbcn0ix85pmk296jhpi419kvh06vxm5cq24yk013ps3g7fyi0si"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-matrix" ,r-matrix)))
     (home-page "http://cran.r-project.org/web/packages/irlba")
     (synopsis "Methods for eigendecomposition of large matrices")
     (description
@@ -2707,10 +3026,11 @@ analysis of large sparse or dense matrices.")
       (base32
        "1cbpzmbv837fvq88rgn6mgzgr9f1wqp9fg8gh2kkmngvr1957a9c"))))
    (build-system r-build-system)
-    (inputs
-     `(("gfortran" ,gfortran)))
+   (inputs
+    `(("gfortran" ,gfortran)))
    (propagated-inputs
-    `(("r-foreach" ,r-foreach)))
+    `(("r-foreach" ,r-foreach)
+      ("r-matrix" ,r-matrix)))
    (home-page "http://www.jstatsoft.org/v33/i01")
    (synopsis "Lasso and elastic-net regularized generalized linear models")
    (description
@@ -2828,6 +3148,8 @@ Stochastic Neighbor Embedding using a Barnes-Hut implementation.")
         (base32
          "1069qwj9gsjq6par2cgfah8nn5x2w38830761x1f7mqpmk0gnj3h"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-class" ,r-class)))
     (home-page "http://cran.r-project.org/web/packages/e1071")
     (synopsis "Miscellaneous functions for probability theory")
     (description
@@ -3439,6 +3761,9 @@ from within R.")
                (("if isnan\\(lambda\\) \\{")
                 "if (isnan(lambda)) {"))
              #t)))))
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)
+       ("r-matrix" ,r-matrix)))
     (home-page "http://spams-devel.gforge.inria.fr")
     (synopsis "Toolbox for solving sparse estimation problems")
     (description "SPAMS (SPArse Modeling Software) is an optimization toolbox
@@ -3456,45 +3781,6 @@ following problems:
 @end enumerate\n")
     (license license:gpl3+)))
 
-(define-public r-rpart
-  (package
-    (name "r-rpart")
-    (version "4.1-10")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (cran-uri "rpart" version))
-       (sha256
-        (base32
-         "119dvh2cpab4vq9blvbkil5hgq6w018amiwlda3ii0fki39axpf5"))))
-    (build-system r-build-system)
-    (home-page "http://cran.r-project.org/web/packages/rpart")
-    (synopsis "Recursive partitioning and regression trees")
-    (description
-     "This package provides recursive partitioning functions for
-classification, regression and survival trees.")
-    (license (list license:gpl2+ license:gpl3+))))
-
-(define-public r-survival
-  (package
-    (name "r-survival")
-    (version "2.40-1")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (cran-uri "survival" version))
-       (sha256
-        (base32
-         "10pf0kq0g66k5rgizrvh29mq3r84acljw2jgrv5yp6z38xw23mci"))))
-    (build-system r-build-system)
-    (home-page "https://github.com/therneau/survival")
-    (synopsis "Survival analysis")
-    (description
-     "This package contains the core survival analysis routines, including
-definition of Surv objects, Kaplan-Meier and Aalen-Johansen (multi-state)
-curves, Cox models, and parametric accelerated failure time models.")
-    (license license:lgpl2.0+)))
-
 (define-public r-base64
   (package
     (name "r-base64")
@@ -3536,17 +3822,20 @@ package instead.")
      `(("r-acepack" ,r-acepack)
        ("r-base64" ,r-base64)
        ("r-base64enc" ,r-base64enc)
+       ("r-cluster" ,r-cluster)
        ("r-data-table" ,r-data-table)
+       ("r-foreign" ,r-foreign)
        ("r-formula" ,r-formula)
        ("r-ggplot2" ,r-ggplot2)
        ("r-gridextra" ,r-gridextra)
        ("r-gtable" ,r-gtable)
-       ;; Hmisc needs survival >= 2.40.1, so it cannot use the survival
-       ;; package that comes with R 3.3.2.
-       ("r-survival" ,r-survival)
+       ("r-lattice" ,r-lattice)
        ("r-latticeextra" ,r-latticeextra)
        ("r-htmltable" ,r-htmltable)
        ("r-htmltools" ,r-htmltools)
+       ("r-nnet" ,r-nnet)
+       ("r-rpart" ,r-rpart)
+       ("r-survival" ,r-survival)
        ("r-viridis" ,r-viridis)))
     (home-page "http://biostat.mc.vanderbilt.edu/Hmisc")
     (synopsis "Miscellaneous data analysis and graphics functions")
@@ -3831,6 +4120,8 @@ estimation) corresponding to the book: Wand, M.P.  and Jones, M.C. (1995)
                (base32
                 "167m142rwwfy8b9hnfc3fi28dcsdjk61g1crqhll6sh5xmgnfn28"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-lattice" ,r-lattice)))
     (home-page "http://zoo.R-Forge.R-project.org/")
     (synopsis "S3 infrastructure for regular and irregular time series")
     (description "This package contains an S3 class with methods for totally
@@ -4097,7 +4388,9 @@ letters, as is often required for scientific publications.")
          "133rr17ywmlhsc6457hs8qxi8ng443ql9ashxpwc8875gjhv1x32"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-segmented" ,r-segmented)))
+     `(("r-boot" ,r-boot)
+       ("r-mass" ,r-mass)
+       ("r-segmented" ,r-segmented)))
     (home-page "http://cran.r-project.org/web/packages/mixtools")
     (synopsis "Tools for analyzing finite mixture models")
     (description
@@ -4227,7 +4520,9 @@ to change in the future.")
          "1i205yw3kkxs27gqcs6zx0c2mh16p332a2p06wq6fdzb20bazg3z"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-modeltools" ,r-modeltools)))
+     `(("r-lattice" ,r-lattice)
+       ("r-modeltools" ,r-modeltools)
+       ("r-nnet" ,r-nnet)))
     (home-page "http://cran.r-project.org/web/packages/flexmix")
     (synopsis "Flexible mixture modeling")
     (description
@@ -4274,7 +4569,8 @@ and resampling-based inference.")
          "0qjsxrx6yv338bxm4ki0w9h8hind1l98abdrz828588bwj02jya1"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-mclust" ,r-mclust)))
+     `(("r-mass" ,r-mass)
+       ("r-mclust" ,r-mclust)))
     (home-page "https://cran.r-project.org/web/packages/prabclus")
     (synopsis "Parametric bootstrap tests for spatial neighborhood clustering")
     (description
@@ -4363,9 +4659,12 @@ of the points.")
          "15m0p9l9w2v7sl0cnzyg81i2fmx3hrhvr3371544mwn3fpsca5sx"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-diptest" ,r-diptest)
+     `(("r-class" ,r-class)
+       ("r-cluster" ,r-cluster)
+       ("r-diptest" ,r-diptest)
        ("r-flexmix" ,r-flexmix)
        ("r-kernlab" ,r-kernlab)
+       ("r-mass" ,r-mass)
        ("r-mclust" ,r-mclust)
        ("r-mvtnorm" ,r-mvtnorm)
        ("r-prabclus" ,r-prabclus)
@@ -4484,7 +4783,8 @@ based on an interface to Fortran implementations by M. J. D. Powell.")
     (properties `((upstream-name . "RcppEigen")))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-rcpp" ,r-rcpp)))
+     `(("r-rcpp" ,r-rcpp)
+       ("r-matrix" ,r-matrix)))
     (home-page "http://eigen.tuxfamily.org")
     (synopsis "Rcpp integration for the Eigen templated linear algebra library")
     (description
@@ -4529,6 +4829,8 @@ metrics for evaluating models.")
          "0cyfvhci2p1vr2x52ymkyqqs63x1qchn856dh2j94yb93r08x1zy"))))
     (properties `((upstream-name . "MatrixModels")))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-matrix" ,r-matrix)))
     (home-page "https://cran.r-project.org/web/packages/MatrixModels")
     (synopsis "Modelling with sparse and dense matrices")
     (description
@@ -4606,7 +4908,9 @@ algorithms.")
        ("r-rcppeigen" ,r-rcppeigen)))
     (propagated-inputs
      `(("r-minqa" ,r-minqa)
-       ("r-nloptr" ,r-nloptr)))
+       ("r-nloptr" ,r-nloptr)
+       ("r-mass" ,r-mass)
+       ("r-nlme" ,r-nlme)))
     (home-page "http://cran.r-project.org/web/packages/lme4")
     (synopsis "Linear mixed-effects models using eigen and S4")
     (description
@@ -4629,7 +4933,9 @@ C++ library for numerical linear algebra and RcppEigen glue.")
          "00cw18q7wvddzjrbxz917wkix6r7672vi2wmsp4gwgzady8vha4x"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-lme4" ,r-lme4)))
+     `(("r-lme4" ,r-lme4)
+       ("r-mass" ,r-mass)
+       ("r-matrix" ,r-matrix)))
     (home-page "http://people.math.aau.dk/~sorenh/software/pbkrtest/")
     (synopsis "Methods for linear mixed model comparison")
     (description
@@ -4651,7 +4957,10 @@ bootstrap test for generalized linear mixed models.")
          "0a6v7rsd1xsdyapnfqy37m7c4kx9wslkzsizc9k0lmnba0bwyfgx"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-pbkrtest" ,r-pbkrtest)
+     `(("r-mass" ,r-mass)
+       ("r-mgcv" ,r-mgcv)
+       ("r-nnet" ,r-nnet)
+       ("r-pbkrtest" ,r-pbkrtest)
        ("r-quantreg" ,r-quantreg)))
     (home-page "https://r-forge.r-project.org/projects/car/")
     (synopsis "Companion to applied regression")
@@ -4790,7 +5099,8 @@ multivariate case.")
          "0a1b7yp4l9wf6ic5czizyl2cnxrc1virj0icr8i6m1vv23jd8jfp"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-mclust" ,r-mclust)
+     `(("r-cluster" ,r-cluster)
+       ("r-mclust" ,r-mclust)
        ("r-mvtnorm" ,r-mvtnorm)
        ("r-sn" ,r-sn)))
     (home-page "http://cran.r-project.org/web/packages/tclust")
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 9796c18c7d..2aecc5fd12 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -222,7 +222,7 @@ required structures.")
      (substitute-keyword-arguments (package-arguments gnutls)
        ((#:configure-flags flags)
         `(cdr ,flags))))
-    (inputs `(("guile" ,guile-next)
+    (inputs `(("guile" ,guile-2.2)
               ,@(alist-delete "guile" (package-inputs gnutls))))))
 
 (define-public openssl
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 2988773398..9fa7b8544d 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -220,14 +220,14 @@ television and DVD.  It is also known as AC-3.")
 (define-public libx264
   (package
     (name "libx264")
-    (version "20170224-2245")
+    (version "20170316-2245")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://download.videolan.org/pub/x264/snapshots/"
                                   "x264-snapshot-" version ".tar.bz2"))
               (sha256
                (base32
-                "0paw8vzsy2qh5jf6xg2i1risjwyvmxgfnivly4gh0bib62cp4vib"))))
+                "1s1nnvl3axz38sv4g09skijl6k9mbbngbb1nsh26w4dr2w2gyzad"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -980,7 +980,7 @@ access to mpv's powerful playback capabilities.")
 (define-public youtube-dl
   (package
     (name "youtube-dl")
-    (version "2017.03.15")
+    (version "2017.03.16")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://yt-dl.org/downloads/"
@@ -988,7 +988,7 @@ access to mpv's powerful playback capabilities.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0h561pbphdkfalir9awp0k4fmsnzdf6kx56adb9bb0v9pfsb1y0f"))))
+                "14nlgl0kh4mwl7sx58vd7nxr5iklxi00612lmydy91ngm6ykrpsm"))))
     (build-system python-build-system)
     (arguments
      ;; The problem here is that the directory for the man page and completion
@@ -1022,7 +1022,7 @@ YouTube.com and a few more sites.")
 (define-public libbluray
   (package
     (name "libbluray")
-    (version "0.9.3")
+    (version "1.0.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://download.videolan.org/videolan/"
@@ -1030,7 +1030,7 @@ YouTube.com and a few more sites.")
                                   name "-" version ".tar.bz2"))
               (sha256
                (base32
-                "1q1whviqv5sr9nr372h31zwid1rvbfbx3z4lzr8lnj25xha6cdm6"))))
+                "1k3lag4lxi2jjd3zh4wcb5l3hadzm54j5kagh92yzfy76p9svqzp"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--disable-bdjava")
diff --git a/gnu/packages/wine.scm b/gnu/packages/wine.scm
index 40e1dd5cfc..4f6e76d58e 100644
--- a/gnu/packages/wine.scm
+++ b/gnu/packages/wine.scm
@@ -54,14 +54,14 @@
 (define-public wine
   (package
     (name "wine")
-    (version "2.3")
+    (version "2.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dl.winehq.org/wine/source/2.x"
                                   "/wine-" version ".tar.xz"))
               (sha256
                (base32
-                "0zh6kvs4d6d99x5qgxbb5jq2wilwzifhmib2nhq0g3ychxx5rjdg"))))
+                "13klfadvd44zdfrzh38al99s53i02x3mlhcj5z7fq7vqwh3xzdc7"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("gettext" ,gettext-minimal)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5298a11f63..dad1911d31 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -274,7 +274,8 @@ FILE-SYSTEM."
         (options (file-system-options file-system))
         (check?  (file-system-check? file-system))
         (create? (file-system-create-mount-point? file-system))
-        (dependencies (file-system-dependencies file-system)))
+        (dependencies (file-system-dependencies file-system))
+        (packages (file-system-packages (list file-system))))
     (and (file-system-mount? file-system)
          (with-imported-modules '((gnu build file-systems)
                                   (guix build bournish))
@@ -284,7 +285,7 @@ FILE-SYSTEM."
                            ,@(map dependency->shepherd-service-name dependencies)))
             (documentation "Check, mount, and unmount the given file system.")
             (start #~(lambda args
-		       #$(if create?
+                       #$(if create?
                              #~(mkdir-p #$target)
                              #t)
 
@@ -292,11 +293,12 @@ FILE-SYSTEM."
                          ;; Make sure fsck.ext2 & co. can be found.
                          (dynamic-wind
                            (lambda ()
-                             (setenv "PATH"
-                                     (string-append
-                                      #$e2fsprogs "/sbin:"
-                                      "/run/current-system/profile/sbin:"
-                                      $PATH)))
+                             ;; Don’t display the PATH settings.
+                             (with-output-to-port (%make-void-port "w")
+                               (lambda ()
+                                 (set-path-environment-variable "PATH"
+                                                                '("bin" "sbin")
+                                                                '#$packages))))
                            (lambda ()
                              (mount-file-system
                               `(#$device #$title #$target #$type #$flags
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 18bce2a2b8..9b8e5b36b1 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -80,7 +80,10 @@
             network-manager-configuration-dns
             network-manager-service-type
 
-            connman-service
+            connman-configuration
+            connman-configuration?
+            connman-service-type
+
             wpa-supplicant-service-type
 
             openvswitch-service-type
@@ -822,45 +825,54 @@ dns=" dns "
 ;;; Connman
 ;;;
 
-(define %connman-activation
-  ;; Activation gexp for Connman.
-  #~(begin
-      (use-modules (guix build utils))
-      (mkdir-p "/var/lib/connman/")
-      (mkdir-p "/var/lib/connman-vpn/")))
-
-(define (connman-shepherd-service connman)
+(define-record-type* <connman-configuration>
+  connman-configuration make-connman-configuration
+  connman-configuration?
+  (connman      connman-configuration-connman
+                (default connman))
+  (disable-vpn? connman-configuration-disable-vpn?
+                (default #f)))
+
+(define (connman-activation config)
+  (let ((disable-vpn? (connman-configuration-disable-vpn? config)))
+    (with-imported-modules '((guix build utils))
+      #~(begin
+          (use-modules (guix build utils))
+          (mkdir-p "/var/lib/connman/")
+          (unless #$disable-vpn?
+            (mkdir-p "/var/lib/connman-vpn/"))))))
+
+(define (connman-shepherd-service config)
   "Return a shepherd service for Connman"
-  (list (shepherd-service
-         (documentation "Run Connman")
-         (provision '(networking))
-         (requirement '(user-processes dbus-system loopback wpa-supplicant))
-         (start #~(make-forkexec-constructor
-                   (list (string-append #$connman
-                                        "/sbin/connmand")
-                         "-n" "-r")))
-         (stop #~(make-kill-destructor)))))
+  (and
+   (connman-configuration? config)
+   (let ((connman      (connman-configuration-connman config))
+         (disable-vpn? (connman-configuration-disable-vpn? config)))
+     (list (shepherd-service
+            (documentation "Run Connman")
+            (provision '(networking))
+            (requirement
+             '(user-processes dbus-system loopback wpa-supplicant))
+            (start #~(make-forkexec-constructor
+                      (list (string-append #$connman
+                                           "/sbin/connmand")
+                            "-n" "-r"
+                            #$@(if disable-vpn? '("--noplugin=vpn") '()))))
+            (stop #~(make-kill-destructor)))))))
 
 (define connman-service-type
-  (service-type (name 'connman)
-                (extensions
-                 (list (service-extension shepherd-root-service-type
-                                          connman-shepherd-service)
-                       (service-extension dbus-root-service-type list)
-                       (service-extension activation-service-type
-                                          (const %connman-activation))
-                       ;; Add connman to the system profile.
-                       (service-extension profile-service-type list)))))
-
-(define* (connman-service #:key (connman connman))
-  "Return a service that runs @url{https://01.org/connman,Connman}, a network
-connection manager.
-
-This service adds the @var{connman} package to the global profile, providing
-several the @command{connmanctl} command to interact with the daemon and
-configure networking."
-  (service connman-service-type connman))
-
+  (let ((connman-package (compose list connman-configuration-connman)))
+    (service-type (name 'connman)
+                  (extensions
+                   (list (service-extension shepherd-root-service-type
+                                            connman-shepherd-service)
+                         (service-extension dbus-root-service-type
+                                            connman-package)
+                         (service-extension activation-service-type
+                                            connman-activation)
+                         ;; Add connman to the system profile.
+                         (service-extension profile-service-type
+                                            connman-package))))))
 
 
 ;;;
diff --git a/gnu/system/file-systems.scm b/gnu/system/file-systems.scm
index 7011a279d3..8107722c74 100644
--- a/gnu/system/file-systems.scm
+++ b/gnu/system/file-systems.scm
@@ -22,6 +22,8 @@
   #:use-module (guix records)
   #:use-module ((gnu build file-systems)
                 #:select (string->uuid uuid->string))
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages disk)
   #:re-export (string->uuid
                uuid->string)
   #:export (<file-system>
@@ -65,6 +67,8 @@
 
             file-system-mapping->bind-mount
 
+            file-system-packages
+
             %store-mapping
             %network-configuration-files
             %network-file-mappings))
@@ -411,4 +415,26 @@ a bind mount."
                  (writable? (string=? file "/etc/resolv.conf"))))
               %network-configuration-files))
 
+(define (file-system-type-predicate type)
+  (lambda (fs)
+    (string=? (file-system-type fs) type)))
+
+(define* (file-system-packages file-systems #:key (volatile-root? #f))
+ `(,@(if (find (lambda (fs)
+                 (string-prefix? "ext" (file-system-type fs)))
+               file-systems)
+         (list e2fsck/static)
+         '())
+   ,@(if (find (lambda (fs)
+                 (string-suffix? "fat" (file-system-type fs)))
+               file-systems)
+         (list fatfsck/static)
+         '())
+   ,@(if (find (file-system-type-predicate "btrfs") file-systems)
+         (list btrfs-progs/static)
+         '())
+   ,@(if volatile-root?
+         (list unionfs-fuse/static)
+         '())))
+
 ;;; file-systems.scm ends here
diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm
index 81c1278c0c..1f1c306828 100644
--- a/gnu/system/linux-initrd.scm
+++ b/gnu/system/linux-initrd.scm
@@ -272,23 +272,7 @@ loaded at boot time in the order in which they appear."
       ,@extra-modules))
 
   (define helper-packages
-    ;; Packages to be copied on the initrd.
-    `(,@(if (find (lambda (fs)
-                    (string-prefix? "ext" (file-system-type fs)))
-                  file-systems)
-            (list e2fsck/static)
-            '())
-      ,@(if (find (lambda (fs)
-                    (string-suffix? "fat" (file-system-type fs)))
-                  file-systems)
-            (list fatfsck/static)
-            '())
-      ,@(if (find (file-system-type-predicate "btrfs") file-systems)
-            (list btrfs-progs/static)
-            '())
-      ,@(if volatile-root?
-            (list unionfs-fuse/static)
-            '())))
+    (file-system-packages file-systems #:volatile-root? volatile-root?))
 
   (raw-initrd file-systems
               #:linux linux
diff --git a/guix/base16.scm b/guix/base16.scm
new file mode 100644
index 0000000000..6c15a9f588
--- /dev/null
+++ b/guix/base16.scm
@@ -0,0 +1,83 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2012, 2014, 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (guix base16)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-26)
+  #:use-module (srfi srfi-60)
+  #:use-module (rnrs bytevectors)
+  #:use-module (ice-9 vlist)
+  #:use-module (ice-9 format)
+  #:export (bytevector->base16-string
+            base16-string->bytevector))
+
+;;;
+;;; Base 16.
+;;;
+
+(define (bytevector->base16-string bv)
+  "Return the hexadecimal representation of BV's contents."
+  (define len
+    (bytevector-length bv))
+
+  (let-syntax ((base16-chars (lambda (s)
+                               (syntax-case s ()
+                                 (_
+                                  (let ((v (list->vector
+                                            (unfold (cut > <> 255)
+                                                    (lambda (n)
+                                                      (format #f "~2,'0x" n))
+                                                    1+
+                                                    0))))
+                                    v))))))
+    (define chars base16-chars)
+    (let loop ((i len)
+               (r '()))
+      (if (zero? i)
+          (string-concatenate r)
+          (let ((i (- i 1)))
+            (loop i
+                  (cons (vector-ref chars (bytevector-u8-ref bv i)) r)))))))
+
+(define base16-string->bytevector
+  (let ((chars->value (fold (lambda (i r)
+                              (vhash-consv (string-ref (number->string i 16)
+                                                       0)
+                                           i r))
+                            vlist-null
+                            (iota 16))))
+    (lambda (s)
+      "Return the bytevector whose hexadecimal representation is string S."
+      (define bv
+        (make-bytevector (quotient (string-length s) 2) 0))
+
+      (string-fold (lambda (chr i)
+                     (let ((j (quotient i 2))
+                           (v (and=> (vhash-assv chr chars->value) cdr)))
+                       (if v
+                           (if (zero? (logand i 1))
+                               (bytevector-u8-set! bv j
+                                                   (arithmetic-shift v 4))
+                               (let ((w (bytevector-u8-ref bv j)))
+                                 (bytevector-u8-set! bv j (logior v w))))
+                           (error "invalid hexadecimal character" chr)))
+                     (+ i 1))
+                   0
+                   s)
+      bv)))
+
diff --git a/guix/build-system/cargo.scm b/guix/build-system/cargo.scm
index 578c4446a4..c637fbb162 100644
--- a/guix/build-system/cargo.scm
+++ b/guix/build-system/cargo.scm
@@ -64,7 +64,7 @@ to NAME and VERSION."
                       #:key
                       (tests? #t)
                       (test-target #f)
-                      (configure-flags #f)
+                      (cargo-build-flags ''("--release"))
                       (phases '(@ (guix build cargo-build-system)
                                   %standard-phases))
                       (outputs '("out"))
@@ -89,6 +89,7 @@ to NAME and VERSION."
                                  source))
                     #:system ,system
                     #:test-target ,test-target
+                    #:cargo-build-flags ,cargo-build-flags
                     #:tests? ,tests?
                     #:phases ,phases
                     #:outputs %outputs
diff --git a/guix/build-system/r.scm b/guix/build-system/r.scm
index e8269fdeb1..c649036210 100644
--- a/guix/build-system/r.scm
+++ b/guix/build-system/r.scm
@@ -62,7 +62,7 @@ release corresponding to NAME and VERSION."
   "Return the default R package."
   ;; Lazily resolve the binding to avoid a circular dependency.
   (let ((r-mod (resolve-interface '(gnu packages statistics))))
-    (module-ref r-mod 'r)))
+    (module-ref r-mod 'r-minimal)))
 
 (define* (lower name
                 #:key source inputs native-inputs outputs system target
diff --git a/guix/build/cargo-build-system.scm b/guix/build/cargo-build-system.scm
index 7d656a8d58..f11d858749 100644
--- a/guix/build/cargo-build-system.scm
+++ b/guix/build/cargo-build-system.scm
@@ -19,13 +19,16 @@
 (define-module (guix build cargo-build-system)
   #:use-module ((guix build gnu-build-system) #:prefix gnu:)
   #:use-module (guix build utils)
+  #:use-module (ice-9 popen)
+  #:use-module (ice-9 rdelim)
   #:use-module (ice-9 ftw)
   #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:export (%standard-phases
-            cargo-build))
+            cargo-build
+            generate-checksums))
 
 ;; Commentary:
 ;;
@@ -45,27 +48,57 @@
   "Replace Cargo.toml [dependencies] section with guix inputs."
   ;; Make sure Cargo.toml is writeable when the crate uses git-fetch.
   (chmod "Cargo.toml" #o644)
-  (let ((port (open-file "Cargo.toml" "a" #:encoding "utf-8")))
-    (format port "~%[replace]~%")
-    (for-each
-     (match-lambda
-       ((name . path)
-        (let ((crate (package-name->crate-name name)))
-          (when (and crate path)
-            (match (string-split (basename path) #\-)
-              ((_ ... version)
-               (format port "\"~a:~a\" = { path = \"~a/share/rust-source\" }~%"
-                       crate version path)))))))
-     inputs)
-    (close-port port))
+  (chmod "." #o755)
+  (if (not (file-exists? "vendor"))
+    (if (not (file-exists? "Cargo.lock"))
+      (begin
+        (substitute* "Cargo.toml"
+          ((".*32-sys.*") "
+")
+          ((".*winapi.*") "
+")
+          ((".*core-foundation.*") "
+"))
+        ;; Prepare one new directory with all the required dependencies.
+        ;; It's necessary to do this (instead of just using /gnu/store as the
+        ;; directory) because we want to hide the libraries in subdirectories
+        ;;   share/rust-source/... instead of polluting the user's profile root.
+        (mkdir "vendor")
+        (for-each
+          (match-lambda
+            ((name . path)
+             (let ((crate (package-name->crate-name name)))
+               (when (and crate path)
+                 (match (string-split (basename path) #\-)
+                   ((_ ... version)
+                    (symlink (string-append path "/share/rust-source")
+                             (string-append "vendor/" (basename path)))))))))
+          inputs)
+        ;; Configure cargo to actually use this new directory.
+        (mkdir-p ".cargo")
+        (let ((port (open-file ".cargo/config" "w" #:encoding "utf-8")))
+          (display "
+[source.crates-io]
+registry = 'https://github.com/rust-lang/crates.io-index'
+replace-with = 'vendored-sources'
+
+[source.vendored-sources]
+directory = '" port)
+          (display (getcwd) port)
+          (display "/vendor" port)
+          (display "'
+" port)
+          (close-port port)))))
+    (setenv "CC" (string-append (assoc-ref inputs "gcc") "/bin/gcc"))
+
+    ;(setenv "CARGO_HOME" "/gnu/store")
+    ; (setenv "CMAKE_C_COMPILER" cc)
   #t)
 
-(define* (build #:key (cargo-build-flags '("--release" "--frozen"))
+(define* (build #:key (cargo-build-flags '("--release"))
                 #:allow-other-keys)
   "Build a given Cargo package."
-  (if (file-exists? "Cargo.lock")
-      (zero? (apply system* `("cargo" "build" ,@cargo-build-flags)))
-      #t))
+  (zero? (apply system* `("cargo" "build" ,@cargo-build-flags))))
 
 (define* (check #:key tests? #:allow-other-keys)
   "Run tests for a given Cargo package."
@@ -73,6 +106,44 @@
       (zero? (system* "cargo" "test"))
       #t))
 
+(define (file-sha256 file-name)
+  "Calculate the hexdigest of the sha256 checksum of FILE-NAME and return it."
+  (let ((port (open-pipe* OPEN_READ
+                          "sha256sum"
+                          "--"
+                          file-name)))
+    (let ((result (read-delimited " " port)))
+      (close-pipe port)
+      result)))
+
+;; Example dir-name: "/gnu/store/hwlr49riz3la33m6in2n898ly045ylld-rust-rand-0.3.15".
+(define (generate-checksums dir-name src-name)
+  "Given DIR-NAME, checksum all the files in it one by one and put the
+   result into the file \".cargo-checksum.json\" in the same directory.
+   Also includes the checksum of an extra file SRC-NAME as if it was
+   part of the directory DIR-NAME with name \"package\"."
+  (let* ((file-names (find-files dir-name "."))
+         (dir-prefix-name (string-append dir-name "/"))
+         (dir-prefix-name-len (string-length dir-prefix-name))
+         (checksums-file-name (string-append dir-name "/.cargo-checksum.json")))
+    (call-with-output-file checksums-file-name
+      (lambda (port)
+        (display "{\"files\":{" port)
+        (let ((sep ""))
+          (for-each (lambda (file-name)
+            (let ((file-relative-name (string-drop file-name dir-prefix-name-len)))
+                  (display sep port)
+                  (set! sep ",")
+                  (write file-relative-name port)
+                  (display ":" port)
+                  (write (file-sha256 file-name) port))) file-names))
+        (display "},\"package\":" port)
+        (write (file-sha256 src-name) port)
+        (display "}" port)))))
+
+(define (touch file-name)
+  (call-with-output-file file-name (const #t)))
+
 (define* (install #:key inputs outputs #:allow-other-keys)
   "Install a given Cargo package."
   (let* ((out (assoc-ref outputs "out"))
@@ -86,16 +157,19 @@
     ;; distributing crates as source and replacing
     ;; references in Cargo.toml with store paths.
     (copy-recursively "src" (string-append rsrc "/src"))
+    (touch (string-append rsrc "/.cargo-ok"))
+    (generate-checksums rsrc src)
     (install-file "Cargo.toml" rsrc)
     ;; When the package includes executables we install
     ;; it using cargo install. This fails when the crate
     ;; doesn't contain an executable.
     (if (file-exists? "Cargo.lock")
-        (system* "cargo" "install" "--root" out)
-        (mkdir out))))
+        (zero? (system* "cargo" "install" "--root" out))
+        (begin
+          (mkdir out)
+          #t))))
 
 (define %standard-phases
-  ;; 'configure' phase is not needed.
   (modify-phases gnu:%standard-phases
     (replace 'configure configure)
     (replace 'build build)
diff --git a/guix/build/download.scm b/guix/build/download.scm
index e7a7afecd1..36c815c167 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -464,6 +464,9 @@ ETIMEDOUT error is raised."
   "Like 'open-socket-for-uri', but also handle HTTPS connections.  The
 resulting port must be closed with 'close-connection'.  When
 VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
+  ;; Note: Guile 2.2.0's (web client) has a same-named export that's actually
+  ;; undefined.  See Guile commit 011669af3b428e5626f7bbf66b11d57d9768c047.
+
   (define https?
     (eq? 'https (uri-scheme uri)))
 
@@ -512,12 +515,6 @@ port if PORT is a TLS session record port."
                 'set-port-encoding!
                 (lambda (p e) #f))
 
-;; XXX: Work around <http://bugs.gnu.org/13095>, present in Guile
-;; up to 2.0.7.
-(module-define! (resolve-module '(web client))
-                'shutdown (const #f))
-
-
 ;; XXX: Work around <http://bugs.gnu.org/23421>, fixed in Guile commit
 ;; 16050431f29d56f80c4a8253506fc851b8441840.  Guile's date validation
 ;; procedure rejects dates in which the hour is not padded with a zero but
@@ -682,12 +679,6 @@ the connection could not be established in less than TIMEOUT seconds.  Return
 FILE on success.  When VERIFY-CERTIFICATE? is true, verify HTTPS
 certificates; otherwise simply ignore them."
 
-  (define post-2.0.7?
-    (or (> (string->number (major-version)) 2)
-        (> (string->number (minor-version)) 0)
-        (> (string->number (micro-version)) 7)
-        (string>? (version) "2.0.7")))
-
   (define headers
     `(;; Some web sites, such as http://dist.schmorp.de, would block you if
       ;; there's no 'User-Agent' header, presumably on the assumption that
@@ -712,20 +703,9 @@ certificates; otherwise simply ignore them."
                                           #:verify-certificate?
                                           verify-certificate?))
                 ((resp bv-or-port)
-                 ;; XXX: `http-get*' was introduced in 2.0.7, and replaced by
-                 ;; #:streaming? in 2.0.8.  We know we're using it within the
-                 ;; chroot, but `guix-download' might be using a different
-                 ;; version.  So keep this compatibility hack for now.
-                 (if post-2.0.7?
-                     (http-get uri #:port connection #:decode-body? #f
-                               #:streaming? #t
-                               #:headers headers)
-                     (if (module-defined? (resolve-interface '(web client))
-                                          'http-get*)
-                         (http-get* uri #:port connection #:decode-body? #f
-                                    #:headers headers)
-                         (http-get uri #:port connection #:decode-body? #f
-                                   #:extra-headers headers))))
+                 (http-get uri #:port connection #:decode-body? #f
+                           #:streaming? #t
+                           #:headers headers))
                 ((code)
                  (response-code resp))
                 ((size)
diff --git a/guix/derivations.scm b/guix/derivations.scm
index 47a783f42f..e02d1ee036 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -31,6 +31,7 @@
   #:use-module (ice-9 vlist)
   #:use-module (guix store)
   #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (guix memoization)
   #:use-module (guix combinators)
   #:use-module (guix monads)
diff --git a/guix/docker.scm b/guix/docker.scm
index dbe1e5351c..060232148e 100644
--- a/guix/docker.scm
+++ b/guix/docker.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -18,16 +19,20 @@
 
 (define-module (guix docker)
   #:use-module (guix hash)
-  #:use-module (guix store)
-  #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module ((guix build utils)
-                #:select (delete-file-recursively
+                #:select (mkdir-p
+                          delete-file-recursively
                           with-directory-excursion))
-  #:use-module (json)
+  #:use-module (guix build store-copy)
+  #:use-module (srfi srfi-19)
   #:use-module (rnrs bytevectors)
   #:use-module (ice-9 match)
   #:export (build-docker-image))
 
+;; Load Guile-JSON at run time to simplify the job of 'imported-modules' & co.
+(module-use! (current-module) (resolve-interface '(json)))
+
 ;; Generate a 256-bit identifier in hexadecimal encoding for the Docker image
 ;; containing the closure at PATH.
 (define docker-id
@@ -80,48 +85,99 @@
     (rootfs . ((type . "layers")
                (diff_ids . (,(layer-diff-id layer)))))))
 
-(define* (build-docker-image path #:key system)
-  "Generate a Docker image archive from the given store PATH.  The image
-contains the closure of the given store item."
-  (let ((id (docker-id path))
-        (time (strftime "%FT%TZ" (localtime (current-time))))
-        (name (string-append (getcwd)
-                             "/docker-image-" (basename path) ".tar"))
-        (arch (match system
-                ("x86_64-linux" "amd64")
-                ("i686-linux" "386")
-                ("armhf-linux" "arm")
-                ("mips64el-linux" "mips64le"))))
-    (and (call-with-temporary-directory
-          (lambda (directory)
-            (with-directory-excursion directory
-              ;; Add symlink from /bin to /gnu/store/.../bin
-              (symlink (string-append path "/bin") "bin")
-
-              (mkdir id)
-              (with-directory-excursion id
-                (with-output-to-file "VERSION"
-                  (lambda () (display schema-version)))
-                (with-output-to-file "json"
-                  (lambda () (scm->json (image-description id time))))
-
-                ;; Wrap it up
-                (let ((items (with-store store
-                               (requisites store (list path)))))
-                  (and (zero? (apply system* "tar" "-cf" "layer.tar"
-                                     (cons "../bin" items)))
-                       (delete-file "../bin"))))
-
-              (with-output-to-file "config.json"
-                (lambda ()
-                  (scm->json (config (string-append id "/layer.tar")
-                                     time arch))))
-              (with-output-to-file "manifest.json"
-                (lambda ()
-                  (scm->json (manifest path id))))
-              (with-output-to-file "repositories"
-                (lambda ()
-                  (scm->json (repositories path id)))))
-            (and (zero? (system* "tar" "-C" directory "-cf" name "."))
-                 (begin (delete-file-recursively directory) #t))))
-         name)))
+(define %tar-determinism-options
+  ;; GNU tar options to produce archives deterministically.
+  '("--sort=name" "--mtime=@1"
+    "--owner=root:0" "--group=root:0"))
+
+(define symlink-source
+  (match-lambda
+    ((source '-> target)
+     (string-trim source #\/))))
+
+(define (topmost-component file)
+  "Return the topmost component of FILE.  For instance, if FILE is \"/a/b/c\",
+return \"a\"."
+  (match (string-tokenize file (char-set-complement (char-set #\/)))
+    ((first rest ...)
+     first)))
+
+(define* (build-docker-image image path
+                             #:key closure compressor
+                             (symlinks '())
+                             (system (utsname:machine (uname)))
+                             (creation-time (current-time time-utc)))
+  "Write to IMAGE a Docker image archive from the given store PATH.  The image
+contains the closure of PATH, as specified in CLOSURE (a file produced by
+#:references-graphs).  SYMLINKS must be a list of (SOURCE -> TARGET) tuples
+describing symlinks to be created in the image, where each TARGET is relative
+to PATH.  SYSTEM is a GNU triplet (or prefix thereof) of the system the
+binaries at PATH are for; it is used to produce metadata in the image.
+
+Use COMPRESSOR, a command such as '(\"gzip\" \"-9n\"), to compress IMAGE.  Use
+CREATION-TIME, a SRFI-19 time-utc object, as the creation time in metadata."
+  (let ((directory "/tmp/docker-image")           ;temporary working directory
+        (closure (canonicalize-path closure))
+        (id (docker-id path))
+        (time (date->string (time-utc->date creation-time) "~4"))
+        (arch (let-syntax ((cond* (syntax-rules ()
+                                    ((_ (pattern clause) ...)
+                                     (cond ((string-prefix? pattern system)
+                                            clause)
+                                           ...
+                                           (else
+                                            (error "unsupported system"
+                                                   system)))))))
+                (cond* ("x86_64" "amd64")
+                       ("i686"   "386")
+                       ("arm"    "arm")
+                       ("mips64" "mips64le")))))
+    ;; Make sure we start with a fresh, empty working directory.
+    (mkdir directory)
+
+    (and (with-directory-excursion directory
+           (mkdir id)
+           (with-directory-excursion id
+             (with-output-to-file "VERSION"
+               (lambda () (display schema-version)))
+             (with-output-to-file "json"
+               (lambda () (scm->json (image-description id time))))
+
+             ;; Wrap it up.
+             (let ((items (call-with-input-file closure
+                            read-reference-graph)))
+               ;; Create SYMLINKS.
+               (for-each (match-lambda
+                           ((source '-> target)
+                            (let ((source (string-trim source #\/)))
+                              (mkdir-p (dirname source))
+                              (symlink (string-append path "/" target)
+                                       source))))
+                         symlinks)
+
+               (and (zero? (apply system* "tar" "-cf" "layer.tar"
+                                  (append %tar-determinism-options
+                                          items
+                                          (map symlink-source symlinks))))
+                    (for-each delete-file-recursively
+                              (map (compose topmost-component symlink-source)
+                                   symlinks)))))
+
+           (with-output-to-file "config.json"
+             (lambda ()
+               (scm->json (config (string-append id "/layer.tar")
+                                  time arch))))
+           (with-output-to-file "manifest.json"
+             (lambda ()
+               (scm->json (manifest path id))))
+           (with-output-to-file "repositories"
+             (lambda ()
+               (scm->json (repositories path id)))))
+
+         (and (zero? (apply system* "tar" "-C" directory "-cf" image
+                            `(,@%tar-determinism-options
+                              ,@(if compressor
+                                    (list "-I" (string-join compressor))
+                                    '())
+                              ".")))
+              (begin (delete-file-recursively directory) #t)))))
diff --git a/guix/gexp.scm b/guix/gexp.scm
index d11ed177fe..1b8e43e994 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -912,13 +912,17 @@ environment."
                          (system (%current-system))
                          (guile (%guile-for-build)))
   "Return a derivation that imports FILES into STORE.  FILES must be a list
-of (FINAL-PATH . FILE-NAME) pairs; each FILE-NAME is read from the file
-system, imported, and appears under FINAL-PATH in the resulting store path."
+of (FINAL-PATH . FILE) pairs.  Each FILE is mapped to FINAL-PATH in the
+resulting store path.  FILE can be either a file name, or a file-like object,
+as returned by 'local-file' for example."
   (define file-pair
     (match-lambda
-     ((final-path . file-name)
+     ((final-path . (? string? file-name))
       (mlet %store-monad ((file (interned-file file-name
                                                (basename final-path))))
+        (return (list final-path file))))
+     ((final-path . file-like)
+      (mlet %store-monad ((file (lower-object file-like system)))
         (return (list final-path file))))))
 
   (mlet %store-monad ((files (sequence %store-monad
@@ -950,14 +954,28 @@ system, imported, and appears under FINAL-PATH in the resulting store path."
                            (guile (%guile-for-build))
                            (module-path %load-path))
   "Return a derivation that contains the source files of MODULES, a list of
-module names such as `(ice-9 q)'.  All of MODULES must be in the MODULE-PATH
-search path."
-  ;; TODO: Determine the closure of MODULES, build the `.go' files,
-  ;; canonicalize the source files through read/write, etc.
-  (let ((files (map (lambda (m)
-                      (let ((f (module->source-file-name m)))
-                        (cons f (search-path* module-path f))))
-                    modules)))
+module names such as `(ice-9 q)'.  All of MODULES must be either names of
+modules to be found in the MODULE-PATH search path, or a module name followed
+by an arrow followed by a file-like object.  For example:
+
+  (imported-modules `((guix build utils)
+                      (guix gcrypt)
+                      ((guix config) => ,(scheme-file …))))
+
+In this example, the first two modules are taken from MODULE-PATH, and the
+last one is created from the given <scheme-file> object."
+  (mlet %store-monad ((files
+                       (mapm %store-monad
+                             (match-lambda
+                               (((module ...) '=> file)
+                                (return
+                                 (cons (module->source-file-name module)
+                                       file)))
+                               ((module ...)
+                                (let ((f (module->source-file-name module)))
+                                  (return
+                                   (cons f (search-path* module-path f))))))
+                             modules)))
     (imported-files files #:name name #:system system
                     #:guile guile)))
 
diff --git a/guix/http-client.scm b/guix/http-client.scm
index 78d39a0208..6874c51db6 100644
--- a/guix/http-client.scm
+++ b/guix/http-client.scm
@@ -38,7 +38,9 @@
                 #:select (mkdir-p dump-port))
   #:use-module ((guix build download)
                 #:select (open-socket-for-uri
-                          open-connection-for-uri resolve-uri-reference))
+                          (open-connection-for-uri
+                           . guix:open-connection-for-uri)
+                          resolve-uri-reference))
   #:re-export (open-socket-for-uri)
   #:export (&http-get-error
             http-get-error?
@@ -217,10 +219,6 @@ or if EOF is reached."
    (when (module-variable %web-http 'read-line*)
      (module-set! %web-http 'read-line* read-header-line))))
 
-;; XXX: Work around <http://bugs.gnu.org/13095>, present in Guile
-;; up to 2.0.7.
-(module-define! (resolve-module '(web client))
-                'shutdown (const #f))
 
 (define* (http-fetch uri #:key port (text? #f) (buffered? #t)
                      keep-alive? (verify-certificate? #t)
@@ -238,9 +236,9 @@ Raise an '&http-get-error' condition if downloading fails."
   (let loop ((uri (if (string? uri)
                       (string->uri uri)
                       uri)))
-    (let ((port (or port (open-connection-for-uri uri
-                                                  #:verify-certificate?
-                                                  verify-certificate?)))
+    (let ((port (or port (guix:open-connection-for-uri uri
+                                                       #:verify-certificate?
+                                                       verify-certificate?)))
           (headers (match (uri-userinfo uri)
                      ((? string? str)
                       (cons (cons 'Authorization
@@ -252,14 +250,9 @@ Raise an '&http-get-error' condition if downloading fails."
       (unless (or buffered? (not (file-port? port)))
         (setvbuf port _IONBF))
       (let*-values (((resp data)
-                     ;; Try hard to use the API du jour to get an input port.
-                     (if (guile-version>? "2.0.7")
-                         (http-get uri #:streaming? #t #:port port
-                                   #:keep-alive? #t
-                                   #:headers headers)        ; 2.0.9+
-                         (http-get* uri #:decode-body? text?        ; 2.0.7
-                                    #:keep-alive? #t
-                                    #:port port #:headers headers)))
+                     (http-get uri #:streaming? #t #:port port
+                               #:keep-alive? #t
+                               #:headers headers))
                     ((code)
                      (response-code resp)))
         (case code
diff --git a/guix/import/cran.scm b/guix/import/cran.scm
index 40cdea029b..7521a39bc9 100644
--- a/guix/import/cran.scm
+++ b/guix/import/cran.scm
@@ -164,32 +164,16 @@ empty list when the FIELD cannot be found."
                   (map string-trim-both items))))))
 
 (define default-r-packages
-  (list "KernSmooth"
-        "MASS"
-        "Matrix"
-        "base"
-        "boot"
-        "class"
-        "cluster"
-        "codetools"
+  (list "base"
         "compiler"
-        "datasets"
-        "foreign"
         "grDevices"
         "graphics"
         "grid"
-        "lattice"
         "methods"
-        "mgcv"
-        "nlme"
-        "nnet"
         "parallel"
-        "rpart"
-        "spatial"
         "splines"
         "stats"
         "stats4"
-        "survival"
         "tcltk"
         "tools"
         "translations"
diff --git a/guix/import/snix.scm b/guix/import/snix.scm
index bc75cbfda5..778768ff2d 100644
--- a/guix/import/snix.scm
+++ b/guix/import/snix.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2010, 2011, 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,6 +39,7 @@
   #:use-module ((guix build utils) #:select (package-name->name+version))
 
   #:use-module (guix import utils)
+  #:use-module (guix base16)
   #:use-module (guix base32)
   #:use-module (guix config)
   #:use-module (guix gnu-maintenance)
diff --git a/guix/memoization.scm b/guix/memoization.scm
index d64f60fe9c..5cae283610 100644
--- a/guix/memoization.scm
+++ b/guix/memoization.scm
@@ -31,9 +31,6 @@
 (define-syntax-rule (return/1 value)
   value)
 
-(define %nothing                                  ;nothingness
-  (list 'this 'is 'nothing))
-
 (define-syntax define-cache-procedure
   (syntax-rules ()
     "Define a procedure NAME that implements a cache using HASH-REF and
@@ -41,15 +38,17 @@ HASH-SET!.  Use CALL to invoke the thunk and RETURN to return its value; CALL
 and RETURN are used to distinguish between multiple-value and single-value
 returns."
     ((_ name hash-ref hash-set! call return)
-     (define (name cache key thunk)
-       "Cache the result of THUNK under KEY in CACHE, or return the
+     (define name
+       (let ((%nothing '(this is nothing)))
+         (lambda (cache key thunk)
+           "Cache the result of THUNK under KEY in CACHE, or return the
 already-cached result."
-       (let ((results (hash-ref cache key %nothing)))
-         (if (eq? results %nothing)
-             (let ((results (call thunk)))
-               (hash-set! cache key results)
-               (return results))
-             (return results)))))
+           (let ((results (hash-ref cache key %nothing)))
+             (if (eq? results %nothing)
+                 (let ((results (call thunk)))
+                   (hash-set! cache key results)
+                   (return results))
+                 (return results)))))))
     ((_ name hash-ref hash-set!)
      (define-cache-procedure name hash-ref hash-set!
        call/mv return/mv))))
diff --git a/guix/pk-crypto.scm b/guix/pk-crypto.scm
index f90c2e61d5..7017006a71 100644
--- a/guix/pk-crypto.scm
+++ b/guix/pk-crypto.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -17,9 +17,7 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (guix pk-crypto)
-  #:use-module ((guix utils)
-                #:select (bytevector->base16-string
-                          base16-string->bytevector))
+  #:use-module (guix base16)
   #:use-module (guix gcrypt)
 
   #:use-module (system foreign)
diff --git a/guix/profiles.scm b/guix/profiles.scm
index de82eae348..a62a076f64 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
@@ -933,13 +933,16 @@ files for the truetype fonts of the @var{manifest} entries."
                              #:key
                              (hooks %default-profile-hooks)
                              (locales? #t)
-                             system)
+                             system target)
   "Return a derivation that builds a profile (aka. 'user environment') with
 the given MANIFEST.  The profile includes additional derivations returned by
 the monadic procedures listed in HOOKS--such as an Info 'dir' file, etc.
 
 When LOCALES? is true, the build is performed under a UTF-8 locale; this adds
-a dependency on the 'glibc-utf8-locales' package."
+a dependency on the 'glibc-utf8-locales' package.
+
+When TARGET is true, it must be a GNU triplet, and the packages in MANIFEST
+are cross-built for TARGET."
   (mlet %store-monad ((system (if system
                                   (return system)
                                   (current-system)))
@@ -1000,6 +1003,7 @@ a dependency on the 'glibc-utf8-locales' package."
 
     (gexp->derivation "profile" builder
                       #:system system
+                      #:target target
 
                       ;; Not worth offloading.
                       #:local-build? #t
diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index cad279fb50..8137455a9d 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -1,6 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,11 +44,6 @@
   #:export (guix-archive
             options->derivations+files))
 
-;; XXX: Use this hack instead of #:autoload to avoid compilation errors.
-;; See <http://bugs.gnu.org/12202>.
-(module-autoload! (current-module)
-                  '(guix docker) '(build-docker-image))
-
 
 ;;;
 ;;; Command-line options.
@@ -57,8 +51,7 @@
 
 (define %default-options
   ;; Alist of default option values.
-  `((format . "nar")
-    (system . ,(%current-system))
+  `((system . ,(%current-system))
     (substitutes? . #t)
     (graft? . #t)
     (max-silent-time . 3600)
@@ -70,8 +63,6 @@ Export/import one or more packages from/to the store.\n"))
   (display (_ "
       --export           export the specified files/packages to stdout"))
   (display (_ "
-      --format=FMT       export files/packages in the specified format FMT"))
-  (display (_ "
   -r, --recursive        combined with '--export', include dependencies"))
   (display (_ "
       --import           import from the archive passed on stdin"))
@@ -126,9 +117,6 @@ Export/import one or more packages from/to the store.\n"))
          (option '("export") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'export #t result)))
-         (option '(#\f "format") #t #f
-                 (lambda (opt name arg result . rest)
-                   (alist-cons 'format arg result)))
          (option '(#\r "recursive") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'export-recursive? #t result)))
@@ -258,21 +246,8 @@ resulting archive to the standard output port."
 
     (if (or (assoc-ref opts 'dry-run?)
             (build-derivations store drv))
-        (match (assoc-ref opts 'format)
-          ("nar"
-           (export-paths store files (current-output-port)
-                         #:recursive? (assoc-ref opts 'export-recursive?)))
-          ("docker"
-           (match files
-             ((file)
-              (let ((system (assoc-ref opts 'system)))
-                (format #t "~a\n"
-                        (build-docker-image file #:system system))))
-             (x
-              ;; TODO: Remove this restriction.
-              (leave (_ "only a single item can be exported to Docker~%")))))
-          (format
-           (leave (_ "~a: unknown archive format~%") format)))
+        (export-paths store files (current-output-port)
+                      #:recursive? (assoc-ref opts 'export-recursive?))
         (leave (_ "unable to export the given packages~%")))))
 
 (define (generate-key-pair parameters)
diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm
index d9f799df26..d9a312f1da 100644
--- a/guix/scripts/authenticate.scm
+++ b/guix/scripts/authenticate.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -18,7 +18,7 @@
 
 (define-module (guix scripts authenticate)
   #:use-module (guix config)
-  #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (guix pk-crypto)
   #:use-module (guix pki)
   #:use-module (guix ui)
diff --git a/guix/scripts/download.scm b/guix/scripts/download.scm
index dffff79729..1ddfd648cd 100644
--- a/guix/scripts/download.scm
+++ b/guix/scripts/download.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -21,7 +21,7 @@
   #:use-module (guix scripts)
   #:use-module (guix store)
   #:use-module (guix hash)
-  #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (guix base32)
   #:use-module ((guix download) #:hide (url-fetch))
   #:use-module ((guix build download)
diff --git a/guix/scripts/hash.scm b/guix/scripts/hash.scm
index 640b2417d2..a048b53461 100644
--- a/guix/scripts/hash.scm
+++ b/guix/scripts/hash.scm
@@ -24,7 +24,7 @@
   #:use-module (guix serialization)
   #:use-module (guix ui)
   #:use-module (guix scripts)
-  #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (ice-9 binary-ports)
   #:use-module (rnrs files)
   #:use-module (ice-9 match)
diff --git a/guix/scripts/lint.scm b/guix/scripts/lint.scm
index 776e7332c5..66c82f0409 100644
--- a/guix/scripts/lint.scm
+++ b/guix/scripts/lint.scm
@@ -44,7 +44,8 @@
   #:use-module (web uri)
   #:use-module ((guix build download)
                 #:select (maybe-expand-mirrors
-                          open-connection-for-uri
+                          (open-connection-for-uri
+                           . guix:open-connection-for-uri)
                           close-connection))
   #:use-module (web request)
   #:use-module (web response)
@@ -377,7 +378,8 @@ for connections to complete; when TIMEOUT is #f, wait as long as needed."
       ((or 'http 'https)
        (catch #t
          (lambda ()
-           (let ((port    (open-connection-for-uri uri #:timeout timeout))
+           (let ((port    (guix:open-connection-for-uri
+                           uri #:timeout timeout))
                  (request (build-request uri #:headers headers)))
              (define response
                (dynamic-wind
diff --git a/guix/scripts/pack.scm b/guix/scripts/pack.scm
index 067b1227e0..626c592e1c 100644
--- a/guix/scripts/pack.scm
+++ b/guix/scripts/pack.scm
@@ -24,6 +24,7 @@
   #:use-module (guix store)
   #:use-module (guix grafts)
   #:use-module (guix monads)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix profiles)
   #:use-module (guix derivations)
@@ -32,6 +33,8 @@
   #:use-module (gnu packages compression)
   #:autoload   (gnu packages base) (tar)
   #:autoload   (gnu packages package-management) (guix)
+  #:autoload   (gnu packages gnupg) (libgcrypt)
+  #:autoload   (gnu packages guile) (guile-json)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-9)
   #:use-module (srfi srfi-37)
@@ -43,19 +46,22 @@
 
 ;; Type of a compression tool.
 (define-record-type <compressor>
-  (compressor name package extension command)
+  (compressor name extension command)
   compressor?
-  (name       compressor-name)                    ;string (e.g., "gzip")
-  (package    compressor-package)                 ;package
-  (extension  compressor-extension)               ;string (e.g., "lz")
-  (command    compressor-command))                ;list (e.g., '("gzip" "-9n"))
+  (name       compressor-name)      ;string (e.g., "gzip")
+  (extension  compressor-extension) ;string (e.g., "lz")
+  (command    compressor-command))  ;gexp (e.g., #~("/gnu/store/…/gzip" "-9n"))
 
 (define %compressors
   ;; Available compression tools.
-  (list (compressor "gzip"  gzip  "gz"  '("gzip" "-9n"))
-        (compressor "lzip"  lzip  "lz"  '("lzip" "-9"))
-        (compressor "xz"    xz    "xz"  '("xz" "-e"))
-        (compressor "bzip2" bzip2 "bz2" '("bzip2" "-9"))))
+  (list (compressor "gzip"  "gz"
+                    #~(#+(file-append gzip "/bin/gzip") "-9n"))
+        (compressor "lzip"  "lz"
+                    #~(#+(file-append lzip "/bin/lzip") "-9"))
+        (compressor "xz"    "xz"
+                    #~(#+(file-append xz "/bin/xz") "-e"))
+        (compressor "bzip2" "bz2"
+                    #~(#+(file-append bzip2 "/bin/bzip2") "-9"))))
 
 (define (lookup-compressor name)
   "Return the compressor object called NAME.  Error out if it could not be
@@ -67,7 +73,8 @@ found."
       (leave (_ "~a: compressor not found~%") name)))
 
 (define* (self-contained-tarball name profile
-                                 #:key deduplicate?
+                                 #:key target
+                                 deduplicate?
                                  (compressor (first %compressors))
                                  localstatedir?
                                  (symlinks '())
@@ -118,8 +125,7 @@ added to the pack."
                   (string-append #$(if localstatedir?
                                        (file-append guix "/sbin:")
                                        "")
-                                 #$tar "/bin:"
-                                 #$(compressor-package compressor) "/bin"))
+                                 #$tar "/bin"))
 
           ;; Note: there is not much to gain here with deduplication and
           ;; there is the overhead of the '.links' directory, so turn it
@@ -139,7 +145,8 @@ added to the pack."
           (with-directory-excursion %root
             (exit
              (zero? (apply system* "tar"
-                           "-I" #$(string-join (compressor-command compressor))
+                           "-I"
+                           (string-join '#+(compressor-command compressor))
                            "--format=gnu"
 
                            ;; Avoid non-determinism in the archive.  Use
@@ -177,6 +184,63 @@ added to the pack."
                     build
                     #:references-graphs `(("profile" ,profile))))
 
+(define* (docker-image name profile
+                       #:key target
+                       deduplicate?
+                       (compressor (first %compressors))
+                       localstatedir?
+                       (symlinks '())
+                       (tar tar))
+  "Return a derivation to construct a Docker image of PROFILE.  The
+image is a tarball conforming to the Docker Image Specification, compressed
+with COMPRESSOR.  It can be passed to 'docker load'.  If TARGET is true, it
+must a be a GNU triplet and it is used to derive the architecture metadata in
+the image."
+  ;; FIXME: Honor LOCALSTATEDIR?.
+  (define not-config?
+    (match-lambda
+      (('guix 'config) #f)
+      (('guix rest ...) #t)
+      (('gnu rest ...) #t)
+      (rest #f)))
+
+  (define config
+    ;; (guix config) module for consumption by (guix gcrypt).
+    (scheme-file "gcrypt-config.scm"
+                 #~(begin
+                     (define-module (guix config)
+                       #:export (%libgcrypt))
+
+                     ;; XXX: Work around <http://bugs.gnu.org/15602>.
+                     (eval-when (expand load eval)
+                       (define %libgcrypt
+                         #+(file-append libgcrypt "/lib/libgcrypt"))))))
+
+  (define build
+    (with-imported-modules `(,@(source-module-closure '((guix docker))
+                                                      #:select? not-config?)
+                             ((guix config) => ,config))
+      #~(begin
+          ;; Guile-JSON is required by (guix docker).
+          (add-to-load-path
+           (string-append #$guile-json "/share/guile/site/"
+                          (effective-version)))
+
+          (use-modules (guix docker) (srfi srfi-19))
+
+          (setenv "PATH" (string-append #$tar "/bin"))
+
+          (build-docker-image #$output #$profile
+                              #:system (or #$target (utsname:machine (uname)))
+                              #:closure "profile"
+                              #:symlinks '#$symlinks
+                              #:compressor '#$(compressor-command compressor)
+                              #:creation-time (make-time time-utc 0 1)))))
+
+  (gexp->derivation (string-append name ".tar."
+                                   (compressor-extension compressor))
+                    build
+                    #:references-graphs `(("profile" ,profile))))
 
 
 ;;;
@@ -185,7 +249,8 @@ added to the pack."
 
 (define %default-options
   ;; Alist of default option values.
-  `((system . ,(%current-system))
+  `((format . tarball)
+    (system . ,(%current-system))
     (substitutes? . #t)
     (graft? . #t)
     (max-silent-time . 3600)
@@ -193,6 +258,11 @@ added to the pack."
     (symlinks . ())
     (compressor . ,(first %compressors))))
 
+(define %formats
+  ;; Supported pack formats.
+  `((tarball . ,self-contained-tarball)
+    (docker  . ,docker-image)))
+
 (define %options
   ;; Specifications of the command-line options.
   (cons* (option '(#\h "help") #f #f
@@ -206,19 +276,27 @@ added to the pack."
          (option '(#\n "dry-run") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'dry-run? #t (alist-cons 'graft? #f result))))
+         (option '(#\f "format") #t #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'format (string->symbol arg) result)))
          (option '(#\s "system") #t #f
                  (lambda (opt name arg result)
                    (alist-cons 'system arg
                                (alist-delete 'system result eq?))))
+         (option '("target") #t #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'target arg
+                               (alist-delete 'target result eq?))))
          (option '(#\C "compression") #t #f
                  (lambda (opt name arg result)
                    (alist-cons 'compressor (lookup-compressor arg)
                                result)))
          (option '(#\S "symlink") #t #f
                  (lambda (opt name arg result)
-                   (match (string-tokenize arg
-                                           (char-set-complement
-                                            (char-set #\=)))
+                   ;; Note: Using 'string-split' allows us to handle empty
+                   ;; TARGET (as in "/opt/guile=", meaning that /opt/guile is
+                   ;; a symlink to the profile) correctly.
+                   (match (string-split arg (char-set #\=))
                      ((source target)
                       (let ((symlinks (assoc-ref result 'symlinks)))
                         (alist-cons 'symlinks
@@ -242,8 +320,12 @@ Create a bundle of PACKAGE.\n"))
   (show-transformation-options-help)
   (newline)
   (display (_ "
+  -f, --format=FORMAT    build a pack in the given FORMAT"))
+  (display (_ "
   -s, --system=SYSTEM    attempt to build for SYSTEM--e.g., \"i686-linux\""))
   (display (_ "
+      --target=TRIPLET   cross-build for TRIPLET--e.g., \"armel-linux-gnu\""))
+  (display (_ "
   -C, --compression=TOOL compress using TOOL--e.g., \"lzip\""))
   (display (_ "
   -S, --symlink=SPEC     create symlinks to the profile according to SPEC"))
@@ -280,20 +362,35 @@ Create a bundle of PACKAGE.\n"))
                                     (specification->package+output spec))
                                 list))
                             specs))
-             (compressor (assoc-ref opts 'compressor))
-             (symlinks   (assoc-ref opts 'symlinks))
+             (pack-format (assoc-ref opts 'format))
+             (name        (string-append (symbol->string pack-format)
+                                         "-pack"))
+             (target      (assoc-ref opts 'target))
+             (compressor  (assoc-ref opts 'compressor))
+             (symlinks    (assoc-ref opts 'symlinks))
+             (build-image (match (assq-ref %formats pack-format)
+                            ((? procedure? proc) proc)
+                            (#f
+                             (leave (_ "~a: unknown pack format")
+                                    format))))
              (localstatedir? (assoc-ref opts 'localstatedir?)))
         (with-store store
+          ;; Set the build options before we do anything else.
+          (set-build-options-from-command-line store opts)
+
           (run-with-store store
             (mlet* %store-monad ((profile (profile-derivation
-                                           (packages->manifest packages)))
-                                 (drv (self-contained-tarball "pack" profile
-                                                              #:compressor
-                                                              compressor
-                                                              #:symlinks
-                                                              symlinks
-                                                              #:localstatedir?
-                                                              localstatedir?)))
+                                           (packages->manifest packages)
+                                           #:target target))
+                                 (drv (build-image name profile
+                                                   #:target
+                                                   target
+                                                   #:compressor
+                                                   compressor
+                                                   #:symlinks
+                                                   symlinks
+                                                   #:localstatedir?
+                                                   localstatedir?)))
               (mbegin %store-monad
                 (show-what-to-build* (list drv)
                                      #:use-substitutes?
diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm
index 524b019a31..faeb019120 100755
--- a/guix/scripts/substitute.scm
+++ b/guix/scripts/substitute.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -34,7 +34,8 @@
   #:use-module ((guix build download)
                 #:select (current-terminal-columns
                           progress-proc uri-abbreviation nar-uri-abbreviation
-                          open-connection-for-uri
+                          (open-connection-for-uri
+                           . guix:open-connection-for-uri)
                           close-connection
                           store-path-abbreviation byte-count->string))
   #:use-module (ice-9 rdelim)
@@ -210,8 +211,8 @@ provide."
                  (close-connection port))))
            (begin
              (when (or (not port) (port-closed? port))
-               (set! port (open-connection-for-uri uri
-                                                   #:verify-certificate? #f))
+               (set! port (guix:open-connection-for-uri
+                           uri #:verify-certificate? #f))
                (unless (or buffered? (not (file-port? port)))
                  (setvbuf port _IONBF)))
              (http-fetch uri #:text? #f #:port port
@@ -247,9 +248,10 @@ failure, return #f and #f."
                    read-cache-info)
                  #f))
         ((http https)
-         (let ((port (open-connection-for-uri uri
-                                              #:verify-certificate? #f
-                                              #:timeout %fetch-timeout)))
+         (let ((port (guix:open-connection-for-uri
+                      uri
+                      #:verify-certificate? #f
+                      #:timeout %fetch-timeout)))
            (guard (c ((http-get-error? c)
                       (warning (_ "while fetching '~a': ~a (~s)~%")
                                (uri->string (http-get-error-uri c))
@@ -533,9 +535,10 @@ initial connection on which HTTP requests are sent."
                 (result   seed))
     ;; (format (current-error-port) "connecting (~a requests left)..."
     ;;         (length requests))
-    (let ((p (or port (open-connection-for-uri base-uri
-                                               #:verify-certificate?
-                                               verify-certificate?))))
+    (let ((p (or port (guix:open-connection-for-uri
+                       base-uri
+                       #:verify-certificate?
+                       verify-certificate?))))
       ;; For HTTPS, P is not a file port and does not support 'setvbuf'.
       (when (file-port? p)
         (setvbuf p _IOFBF (expt 2 16)))
diff --git a/guix/serialization.scm b/guix/serialization.scm
index 4cab5910f7..4a8cd2086e 100644
--- a/guix/serialization.scm
+++ b/guix/serialization.scm
@@ -130,8 +130,7 @@
   ;; <http://bugs.gnu.org/19621>.  See <http://bugs.gnu.org/19610> for
   ;; a discussion.
   (let ((bv (read-byte-string p)))
-    ;; XXX: Rewrite using (ice-9 iconv) when the minimum requirement is
-    ;; upgraded to Guile >= 2.0.9.
+    ;; XXX: Rewrite using (ice-9 iconv).
     (list->string (map integer->char (bytevector->u8-list bv)))))
 
 (define (read-maybe-utf8-string p)
diff --git a/guix/store.scm b/guix/store.scm
index cce460f3ce..2f05351767 100644
--- a/guix/store.scm
+++ b/guix/store.scm
@@ -22,6 +22,7 @@
   #:use-module (guix memoization)
   #:use-module (guix serialization)
   #:use-module (guix monads)
+  #:use-module (guix base16)
   #:autoload   (guix base32) (bytevector->base32-string)
   #:autoload   (guix build syscalls) (terminal-columns)
   #:use-module (rnrs bytevectors)
diff --git a/guix/utils.scm b/guix/utils.scm
index b72e3f233f..bc90686de0 100644
--- a/guix/utils.scm
+++ b/guix/utils.scm
@@ -28,15 +28,12 @@
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-39)
-  #:use-module (srfi srfi-60)
-  #:use-module (rnrs bytevectors)
   #:use-module (ice-9 binary-ports)
   #:autoload   (rnrs io ports) (make-custom-binary-input-port)
   #:use-module ((rnrs bytevectors) #:select (bytevector-u8-set!))
   #:use-module (guix memoization)
   #:use-module ((guix build utils) #:select (dump-port))
   #:use-module ((guix build syscalls) #:select (mkdtemp! fdatasync))
-  #:use-module (ice-9 vlist)
   #:use-module (ice-9 format)
   #:autoload   (ice-9 popen)  (open-pipe*)
   #:autoload   (ice-9 rdelim) (read-line)
@@ -46,10 +43,7 @@
   #:use-module ((ice-9 iconv) #:prefix iconv:)
   #:use-module (system foreign)
   #:re-export (memoize)         ; for backwards compatibility
-  #:export (bytevector->base16-string
-            base16-string->bytevector
-
-            strip-keyword-arguments
+  #:export (strip-keyword-arguments
             default-keyword-arguments
             substitute-keyword-arguments
             ensure-keyword-arguments
@@ -100,63 +94,6 @@
 
 
 ;;;
-;;; Base 16.
-;;;
-
-(define (bytevector->base16-string bv)
-  "Return the hexadecimal representation of BV's contents."
-  (define len
-    (bytevector-length bv))
-
-  (let-syntax ((base16-chars (lambda (s)
-                               (syntax-case s ()
-                                 (_
-                                  (let ((v (list->vector
-                                            (unfold (cut > <> 255)
-                                                    (lambda (n)
-                                                      (format #f "~2,'0x" n))
-                                                    1+
-                                                    0))))
-                                    v))))))
-    (define chars base16-chars)
-    (let loop ((i len)
-               (r '()))
-      (if (zero? i)
-          (string-concatenate r)
-          (let ((i (- i 1)))
-            (loop i
-                  (cons (vector-ref chars (bytevector-u8-ref bv i)) r)))))))
-
-(define base16-string->bytevector
-  (let ((chars->value (fold (lambda (i r)
-                              (vhash-consv (string-ref (number->string i 16)
-                                                       0)
-                                           i r))
-                            vlist-null
-                            (iota 16))))
-    (lambda (s)
-      "Return the bytevector whose hexadecimal representation is string S."
-      (define bv
-        (make-bytevector (quotient (string-length s) 2) 0))
-
-      (string-fold (lambda (chr i)
-                     (let ((j (quotient i 2))
-                           (v (and=> (vhash-assv chr chars->value) cdr)))
-                       (if v
-                           (if (zero? (logand i 1))
-                               (bytevector-u8-set! bv j
-                                                   (arithmetic-shift v 4))
-                               (let ((w (bytevector-u8-ref bv j)))
-                                 (bytevector-u8-set! bv j (logior v w))))
-                           (error "invalid hexadecimal character" chr)))
-                     (+ i 1))
-                   0
-                   s)
-      bv)))
-
-
-
-;;;
 ;;; Filtering & pipes.
 ;;;
 
diff --git a/tests/base16.scm b/tests/base16.scm
new file mode 100644
index 0000000000..a64b650bec
--- /dev/null
+++ b/tests/base16.scm
@@ -0,0 +1,34 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (test-base16)
+  #:use-module (guix base16)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-64)
+  #:use-module (rnrs bytevectors))
+
+(test-begin "base16")
+
+(test-assert "bytevector->base16-string->bytevector"
+  (every (lambda (bv)
+           (equal? (base16-string->bytevector
+                    (bytevector->base16-string bv))
+                   bv))
+         (map string->utf8 '("" "f" "fo" "foo" "foob" "fooba" "foobar"))))
+
+(test-end "base16")
diff --git a/tests/gexp.scm b/tests/gexp.scm
index baf78837ae..b3f7323984 100644
--- a/tests/gexp.scm
+++ b/tests/gexp.scm
@@ -598,6 +598,23 @@
                             get-bytevector-all))))
                 files))))))
 
+(test-assertm "imported-files with file-like objects"
+  (mlet* %store-monad ((plain -> (plain-file "foo" "bar!"))
+                       (q-scm -> (search-path %load-path "ice-9/q.scm"))
+                       (files -> `(("a/b/c" . ,q-scm)
+                                   ("p/q"   . ,plain)))
+                       (drv      (imported-files files)))
+    (mbegin %store-monad
+      (built-derivations (list drv))
+      (mlet %store-monad ((dir -> (derivation->output-path drv))
+                          (plain* (text-file "foo" "bar!"))
+                          (q-scm* (interned-file q-scm "c")))
+        (return
+         (and (string=? (readlink (string-append dir "/a/b/c"))
+                        q-scm*)
+              (string=? (readlink (string-append dir "/p/q"))
+                        plain*)))))))
+
 (test-equal "gexp-modules & ungexp"
   '((bar) (foo))
   ((@@ (guix gexp) gexp-modules)
@@ -668,6 +685,28 @@
                      (equal? '(chdir "/foo")
                              (call-with-input-file b read))))))))
 
+(test-assertm "gexp->derivation & with-imported-module & computed module"
+  (mlet* %store-monad
+      ((module -> (scheme-file "x" #~(begin
+                                       (define-module (foo bar)
+                                         #:export (the-answer))
+
+                                       (define the-answer 42))))
+       (build -> (with-imported-modules `(((foo bar) => ,module)
+                                          (guix build utils))
+                   #~(begin
+                       (use-modules (guix build utils)
+                                    (foo bar))
+                       mkdir-p
+                       (call-with-output-file #$output
+                         (lambda (port)
+                           (write the-answer port))))))
+       (drv      (gexp->derivation "thing" build))
+       (out ->   (derivation->output-path drv)))
+    (mbegin %store-monad
+      (built-derivations (list drv))
+      (return (= 42 (call-with-input-file out read))))))
+
 (test-assertm "gexp->derivation #:references-graphs"
   (mlet* %store-monad
       ((one (text-file "one" (random-text)))
diff --git a/tests/guix-build.sh b/tests/guix-build.sh
index e1ec560641..ab911b7210 100644
--- a/tests/guix-build.sh
+++ b/tests/guix-build.sh
@@ -1,5 +1,5 @@
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012, 2013, 2014, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 #
 # This file is part of GNU Guix.
 #
@@ -160,7 +160,7 @@ rm -f "$result"
 guix build coreutils --target=mips64el-linux-gnu --dry-run --no-substitutes
 
 # Replacements.
-drv1=`guix build guix --with-input=guile=guile-next -d`
+drv1=`guix build guix --with-input=guile@2.0=guile@2.2 -d`
 drv2=`guix build guix -d`
 test "$drv1" != "$drv2"
 
diff --git a/tests/hash.scm b/tests/hash.scm
index 86501dca2d..b189e435c8 100644
--- a/tests/hash.scm
+++ b/tests/hash.scm
@@ -18,7 +18,7 @@
 
 (define-module (test-hash)
   #:use-module (guix hash)
-  #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-64)
diff --git a/tests/nar.scm b/tests/nar.scm
index 28ead8b783..61646db964 100644
--- a/tests/nar.scm
+++ b/tests/nar.scm
@@ -35,6 +35,7 @@
   #:use-module (srfi srfi-64)
   #:use-module (ice-9 ftw)
   #:use-module (ice-9 regex)
+  #:use-module ((ice-9 control) #:select (let/ec))
   #:use-module (ice-9 match))
 
 ;; Test the (guix nar) module.
@@ -148,17 +149,6 @@
   (string-append (dirname (search-path %load-path "pre-inst-env"))
                  "/test-nar-" (number->string (getpid))))
 
-(define-syntax-rule (let/ec k exp...)
-  ;; This one appeared in Guile 2.0.9, so provide a copy here.
-  (let ((tag (make-prompt-tag)))
-    (call-with-prompt tag
-      (lambda ()
-        (let ((k (lambda args
-                   (apply abort-to-prompt tag args))))
-          exp...))
-      (lambda (_ . args)
-        (apply values args)))))
-
 
 (test-begin "nar")
 
diff --git a/tests/pack.scm b/tests/pack.scm
index de9ef8e6ab..eb643c3229 100644
--- a/tests/pack.scm
+++ b/tests/pack.scm
@@ -42,7 +42,8 @@
 (define %gzip-compressor
   ;; Compressor that uses the bootstrap 'gzip'.
   ((@ (guix scripts pack) compressor) "gzip"
-   %bootstrap-coreutils&co "gz" '("gzip" "-6n")))
+   "gz"
+   #~(#+(file-append %bootstrap-coreutils&co "/bin/gzip") "-6n")))
 
 (define %tar-bootstrap %bootstrap-coreutils&co)
 
diff --git a/tests/pk-crypto.scm b/tests/pk-crypto.scm
index 5024a15a43..fe33a6f7b5 100644
--- a/tests/pk-crypto.scm
+++ b/tests/pk-crypto.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -19,6 +19,7 @@
 (define-module (test-pk-crypto)
   #:use-module (guix pk-crypto)
   #:use-module (guix utils)
+  #:use-module (guix base16)
   #:use-module (guix hash)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-11)
diff --git a/tests/profiles.scm b/tests/profiles.scm
index 5536364889..d0b1e14a86 100644
--- a/tests/profiles.scm
+++ b/tests/profiles.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -212,6 +212,35 @@
                                        #:locales? #f)))
     (return (derivation-inputs drv))))
 
+(test-assertm "profile-derivation, cross-compilation"
+  (mlet* %store-monad
+      ((manifest -> (packages->manifest (list packages:sed packages:grep)))
+       (target ->   "arm-linux-gnueabihf")
+       (grep        (package->cross-derivation packages:grep target))
+       (sed         (package->cross-derivation packages:sed target))
+       (locales     (package->derivation packages:glibc-utf8-locales))
+       (drv         (profile-derivation manifest
+                                        #:hooks '()
+                                        #:locales? #t
+                                        #:target target)))
+    (define (find-input name)
+      (let ((name (string-append name ".drv")))
+        (any (lambda (input)
+               (let ((input (derivation-input-path input)))
+                 (and (string-suffix? name input) input)))
+             (derivation-inputs drv))))
+
+    ;; The inputs for grep and sed should be cross-build derivations, but that
+    ;; for the glibc-utf8-locales should be a native build.
+    (return (and (string=? (derivation-system drv) (%current-system))
+                 (string=? (find-input (package-full-name packages:grep))
+                           (derivation-file-name grep))
+                 (string=? (find-input (package-full-name packages:sed))
+                           (derivation-file-name sed))
+                 (string=? (find-input
+                            (package-full-name packages:glibc-utf8-locales))
+                           (derivation-file-name locales))))))
+
 (test-assert "package->manifest-entry defaults to \"out\""
   (let ((outputs (package-outputs packages:glibc)))
     (equal? (manifest-entry-output
diff --git a/tests/utils.scm b/tests/utils.scm
index bcfaa14faa..035886dd16 100644
--- a/tests/utils.scm
+++ b/tests/utils.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;;
@@ -36,13 +36,6 @@
 
 (test-begin "utils")
 
-(test-assert "bytevector->base16-string->bytevector"
-  (every (lambda (bv)
-           (equal? (base16-string->bytevector
-                    (bytevector->base16-string bv))
-                   bv))
-         (map string->utf8 '("" "f" "fo" "foo" "foob" "fooba" "foobar"))))
-
 (test-assert "gnu-triplet->nix-system"
   (let ((samples '(("i586-gnu0.3" "i686-gnu")
                    ("x86_64-unknown-linux-gnu" "x86_64-linux")