summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/calibre-no-updates-dialog.patch22
-rw-r--r--gnu/packages/patches/calibre-remove-test-sqlite.patch21
-rw-r--r--gnu/packages/patches/calibre-remove-test-unrar.patch24
-rw-r--r--gnu/packages/patches/chez-scheme-build-util-paths-backport.patch780
-rw-r--r--gnu/packages/patches/containerd-test-with-go1.13.patch21
-rw-r--r--gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch64
-rw-r--r--gnu/packages/patches/gimp-make-gegl-introspect-optional.patch43
-rw-r--r--gnu/packages/patches/imagemagick-CVE-2020-27829.patch27
-rw-r--r--gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch26
-rw-r--r--gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch35
-rw-r--r--gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch25
-rw-r--r--gnu/packages/patches/libvirt-add-install-prefix.patch329
-rw-r--r--gnu/packages/patches/linphone-desktop-without-sdk.patch235
-rw-r--r--gnu/packages/patches/linphoneqt-tabbutton.patch96
-rw-r--r--gnu/packages/patches/lksctp-tools-1.0.18-fix-header-file-name.patch32
-rw-r--r--gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch100
-rw-r--r--gnu/packages/patches/mariadb-CVE-2021-27928.patch642
-rw-r--r--gnu/packages/patches/mediastreamer2-srtp2.patch155
-rw-r--r--gnu/packages/patches/opendht-fix-jami.patch33
-rw-r--r--gnu/packages/patches/pidgin-vv-gst.patch48
-rw-r--r--gnu/packages/patches/pyqt-public-sip.patch55
-rw-r--r--gnu/packages/patches/qemu-build-info-manual.patch2
-rw-r--r--gnu/packages/patches/qemu-glibc-2.30.patch57
-rw-r--r--gnu/packages/patches/racket-sh-via-rktio.patch87
-rw-r--r--gnu/packages/patches/runc-CVE-2019-5736.patch343
-rw-r--r--gnu/packages/patches/upx-CVE-2021-20285.patch76
-rw-r--r--gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch14
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2021-30004.patch115
28 files changed, 2715 insertions, 792 deletions
diff --git a/gnu/packages/patches/calibre-no-updates-dialog.patch b/gnu/packages/patches/calibre-no-updates-dialog.patch
index 1d8d79660e..66ac913cb5 100644
--- a/gnu/packages/patches/calibre-no-updates-dialog.patch
+++ b/gnu/packages/patches/calibre-no-updates-dialog.patch
@@ -1,11 +1,17 @@
-Taken from debian.
+From 19e8d7701c302b0eca4c638705a6db625352caa3 Mon Sep 17 00:00:00 2001
+From: Brendan Tildesley <mail@brendan.scot>
+Date: Thu, 25 Feb 2021 12:17:30 +1100
+Subject: [PATCH] Don't check for updates.
 
-# Description: Disable update check by default.
-Index: calibre/src/calibre/gui2/main.py
-===================================================================
---- calibre.orig/src/calibre/gui2/main.py	2014-02-02 10:41:28.470954623 +0100
-+++ calibre/src/calibre/gui2/main.py	2014-02-02 10:41:56.546954247 +0100
-@@ -37,8 +37,8 @@
+---
+ src/calibre/gui2/main.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/calibre/gui2/main.py b/src/calibre/gui2/main.py
+index 776f8bebfb..4302716d7e 100644
+--- a/src/calibre/gui2/main.py
++++ b/src/calibre/gui2/main.py
+@@ -59,8 +59,8 @@ def option_parser():
                        help=_('Start minimized to system tray.'))
      parser.add_option('-v', '--verbose', default=0, action='count',
                        help=_('Ignored, do not use. Present only for legacy reasons'))
@@ -16,3 +22,5 @@ Index: calibre/src/calibre/gui2/main.py
      parser.add_option('--ignore-plugins', default=False, action='store_true',
              help=_('Ignore custom plugins, useful if you installed a plugin'
                  ' that is preventing calibre from starting'))
+--
+2.30.1
diff --git a/gnu/packages/patches/calibre-remove-test-sqlite.patch b/gnu/packages/patches/calibre-remove-test-sqlite.patch
index 7bdd90874d..fc2b237ef2 100644
--- a/gnu/packages/patches/calibre-remove-test-sqlite.patch
+++ b/gnu/packages/patches/calibre-remove-test-sqlite.patch
@@ -1,20 +1,20 @@
-From a92e26359bd07743ab105819ed0b619e27e14017 Mon Sep 17 00:00:00 2001
+From d8225e83c3b73f0e0da73874910f50ca652f48cf Mon Sep 17 00:00:00 2001
 From: Brendan Tildesley <mail@brendan.scot>
-Date: Sat, 27 Apr 2019 03:30:53 +1000
-Subject: [PATCH] Disable test_sqlite.
+Date: Thu, 25 Feb 2021 00:48:00 +1100
+Subject: [PATCH] Remove test_sqlite
 
 ---
  src/calibre/test_build.py | 6 ------
  1 file changed, 6 deletions(-)
 
 diff --git a/src/calibre/test_build.py b/src/calibre/test_build.py
-index 07bdffd3e5..740588c95b 100644
+index 0ab7aa0646..87fdfabd9a 100644
 --- a/src/calibre/test_build.py
 +++ b/src/calibre/test_build.py
-@@ -162,12 +162,6 @@ class BuildTest(unittest.TestCase):
-             au(x, 'strftime')
-             self.assertEqual(unicode_type(time.strftime(fmt.replace('%e', '%#d'), t)), x)
- 
+@@ -273,12 +273,6 @@ def read_changes():
+         m.close()
+         self.assertEqual(winutil.parse_cmdline('"c:\\test exe.exe" "some arg" 2'), ('c:\\test exe.exe', 'some arg', '2'))
+
 -    def test_sqlite(self):
 -        import sqlite3
 -        conn = sqlite3.connect(':memory:')
@@ -24,6 +24,5 @@ index 07bdffd3e5..740588c95b 100644
      def test_apsw(self):
          import apsw
          conn = apsw.Connection(':memory:')
--- 
-2.21.0
-
+--
+2.30.1
diff --git a/gnu/packages/patches/calibre-remove-test-unrar.patch b/gnu/packages/patches/calibre-remove-test-unrar.patch
index 4e5572d1a6..961cc3eba7 100644
--- a/gnu/packages/patches/calibre-remove-test-unrar.patch
+++ b/gnu/packages/patches/calibre-remove-test-unrar.patch
@@ -1,28 +1,26 @@
-Unrar contains security vulnerabilities and has thus been removed from Guix.
-From a16f97b02bd8afd0ec05c471e156f631f2cc6eec Mon Sep 17 00:00:00 2001
+From 9edf67191cc3655480b6fd418247709ade930b1a Mon Sep 17 00:00:00 2001
 From: Brendan Tildesley <mail@brendan.scot>
-Date: Tue, 26 Mar 2019 22:17:03 +1100
-Subject: [PATCH] Remove test_unrar.
+Date: Thu, 25 Feb 2021 00:33:10 +1100
+Subject: [PATCH] Remove test_unrar
 
 ---
  src/calibre/test_build.py | 4 ----
  1 file changed, 4 deletions(-)
 
 diff --git a/src/calibre/test_build.py b/src/calibre/test_build.py
-index d67afd20a6..709132ef17 100644
+index b37fb1bcfb..0ab7aa0646 100644
 --- a/src/calibre/test_build.py
 +++ b/src/calibre/test_build.py
-@@ -220,10 +220,6 @@ class BuildTest(unittest.TestCase):
+@@ -369,10 +369,6 @@ def test_file_dialog_helper(self):
          from calibre.gui2.win_file_dialogs import test
          test()
- 
+
 -    def test_unrar(self):
 -        from calibre.utils.unrar import test_basic
 -        test_basic()
 -
-     @unittest.skipUnless(iswindows, 'WPD is windows only')
-     def test_wpd(self):
-         wpd = plugins['wpd'][0]
--- 
-2.21.0
-
+     def test_7z(self):
+         from calibre.utils.seven_zip import test_basic
+         test_basic()
+--
+2.30.1
diff --git a/gnu/packages/patches/chez-scheme-build-util-paths-backport.patch b/gnu/packages/patches/chez-scheme-build-util-paths-backport.patch
new file mode 100644
index 0000000000..aad2d99996
--- /dev/null
+++ b/gnu/packages/patches/chez-scheme-build-util-paths-backport.patch
@@ -0,0 +1,780 @@
+From 2447e047b750c3371778beb487f881641a582e66 Mon Sep 17 00:00:00 2001
+From: Philip McGrath <philip@philipmcgrath.com>
+Date: Thu, 11 Mar 2021 18:17:47 -0500
+Subject: [PATCH] avoid hard-coded paths for utilities in build scripts
+
+Backported from
+https://github.com/cisco/ChezScheme/commit/8f4633ce24ac6425b2ab13cc78026b1c9bb5361e
+
+Specific changes:
+  - `cc` -> `$(CC)`
+  - `/bin/rm` -> `rm`
+  - `/bin/ln` -> `ln`
+  - `/bin/cp` -> `cp`
+  - `/bin/echo` -> `echo`
+  - in `makefiles/installsh`, add a case to find `true`
+    at an unusual path or as a shell builtin
+
+Co-authored-by: Andy Keep <akeep@robotman.org>
+---
+ LOG                                 | 12 ++++++++++++
+ csug/gifs/Makefile                  |  8 ++++----
+ csug/math/Makefile                  |  4 ++--
+ examples/Makefile                   |  2 +-
+ makefiles/Makefile-csug.in          |  6 +++---
+ makefiles/Makefile-release_notes.in |  2 +-
+ makefiles/Mf-install.in             |  4 ++--
+ makefiles/installsh                 |  3 ++-
+ mats/6.ms                           |  2 +-
+ mats/Mf-a6fb                        |  4 ++--
+ mats/Mf-a6le                        |  4 ++--
+ mats/Mf-a6nb                        |  4 ++--
+ mats/Mf-a6ob                        |  4 ++--
+ mats/Mf-a6osx                       |  4 ++--
+ mats/Mf-arm32le                     |  4 ++--
+ mats/Mf-i3fb                        |  4 ++--
+ mats/Mf-i3le                        |  4 ++--
+ mats/Mf-i3nb                        |  4 ++--
+ mats/Mf-i3ob                        |  4 ++--
+ mats/Mf-i3osx                       |  4 ++--
+ mats/Mf-i3qnx                       |  4 ++--
+ mats/Mf-ppc32le                     |  4 ++--
+ mats/Mf-ta6fb                       |  4 ++--
+ mats/Mf-ta6le                       |  4 ++--
+ mats/Mf-ta6nb                       |  4 ++--
+ mats/Mf-ta6ob                       |  4 ++--
+ mats/Mf-ta6osx                      |  4 ++--
+ mats/Mf-ti3fb                       |  4 ++--
+ mats/Mf-ti3le                       |  4 ++--
+ mats/Mf-ti3nb                       |  4 ++--
+ mats/Mf-ti3ob                       |  4 ++--
+ mats/Mf-ti3osx                      |  4 ++--
+ mats/Mf-tppc32le                    |  4 ++--
+ mats/unix.ms                        |  4 ++--
+ newrelease                          | 22 +++++++++++-----------
+ pkg/Makefile                        |  2 +-
+ release_notes/gifs/Makefile         |  6 +++---
+ release_notes/math/Makefile         |  4 ++--
+ s/Mf-base                           |  2 +-
+ workarea                            | 10 +++++-----
+ 40 files changed, 101 insertions(+), 88 deletions(-)
+
+diff --git a/LOG b/LOG
+index e1631df..399104d 100644
+--- a/LOG
++++ b/LOG
+@@ -2119,3 +2119,15 @@
+     bintar/Makefile rpm/Makefile pkg/Makefile wininstall/Makefile
+     wininstall/a6nt.wxs wininstall/i3nt.wxs wininstall/ta6nt.wxs
+     wininstall/ti3nt.wxs
++9.5.5 changes:
++- avoid hard-coded paths for utilities in build scripts
++    checkin csug/gifs/Makefile csug/math/Makefile examples/Makefile
++    makefiles/Makefile-csug.in makefiles/Makefile-release_notes.in
++    makefiles/Mf-install.in makefiles/installsh mats/6.ms mats/Mf-a6fb
++    mats/Mf-a6le mats/Mf-a6nb mats/Mf-a6ob mats/Mf-a6osx mats/Mf-arm32le
++    mats/Mf-i3fb mats/Mf-i3le mats/Mf-i3nb mats/Mf-i3ob mats/Mf-i3osx
++    mats/Mf-i3qnx mats/Mf-ppc32le mats/Mf-ta6fb mats/Mf-ta6le mats/Mf-ta6nb
++    mats/Mf-ta6ob mats/Mf-ta6osx mats/Mf-ti3fb mats/Mf-ti3le mats/Mf-ti3nb
++    mats/Mf-ti3ob mats/Mf-ti3osx mats/Mf-tppc32le mats/unix.ms newrelease
++    pkg/Makefile release_notes/gifs/Makefile release_notes/math/Makefile
++    s/Mf-base workarea
+diff --git a/csug/gifs/Makefile b/csug/gifs/Makefile
+index 8676e4c..4253ffd 100644
+--- a/csug/gifs/Makefile
++++ b/csug/gifs/Makefile
+@@ -18,7 +18,7 @@ density=-r90x90
+           ${density} - |\
+           pnmcrop |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f $*.dvi $*.log *.aux
++	rm -f $*.dvi $*.log *.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+ # translate ps file to gif w/o transparent white background
+@@ -28,7 +28,7 @@ density=-r90x90
+           ${density} - |\
+           pnmcrop |\
+           ppmtogif > $*.gif
+-	/bin/rm -f $*.dvi $*.log *.aux
++	rm -f $*.dvi $*.log *.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+ all: ${gifs}
+@@ -57,7 +57,7 @@ ghostRightarrow.gif: Rightarrow.tex
+           giftrans -g '#000000=#ffffff' |\
+           giftopnm |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f Rightarrow.dvi Rightarrow.log Rightarrow.aux
++	rm -f Rightarrow.dvi Rightarrow.log Rightarrow.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+-clean: ; /bin/rm -f *.gif Make.out
++clean: ; rm -f *.gif Make.out
+diff --git a/csug/math/Makefile b/csug/math/Makefile
+index 3385fdb..3392ea8 100644
+--- a/csug/math/Makefile
++++ b/csug/math/Makefile
+@@ -15,11 +15,11 @@ density=-r90x90
+           ${density} - |\
+           pnmcrop |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f $*.dvi $*.log $*.aux
++	rm -f $*.dvi $*.log $*.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+ all: ${gifs}
+
+ ${gifs}: mathmacros
+
+-clean: ; /bin/rm -f *.gif Make.out
++clean: ; rm -f *.gif Make.out
+diff --git a/examples/Makefile b/examples/Makefile
+index b1b4e1d..3edfdd0 100644
+--- a/examples/Makefile
++++ b/examples/Makefile
+@@ -25,4 +25,4 @@ needed:	${obj}
+
+ all: ; echo "(time (for-each compile-file (map symbol->string '(${src}))))" | ${Scheme}
+
+-clean: ; /bin/rm -f $(obj) expr.md
++clean: ; rm -f $(obj) expr.md
+diff --git a/makefiles/Makefile-csug.in b/makefiles/Makefile-csug.in
+index df24092..6f8a8d9 100644
+--- a/makefiles/Makefile-csug.in
++++ b/makefiles/Makefile-csug.in
+@@ -29,7 +29,7 @@ install: target
+ # thrice is not enough when starting from scratch
+ logcheck1: $(x).thirdrun
+ 	@if [ -n "`grep 'Warning: Label(s) may have changed' $(x).log`" ] ; then\
+-            /bin/rm -f $(x).thirdrun ;\
++            rm -f $(x).thirdrun ;\
+             $(MAKE) $(x).thirdrun;\
+          fi
+
+@@ -55,7 +55,7 @@ stexsrc = csug.stex title.stex copyright.stex contents.stex\
+ texsrc = ${stexsrc:%.stex=%.tex}
+
+ title.tex contents.tex bibliography.tex:
+-	/bin/rm -f $*.tex
++	rm -f $*.tex
+ 	echo "%%% DO NOT EDIT THIS FILE" > $*.tex
+ 	echo "%%% Edit the .stex version instead" >> $*.tex
+ 	echo "" >> $*.tex
+@@ -147,7 +147,7 @@ code: $(stexsrc)
+ 	echo '(load "code" pretty-print)' | $(Scheme) -q
+
+ $(x).clean:
+-	-/bin/rm -f $(x).rfm $(x).sfm $(x).prefirstrun $(x).presecondrun\
++	-rm -f $(x).rfm $(x).sfm $(x).prefirstrun $(x).presecondrun\
+                     $(x).prethirdrun $(x).ans\
+                     $(x).hprefirstrun $(x).hpresecondrun $(x).hprethirdrun\
+                     tspl.aux tspl.haux tspl.rfm tspl.idx in.hidx\
+diff --git a/makefiles/Makefile-release_notes.in b/makefiles/Makefile-release_notes.in
+index 4435b6f..64348a4 100644
+--- a/makefiles/Makefile-release_notes.in
++++ b/makefiles/Makefile-release_notes.in
+@@ -38,7 +38,7 @@ install: $x.pdf $x.html
+ 	$(INSTALL) -m 2755 -d $(installdir)/gifs
+ 	$(INSTALL) -m 0644 --ifdiff gifs/*.gif $(installdir)/gifs
+ 	$(INSTALL) -m 2755 -d $(installdir)/math
+-	-/bin/rm -rf $(installdir)/$(mathdir)
++	-rm -rf $(installdir)/$(mathdir)
+ 	$(INSTALL) -m 2755 -d $(installdir)/$(mathdir)
+ 	if [ -e $(mathdir)/0.gif ] ; then $(INSTALL) -m 0644 $(mathdir)/*.gif $(installdir)/$(mathdir) ; fi
+
+diff --git a/makefiles/Mf-install.in b/makefiles/Mf-install.in
+index a702c34..c09043d 100644
+--- a/makefiles/Mf-install.in
++++ b/makefiles/Mf-install.in
+@@ -114,12 +114,12 @@ bininstall: ${Bin}
+ libbininstall: ${LibBin}
+ 	$I -m 444 ${PetiteBoot} ${LibBin}/petite.boot
+ 	if [ "${InstallPetiteName}" != "petite" ]; then\
+-          /bin/rm -f ${LibBin}/${InstallPetiteName}.boot;\
++          rm -f ${LibBin}/${InstallPetiteName}.boot;\
+           ln -f ${LibBin}/petite.boot ${LibBin}/${InstallPetiteName}.boot;\
+         fi
+ 	$I -m 444 ${SchemeBoot} ${LibBin}/scheme.boot;\
+ 	if [ "${InstallSchemeName}" != "scheme" ]; then\
+-          /bin/rm -f ${LibBin}/${InstallSchemeName}.boot;\
++          rm -f ${LibBin}/${InstallSchemeName}.boot;\
+           ln -f ${LibBin}/scheme.boot ${LibBin}/${InstallSchemeName}.boot;\
+         fi
+ 	ln -f ${LibBin}/scheme.boot ${LibBin}/${InstallScriptName}.boot;
+diff --git a/makefiles/installsh b/makefiles/installsh
+index 48f1e46..95d85fb 100755
+--- a/makefiles/installsh
++++ b/makefiles/installsh
+@@ -1,7 +1,8 @@
+ #! /bin/sh
+ if [ -x /bin/true ]; then TRUE=/bin/true;
+ elif [ -x /usr/bin/true ]; then TRUE=/usr/bin/true;
+-else echo "Can't find /bin/true or /usr/bin/true" ; exit 1;
++elif command -v true &> /dev/null; then TRUE=true;
++else echo "Can't find /bin/true or /usr/bin/true and no true command" ; exit 1;
+ fi
+
+ while ${TRUE} ; do
+diff --git a/mats/6.ms b/mats/6.ms
+index 102f84b..e504230 100644
+--- a/mats/6.ms
++++ b/mats/6.ms
+@@ -2685,7 +2685,7 @@
+       (begin
+         (system "ln -s ../examples .")
+         (load "examples/fatfib.ss" compile)
+-        (system "/bin/rm examples")
++        (system "rm -f examples")
+         #t))
+   (or (windows?) (embedded?)
+       (equal?
+diff --git a/mats/Mf-a6fb b/mats/Mf-a6fb
+index b16d1b6..ff9e687 100644
+--- a/mats/Mf-a6fb
++++ b/mats/Mf-a6fb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-a6le b/mats/Mf-a6le
+index d6fee09..a3bda76 100644
+--- a/mats/Mf-a6le
++++ b/mats/Mf-a6le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m64 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m64 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-a6nb b/mats/Mf-a6nb
+index 48187ef..0f7ac17 100644
+--- a/mats/Mf-a6nb
++++ b/mats/Mf-a6nb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-a6ob b/mats/Mf-a6ob
+index 12758f3..0ffcccc 100644
+--- a/mats/Mf-a6ob
++++ b/mats/Mf-a6ob
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-a6osx b/mats/Mf-a6osx
+index f1dbf85..57bac22 100644
+--- a/mats/Mf-a6osx
++++ b/mats/Mf-a6osx
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m64 -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m64 -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-arm32le b/mats/Mf-arm32le
+index f33a665..83896eb 100644
+--- a/mats/Mf-arm32le
++++ b/mats/Mf-arm32le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -fomit-frame-pointer -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -fomit-frame-pointer -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3fb b/mats/Mf-i3fb
+index 150cedb..1e4e8fc 100644
+--- a/mats/Mf-i3fb
++++ b/mats/Mf-i3fb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3le b/mats/Mf-i3le
+index 8f521c8..b248620 100644
+--- a/mats/Mf-i3le
++++ b/mats/Mf-i3le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3nb b/mats/Mf-i3nb
+index e81f6ff..8afeb5c 100644
+--- a/mats/Mf-i3nb
++++ b/mats/Mf-i3nb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3ob b/mats/Mf-i3ob
+index 4e3ee1b..fcd4dee 100644
+--- a/mats/Mf-i3ob
++++ b/mats/Mf-i3ob
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3osx b/mats/Mf-i3osx
+index 53c7d4a..a55f6ee 100644
+--- a/mats/Mf-i3osx
++++ b/mats/Mf-i3osx
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-i3qnx b/mats/Mf-i3qnx
+index 724f2db..3e1437a 100644
+--- a/mats/Mf-i3qnx
++++ b/mats/Mf-i3qnx
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ppc32le b/mats/Mf-ppc32le
+index 28151a8..547ca00 100644
+--- a/mats/Mf-ppc32le
++++ b/mats/Mf-ppc32le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ta6fb b/mats/Mf-ta6fb
+index 921d609..5ed233e 100644
+--- a/mats/Mf-ta6fb
++++ b/mats/Mf-ta6fb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ta6le b/mats/Mf-ta6le
+index cd014ec..21c686a 100644
+--- a/mats/Mf-ta6le
++++ b/mats/Mf-ta6le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m64 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m64 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ta6nb b/mats/Mf-ta6nb
+index 6b1929d..9b9b898 100644
+--- a/mats/Mf-ta6nb
++++ b/mats/Mf-ta6nb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ta6ob b/mats/Mf-ta6ob
+index a7aee91..8f25aed 100644
+--- a/mats/Mf-ta6ob
++++ b/mats/Mf-ta6ob
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ta6osx b/mats/Mf-ta6osx
+index 42da5d7..0dd386f 100644
+--- a/mats/Mf-ta6osx
++++ b/mats/Mf-ta6osx
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m64 -pthread -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m64 -pthread -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ti3fb b/mats/Mf-ti3fb
+index c891145..56bf7d3 100644
+--- a/mats/Mf-ti3fb
++++ b/mats/Mf-ti3fb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ti3le b/mats/Mf-ti3le
+index 12e77b8..22b4148 100644
+--- a/mats/Mf-ti3le
++++ b/mats/Mf-ti3le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ti3nb b/mats/Mf-ti3nb
+index 028c652..573946e 100644
+--- a/mats/Mf-ti3nb
++++ b/mats/Mf-ti3nb
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ti3ob b/mats/Mf-ti3ob
+index 8a4741c..4472b60 100644
+--- a/mats/Mf-ti3ob
++++ b/mats/Mf-ti3ob
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-ti3osx b/mats/Mf-ti3osx
+index 6913c34..9273b44 100644
+--- a/mats/Mf-ti3osx
++++ b/mats/Mf-ti3osx
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -pthread -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -pthread -dynamiclib -undefined dynamic_lookup -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/Mf-tppc32le b/mats/Mf-tppc32le
+index a12b515..8b9d9f0 100644
+--- a/mats/Mf-tppc32le
++++ b/mats/Mf-tppc32le
+@@ -21,7 +21,7 @@ fobj = foreign1.so
+ include Mf-base
+
+ foreign1.so: ${fsrc} ../boot/$m/scheme.h
+-	cc -m32 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
++	$(CC) -m32 -pthread -fPIC -shared -I${Include} -o foreign1.so ${fsrc}
+
+ cat_flush: cat_flush.c
+-	cc -o cat_flush cat_flush.c
++	$(CC) -o cat_flush cat_flush.c
+diff --git a/mats/unix.ms b/mats/unix.ms
+index cfba3e7..db7f6f9 100644
+--- a/mats/unix.ms
++++ b/mats/unix.ms
+@@ -72,8 +72,8 @@
+   (mat system
+     (eqv? (with-output-to-file "testfile.ss" void '(replace)) (void))
+     (begin
+-      (system (format "~:[~;/pkg~]/bin/rm testfile.ss" (embedded?)))
+-      (system (format "~:[~;/pkg~]/bin/echo hello > testfile.ss" (embedded?)))
++      (system "rm -f testfile.ss")
++      (system "echo hello > testfile.ss")
+       (let ([p (open-input-file "testfile.ss")])
+         (and (eq? (read p) 'hello)
+              (begin (close-input-port p) #t))))
+diff --git a/newrelease b/newrelease
+index e903956..2d06740 100755
+--- a/newrelease
++++ b/newrelease
+@@ -75,13 +75,13 @@ if ($status != 0) exit 1
+
+ cd $W
+
+-/bin/rm -f BUILDING
++rm -f BUILDING
+ sed -e "s/Chez Scheme Version [^ ]*/Chez Scheme Version $R/" \
+     -e "s/Copyright 1984-.... /Copyright 1984-`date +%Y` /" \
+     ../BUILDING > BUILDING
+ set updatedfiles = ($updatedfiles BUILDING)
+
+-/bin/rm -f NOTICE
++rm -f NOTICE
+ sed -e "s/Chez Scheme Version [^ ]*/Chez Scheme Version $R/" \
+     -e "s/Copyright 1984-.... /Copyright 1984-`date +%Y` /" \
+     ../NOTICE > NOTICE
+@@ -92,19 +92,19 @@ sed -e "s/csv[0-9]\.[0-9]\(\.[0-9]\)*/csv$R/" ../makefiles/Mf-install.in > makef
+ sed -e "s/csug[0-9]\.[0-9]/csug$MR.$mR/" -e "s/csug[0-9]_[0-9]/csug$MR""_$mR/" ../makefiles/Makefile-csug.in > makefiles/Makefile-csug.in
+ set updatedfiles = ($updatedfiles makefiles/Mf-install.in makefiles/Makefile-csug.in)
+
+-/bin/rm scheme.1.in
++rm -f scheme.1.in
+ sed -e "s/Chez Scheme Version [0-9]\.[0-9]\(\.[0-9]\)* .* [0-9][0-9]*/Chez Scheme Version $R `date +'%B %Y'`/" \
+     -e "s/Copyright .* Cisco Systems, Inc./Copyright `date +%Y` Cisco Systems, Inc./" \
+   ../scheme.1.in > scheme.1.in
+ set updatedfiles = ($updatedfiles scheme.1.in)
+
+-/bin/rm -f c/Makefile.{,t}{i3,a6}nt
++rm -f c/Makefile.{,t}{i3,a6}nt
+ foreach fn (c/Makefile.{,t}{a6,i3}nt)
+   set updatedfiles = ($updatedfiles $fn)
+   sed -e "s/csv[0-9][0-9][0-9]*/csv$ZR/g" ../$fn > $fn
+ end
+
+-/bin/rm -f mats/Mf-{,t}{i3,a6}nt
++rm -f mats/Mf-{,t}{i3,a6}nt
+ foreach fn (mats/Mf-{,t}{a6,i3}nt)
+   set updatedfiles = ($updatedfiles $fn)
+   sed -e "s/csv[0-9][0-9][0-9]*/csv$ZR/g" ../$fn > $fn
+@@ -123,11 +123,11 @@ sed -e "s/FILEVERSION .*/FILEVERSION $RCVERSION/"\
+     -e "s/Copyright 1984-..../Copyright 1984-`date +%Y`/g" ../c/scheme.rc > c/scheme.rc
+ set updatedfiles = ($updatedfiles c/scheme.rc)
+
+-/bin/rm -f s/7.ss
++rm -f s/7.ss
+ sed -e "s/nCopyright 1984-..../nCopyright 1984-`date +%Y`/g" ../s/7.ss > s/7.ss
+ set updatedfiles = ($updatedfiles s/7.ss)
+
+-/bin/rm -f s/cmacros.ss
++rm -f s/cmacros.ss
+ set VNUM = `printf "%04x%02x%02x" $MR $mR $bR`
+ sed -e "s/scheme-version #x......../scheme-version #x$VNUM/" ../s/cmacros.ss > s/cmacros.ss
+ set updatedfiles = ($updatedfiles s/cmacros.ss)
+@@ -146,17 +146,17 @@ sed -e "s/Revised\(.*\)for Chez Scheme Version [^ ]*<br>/Revised\1for Chez Schem
+   ../csug/csug.stex > csug/csug.stex
+ set updatedfiles = ($updatedfiles csug/copyright.stex csug/csug.stex)
+
+-/bin/rm bintar/Makefile
++rm -f bintar/Makefile
+ sed -e "s/^version = .*/version = $R/" \
+     -e "s/csv[0-9][0-9][0-9]*/csv$ZR/g" \
+   ../bintar/Makefile > bintar/Makefile
+ set updatedfiles = ($updatedfiles bintar/Makefile)
+
+-/bin/rm rpm/Makefile
++rm -f rpm/Makefile
+ sed -e "s/^version = .*/version = $R/" ../rpm/Makefile > rpm/Makefile
+ set updatedfiles = ($updatedfiles rpm/Makefile)
+
+-/bin/rm pkg/Makefile
++rm -f pkg/Makefile
+ sed -e "s/^version = .*/version = $R/" \
+     -e "s/&copy; .* Cisco Systems/\&copy; `date +%Y` Cisco Systems/" \
+      ../pkg/Makefile > pkg/Makefile
+@@ -170,7 +170,7 @@ foreach fn (wininstall/{,t}{a6,i3}nt.wxs)
+   sed -e "s/csv[0-9][0-9][0-9]*/csv$ZR/" ../$fn > $fn
+ end
+
+-/bin/rm LOG
++rm -f LOG
+ cat ../LOG > LOG
+ echo "" >> LOG
+ echo "$R changes:" >> LOG
+diff --git a/pkg/Makefile b/pkg/Makefile
+index e0eef67..a3fe83f 100644
+--- a/pkg/Makefile
++++ b/pkg/Makefile
+@@ -39,7 +39,7 @@ $(PKG): $(BUILDROOT)/$(PKG)
+           --package-path $(BUILDROOT)\
+           $(PKG)
+ 	sudo chown $(DOTUSER):$(DOTGROUP) $(PKG)
+-	sudo /bin/rm -rf $(RELEASE) $(BUILDROOT)
++	sudo rm -rf $(RELEASE) $(BUILDROOT)
+
+ $(BUILDROOT)/$(PKG): $(PKGCONTENT)
+ 	sudo /usr/bin/pkgbuild\
+diff --git a/release_notes/gifs/Makefile b/release_notes/gifs/Makefile
+index 9572965..701d53a 100644
+--- a/release_notes/gifs/Makefile
++++ b/release_notes/gifs/Makefile
+@@ -15,7 +15,7 @@ density=-r90x90
+           ${density} - |\
+           pnmcrop |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f $*.dvi $*.log *.aux
++	rm -f $*.dvi $*.log *.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+ all: ${gifs}
+@@ -44,7 +44,7 @@ ghostRightarrow.gif: Rightarrow.tex
+           giftrans -g '#000000=#ffffff' |\
+           giftopnm |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f Rightarrow.dvi Rightarrow.log Rightarrow.aux
++	rm -f Rightarrow.dvi Rightarrow.log Rightarrow.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+-clean: ; /bin/rm -f *.gif Make.out
++clean: ; rm -f *.gif Make.out
+diff --git a/release_notes/math/Makefile b/release_notes/math/Makefile
+index b3ffae3..9eca430 100644
+--- a/release_notes/math/Makefile
++++ b/release_notes/math/Makefile
+@@ -16,11 +16,11 @@ density=-r90x90
+           ${density} - |\
+           pnmcrop |\
+           ppmtogif -transparent white > $*.gif
+-	/bin/rm -f $*.dvi $*.log $*.aux
++	rm -f $*.dvi $*.log $*.aux
+ 	test -f $*.gif && chmod 644 $*.gif
+
+ all: ${gifs}
+
+ ${gifs}: mathmacros
+
+-clean: ; /bin/rm -f *.gif Make.out
++clean: ; rm -f *.gif Make.out
+diff --git a/s/Mf-base b/s/Mf-base
+index c709608..40d816c 100644
+--- a/s/Mf-base
++++ b/s/Mf-base
+@@ -206,7 +206,7 @@ profiled:
+ 	$(MAKE) all loadspd=t bp=t PetiteBoot=../boot/$m/xpetite.boot SchemeBoot=../boot/$m/xscheme.boot
+ 	$(MAKE) prettyclean
+ 	$(MAKE) io.$m loadspd=t dumpbpd=t Scheme="../bin/$m/scheme -b ../boot/$m/xpetite.boot -b ../boot/$m/xscheme.boot"
+-	/bin/rm -f ../boot/$m/xpetite.boot ../boot/$m/xscheme.boot
++	rm -f ../boot/$m/xpetite.boot ../boot/$m/xscheme.boot
+ 	$(MAKE) prettyclean
+ 	$(MAKE) all loadspd=t loadbpd=t
+
+diff --git a/workarea b/workarea
+index bacc712..0461919 100755
+--- a/workarea
++++ b/workarea
+@@ -70,9 +70,9 @@ esac
+
+ if [ "$OS" = "Windows_NT" ]
+ then
+-    ln="/bin/cp -R"
++    ln="cp -R"
+ else
+-    ln="/bin/ln -s"
++    ln="ln -s"
+ fi
+
+ # This shell script creates a workarea for local modifications to the
+@@ -102,7 +102,7 @@ workln()
+ forceworkln()
+ {
+     if [ ! -e $2 ] ; then
+-        /bin/ln -s $1 $2 2> /dev/null
++        ln -s $1 $2 2> /dev/null
+     fi
+ }
+
+@@ -168,13 +168,13 @@ done
+ # deep copy submodules where builds occur so changes don't propagate through symlinks
+ for dir in `echo zlib` ; do
+   if [ ! -e $W/$dir ] ; then
+-    /bin/cp -R $dir $W/$dir
++    cp -R $dir $W/$dir
+   fi
+ done
+
+ for dir in `echo lz4` ; do
+   if [ ! -e $W/$dir ] ; then
+-    /bin/cp -R $dir $W/$dir
++    cp -R $dir $W/$dir
+   fi
+ done
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/gnu/packages/patches/containerd-test-with-go1.13.patch b/gnu/packages/patches/containerd-test-with-go1.13.patch
deleted file mode 100644
index 964adee9e6..0000000000
--- a/gnu/packages/patches/containerd-test-with-go1.13.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Compatibility fix for go 1.13, flag.Parse() shouldn't be called during
-package initialization.
-https://golang.org/doc/go1.13#testing
---- a/client_test.go	2020-02-12 14:50:28.991245371 -0500
-+++ b/client_test.go	2020-02-12 15:12:37.383523980 -0500
-@@ -49,7 +49,6 @@
- 	flag.StringVar(&address, "address", defaultAddress, "The address to the containerd socket for use in the tests")
- 	flag.BoolVar(&noDaemon, "no-daemon", false, "Do not start a dedicated daemon for the tests")
- 	flag.BoolVar(&noCriu, "no-criu", false, "Do not run the checkpoint tests")
--	flag.Parse()
- }
- 
- func testContext() (context.Context, context.CancelFunc) {
-@@ -59,6 +58,7 @@
- }
- 
- func TestMain(m *testing.M) {
-+	flag.Parse()
- 	if testing.Short() {
- 		os.Exit(m.Run())
- 	}
diff --git a/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..24be6e31d9
--- /dev/null
+++ b/gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
diff --git a/gnu/packages/patches/gimp-make-gegl-introspect-optional.patch b/gnu/packages/patches/gimp-make-gegl-introspect-optional.patch
new file mode 100644
index 0000000000..4dd1ab74a8
--- /dev/null
+++ b/gnu/packages/patches/gimp-make-gegl-introspect-optional.patch
@@ -0,0 +1,43 @@
+From 2cae9b9acf9da98c4c9990819ffbd5aabe23017e Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Mon, 14 Dec 2020 19:53:38 +0100
+Subject: [PATCH] app: make "gegl:introspect" an optional operation dependency.
+
+Check at runtime for the operation availability and set the "Show Image
+Graph" action active depending on this check.
+
+This goes with discussions to make this operation optional with a
+runtime check for the tool `dot`.
+See: https://gitlab.gnome.org/GNOME/gegl/-/merge_requests/84
+---
+ app/actions/debug-actions.c | 6 ++++++
+ app/sanity.c                | 1 -
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/app/actions/debug-actions.c b/app/actions/debug-actions.c
+index 6be4422b228..22ca38b15ea 100644
+--- a/app/actions/debug-actions.c
++++ b/app/actions/debug-actions.c
+@@ -103,4 +103,10 @@ void
+ debug_actions_update (GimpActionGroup *group,
+                       gpointer         data)
+ {
++#define SET_SENSITIVE(action,condition) \
++        gimp_action_group_set_action_sensitive (group, action, (condition) != 0)
++
++  SET_SENSITIVE ("debug-show-image-graph", gegl_has_operation ("gegl:introspect"));
++
++#undef SET_SENSITIVE
+ }
+diff --git a/app/sanity.c b/app/sanity.c
+index 015801a396e..6374ac1ad20 100644
+--- a/app/sanity.c
++++ b/app/sanity.c
+@@ -650,7 +650,6 @@ sanity_check_gegl_ops (void)
+     "gegl:hue-chroma",
+     "gegl:illusion",
+     "gegl:image-gradient",
+-    "gegl:introspect",
+     "gegl:invert-gamma",
+     "gegl:invert-linear",
+     "gegl:lens-blur",
diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
new file mode 100644
index 0000000000..b15c1d0879
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch
@@ -0,0 +1,27 @@
+We omit the ChangeLog changes below, since they do not apply cleanly.
+
+
+From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 30 Nov 2020 16:26:59 +0000
+Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by
+ Hardik Shah)
+
+---
+ ChangeLog     | 6 ++++++
+ coders/tiff.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e98f927ab..1eecf17ae 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         extent+=image->columns*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+-          sizeof(*strip_pixels));
++          2*sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels));
diff --git a/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
new file mode 100644
index 0000000000..42ece43682
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMImage-fix.patch
@@ -0,0 +1,26 @@
+From 512668dfd92b20d0d08b91d62b422d8262573281 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Wed, 24 Mar 2021 20:37:15 +0100
+Subject: [PATCH] Throw exception when no exception was raised but status was
+ false (#3432).
+
+---
+ coders/dcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 7a68ed6e8..ed17c9567 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3989,6 +3989,8 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         if (redmap != (int *) NULL)
+           redmap=(int *) RelinquishMagickMemory(redmap);
+         image=DestroyImageList(image);
++        if ((status == MagickFalse) && (exception->severity < ErrorException))
++          ThrowReaderException(CorruptImageError,"CorruptImage");
+         return(GetFirstImageInList(images));
+       }
+     if (info.depth != (1UL*MAGICKCORE_QUANTUM_DEPTH))
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
new file mode 100644
index 0000000000..a91999186b
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-ReadDCMPixels-fix.patch
@@ -0,0 +1,35 @@
+From c8f25953ad1dd38a8b2d92738f0f742ad7e0bce7 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Sun, 21 Mar 2021 21:21:15 -0400
+Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32322
+
+---
+ coders/dcm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 29eed9618..7a68ed6e8 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -2984,12 +2984,12 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info,
+         }
+       else
+         {
+-          SetPixelRed(q,(Quantum) (((ssize_t) pixel.red) |
+-            (((ssize_t) GetPixelRed(q)) << 8)));
+-          SetPixelGreen(q,(Quantum) (((ssize_t) pixel.green) |
+-            (((ssize_t) GetPixelGreen(q)) << 8)));
+-          SetPixelBlue(q,(Quantum) (((ssize_t) pixel.blue) |
+-            (((ssize_t) GetPixelBlue(q)) << 8)));
++          SetPixelRed(q,(Quantum) (((size_t) pixel.red) |
++            (((size_t) GetPixelRed(q)) << 8)));
++          SetPixelGreen(q,(Quantum) (((size_t) pixel.green) |
++            (((size_t) GetPixelGreen(q)) << 8)));
++          SetPixelBlue(q,(Quantum) (((size_t) pixel.blue) |
++            (((size_t) GetPixelBlue(q)) << 8)));
+         }
+       q++;
+     }
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
new file mode 100644
index 0000000000..f38a45b800
--- /dev/null
+++ b/gnu/packages/patches/imagemagick-WriteTHUMBNAILImage-fix.patch
@@ -0,0 +1,25 @@
+From 6a5d3575487487f2703383338bd17c8c25068f19 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Mar 2021 08:58:18 -0400
+Subject: [PATCH] eliminate compiler warning
+
+---
+ coders/thumbnail.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index 3833341b0..1e2bfe8c2 100644
+--- a/coders/thumbnail.c
++++ b/coders/thumbnail.c
+@@ -199,7 +199,7 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+     q++;
+   }
+   if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+-      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
++      ((ssize_t) length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/libvirt-add-install-prefix.patch b/gnu/packages/patches/libvirt-add-install-prefix.patch
new file mode 100644
index 0000000000..1331fa9b6f
--- /dev/null
+++ b/gnu/packages/patches/libvirt-add-install-prefix.patch
@@ -0,0 +1,329 @@
+Patch from NixOS: 
+https://raw.githubusercontent.com/NixOS/nixpkgs/b98031a49c66095dd1eb9185ecdaeeb5e3cd752d/pkgs/development/libraries/libvirt/0001-meson-patch-in-an-install-prefix-for-building-on-nix.patch
+
+From a896b0be849455edb83a9305dfec9b41447ef3e4 Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euank@euank.com>
+Date: Thu, 14 Jan 2021 00:32:00 -0800
+Subject: [PATCH] meson: patch in an install prefix for building on nix
+
+Used in the nixpkgs version of libvirt so that we can install things in
+the nix store, but read them from the root filesystem.
+---
+ meson.build                       |  9 +++++++++
+ meson_options.txt                 |  2 ++
+ src/libxl/meson.build             |  6 +++---
+ src/locking/meson.build           |  8 ++++----
+ src/lxc/meson.build               |  6 +++---
+ src/meson.build                   | 18 +++++++++---------
+ src/network/meson.build           | 12 ++++++------
+ src/nwfilter/xml/meson.build      |  2 +-
+ src/qemu/meson.build              | 14 +++++++-------
+ src/remote/meson.build            |  6 +++---
+ src/security/apparmor/meson.build |  8 ++++----
+ tools/meson.build                 |  4 ++--
+ 12 files changed, 53 insertions(+), 42 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index b5164f6..33719f1 100644
+--- a/meson.build
++++ b/meson.build
+@@ -39,6 +39,8 @@ if host_machine.system() == 'windows'
+   conf.set('WINVER', '0x0600') # Win Vista / Server 2008
+ endif
+ 
++# patched in for nix
++install_prefix = get_option('install_prefix')
+ 
+ # set various paths
+ 
+@@ -57,6 +59,13 @@ else
+   sysconfdir = prefix / get_option('sysconfdir')
+ endif
+ 
++# nix: don't prefix the localstatedir; some things need to write to it, so it
++# can't be in the nix store, and that's what the prefix is.
++# We'll prefix things ourselves where needed
++localstatedir = get_option('localstatedir')
++# Same for sysconfidr
++sysconfdir = get_option('sysconfdir')
++
+ # if --prefix is /usr, don't use /usr/var for localstatedir or /usr/etc for
+ # sysconfdir as this makes a lot of things break in testing situations
+ if prefix == '/usr'
+diff --git a/meson_options.txt b/meson_options.txt
+index e5d79c2..081cd32 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -1,3 +1,5 @@
++option('install_prefix', type: 'string', value: '', description: 'prefix for nix store installation')
++
+ option('no_git', type: 'boolean', value: false, description: 'Disable git submodule update')
+ option('packager', type: 'string', value: '', description: 'Extra packager name')
+ option('packager_version', type: 'string', value: '', description: 'Extra packager version')
+diff --git a/src/libxl/meson.build b/src/libxl/meson.build
+index 3bb6cc5..78d7be0 100644
+--- a/src/libxl/meson.build
++++ b/src/libxl/meson.build
+@@ -84,8 +84,8 @@ if conf.has('WITH_LIBXL')
+   }
+ 
+   virt_install_dirs += [
+-    localstatedir / 'lib' / 'libvirt' / 'libxl',
+-    runstatedir / 'libvirt' / 'libxl',
+-    localstatedir / 'log' / 'libvirt' / 'libxl',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'libxl',
++    install_prefix + runstatedir / 'libvirt' / 'libxl',
++    install_prefix + localstatedir / 'log' / 'libvirt' / 'libxl',
+   ]
+ endif
+diff --git a/src/locking/meson.build b/src/locking/meson.build
+index 8a28310..9da81cc 100644
+--- a/src/locking/meson.build
++++ b/src/locking/meson.build
+@@ -243,14 +243,14 @@ if conf.has('WITH_LIBVIRTD')
+   }
+ 
+   virt_install_dirs += [
+-    localstatedir / 'lib' / 'libvirt' / 'lockd',
+-    localstatedir / 'lib' / 'libvirt' / 'lockd' / 'files',
+-    runstatedir / 'libvirt' / 'lockd',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'lockd',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'lockd' / 'files',
++    install_prefix + runstatedir / 'libvirt' / 'lockd',
+   ]
+ 
+   if conf.has('WITH_SANLOCK')
+     virt_install_dirs += [
+-      localstatedir / 'lib' / 'libvirt' / 'sanlock',
++      install_prefix + localstatedir / 'lib' / 'libvirt' / 'sanlock',
+     ]
+   endif
+ endif
+diff --git a/src/lxc/meson.build b/src/lxc/meson.build
+index f8e2a88..96d6687 100644
+--- a/src/lxc/meson.build
++++ b/src/lxc/meson.build
+@@ -182,8 +182,8 @@ if conf.has('WITH_LXC')
+   }
+ 
+   virt_install_dirs += [
+-    localstatedir / 'lib' / 'libvirt' / 'lxc',
+-    runstatedir / 'libvirt' / 'lxc',
+-    localstatedir / 'log' / 'libvirt' / 'lxc',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'lxc',
++    install_prefix + runstatedir / 'libvirt' / 'lxc',
++    install_prefix + localstatedir / 'log' / 'libvirt' / 'lxc',
+   ]
+ endif
+diff --git a/src/meson.build b/src/meson.build
+index 7c47821..d33d16a 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -669,7 +669,7 @@ endforeach
+ 
+ virt_conf_files += 'libvirt.conf'
+ 
+-install_data(virt_conf_files, install_dir: confdir)
++install_data(virt_conf_files, install_dir: install_prefix + confdir)
+ install_data(virt_aug_files, install_dir: virt_aug_dir)
+ 
+ # augeas_test_data:
+@@ -729,7 +729,7 @@ foreach data : virt_daemon_confs
+     output: '@0@.conf'.format(data['name']),
+     configuration: daemon_conf,
+     install: true,
+-    install_dir: confdir,
++    install_dir: install_prefix + confdir,
+   )
+ 
+   if data.get('with_ip', false)
+@@ -853,14 +853,14 @@ if conf.has('WITH_LIBVIRTD')
+ 
+       install_data(
+         init_file,
+-        install_dir: sysconfdir / 'init.d',
++        install_dir: install_prefix + sysconfdir / 'init.d',
+         rename: [ init['name'] ],
+       )
+ 
+       if init.has_key('confd')
+         install_data(
+           init['confd'],
+-          install_dir: sysconfdir / 'conf.d',
++          install_dir: install_prefix + sysconfdir / 'conf.d',
+           rename: [ init['name'] ],
+         )
+       endif
+@@ -872,7 +872,7 @@ if init_script != 'none'
+   foreach sysconf : sysconf_files
+     install_data(
+       sysconf['file'],
+-      install_dir: sysconfdir / 'sysconfig',
++      install_dir: install_prefix + sysconfdir / 'sysconfig',
+       rename: [ sysconf['name'] ],
+     )
+   endforeach
+@@ -897,10 +897,10 @@ endif
+ # Install empty directories
+ 
+ virt_install_dirs += [
+-  localstatedir / 'cache' / 'libvirt',
+-  localstatedir / 'lib' / 'libvirt' / 'images',
+-  localstatedir / 'lib' / 'libvirt' / 'filesystems',
+-  localstatedir / 'lib' / 'libvirt' / 'boot',
++  install_prefix + localstatedir / 'cache' / 'libvirt',
++  install_prefix + localstatedir / 'lib' / 'libvirt' / 'images',
++  install_prefix + localstatedir / 'lib' / 'libvirt' / 'filesystems',
++  install_prefix + localstatedir / 'lib' / 'libvirt' / 'boot',
+ ]
+ 
+ meson.add_install_script(
+diff --git a/src/network/meson.build b/src/network/meson.build
+index 3ec598c..b02040b 100644
+--- a/src/network/meson.build
++++ b/src/network/meson.build
+@@ -79,9 +79,9 @@ if conf.has('WITH_NETWORK')
+   }
+ 
+   virt_install_dirs += [
+-    localstatedir / 'lib' / 'libvirt' / 'network',
+-    localstatedir / 'lib' / 'libvirt' / 'dnsmasq',
+-    runstatedir / 'libvirt' / 'network',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'network',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'dnsmasq',
++    install_prefix + runstatedir / 'libvirt' / 'network',
+   ]
+ 
+   configure_file(
+@@ -89,12 +89,12 @@ if conf.has('WITH_NETWORK')
+     output: '@BASENAME@',
+     copy: true,
+     install: true,
+-    install_dir: confdir / 'qemu' / 'networks',
++    install_dir: install_prefix + confdir / 'qemu' / 'networks',
+   )
+ 
+   meson.add_install_script(
+     meson_python_prog.path(), python3_prog.path(), meson_install_symlink_prog.path(),
+-    confdir / 'qemu' / 'networks' / 'autostart',
++    install_prefix + confdir / 'qemu' / 'networks' / 'autostart',
+     '../default.xml', 'default.xml',
+   )
+ 
+diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build
+index 0d96c54..66c92a1 100644
+--- a/src/nwfilter/xml/meson.build
++++ b/src/nwfilter/xml/meson.build
+@@ -25,4 +25,4 @@ nwfilter_xml_files = [
+   'qemu-announce-self.xml',
+ ]
+ 
+-install_data(nwfilter_xml_files, install_dir: sysconfdir / 'libvirt' / 'nwfilter')
++install_data(nwfilter_xml_files, install_dir: install_prefix + sysconfdir / 'libvirt' / 'nwfilter')
+diff --git a/src/qemu/meson.build b/src/qemu/meson.build
+index 90640b0..8802cec 100644
+--- a/src/qemu/meson.build
++++ b/src/qemu/meson.build
+@@ -171,12 +171,12 @@ if conf.has('WITH_QEMU')
+   }
+ 
+   virt_install_dirs += [
+-    localstatedir / 'lib' / 'libvirt' / 'qemu',
+-    runstatedir / 'libvirt' / 'qemu',
+-    localstatedir / 'cache' / 'libvirt' / 'qemu',
+-    localstatedir / 'log' / 'libvirt' / 'qemu',
+-    localstatedir / 'lib' / 'libvirt' / 'swtpm',
+-    runstatedir / 'libvirt' / 'qemu' / 'swtpm',
+-    localstatedir / 'log' / 'swtpm' / 'libvirt' / 'qemu',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'qemu',
++    install_prefix + runstatedir / 'libvirt' / 'qemu',
++    install_prefix + localstatedir / 'cache' / 'libvirt' / 'qemu',
++    install_prefix + localstatedir / 'log' / 'libvirt' / 'qemu',
++    install_prefix + localstatedir / 'lib' / 'libvirt' / 'swtpm',
++    install_prefix + runstatedir / 'libvirt' / 'qemu' / 'swtpm',
++    install_prefix + localstatedir / 'log' / 'swtpm' / 'libvirt' / 'qemu',
+   ]
+ endif
+diff --git a/src/remote/meson.build b/src/remote/meson.build
+index 9ad2f6a..429a15b 100644
+--- a/src/remote/meson.build
++++ b/src/remote/meson.build
+@@ -245,7 +245,7 @@ if conf.has('WITH_REMOTE')
+     }
+ 
+     virt_install_dirs += [
+-      localstatedir / 'log' / 'libvirt',
++      install_prefix + localstatedir / 'log' / 'libvirt',
+     ]
+ 
+     logrotate_conf = configuration_data()
+@@ -259,7 +259,7 @@ if conf.has('WITH_REMOTE')
+       )
+       install_data(
+         log_file,
+-        install_dir: sysconfdir / 'logrotate.d',
++        install_dir: install_prefix + sysconfdir / 'logrotate.d',
+         rename: [ name ],
+       )
+     endforeach
+@@ -309,7 +309,7 @@ endif
+ if conf.has('WITH_SASL')
+   install_data(
+     'libvirtd.sasl',
+-    install_dir: sysconfdir / 'sasl2',
++    install_dir: install_prefix + sysconfdir / 'sasl2',
+     rename: [ 'libvirt.conf' ],
+   )
+ endif
+diff --git a/src/security/apparmor/meson.build b/src/security/apparmor/meson.build
+index af43780..e2d6c81 100644
+--- a/src/security/apparmor/meson.build
++++ b/src/security/apparmor/meson.build
+@@ -17,22 +17,22 @@ foreach name : apparmor_gen_profiles
+     output: name,
+     configuration: apparmor_gen_profiles_conf,
+     install: true,
+-    install_dir: apparmor_dir,
++    install_dir: install_prefix + apparmor_dir,
+   )
+ endforeach
+ 
+ install_data(
+   [ 'libvirt-qemu', 'libvirt-lxc' ],
+-  install_dir: apparmor_dir / 'abstractions',
++  install_dir: install_prefix + apparmor_dir / 'abstractions',
+ )
+ 
+ install_data(
+   [ 'TEMPLATE.qemu', 'TEMPLATE.lxc' ],
+-  install_dir: apparmor_dir / 'libvirt',
++  install_dir: install_prefix + apparmor_dir / 'libvirt',
+ )
+ 
+ install_data(
+   'usr.lib.libvirt.virt-aa-helper.local',
+-  install_dir: apparmor_dir / 'local',
++  install_dir: install_prefix + apparmor_dir / 'local',
+   rename: 'usr.lib.libvirt.virt-aa-helper',
+ )
+diff --git a/tools/meson.build b/tools/meson.build
+index b8c6802..dacd0ff 100644
+--- a/tools/meson.build
++++ b/tools/meson.build
+@@ -115,7 +115,7 @@ if conf.has('WITH_LOGIN_SHELL')
+     install_rpath: libvirt_rpath,
+   )
+ 
+-  install_data('virt-login-shell.conf', install_dir: sysconfdir / 'libvirt')
++  install_data('virt-login-shell.conf', install_dir: install_prefix + sysconfdir / 'libvirt')
+ endif
+ 
+ if host_machine.system() == 'windows'
+@@ -274,7 +274,7 @@ configure_file(
+ if init_script == 'systemd'
+   install_data(
+     'libvirt-guests.sysconf',
+-    install_dir: sysconfdir / 'sysconfig',
++    install_dir: install_prefix + sysconfdir / 'sysconfig',
+     rename: 'libvirt-guests',
+   )
diff --git a/gnu/packages/patches/linphone-desktop-without-sdk.patch b/gnu/packages/patches/linphone-desktop-without-sdk.patch
new file mode 100644
index 0000000000..63e9808bf4
--- /dev/null
+++ b/gnu/packages/patches/linphone-desktop-without-sdk.patch
@@ -0,0 +1,235 @@
+From cfdf6d1c2051d6a20d0cbb94d81fe398f70dea4d Mon Sep 17 00:00:00 2001
+From: Raghav Gururajan <rg@raghavgururajan.name>
+Date: Sun, 21 Mar 2021 21:13:53 -0400
+Subject: [PATCH] [PATCH]: Fix building from git.
+
+---
+ CMakeLists.txt                                | 73 +------------------
+ linphone-app/CMakeLists.txt                   | 12 +--
+ .../cmake_builder/additional_steps.cmake      |  2 +-
+ .../linphone_package/CMakeLists.txt           | 38 ----------
+ linphone-app/linphoneqt_version.cmake         |  1 +
+ linphone-app/src/config.h.cmake               |  1 +
+ 6 files changed, 6 insertions(+), 121 deletions(-)
+ create mode 100644 linphone-app/linphoneqt_version.cmake
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index f7eb05f2..3e853bdd 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -48,16 +48,6 @@ project(linphoneqt)
+ include(GNUInstallDirs)
+ include(CheckCXXCompilerFlag)
+ 
+-# Prepare gobal CMAKE configuration specific to the current project
+-set(SDK_BUILD_DIR "${CMAKE_BINARY_DIR}/WORK")       # SDK build in WORK. Keep all in it.
+-set(LINPHONE_OUTPUT_DIR "${CMAKE_BINARY_DIR}/linphone-sdk/desktop")
+-
+-set(APPLICATION_OUTPUT_DIR "${CMAKE_BINARY_DIR}/OUTPUT")
+-
+-set(CMAKE_PREFIX_PATH "${LINPHONE_OUTPUT_DIR};${APPLICATION_OUTPUT_DIR}${PREFIX_PATH}")
+-string(REPLACE ";" "|" PREFIX_PATH "${CMAKE_PREFIX_PATH}")
+-#set(PREFIX_PATH "${LINPHONE_OUTPUT_DIR}|${APPLICATION_OUTPUT_DIR}${PREFIX_PATH}")
+-
+ # Avoid cmake warning if CMP0071 is not set.
+ if (POLICY CMP0071)
+     cmake_policy(SET CMP0071 NEW)
+@@ -116,9 +106,6 @@ if(ENABLE_V4L)
+ endif()
+ list(APPEND APP_OPTIONS "-DENABLE_RELATIVE_PREFIX=${ENABLE_RELATIVE_PREFIX}")
+ 
+-list(APPEND APP_OPTIONS "-DLINPHONE_OUTPUT_DIR=${LINPHONE_OUTPUT_DIR}")
+-
+-include(ExternalProject)
+ set(PROJECT_BUILD_COMMAND "")
+ if(CMAKE_BUILD_PARALLEL_LEVEL)
+ 	list(APPEND APP_OPTIONS "-DCMAKE_BUILD_PARALLEL_LEVEL=${CMAKE_BUILD_PARALLEL_LEVEL}")
+@@ -133,32 +120,10 @@ if(CMAKE_VERBOSE_MAKEFILE)
+ 	endif()
+ endif()
+ if(UNIX AND NOT APPLE)
+-	set(CMAKE_INSTALL_RPATH "$ORIGIN:$ORIGIN/lib64:$ORIGIN/../lib64:$ORIGIN/lib:$ORIGIN/../lib:${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_LIBDIR}")
+ 	list(APPEND APP_OPTIONS "-DCMAKE_INSTALL_RPATH=${CMAKE_INSTALL_RPATH}")
+ endif()
+-ExternalProject_Add(sdk PREFIX "${CMAKE_BINARY_DIR}/sdk"
+-    SOURCE_DIR "${CMAKE_SOURCE_DIR}/linphone-sdk"
+-    INSTALL_DIR "${LINPHONE_OUTPUT_DIR}"
+-    STAMP_DIR "${SDK_BUILD_DIR}/stamp"
+-    BINARY_DIR "${SDK_BUILD_DIR}"
+-    STEP_TARGETS build
+-    BUILD_COMMAND ${CMAKE_COMMAND} --build <BINARY_DIR> --config $<CONFIG> ${PROJECT_BUILD_COMMAND}
+-    INSTALL_COMMAND ${CMAKE_COMMAND} -E echo "Install step is already done at build time."
+-    LIST_SEPARATOR | # Use the alternate list separator
+-    CMAKE_ARGS ${APP_OPTIONS} ${USER_ARGS} -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR> -DCMAKE_PREFIX_PATH=${PREFIX_PATH}
+-    #BUILD_ALWAYS NO #${DO_BUILD}
+-)
+-ExternalProject_Add_Step(sdk force_build
+-	COMMENT "Forcing build for 'desktop'"
+-	DEPENDEES configure
+-	DEPENDERS build
+-	ALWAYS 1
+-)
+ include(FindPkgConfig)
+ 
+-set(APP_DEPENDS sdk)
+-
+-
+ find_package(Qt5 5.12 COMPONENTS Core REQUIRED)
+ 
+ if ( NOT Qt5_FOUND )
+@@ -173,39 +138,5 @@ find_package(Mediastreamer2 CONFIG QUIET)
+ find_package(ortp CONFIG QUIET)
+ 
+ 
+-if(NOT (LinphoneCxx_FOUND) OR NOT (Linphone_FOUND) OR NOT (bctoolbox_FOUND) OR NOT (belcard_FOUND) OR NOT (Mediastreamer2_FOUND) OR NOT (ortp_FOUND) OR FORCE_APP_EXTERNAL_PROJECTS)
+-	message("Projects are set as External projects. You can start building them by using for example : cmake --build . --target install")
+-	ExternalProject_Add(linphone-qt PREFIX "${CMAKE_BINARY_DIR}/linphone-app"
+-		SOURCE_DIR "${CMAKE_SOURCE_DIR}/linphone-app"
+-		INSTALL_DIR "${APPLICATION_OUTPUT_DIR}"
+-		BINARY_DIR "${CMAKE_BINARY_DIR}/linphone-app"
+-		DEPENDS ${APP_DEPENDS}
+-		BUILD_COMMAND ${CMAKE_COMMAND} --build <BINARY_DIR> --config $<CONFIG> ${PROJECT_BUILD_COMMAND}
+-		INSTALL_COMMAND ${CMAKE_COMMAND} -E echo "Install step will not be done by external project"
+-		LIST_SEPARATOR | # Use the alternate list separator
+-		CMAKE_ARGS ${APP_OPTIONS} ${USER_ARGS} -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR> -DCMAKE_PREFIX_PATH=${PREFIX_PATH}
+-	# ${APP_OPTIONS}
+-		BUILD_ALWAYS ON
+-	)
+-	install(CODE "message(STATUS Running install)")
+-	set(AUTO_REGENERATION auto_regeneration)
+-	add_custom_target(${AUTO_REGENERATION} ALL
+-		COMMAND ${CMAKE_COMMAND} ${CMAKE_CURRENT_SOURCE_DIR}
+-		DEPENDS linphone-qt)
+-else()
+-	message("Adding Linphone Desktop in an IDE-friendly state")
+-	set(CMAKE_INSTALL_PREFIX "${APPLICATION_OUTPUT_DIR}")
+-	add_subdirectory(${CMAKE_SOURCE_DIR}/linphone-app)
+-	add_dependencies(app-library ${APP_DEPENDS})
+-endif()
+-ExternalProject_Add(linphone-qt-only PREFIX "${CMAKE_BINARY_DIR}/linphone-app"
+-    SOURCE_DIR "${CMAKE_SOURCE_DIR}/linphone-app"
+-    INSTALL_DIR "${APPLICATION_OUTPUT_DIR}"
+-    BINARY_DIR "${CMAKE_BINARY_DIR}/linphone-app"
+-    BUILD_COMMAND ${CMAKE_COMMAND} --build <BINARY_DIR> --config $<CONFIG> ${PROJECT_BUILD_COMMAND}
+-#    INSTALL_COMMAND ${CMAKE_COMMAND} -E echo "Install step is already done at build time."
+-    LIST_SEPARATOR | # Use the alternate list separator
+-    CMAKE_ARGS ${APP_OPTIONS} ${USER_ARGS} -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR> -DCMAKE_PREFIX_PATH=${PREFIX_PATH}
+-    EXCLUDE_FROM_ALL ON
+-    BUILD_ALWAYS ON
+-)
++message("Adding Linphone Desktop in an IDE-friendly state")
++add_subdirectory(${CMAKE_SOURCE_DIR}/linphone-app)
+diff --git a/linphone-app/CMakeLists.txt b/linphone-app/CMakeLists.txt
+index 3bc9420a..5267cd4a 100644
+--- a/linphone-app/CMakeLists.txt
++++ b/linphone-app/CMakeLists.txt
+@@ -21,17 +21,8 @@
+ ################################################################################
+ cmake_minimum_required(VERSION 3.1)
+ 
++include(linphoneqt_version.cmake)
+ find_package(bctoolbox CONFIG)
+-set(FULL_VERSION )
+-bc_compute_full_version(FULL_VERSION)
+-set(version_major )
+-set(version_minor )
+-set(version_patch )
+-set(identifiers )
+-set(metadata )
+-bc_parse_full_version("${FULL_VERSION}" version_major version_minor version_patch identifiers metadata)
+-
+-project(linphoneqt VERSION "${version_major}.${version_minor}.${version_patch}")
+ 
+ if(ENABLE_BUILD_VERBOSE)
+ 	#message("CMAKE_PREFIX_PATH ${CMAKE_PREFIX_PATH}")
+@@ -49,7 +40,6 @@ if(UNIX AND NOT APPLE)
+     set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
+ endif()
+ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/../cmake")
+-list(APPEND CMAKE_MODULE_PATH "${LINPHONE_OUTPUT_DIR}/cmake")
+ 
+ set(APP_LIBRARY app-library)
+ include(application_info.cmake)
+diff --git a/linphone-app/cmake_builder/additional_steps.cmake b/linphone-app/cmake_builder/additional_steps.cmake
+index 7f7fd573..48e3c716 100644
+--- a/linphone-app/cmake_builder/additional_steps.cmake
++++ b/linphone-app/cmake_builder/additional_steps.cmake
+@@ -61,7 +61,7 @@ if (ENABLE_PACKAGING)
+       SOURCE_DIR "${CMAKE_CURRENT_LIST_DIR}/linphone_package"
+       DOWNLOAD_COMMAND ""
+       CMAKE_GENERATOR ${CMAKE_GENERATOR}
+-      CMAKE_ARGS ${LINPHONE_BUILDER_EP_ARGS} -DCMAKE_INSTALL_PREFIX=${LINPHONE_BUILDER_WORK_DIR}/PACKAGE -DTOOLS_DIR=${CMAKE_BINARY_DIR}/programs -DLINPHONE_OUTPUT_DIR=${CMAKE_INSTALL_PREFIX} -DLINPHONE_DESKTOP_DIR=${CMAKE_CURRENT_LIST_DIR}/.. -DLINPHONE_SOURCE_DIR=${EP_linphone_SOURCE_DIR} ${ENABLE_VARIABLES} -DLINPHONE_BUILDER_SIGNING_IDENTITY=${LINPHONE_BUILDER_SIGNING_IDENTITY}
++      CMAKE_ARGS ${LINPHONE_BUILDER_EP_ARGS} -DCMAKE_INSTALL_PREFIX=${LINPHONE_BUILDER_WORK_DIR}/PACKAGE -DTOOLS_DIR=${CMAKE_BINARY_DIR}/programs -DLINPHONE_DESKTOP_DIR=${CMAKE_CURRENT_LIST_DIR}/.. -DLINPHONE_SOURCE_DIR=${EP_linphone_SOURCE_DIR} ${ENABLE_VARIABLES} -DLINPHONE_BUILDER_SIGNING_IDENTITY=${LINPHONE_BUILDER_SIGNING_IDENTITY}
+     )
+   endif ()
+ endif ()
+diff --git a/linphone-app/cmake_builder/linphone_package/CMakeLists.txt b/linphone-app/cmake_builder/linphone_package/CMakeLists.txt
+index baea03cf..d06dcb74 100644
+--- a/linphone-app/cmake_builder/linphone_package/CMakeLists.txt
++++ b/linphone-app/cmake_builder/linphone_package/CMakeLists.txt
+@@ -200,44 +200,6 @@ elseif (APPLE)
+   endif ()
+ #  install(DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/${APPLICATION_NAME}.app" DESTINATION "." USE_SOURCE_PERMISSIONS)
+ else()# Not Windows and Apple
+-	foreach (LIBRARY ${SHARED_LIBRARIES})
+-		get_filename_component(LIBRARY_FILENAME ${LIBRARY} NAME)
+-		message("Changing RPATH of ${LIBRARY_FILENAME} from '${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_LIBDIR}' to '$ORIGIN/../${CMAKE_INSTALL_LIBDIR}'")
+-		execute_process(COMMAND install_name_tool -rpath "${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_LIBDIR}" "$ORIGIN/../lib" "${LIBRARY}")
+-		execute_process(COMMAND install_name_tool -addrpath "$ORIGIN/../lib64" "${LIBRARY}")
+-	endforeach ()
+-	install(DIRECTORY "${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_BINDIR}/" DESTINATION "${CMAKE_INSTALL_BINDIR}" USE_SOURCE_PERMISSIONS)
+-#Just in case. This is useless because we have to use CMAKE_INSTALL_LIBDIR
+-	if( EXISTS "${LINPHONE_OUTPUT_DIR}/lib/")
+-		file(GLOB SHARED_LIBRARIES "${LINPHONE_OUTPUT_DIR}/lib/*.so*")
+-		if( ENABLE_OPENH264 )# Remove openH264 lib from the installation. this codec will be download by user
+-			foreach(item ${SHARED_LIBRARIES})
+-				get_filename_component(LIBRARY_FILENAME ${item} NAME)
+-				if("${LIBRARY_FILENAME}" MATCHES "^libopenh264.*$")
+-					list(REMOVE_ITEM SHARED_LIBRARIES ${item})
+-				endif()
+-			endforeach(item)
+-		endif()
+-		install(FILES ${SHARED_LIBRARIES} DESTINATION "lib")
+-	endif()
+-	if( EXISTS "${LINPHONE_OUTPUT_DIR}/lib64/")
+-		file(GLOB SHARED_LIBRARIES "${LINPHONE_OUTPUT_DIR}/lib64/*.so*")
+-		if( ENABLE_OPENH264 )# Remove openH264 lib from the installation. this codec will be download by user
+-			foreach(item ${SHARED_LIBRARIES})
+-				get_filename_component(LIBRARY_FILENAME ${item} NAME)
+-				if("${LIBRARY_FILENAME}" MATCHES "^libopenh264.*$")
+-					list(REMOVE_ITEM SHARED_LIBRARIES ${item})
+-				endif()
+-			endforeach(item)
+-		endif()
+-		install(FILES ${SHARED_LIBRARIES} DESTINATION "lib64")
+-	endif()
+-	install(DIRECTORY "${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_DATAROOTDIR}/" DESTINATION "${CMAKE_INSTALL_DATAROOTDIR}" USE_SOURCE_PERMISSIONS)
+-	if(ENABLE_BUILD_VERBOSE)
+-		message("INSTALLATION : ${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_DATAROOTDIR}/" )
+-	endif()
+-	file(GLOB PLUGINS_FILES "${LINPHONE_OUTPUT_DIR}/${CMAKE_INSTALL_LIBDIR}/mediastreamer/plugins/*")
+-	install(FILES ${PLUGINS_FILES} DESTINATION "plugins/mediastreamer/" )
+ # Install desktop/icon files.
+ 	configure_file("${CMAKE_CURRENT_SOURCE_DIR}/../../assets/linphone.desktop.cmake" "${CMAKE_CURRENT_BINARY_DIR}/../../${EXECUTABLE_NAME}.desktop" @ONLY)	
+ 	install(FILES "${CMAKE_CURRENT_BINARY_DIR}/../../${EXECUTABLE_NAME}.desktop" DESTINATION "${CMAKE_INSTALL_DATADIR}/applications")
+diff --git a/linphone-app/linphoneqt_version.cmake b/linphone-app/linphoneqt_version.cmake
+new file mode 100644
+index 00000000..a85d3455
+--- /dev/null
++++ b/linphone-app/linphoneqt_version.cmake
+@@ -0,0 +1 @@
++project(linphoneqt VERSION ${GUIX-SET-VERSION})
+\ No newline at end of file
+diff --git a/linphone-app/src/config.h.cmake b/linphone-app/src/config.h.cmake
+index 093539e0..5a238c70 100644
+--- a/linphone-app/src/config.h.cmake
++++ b/linphone-app/src/config.h.cmake
+@@ -28,3 +28,4 @@
+ #cmakedefine ENABLE_UPDATE_CHECK 1
+ #cmakedefine EXECUTABLE_NAME "${EXECUTABLE_NAME}"
+ #cmakedefine MSPLUGINS_DIR "${MSPLUGINS_DIR}"
++#define LINPHONE_QT_GIT_VERSION "${PROJECT_VERSION}"
+\ No newline at end of file
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/linphoneqt-tabbutton.patch b/gnu/packages/patches/linphoneqt-tabbutton.patch
deleted file mode 100644
index 6b3214026e..0000000000
--- a/gnu/packages/patches/linphoneqt-tabbutton.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From ecaab0f73d0b74bbfbf150286305fa6e12970037 Mon Sep 17 00:00:00 2001
-From: Ronan Abhamon <ronan.abhamon@belledonne-communications.com>
-Date: Fri, 19 Jan 2018 14:42:01 +0100
-Subject: [PATCH] fix(SettingsWindow): rename icon property of TabButton to
- iconName (issue with Qt 5.10 and new icon property)
-
----
- ui/modules/Common/Form/Tab/TabButton.qml |  8 ++++----
- ui/views/App/Settings/SettingsWindow.qml | 14 +++++++-------
- 2 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/ui/modules/Common/Form/Tab/TabButton.qml b/ui/modules/Common/Form/Tab/TabButton.qml
-index ad220ab2..a47bb20b 100644
---- a/ui/modules/Common/Form/Tab/TabButton.qml
-+++ b/ui/modules/Common/Form/Tab/TabButton.qml
-@@ -12,8 +12,8 @@ Controls.TabButton {
- 
-   // ---------------------------------------------------------------------------
- 
--  property string icon
-   property int iconSize: TabButtonStyle.icon.size
-+  property string iconName
- 
-   readonly property bool _isSelected: parent.parent.currentItem === button
- 
-@@ -66,9 +66,9 @@ Controls.TabButton {
-       Layout.leftMargin: TabButtonStyle.text.leftPadding
- 
-       icon: {
--        var icon = button.icon
--        return icon.length
--          ? (icon + '_' + (button._isSelected ? 'selected' : 'normal'))
-+        var iconName = button.iconName
-+        return iconName.length
-+          ? (iconName + '_' + (button._isSelected ? 'selected' : 'normal'))
-           : ''
-       }
-       iconSize: button.iconSize
-diff --git a/ui/views/App/Settings/SettingsWindow.qml b/ui/views/App/Settings/SettingsWindow.qml
-index b8f5a80f..58909544 100644
---- a/ui/views/App/Settings/SettingsWindow.qml
-+++ b/ui/views/App/Settings/SettingsWindow.qml
-@@ -48,43 +48,43 @@ ApplicationWindow {
-         id: tabBar
- 
-         TabButton {
--          icon: 'settings_sip_accounts'
-+          iconName: 'settings_sip_accounts'
-           text: qsTr('sipAccountsTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_audio'
-+          iconName: 'settings_audio'
-           text: qsTr('audioTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_video'
-+          iconName: 'settings_video'
-           text: qsTr('videoTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_call'
-+          iconName: 'settings_call'
-           text: qsTr('callsAndChatTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_network'
-+          iconName: 'settings_network'
-           text: qsTr('networkTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_advanced'
-+          iconName: 'settings_advanced'
-           text: qsTr('uiTab')
-           width: implicitWidth
-         }
- 
-         TabButton {
--          icon: 'settings_advanced'
-+          iconName: 'settings_advanced'
-           text: qsTr('uiAdvanced')
-           width: implicitWidth
-         }
--- 
-2.21.0
-
diff --git a/gnu/packages/patches/lksctp-tools-1.0.18-fix-header-file-name.patch b/gnu/packages/patches/lksctp-tools-1.0.18-fix-header-file-name.patch
new file mode 100644
index 0000000000..1ebe6c803d
--- /dev/null
+++ b/gnu/packages/patches/lksctp-tools-1.0.18-fix-header-file-name.patch
@@ -0,0 +1,32 @@
+From 378560050a8f93786c590cc99a55461666205b61 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 24 Aug 2018 01:13:32 +0800
+Subject: [PATCH] build: fix netinet/sctp.h not to be installed
+
+After libcnetinet_HEADERS was set to sctp.h.in, netinet/sctp.h can
+no longer be installed into ${includedir}.
+
+Since "AC_CONFIG_HEADERS([src/include/netinet/sctp.h])" is already
+added into configure.ac, there's no need to generate sctp.h by
+automake.
+
+So we simply set libcnetinet_HEADERS back to sctp.h.
+
+Fixes: 9607dd85e70a ("netinet/sctp.h: dynamically build based on system setup")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+---
+ src/include/netinet/Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/include/netinet/Makefile.am b/src/include/netinet/Makefile.am
+index ca0aac2..965db8c 100644
+--- a/src/include/netinet/Makefile.am
++++ b/src/include/netinet/Makefile.am
+@@ -11,5 +11,4 @@ libcnetinetdir = $(includedir)/netinet
+ # API.
+ include_HEADERS =
+ 
+-libcnetinet_HEADERS = sctp.h.in
+-BUILT_SOURCES = sctp.h
++libcnetinet_HEADERS = sctp.h
diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch
new file mode 100644
index 0000000000..215c920e53
--- /dev/null
+++ b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch
@@ -0,0 +1,100 @@
+This patch comes from upstream.  It corresponds to a patch applied to
+the generated C source code for llhttp included in Node.js 14.16.0
+(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a).  That commit
+fixes CVE-2020-8287.  With this patch, the output of our
+llhttp-bootstrap package matches the files included in Node.js 14.16.0
+exactly.
+
+commit e9b36ea64709c35ca66094d5cf3787f444029601
+Author: Fedor Indutny <fedor@indutny.com>
+Date:   Sat Oct 10 19:56:01 2020 -0700
+
+    http: unset `F_CHUNKED` on new `Transfer-Encoding`
+    
+    Duplicate `Transfer-Encoding` header should be a treated as a single,
+    but with original header values concatenated with a comma separator. In
+    the light of this, even if the past `Transfer-Encoding` ended with
+    `chunked`, we should be not let the `F_CHUNKED` to leak into the next
+    header, because mere presence of another header indicates that `chunked`
+    is not the last transfer-encoding token.
+
+diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
+index f4f1a6e..0a0c365 100644
+--- a/src/llhttp/http.ts
++++ b/src/llhttp/http.ts
+@@ -460,11 +460,19 @@ export class HTTP {
+       .match([ ' ', '\t' ], n('header_value_discard_ws'))
+       .otherwise(checkContentLengthEmptiness);
+ 
++    // Multiple `Transfer-Encoding` headers should be treated as one, but with
++    // values separate by a comma.
++    //
++    // See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++    const toTransferEncoding = this.unsetFlag(
++      FLAGS.CHUNKED,
++      'header_value_te_chunked');
++
+     n('header_value_start')
+       .otherwise(this.load('header_state', {
+         [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback),
+         [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag(
+-          FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'),
++          FLAGS.TRANSFER_ENCODING, toTransferEncoding),
+         [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'),
+         [HEADER_STATE.CONNECTION]: n('header_value_connection'),
+       }, 'header_value'));
+@@ -847,6 +855,11 @@ export class HTTP {
+     return span.start(span.end(this.node(next)));
+   }
+ 
++  private unsetFlag(flag: FLAGS, next: string | Node): Node {
++    const p = this.llparse;
++    return p.invoke(p.code.and('flags', ~flag), this.node(next));
++  }
++
+   private setFlag(flag: FLAGS, next: string | Node): Node {
+     const p = this.llparse;
+     return p.invoke(p.code.or('flags', flag), this.node(next));
+diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md
+index a7d1681..b0891d6 100644
+--- a/test/request/transfer-encoding.md
++++ b/test/request/transfer-encoding.md
+@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0
+ off=106 error code=15 reason="Request has invalid `Transfer-Encoding`"
+ ```
+ 
++## POST with `chunked` and duplicate transfer-encoding
++
++<!-- meta={"type": "request", "noScan": true} -->
++```http
++POST /post_identity_body_world?q=search#hey HTTP/1.1
++Accept: */*
++Transfer-Encoding: chunked
++Transfer-Encoding: deflate
++
++World
++```
++
++```log
++off=0 message begin
++off=5 len=38 span[url]="/post_identity_body_world?q=search#hey"
++off=44 url complete
++off=54 len=6 span[header_field]="Accept"
++off=61 header_field complete
++off=62 len=3 span[header_value]="*/*"
++off=67 header_value complete
++off=67 len=17 span[header_field]="Transfer-Encoding"
++off=85 header_field complete
++off=86 len=7 span[header_value]="chunked"
++off=95 header_value complete
++off=95 len=17 span[header_field]="Transfer-Encoding"
++off=113 header_field complete
++off=114 len=7 span[header_value]="deflate"
++off=123 header_value complete
++off=125 headers complete method=3 v=1/1 flags=200 content_length=0
++off=125 error code=15 reason="Request has invalid `Transfer-Encoding`"
++```
++
+ ## POST with `chunked` before other transfer-coding (lenient)
+ 
+ TODO(indutny): should we allow it even in lenient mode? (Consider disabling
diff --git a/gnu/packages/patches/mariadb-CVE-2021-27928.patch b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
new file mode 100644
index 0000000000..39a023c159
--- /dev/null
+++ b/gnu/packages/patches/mariadb-CVE-2021-27928.patch
@@ -0,0 +1,642 @@
+From 7580701e6279900fec40822952a3b874732289cf Mon Sep 17 00:00:00 2001
+From: Sergei Golubchik <serg@mariadb.org>
+Date: Thu, 18 Feb 2021 14:20:48 +0100
+Subject: [PATCH] make @@wsrep_provider and @@wsrep_notify_cmd read-only
+
+this should simplify run-time cluster management
+---
+ mysql-test/suite/galera/disabled.def          |  2 +
+ .../galera/include/galera_load_provider.inc   | 19 --------
+ .../galera/include/galera_unload_provider.inc |  3 +-
+ .../suite/galera/r/galera_ist_rsync.result    |  2 +-
+ .../galera/r/galera_sst_mysqldump.result      |  2 +-
+ .../suite/galera/r/mysql-wsrep#33.result      |  2 +-
+ .../suite/sys_vars/r/sysvars_wsrep.result     |  4 +-
+ .../sys_vars/r/wsrep_notify_cmd_basic.result  | 47 -------------------
+ .../sys_vars/r/wsrep_provider_basic.result    | 40 ----------------
+ .../r/wsrep_provider_options_basic.result     | 46 ------------------
+ .../sys_vars/t/wsrep_notify_cmd_basic.test    | 43 -----------------
+ .../sys_vars/t/wsrep_provider_basic.test      | 39 ---------------
+ .../t/wsrep_provider_options_basic.test       | 41 ----------------
+ mysql-test/suite/wsrep/disabled.def           |  2 +
+ mysql-test/suite/wsrep/r/variables.result     | 12 ++---
+ mysql-test/suite/wsrep/t/variables.test       | 32 +++----------
+ sql/sys_vars.cc                               |  8 ++--
+ 17 files changed, 25 insertions(+), 319 deletions(-)
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+ delete mode 100644 mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+
+diff --git a/mysql-test/suite/galera/disabled.def b/mysql-test/suite/galera/disabled.def
+index d940c702d54..83f26e81636 100644
+--- a/mysql-test/suite/galera/disabled.def
++++ b/mysql-test/suite/galera/disabled.def
+@@ -49,3 +49,5 @@ partition : MDEV-19958 Galera test failure on galera.partition
+ query_cache: MDEV-15805 Test failure on galera.query_cache
+ sql_log_bin : MDEV-21491 galera.sql_log_bin
+ versioning_trx_id : MDEV-18590 galera.versioning_trx_id
++galera_wsrep_provider_unset_set: wsrep_provider is read-only for security reasons
++pxc-421: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/galera/include/galera_load_provider.inc b/mysql-test/suite/galera/include/galera_load_provider.inc
+index 0f843597d9c..28010cc5b71 100644
+--- a/mysql-test/suite/galera/include/galera_load_provider.inc
++++ b/mysql-test/suite/galera/include/galera_load_provider.inc
+@@ -1,25 +1,6 @@
+ --echo Loading wsrep provider ...
+ 
+ --disable_query_log
+---eval SET GLOBAL wsrep_provider = '$wsrep_provider_orig';
+-
+-#
+-# count occurences of successful node starts in error log
+-#
+-perl;
+-  use strict;
+-   my $test_log=$ENV{'LOG_FILE'} or die "LOG_FILE not set";
+-   my $test_log_copy=$test_log . '.copy';
+-   if (-e $test_log_copy) {
+-      unlink $test_log_copy;
+-   }
+-
+-EOF
+---copy_file $LOG_FILE $LOG_FILE.copy
+-
+-#
+-#  now join to the cluster
+-#
+ --eval SET GLOBAL wsrep_cluster_address = '$wsrep_cluster_address_orig';
+ 
+ --enable_query_log
+diff --git a/mysql-test/suite/galera/include/galera_unload_provider.inc b/mysql-test/suite/galera/include/galera_unload_provider.inc
+index cd841f51fbc..ed7e9bc41f0 100644
+--- a/mysql-test/suite/galera/include/galera_unload_provider.inc
++++ b/mysql-test/suite/galera/include/galera_unload_provider.inc
+@@ -1,7 +1,6 @@
+ --echo Unloading wsrep provider ...
+ 
+ --let $wsrep_cluster_address_orig = `SELECT @@wsrep_cluster_address`
+---let $wsrep_provider_orig = `SELECT @@wsrep_provider`
+ --let $wsrep_provider_options_orig = `SELECT @@wsrep_provider_options`
+ --let $wsrep_error_log_orig = `SELECT @@log_error`
+ if(!$wsrep_log_error_orig)
+@@ -12,4 +11,4 @@ if(!$wsrep_log_error_orig)
+ }
+ --let LOG_FILE= $wsrep_log_error_orig
+ 
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+diff --git a/mysql-test/suite/galera/r/galera_ist_rsync.result b/mysql-test/suite/galera/r/galera_ist_rsync.result
+index 13f7d898a59..70a87c73df7 100644
+--- a/mysql-test/suite/galera/r/galera_ist_rsync.result
++++ b/mysql-test/suite/galera/r/galera_ist_rsync.result
+@@ -23,7 +23,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/galera_sst_mysqldump.result b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+index 4ed679ba477..145b3a94775 100644
+--- a/mysql-test/suite/galera/r/galera_sst_mysqldump.result
++++ b/mysql-test/suite/galera/r/galera_sst_mysqldump.result
+@@ -30,7 +30,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/galera/r/mysql-wsrep#33.result b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+index fb0b593cc96..45c6a3f660a 100644
+--- a/mysql-test/suite/galera/r/mysql-wsrep#33.result
++++ b/mysql-test/suite/galera/r/mysql-wsrep#33.result
+@@ -32,7 +32,7 @@ INSERT INTO t1 VALUES ('node2_committed_before');
+ INSERT INTO t1 VALUES ('node2_committed_before');
+ COMMIT;
+ Unloading wsrep provider ...
+-SET GLOBAL wsrep_provider = 'none';
++SET GLOBAL wsrep_cluster_address = '';
+ connection node_1;
+ SET AUTOCOMMIT=OFF;
+ START TRANSACTION;
+diff --git a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+index 4b6abf85434..f73bfbd13e7 100644
+--- a/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
++++ b/mysql-test/suite/sys_vars/r/sysvars_wsrep.result
+@@ -403,7 +403,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ GLOBAL_VALUE_PATH	NULL
+ VARIABLE_NAME	WSREP_ON
+@@ -463,7 +463,7 @@ NUMERIC_MIN_VALUE	NULL
+ NUMERIC_MAX_VALUE	NULL
+ NUMERIC_BLOCK_SIZE	NULL
+ ENUM_VALUE_LIST	NULL
+-READ_ONLY	NO
++READ_ONLY	YES
+ COMMAND_LINE_ARGUMENT	REQUIRED
+ GLOBAL_VALUE_PATH	NULL
+ VARIABLE_NAME	WSREP_PROVIDER_OPTIONS
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result b/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
+deleted file mode 100644
+index 056ff8c817b..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_notify_cmd_basic.result
++++ /dev/null
+@@ -1,47 +0,0 @@
+-#
+-# wsrep_notify_cmd
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-# default
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-
+-# scope
+-SELECT @@session.wsrep_notify_cmd;
+-ERROR HY000: Variable 'wsrep_notify_cmd' is a GLOBAL variable
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-notify_cmd
+-
+-# valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-command
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-hyphenated-command
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# invalid values
+-SET @@global.wsrep_notify_cmd=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_notify_cmd'
+-SELECT @@global.wsrep_notify_cmd;
+-@@global.wsrep_notify_cmd
+-NULL
+-
+-# restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
+deleted file mode 100644
+index 3e4ac8ca883..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_basic.result
++++ /dev/null
+@@ -1,40 +0,0 @@
+-#
+-# wsrep_provider
+-#
+-# save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-# default
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# scope
+-SELECT @@session.wsrep_provider;
+-ERROR HY000: Variable 'wsrep_provider' is a GLOBAL variable
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# invalid values
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of '/invalid/libgalera_smm.so'
+-SET @@global.wsrep_provider=NULL;
+-ERROR 42000: Variable 'wsrep_provider' can't be set to the value of 'NULL'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-SET @@global.wsrep_provider=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider'
+-SELECT @@global.wsrep_provider;
+-@@global.wsrep_provider
+-none
+-
+-# restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result b/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
+deleted file mode 100644
+index 15949a14e39..00000000000
+--- a/mysql-test/suite/sys_vars/r/wsrep_provider_options_basic.result
++++ /dev/null
+@@ -1,46 +0,0 @@
+-#
+-# wsrep_provider_options
+-#
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-# default
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# scope
+-SELECT @@session.wsrep_provider_options;
+-ERROR HY000: Variable 'wsrep_provider_options' is a GLOBAL variable
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# valid values
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=default;
+-ERROR HY000: WSREP (galera) not started
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-
+-# invalid values
+-SET @@global.wsrep_provider_options=1;
+-ERROR 42000: Incorrect argument type to variable 'wsrep_provider_options'
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-SET @@global.wsrep_provider_options=NULL;
+-Got one of the listed errors
+-SELECT @@global.wsrep_provider_options;
+-@@global.wsrep_provider_options
+-
+-# End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test b/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
+deleted file mode 100644
+index 6d1535ba148..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_notify_cmd_basic.test
++++ /dev/null
+@@ -1,43 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_notify_cmd
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # save the initial value
+-SET @wsrep_notify_cmd_global_saved = @@global.wsrep_notify_cmd;
+-
+---echo # default
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='notify_cmd';
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_notify_cmd='command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd='hyphenated-command';
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=default;
+-SELECT @@global.wsrep_notify_cmd;
+-SET @@global.wsrep_notify_cmd=NULL;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_notify_cmd=1;
+-SELECT @@global.wsrep_notify_cmd;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_notify_cmd = @wsrep_notify_cmd_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
+deleted file mode 100644
+index 1190ab41bb0..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_basic.test
++++ /dev/null
+@@ -1,39 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider
+---echo #
+-
+---echo # save the initial value
+-SET @wsrep_provider_global_saved = @@global.wsrep_provider;
+-
+---echo # default
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # valid values
+-SET @@global.wsrep_provider=default;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider='/invalid/libgalera_smm.so';
+---error ER_WRONG_VALUE_FOR_VAR
+-SET @@global.wsrep_provider=NULL;
+-SELECT @@global.wsrep_provider;
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider=1;
+-SELECT @@global.wsrep_provider;
+-
+---echo
+---echo # restore the initial value
+-SET @@global.wsrep_provider = @wsrep_provider_global_saved;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test b/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
+deleted file mode 100644
+index 6eb3a94b6a4..00000000000
+--- a/mysql-test/suite/sys_vars/t/wsrep_provider_options_basic.test
++++ /dev/null
+@@ -1,41 +0,0 @@
+---source include/have_wsrep.inc
+-
+---echo #
+---echo # wsrep_provider_options
+---echo #
+-
+-call mtr.add_suppression("WSREP: Failed to get provider options");
+-
+---echo # default
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # scope
+---error ER_INCORRECT_GLOBAL_LOCAL_VAR
+-SELECT @@session.wsrep_provider_options;
+---error 0,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='option1';
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # valid values
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='name1=value1;name2=value2';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options='hyphenated-name:value';
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=default;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo
+---echo # invalid values
+---error ER_WRONG_TYPE_FOR_VAR
+-SET @@global.wsrep_provider_options=1;
+-SELECT @@global.wsrep_provider_options;
+---error ER_WRONG_ARGUMENTS,ER_WRONG_ARGUMENTS
+-SET @@global.wsrep_provider_options=NULL;
+-SELECT @@global.wsrep_provider_options;
+-
+---echo # End of test
+diff --git a/mysql-test/suite/wsrep/disabled.def b/mysql-test/suite/wsrep/disabled.def
+index 11577bfe8b0..3d204db6945 100644
+--- a/mysql-test/suite/wsrep/disabled.def
++++ b/mysql-test/suite/wsrep/disabled.def
+@@ -10,3 +10,5 @@
+ #
+ ##############################################################################
+ 
++
++mdev_6832: wsrep_provider is read-only for security reasons
+diff --git a/mysql-test/suite/wsrep/r/variables.result b/mysql-test/suite/wsrep/r/variables.result
+index a9988fd1628..e57440125ee 100644
+--- a/mysql-test/suite/wsrep/r/variables.result
++++ b/mysql-test/suite/wsrep/r/variables.result
+@@ -14,7 +14,6 @@ SET SESSION wsrep_replicate_myisam= ON;
+ ERROR HY000: Variable 'wsrep_replicate_myisam' is a GLOBAL variable and should be set with SET GLOBAL
+ SET GLOBAL wsrep_replicate_myisam= ON;
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
+ #
+ # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+ # variables when using "_"
+@@ -151,7 +150,6 @@ wsrep_local_state_comment	#
+ # Should show nothing.
+ SHOW STATUS LIKE 'x';
+ Variable_name	Value
+-SET GLOBAL wsrep_provider=none;
+ 
+ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ Variable_name	Value
+@@ -160,7 +158,6 @@ wsrep_local_state_uuid	#
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ Variable_name	Value
+ wsrep_last_committed	#
+-SET GLOBAL wsrep_provider=none;
+ 
+ #
+ # MDEV#6206: wsrep_slave_threads subtracts from max_connections
+@@ -174,7 +171,7 @@ SELECT @@global.wsrep_slave_threads;
+ 1
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -183,14 +180,14 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ SELECT @@global.wsrep_provider;
+ @@global.wsrep_provider
+ libgalera_smm.so
+ SELECT @@global.wsrep_cluster_address;
+ @@global.wsrep_cluster_address
+-
++gcomm://
+ SELECT @@global.wsrep_on;
+ @@global.wsrep_on
+ 1
+@@ -199,11 +196,10 @@ Variable_name	Value
+ Threads_connected	1
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ Variable_name	Value
+-wsrep_thread_count	0
++wsrep_thread_count	2
+ 
+ # Setting wsrep_cluster_address triggers the creation of
+ # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ # Wait for applier thread to get created 1.
+ # Wait for applier thread to get created 2.
+ SELECT VARIABLE_VALUE AS EXPECT_1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count';
+diff --git a/mysql-test/suite/wsrep/t/variables.test b/mysql-test/suite/wsrep/t/variables.test
+index f2c3a0a3b78..fd352b61a3a 100644
+--- a/mysql-test/suite/wsrep/t/variables.test
++++ b/mysql-test/suite/wsrep/t/variables.test
+@@ -23,7 +23,7 @@ SET GLOBAL wsrep_replicate_myisam= ON;
+ 
+ # Reset it back.
+ SET GLOBAL wsrep_replicate_myisam= OFF;
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo #
+ --echo # MDEV#5790: SHOW GLOBAL STATUS LIKE does not show the correct list of
+@@ -32,9 +32,6 @@ SET GLOBAL wsrep_provider=none;
+ 
+ CALL mtr.add_suppression("WSREP: Could not open saved state file for reading.*");
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
+ 
+ --replace_column 2 #
+ SHOW GLOBAL STATUS LIKE 'wsrep%';
+@@ -50,11 +47,9 @@ SHOW GLOBAL STATUS LIKE 'wsrep_local_state_comment';
+ SHOW STATUS LIKE 'x';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ # The following 2 variables are used by mariabackup
+ # SST.
+@@ -66,7 +61,7 @@ SHOW STATUS LIKE 'wsrep_local_state_uuid';
+ SHOW STATUS LIKE 'wsrep_last_committed';
+ 
+ # Reset it back.
+-SET GLOBAL wsrep_provider=none;
++#SET GLOBAL wsrep_provider=none;
+ 
+ --echo
+ --echo #
+@@ -74,9 +69,7 @@ SET GLOBAL wsrep_provider=none;
+ --echo #
+ call mtr.add_suppression("WSREP: Failed to get provider options");
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -87,9 +80,7 @@ SHOW STATUS LIKE 'threads_connected';
+ SHOW STATUS LIKE 'wsrep_thread_count';
+ --echo
+ 
+---disable_query_log
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+---enable_query_log
++#evalp SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+ 
+ --replace_regex /.*libgalera_smm.*/libgalera_smm.so/
+ SELECT @@global.wsrep_provider;
+@@ -101,7 +92,7 @@ SHOW STATUS LIKE 'wsrep_thread_count';
+ 
+ --echo # Setting wsrep_cluster_address triggers the creation of
+ --echo # applier/rollbacker threads.
+-SET GLOBAL wsrep_cluster_address= 'gcomm://';
++#SET GLOBAL wsrep_cluster_address= 'gcomm://';
+ 
+ --echo # Wait for applier thread to get created 1.
+ --let $wait_condition = SELECT VARIABLE_VALUE = 1 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_applier_thread_count';
+@@ -162,15 +153,6 @@ SET @@global.wsrep_sst_auth= NULL;
+ SELECT @@global.wsrep_sst_auth;
+ SET @@global.wsrep_sst_auth= @wsrep_sst_auth_saved;
+ 
+-# Reset (for mtr internal checks)
+-
+---disable_query_log
+-SET GLOBAL wsrep_slave_threads= @wsrep_slave_threads_saved;
+-eval SET GLOBAL wsrep_provider= '$WSREP_PROVIDER';
+-SET GLOBAL wsrep_cluster_address= @wsrep_cluster_address_saved;
+-SET GLOBAL wsrep_provider_options= @wsrep_provider_options_saved;
+---enable_query_log
+-
+ --source include/galera_wait_ready.inc
+ 
+ --echo # End of test.
+diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
+index 64040243df0..8c67a4d432a 100644
+--- a/sql/sys_vars.cc
++++ b/sql/sys_vars.cc
+@@ -5669,8 +5669,8 @@ static Sys_var_tz Sys_time_zone(
+ 
+ static Sys_var_charptr_fscs Sys_wsrep_provider(
+        "wsrep_provider", "Path to replication provider library",
+-       PREALLOCATED GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
+-       DEFAULT(WSREP_NONE),
++       PREALLOCATED READ_ONLY GLOBAL_VAR(wsrep_provider), CMD_LINE(REQUIRED_ARG),
++       DEFAULT(WSREP_NONE),
+        NO_MUTEX_GUARD, NOT_IN_BINLOG,
+        ON_CHECK(wsrep_provider_check), ON_UPDATE(wsrep_provider_update));
+ 
+@@ -5886,8 +5886,8 @@ static Sys_var_ulong Sys_wsrep_max_ws_rows (
+ 
+ static Sys_var_charptr Sys_wsrep_notify_cmd(
+        "wsrep_notify_cmd", "",
+-       GLOBAL_VAR(wsrep_notify_cmd),CMD_LINE(REQUIRED_ARG),
+-       DEFAULT(""));
++       READ_ONLY GLOBAL_VAR(wsrep_notify_cmd), CMD_LINE(REQUIRED_ARG),
++       DEFAULT(""));
+ 
+ static Sys_var_mybool Sys_wsrep_certify_nonPK(
+        "wsrep_certify_nonPK", "Certify tables with no primary key",
+-- 
+2.31.0
+
diff --git a/gnu/packages/patches/mediastreamer2-srtp2.patch b/gnu/packages/patches/mediastreamer2-srtp2.patch
deleted file mode 100644
index f6d494facb..0000000000
--- a/gnu/packages/patches/mediastreamer2-srtp2.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 97903498364ae2596e790cb2c2ce9ac76c04d64a Mon Sep 17 00:00:00 2001
-From: Danmei Chen <danmei.chen@belledonne-communications.com>
-Date: Fri, 19 Jan 2018 10:04:07 +0100
-Subject: [PATCH] add compability with srtp2
-
----
- cmake/FindSRTP.cmake    | 24 ++++++++++++++++++++----
- src/CMakeLists.txt      |  1 +
- src/crypto/ms_srtp.c    | 10 ++--------
- src/utils/srtp_prefix.h | 41 +++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 64 insertions(+), 12 deletions(-)
- create mode 100644 src/utils/srtp_prefix.h
-
-diff --git a/cmake/FindSRTP.cmake b/cmake/FindSRTP.cmake
-index 988b846a..f720ce7e 100644
---- a/cmake/FindSRTP.cmake
-+++ b/cmake/FindSRTP.cmake
-@@ -31,20 +31,36 @@ set(_SRTP_ROOT_PATHS
- )
- 
- find_path(SRTP_INCLUDE_DIRS
--	NAMES srtp/srtp.h
-+	NAMES srtp2/srtp.h
- 	HINTS _SRTP_ROOT_PATHS
- 	PATH_SUFFIXES include
- )
- 
- if(SRTP_INCLUDE_DIRS)
- 	set(HAVE_SRTP_SRTP_H 1)
--endif()
--
--find_library(SRTP_LIBRARIES
-+	set(SRTP_VERSION 2)
-+	find_library(SRTP_LIBRARIES
-+		NAMES srtp2
-+		HINTS ${_SRTP_ROOT_PATHS}
-+		PATH_SUFFIXES bin lib
-+	)
-+else()
-+	find_path(SRTP_INCLUDE_DIRS
-+		NAMES srtp/srtp.h
-+		HINTS _SRTP_ROOT_PATHS
-+		PATH_SUFFIXES include
-+	)
-+	if(SRTP_INCLUDE_DIRS)
-+		set(HAVE_SRTP_SRTP_H 1)
-+		set(SRTP_VERSION 1)
-+	endif()
-+	find_library(SRTP_LIBRARIES
- 	NAMES srtp
- 	HINTS ${_SRTP_ROOT_PATHS}
- 	PATH_SUFFIXES bin lib
- )
-+endif()
-+
- 
- include(FindPackageHandleStandardArgs)
- find_package_handle_standard_args(SRTP
-diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
-index da429764..c46faa62 100644
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -183,6 +183,7 @@ set(VOIP_SOURCE_FILES_C
- 	utils/pcap_sender.c
- 	utils/pcap_sender.h
- 	utils/stream_regulator.c
-+	utils/srtp_prefix.h
- 	voip/audioconference.c
- 	voip/audiostream.c
- 	voip/bandwidthcontroller.c
-diff --git a/src/crypto/ms_srtp.c b/src/crypto/ms_srtp.c
-index 5a510c99..67810316 100644
---- a/src/crypto/ms_srtp.c
-+++ b/src/crypto/ms_srtp.c
-@@ -25,6 +25,7 @@
- #include "mediastreamer2/ms_srtp.h"
- #include "mediastreamer2/mediastream.h"
- 
-+
- #ifdef HAVE_SRTP
- 
- /*srtp defines all this stuff*/
-@@ -34,13 +35,7 @@
- #undef PACKAGE_TARNAME
- #undef PACKAGE_VERSION
- 
--#if defined(MS2_WINDOWS_PHONE)
--// Windows phone doesn't use make install
--#include <srtp.h>
--#else
--#include <srtp/srtp.h>
--#endif
--
-+#include "srtp_prefix.h"
- 
- #include "ortp/b64.h"
- 
-@@ -352,7 +347,6 @@ int ms_srtp_init(void)
- 			srtp_init_done++;
- 		}else{
- 			ms_fatal("Couldn't initialize SRTP library: %d.", st);
--			err_reporting_init("mediastreamer2");
- 		}
- 	}else srtp_init_done++;
- 	return (int)st;
-diff --git a/src/utils/srtp_prefix.h b/src/utils/srtp_prefix.h
-new file mode 100644
-index 00000000..68bde496
---- /dev/null
-+++ b/src/utils/srtp_prefix.h
-@@ -0,0 +1,41 @@
-+/*
-+  mediastreamer2 library - modular sound and video processing and streaming
-+  Copyright (C) 2006-2014 Belledonne Communications, Grenoble
-+
-+  This library is free software; you can redistribute it and/or
-+  modify it under the terms of the GNU Lesser General Public
-+  License as published by the Free Software Foundation; either
-+  version 2.1 of the License, or (at your option) any later version.
-+
-+  This library is distributed in the hope that it will be useful,
-+  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+  Lesser General Public License for more details.
-+
-+  You should have received a copy of the GNU Lesser General Public
-+  License along with this library; if not, write to the Free Software
-+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-+*/
-+#ifndef __SRTP2_H__
-+#define __SRTP2_H__
-+
-+#if defined(MS2_WINDOWS_PHONE)
-+// Windows phone doesn't use make install
-+#include <srtp.h>
-+#elif SRTP_VERSION==1
-+#include <srtp/srtp.h>
-+#else
-+#include <srtp2/srtp.h>
-+#define err_status_t srtp_err_status_t
-+#define err_status_ok srtp_err_status_ok
-+#define crypto_policy_t srtp_crypto_policy_t
-+#define crypto_policy_set_aes_cm_256_hmac_sha1_80 srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80
-+#define crypto_policy_set_aes_cm_128_hmac_sha1_32 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32
-+#define crypto_policy_set_aes_cm_128_null_auth srtp_crypto_policy_set_aes_cm_128_null_auth
-+#define crypto_policy_set_null_cipher_hmac_sha1_80 srtp_crypto_policy_set_null_cipher_hmac_sha1_80
-+#define crypto_policy_set_aes_cm_128_hmac_sha1_80 srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80
-+#define crypto_policy_set_aes_cm_256_hmac_sha1_32 srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32
-+#define ssrc_t srtp_ssrc_t
-+#endif
-+
-+#endif
--- 
-2.21.0
-
diff --git a/gnu/packages/patches/opendht-fix-jami.patch b/gnu/packages/patches/opendht-fix-jami.patch
deleted file mode 100644
index 9718a84a41..0000000000
--- a/gnu/packages/patches/opendht-fix-jami.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e2b39dd3a0742853e00f9c3e8c46c911da20bed7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
-Date: Tue, 30 Jun 2020 10:42:49 -0400
-Subject: [PATCH 1/4] http/request: make terminate public
-
----
- include/opendht/http.h | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/include/opendht/http.h b/include/opendht/http.h
-index cc8d5f9..46b722c 100644
---- a/include/opendht/http.h
-+++ b/include/opendht/http.h
-@@ -294,6 +294,7 @@ public:
-      * User action to cancel the Request and call the completion callbacks.
-      */
-     void cancel();
-+    void terminate(const asio::error_code& ec);
- 
- private:
-     using OnCompleteCb = std::function<void()>;
-@@ -320,8 +321,6 @@ private:
- 
-     void connect(std::vector<asio::ip::tcp::endpoint>&& endpoints, HandlerCb cb = {});
- 
--    void terminate(const asio::error_code& ec);
--
-     void post();
- 
-     void handle_request(const asio::error_code& ec);
--- 
-2.27.0
-
diff --git a/gnu/packages/patches/pidgin-vv-gst.patch b/gnu/packages/patches/pidgin-vv-gst.patch
deleted file mode 100644
index e0553dd119..0000000000
--- a/gnu/packages/patches/pidgin-vv-gst.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Name: Gary Kramlich
-Date: 2020-07-12
-Source: https://keep.imfreedom.org/pidgin/pidgin/rev/39ac50435cfb
-
-diff --git a/libpurple/mediamanager.c b/libpurple/mediamanager.c
---- a/libpurple/mediamanager.c
-+++ b/libpurple/mediamanager.c
-@@ -2231,6 +2231,7 @@
- purple_media_manager_unregister_gst_device(PurpleMediaManager *manager,
- 		GstDevice *device)
- {
-+#ifdef USE_VV
- 	GList *i;
- 	gchar *name;
- 	gchar *device_class;
-@@ -2277,6 +2278,7 @@
- 
- 	g_free(name);
- 	g_free(device_class);
-+#endif /* USE_VV */
- }
- 
- static gboolean
-@@ -2304,7 +2306,7 @@
- static void
- purple_media_manager_init_device_monitor(PurpleMediaManager *manager)
- {
--#if GST_CHECK_VERSION(1, 4, 0)
-+#if GST_CHECK_VERSION(1, 4, 0) && defined(USE_VV)
- 	GstBus *bus;
- 	GList *i;
- 
-@@ -2334,6 +2336,7 @@
- 		PurpleMediaElementType type)
- {
- 	GList *result = NULL;
-+#ifdef USE_VV
- 	GList *i;
- 
- 	for (i = manager->priv->elements; i; i = i->next) {
-@@ -2347,6 +2350,7 @@
- 			result = g_list_prepend(result, info);
- 		}
- 	}
-+#endif /* USE_VV */
- 
- 	return result;
- }
diff --git a/gnu/packages/patches/pyqt-public-sip.patch b/gnu/packages/patches/pyqt-public-sip.patch
deleted file mode 100644
index 44cdcb6371..0000000000
--- a/gnu/packages/patches/pyqt-public-sip.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-https://sources.debian.org/data/main/p/pyqt5/5.11.3+dfsg-1/debian/patches/public_sip.diff
-
-From: Dmitry Shachnev <mitya57@debian.org>
-Date: Tue, 3 Jul 2018 09:46:42 +0300
-Subject: Use the public version of sip module
-
-Per https://www.debian.org/doc/debian-policy/#convenience-copies-of-code.
----
- configure.py              | 2 +-
- designer/pluginloader.cpp | 2 +-
- qmlscene/pluginloader.cpp | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/configure.py b/configure.py
-index 32d03a0..3c43a14 100644
---- a/configure.py
-+++ b/configure.py
-@@ -2440,7 +2440,7 @@ def get_sip_flags(target_config):
-     the target configuration.
-     """
- 
--    sip_flags = ['-n', 'PyQt5.sip']
-+    sip_flags = ['-n', 'sip']
- 
-     # If we don't check for signed interpreters, we exclude the 'VendorID'
-     # feature
-diff --git a/designer/pluginloader.cpp b/designer/pluginloader.cpp
-index f41d391..3ca8b11 100644
---- a/designer/pluginloader.cpp
-+++ b/designer/pluginloader.cpp
-@@ -167,7 +167,7 @@ bool PyCustomWidgets::importPlugins(const QString &dir, const QStringList &plugi
-     // Make sure we have sip.unwrapinstance.
-     if (!sip_unwrapinstance)
-     {
--        sip_unwrapinstance = getModuleAttr("PyQt5.sip", "unwrapinstance");
-+        sip_unwrapinstance = getModuleAttr("sip", "unwrapinstance");
- 
-         if (!sip_unwrapinstance)
-             return true;
-diff --git a/qmlscene/pluginloader.cpp b/qmlscene/pluginloader.cpp
-index e14b946..140e80c 100644
---- a/qmlscene/pluginloader.cpp
-+++ b/qmlscene/pluginloader.cpp
-@@ -412,9 +412,9 @@ PyObject *PyQt5QmlPlugin::getModuleAttr(const char *module, const char *attr)
- void PyQt5QmlPlugin::getSipAPI()
- {
- #if defined(SIP_USE_PYCAPSULE)
--    sip = (const sipAPIDef *)PyCapsule_Import("PyQt5.sip._C_API", 0);
-+    sip = (const sipAPIDef *)PyCapsule_Import("sip._C_API", 0);
- #else
--    PyObject *c_api = getModuleAttr("PyQt5.sip", "_C_API");
-+    PyObject *c_api = getModuleAttr("sip", "_C_API");
- 
-     if (c_api)
-     {
diff --git a/gnu/packages/patches/qemu-build-info-manual.patch b/gnu/packages/patches/qemu-build-info-manual.patch
index c837040d45..f2bee30ab0 100644
--- a/gnu/packages/patches/qemu-build-info-manual.patch
+++ b/gnu/packages/patches/qemu-build-info-manual.patch
@@ -90,7 +90,7 @@ index ebd85d59f9..1243839461 100644
 +      output: 'QEMU.info',
 +      install: true,
 +      install_dir: get_option('infodir'),
-+      command: [makeinfo, '@INPUT0@', '--output=@OUTPUT@'])
++      command: [makeinfo, '--no-split', '@INPUT0@', '--output=@OUTPUT@'])
 +    alias_target('texi', sphinxtexi)
 +    alias_target('info', sphinxinfo)
 +  endif
diff --git a/gnu/packages/patches/qemu-glibc-2.30.patch b/gnu/packages/patches/qemu-glibc-2.30.patch
new file mode 100644
index 0000000000..1b74dee4ac
--- /dev/null
+++ b/gnu/packages/patches/qemu-glibc-2.30.patch
@@ -0,0 +1,57 @@
+This patch was taken from NixOS
+https://raw.githubusercontent.com/Mindavi/nixpkgs/1a737743a829746e48f4869ac517ff29c23c9d09/pkgs/tools/security/afl/qemu-patches/syscall-glibc2_30.diff
+It is based on an unmerged patch against american-fuzzy-lop and was
+never merged upstream because the author was unable to sign Google's CLA.
+Based on https://github.com/google/AFL/commit/6c917e3d63a2a0685d58c3518524f9615b001893.patch
+
+--- qemu-2.10.0-clean/linux-user/syscall.c	2020-03-12 18:47:47.898592169 +0100
++++ qemu-2.10.0/linux-user/syscall.c	2020-03-13 09:13:42.461809699 +0100
+@@ -34,6 +34,7 @@
+ #include <sys/resource.h>
+ #include <sys/swap.h>
+ #include <linux/capability.h>
++#include <linux/sockios.h> // https://lkml.org/lkml/2019/6/3/988
+ #include <sched.h>
+ #include <sys/timex.h>
+ #ifdef __ia64__
+@@ -256,7 +257,9 @@ static type name (type1 arg1,type2 arg2,
+ #endif
+ 
+ #ifdef __NR_gettid
+-_syscall0(int, gettid)
++// taken from https://patchwork.kernel.org/patch/10862231/
++#define __NR_sys_gettid __NR_gettid
++_syscall0(int, sys_gettid)
+ #else
+ /* This is a replacement for the host gettid() and must return a host
+    errno. */
+@@ -6219,7 +6222,7 @@ static void *clone_func(void *arg)
+     cpu = ENV_GET_CPU(env);
+     thread_cpu = cpu;
+     ts = (TaskState *)cpu->opaque;
+-    info->tid = gettid();
++    info->tid = sys_gettid();
+     task_settid(ts);
+     if (info->child_tidptr)
+         put_user_u32(info->tid, info->child_tidptr);
+@@ -6363,9 +6366,9 @@ static int do_fork(CPUArchState *env, un
+                mapping.  We can't repeat the spinlock hack used above because
+                the child process gets its own copy of the lock.  */
+             if (flags & CLONE_CHILD_SETTID)
+-                put_user_u32(gettid(), child_tidptr);
++                put_user_u32(sys_gettid(), child_tidptr);
+             if (flags & CLONE_PARENT_SETTID)
+-                put_user_u32(gettid(), parent_tidptr);
++                put_user_u32(sys_gettid(), parent_tidptr);
+             ts = (TaskState *)cpu->opaque;
+             if (flags & CLONE_SETTLS)
+                 cpu_set_tls (env, newtls);
+@@ -11402,7 +11405,7 @@ abi_long do_syscall(void *cpu_env, int n
+         break;
+ #endif
+     case TARGET_NR_gettid:
+-        ret = get_errno(gettid());
++        ret = get_errno(sys_gettid());
+         break;
+ #ifdef TARGET_NR_readahead
+     case TARGET_NR_readahead:
diff --git a/gnu/packages/patches/racket-sh-via-rktio.patch b/gnu/packages/patches/racket-sh-via-rktio.patch
new file mode 100644
index 0000000000..b4fefd1514
--- /dev/null
+++ b/gnu/packages/patches/racket-sh-via-rktio.patch
@@ -0,0 +1,87 @@
+From 3574b567c486d264d680a37586436c3b5a8cb978 Mon Sep 17 00:00:00 2001
+From: Philip McGrath <philip@philipmcgrath.com>
+Date: Thu, 4 Mar 2021 04:11:50 -0500
+Subject: [PATCH] patch rktio_process for "/bin/sh" on Guix
+
+Racket provides the functions `system` and `process`,
+which execute shell commands using `sh` (or `cmd` on Windows).
+Racket assumes that `sh` can be found at "/bin/sh",
+which is not necessarily true on Guix.
+
+This patch adds a special case for "/bin/sh" to `rktio_process`,
+the C function that implements the core of `system`, `process`,
+and related Racket functions.
+
+Guix should enable the special case by defining the C preprocessor
+macro `GUIX_RKTIO_PATCH_BIN_SH` with the path to `sh` in the store.
+If:
+
+    1. The `GUIX_RKTIO_PATCH_BIN_SH` macro is defined; and
+
+    2. `rktio_process` is called with the exact path "/bin/sh"; and
+
+    3. The path specified by `GUIX_RKTIO_PATCH_BIN_SH` does exists;
+
+then `rktio_process` will execute the file specified
+by `GUIX_RKTIO_PATCH_BIN_SH` instead of "/bin/sh".
+
+Compared to previous attempts to patch the Racket sources,
+making this change at the C level is both:
+
+    - More comprehensive: it catches all attempts to execute "/bin/sh",
+      without having to track down the source of every occurance; and
+
+    - Less intrusive: by guarding the special case with a C preprocessor
+      conditional and a runtime check that the file in the store exists,
+      we make it much less likely that it will "leak" out of Guix.
+---
+ src/rktio/rktio_process.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/rktio/rktio_process.c b/src/rktio/rktio_process.c
+index 89202436c0..465ebdd5c5 100644
+--- a/src/rktio/rktio_process.c
++++ b/src/rktio/rktio_process.c
+@@ -1224,12 +1224,14 @@ int rktio_process_allowed_flags(rktio_t *rktio)
+ /*========================================================================*/
+ 
+ rktio_process_result_t *rktio_process(rktio_t *rktio,
+-                                      const char *command, int argc, rktio_const_string_t *argv,
++                                      /* PATCHED for Guix (next line) */
++                                      const char *_guix_orig_command, int argc, rktio_const_string_t *argv,
+                                       rktio_fd_t *stdout_fd, rktio_fd_t *stdin_fd, rktio_fd_t *stderr_fd,
+                                       rktio_process_t *group_proc,
+                                       const char *current_directory, rktio_envvars_t *envvars,
+                                       int flags)
+ {
++  const char *command; /* PATCHED for Guix */
+   rktio_process_result_t *result;
+   intptr_t to_subprocess[2], from_subprocess[2], err_subprocess[2];
+   int pid;
+@@ -1255,6 +1257,23 @@ rktio_process_result_t *rktio_process(rktio_t *rktio,
+   int i;
+ #endif
+ 
++/* BEGIN PATCH for Guix */
++#if defined(GUIX_RKTIO_PATCH_BIN_SH)
++# define GUIX_AS_a_STR_HELPER(x) #x
++# define GUIX_AS_a_STR(x) GUIX_AS_a_STR_HELPER(x)
++  /* A level of indirection makes `#` work as needed: */
++  command =
++      ((0 == strcmp(_guix_orig_command, "/bin/sh"))
++       && rktio_file_exists(rktio, GUIX_AS_a_STR(GUIX_RKTIO_PATCH_BIN_SH)))
++      ? GUIX_AS_a_STR(GUIX_RKTIO_PATCH_BIN_SH)
++      : _guix_orig_command;
++# undef GUIX_AS_a_STR
++# undef GUIX_AS_a_STR_HELPER
++#else
++  command = _guix_orig_command;
++#endif
++/* END PATCH for Guix */
++
+   /* avoid compiler warnings: */
+   to_subprocess[0] = -1;
+   to_subprocess[1] = -1;
+-- 
+2.21.1 (Apple Git-122.3)
+
diff --git a/gnu/packages/patches/runc-CVE-2019-5736.patch b/gnu/packages/patches/runc-CVE-2019-5736.patch
deleted file mode 100644
index f629fcbfb4..0000000000
--- a/gnu/packages/patches/runc-CVE-2019-5736.patch
+++ /dev/null
@@ -1,343 +0,0 @@
-Fix CVE-2019-5736:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
-https://seclists.org/oss-sec/2019/q1/119
-
-Patch copied from upstream source repository:
-
-https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
-
-From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Wed, 9 Jan 2019 13:40:01 +1100
-Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
- to container
-
-There are quite a few circumstances where /proc/self/exe pointing to a
-pretty important container binary is a _bad_ thing, so to avoid this we
-have to make a copy (preferably doing self-clean-up and not being
-writeable).
-
-We require memfd_create(2) -- though there is an O_TMPFILE fallback --
-but we can always extend this to use a scratch MNT_DETACH overlayfs or
-tmpfs. The main downside to this approach is no page-cache sharing for
-the runc binary (which overlayfs would give us) but this is far less
-complicated.
-
-This is only done during nsenter so that it happens transparently to the
-Go code, and any libcontainer users benefit from it. This also makes
-ExtraFiles and --preserve-fds handling trivial (because we don't need to
-worry about it).
-
-Fixes: CVE-2019-5736
-Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++
- libcontainer/nsenter/nsexec.c        |  11 ++
- 2 files changed, 279 insertions(+)
- create mode 100644 libcontainer/nsenter/cloned_binary.c
-
-diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
-new file mode 100644
-index 000000000..c8a42c23f
---- /dev/null
-+++ b/libcontainer/nsenter/cloned_binary.c
-@@ -0,0 +1,268 @@
-+/*
-+ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
-+ * Copyright (C) 2019 SUSE LLC
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ *     http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#define _GNU_SOURCE
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <string.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+#include <errno.h>
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/vfs.h>
-+#include <sys/mman.h>
-+#include <sys/sendfile.h>
-+#include <sys/syscall.h>
-+
-+/* Use our own wrapper for memfd_create. */
-+#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-+#  define SYS_memfd_create __NR_memfd_create
-+#endif
-+#ifdef SYS_memfd_create
-+#  define HAVE_MEMFD_CREATE
-+/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
-+#  ifndef MFD_CLOEXEC
-+#    define MFD_CLOEXEC       0x0001U
-+#    define MFD_ALLOW_SEALING 0x0002U
-+#  endif
-+int memfd_create(const char *name, unsigned int flags)
-+{
-+	return syscall(SYS_memfd_create, name, flags);
-+}
-+#endif
-+
-+/* This comes directly from <linux/fcntl.h>. */
-+#ifndef F_LINUX_SPECIFIC_BASE
-+#  define F_LINUX_SPECIFIC_BASE 1024
-+#endif
-+#ifndef F_ADD_SEALS
-+#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-+#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-+#endif
-+#ifndef F_SEAL_SEAL
-+#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
-+#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
-+#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
-+#  define F_SEAL_WRITE  0x0008	/* prevent writes */
-+#endif
-+
-+#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
-+#ifdef HAVE_MEMFD_CREATE
-+#  define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-+#  define RUNC_MEMFD_SEALS \
-+	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-+#endif
-+
-+static void *must_realloc(void *ptr, size_t size)
-+{
-+	void *old = ptr;
-+	do {
-+		ptr = realloc(old, size);
-+	} while(!ptr);
-+	return ptr;
-+}
-+
-+/*
-+ * Verify whether we are currently in a self-cloned program (namely, is
-+ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
-+ * for shmem files), and we want to be sure it's actually sealed.
-+ */
-+static int is_self_cloned(void)
-+{
-+	int fd, ret, is_cloned = 0;
-+
-+	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-+	if (fd < 0)
-+		return -ENOTRECOVERABLE;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+	ret = fcntl(fd, F_GET_SEALS);
-+	is_cloned = (ret == RUNC_MEMFD_SEALS);
-+#else
-+	struct stat statbuf = {0};
-+	ret = fstat(fd, &statbuf);
-+	if (ret >= 0)
-+		is_cloned = (statbuf.st_nlink == 0);
-+#endif
-+	close(fd);
-+	return is_cloned;
-+}
-+
-+/*
-+ * Basic wrapper around mmap(2) that gives you the file length so you can
-+ * safely treat it as an ordinary buffer. Only gives you read access.
-+ */
-+static char *read_file(char *path, size_t *length)
-+{
-+	int fd;
-+	char buf[4096], *copy = NULL;
-+
-+	if (!length)
-+		return NULL;
-+
-+	fd = open(path, O_RDONLY | O_CLOEXEC);
-+	if (fd < 0)
-+		return NULL;
-+
-+	*length = 0;
-+	for (;;) {
-+		int n;
-+
-+		n = read(fd, buf, sizeof(buf));
-+		if (n < 0)
-+			goto error;
-+		if (!n)
-+			break;
-+
-+		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
-+		memcpy(copy + *length, buf, n);
-+		*length += n;
-+	}
-+	close(fd);
-+	return copy;
-+
-+error:
-+	close(fd);
-+	free(copy);
-+	return NULL;
-+}
-+
-+/*
-+ * A poor-man's version of "xargs -0". Basically parses a given block of
-+ * NUL-delimited data, within the given length and adds a pointer to each entry
-+ * to the array of pointers.
-+ */
-+static int parse_xargs(char *data, int data_length, char ***output)
-+{
-+	int num = 0;
-+	char *cur = data;
-+
-+	if (!data || *output != NULL)
-+		return -1;
-+
-+	while (cur < data + data_length) {
-+		num++;
-+		*output = must_realloc(*output, (num + 1) * sizeof(**output));
-+		(*output)[num - 1] = cur;
-+		cur += strlen(cur) + 1;
-+	}
-+	(*output)[num] = NULL;
-+	return num;
-+}
-+
-+/*
-+ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
-+ * This is necessary because we are running in a context where we don't have a
-+ * main() that we can just get the arguments from.
-+ */
-+static int fetchve(char ***argv, char ***envp)
-+{
-+	char *cmdline = NULL, *environ = NULL;
-+	size_t cmdline_size, environ_size;
-+
-+	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-+	if (!cmdline)
-+		goto error;
-+	environ = read_file("/proc/self/environ", &environ_size);
-+	if (!environ)
-+		goto error;
-+
-+	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-+		goto error;
-+	if (parse_xargs(environ, environ_size, envp) <= 0)
-+		goto error;
-+
-+	return 0;
-+
-+error:
-+	free(environ);
-+	free(cmdline);
-+	return -EINVAL;
-+}
-+
-+static int clone_binary(void)
-+{
-+	int binfd, memfd;
-+	ssize_t sent = 0;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+	memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-+#else
-+	memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
-+#endif
-+	if (memfd < 0)
-+		return -ENOTRECOVERABLE;
-+
-+	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
-+	if (binfd < 0)
-+		goto error;
-+
-+	sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
-+	close(binfd);
-+	if (sent < 0)
-+		goto error;
-+
-+#ifdef HAVE_MEMFD_CREATE
-+	int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-+	if (err < 0)
-+		goto error;
-+#else
-+	/* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
-+	int newfd;
-+	char *fdpath = NULL;
-+
-+	if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
-+		goto error;
-+	newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
-+	free(fdpath);
-+	if (newfd < 0)
-+		goto error;
-+
-+	close(memfd);
-+	memfd = newfd;
-+#endif
-+	return memfd;
-+
-+error:
-+	close(memfd);
-+	return -EIO;
-+}
-+
-+int ensure_cloned_binary(void)
-+{
-+	int execfd;
-+	char **argv = NULL, **envp = NULL;
-+
-+	/* Check that we're not self-cloned, and if we are then bail. */
-+	int cloned = is_self_cloned();
-+	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
-+		return cloned;
-+
-+	if (fetchve(&argv, &envp) < 0)
-+		return -EINVAL;
-+
-+	execfd = clone_binary();
-+	if (execfd < 0)
-+		return -EIO;
-+
-+	fexecve(execfd, argv, envp);
-+	return -ENOEXEC;
-+}
-diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
-index 28269dfc0..7750af35e 100644
---- a/libcontainer/nsenter/nsexec.c
-+++ b/libcontainer/nsenter/nsexec.c
-@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
- 	free(namespaces);
- }
- 
-+/* Defined in cloned_binary.c. */
-+extern int ensure_cloned_binary(void);
-+
- void nsexec(void)
- {
- 	int pipenum;
-@@ -549,6 +552,14 @@ void nsexec(void)
- 	if (pipenum == -1)
- 		return;
- 
-+	/*
-+	 * We need to re-exec if we are not in a cloned binary. This is necessary
-+	 * to ensure that containers won't be able to access the host binary
-+	 * through /proc/self/exe. See CVE-2019-5736.
-+	 */
-+	if (ensure_cloned_binary() < 0)
-+		bail("could not ensure we are a cloned binary");
-+
- 	/* Parse all of the netlink configuration. */
- 	nl_parse(pipenum, &config);
- 
diff --git a/gnu/packages/patches/upx-CVE-2021-20285.patch b/gnu/packages/patches/upx-CVE-2021-20285.patch
new file mode 100644
index 0000000000..1d47b2a8bb
--- /dev/null
+++ b/gnu/packages/patches/upx-CVE-2021-20285.patch
@@ -0,0 +1,76 @@
+From 3781df9da23840e596d5e9e8493f22666802fe6c Mon Sep 17 00:00:00 2001
+From: John Reiser <jreiser@BitWagon.com>
+Date: Fri, 11 Dec 2020 13:38:18 -0800
+Subject: [PATCH] Check DT_REL/DT_RELA, DT_RELSZ/DT_RELASZ
+
+https://github.com/upx/upx/issues/421
+	modified:   p_lx_elf.cpp
+---
+ src/p_lx_elf.cpp | 34 +++++++++++++++++++++++++++++-----
+ 1 file changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/src/p_lx_elf.cpp b/src/p_lx_elf.cpp
+index 182db192..3a4101cf 100644
+--- a/src/p_lx_elf.cpp
++++ b/src/p_lx_elf.cpp
+@@ -2222,8 +2222,20 @@ bool PackLinuxElf32::canPack()
+                         int z_rsz = dt_table[Elf32_Dyn::DT_RELSZ];
+                         if (z_rel && z_rsz) {
+                             unsigned rel_off = get_te32(&dynseg[-1+ z_rel].d_val);
++                            if ((unsigned)file_size <= rel_off) {
++                                char msg[70]; snprintf(msg, sizeof(msg),
++                                     "bad Elf32_Dynamic[DT_REL] %#x\n",
++                                     rel_off);
++                                throwCantPack(msg);
++                            }
+                             Elf32_Rel *rp = (Elf32_Rel *)&file_image[rel_off];
+                             unsigned relsz   = get_te32(&dynseg[-1+ z_rsz].d_val);
++                            if ((unsigned)file_size <= relsz) {
++                                char msg[70]; snprintf(msg, sizeof(msg),
++                                     "bad Elf32_Dynamic[DT_RELSZ] %#x\n",
++                                     relsz);
++                                throwCantPack(msg);
++                            }
+                             Elf32_Rel *last = (Elf32_Rel *)(relsz + (char *)rp);
+                             for (; rp < last; ++rp) {
+                                 unsigned r_va = get_te32(&rp->r_offset);
+@@ -2562,14 +2574,26 @@ PackLinuxElf64::canPack()
+                         int z_rel = dt_table[Elf64_Dyn::DT_RELA];
+                         int z_rsz = dt_table[Elf64_Dyn::DT_RELASZ];
+                         if (z_rel && z_rsz) {
+-                            unsigned rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
++                            upx_uint64_t rel_off = get_te64(&dynseg[-1+ z_rel].d_val);
++                            if ((u64_t)file_size <= rel_off) {
++                                char msg[70]; snprintf(msg, sizeof(msg),
++                                     "bad Elf64_Dynamic[DT_RELA] %#llx\n",
++                                     rel_off);
++                                throwCantPack(msg);
++                            }
+                             Elf64_Rela *rp = (Elf64_Rela *)&file_image[rel_off];
+-                            unsigned relsz   = get_te64(&dynseg[-1+ z_rsz].d_val);
++                            upx_uint64_t relsz   = get_te64(&dynseg[-1+ z_rsz].d_val);
++                            if ((u64_t)file_size <= relsz) {
++                                char msg[70]; snprintf(msg, sizeof(msg),
++                                     "bad Elf64_Dynamic[DT_RELASZ] %#llx\n",
++                                     relsz);
++                                throwCantPack(msg);
++                            }
+                             Elf64_Rela *last = (Elf64_Rela *)(relsz + (char *)rp);
+                             for (; rp < last; ++rp) {
+-                                unsigned r_va = get_te64(&rp->r_offset);
++                                upx_uint64_t r_va = get_te64(&rp->r_offset);
+                                 if (r_va == user_init_ava) { // found the Elf64_Rela
+-                                    unsigned r_info = get_te64(&rp->r_info);
++                                    upx_uint64_t r_info = get_te64(&rp->r_info);
+                                     unsigned r_type = ELF64_R_TYPE(r_info);
+                                     if (Elf64_Ehdr::EM_AARCH64 == e_machine
+                                     &&  R_AARCH64_RELATIVE == r_type) {
+@@ -2581,7 +2605,7 @@ PackLinuxElf64::canPack()
+                                     }
+                                     else {
+                                         char msg[50]; snprintf(msg, sizeof(msg),
+-                                            "bad relocation %#x DT_INIT_ARRAY[0]",
++                                            "bad relocation %#llx DT_INIT_ARRAY[0]",
+                                             r_info);
+                                         throwCantPack(msg);
+                                     }
diff --git a/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch b/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch
index 6988e65872..23f651b5eb 100644
--- a/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch
+++ b/gnu/packages/patches/vtk-fix-freetypetools-build-failure.patch
@@ -17,20 +17,16 @@ diff --git a/Rendering/FreeType/vtkFreeTypeTools.cxx b/Rendering/FreeType/vtkFre
 index c54289dc60..03b899c4da 100644
 --- a/Rendering/FreeType/vtkFreeTypeTools.cxx
 +++ b/Rendering/FreeType/vtkFreeTypeTools.cxx
-@@ -387,11 +387,8 @@ FTC_CMapCache* vtkFreeTypeTools::GetCMapCache()
+@@ -378,8 +378,7 @@ FTC_CMapCache* vtkFreeTypeTools::GetCMapCache()
  }
- 
+
  //----------------------------------------------------------------------------
 -FT_CALLBACK_DEF(FT_Error)
--vtkFreeTypeToolsFaceRequester(FTC_FaceID face_id,
--                              FT_Library lib,
--                              FT_Pointer request_data,
--                              FT_Face* face)
+-vtkFreeTypeToolsFaceRequester(
 +static FT_Error vtkFreeTypeToolsFaceRequester(
-+  FTC_FaceID face_id, FT_Library lib, FT_Pointer request_data, FT_Face* face)
+   FTC_FaceID face_id, FT_Library lib, FT_Pointer request_data, FT_Face* face)
  {
  #if VTK_FTFC_DEBUG_CD
-   printf("vtkFreeTypeToolsFaceRequester()\n");
--- 
+--
 2.30.1
 
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2021-30004.patch b/gnu/packages/patches/wpa-supplicant-CVE-2021-30004.patch
new file mode 100644
index 0000000000..8c8ba93355
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2021-30004.patch
@@ -0,0 +1,115 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/tls/pkcs1.c  | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index bbdb0d7..5761dfe 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++		    hdr.payload, hdr.length);
+ 
+ 	pos = hdr.payload;
+ 	end = pos + hdr.length;
+@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++		    hdr.payload, hdr.length);
+ 	da_end = hdr.payload + hdr.length;
+ 
+ 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ 		os_free(decrypted);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++		    next, da_end - next);
++
++	/*
++	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++	 * omit the parameters, but there are implementation that encode these
++	 * as a NULL element. Allow these two cases and reject anything else.
++	 */
++	if (da_end > next &&
++	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++	     !asn1_is_null(&hdr) ||
++	     hdr.payload + hdr.length != da_end)) {
++		wpa_printf(MSG_DEBUG,
++			   "PKCS #1: Unexpected digest algorithm parameters");
++		os_free(decrypted);
++		return -1;
++	}
+ 
+ 	if (!asn1_oid_equal(&oid, hash_alg)) {
+ 		char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index a8944dd..df337ec 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+ 
+ 	pos = hdr.payload;
+ 	end = pos + hdr.length;
+@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++		    hdr.payload, hdr.length);
+ 	da_end = hdr.payload + hdr.length;
+ 
+ 	if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ 		os_free(data);
+ 		return -1;
+ 	}
++	wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++		    next, da_end - next);
++
++	/*
++	 * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++	 * omit the parameters, but there are implementation that encode these
++	 * as a NULL element. Allow these two cases and reject anything else.
++	 */
++	if (da_end > next &&
++	    (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++	     !asn1_is_null(&hdr) ||
++	     hdr.payload + hdr.length != da_end)) {
++		wpa_printf(MSG_DEBUG,
++			   "X509: Unexpected digest algorithm parameters");
++		os_free(data);
++		return -1;
++	}
+ 
+ 	if (x509_sha1_oid(&oid)) {
+ 		if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+-- 
+cgit v0.12
+