summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk25
-rw-r--r--gnu/packages/algebra.scm4
-rw-r--r--gnu/packages/base.scm70
-rw-r--r--gnu/packages/bash.scm8
-rw-r--r--gnu/packages/bdw-gc.scm12
-rw-r--r--gnu/packages/bison.scm19
-rw-r--r--gnu/packages/boost.scm18
-rw-r--r--gnu/packages/bootloaders.scm3
-rw-r--r--gnu/packages/build-tools.scm2
-rw-r--r--gnu/packages/calendar.scm4
-rw-r--r--gnu/packages/check.scm40
-rw-r--r--gnu/packages/cmake.scm12
-rw-r--r--gnu/packages/commencement.scm15
-rw-r--r--gnu/packages/compression.scm76
-rw-r--r--gnu/packages/cups.scm24
-rw-r--r--gnu/packages/curl.scm7
-rw-r--r--gnu/packages/databases.scm32
-rw-r--r--gnu/packages/disk.scm1
-rw-r--r--gnu/packages/docbook.scm10
-rw-r--r--gnu/packages/documentation.scm15
-rw-r--r--gnu/packages/file.scm5
-rw-r--r--gnu/packages/flex.scm16
-rw-r--r--gnu/packages/fontutils.scm19
-rw-r--r--gnu/packages/freedesktop.scm4
-rw-r--r--gnu/packages/fribidi.scm7
-rw-r--r--gnu/packages/gcc.scm25
-rw-r--r--gnu/packages/ghostscript.scm5
-rw-r--r--gnu/packages/gl.scm6
-rw-r--r--gnu/packages/glib.scm16
-rw-r--r--gnu/packages/gnome.scm32
-rw-r--r--gnu/packages/gnupg.scm41
-rw-r--r--gnu/packages/gtk.scm53
-rw-r--r--gnu/packages/guile.scm39
-rw-r--r--gnu/packages/icu4c.scm14
-rw-r--r--gnu/packages/image.scm20
-rw-r--r--gnu/packages/inkscape.scm21
-rw-r--r--gnu/packages/jemalloc.scm5
-rw-r--r--gnu/packages/kerberos.scm7
-rw-r--r--gnu/packages/libbsd.scm4
-rw-r--r--gnu/packages/libevent.scm13
-rw-r--r--gnu/packages/libffi.scm9
-rw-r--r--gnu/packages/libidn.scm25
-rw-r--r--gnu/packages/libsigsegv.scm33
-rw-r--r--gnu/packages/libunistring.scm29
-rw-r--r--gnu/packages/linux.scm37
-rw-r--r--gnu/packages/m4.scm1
-rw-r--r--gnu/packages/make-bootstrap.scm10
-rw-r--r--gnu/packages/nettle.scm18
-rw-r--r--gnu/packages/openldap.scm4
-rw-r--r--gnu/packages/openstack.scm8
-rw-r--r--gnu/packages/package-management.scm4
-rw-r--r--gnu/packages/patches/binutils-aarch64-symbol-relocation.patch36
-rw-r--r--gnu/packages/patches/cairo-setjmp-wrapper.patch78
-rw-r--r--gnu/packages/patches/doxygen-gcc-ice.patch25
-rw-r--r--gnu/packages/patches/findutils-gnulib-libio.patch114
-rw-r--r--gnu/packages/patches/findutils-makedev.patch22
-rw-r--r--gnu/packages/patches/freetype-CVE-2018-6942.patch31
-rw-r--r--gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch37
-rw-r--r--gnu/packages/patches/gcc-libsanitizer-ustat.patch41
-rw-r--r--gnu/packages/patches/gcc-strmov-store-file-names.patch12
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2018-10194.patch52
-rw-r--r--gnu/packages/patches/glibc-2.28-git-fixes.patch248
-rw-r--r--gnu/packages/patches/grub-binutils-compat.patch53
-rw-r--r--gnu/packages/patches/jemalloc-arm-address-bits.patch39
-rw-r--r--gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch32
-rw-r--r--gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch58
-rw-r--r--gnu/packages/patches/m4-gnulib-libio.patch128
-rw-r--r--gnu/packages/patches/mariadb-gcc-ice.patch24
-rw-r--r--gnu/packages/patches/meson-for-build-rpath.patch6
-rw-r--r--gnu/packages/patches/parted-glibc-compat.patch17
-rw-r--r--gnu/packages/patches/perf-gcc-ice.patch13
-rw-r--r--gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch36
-rw-r--r--gnu/packages/patches/perl-deterministic-ordering.patch6
-rw-r--r--gnu/packages/patches/perl-file-path-CVE-2017-6512.patch173
-rw-r--r--gnu/packages/patches/python-pillow-fix-failing-tests.patchbin112373 -> 0 bytes
-rw-r--r--gnu/packages/patches/qtbase-glibc-compat.patch50
-rw-r--r--gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch36
-rw-r--r--gnu/packages/patches/texinfo-5-perl-compat.patch19
-rw-r--r--gnu/packages/patches/texinfo-perl-compat.patch51
-rw-r--r--gnu/packages/pcre.scm21
-rw-r--r--gnu/packages/pdf.scm20
-rw-r--r--gnu/packages/perl.scm42
-rw-r--r--gnu/packages/python-crypto.scm4
-rw-r--r--gnu/packages/python-web.scm4
-rw-r--r--gnu/packages/python.scm520
-rw-r--r--gnu/packages/qt.scm4
-rw-r--r--gnu/packages/readline.scm4
-rw-r--r--gnu/packages/samba.scm18
-rw-r--r--gnu/packages/ssh.scm21
-rw-r--r--gnu/packages/statistics.scm4
-rw-r--r--gnu/packages/tcl.scm16
-rw-r--r--gnu/packages/tex.scm126
-rw-r--r--gnu/packages/texinfo.scm2
-rw-r--r--gnu/packages/time.scm19
-rw-r--r--gnu/packages/tls.scm14
-rw-r--r--gnu/packages/web.scm8
-rw-r--r--gnu/packages/xdisorg.scm8
-rw-r--r--gnu/packages/xml.scm20
-rw-r--r--gnu/packages/xorg.scm38
99 files changed, 1878 insertions, 1399 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 0407fdc597..c3cd1d4084 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -594,12 +594,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/bash-completion-directories.patch	\
   %D%/packages/patches/bazaar-CVE-2017-14176.patch		\
   %D%/packages/patches/beignet-correct-file-names.patch		\
-  %D%/packages/patches/binutils-aarch64-symbol-relocation.patch	\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
   %D%/packages/patches/blast+-fix-makefile.patch		\
   %D%/packages/patches/boost-fix-icu-build.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
   %D%/packages/patches/cairo-CVE-2016-9082.patch			\
+  %D%/packages/patches/cairo-setjmp-wrapper.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-use-packaged-feedparser.patch	\
   %D%/packages/patches/catdoc-CVE-2017-11110.patch		\
@@ -650,7 +650,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/doc++-include-directives.patch		\
   %D%/packages/patches/doc++-segfault-fix.patch			\
   %D%/packages/patches/dovecot-trees-support-dovecot-2.3.patch	\
-  %D%/packages/patches/doxygen-gcc-ice.patch			\
   %D%/packages/patches/doxygen-test.patch			\
   %D%/packages/patches/dropbear-CVE-2018-15599.patch		\
   %D%/packages/patches/dvd+rw-tools-add-include.patch 		\
@@ -682,7 +681,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/fcgi-2.4.0-poll.patch			\
   %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch		\
   %D%/packages/patches/fifo-map-remove-catch.hpp.patch		\
+  %D%/packages/patches/findutils-gnulib-libio.patch		\
   %D%/packages/patches/findutils-localstatedir.patch		\
+  %D%/packages/patches/findutils-makedev.patch			\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flann-cmake-3.11.patch			\
   %D%/packages/patches/flint-ldconfig.patch			\
@@ -692,7 +693,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
   %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
   %D%/packages/patches/freeimage-unbundle.patch		\
-  %D%/packages/patches/freetype-CVE-2018-6942.patch		\
   %D%/packages/patches/fuse-overlapping-headers.patch				\
   %D%/packages/patches/gawk-shell.patch				\
   %D%/packages/patches/gcc-arm-bug-71399.patch			\
@@ -702,7 +702,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-fix-texi2pod.patch			\
   %D%/packages/patches/gcc-4.8-libsanitizer-fix.patch		\
   %D%/packages/patches/gcc-4.9-libsanitizer-fix.patch		\
+  %D%/packages/patches/gcc-4.9-libsanitizer-ustat.patch		\
   %D%/packages/patches/gcc-libsanitizer-fix.patch		\
+  %D%/packages/patches/gcc-libsanitizer-ustat.patch		\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-4-compile-with-gcc-5.patch		 \
@@ -726,6 +728,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghc-8.0-fall-back-to-madv_dontneed.patch \
   %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch	\
+  %D%/packages/patches/ghostscript-CVE-2018-10194.patch		\
   %D%/packages/patches/ghostscript-CVE-2018-16509.patch		\
   %D%/packages/patches/ghostscript-bug-699708.patch		\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
@@ -754,6 +757,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/glibc-vectorized-strcspn-guards.patch	\
   %D%/packages/patches/glibc-versioned-locpath.patch		\
   %D%/packages/patches/glibc-2.27-git-fixes.patch		\
+  %D%/packages/patches/glibc-2.28-git-fixes.patch		\
   %D%/packages/patches/glusterfs-use-PATH-instead-of-hardcodes.patch		\
   %D%/packages/patches/glog-gcc-5-demangling.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
@@ -772,6 +776,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
   %D%/packages/patches/groff-source-date-epoch.patch		\
   %D%/packages/patches/groovy-add-exceptionutilsgenerator.patch	\
+  %D%/packages/patches/grub-binutils-compat.patch		\
   %D%/packages/patches/grub-check-error-efibootmgr.patch	\
   %D%/packages/patches/gsl-test-i686.patch			\
   %D%/packages/patches/gspell-dash-test.patch			\
@@ -832,7 +837,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/java-xerces-bootclasspath.patch	\
   %D%/packages/patches/java-xerces-build_dont_unzip.patch	\
   %D%/packages/patches/java-xerces-xjavac_taskdef.patch	\
-  %D%/packages/patches/jemalloc-arm-address-bits.patch		\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
   %D%/packages/patches/json-glib-fix-tests-32bit.patch		\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
@@ -877,12 +881,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
   %D%/packages/patches/libexif-CVE-2016-6328.patch		\
   %D%/packages/patches/libexif-CVE-2017-7544.patch		\
+  %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch	\
   %D%/packages/patches/libgit2-mtime-0.patch			\
   %D%/packages/patches/libgdata-fix-tests.patch			\
   %D%/packages/patches/libgdata-glib-duplicate-tests.patch	\
   %D%/packages/patches/libgnome-encoding.patch			\
   %D%/packages/patches/libgnomeui-utf8.patch			\
-  %D%/packages/patches/libgpg-error-aarch64-logging-fix.patch	\
   %D%/packages/patches/libgxps-CVE-2017-11590.patch		\
   %D%/packages/patches/libffi-3.2.1-complex-alpha.patch		\
   %D%/packages/patches/libjxr-fix-function-signature.patch	\
@@ -943,7 +947,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/mailutils-uninitialized-memory.patch	\
   %D%/packages/patches/make-glibc-compat.patch			\
   %D%/packages/patches/make-impure-dirs.patch			\
-  %D%/packages/patches/mariadb-gcc-ice.patch			\
   %D%/packages/patches/mariadb-client-test-32bit.patch		\
   %D%/packages/patches/mars-install.patch			\
   %D%/packages/patches/mars-sfml-2.3.patch			\
@@ -977,6 +980,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupen64plus-video-z64-glew-correct-path.patch    \
   %D%/packages/patches/mutt-store-references.patch		\
   %D%/packages/patches/myrepos-CVE-2018-7032.patch		\
+  %D%/packages/patches/m4-gnulib-libio.patch			\
   %D%/packages/patches/net-tools-bitrot.patch			\
   %D%/packages/patches/netcdf-date-time.patch			\
   %D%/packages/patches/netcdf-tst_h_par.patch			\
@@ -1019,13 +1023,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/p7zip-CVE-2016-9296.patch		\
   %D%/packages/patches/p7zip-CVE-2017-17969.patch		\
   %D%/packages/patches/p7zip-remove-unused-code.patch		\
+  %D%/packages/patches/parted-glibc-compat.patch		\
   %D%/packages/patches/patchelf-page-size.patch			\
   %D%/packages/patches/patchelf-rework-for-arm.patch		\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
-  %D%/packages/patches/perf-gcc-ice.patch			\
-  %D%/packages/patches/perl-archive-tar-CVE-2018-12015.patch	\
-  %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
   %D%/packages/patches/perl-autosplit-default-time.patch	\
   %D%/packages/patches/perl-deterministic-ordering.patch	\
   %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -1086,7 +1088,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch	\
   %D%/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch \
   %D%/packages/patches/python-networkx2-reproducible-build.patch	\
-  %D%/packages/patches/python-pillow-fix-failing-tests.patch	\
   %D%/packages/patches/python2-rdflib-drop-sparqlwrapper.patch	\
   %D%/packages/patches/python-scikit-learn-fix-test-non-determinism.patch	\
   %D%/packages/patches/python-configobj-setuptools.patch	\
@@ -1103,6 +1104,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
   %D%/packages/patches/qt4-ldflags.patch			\
+  %D%/packages/patches/qtbase-glibc-compat.patch		\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quagga-reproducible-build.patch          \
@@ -1146,6 +1148,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/slim-sigusr1.patch			\
   %D%/packages/patches/slim-reset.patch				\
   %D%/packages/patches/slim-login.patch				\
+  %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/sooperlooper-build-with-wx-30.patch 	\
   %D%/packages/patches/soundtouch-CVE-2018-14044-14045.patch 	\
   %D%/packages/patches/soundtouch-CVE-2018-1000223.patch 	\
@@ -1164,6 +1167,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
   %D%/packages/patches/teensy-loader-cli-help.patch		\
   %D%/packages/patches/teeworlds-use-latest-wavpack.patch	\
+  %D%/packages/patches/texinfo-perl-compat.patch		\
+  %D%/packages/patches/texinfo-5-perl-compat.patch		\
   %D%/packages/patches/texi2html-document-encoding.patch	\
   %D%/packages/patches/texi2html-i18n.patch			\
   %D%/packages/patches/thefuck-test-environ.patch		\
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index d8a061b642..45a3da1713 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -528,14 +528,14 @@ a C program.")
 (define-public fftw
   (package
     (name "fftw")
-    (version "3.3.7")
+    (version "3.3.8")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.fftw.org/pub/fftw/fftw-"
                                  version".tar.gz"))
              (sha256
               (base32
-               "0wsms8narnbhfsa8chdflv2j9hzspvflblnqdn7hw8x5xdzrnq1v"))))
+               "00z3k8fq561wq2khssqg0kallk0504dzlx989x3vvicjdqpjc4v1"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 4065af0abc..3a1186673e 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -102,6 +102,15 @@ command-line arguments, multiple languages, and so on.")
    (arguments
     `(#:phases
       (modify-phases %standard-phases
+        (add-before 'check 'disable-failing-tests
+          (lambda _
+            ;; These tests are expected to fail due to a glibc bug which has
+            ;; been fixed in 2.28, so they are unexpectedly passing.  They
+            ;; should be fixed for grep versions > 3.1.
+            (substitute* "tests/Makefile.in"
+              (("^[[:blank:]]+backref-alt[[:blank:]]+\\\\") "\\")
+              (("^[[:blank:]]+triple-backref[[:blank:]]+\\\\") "\\"))
+            #t))
         (add-after 'install 'fix-egrep-and-fgrep
           ;; Patch 'egrep' and 'fgrep' to execute 'grep' via its
           ;; absolute file name instead of searching for it in $PATH.
@@ -289,7 +298,9 @@ interactive means to merge two files.")
              (base32
               "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"))
             (patches (search-patches
+                      "findutils-gnulib-libio.patch"
                       "findutils-localstatedir.patch"
+                      "findutils-makedev.patch"
                       "findutils-test-xargs.patch"))
             (modules '((guix build utils)))
             (snippet
@@ -326,14 +337,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.29")
+   (version "8.30")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0plm1zs9il6bb5mk881qvbghq4glc8ybbgakk2lfzb0w64fgml4j"))))
+              "0mxhw43d4wpqmvg0l4znk1vm10fy92biyh90lzdnqjcic2lb6cg8"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -364,7 +375,17 @@ used to apply commands with arbitrarily long arguments.")
                      (substitute* (find-files "gnulib-tests" "\\.c$")
                        (("/bin/sh") (which "sh")))
                      (substitute* (find-files "tests" "\\.sh$")
-                       (("#!/bin/sh") (which "sh")))
+                       (("#!/bin/sh") (string-append "#!" (which "sh"))))
+                     #t))
+                 (add-before 'check 'disable-broken-test
+                   (lambda _
+                     ;; This test hits the 127 character shebang limit in the build
+                     ;; environment due to the way "env -S" splits arguments into
+                     ;; shebangs.  Note that "env-S-script.sh" works around this
+                     ;; specific issue, but "env-S.pl" is not adjusted for build
+                     ;; environments with long prefixes (/tmp/guix-build-...).
+                     (substitute* "Makefile"
+                       (("^.*tests/misc/env-S.pl.*$") ""))
                      #t)))
 
       ;; Work around a cross-compilation bug whereby libcoreutils.a would
@@ -435,14 +456,14 @@ change.  GNU make offers many powerful extensions over the standard utility.")
 (define-public binutils
   (package
    (name "binutils")
-   (version "2.30")
+   (version "2.31.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/binutils/binutils-"
                                 version ".tar.bz2"))
             (sha256
              (base32
-              "028cklfqaab24glva1ks2aqa1zxa6w6xmc8q34zs1sb7h22dxspg"))
+              "1l34hn1zkmhr1wcrgf0d4z7r3najxnw3cx2y2fk7v55zjlk3ik7z"))
             (patches (search-patches "binutils-loongson-workaround.patch"))))
    (build-system gnu-build-system)
 
@@ -480,17 +501,6 @@ included.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/binutils/")))
 
-(define-public binutils/fixed
-  ;; TODO: Incorporate this in binutils during the next rebuild cycle.
-  (hidden-package
-   (package
-     (inherit binutils)
-     (source (origin
-               (inherit (package-source binutils))
-               (patches (append (origin-patches (package-source binutils))
-                                (search-patches
-                                 "binutils-aarch64-symbol-relocation.patch"))))))))
-
 (define* (make-ld-wrapper name #:key
                           (target (const #f))
                           binutils
@@ -572,13 +582,13 @@ store.")
    (name "glibc")
    ;; Note: Always use a dot after the minor version since various places rely
    ;; on "version-major+minor" to determine where locales are found.
-   (version "2.27")
+   (version "2.28")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
             (sha256
              (base32
-              "0wpwq7gsm7sd6ysidv0z575ckqdg13cr2njyfgrbgh4f65adwwji"))
+              "10iha5ynvdj5m62vgpgqbq4cwvc2yhyl2w9yyyjgfxmdmx8h145i"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -590,7 +600,7 @@ store.")
                 #t))
             (modules '((guix build utils)))
             (patches (search-patches "glibc-ldd-x86_64.patch"
-                                     "glibc-2.27-git-fixes.patch"
+                                     "glibc-2.28-git-fixes.patch"
                                      "glibc-hidden-visibility-ldconfig.patch"
                                      "glibc-versioned-locpath.patch"
                                      "glibc-allow-kernel-2.6.32.patch"
@@ -873,25 +883,25 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-;; The "next" libc.  Useful for populating locale data before reconfiguring the
-;; entire system on it.  Will be the default in the next rebuild cycle.
-(define-public glibc-2.28
+;; Below are old libc versions, which we use mostly to build locale data in
+;; the old format (which the new libc cannot cope with.)
+
+(define-public glibc-2.27
   (package
     (inherit glibc)
-    (version "2.28")
+    (version "2.27")
     (source (origin
               (inherit (package-source glibc))
               (uri (string-append "mirror://gnu/glibc/glibc-" version ".tar.xz"))
               (sha256
                (base32
-                "10iha5ynvdj5m62vgpgqbq4cwvc2yhyl2w9yyyjgfxmdmx8h145i"))
-              (patches (search-patches "glibc-allow-kernel-2.6.32.patch"
-                                       "glibc-ldd-x86_64.patch"
+                "0wpwq7gsm7sd6ysidv0z575ckqdg13cr2njyfgrbgh4f65adwwji"))
+              (patches (search-patches "glibc-ldd-x86_64.patch"
+                                       "glibc-2.27-git-fixes.patch"
                                        "glibc-hidden-visibility-ldconfig.patch"
-                                       "glibc-versioned-locpath.patch"))))))
-
-;; Below are old libc versions, which we use mostly to build locale data in
-;; the old format (which the new libc cannot cope with.)
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-allow-kernel-2.6.32.patch"
+                                       "glibc-reinstate-prlimit64-fallback.patch"))))))
 
 (define-public glibc-2.26
   (package
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index 121a459fa6..fb4e3f4be3 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -79,7 +79,11 @@
    (16 "1cgi1y6mifm8hsgv4avj5ih76535js3qba1sqwbfvp7si76927sh")
    (17 "0w6jpj2giakji1ir83rpkx1y7n7xqppah3j748m6dm38hywr0gvp")
    (18 "1k58h4wxbsg7r4rwhrvzx5hfbapba2nxjysbhh6qp6ki5ys99i2v")
-   (19 "07n1i5610lbs672x1s8g82qn3qfj06s0ip3z80sri0g8vxp0s5r7")))
+   (19 "07n1i5610lbs672x1s8g82qn3qfj06s0ip3z80sri0g8vxp0s5r7")
+   (20 "0b2jk5n1af1vh590qfc52hv65mafb4vl1xv26s8j5a3byb5y4h0q")
+   (21 "1hblcd2xmqqlp0idnavw66570n7m0yv5rbbr873c2gkn982mk3xx")
+   (22 "0yfbjzr79vzjs2hyi5m8iy2b38fq7vikdfa4zqdvjsp36q4iycs5")
+   (23 "1dlism6qdx60nvzj0v7ndr7lfahl4a8zmzckp13hqgdx7xpj7v2g")))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index eba30217da..c7491f845f 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -30,14 +30,14 @@
 (define-public libgc
   (package
    (name "libgc")
-   (version "7.6.4")
+   (version "7.6.6")
    (source (origin
             (method url-fetch)
-            (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
-                                version ".tar.gz"))
+            (uri (string-append "https://github.com/ivmai/bdwgc/releases"
+                                "/download/v" version "/gc-" version ".tar.gz"))
             (sha256
              (base32
-              "076dzsqqyxd3nlzs0z277vvhqjp8nv5dqi763s0m90zr6ljiyk5r"))))
+              "1p1r015a7jbpvkkbgzv1y8nxrbbp6dg0mq3ksi6ji0qdz3wfss79"))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags
@@ -91,7 +91,7 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.6.4")
+    (version "7.6.6")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -99,7 +99,7 @@ C or C++ programs, though that is not its primary goal.")
                     version "/libatomic_ops-" version ".tar.gz"))
               (sha256
                (base32
-                "0knxncsjhbknlyy6lx7ycxhpzfk3sykhvicgxyp0rmsxd1d3v0jv"))))
+                "0x7071z707msvyrv9dmgahd1sghbkw8fpbagvcag6xs8yp2spzlr"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
diff --git a/gnu/packages/bison.scm b/gnu/packages/bison.scm
index 09c6481a16..71de47762d 100644
--- a/gnu/packages/bison.scm
+++ b/gnu/packages/bison.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -29,7 +30,7 @@
 (define-public bison
   (package
     (name "bison")
-    (version "3.0.4")
+    (version "3.0.5")
     (source
      (origin
       (method url-fetch)
@@ -37,10 +38,10 @@
                           version ".tar.xz"))
       (sha256
        (base32
-        "1qbgf6q1n2z17k8g33444m0q68kf3fbiq65q7jlrzpvvj73jh957"))))
+        "0f7kjygrckkx8vas2nm673592jif0a9mw5g8207f6hj6h4pfyp07"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)
-                     ;; m4 is not present in PATH when cross-building
+                     ;; m4 is not present in PATH when cross-building.
                      ("m4" ,m4)))
     (inputs `(("flex" ,flex)))
     (propagated-inputs `(("m4" ,m4)))
@@ -52,15 +53,3 @@ deterministic or generalized LR parser from an annotated, context-free
 grammar.  It is versatile enough to have many applications, from parsers for
 simple tools through complex programming languages.")
     (license gpl3+)))
-
-(define-public bison-2.7
-  (package (inherit bison)
-    (version "2.7")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnu/bison/bison-"
-                          version ".tar.xz"))
-      (sha256
-       (base32
-        "1zd77ilmpv5mi3kr55jrj6ncqlcnyhpianhrwzak2q28cv2cbn23"))))))
diff --git a/gnu/packages/boost.scm b/gnu/packages/boost.scm
index cf70a29775..d1b359b2cb 100644
--- a/gnu/packages/boost.scm
+++ b/gnu/packages/boost.scm
@@ -43,7 +43,7 @@
 (define-public boost
   (package
     (name "boost")
-    (version "1.66.0")
+    (version "1.68.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -52,7 +52,7 @@
                     ".tar.bz2"))
               (sha256
                (base32
-                "1aaw48cmimsskzgiclwn0iifp62a5iw9cbqrhfari876af1828ap"))
+                "1dyqsr9yb01y0nnjdq9b8q5s2kvhxbayk34832k5cpzn7jy30qbz"))
               (patches (search-patches "boost-fix-icu-build.patch"))))
     (build-system gnu-build-system)
     (inputs `(("icu4c" ,icu4c)
@@ -78,7 +78,6 @@
                    (out (assoc-ref outputs "out")))
                (substitute* '("libs/config/configure"
                               "libs/spirit/classic/phoenix/test/runtest.sh"
-                              "tools/build/doc/bjam.qbk"
                               "tools/build/src/engine/execunix.c"
                               "tools/build/src/engine/Jambase"
                               "tools/build/src/engine/jambase.c")
@@ -100,7 +99,18 @@
                     make-flags)))
          (replace 'install
            (lambda* (#:key make-flags #:allow-other-keys)
-             (apply invoke "./b2" "install" make-flags))))))
+             (apply invoke "./b2" "install" make-flags)))
+         (add-after 'install 'provide-libboost_python
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out")))
+               ;; Boost can build support for both Python 2 and Python 3 since
+               ;; version 1.67.0, and suffixes each library with the Python
+               ;; version.  Many consumers only check for libboost_python
+               ;; however, so we provide it here as suggested in
+               ;; <https://github.com/boostorg/python/issues/203>.
+               (with-directory-excursion (string-append out "/lib")
+                 (symlink "libboost_python27.so" "libboost_python.so"))
+               #t))))))
 
     (home-page "https://www.boost.org")
     (synopsis "Peer-reviewed portable C++ source libraries")
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index e9abf399ab..c99d5d5895 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -86,7 +86,8 @@
              (sha256
               (base32
                "03vvdfhdmf16121v7xs8is2krwnv15wpkhkf16a4yf8nsfc3f2w1"))
-             (patches (search-patches "grub-check-error-efibootmgr.patch"))))
+             (patches (search-patches "grub-check-error-efibootmgr.patch"
+                                      "grub-binutils-compat.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index 4fc2d5acf7..1c9b41ef5b 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Corentin Bocquillon <corentin@nybble.fr>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index 79cef99826..3b901dcb4e 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -48,7 +48,7 @@
 (define-public libical
   (package
     (name "libical")
-    (version "3.0.3")
+    (version "3.0.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -56,7 +56,7 @@
                     version "/libical-" version ".tar.gz"))
               (sha256
                (base32
-                "0hcjyf35b8rrvy8xziqxc4imi28mmkixb09gknisvp6jsa5fp4av"))))
+                "0ifisnh42cw5z53hp9p52l3ggc7k877zlqk0n06gdhrk0bhidckj"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; test suite appears broken
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index f4596010ea..e3edff50a5 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -619,14 +619,14 @@ standard library.")
 (define-public python-pytest
   (package
     (name "python-pytest")
-    (version "3.5.0")
+    (version "3.7.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pytest" version))
        (sha256
         (base32
-         "1q832zd07zak2lyxbycxjydh0jp7y3hvawjqzlvra6aghz8r3r7s"))))
+         "00jv750alrj62r586hcmvpqlmkqszqfm1x7n6qnqacjmmlis2n9l"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -642,9 +642,11 @@ standard library.")
                 (string-append "@pytest.mark.skip"
                                "(reason=\"Assumes that /usr exists.\")\n    "
                                line)))
-             #t)))))
+             #t))
+         (replace 'check (lambda _ (invoke "pytest" "-vv"))))))
     (propagated-inputs
-     `(("python-attrs" ,python-attrs-bootstrap)
+     `(("python-atomicwrites" ,python-atomicwrites)
+       ("python-attrs" ,python-attrs-bootstrap)
        ("python-more-itertools" ,python-more-itertools)
        ("python-pluggy" ,python-pluggy)
        ("python-py" ,python-py)
@@ -655,6 +657,7 @@ standard library.")
        ("python-hypothesis" ,python-hypothesis)
        ("python-nose" ,python-nose)
        ("python-mock" ,python-mock)
+       ("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "http://pytest.org")
     (synopsis "Python testing library")
@@ -672,6 +675,7 @@ and many external plugins.")
       (inherit pytest)
       (propagated-inputs
        `(("python2-funcsigs" ,python2-funcsigs)
+         ("python2-pathlib2" ,python2-pathlib2)
          ,@(package-propagated-inputs pytest))))))
 
 (define-public python-pytest-bootstrap
@@ -688,19 +692,20 @@ and many external plugins.")
     (package (inherit pytest)
              (propagated-inputs
               `(("python2-funcsigs" ,python2-funcsigs-bootstrap)
+                ("python2-pathlib2" ,python2-pathlib2-bootstrap)
                 ,@(package-propagated-inputs pytest))))))
 
 (define-public python-pytest-cov
   (package
     (name "python-pytest-cov")
-    (version "2.4.0")
+    (version "2.5.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pytest-cov" version))
         (sha256
          (base32
-          "03c2qc42r4bczyw93gd7n0qi1h1jfhw7fnbhi33c3vp1hs81gm2k"))))
+          "0bbfpwdh9k3636bxc88vz9fa7vf4akchgn513ql1vd0xy4n7bah3"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -729,26 +734,15 @@ supports coverage of subprocesses.")
 (define-public python-pytest-runner
   (package
     (name "python-pytest-runner")
-    (version "2.11.1")
+    (version "4.2")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pytest-runner" version))
        (sha256
         (base32
-         "1cw978kqqcq916b9gfns1qjqvg33c5ail5jhw9054dsynkm32flq"))))
+         "1gkpyphawxz38ni1gdq1fmwyqcg02m7ypzqvv46z06crwdxi2gyj"))))
     (build-system python-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; The fancy way of setting the version with setuptools_scm does not
-         ;; seem to work here.
-         (add-after 'unpack 'set-version
-          (lambda _
-            (substitute* "docs/conf.py"
-              (("version = setuptools_scm\\.get_version\\(root='\\.\\.')")
-               (string-append "version = \"" ,version "\"")))
-            #t)))))
     (native-inputs
      `(("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
@@ -765,14 +759,14 @@ supports coverage of subprocesses.")
 (define-public python-pytest-mock
   (package
     (name "python-pytest-mock")
-    (version "1.6.3")
+    (version "1.10.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pytest-mock" version))
         (sha256
          (base32
-          "075v7b2wm5f839r1a30n21wfk5rfqp3d05q7zb9jlb2wmxki23cj"))))
+          "1h6lgpmsvs9s8j2s80v06f9f3iaw1n1rc51mbrxk1f12sw4q56nq"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-setuptools-scm" ,python-setuptools-scm)))
@@ -1421,13 +1415,13 @@ normally the case.")
 (define-public python-hypothesis
   (package
     (name "python-hypothesis")
-    (version "3.52.0")
+    (version "3.68.2")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "hypothesis" version))
               (sha256
                (base32
-                "0g54cypfi5qj6cgxfr7l1nb41r1cqhhngx4qxn4ga9h720rcsbr8"))))
+                "15wlbdy148h3z0ckylf7zkszrfnnk254a6ld3qaf37lkf7hyp4r0"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-flake8" ,python-flake8)
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 06b1cab82c..03bce8b68d 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017, 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -43,7 +44,7 @@
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.11.0")
+    (version "3.12.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.cmake.org/files/v"
@@ -51,7 +52,7 @@
                                   "/cmake-" version ".tar.gz"))
               (sha256
                (base32
-                "0sv5k9q6braa8hhw0y3w19avqn0xn5czv5jf5fz5blnlf7ivw4y3"))
+                "1ckswlaid3p2is1a80fmr4hgwpfsiif66giyx1z9ayhxx0n5qgf5"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -86,6 +87,13 @@
            " --exclude-regex ^\\(" (string-join skipped-tests "\\|") "\\)$")))
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'split-package
+           ;; Remove files that have been packaged in other package recipes.
+           (lambda _
+             (delete-file "Auxiliary/cmake-mode.el")
+             (substitute* "Auxiliary/CMakeLists.txt"
+               ((".*cmake-mode.el.*") ""))
+             #t))
          (add-before 'configure 'patch-bin-sh
            (lambda _
              ;; Replace "/bin/sh" by the right path in... a lot of
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 30a0ffcec9..0aa65fe638 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -186,12 +186,25 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+;; Use a "fixed" package source for this early libstdc++ variant so we can
+;; update GCC 4.9 without triggering a full rebuild.
+(define gcc-for-libstdc++
+  (package
+    (inherit gcc-4.9)
+    (source (origin
+              (inherit (package-source gcc-4.9))
+              (patches (search-patches "gcc-4.9-libsanitizer-fix.patch"
+                                       "gcc-arm-bug-71399.patch"
+                                       "gcc-asan-missing-include.patch"
+                                       "gcc-libvtv-runpath.patch"
+                                       "gcc-fix-texi2pod.patch"))))))
+
 (define libstdc++-boot0
   ;; GCC's libcc1 is always built as a shared library (the top-level
   ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
   ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
   ;; C++14 features missing in some of our bootstrap compilers.
-  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-for-libstdc++))))
     (package
       (inherit lib)
       (name "libstdc++-boot0")
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 666c9bfc3e..e15f47ac3b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -85,6 +85,7 @@
        (base32
         "18dighcs333gsvajvvgqp8l4cx7h1x7yx9gd5xacnk80spyykrf3"))))
     (build-system gnu-build-system)
+    (outputs '("out" "static"))
     (arguments
      `(#:phases
        (modify-phases %standard-phases
@@ -99,7 +100,15 @@
                      `((setenv "CHOST" ,(%current-target-system)))
                      '())
                (invoke "./configure"
-                       (string-append "--prefix=" out))))))))
+                       (string-append "--prefix=" out)))))
+         (add-after 'install 'move-static-library
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (static (assoc-ref outputs "static")))
+               (with-directory-excursion (string-append out "/lib")
+                 (install-file "libz.a" (string-append static "/lib"))
+                 (delete-file "libz.a")
+                 #t)))))))
     (home-page "https://zlib.net/")
     (synopsis "Compression library")
     (description
@@ -216,6 +225,21 @@ adding and extracting files to/from a tar archive.")
     '(#:tests? #f
       #:phases
       (modify-phases %standard-phases
+        (add-after 'unpack 'patch-for-glibc-2.28
+          (lambda _
+            ;; Adjust the bundled gnulib to work with glibc 2.28.  See e.g.
+            ;; "m4-gnulib-libio.patch".  This is a phase rather than patch
+            ;; or snippet to work around <https://bugs.gnu.org/32347>.
+            (substitute* (find-files "lib" "\\.c$")
+              (("#if defined _IO_ftrylockfile")
+               "#if defined _IO_EOF_SEEN"))
+            (substitute* "lib/stdio-impl.h"
+              (("^/\\* BSD stdio derived implementations")
+               (string-append "#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN\n"
+                              "# define _IO_IN_BACKUP 0x100\n"
+                              "#endif\n\n"
+                              "/* BSD stdio derived implementations")))
+            #t))
         (add-after 'unpack 'use-absolute-name-of-gzip
           (lambda* (#:key outputs #:allow-other-keys)
             (substitute* "gunzip.in"
@@ -248,6 +272,7 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
     (arguments
      `(#:modules ((guix build gnu-build-system)
                   (guix build utils)
+                  (ice-9 ftw)
                   (srfi srfi-1))
        #:phases
        (modify-phases %standard-phases
@@ -276,25 +301,32 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
              ;; it create all the (un)versioned symlinks, so we handle it here.
              (let* ((out    (assoc-ref outputs "out"))
                     (libdir (string-append out "/lib"))
-                    ;; Find the actual library (e.g. "libbz2.so.1.0.6").
-                    (lib (string-drop
-                          (car (find-files
-                                "."
-                                (lambda (file stat)
-                                  (and (string-prefix? "./libbz2.so" file)
-                                       (eq? 'regular (stat:type stat))))))
-                          2))
-                    (soversion (string-drop lib (string-length "libbz2.so."))))
+                    (soname "libbz2.so")
+                    ;; Locate the built library (e.g. "libbz2.so.1.0.6").
+                    (lib (car (scandir "."
+                                       (lambda (file)
+                                         (and (string-prefix? soname file)
+                                              (eq? 'regular
+                                                   (stat:type (lstat file))))))))
+                    (soversion (string-drop lib (+ 1 (string-length soname)))))
                (install-file lib libdir)
                (with-directory-excursion libdir
                  ;; Create symlinks libbz2.so.1 -> libbz2.so.1.0, etc.
-                 (let loop ((base "libbz2.so")
+                 (let loop ((base soname)
                             (numbers (string-split soversion #\.)))
                    (unless (null? numbers)
                      (let ((so-file (string-append base "." (car numbers))))
                        (symlink so-file base)
                        (loop so-file (cdr numbers))))))
                #t)))
+         (add-after 'install-shared-lib 'move-static-lib
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (static (assoc-ref outputs "static")))
+               (with-directory-excursion (string-append out "/lib")
+                 (install-file "libbz2.a" (string-append static "/lib"))
+                 (delete-file "libbz2.a")
+                 #t))))
          (add-after 'install-shared-lib 'patch-scripts
            (lambda* (#:key outputs inputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out")))
@@ -309,6 +341,7 @@ file; as a result, it is often used in conjunction with \"tar\", resulting in
        ,@(if (%current-target-system)
              '(#:tests? #f)
              '())))
+    (outputs '("out" "static"))
     (synopsis "High-quality data compression program")
     (description
      "bzip2 is a freely available, patent free (see below), high-quality data
@@ -376,7 +409,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
 (define-public xz
   (package
    (name "xz")
-   (version "5.2.3")
+   (version "5.2.4")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "http://tukaani.org/xz/xz-" version
@@ -385,7 +418,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
                                       version ".tar.gz")))
             (sha256
              (base32
-              "1jr8pxnz55ifc8cvp3ivgl79ph9iik5aypsc9cma228aglsqp4ki"))))
+              "0ibi2zsfaz6l756spjwc5rayf4ckgc9hwmy8qinppcyk4svz64mm"))))
    (build-system gnu-build-system)
    (synopsis "General-purpose data compression")
    (description
@@ -1154,14 +1187,15 @@ algorithm within the Numpy framework.")
   (package
     (name "snappy")
     (version "1.1.7")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/google/snappy/archive/"
-                                  version ".tar.gz"))
-              (file-name (string-append "snappy-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1m7rcdqzkys5lspj8jcsaah8w33zh28s771bw0ga2lgzfgl05yix"))))
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/google/snappy/archive/"
+                           version ".tar.gz"))
+       (file-name (string-append "snappy-" version ".tar.gz"))
+       (sha256
+        (base32 "1m7rcdqzkys5lspj8jcsaah8w33zh28s771bw0ga2lgzfgl05yix"))
+       (patches (search-patches "snappy-add-O2-flag-in-CmakeLists.txt.patch"))))
     (build-system cmake-build-system)
     (arguments
      `(#:configure-flags '("-DBUILD_SHARED_LIBS=ON")))
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 3150c25019..b4034dfad8 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -53,7 +53,7 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (version "1.20.1")
+    (version "1.21.0")
     (source(origin
               (method url-fetch)
               (uri
@@ -61,7 +61,7 @@
                               "cups-filters-" version ".tar.xz"))
               (sha256
                (base32
-                "0qix1whz5n4ijnl6d44f1v8nzkpv99wqjyrby8vx6xnpskw5hsxk"))
+                "0fs90xx9i4h8gbpligf5kkh21llv4kf5g3bgfbx4z272xkm7bsfi"))
               (modules '((guix build utils)))
               (snippet
                ;; install backends, banners and filters to cups-filters output
@@ -176,8 +176,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 (define-public cups-minimal
   (package
     (name "cups-minimal")
-    (replacement cups-minimal-2.2.8)
-    (version "2.2.6")
+    (version "2.2.8")
     (source
      (origin
        (method url-fetch)
@@ -185,7 +184,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                            version "/cups-" version "-source.tar.gz"))
        (sha256
         (base32
-         "16qn41b84xz6khrr2pa2wdwlqxr29rrrkjfi618gbgdkq9w5ff20"))))
+         "1r7r7b3nqpzc1a9dczqpj2mr8rkcwf01676v11sp4j7w4qfzqs1r"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -237,21 +236,8 @@ describe printer capabilities and features, and a wide variety of generic and
 device-specific programs to convert and print many types of files.")
     (license license:gpl2)))
 
-(define-public cups-minimal-2.2.8
-  (package
-    (inherit cups-minimal)
-    (version "2.2.8")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/apple/cups/releases/download/v"
-                           version "/cups-" version "-source.tar.gz"))
-       (sha256
-        (base32
-         "1r7r7b3nqpzc1a9dczqpj2mr8rkcwf01676v11sp4j7w4qfzqs1r"))))))
-
 (define-public cups
-  (package/inherit cups-minimal
+  (package (inherit cups-minimal)
     (name "cups")
     (arguments
      `(;; Three tests fail:
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 6d45dc0cc5..d4a620f1b3 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -50,7 +50,7 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.59.0")
+   (version "7.61.0")
    (replacement curl-7.61.1)
    (source (origin
             (method url-fetch)
@@ -58,7 +58,7 @@
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1z310hrjm2vmbcpkyp81dcmj9rk127zkjyawpy2pah0nz6yslkp4"))))
+              "080p9r2kln8cbfj0rqfn6wqp5kdn9k5wp720nirkcw845lcmavpg"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -85,7 +85,8 @@
            (separator #f)                         ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
-    `(#:configure-flags '("--with-gnutls" "--with-gssapi")
+    `(#:configure-flags '("--with-gnutls" "--with-gssapi"
+                          "--disable-static")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
       #:phases
       (modify-phases %standard-phases
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index ecc14c259a..c652f39b12 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -164,14 +164,14 @@ either single machines or networked clusters.")
 (define-public gdbm
   (package
     (name "gdbm")
-    (version "1.14.1")
+    (version "1.18")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gdbm/gdbm-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0pxwz3jlwvglq2mrbxvrjgr8pa0aj73p3v9sxmdlj570zw0gzknd"))))
+                "1kimnv12bzjjhaqk4c8w2j6chdj9c6bg21lchaf7abcyfss2r0mq"))))
     (arguments `(#:configure-flags '("--enable-libgdbm-compat")))
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org.ua/software/gdbm")
@@ -630,8 +630,7 @@ Language.")
               (sha256
                (base32
                 "0k9walaglwmwdwmkq48ir17g98n83vliyyg5wck22rjgxn2xk4cy"))
-              (patches (search-patches "mariadb-gcc-ice.patch"
-                                       "mariadb-client-test-32bit.patch"))
+              (patches (search-patches "mariadb-client-test-32bit.patch"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -773,8 +772,8 @@ Language.")
                 (for-each delete-file-recursively
                           '("data" "mysql-test" "sql-bench"
                             "share/man/man1/mysql-test-run.pl.1"))
-                ;; Delete huge mysqltest executables.
-                (for-each delete-file (find-files "bin" "test"))
+                ;; Delete huge and unnecessary executables.
+                (for-each delete-file (find-files "bin" "(test|embedded)"))
                 ;; And static libraries.
                 (for-each delete-file (find-files "lib" "\\.a$")))
               #t))))))
@@ -786,11 +785,13 @@ Language.")
        ("libaio" ,libaio)
        ("libxml2" ,libxml2)
        ("ncurses" ,ncurses)
-       ("openssl" ,openssl)
        ("pcre" ,pcre)
        ("snappy" ,snappy)
        ("xz" ,xz)
        ("zlib" ,zlib)))
+    (propagated-inputs
+     ;; mariadb.pc says -lssl -lcrypto, so propagate it.
+     `(("openssl" ,openssl)))
     ;; The test suite is very resource intensive and can take more than three
     ;; hours on a x86_64 system.  Give slow and busy machines some leeway.
     (properties '((timeout . 64800)))        ;18 hours
@@ -1167,7 +1168,7 @@ changes.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.23.0")
+   (version "3.24.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -1183,7 +1184,7 @@ changes.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "0jbf78g3cm5wq77k7sfg8fb6rz44hnp9hs7p5d66fwd000c1lwdp"))))
+              "0jmprv2vpggzhy7ma4ynmv1jzn3pfiwzkld0kkg6hvgvqs44xlfr"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -1584,7 +1585,7 @@ valid SQL query.")
 (define-public unixodbc
   (package
    (name "unixodbc")
-   (version "2.3.6")
+   (version "2.3.7")
    (source (origin
             (method url-fetch)
             (uri
@@ -1592,7 +1593,7 @@ valid SQL query.")
               "ftp://ftp.unixodbc.org/pub/unixODBC/unixODBC-"
               version ".tar.gz"))
             (sha256
-             (base32 "0sads5b8cmmj526gyjba7ccknl1vbhkslfqshv1yqln08zv3gdl8"))))
+             (base32 "0xry3sg497wly8f7715a7gwkn2k36bcap0mvzjw74jj53yx6kwa5"))))
    (build-system gnu-build-system)
    (synopsis "Data source abstraction library")
    (description "Unixodbc is a library providing an API with which to access
@@ -2219,9 +2220,6 @@ and web services platform functionality.")
      `(("pkg-config" ,pkg-config)))
     (inputs
      `(("mariadb" ,mariadb)
-       ;; FIXME: This should be propagated from MariaDB, but add it here
-       ;; for now to prevent a large rebuild.
-       ("openssl" ,openssl)
        ("zlib" ,zlib)))
     (propagated-inputs
      `(("r-dbi" ,r-dbi)))
@@ -2290,7 +2288,7 @@ Database API 2.0T.")
 (define-public python-sqlalchemy
   (package
     (name "python-sqlalchemy")
-    (version "1.0.12")
+    (version "1.2.11")
     (source
      (origin
       (method url-fetch)
@@ -2298,7 +2296,7 @@ Database API 2.0T.")
                           "SQLAlchemy/SQLAlchemy-" version ".tar.gz"))
       (sha256
        (base32
-        "1l8qclhd0s90w3pvwhi5mjxdwr5j7gw7cjka2fx6f2vqmq7f4yb6"))))
+        "094mmbs4igrxplfyqd59j90jb83ixpbbzqc0w49yw81m82nnjrgg"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-cython" ,python-cython) ;for c extensions
@@ -2308,7 +2306,7 @@ Database API 2.0T.")
      `(#:phases
        (modify-phases %standard-phases
          (replace 'check
-           (lambda _ (zero? (system* "py.test")))))))
+           (lambda _ (invoke "py.test"))))))
     (home-page "http://www.sqlalchemy.org")
     (synopsis "Database abstraction library")
     (description
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index 58c867d765..206f9c71bb 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -76,6 +76,7 @@
               (method url-fetch)
               (uri (string-append "mirror://gnu/parted/parted-"
                                   version ".tar.xz"))
+              (patches (search-patches "parted-glibc-compat.patch"))
               (sha256
                (base32
                 "1r3qpg3bhz37mgvp9chsaa3k0csby3vayfvz8ggsqz194af5i2w5"))))
diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm
index 1c00e56d6d..1e5379b020 100644
--- a/gnu/packages/docbook.scm
+++ b/gnu/packages/docbook.scm
@@ -138,11 +138,15 @@ by no means limited to these applications.)  This package provides XML DTDs.")
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/docbook/docbook-xsl/"
                                   version "/docbook-xsl-" version ".tar.bz2"))
-              ;; Note: If removing all patches, the XZ dependency is no longer needed.
               (patches (search-patches "docbook-xsl-nonrecursive-string-subst.patch"))
               (sha256
                (base32
-                "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))))
+                "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  (for-each delete-file (find-files "." "\\.jar$"))
+                  #t))))
     (build-system trivial-build-system)
     (arguments
      `(#:builder (let ((name-version (string-append ,name "-" ,version)))
@@ -168,7 +172,7 @@ by no means limited to these applications.)  This package provides XML DTDs.")
                      #t))
        #:modules ((guix build utils))))
     (native-inputs `(("bzip2" ,bzip2)
-                     ("xz" ,xz)
+                     ("xz" ,xz)         ;needed for repacked tarballs
                      ("tar" ,tar)))
     (home-page "http://docbook.org")
     (synopsis "DocBook XSL style sheets for document authoring")
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index f533535f03..9425df707c 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -139,23 +139,10 @@ markup) can be customized and extended by the user.")
        ("libxml2" ,libxml2) ; provides xmllint for the tests
        ("python" ,python-2))) ; for creating the documentation
     (inputs
-     `(("bash" ,bash-minimal)
-       ,@(if (string-prefix? "armhf-" (%current-system))
-             `(("gcc-ice-patch" ,@(search-patches "doxygen-gcc-ice.patch")))
-             '())))
+     `(("bash" ,bash-minimal)))
     (arguments
      `(#:test-target "tests"
        #:phases (modify-phases %standard-phases
-                  ;; Work around an ICE that shows up on native compiles for
-                  ;; armhf-linux.
-                  ,@(if (string-prefix? "armhf-" (%current-system))
-                        `((add-after 'unpack 'apply-gcc-patch
-                            (lambda* (#:key inputs #:allow-other-keys)
-                              (let ((patch (assoc-ref inputs "gcc-ice-patch")))
-                                (invoke "patch" "-p1" "--force"
-                                        "--input" patch)))))
-                        '())
-
                   (add-before 'configure 'patch-sh
                               (lambda* (#:key inputs #:allow-other-keys)
                                 (substitute* "src/portable.cpp"
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 0473c519d5..78f0360c2e 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,14 +29,14 @@
 (define-public file
   (package
     (name "file")
-    (version "5.32")
+    (version "5.33")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "0l1bfa0icng9vdwya00ff48fhvjazi5610ylbhl35qi13d6xqfc6"))))
+                "1iipnwjkag7q04zjkaqic41r9nlw0ml6mhqian6qkkbisb1whlhw"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 29c5c92766..e08b0c13db 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -45,22 +45,10 @@
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
-            ;; Work around an incompatibility with Bison 3.0:
-            ;; <http://lists.gnu.org/archive/html/bug-bison/2013-09/msg00014.html>.
             (package
               (inherit bison)
-              (version "2.7.1")
-              (source (origin
-                        (method url-fetch)
-                        (uri (string-append
-                              "mirror://gnu/bison/"
-                              "bison-" version ".tar.xz"))
-                        (sha256
-                         (base32
-                          "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
-
-              ;; Unlike Bison 3.0, this version did not need Flex for its
-              ;; tests, so it allows us to break the cycle.
+              ;; Disable tests, since they require flex.
+              (arguments '(#:tests? #f))
               (inputs (alist-delete "flex" (package-inputs bison))))))
        `(("bison" ,bison-for-tests)
          ("indent" ,indent))))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 30143eba34..69e35cda0e 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Nils Gillmann <ng0@n0.is>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -54,15 +55,18 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.9")
+   (version "2.9.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "12jcdz1in20yaa55izxalg3hm1pf7nydfrzps5bzb4zgihybmzz6"))
-            (patches (search-patches "freetype-CVE-2018-6942.patch"))))
+                     "0kg8w6qyiizlyzh4a8lpzslipcbv96hcg3rqqpnxba8ffbm8g3fv"))))
    (build-system gnu-build-system)
+   (arguments
+    ;; The use of "freetype-config" is deprecated, but other packages still
+    ;; depend on it.
+    `(#:configure-flags (list "--enable-freetype-config")))
    (native-inputs
     `(("pkg-config" ,pkg-config)))
    (propagated-inputs
@@ -375,7 +379,7 @@ applications should be.")
 (define-public graphite2
   (package
    (name "graphite2")
-   (version "1.3.11")
+   (version "1.3.12")
    (source
      (origin
        (method url-fetch)
@@ -383,7 +387,7 @@ applications should be.")
                            "download/" version "/" name "-" version ".tgz"))
        (sha256
         (base32
-         "0z5dcgh8r3678awq6fb8igik7xmar5m6z9xxwpkkhradhk8jxfds"))))
+         "1l1940d8fz67jm6a0x8cjb5p2dv48cvz3wcskwa83hamd70k15fd"))))
    (build-system cmake-build-system)
    (native-inputs
     `(("python" ,python-2) ; because of "import imap" in tests
@@ -533,7 +537,10 @@ definitions.")
              ("libxml2"         ,libxml2)
              ("pango"           ,pango)
              ("potrace"         ,potrace)
-             ("python"          ,python-wrapper)
+             ;; FIXME: We use Python 2 here because there is a bug in Python
+             ;; 3.7 that is triggered when Py_Main is called after Py_Init, as
+             ;; is done by fontforge.  This will be fixed in Python 3.7.1.
+             ("python"          ,python-2)
              ("zlib"            ,zlib)))
    (arguments
     '(#:phases
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 626d883648..ce67b6858b 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -437,14 +437,14 @@ Python.")
 (define-public wayland
   (package
     (name "wayland")
-    (version "1.15.0")
+    (version "1.16.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://wayland.freedesktop.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1c5fnys8hi71cnzjv5k7j0r8gx80p0yyqlrpmn06mmarhnxvwgzb"))))
+                "1xajhxad43izq9f7sbww1hlg42nayijy8xnp21kgpk09c6sw4wjf"))))
     (build-system gnu-build-system)
     (arguments
      `(#:parallel-tests? #f))
diff --git a/gnu/packages/fribidi.scm b/gnu/packages/fribidi.scm
index 0368779240..dfd2a77c20 100644
--- a/gnu/packages/fribidi.scm
+++ b/gnu/packages/fribidi.scm
@@ -27,7 +27,7 @@
 (define-public fribidi
   (package
     (name "fribidi")
-    (version "1.0.2")
+    (version "1.0.5")
     (source
       (origin
         (method url-fetch)
@@ -36,11 +36,8 @@
                         "/download/v" version "/fribidi-" version
                          ".tar.bz2"))
         (sha256
-          (base32 "0aw3i1g96axbr96flw4543dvhb8zlgb0w8314ks6cq2g1i9invdx"))))
+          (base32 "1kp4b1hpx2ky20ixgy2xhj5iygfl7ps5k9kglh1z5i7mhykg4r3a"))))
     (build-system gnu-build-system)
-    (arguments
-     `(#:configure-flags
-       (list "--disable-docs")))        ; TODO: enable; requires c2man
     (synopsis "Implementation of the Unicode bidirectional algorithm")
     (description
      "GNU FriBidi is an implementation of the Unicode Bidirectional
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 0dd5d64464..8207104174 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -398,6 +398,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
               (patches (search-patches "gcc-4.9-libsanitizer-fix.patch"
+                                       "gcc-4.9-libsanitizer-ustat.patch"
                                        "gcc-arm-bug-71399.patch"
                                        "gcc-asan-missing-include.patch"
                                        "gcc-libvtv-runpath.patch"
@@ -432,6 +433,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "11zd1hgzkli3b2v70qsm2hyqppngd4616qc96lmm9zl2kl9yl32k"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-strmov-store-file-names.patch"
                                        "gcc-5.0-libvtv-runpath.patch"
                                        "gcc-5-source-date-epoch-1.patch"
@@ -452,7 +454,8 @@ Go.  It also includes runtime support libraries for these languages.")
                      "$OBJDUMP_FOR_TARGET -T"))
                   #t))))
     (inputs
-     `(("isl" ,isl)
+     `(;; GCC5 needs <isl/band.h> which is removed in later versions.
+       ("isl" ,isl-0.18)
        ,@(package-inputs gcc-4.7)))))
 
 (define-public gcc-6
@@ -467,6 +470,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "1m0lr7938lw5d773dkvwld90hjlcq2282517d1gwvrfzmwgg42w5"))
               (patches (search-patches "gcc-libsanitizer-fix.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-strmov-store-file-names.patch"
                                        "gcc-6-source-date-epoch-1.patch"
                                        "gcc-6-source-date-epoch-2.patch"
@@ -511,6 +515,7 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "0p71bij6bfhzyrs8676a8jmpjsfz392s2rg862sdnsk30jpacb43"))
               (patches (search-patches "gcc-strmov-store-file-names.patch"
+                                       "gcc-libsanitizer-ustat.patch"
                                        "gcc-5.0-libvtv-runpath.patch"))))
     (description
      "GCC is the GNU Compiler Collection.  It provides compiler front-ends
@@ -854,7 +859,7 @@ as the 'native-search-paths' field."
 (define-public isl
   (package
     (name "isl")
-    (version "0.18")
+    (version "0.19")
     (source (origin
              (method url-fetch)
              (uri (list (string-append
@@ -865,7 +870,7 @@ as the 'native-search-paths' field."
                                        name "-" version ".tar.gz")))
              (sha256
               (base32
-               "06ybml6llhi4i56q90jnimbcgk1lpcdwhy9nxdxra2hxz3bhz2vb"))))
+               "1n4yz9rj24mv226hqbpw210ifvqkn8dgvpnkzf0s0lkq9zrjd5ym"))))
     (build-system gnu-build-system)
     (inputs `(("gmp" ,gmp)))
     (home-page "http://isl.gforge.inria.fr/")
@@ -883,6 +888,20 @@ reduction, transitive closures on maps (which may encode infinite graphs),
 dependence analysis and bounds on piecewise step-polynomials.")
     (license lgpl2.1+)))
 
+(define-public isl-0.18
+  (package
+    (inherit isl)
+    (version "0.18")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "http://isl.gforge.inria.fr/isl-"
+                                        version ".tar.bz2")
+                         (string-append %gcc-infrastructure
+                                        "isl-" version ".tar.gz")))
+              (sha256
+               (base32
+                "06ybml6llhi4i56q90jnimbcgk1lpcdwhy9nxdxra2hxz3bhz2vb"))))))
+
 (define-public isl-0.11
   (package
     (inherit isl)
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 518e18397b..3808d81524 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2013, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
@@ -55,7 +55,7 @@
             (sha256 (base32
                      "083xisy6z01zhm7p7rgk4bx9d6zlr8l20qkfv1g29ylnhgwzvij8"))))
    (build-system gnu-build-system)
-   (inputs `(("libjpeg-8" ,libjpeg-8)
+   (inputs `(("libjpeg" ,libjpeg)
              ("libtiff" ,libtiff)
              ("zlib" ,zlib)))
    (synopsis "Little CMS, a small-footprint colour management engine")
@@ -148,6 +148,7 @@ printing, and psresize, for adjusting page sizes.")
          (base32
           "1ng8d9fm5lza7k1f7ybc791275c07z5hcmpkrl2i226nshkxrkhz"))
         (patches (search-patches "ghostscript-runpath.patch"
+                                 "ghostscript-CVE-2018-10194.patch"
                                  "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index 28e283640d..7c9e20e2ee 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -224,7 +224,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "18.1.5")
+    (version "18.1.7")
     (source
       (origin
         (method url-fetch)
@@ -236,7 +236,7 @@ also known as DXTn or DXTC) for Mesa.")
                                   version "/mesa-" version ".tar.xz")))
         (sha256
          (base32
-          "1sldv7l3g6jfx0yn16kvxlik1qiy037lypdqpvsqc0v6lvqydnv9"))
+          "01kk42m2sjyc4k1nfw6k1lnzipjbbmp5js47drgdvp9vrqr3npk5"))
         (patches
          (search-patches "mesa-skip-disk-cache-test.patch"))))
     (build-system gnu-build-system)
@@ -252,7 +252,7 @@ also known as DXTn or DXTC) for Mesa.")
         ("xorgproto" ,xorgproto)))
     (inputs
       `(("expat" ,expat)
-        ("libelf" ,libelf)    ;required for r600 when using llvm
+        ("libelf" ,elfutils)  ;required for r600 when using llvm
         ("libva" ,(force libva-without-mesa))
         ("libxml2" ,libxml2)
         ;; TODO: Add 'libxml2-python' for OpenGL ES 1.1 and 2.0 support
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 14d2a8b315..8dff95fc70 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -80,7 +80,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.12.6")
+    (version "1.12.10")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -88,7 +88,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "05picaq8j60wlwyi84qvw5liw3nd0cws9va3krnc3pms0wm906v2"))
+                "1xywijmgfad4m3cxp0b4l6kvypwc53ckmhwwzbrc6n32jwj3ssab"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -150,7 +150,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.56.0")
+   (version "2.56.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -158,7 +158,7 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1iqgi90fmpl3l23jm2iv44qp7hqsxvnv7978s18933bvx4bnxvzc"))
+              "12d738n1wpvrn39zvy9xazg5h6vzyiwsw8z1qibcj09mh4bbsjnn"))
             (patches (search-patches "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
@@ -303,14 +303,14 @@ dynamic loading, and an object system.")
 (define gobject-introspection
   (package
     (name "gobject-introspection")
-    (version "1.56.0")
+    (version "1.56.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/"
                    "gobject-introspection/" (version-major+minor version)
                    "/gobject-introspection-" version ".tar.xz"))
              (sha256
-              (base32 "1y50pbn5qqbcv2h9rkz96wvv5jls2gma9bkqjq6wapmaszx5jw0d"))
+              (base32 "0jx2kryjd7l0vl5gb3qp1qjfy3cjiizvcd1snsm7pzwrzz67aa2v"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -598,7 +598,7 @@ useful for C++.")
 (define-public python-pygobject
   (package
     (name "python-pygobject")
-    (version "3.28.2")
+    (version "3.28.3")
     (source
      (origin
        (method url-fetch)
@@ -607,7 +607,7 @@ useful for C++.")
                            "/pygobject-" version ".tar.xz"))
        (sha256
         (base32
-         "1jpjws4v17wv99lbhks0g0152w0f70mnwpdn8ibzzfgw2kykli5c"))))
+         "1c6h3brzlyvzbpdsammnd957azmp6cbzqrd65r400vnh2l8f5lrx"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 1a0cc9cc11..2b723e99ee 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -122,6 +122,7 @@
   #:use-module (gnu packages ssh)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages gl)
+  #:use-module (gnu packages graphviz)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages spice)
   #:use-module (gnu packages tex)
@@ -938,14 +939,14 @@ guidelines.")
 (define-public shared-mime-info
   (package
     (name "shared-mime-info")
-    (version "1.8")
+    (version "1.9")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://freedesktop.org/~hadess/"
                                  "shared-mime-info-" version ".tar.xz"))
              (sha256
               (base32
-               "1sc96lv9dp1lkvs8dh3ngm3hbjb274d363dl9avhb61il3qmxx9a"))))
+               "10ywzhzg8v1xmb9sz5xbqaci90id38knswigynyl33i29vn360aw"))))
     (build-system gnu-build-system)
     (arguments
      ;; The build system appears not to be parallel-safe.
@@ -1176,7 +1177,7 @@ XML/CSS rendering engine.")
 (define-public libgsf
   (package
     (name "libgsf")
-    (version "1.14.43")
+    (version "1.14.44")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1184,7 +1185,7 @@ XML/CSS rendering engine.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "05pf3h0dha3s20ddsrljbx7m94qyiqs5igwxx1ql0vlsdlylx50j"))))
+                "1ppzfk3zmmgrg9jh8vc4dacddbfngjslq2wpj94pcr3i0c8dxgk8"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("intltool" ,intltool)
@@ -2034,7 +2035,7 @@ passwords in the GNOME keyring.")
 (define-public vala
   (package
     (name "vala")
-    (version "0.36.3")
+    (version "0.40.9")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -2042,7 +2043,7 @@ passwords in the GNOME keyring.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0706izk9prxqclm7gv4f63diwnlc1llvfl5sc9ghqbgn076lx2mc"))))
+                "0yvaijkpahzz26sa37cyzbj75a9vbcbgvxbqzzb7hbcvfy009zy7"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -2050,20 +2051,25 @@ passwords in the GNOME keyring.")
          (add-before 'check 'pre-check
                      (lambda _
                        (setenv "CC" "gcc")
+                       (substitute* "valadoc/tests/testrunner.sh"
+                         (("export PKG_CONFIG_PATH=" m)
+                          (string-append m "$PKG_CONFIG_PATH:")))
                        ;; For missing '/etc/machine-id'.
                        (setenv "DBUS_FATAL_WARNINGS" "0")
-                       #t)))
-       ;; Build the Vala API generator
-       #:configure-flags '("--enable-vapigen")))
+                       #t)))))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("flex" ,flex)
        ("bison" ,bison)
        ("xsltproc" ,libxslt)
+       ("grep" ,grep)
+       ("sed" ,sed)
        ("dbus" ,dbus)                                     ; for dbus tests
        ("gobject-introspection" ,gobject-introspection))) ; for gir tests
+    (inputs
+     `(("graphviz" ,graphviz)))
     (propagated-inputs
-     `(("glib" ,glib))) ; required by libvala-0.26.pc
+     `(("glib" ,glib))) ; required by libvala-0.40.pc
     (home-page "https://live.gnome.org/Vala/")
     (synopsis "Compiler for the GObject type system")
     (description
@@ -5861,7 +5867,7 @@ is complete it provides a graphical representation of each selected folder.")
 (define-public gnome-backgrounds
   (package
     (name "gnome-backgrounds")
-    (version "3.26.2")
+    (version "3.28.0")
     (source
      (origin
        (method url-fetch)
@@ -5870,8 +5876,8 @@ is complete it provides a graphical representation of each selected folder.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "0kzrh5h0cfby3rhsy31d1w1c0rr3wcc845kv6zibqw1x8v9si2rs"))))
-    (build-system glib-or-gtk-build-system)
+         "1qgim0yhzjgcq172y4vp5hqz4rh1ak38a7pgi6s7dq0wklyrcnxj"))))
+    (build-system meson-build-system)
     (native-inputs
      `(("intltool" ,intltool)))
     (home-page "https://git.gnome.org/browse/gnome-backgrounds")
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 067a2338d4..0cd9818326 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -72,7 +72,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.28")
+    (version "1.32")
     (source
      (origin
       (method url-fetch)
@@ -80,8 +80,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0jfsfnh9bxlxiwxws60yah4ybjw2hshmvqp31pri4m4h8ivrbnry"))
-      (patches (search-patches "libgpg-error-aarch64-logging-fix.patch"))))
+        "1jj08ns4sh1hmafqp1giskvdicdz18la516va26jycy27kkwaif3"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -94,32 +93,19 @@ Daemon and possibly more in the future.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgpg-error")))))
 
-;; Some packages (e.g. GPGME) require a newer libgpg-error to deal with
-;; error codes from recent GnuPG.  Remove this in the next rebuild cycle.
-(define-public libgpg-error-1.31
-  (package
-    (inherit libgpg-error)
-    (version "1.31")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/libgpg-error/libgpg-error-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "1vx4nw6rxh2biy3h8n96fyr86q29h8gjl6837437i51jr4isil20"))))))
-
 (define-public libgcrypt
   (package
-    (replacement libgcrypt/fixed)
     (name "libgcrypt")
-    (version "1.8.2")
+    (version "1.8.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "01sca9m8hm6b5v8hmqsfdjhyz013869p1f0fxw9ln52qfnp4q1n8"))))
+               "0z5gs1khzyknyfjr19k8gk4q148s6q987ya85cpn0iv70fz91v36"))
+             (patches
+              (search-patches "libgcrypt-make-yat2m-reproducible.patch"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
@@ -145,19 +131,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define libgcrypt/fixed
-  (package
-    (inherit libgcrypt)
-    (name "libgcrypt")
-    (version "1.8.3")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                                 version ".tar.bz2"))
-             (sha256
-              (base32
-               "0z5gs1khzyknyfjr19k8gk4q148s6q987ya85cpn0iv70fz91v36"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
@@ -406,7 +379,7 @@ libskba (working with X.509 certificates and CMS data).")
      `(("gnupg" ,gnupg)))
     (propagated-inputs
      ;; Needs to be propagated because gpgme.h includes gpg-error.h.
-     `(("libgpg-error" ,libgpg-error-1.31)))
+     `(("libgpg-error" ,libgpg-error)))
     (inputs
      `(("libassuan" ,libassuan)))
     (home-page "https://www.gnupg.org/related_software/gpgme/")
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 4daaad0ebc..7a70239684 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
-;;; Copyright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Coypright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Fabian Harfert <fhmgufs@web.de>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
@@ -112,15 +112,16 @@ tools have full access to view and control running applications.")
 (define-public cairo
   (package
    (name "cairo")
-   (version "1.14.10")
+   (version "1.14.12")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://cairographics.org/releases/cairo-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "02banr0wxckq62nbhc3mqidfdh2q956i2r7w2hd9bjgjb238g1vy"))
-            (patches (search-patches "cairo-CVE-2016-9082.patch"))))
+              "05mzyxkvsfc1annjw2dja8vka01ampp9pp93lg09j8hba06g144c"))
+            (patches (search-patches "cairo-CVE-2016-9082.patch"
+                                     "cairo-setjmp-wrapper.patch"))))
    (build-system gnu-build-system)
    (propagated-inputs
     `(("fontconfig" ,fontconfig)
@@ -178,7 +179,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.7.6")
+   (version "1.8.8")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.freedesktop.org/software/"
@@ -186,7 +187,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "16rf7qwgy1gza74v2ws79zdwwb1lpvgz2abwwm8ws9j82cwysyys"))))
+               "1ag3scnm1fcviqgx2p4858y433mr0ndqw6zccnccrqcr9mpcird8"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
@@ -217,8 +218,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public pango
   (package
    (name "pango")
-   (version "1.42.0")
-   (replacement pango-1.42.4)
+   (version "1.42.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/pango/"
@@ -226,18 +226,18 @@ affine transformation (scale, rotation, shear, etc.).")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0illn78nfwpa8y5knh9ir74wa1skc2hi8f3ny19zgpyf7n5dh94r"))))
+              "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))
    (build-system gnu-build-system)
    (propagated-inputs
     ;; These are all in Requires or Requires.private of the '.pc' files.
     `(("cairo" ,cairo)
+      ("fribidi" ,fribidi)
       ("fontconfig" ,fontconfig)
       ("freetype" ,freetype)
       ("glib" ,glib)
       ("harfbuzz" ,harfbuzz)))
    (inputs
-    `(("fribidi" ,fribidi)
-      ("zlib" ,zlib)
+    `(("zlib" ,zlib)
 
       ;; Some packages, such as Openbox, expect Pango to be built with the
       ;; optional libxft support.
@@ -254,19 +254,6 @@ used throughout the world.")
    (license license:lgpl2.0+)
    (home-page "https://developer.gnome.org/pango/")))
 
-(define-public pango-1.42.4
-  (package
-    (inherit pango)
-    (version "1.42.4")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnome/sources/pango/"
-                                  (version-major+minor version) "/"
-                                  "pango-" version ".tar.xz"))
-              (sha256
-               (base32
-                "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))))
-
 (define-public pangox-compat
   (package
     (name "pangox-compat")
@@ -584,7 +571,7 @@ is part of the GNOME accessibility project.")
 (define-public at-spi2-atk
   (package
    (name "at-spi2-atk")
-   (version "2.26.1")
+   (version "2.26.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -592,7 +579,7 @@ is part of the GNOME accessibility project.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0x9vc99ni46fg5dzlx67vbw0zqffr24gz8jvbdxbmzyvc5xw5w5l"))))
+              "0vkan52ab9vrkknnv8y4f1cspk8x7xd10qx92xk9ys71p851z2b1"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
@@ -729,9 +716,9 @@ application suites.")
       ("python-wrapper" ,python-wrapper)
       ;; By using a special xorg-server for GTK+'s tests, we reduce the impact
       ;; of updating xorg-server directly on the master branch.
-      ("xorg-server" ,xorg-server-1.19.3)))
+      ("xorg-server" ,xorg-server-for-tests)))
    (arguments
-    `(#:disallowed-references (,xorg-server-1.19.3)
+    `(#:disallowed-references (,xorg-server-for-tests)
       ;; 47 MiB goes to "out" (24 of which is locale data!), and 26 MiB goes
       ;; to "doc".
       #:configure-flags (list (string-append "--with-html-dir="
@@ -1088,7 +1075,7 @@ toolkit.")
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("glib" ,glib "bin")        ;for 'glib-compile-resources'
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     (propagated-inputs
      `(("pangomm" ,pangomm)
        ("cairomm" ,cairomm)
@@ -1099,7 +1086,7 @@ toolkit.")
      `(;; XXX: Tests require C++14 or later.  Remove this when the default
        ;; compiler is >= GCC6.
        #:configure-flags '("CXXFLAGS=-std=gnu++14")
-       #:disallowed-references (,xorg-server-1.19.3)
+       #:disallowed-references (,xorg-server-for-tests)
        #:phases (modify-phases %standard-phases
                   (add-before 'check 'run-xvfb
                     (lambda* (#:key inputs #:allow-other-keys)
@@ -1180,7 +1167,7 @@ printing and other features typical of a source code editor.")
 (define-public python-pycairo
   (package
     (name "python-pycairo")
-    (version "1.16.3")
+    (version "1.17.1")
     (source
      (origin
       (method url-fetch)
@@ -1188,7 +1175,7 @@ printing and other features typical of a source code editor.")
                           version "/pycairo-" version ".tar.gz"))
       (sha256
        (base32
-        "1xq1bwhyi5imca5kvd28szh2rdzi8g0kaspwaqgsbczqskjj3csv"))))
+        "165n0g7gp2a0qi8558snvfans17x83jv2lv7bx4vr1rxjbn3a2hg"))))
     (build-system python-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)
@@ -1383,7 +1370,7 @@ and routines to assist in editing internationalized text.")
                      ("check" ,check)
                      ("gettext" ,gettext-minimal)
                      ("glib:bin" ,glib "bin")
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     ;; Listed in 'Requires.private' of 'girara.pc'.
     (propagated-inputs `(("gtk+" ,gtk+)))
     (arguments
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 05d9315214..7c88454300 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -212,8 +212,7 @@ without requiring the source code to be rewritten.")
            (files '("share/guile/site/2.0")))
           (search-path-specification
            (variable "GUILE_LOAD_COMPILED_PATH")
-           (files '("lib/guile/2.0/site-ccache"
-                    "share/guile/site/2.0")))))
+           (files '("lib/guile/2.0/site-ccache")))))
 
    (synopsis "Scheme implementation intended especially for extensions")
    (description
@@ -228,7 +227,7 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.2
   (package (inherit guile-2.0)
     (name "guile")
-    (version "2.2.3")
+    (version "2.2.4")
     (source (origin
               (method url-fetch)
 
@@ -238,7 +237,7 @@ without requiring the source code to be rewritten.")
                                   ".tar.xz"))
               (sha256
                (base32
-                "11j01agvnci2cx32wwpqs9078856yxmvs15gcsz7ganpkj2ahlw3"))
+                "07p3g0v2ba2vlfbfidqzlgbhnzdx46wh2rgc5gszq1mjyx5bks6r"))
               (modules '((guix build utils)))
 
               ;; Remove the pre-built object files.  Instead, build everything
@@ -257,8 +256,7 @@ without requiring the source code to be rewritten.")
             (files '("share/guile/site/2.2")))
            (search-path-specification
             (variable "GUILE_LOAD_COMPILED_PATH")
-            (files '("lib/guile/2.2/site-ccache"
-                     "share/guile/site/2.2")))))
+            (files '("lib/guile/2.2/site-ccache")))))
 
     (arguments
      (if (%current-target-system)
@@ -287,35 +285,6 @@ without requiring the source code to be rewritten.")
                   (max-silent-time . 36000))))) ;10 hours (needed on ARM
                                                 ;  when heavily loaded)
 
-(define-public guile-2.2.2
-  ;; Keep it so that, when 'guix' runs on 2.2.2, 'guix pull' compiles objects
-  ;; with 2.2.2, thereby avoiding the ABI incompatibility issues described in
-  ;; <https://bugs.gnu.org/29570>.
-  (package
-    (inherit guile-2.2)
-    (version "2.2.2")
-    (source (origin
-              (inherit (package-source guile-2.2))
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "1azm25zcmxif0skxfrp11d2wc89nrzpjaann9yxdw6pvjxhs948w"))))))
-
-(define-public guile-2.2.4
-  ;; This version contains important bug fixes, in particular wrt. to crashes
-  ;; of multi-threaded code as used by 'guix pull' and grafting.
-  (package
-    (inherit guile-2.2)
-    (version "2.2.4")
-    (source (origin
-              (inherit (package-source guile-2.2))
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "07p3g0v2ba2vlfbfidqzlgbhnzdx46wh2rgc5gszq1mjyx5bks6r"))))))
-
 (define-public guile-next
   (deprecated-package "guile-next" guile-2.2))
 
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index c4d3703794..cbba9aa42a 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -32,7 +32,7 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "61.1")
+   (version "62.1")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -42,7 +42,7 @@
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "1vxgkx0cyvdy00a9yd5khkx14r5kcndkax2wa99klm52x2dgh1yh"))))
+             (base32 "18ssgnwzzpm1g1fvbm9h1fvryiwxvvn5wc3fdakdsl33cs6qdn9x"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
@@ -58,7 +58,15 @@
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'chdir-to-source
-          (lambda _ (chdir "source") #t)))))
+          (lambda _ (chdir "source") #t))
+        (add-after 'install 'avoid-coreutils-reference
+          ;; Don't keep a reference to the build tools.
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              (substitute* (find-files (string-append out "/lib/icu")
+                                       "\\.inc$")
+                (("INSTALL_CMD=.*/bin/install") "INSTALL_CMD=install"))
+              #t))))))
    (synopsis "International Components for Unicode")
    (description
     "ICU is a set of C/C++ and Java libraries providing Unicode and
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 78fb30c279..03f08a614f 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -254,13 +254,13 @@ files.  It can compress them as much as 40% losslessly.")
 (define-public libjpeg
   (package
    (name "libjpeg")
-   (version "9b")
+   (version "9c")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.ijg.org/files/jpegsrc.v"
                    version ".tar.gz"))
             (sha256 (base32
-                     "0lnhpahgdwlrkd41lx6cr90r199f8mc6ydlh7jznj5klvacd63r4"))))
+                     "08kixcf3a7s9x91174abjnk1xbvj4v8crdc73zi4k9h3jfbm00k5"))))
    (build-system gnu-build-system)
    (synopsis "Library for handling JPEG files")
    (description
@@ -394,7 +394,6 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
    (version "4.0.9")
    (source
      (origin
@@ -405,7 +404,9 @@ extracting icontainer icon files.")
         (base32
          "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))
        (patches (search-patches "libtiff-CVE-2017-9935.patch"
-                                "libtiff-CVE-2017-18013.patch"))))
+                                "libtiff-CVE-2017-18013.patch"
+                                "libtiff-CVE-2018-8905.patch"
+                                "libtiff-CVE-2018-10963.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -427,17 +428,6 @@ collection of tools for doing simple manipulations of TIFF images.")
                                   "See COPYRIGHT in the distribution."))
    (home-page "http://www.simplesystems.org/libtiff/")))
 
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source
-      (origin
-        (inherit (package-source libtiff))
-        (patches
-          (append (origin-patches (package-source libtiff))
-                  (search-patches "libtiff-CVE-2018-8905.patch"
-                                  "libtiff-CVE-2018-10963.patch")))))))
-
 (define-public leptonica
   (package
     (name "leptonica")
diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index de9940df1c..1673cc602e 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2014, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
@@ -54,7 +54,24 @@
                                   "inkscape-" version ".tar.bz2"))
               (sha256
                (base32
-                "1chng2yw8dsjxc9gf92aqv7plj11cav8ax321wmakmv5bb09cch6"))))
+                "1chng2yw8dsjxc9gf92aqv7plj11cav8ax321wmakmv5bb09cch6"))
+              (patches
+               (list (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "a600c6438fef2f4c06f9a4a7d933d99fb054a973.diff"))
+                       (file-name "inkscape-poppler-compat.patch")
+                       (sha256
+                        (base32
+                         "19dam5vsy571xszgjddl5g0958dmcsv0wvgxidp4bhj2lban222i")))
+                     (origin
+                       (method url-fetch)
+                       (uri (string-append "https://gitlab.com/inkscape/inkscape/commit/"
+                                           "fa1c469aa8c005e07bb8676d72af9f7c16fae3e0.diff"))
+                       (file-name "inkscape-poppler-compat2.patch")
+                       (sha256
+                        (base32
+                         "14k9yrfjz4nx3bz9dk91q74mc0i7rvl2qzkwhcy1br71yqjvngn5")))))))
     (build-system cmake-build-system)
     (inputs
      `(("aspell" ,aspell)
diff --git a/gnu/packages/jemalloc.scm b/gnu/packages/jemalloc.scm
index 5086df7a1b..cb870208e4 100644
--- a/gnu/packages/jemalloc.scm
+++ b/gnu/packages/jemalloc.scm
@@ -32,7 +32,7 @@
 (define-public jemalloc
   (package
     (name "jemalloc")
-    (version "5.0.1")
+    (version "5.1.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -40,8 +40,7 @@
                     version "/jemalloc-" version ".tar.bz2"))
               (sha256
                (base32
-                "1sf3lzgb0y8nnyzmp4zrca3sngdxw3kfh20sna9z03jv74fph528"))
-              (patches (search-patches "jemalloc-arm-address-bits.patch"))))
+                "0s3jpcyhzia8d4k0xyc67is78kg416p9yc3c2f9w6fhhqqffd5jk"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 22d74d32df..508f9c4bd2 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -47,7 +48,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.16")
+    (version "1.16.1")
     (source (origin
               (method url-fetch)
               (uri (list
@@ -59,7 +60,7 @@
                                    "/krb5-" version ".tar.gz")))
               (sha256
                (base32
-                "024yjr15ij0qdnay0bcqfpclgfri0qa8iw4r5zdlryxhhdgi5szs"))))
+                "05qis9l93hhxaknbp0a2v5cr24fsy52fqx20aqqcgl1s9qwzwkr1"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -116,7 +117,7 @@ cryptography.")
      '(;; This is required since we patch some of the build scripts.
        ;; Remove for the next Shishi release after 1.0.2 or when
        ;; removing 'shishi-fix-libgcrypt-detection.patch'.
-       #:configure-flags '("ac_cv_libgcrypt=yes")))
+       #:configure-flags '("ac_cv_libgcrypt=yes" "--disable-static")))
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs
      `(("gnutls" ,gnutls)
diff --git a/gnu/packages/libbsd.scm b/gnu/packages/libbsd.scm
index 58b0be872c..a616de70bd 100644
--- a/gnu/packages/libbsd.scm
+++ b/gnu/packages/libbsd.scm
@@ -25,14 +25,14 @@
 (define-public libbsd
   (package
     (name "libbsd")
-    (version "0.8.7")
+    (version "0.9.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://libbsd.freedesktop.org/releases/"
                                   "libbsd-" version ".tar.xz"))
               (sha256
                (base32
-                "0c9bl49zs0xdddcwj5dh0lay9sxi2m1yi74848g8p87mb87g2j7m"))))
+                "1957w2wi7iqar978qlfsm220dwywnrh5m58nrnn9zmi74ds3bn2n"))))
     (build-system gnu-build-system)
     (synopsis "Utility functions from BSD systems")
     (description "This library provides useful functions commonly found on BSD
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index a7752dc5f0..bc7f6c670d 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -122,24 +122,17 @@ limited support for fork events.")
 (define-public libuv
   (package
     (name "libuv")
-    (version "1.19.2")
+    (version "1.23.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dist.libuv.org/dist/v" version
                                   "/libuv-v" version ".tar.gz"))
               (sha256
                (base32
-                "1msk9ac1z69whww88ibrwjqkd1apdla6l77cm2fwy5kigq0z5g3w"))))
+                "09yf7c71n8b80nbsv4lsmq5nqmb0rylhpx3z9jgkv5za9lr6sx6i"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
-                  (add-after 'unpack 'autogen
-                    (lambda _
-                      ;; Fashionable people don't run 'make dist' these days, so
-                      ;; we need to do that ourselves.
-                      (invoke "sh" "autogen.sh"))))
-
-       ;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
+     '(;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
        #:tests? #f))
     (native-inputs `(("autoconf" ,autoconf-wrapper)
                      ("automake" ,automake)
diff --git a/gnu/packages/libffi.scm b/gnu/packages/libffi.scm
index 0d54c305b2..d1b910bd07 100644
--- a/gnu/packages/libffi.scm
+++ b/gnu/packages/libffi.scm
@@ -50,7 +50,10 @@
               (patches (search-patches "libffi-3.2.1-complex-alpha.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases
+     `(;; Prevent the build system from passing -march and -mtune to the
+       ;; compiler.  See "ax_cc_maxopt.m4" and "ax_gcc_archflag.m4".
+       #:configure-flags '("--enable-portable-binary" "--without-gcc-arch")
+       #:phases
        (modify-phases %standard-phases
          (add-after 'install 'post-install
            (lambda* (#:key outputs #:allow-other-keys)
@@ -79,13 +82,13 @@ conversions for values passed between the two languages.")
 (define-public python-cffi
   (package
     (name "python-cffi")
-    (version "1.11.4")
+    (version "1.11.5")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "cffi" version))
       (sha256
-       (base32 "07fiy4wqg8g08x38r04ydjr8n6g0g74gb8si8b6jhymijalq746z"))))
+       (base32 "1x3lrj928dcxx1k8k9gf3s4s3jwvzv8mc3kkyg1g7c3a1sc1f3z9"))))
     (build-system python-build-system)
     (outputs '("out" "doc"))
     (inputs
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 249c3f8458..719a0f0b4b 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,26 +33,18 @@
 (define-public libidn
   (package
    (name "libidn")
-   (version "1.34")
+   (version "1.35")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/libidn/libidn-" version
                                 ".tar.gz"))
             (sha256
              (base32
-              "0g3fzypp0xjcgr90c5cyj57apx1cmy0c6y9lvw2qdcigbyby469p"))
-            (modules '((guix build utils)))
-            (snippet
-             '(begin
-                ;; The gnulib test-lock test is prone to writer starvation
-                ;; with our glibc@2.25, which prefers readers, so disable it.
-                ;; The gnulib commit b20e8afb0b2 should fix this once
-                ;; incorporated here.
-                (substitute* "lib/gltests/Makefile.in"
-                  (("test-lock\\$\\(EXEEXT\\) ") ""))
-                #t))))
+              "07pyy0afqikfq51z5kbzbj9ldbd12mri0zvx0mfv3ds6bc0g26pi"))))
    (build-system gnu-build-system)
-;; FIXME: No Java and C# libraries are currently built.
+   ;; FIXME: No Java and C# libraries are currently built.
+   (arguments
+    `(#:configure-flags '("--disable-static")))
    (synopsis "Internationalized string processing library")
    (description
      "libidn is a library implementing of the Stringprep, Punycode and IDNA
@@ -66,19 +59,21 @@ Java libraries.")
 (define-public libidn2
   (package
     (name "libidn2")
-    (version "2.0.4")
+    (version "2.0.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/libidn/" name "-" version
                                   ".tar.lz"))
               (sha256
                (base32
-                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))
+                "0s4nkazy1xbs6bbq4farby1xhmhzk5bdclbil5gqdwyzxsgabxqg"))))
     (native-inputs
      `(("lzip" ,lzip)))
     (inputs
      `(("libunistring" ,libunistring)))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--disable-static")))
     (synopsis "Internationalized domain name library for IDNA2008")
     (description "Libidn2 is an internationalized domain library implementing
 the IDNA2008 specifications.   Libidn2 is believed to be a complete IDNA2008
diff --git a/gnu/packages/libsigsegv.scm b/gnu/packages/libsigsegv.scm
index 7f63bb26c4..927a12f4cf 100644
--- a/gnu/packages/libsigsegv.scm
+++ b/gnu/packages/libsigsegv.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -38,20 +38,23 @@
    (home-page "https://www.gnu.org/software/libsigsegv/")
    (synopsis "Library for handling page faults")
    (arguments
-    ;; On MIPS, work around this error:
-    ;;
-    ;; In file included from fault-linux-mips-old.h:18:0,
-    ;;    [...]
-    ;; linux-libre-headers-cross-mips64el-linux-gnu-3.3.8/include/asm/sigcontext.h:57:8: error: redefinition of 'struct sigcontext'
-    (if (string-contains (or (%current-target-system) (%current-system))
-                         "mips64el")
-        `(#:phases (modify-phases %standard-phases
-                     (add-before 'configure 'patch-mips-old-h
-                       (lambda _
-                         (substitute* "src/fault-linux-mips-old.h"
-                           (("#include <asm/sigcontext\\.h>") ""))
-                         #t))))
-        '()))
+    `(;; The shared library isn't built by default but some packages need it.
+      #:configure-flags '("--enable-shared")
+
+      ;; On MIPS, work around this error:
+      ;;
+      ;; In file included from fault-linux-mips-old.h:18:0,
+      ;;    [...]
+      ;; linux-libre-headers-cross-mips64el-linux-gnu-3.3.8/include/asm/sigcontext.h:57:8: error: redefinition of 'struct sigcontext'
+      ,@(if (string-contains (or (%current-target-system) (%current-system))
+                             "mips64el")
+            `(#:phases (modify-phases %standard-phases
+                         (add-before 'configure 'patch-mips-old-h
+                           (lambda _
+                             (substitute* "src/fault-linux-mips-old.h"
+                               (("#include <asm/sigcontext\\.h>") ""))
+                             #t))))
+            '())))
    (description
     "GNU libsigsegv is a library to handle page faults, which occur when a
 program tries to access an unavailable region of memory, in user mode.  By
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index 6a3afd4f05..fda839be54 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -5,6 +5,8 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -32,7 +34,7 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.9")
+   (version "0.9.10")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -40,24 +42,25 @@
                   version ".tar.xz"))
             (sha256
              (base32
-              "0cx8v6862w7vvacbkcvg49kfx731ckdgaybmzw1zav71zkn97nd4"))
-            (modules '((guix build utils)))
-            (snippet
-             '(begin
-                ;; The gnulib test-lock test is prone to writer starvation
-                ;; with our glibc@2.25, which prefers readers, so disable it.
-                ;; The gnulib commit b20e8afb0b2 should fix this once
-                ;; incorporated here.
-                (substitute* "tests/Makefile.in"
-                  (("test-lock\\$\\(EXEEXT\\) ") ""))
-                #t))))
+              "1mq57h06622m6qc5cv347fc3qk5mj840axw3c0vd7qmnwk1v53zb"))))
    (propagated-inputs (libiconv-if-needed))
+   (outputs '("out" "static"))
    (build-system gnu-build-system)
    (arguments
     ;; Work around parallel build issue whereby C files may be compiled before
     ;; config.h is built: see <http://hydra.gnu.org/build/59381/nixlog/2/raw> and
     ;; <http://lists.openembedded.org/pipermail/openembedded-core/2012-April/059850.html>.
-    '(#:parallel-build? #f))
+    '(#:parallel-build? #f
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-library
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (with-directory-excursion (string-append out "/lib")
+                         (install-file "libunistring.a"
+                                       (string-append static "/lib"))
+                         (delete-file "libunistring.a")
+                         #t)))))))
    (synopsis "C library for manipulating Unicode strings")
    (description
     "GNU libunistring is a library providing functions to manipulate
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 7d5b3aed86..fc071a1338 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -164,13 +164,13 @@ defconfig.  Return the appropriate make target if applicable, otherwise return
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.14.26")
+    (version "4.14.67")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "1m2zr17wpasg5riysbaa4g5i492jzr93py2jm088ki818s4a9cm3"))))
+               "050zvdxjy6sc64q75pr1gxsmh49chwav2pwxz8xlif39bvahnrpg"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -299,12 +299,6 @@ for ARCH and optionally VARIANT, or #f if there is no such configuration."
                  (or (%current-target-system) (%current-system)))
            ((or "x86_64" "i386")
             `(("gcc" ,gcc-7)))
-           ("arm64"
-            ;; Work around a binutils 2.30 bug where some kernel symbols would
-            ;; be incorrectly marked as relocatable:
-            ;; <https://sourceware.org/bugzilla/show_bug.cgi?id=22764>.
-            `(("ld-wrapper" ,(make-ld-wrapper "ld-wrapper"
-                                              #:binutils binutils/fixed))))
            (_
             '()))
        ,@(match (and configuration-file
@@ -495,17 +489,17 @@ It has been modified to remove all non-free binary blobs.")
 (define-public linux-pam
   (package
     (name "linux-pam")
-    (version "1.3.0")
+    (version "1.3.1")
     (source
      (origin
-      (method url-fetch)
-      (uri (string-append
-            "http://www.linux-pam.org/library/"
-            "Linux-PAM-" version ".tar.bz2"))
-      (sha256
-       (base32
-        "1fyi04d5nsh8ivd0rn2y0z83ylgc0licz7kifbb6xxi2ylgfs6i4"))
-      (patches (search-patches "linux-pam-no-setfsuid.patch"))))
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/linux-pam/linux-pam/releases/download/v"
+             version "/Linux-PAM-" version ".tar.xz"))
+       (sha256
+        (base32
+         "1nyh9kdi3knhxcbv5v4snya0g3gff0m671lnvqcbygw3rm77mx7g"))
+       (patches (search-patches "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
     (native-inputs
@@ -587,7 +581,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.32")
+    (version "2.32.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -595,7 +589,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0d2758kjll5xqm5fpp3sww1h66aahx161sf2b60jxqv4qymrfwvc"))
+                "1ck7d8srw5szpjq7v0gpmjahnjs6wgqzm311ki4gazww6xx71rl6"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -2543,9 +2537,7 @@ in a digital read-out.")
   (package
     (name "perf")
     (version (package-version linux-libre))
-    (source (origin
-              (inherit (package-source linux-libre))
-              (patches (search-patches "perf-gcc-ice.patch"))))
+    (source (package-source linux-libre))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -3308,6 +3300,7 @@ and copy/paste text in the console and in xterm.")
               ("libuuid:static" ,util-linux "static")
               ("lzo" ,lzo)
               ("zlib" ,zlib)
+              ("zlib:static" ,zlib "static")
               ("zstd" ,zstd)))
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("asciidoc" ,asciidoc)
diff --git a/gnu/packages/m4.scm b/gnu/packages/m4.scm
index b223ce91d1..090f5578e3 100644
--- a/gnu/packages/m4.scm
+++ b/gnu/packages/m4.scm
@@ -32,6 +32,7 @@
             (method url-fetch)
             (uri (string-append "mirror://gnu/m4/m4-"
                                 version ".tar.xz"))
+            (patches (search-patches "m4-gnulib-libio.patch"))
             (sha256
              (base32
               "01sfjd5a4waqw83bibvmn522g69qfqvwig9i2qlgy154l1nfihgj"))))
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index 475749bbf6..65d632f64e 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -22,7 +22,7 @@
 (define-module (gnu packages make-bootstrap)
   #:use-module (guix utils)
   #:use-module (guix packages)
-  #:use-module (guix licenses)
+  #:use-module ((guix licenses) #:select (gpl3+))
   #:use-module (guix build-system trivial)
   #:use-module (guix build-system gnu)
   #:use-module ((gnu packages) #:select (search-patch))
@@ -34,6 +34,7 @@
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages bdw-gc)
+  #:use-module (gnu packages libunistring)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages hurd)
   #:use-module (gnu packages multiprecision)
@@ -440,6 +441,9 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                                                    "^gnu-user.*\\.h$"))
                       ((" -lgcc_s}}") "}}"))
                     #t)))))))
+     (inputs
+      `(("zlib:static" ,zlib "static")
+        ,@(package-inputs gcc)))
      (native-inputs
       (if (%current-target-system)
           `(;; When doing a Canadian cross, we need GMP/MPFR/MPC both
@@ -525,6 +529,10 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                   ;; Remove the 'debug' output (see above for the reason.)
                   (outputs (delete "debug" (package-outputs guile-2.2)))
 
+                  (inputs
+                   `(("libunistring:static" ,libunistring "static")
+                     ,@(package-inputs guile-2.2)))
+
                   (propagated-inputs
                    `(("bdw-gc" ,libgc)
                      ,@(alist-delete "bdw-gc"
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index 67a3062a5a..1212f32812 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -44,8 +44,22 @@
      ;; $libdir, which is not the case by default.  Work around it.
      '(#:configure-flags (list (string-append "LDFLAGS=-Wl,-rpath="
                                               (assoc-ref %outputs "out")
-                                              "/lib"))))
-    (outputs '("out" "debug"))
+                                              "/lib"))
+       #:phases (modify-phases %standard-phases
+                  (add-after 'install 'move-static-libraries
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((out (assoc-ref outputs "out"))
+                            (slib (string-append (assoc-ref outputs "static")
+                                                 "/lib")))
+                        (mkdir-p slib)
+                        (with-directory-excursion (string-append out "/lib")
+                          (for-each (lambda (ar)
+                                      (rename-file ar (string-append
+                                                       slib "/"
+                                                       (basename ar))))
+                                    (find-files "." "\\.a$")))
+                        #t))))))
+    (outputs '("out" "debug" "static"))
     (native-inputs `(("m4" ,m4)))
     (propagated-inputs `(("gmp" ,gmp)))
     (home-page "https://www.lysator.liu.se/~nisse/nettle/")
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 4b615b5d32..ae39870dd4 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -84,11 +84,9 @@
    (native-inputs `(("libtool" ,libtool)))
    (arguments
     `(#:tests? #f
+      #:configure-flags '("--disable-static")
       #:phases
       (modify-phases %standard-phases
-        (add-after 'configure 'provide-libtool
-          (lambda _ (copy-file (which "libtool") "libtool")
-            #t))
         (add-after 'install 'patch-sasl-path
           ;; Give -L arguments for cyrus-sasl to avoid propagation.
           (lambda* (#:key inputs outputs #:allow-other-keys)
diff --git a/gnu/packages/openstack.scm b/gnu/packages/openstack.scm
index 64e05c4b0e..c07f011c9d 100644
--- a/gnu/packages/openstack.scm
+++ b/gnu/packages/openstack.scm
@@ -182,7 +182,7 @@ guidelines}.")
        ("python-pbr" ,python-pbr)))
     (native-inputs
       `(("python-openstackdocstheme" ,python-openstackdocstheme)
-        ("python-sphinx" ,python-sphinx-1.6)
+        ("python-sphinx" ,python-sphinx)
         ("python-subunit" ,python-subunit)
         ("python-testrepository" ,python-testrepository)
         ("python-testtools" ,python-testtools)))
@@ -216,7 +216,7 @@ with mox as possible, but small enhancements have been made.")
      `(("python-dulwich" ,python-dulwich)
        ("python-pbr" ,python-pbr)))
     (native-inputs
-     `(("python-sphinx" ,python-sphinx-1.6)))
+     `(("python-sphinx" ,python-sphinx)))
     (home-page "https://docs.openstack.org/openstackdocstheme/latest/")
     (synopsis "OpenStack Docs Theme")
     (description
@@ -313,7 +313,7 @@ to docs.openstack.org and developer.openstack.org.")
        ("python-six" ,python-six)))
     (native-inputs
      `(("python-mock" ,python-mock)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-testrepository" ,python-testrepository)))
     (home-page "https://github.com/dreamhost/stevedore")
     (synopsis "Manage dynamic plugins for Python applications")
@@ -405,7 +405,7 @@ common features used in Tempest.")
        ("python-openstackdocstheme" ,python-openstackdocstheme)
        ("python-oslotest" ,python-oslotest)
        ("python-reno" ,python-reno)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-testrepository" ,python-testrepository)
        ("python-testscenarios" ,python-testscenarios)
        ("python-testtools" ,python-testtools)))
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 5edfb5dffb..06c344e7af 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -266,9 +266,7 @@
          ("sqlite" ,sqlite)
          ("libgcrypt" ,libgcrypt)
 
-         ;; Use 2.2.4 to avoid various thread-safety issues while building
-         ;; code in parallel.
-         ("guile" ,guile-2.2.4)
+         ("guile" ,guile-2.2)
 
          ;; Many tests rely on the 'guile-bootstrap' package, which is why we
          ;; have it here.
diff --git a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch b/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
deleted file mode 100644
index fbd596862b..0000000000
--- a/gnu/packages/patches/binutils-aarch64-symbol-relocation.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix a regression in Binutils 2.30 where some symbols are incorrectly assumed
-to be addresses:
-
-https://sourceware.org/bugzilla/show_bug.cgi?id=22764
-
-Patch taken from upstream (with ChangeLog entries and tests omitted):
-
-https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=279b2f94168ee91e02ccd070d27c983fc001fe12
-
-diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
-index af448f9..2737773 100644
---- a/bfd/elfnn-aarch64.c
-+++ b/bfd/elfnn-aarch64.c
-@@ -7189,10 +7189,19 @@ elfNN_aarch64_check_relocs (bfd *abfd, struct bfd_link_info *info,
- #if ARCH_SIZE == 64
- 	case BFD_RELOC_AARCH64_32:
- #endif
--	  if (bfd_link_pic (info)
--	      && (sec->flags & SEC_ALLOC) != 0
--	      && (sec->flags & SEC_READONLY) != 0)
-+	  if (bfd_link_pic (info) && (sec->flags & SEC_ALLOC) != 0)
- 	    {
-+	      if (h != NULL
-+		  /* This is an absolute symbol.  It represents a value instead
-+		     of an address.  */
-+		  && ((h->root.type == bfd_link_hash_defined
-+		       && bfd_is_abs_section (h->root.u.def.section))
-+		      /* This is an undefined symbol.  */
-+		      || h->root.type == bfd_link_hash_undefined))
-+		break;
-+
-+	      /* For local symbols, defined global symbols in a non-ABS section,
-+		 it is assumed that the value is an address.  */
- 	      int howto_index = bfd_r_type - BFD_RELOC_AARCH64_RELOC_START;
- 	      _bfd_error_handler
- 		/* xgettext:c-format */
diff --git a/gnu/packages/patches/cairo-setjmp-wrapper.patch b/gnu/packages/patches/cairo-setjmp-wrapper.patch
new file mode 100644
index 0000000000..bffac6e041
--- /dev/null
+++ b/gnu/packages/patches/cairo-setjmp-wrapper.patch
@@ -0,0 +1,78 @@
+Revert faulty commit to avoid undefined behaviour:
+https://bugs.freedesktop.org/show_bug.cgi?id=104325
+
+Taken from this upstream commit:
+https://cgit.freedesktop.org/cairo/commit/?h=1.14&id=2acc4382c54bd8239361ceed14423412a343d311
+
+diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
+index cb2e30c..5541bdc 100644
+--- a/src/cairo-bentley-ottmann-rectangular.c
++++ b/src/cairo-bentley-ottmann-rectangular.c
+@@ -593,12 +593,6 @@ sweep_line_insert (sweep_line_t	*sweep, rectangle_t *rectangle)
+     pqueue_push (sweep, rectangle);
+ }
+ 
+-static int
+-sweep_line_setjmp (sweep_line_t *sweep_line)
+-{
+-    return setjmp (sweep_line->unwind);
+-}
+-
+ static cairo_status_t
+ _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
+ 					       int			  num_rectangles,
+@@ -615,7 +609,7 @@ _cairo_bentley_ottmann_tessellate_rectangular (rectangle_t	**rectangles,
+ 		     rectangles, num_rectangles,
+ 		     fill_rule,
+ 		     do_traps, container);
+-    if ((status = sweep_line_setjmp (&sweep_line)))
++    if ((status = setjmp (sweep_line.unwind)))
+ 	return status;
+ 
+     rectangle = rectangle_pop_start (&sweep_line);
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index e64b14a..068617d 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -158,14 +158,6 @@ png_simple_warning_callback (png_structp png,
+      */
+ }
+ 
+-static int
+-png_setjmp (png_struct *png)
+-{
+-#ifdef PNG_SETJMP_SUPPORTED
+-    return setjmp (png_jmpbuf (png));
+-#endif
+-    return 0;
+-}
+ 
+ /* Starting with libpng-1.2.30, we must explicitly specify an output_flush_fn.
+  * Otherwise, we will segfault if we are writing to a stream. */
+@@ -237,8 +229,10 @@ write_png (cairo_surface_t	*surface,
+ 	goto BAIL4;
+     }
+ 
+-    if (png_setjmp (png))
++#ifdef PNG_SETJMP_SUPPORTED
++    if (setjmp (png_jmpbuf (png)))
+ 	goto BAIL4;
++#endif
+ 
+     png_set_write_fn (png, closure, write_func, png_simple_output_flush_fn);
+ 
+@@ -577,11 +571,12 @@ read_png (struct png_read_closure_t *png_closure)
+     png_set_read_fn (png, png_closure, stream_read_func);
+ 
+     status = CAIRO_STATUS_SUCCESS;
+-
+-    if (png_setjmp (png)) {
++#ifdef PNG_SETJMP_SUPPORTED
++    if (setjmp (png_jmpbuf (png))) {
+ 	surface = _cairo_surface_create_in_error (status);
+ 	goto BAIL;
+     }
++#endif
+ 
+     png_read_info (png, info);
+ 
diff --git a/gnu/packages/patches/doxygen-gcc-ice.patch b/gnu/packages/patches/doxygen-gcc-ice.patch
deleted file mode 100644
index fbfedcb7ab..0000000000
--- a/gnu/packages/patches/doxygen-gcc-ice.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.  It shows up
-only when doing native compiles on armhf-linux.
-
-Yes it's a terrible patch, but it does the job.
-
---- doxygen-1.8.13/qtools/qutfcodec.cpp	1970-01-01 01:00:00.000000000 +0100
-+++ doxygen-1.8.13/qtools/qutfcodec.cpp	2018-06-08 14:14:29.614009929 +0200
-@@ -189,7 +189,7 @@ int QUtf16Codec::heuristicContentMatch(c
- }
- 
- 
--
-+volatile const void *bomPointer = &QChar::byteOrderMark;
- 
- class QUtf16Encoder : public QTextEncoder {
-     bool headerdone;
-@@ -209,7 +209,7 @@ public:
- 	    headerdone = TRUE;
- 	    len_in_out = (1+uc.length())*(int)sizeof(QChar);
- 	    QCString d(len_in_out);
--	    memcpy(d.rawData(),&QChar::byteOrderMark,sizeof(QChar));
-+	    memcpy(d.rawData(),(void *)bomPointer,sizeof(QChar));
- 	    memcpy(d.rawData()+sizeof(QChar),uc.unicode(),uc.length()*sizeof(QChar));
- 	    return d;
- 	}
diff --git a/gnu/packages/patches/findutils-gnulib-libio.patch b/gnu/packages/patches/findutils-gnulib-libio.patch
new file mode 100644
index 0000000000..79f9fd914d
--- /dev/null
+++ b/gnu/packages/patches/findutils-gnulib-libio.patch
@@ -0,0 +1,114 @@
+Adjust to removal of libio interface in glibc 2.28.
+
+Based on this gnulib commit:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4af4a4a71827c0bc5e0ec67af23edef4f15cee8e
+
+diff --git a/gl/lib/fflush.c b/gl/lib/fflush.c
+index 5ae3e41..7a82470 100644
+--- a/gl/lib/fflush.c
++++ b/gl/lib/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp)
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+@@ -148,7 +148,7 @@ rpl_fflush (FILE *stream)
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+diff --git a/gl/lib/fpurge.c b/gl/lib/fpurge.c
+index f313b22..ecdf82d 100644
+--- a/gl/lib/fpurge.c
++++ b/gl/lib/fpurge.c
+@@ -62,7 +62,7 @@ fpurge (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+diff --git a/gl/lib/freadahead.c b/gl/lib/freadahead.c
+index 094daab..3f8101e 100644
+--- a/gl/lib/freadahead.c
++++ b/gl/lib/freadahead.c
+@@ -25,7 +25,7 @@
+ size_t
+ freadahead (FILE *fp)
+ {
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_write_ptr > fp->_IO_write_base)
+     return 0;
+   return (fp->_IO_read_end - fp->_IO_read_ptr)
+diff --git a/gl/lib/freading.c b/gl/lib/freading.c
+index 0512b19..8c48fe4 100644
+--- a/gl/lib/freading.c
++++ b/gl/lib/freading.c
+@@ -31,7 +31,7 @@ freading (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+diff --git a/gl/lib/fseeko.c b/gl/lib/fseeko.c
+index 1c65d2a..9026408 100644
+--- a/gl/lib/fseeko.c
++++ b/gl/lib/fseeko.c
+@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+diff --git a/gl/lib/stdio-impl.h b/gl/lib/stdio-impl.h
+index 502d891..ea38ee2 100644
+--- a/gl/lib/stdio-impl.h
++++ b/gl/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+ 
+ /* BSD stdio derived implementations.  */
+ 
diff --git a/gnu/packages/patches/findutils-makedev.patch b/gnu/packages/patches/findutils-makedev.patch
new file mode 100644
index 0000000000..2f16c625d8
--- /dev/null
+++ b/gnu/packages/patches/findutils-makedev.patch
@@ -0,0 +1,22 @@
+Include <sys/sysmacros.h> for "makedev".
+
+Taken from this gnulib commit:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4da63c5881f60f71999a943612da9112232b9161
+
+diff --git a/gl/lib/mountlist.c b/gl/lib/mountlist.c
+index bb4e4ee21..cf4020e2a 100644
+--- a/gl/lib/mountlist.c
++++ b/gl/lib/mountlist.c
+@@ -37,6 +37,12 @@
+ # include <sys/param.h>
+ #endif
+ 
++#if MAJOR_IN_MKDEV
++# include <sys/mkdev.h>
++#elif MAJOR_IN_SYSMACROS
++# include <sys/sysmacros.h>
++#endif
++
+ #if defined MOUNTED_GETFSSTAT   /* OSF_1 and Darwin1.3.x */
+ # if HAVE_SYS_UCRED_H
+ #  include <grp.h> /* needed on OSF V4.0 for definition of NGROUPS,
diff --git a/gnu/packages/patches/freetype-CVE-2018-6942.patch b/gnu/packages/patches/freetype-CVE-2018-6942.patch
deleted file mode 100644
index 680f357765..0000000000
--- a/gnu/packages/patches/freetype-CVE-2018-6942.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix CVE-2018-6942:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6942.html
-
-Copied from upstream (ChangeLog section removed):
-https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef
-
-diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
-index d855aaa..551f14a 100644
---- a/src/truetype/ttinterp.c
-+++ b/src/truetype/ttinterp.c
-@@ -7532,8 +7532,16 @@
-       return;
-     }
- 
--    for ( i = 0; i < num_axes; i++ )
--      args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
-+    if ( coords )
-+    {
-+      for ( i = 0; i < num_axes; i++ )
-+        args[i] = coords[i] >> 2; /* convert 16.16 to 2.14 format */
-+    }
-+    else
-+    {
-+      for ( i = 0; i < num_axes; i++ )
-+        args[i] = 0;
-+    }
-   }
- 
- 
diff --git a/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch b/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch
new file mode 100644
index 0000000000..795881ab9b
--- /dev/null
+++ b/gnu/packages/patches/gcc-4.9-libsanitizer-ustat.patch
@@ -0,0 +1,37 @@
+Remove use of deprecated ustat interface in glibc 2.28:
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85835
+
+Adapted to GCC 4 series from this upstream patch:
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=260684
+
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -81,7 +81,6 @@
+ #include <sys/statvfs.h>
+ #include <sys/timex.h>
+ #include <sys/user.h>
+-#include <sys/ustat.h>
+ #include <linux/cyclades.h>
+ #include <linux/if_eql.h>
+ #include <linux/if_plip.h>
+@@ -163,7 +162,19 @@
+   unsigned struct_old_utsname_sz = sizeof(struct old_utsname);
+   unsigned struct_oldold_utsname_sz = sizeof(struct oldold_utsname);
+   unsigned struct_itimerspec_sz = sizeof(struct itimerspec);
+-  unsigned struct_ustat_sz = sizeof(struct ustat);
++  // Use pre-computed size of struct ustat to avoid <sys/ustat.h> which
++  // has been removed from glibc 2.28.
++#if defined(__aarch64__) || defined(__s390x__) || defined (__mips64) \
++  || defined(__powerpc64__) || defined(__arch64__) || defined(__sparcv9) \
++  || defined(__x86_64__)
++#define SIZEOF_STRUCT_USTAT 32
++#elif defined(__arm__) || defined(__i386__) || defined(__mips__) \
++  || defined(__powerpc__) || defined(__s390__)
++#define SIZEOF_STRUCT_USTAT 20
++#else
++#error Unknown size of struct ustat
++#endif
++  unsigned struct_ustat_sz = SIZEOF_STRUCT_USTAT;
+ #endif // SANITIZER_LINUX
+ 
+ #if SANITIZER_LINUX && !SANITIZER_ANDROID
diff --git a/gnu/packages/patches/gcc-libsanitizer-ustat.patch b/gnu/packages/patches/gcc-libsanitizer-ustat.patch
new file mode 100644
index 0000000000..a4e0c6affa
--- /dev/null
+++ b/gnu/packages/patches/gcc-libsanitizer-ustat.patch
@@ -0,0 +1,41 @@
+Remove use of deprecated ustat interface in glibc 2.28:
+
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85835
+
+Taken from upstream:
+
+https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=260684
+
+diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 858bb2184505..de18e56d11cf 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -157,7 +157,6 @@ typedef struct user_fpregs elf_fpregset_t;
+ # include <sys/procfs.h>
+ #endif
+ #include <sys/user.h>
+-#include <sys/ustat.h>
+ #include <linux/cyclades.h>
+ #include <linux/if_eql.h>
+ #include <linux/if_plip.h>
+@@ -250,7 +249,19 @@ namespace __sanitizer {
+ #endif // SANITIZER_LINUX || SANITIZER_FREEBSD
+ 
+ #if SANITIZER_LINUX && !SANITIZER_ANDROID
+-  unsigned struct_ustat_sz = sizeof(struct ustat);
++  // Use pre-computed size of struct ustat to avoid <sys/ustat.h> which
++  // has been removed from glibc 2.28.
++#if defined(__aarch64__) || defined(__s390x__) || defined (__mips64) \
++  || defined(__powerpc64__) || defined(__arch64__) || defined(__sparcv9) \
++  || defined(__x86_64__)
++#define SIZEOF_STRUCT_USTAT 32
++#elif defined(__arm__) || defined(__i386__) || defined(__mips__) \
++  || defined(__powerpc__) || defined(__s390__)
++#define SIZEOF_STRUCT_USTAT 20
++#else
++#error Unknown size of struct ustat
++#endif
++  unsigned struct_ustat_sz = SIZEOF_STRUCT_USTAT;
+   unsigned struct_rlimit64_sz = sizeof(struct rlimit64);
+   unsigned struct_statvfs64_sz = sizeof(struct statvfs64);
+ #endif // SANITIZER_LINUX && !SANITIZER_ANDROID
diff --git a/gnu/packages/patches/gcc-strmov-store-file-names.patch b/gnu/packages/patches/gcc-strmov-store-file-names.patch
index 9f9162855d..7358de3326 100644
--- a/gnu/packages/patches/gcc-strmov-store-file-names.patch
+++ b/gnu/packages/patches/gcc-strmov-store-file-names.patch
@@ -15,7 +15,7 @@ and <https://bugs.gnu.org/30395>.
 
 --- gcc-5.3.0/gcc/builtins.c	2016-10-18 10:50:46.080616285 +0200
 +++ gcc-5.3.0/gcc/builtins.c	2016-11-09 15:26:43.693042737 +0100
-@@ -3192,6 +3192,54 @@ determine_block_size (tree len, rtx len_
+@@ -3192,6 +3192,58 @@ determine_block_size (tree len, rtx len_
  			  GET_MODE_MASK (GET_MODE (len_rtx)));
  }
  
@@ -35,9 +35,13 @@ and <https://bugs.gnu.org/30395>.
 +  if (TREE_CODE (str) == VAR_DECL
 +      && TREE_STATIC (str)
 +      && TREE_READONLY (str))
-+    /* STR may be a 'static const' variable whose initial value
-+       is a string constant.  See <https://bugs.gnu.org/30395>.  */
-+    str = DECL_INITIAL (str);
++    {
++      /* STR may be a 'static const' variable whose initial value
++         is a string constant.  See <https://bugs.gnu.org/30395>.  */
++      str = DECL_INITIAL (str);
++      if (str == NULL_TREE)
++        return false;
++    }
 +
 +  if (TREE_CODE (str) != STRING_CST)
 +    return false;
diff --git a/gnu/packages/patches/ghostscript-CVE-2018-10194.patch b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
new file mode 100644
index 0000000000..242e57c27c
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2018-10194.patch
@@ -0,0 +1,52 @@
+Fix CVE-2018-10194:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10194
+https://bugs.ghostscript.com/show_bug.cgi?id=699255
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
+
+From 39b1e54b2968620723bf32e96764c88797714879 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 18 Apr 2018 15:46:32 +0100
+Subject: [PATCH] pdfwrite - Guard against trying to output an infinite number
+
+Bug #699255 " Buffer overflow on pprintg1 due to mishandle postscript file data to pdf"
+
+The file uses an enormous parameter to xyxhow, causing an overflow in
+the calculation of text positioning (value > 1e39).
+
+Since this is basically a nonsense value, and PostScript only supports
+real values up to 1e38, this patch follows the same approach as for
+a degenerate CTM, and treats it as 0.
+
+Adobe Acrobat Distiller throws a limitcheck error, so we could do that
+instead if this approach proves to be a problem.
+---
+ devices/vector/gdevpdts.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdts.c b/devices/vector/gdevpdts.c
+index 848ad781f..172fe6bc3 100644
+--- a/devices/vector/gdevpdts.c
++++ b/devices/vector/gdevpdts.c
+@@ -103,9 +103,14 @@ append_text_move(pdf_text_state_t *pts, double dw)
+ static int
+ set_text_distance(gs_point *pdist, double dx, double dy, const gs_matrix *pmat)
+ {
+-    int code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++    int code;
+     double rounded;
+ 
++    if (dx > 1e38 || dy > 1e38)
++        code = gs_error_undefinedresult;
++    else
++        code = gs_distance_transform_inverse(dx, dy, pmat, pdist);
++
+     if (code == gs_error_undefinedresult) {
+         /* The CTM is degenerate.
+            Can't know the distance in user space.
+-- 
+2.18.0
+
diff --git a/gnu/packages/patches/glibc-2.28-git-fixes.patch b/gnu/packages/patches/glibc-2.28-git-fixes.patch
new file mode 100644
index 0000000000..7e370ef0b1
--- /dev/null
+++ b/gnu/packages/patches/glibc-2.28-git-fixes.patch
@@ -0,0 +1,248 @@
+This file contains fixes from the "release/2.28/master" branch:
+https://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.28/master
+
+Currently we have these commits (sans tests and ChangeLog updates):
+7f11842e7483da7aa9fa3031be122021978ef600
+726e1554ce4db5e35af41cb0110c54c5e1232054
+4b25485f03158959cff45379eecc1d73c7dcdd11
+d05b05d1570ba3ae354a2f5a3cfeefb373b09979
+bfcfa22589f2b4277a65e60c6b736b6bbfbd87d0
+2f498f3d140ab5152bd784df2be7af7d9c5e63ed
+
+diff --git a/htl/Versions b/htl/Versions
+index 6a63a1b8a1..c5a616da10 100644
+--- a/htl/Versions
++++ b/htl/Versions
+@@ -150,6 +150,8 @@ libpthread {
+     __cthread_keycreate;
+     __cthread_getspecific;
+     __cthread_setspecific;
++    __pthread_getspecific;
++    __pthread_setspecific;
+     __pthread_getattr_np;
+     __pthread_attr_getstack;
+   }
+
+diff --git a/sysdeps/htl/pt-getspecific.c b/sysdeps/htl/pt-getspecific.c
+index a0227a67f6..64ddf9551a 100644
+--- a/sysdeps/htl/pt-getspecific.c
++++ b/sysdeps/htl/pt-getspecific.c
+@@ -36,3 +36,4 @@ __pthread_getspecific (pthread_key_t key)
+   return self->thread_specifics[key];
+ }
+ strong_alias (__pthread_getspecific, pthread_getspecific);
++hidden_def (__pthread_getspecific)
+diff --git a/sysdeps/htl/pt-setspecific.c b/sysdeps/htl/pt-setspecific.c
+index a46a12f157..02aff417ef 100644
+--- a/sysdeps/htl/pt-setspecific.c
++++ b/sysdeps/htl/pt-setspecific.c
+@@ -48,3 +48,4 @@ __pthread_setspecific (pthread_key_t key, const void *value)
+   return 0;
+ }
+ strong_alias (__pthread_setspecific, pthread_setspecific);
++hidden_def (__pthread_setspecific)
+diff --git a/sysdeps/htl/pthreadP.h b/sysdeps/htl/pthreadP.h
+index 132ac1718e..71c2fcd9c6 100644
+--- a/sysdeps/htl/pthreadP.h
++++ b/sysdeps/htl/pthreadP.h
+@@ -68,6 +68,8 @@ struct __pthread_cancelation_handler **___pthread_get_cleanup_stack (void) attri
+ 
+ #if IS_IN (libpthread)
+ hidden_proto (__pthread_key_create)
++hidden_proto (__pthread_getspecific)
++hidden_proto (__pthread_setspecific)
+ hidden_proto (_pthread_mutex_init)
+ #endif
+ 
+diff --git a/sysdeps/unix/sysv/linux/getdents64.c b/sysdeps/unix/sysv/linux/getdents64.c
+index 3bde0cf4f0..bc140b5a7f 100644
+--- a/sysdeps/unix/sysv/linux/getdents64.c
++++ b/sysdeps/unix/sysv/linux/getdents64.c
+@@ -33,41 +33,80 @@ strong_alias (__getdents64, __getdents)
+ # include <shlib-compat.h>
+ 
+ # if SHLIB_COMPAT(libc, GLIBC_2_1, GLIBC_2_2)
+-# include <olddirent.h>
++#  include <olddirent.h>
++#  include <unistd.h>
+ 
+-/* kernel definition of as of 3.2.  */
+-struct compat_linux_dirent
++static ssize_t
++handle_overflow (int fd, __off64_t offset, ssize_t count)
+ {
+-  /* Both d_ino and d_off are compat_ulong_t which are defined in all
+-     architectures as 'u32'.  */
+-  uint32_t        d_ino;
+-  uint32_t        d_off;
+-  unsigned short  d_reclen;
+-  char            d_name[1];
+-};
++  /* If this is the first entry in the buffer, we can report the
++     error.  */
++  if (count == 0)
++    {
++      __set_errno (EOVERFLOW);
++      return -1;
++    }
++
++  /* Otherwise, seek to the overflowing entry, so that the next call
++     will report the error, and return the data read so far..  */
++  if (__lseek64 (fd, offset, SEEK_SET) != 0)
++    return -1;
++  return count;
++}
+ 
+ ssize_t
+ __old_getdents64 (int fd, char *buf, size_t nbytes)
+ {
+-  ssize_t retval = INLINE_SYSCALL_CALL (getdents, fd, buf, nbytes);
++  /* We do not move the individual directory entries.  This is only
++     possible if the target type (struct __old_dirent64) is smaller
++     than the source type.  */
++  _Static_assert (offsetof (struct __old_dirent64, d_name)
++		  <= offsetof (struct dirent64, d_name),
++		  "__old_dirent64 is larger than dirent64");
++  _Static_assert (__alignof__ (struct __old_dirent64)
++		  <= __alignof__ (struct dirent64),
++		  "alignment of __old_dirent64 is larger than dirent64");
+ 
+-  /* The kernel added the d_type value after the name.  Change this now.  */
+-  if (retval != -1)
++  ssize_t retval = INLINE_SYSCALL_CALL (getdents64, fd, buf, nbytes);
++  if (retval > 0)
+     {
+-      union
+-      {
+-	struct compat_linux_dirent k;
+-	struct dirent u;
+-      } *kbuf = (void *) buf;
+-
+-      while ((char *) kbuf < buf + retval)
++      char *p = buf;
++      char *end = buf + retval;
++      while (p < end)
+ 	{
+-	  char d_type = *((char *) kbuf + kbuf->k.d_reclen - 1);
+-	  memmove (kbuf->u.d_name, kbuf->k.d_name,
+-		   strlen (kbuf->k.d_name) + 1);
+-	  kbuf->u.d_type = d_type;
++	  struct dirent64 *source = (struct dirent64 *) p;
++
++	  /* Copy out the fixed-size data.  */
++	  __ino_t ino = source->d_ino;
++	  __off64_t offset = source->d_off;
++	  unsigned int reclen = source->d_reclen;
++	  unsigned char type = source->d_type;
++
++	  /* Check for ino_t overflow.  */
++	  if (__glibc_unlikely (ino != source->d_ino))
++	    return handle_overflow (fd, offset, p - buf);
++
++	  /* Convert to the target layout.  Use a separate struct and
++	     memcpy to side-step aliasing issues.  */
++	  struct __old_dirent64 result;
++	  result.d_ino = ino;
++	  result.d_off = offset;
++	  result.d_reclen = reclen;
++	  result.d_type = type;
++
++	  /* Write the fixed-sized part of the result to the
++	     buffer.  */
++	  size_t result_name_offset = offsetof (struct __old_dirent64, d_name);
++	  memcpy (p, &result, result_name_offset);
++
++	  /* Adjust the position of the name if necessary.  Copy
++	     everything until the end of the record, including the
++	     terminating NUL byte.  */
++	  if (result_name_offset != offsetof (struct dirent64, d_name))
++	    memmove (p + result_name_offset, source->d_name,
++		     reclen - offsetof (struct dirent64, d_name));
+ 
+-	  kbuf = (void *) ((char *) kbuf + kbuf->k.d_reclen);
++	  p += reclen;
+ 	}
+      }
+   return retval;
+
+diff --git a/misc/error.c b/misc/error.c
+index b4e8b6c938..03378e2f2a 100644
+--- a/misc/error.c
++++ b/misc/error.c
+@@ -319,6 +319,7 @@ error (int status, int errnum, const char *message, ...)
+ 
+   va_start (args, message);
+   error_tail (status, errnum, message, args);
++  va_end (args);
+ 
+ #ifdef _LIBC
+   _IO_funlockfile (stderr);
+@@ -390,6 +391,7 @@ error_at_line (int status, int errnum, const char *file_name,
+ 
+   va_start (args, message);
+   error_tail (status, errnum, message, args);
++  va_end (args);
+ 
+ #ifdef _LIBC
+   _IO_funlockfile (stderr);
+
+diff --git a/nscd/nscd_conf.c b/nscd/nscd_conf.c
+index 265a02434d..7293b795b6 100644
+--- a/nscd/nscd_conf.c
++++ b/nscd/nscd_conf.c
+@@ -190,7 +190,10 @@ nscd_parse_file (const char *fname, struct database_dyn dbs[lastdb])
+ 	  if (!arg1)
+ 	    error (0, 0, _("Must specify user name for server-user option"));
+ 	  else
+-	    server_user = xstrdup (arg1);
++	    {
++	      free ((char *) server_user);
++	      server_user = xstrdup (arg1);
++	    }
+ 	}
+       else if (strcmp (entry, "stat-user") == 0)
+ 	{
+@@ -198,6 +201,7 @@ nscd_parse_file (const char *fname, struct database_dyn dbs[lastdb])
+ 	    error (0, 0, _("Must specify user name for stat-user option"));
+ 	  else
+ 	    {
++	      free ((char *) stat_user);
+ 	      stat_user = xstrdup (arg1);
+ 
+ 	      struct passwd *pw = getpwnam (stat_user);
+
+diff --git a/nss/nss_files/files-alias.c b/nss/nss_files/files-alias.c
+index cfd34b66b9..35b0bfc5d2 100644
+--- a/nss/nss_files/files-alias.c
++++ b/nss/nss_files/files-alias.c
+@@ -221,6 +221,13 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 			{
+ 			  while (! feof_unlocked (listfile))
+ 			    {
++			      if (room_left < 2)
++				{
++				  free (old_line);
++				  fclose (listfile);
++				  goto no_more_room;
++				}
++
+ 			      first_unused[room_left - 1] = '\xff';
+ 			      line = fgets_unlocked (first_unused, room_left,
+ 						     listfile);
+@@ -229,6 +236,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 			      if (first_unused[room_left - 1] != '\xff')
+ 				{
+ 				  free (old_line);
++				  fclose (listfile);
+ 				  goto no_more_room;
+ 				}
+ 
+@@ -256,6 +264,7 @@ get_next_alias (FILE *stream, const char *match, struct aliasent *result,
+ 						       + __alignof__ (char *)))
+ 					{
+ 					  free (old_line);
++					  fclose (listfile);
+ 					  goto no_more_room;
+ 					}
+ 				      room_left -= ((first_unused - cp)
+
diff --git a/gnu/packages/patches/grub-binutils-compat.patch b/gnu/packages/patches/grub-binutils-compat.patch
new file mode 100644
index 0000000000..2107869314
--- /dev/null
+++ b/gnu/packages/patches/grub-binutils-compat.patch
@@ -0,0 +1,53 @@
+Fix a relocation issue that shows up with recent binutils.
+
+Patch taken from upstream:
+https://git.sv.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa36700324cd3bde25875
+
+diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c
+index e49d0b6..18facf4 100644
+--- a/grub-core/efiemu/i386/loadcore64.c
++++ b/grub-core/efiemu/i386/loadcore64.c
+@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs,
+ 		    break;
+ 
+ 		  case R_X86_64_PC32:
++		  case R_X86_64_PLT32:
+ 		    err = grub_efiemu_write_value (addr,
+ 						   *addr32 + rel->r_addend
+ 						   + sym.off
+diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
+index 4406906..3a73e6e 100644
+--- a/grub-core/kern/x86_64/dl.c
++++ b/grub-core/kern/x86_64/dl.c
+@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ 	  break;
+ 
+ 	case R_X86_64_PC32:
++	case R_X86_64_PLT32:
+ 	  {
+ 	    grub_int64_t value;
+ 	    value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value -
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index a2bb054..39d7efb 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -841,6 +841,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ 		  break;
+ 
+ 		case R_X86_64_PC32:
++		case R_X86_64_PLT32:
+ 		  {
+ 		    grub_uint32_t *t32 = (grub_uint32_t *) target;
+ 		    *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32)
+diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c
+index 9179285..a79271f 100644
+--- a/util/grub-module-verifier.c
++++ b/util/grub-module-verifier.c
+@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = {
+       -1
+     }, (int[]){
+       R_X86_64_PC32,
++      R_X86_64_PLT32,
+       -1
+     }
+   },
diff --git a/gnu/packages/patches/jemalloc-arm-address-bits.patch b/gnu/packages/patches/jemalloc-arm-address-bits.patch
deleted file mode 100644
index f2ef24c25a..0000000000
--- a/gnu/packages/patches/jemalloc-arm-address-bits.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 8cfc9dec37b312a2686f602bbcdd102ca07cca99 Mon Sep 17 00:00:00 2001
-From: David Goldblatt <davidgoldblatt@fb.com>
-Date: Fri, 29 Sep 2017 13:54:08 -0700
-Subject: [PATCH] ARM: Don't extend bit LG_VADDR to compute high address bits.
-
-In userspace ARM on Linux, zero-ing the high bits is the correct way to do this.
-This doesn't fix the fact that we currently set LG_VADDR to 48 on ARM, when in
-fact larger virtual address sizes are coming soon.  We'll cross that bridge when
-we come to it.
----
- include/jemalloc/internal/rtree.h | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/include/jemalloc/internal/rtree.h b/include/jemalloc/internal/rtree.h
-index b5d4db39..4563db23 100644
---- a/include/jemalloc/internal/rtree.h
-+++ b/include/jemalloc/internal/rtree.h
-@@ -178,9 +178,21 @@ rtree_leaf_elm_bits_read(tsdn_t *tsdn, rtree_t *rtree, rtree_leaf_elm_t *elm,
- 
- JEMALLOC_ALWAYS_INLINE extent_t *
- rtree_leaf_elm_bits_extent_get(uintptr_t bits) {
-+#    ifdef __aarch64__
-+	/*
-+	 * aarch64 doesn't sign extend the highest virtual address bit to set
-+	 * the higher ones.  Instead, the high bits gets zeroed.
-+	 */
-+	uintptr_t high_bit_mask = ((uintptr_t)1 << LG_VADDR) - 1;
-+	/* Mask off the slab bit. */
-+	uintptr_t low_bit_mask = ~(uintptr_t)1;
-+	uintptr_t mask = high_bit_mask & low_bit_mask;
-+	return (extent_t *)(bits & mask);
-+#    else
- 	/* Restore sign-extended high bits, mask slab bit. */
- 	return (extent_t *)((uintptr_t)((intptr_t)(bits << RTREE_NHIB) >>
- 	    RTREE_NHIB) & ~((uintptr_t)0x1));
-+#    endif
- }
- 
- JEMALLOC_ALWAYS_INLINE szind_t
diff --git a/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch b/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch
new file mode 100644
index 0000000000..3056f0baad
--- /dev/null
+++ b/gnu/packages/patches/libgcrypt-make-yat2m-reproducible.patch
@@ -0,0 +1,32 @@
+Make yat2m in libgcrypt respect SOURCE_DATE_EPOCH, making
+the build reproducible.
+
+This was already fixed upstream in GnuPG:
+https://dev.gnupg.org/rG139de02b93773615bdd95e04a7f0c1ad73b4f6fb
+
+and in libgpg-error:
+https://dev.gnupg.org/rE5494a5728418938d2e42158bb646b07124184e64
+
+
+--- a/doc/yat2m.c 2017-11-23 19:16:58.000000000 +0100
++++ b/doc/yat2m.c 2017-08-28 12:22:54.000000000 +0200
+@@ -1475,6 +1484,7 @@
+ main (int argc, char **argv)
+ {
+   int last_argc = -1;
++  const char *s;
+ 
+   opt_source = "GNU";
+   opt_release = "";
+@@ -1608,6 +1618,11 @@
+   if (argc > 1)
+     die ("usage: " PGM " [OPTION] [FILE] (try --help for more information)\n");
+ 
++  /* Take care of supplied timestamp for reproducible builds.  See
++   * https://reproducible-builds.org/specs/source-date-epoch/  */
++  if (!opt_date && (s = getenv ("SOURCE_DATE_EPOCH")) && *s)
++    opt_date = s;
++
+   /* Start processing. */
+   if (argc && strcmp (*argv, "-"))
+     {
diff --git a/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch b/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch
deleted file mode 100644
index d848d639b2..0000000000
--- a/gnu/packages/patches/libgpg-error-aarch64-logging-fix.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=patch;h=791177de023574223eddf7288eb7c5a0721ac623
-
-From 791177de023574223eddf7288eb7c5a0721ac623 Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Sun, 18 Mar 2018 17:39:43 +0100
-Subject: [PATCH] core: Fix regression on arm64 due to invalid use of va_list.
-
-* src/logging.c (_gpgrt_log_printhex): Provide a dummy arg instead of
-NULL.
---
-
-Fix
-Suggested-by: Jakub Wilk <jwilk@jwilk.net>
-
-Signed-off-by: Werner Koch <wk@gnupg.org>
----
- src/logging.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/src/logging.c b/src/logging.c
-index 1a4f620..d01f974 100644
---- a/src/logging.c
-+++ b/src/logging.c
-@@ -1090,9 +1090,10 @@ _gpgrt_log_flush (void)
- 
- 
- /* Print a hexdump of (BUFFER,LENGTH).  With FMT passed as NULL print
-- * just the raw dump, with FMT being an empty string, print a trailing
-- * linefeed, otherwise print an entire debug line with the expanded
-- * FMT followed by a possible wrapped hexdump and a final LF.  */
-+ * just the raw dump (in this case ARG_PTR is not used), with FMT
-+ * being an empty string, print a trailing linefeed, otherwise print
-+ * an entire debug line with the expanded FMT followed by a possible
-+ * wrapped hexdump and a final LF.  */
- void
- _gpgrt_logv_printhex (const void *buffer, size_t length,
-                       const char *fmt, va_list arg_ptr)
-@@ -1150,7 +1151,16 @@ _gpgrt_log_printhex (const void *buffer, size_t length,
-       va_end (arg_ptr);
-     }
-   else
--    _gpgrt_logv_printhex (buffer, length, NULL, NULL);
-+    {
-+      /* va_list is not necessary a pointer and thus we can't use NULL
-+       * because that would conflict with platforms using a straight
-+       * struct for it (e.g. arm64).  We use a dummy variable instead;
-+       * the static is a simple way zero it out so to not get
-+       * complains about uninitialized use.  */
-+      static va_list dummy_argptr;
-+
-+      _gpgrt_logv_printhex (buffer, length, NULL, dummy_argptr);
-+    }
- }
- 
- 
--- 
-2.8.0.rc3
-
diff --git a/gnu/packages/patches/m4-gnulib-libio.patch b/gnu/packages/patches/m4-gnulib-libio.patch
new file mode 100644
index 0000000000..a26622ccf3
--- /dev/null
+++ b/gnu/packages/patches/m4-gnulib-libio.patch
@@ -0,0 +1,128 @@
+Adjust the bundled gnulib to cope with removal of libio interface in
+glibc 2.28.
+
+Based on this upstream patch, without hunks that do not apply to m4:
+https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=4af4a4a71827c0bc5e0ec67af23edef4f15cee8e
+
+diff --git a/lib/fflush.c b/lib/fflush.c
+index 983ade0..a6edfa1 100644
+--- a/lib/fflush.c
++++ b/lib/fflush.c
+@@ -33,7 +33,7 @@
+ #undef fflush
+ 
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+ /* Clear the stream's ungetc buffer, preserving the value of ftello (fp).  */
+ static void
+@@ -72,7 +72,7 @@ clear_ungetc_buffer (FILE *fp)
+ 
+ #endif
+ 
+-#if ! (defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
++#if ! (defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */)
+ 
+ # if (defined __sferror || defined __DragonFly__ || defined __ANDROID__) && defined __SNPT
+ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+@@ -148,7 +148,7 @@ rpl_fflush (FILE *stream)
+   if (stream == NULL || ! freading (stream))
+     return fflush (stream);
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+ 
+   clear_ungetc_buffer_preserving_position (stream);
+ 
+diff --git a/lib/fpending.c b/lib/fpending.c
+index c84e3a5..789f50e 100644
+--- a/lib/fpending.c
++++ b/lib/fpending.c
+@@ -32,7 +32,7 @@ __fpending (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return fp->_IO_write_ptr - fp->_IO_write_base;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+   /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+diff --git a/lib/fpurge.c b/lib/fpurge.c
+index b1d417c..3aedcc3 100644
+--- a/lib/fpurge.c
++++ b/lib/fpurge.c
+@@ -62,7 +62,7 @@ fpurge (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   fp->_IO_read_end = fp->_IO_read_ptr;
+   fp->_IO_write_ptr = fp->_IO_write_base;
+   /* Avoid memory leak when there is an active ungetc buffer.  */
+diff --git a/lib/freadahead.c b/lib/freadahead.c
+index c2ecb5b..23ec76e 100644
+--- a/lib/freadahead.c
++++ b/lib/freadahead.c
+@@ -30,7 +30,7 @@ extern size_t __sreadahead (FILE *);
+ size_t
+ freadahead (FILE *fp)
+ {
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_write_ptr > fp->_IO_write_base)
+     return 0;
+   return (fp->_IO_read_end - fp->_IO_read_ptr)
+diff --git a/lib/freading.c b/lib/freading.c
+index 73c28ac..c24d0c8 100644
+--- a/lib/freading.c
++++ b/lib/freading.c
+@@ -31,7 +31,7 @@ freading (FILE *fp)
+   /* Most systems provide FILE as a struct and the necessary bitmask in
+      <stdio.h>, because they need it for implementing getc() and putc() as
+      fast macros.  */
+-# if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++# if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   return ((fp->_flags & _IO_NO_WRITES) != 0
+           || ((fp->_flags & (_IO_NO_READS | _IO_CURRENTLY_PUTTING)) == 0
+               && fp->_IO_read_base != NULL));
+diff --git a/lib/fseeko.c b/lib/fseeko.c
+index 0101ab5..193f4e8 100644
+--- a/lib/fseeko.c
++++ b/lib/fseeko.c
+@@ -47,7 +47,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+@@ -123,7 +123,7 @@ fseeko (FILE *fp, off_t offset, int whence)
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+diff --git a/lib/stdio-impl.h b/lib/stdio-impl.h
+index 78d896e..05c5752 100644
+--- a/lib/stdio-impl.h
++++ b/lib/stdio-impl.h
+@@ -18,6 +18,12 @@
+    the same implementation of stdio extension API, except that some fields
+    have different naming conventions, or their access requires some casts.  */
+ 
++/* Glibc 2.28 made _IO_IN_BACKUP private.  For now, work around this
++   problem by defining it ourselves.  FIXME: Do not rely on glibc
++   internals.  */
++#if !defined _IO_IN_BACKUP && defined _IO_EOF_SEEN
++# define _IO_IN_BACKUP 0x100
++#endif
+ 
+ /* BSD stdio derived implementations.  */
+ 
diff --git a/gnu/packages/patches/mariadb-gcc-ice.patch b/gnu/packages/patches/mariadb-gcc-ice.patch
deleted file mode 100644
index 59b188f45a..0000000000
--- a/gnu/packages/patches/mariadb-gcc-ice.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.  It shows up
-only when doing native compiles on armhf-linux.
-
---- mariadb-10.1.33/plugin/semisync/semisync_master.cc	2018-07-28 02:13:12.604020250 +0200
-+++ mariadb-10.1.33/plugin/semisync/semisync_master.cc	2018-07-28 02:14:11.907753417 +0200
-@@ -847,6 +847,8 @@
-   return function_exit(kWho, 0);
- }
- 
-+volatile const void *kSyncHeaderPtr = &ReplSemiSyncMaster::kSyncHeader;
-+
- int ReplSemiSyncMaster::reserveSyncHeader(unsigned char *header,
- 					  unsigned long size)
- {
-@@ -873,7 +875,7 @@
-     /* Set the magic number and the sync status.  By default, no sync
-      * is required.
-      */
--    memcpy(header, kSyncHeader, sizeof(kSyncHeader));
-+    memcpy(header, (void *)kSyncHeaderPtr, sizeof(kSyncHeader));
-     hlen= sizeof(kSyncHeader);
-   }
-   return function_exit(kWho, hlen);
-
diff --git a/gnu/packages/patches/meson-for-build-rpath.patch b/gnu/packages/patches/meson-for-build-rpath.patch
index 59249e294d..ef9a73f07c 100644
--- a/gnu/packages/patches/meson-for-build-rpath.patch
+++ b/gnu/packages/patches/meson-for-build-rpath.patch
@@ -2,10 +2,10 @@ This patch removes a part of meson that clears the rpath upon installation.
 This will only be applied to a special version of meson, used for the
 meson-build-system.
 
-Patch by Peter Mikkelsen <petermikkelsen10@gmail.com>
+Original patch for Meson 0.42.0 by Peter Mikkelsen <petermikkelsen10@gmail.com>
 
---- meson-0.42.0/mesonbuild/minstall.py.orig	2017-09-09 01:49:39.147374148 +0200
-+++ meson-0.42.0/mesonbuild/minstall.py	2017-09-09 01:51:01.209134717 +0200
+--- meson-0.47.1/mesonbuild/minstall.py.old	2018-08-10 11:01:27.812327013 +0200
++++ meson-0.47.1/mesonbuild/minstall.py	2018-08-10 11:01:51.940368505 +0200
 @@ -436,15 +436,6 @@
                          print("Symlink creation does not work on this platform. "
                                "Skipping all symlinking.")
diff --git a/gnu/packages/patches/parted-glibc-compat.patch b/gnu/packages/patches/parted-glibc-compat.patch
new file mode 100644
index 0000000000..edf4afb0d1
--- /dev/null
+++ b/gnu/packages/patches/parted-glibc-compat.patch
@@ -0,0 +1,17 @@
+Include <sys/sysmacros.h> for "major" and "minor".
+
+Taken from upstream:
+https://git.savannah.gnu.org/cgit/parted.git/commit/?id=ba5e0451b51c983e40afd123b6e0d3eddb55e610
+
+diff --git a/libparted/arch/linux.c b/libparted/arch/linux.c
+index 31b98ab..7e86b51 100644
+--- a/libparted/arch/linux.c
++++ b/libparted/arch/linux.c
+@@ -41,6 +41,7 @@
+ #include <sys/utsname.h>        /* for uname() */
+ #include <scsi/scsi.h>
+ #include <assert.h>
++#include <sys/sysmacros.h>
+ #ifdef ENABLE_DEVICE_MAPPER
+ #include <libdevmapper.h>
+ #endif
diff --git a/gnu/packages/patches/perf-gcc-ice.patch b/gnu/packages/patches/perf-gcc-ice.patch
deleted file mode 100644
index 58ab5359c2..0000000000
--- a/gnu/packages/patches/perf-gcc-ice.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Work around this GCC ICE: <https://bugs.gnu.org/31708>.
-
---- linux-4.16.13/tools/perf/util/header.c	2018-06-04 11:30:39.368146035 +0200
-+++ linux-4.16.13/tools/perf/util/header.c	2018-06-04 11:34:04.667212378 +0200
-@@ -135,7 +135,7 @@ int do_write(struct feat_fd *ff, const v
- int write_padded(struct feat_fd *ff, const void *bf,
- 		 size_t count, size_t count_aligned)
- {
--	static const char zero_buf[NAME_ALIGN];
-+	static const char zero_buf[NAME_ALIGN] = { 0 };
- 	int err = do_write(ff, bf, count);
- 
- 	if (!err)
diff --git a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch b/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
deleted file mode 100644
index 6460cf5855..0000000000
--- a/gnu/packages/patches/perl-archive-tar-CVE-2018-12015.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Fix CVE-2018-12015:
-
-https://security-tracker.debian.org/tracker/CVE-2018-12015
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015
-https://rt.cpan.org/Ticket/Display.html?id=125523
-
-Patch taken from this upstream commit and adapted to apply to
-the bundled copy in the Perl distribution:
-
-https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5
-
-diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
-index 6244369..a83975f 100644
---- a/cpan/Archive-Tar/lib/Archive/Tar.pm
-+++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
-@@ -845,6 +845,20 @@ sub _extract_file {
-         return;
-     }
- 
-+    ### If a file system already contains a block device with the same name as
-+    ### the being extracted regular file, we would write the file's content
-+    ### to the block device. So remove the existing file (block device) now.
-+    ### If an archive contains multiple same-named entries, the last one
-+    ### should replace the previous ones. So remove the old file now.
-+    ### If the old entry is a symlink to a file outside of the CWD, the new
-+    ### entry would create a file there. This is CVE-2018-12015
-+    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
-+    if (-l $full || -e _) {
-+	if (!unlink $full) {
-+	    $self->_error( qq[Could not remove old file '$full': $!] );
-+	    return;
-+	}
-+    }
-     if( length $entry->type && $entry->is_file ) {
-         my $fh = IO::File->new;
-         $fh->open( $full, '>' ) or (
diff --git a/gnu/packages/patches/perl-deterministic-ordering.patch b/gnu/packages/patches/perl-deterministic-ordering.patch
index 92e33ef135..be63d5cde3 100644
--- a/gnu/packages/patches/perl-deterministic-ordering.patch
+++ b/gnu/packages/patches/perl-deterministic-ordering.patch
@@ -12,10 +12,10 @@ reproducibility.
  cpan/Devel-PPPort/PPPort_xs.PL | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/cpan/Devel-PPPort/PPPort_xs.PL b/cpan/Devel-PPPort/PPPort_xs.PL
+diff --git a/dist/Devel-PPPort/PPPort_xs.PL b/dist/Devel-PPPort/PPPort_xs.PL
 index 5f18940..149f2fe 100644
---- a/cpan/Devel-PPPort/PPPort_xs.PL
-+++ b/cpan/Devel-PPPort/PPPort_xs.PL
+--- a/dist/Devel-PPPort/PPPort_xs.PL
++++ b/dist/Devel-PPPort/PPPort_xs.PL
 @@ -38,7 +38,7 @@ END
  my $file;
  my $sec;
diff --git a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch b/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
deleted file mode 100644
index 28ab067599..0000000000
--- a/gnu/packages/patches/perl-file-path-CVE-2017-6512.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Fix CVE-2017-6512:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6512
-https://rt.cpan.org/Public/Bug/Display.html?id=121951
-
-Patch copied from Debian, adapted to apply to the copy of File::Path in Perl
-5.24.0.
-
-https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2
-https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
-
-From d760748be0efca7c05454440e24f3df77bf7cf5d Mon Sep 17 00:00:00 2001
-From: John Lightsey <john@nixnuts.net>
-Date: Tue, 2 May 2017 12:03:52 -0500
-Subject: Prevent directory chmod race attack.
-
-CVE-2017-6512 is a race condition attack where the chmod() of directories
-that cannot be entered is misused to change the permissions on other
-files or directories on the system. This has been corrected by limiting
-the directory-permission loosening logic to systems where fchmod() is
-supported.
-
-[Backported (whitespace adjustments) to File-Path 2.12 / perl 5.24 by
-Dominic Hargreaves for Debian.]
-
-Bug: https://rt.cpan.org/Public/Bug/Display.html?id=121951
-Bug-Debian: https://bugs.debian.org/863870
-Patch-Name: fixes/file_path_chmod_race.diff
----
- cpan/File-Path/lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
- cpan/File-Path/t/Path.t         | 40 ++++++++++++++++++++++++++--------------
- 2 files changed, 51 insertions(+), 28 deletions(-)
-
-diff --git a/cpan/File-Path/lib/File/Path.pm b/cpan/File-Path/lib/File/Path.pm
-index 034da1e..a824cc8 100644
---- a/cpan/File-Path/lib/File/Path.pm
-+++ b/cpan/File-Path/lib/File/Path.pm
-@@ -354,21 +354,32 @@ sub _rmtree {
- 
-                 # see if we can escalate privileges to get in
-                 # (e.g. funny protection mask such as -w- instead of rwx)
--                $perm &= oct '7777';
--                my $nperm = $perm | oct '700';
--                if (
--                    !(
--                           $arg->{safe}
--                        or $nperm == $perm
--                        or chmod( $nperm, $root )
--                    )
--                  )
--                {
--                    _error( $arg,
--                        "cannot make child directory read-write-exec", $canon );
--                    next ROOT_DIR;
-+                # This uses fchmod to avoid traversing outside of the proper
-+                # location (CVE-2017-6512)
-+                my $root_fh;
-+                if (open($root_fh, '<', $root)) {
-+                    my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
-+                    $perm &= oct '7777';
-+                    my $nperm = $perm | oct '700';
-+                    local $@;
-+                    if (
-+                        !(
-+                            $arg->{safe}
-+                           or $nperm == $perm
-+                           or !-d _
-+                           or $fh_dev ne $ldev
-+                           or $fh_inode ne $lino
-+                           or eval { chmod( $nperm, $root_fh ) }
-+                        )
-+                      )
-+                    {
-+                        _error( $arg,
-+                            "cannot make child directory read-write-exec", $canon );
-+                        next ROOT_DIR;
-+                    }
-+                    close $root_fh;
-                 }
--                elsif ( !chdir($root) ) {
-+                if ( !chdir($root) ) {
-                     _error( $arg, "cannot chdir to child", $canon );
-                     next ROOT_DIR;
-                 }
-diff --git a/cpan/File-Path/t/Path.t b/cpan/File-Path/t/Path.t
-index ff52fd6..956ca09 100644
---- a/cpan/File-Path/t/Path.t
-+++ b/cpan/File-Path/t/Path.t
-@@ -3,7 +3,7 @@
- 
- use strict;
- 
--use Test::More tests => 127;
-+use Test::More tests => 126;
- use Config;
- use Fcntl ':mode';
- use lib 't/';
-@@ -18,6 +18,13 @@ BEGIN {
- 
- my $Is_VMS = $^O eq 'VMS';
- 
-+my $fchmod_supported = 0;
-+if (open my $fh, curdir()) {
-+    my ($perm) = (stat($fh))[2];
-+    $perm &= 07777;
-+    eval { $fchmod_supported = chmod( $perm, $fh); };
-+}
-+
- # first check for stupid permissions second for full, so we clean up
- # behind ourselves
- for my $perm (0111,0777) {
-@@ -299,16 +306,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
- 
- is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
- 
--$dir = catdir($tmp_base,'G');
--$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-+SKIP: {
-+    skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
-+    $dir = catdir($tmp_base,'G');
-+    $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
- 
--@created = mkpath($dir, undef, 0200);
-+    @created = mkpath($dir, undef, 0400);
- 
--is(scalar(@created), 1, "created write-only dir");
-+    is(scalar(@created), 1, "created read-only dir");
- 
--is($created[0], $dir, "created write-only directory cross-check");
-+    is($created[0], $dir, "created read-only directory cross-check");
- 
--is(rmtree($dir), 1, "removed write-only dir");
-+    is(rmtree($dir), 1, "removed read-only dir");
-+}
- 
- # borderline new-style heuristics
- if (chdir $tmp_base) {
-@@ -450,26 +460,28 @@ SKIP: {
- }
- 
- SKIP : {
--    my $skip_count = 19;
-+    my $skip_count = 18;
-     # this test will fail on Windows, as per:
-     #   http://perldoc.perl.org/perlport.html#chmod
- 
-     skip "Windows chmod test skipped", $skip_count
-         if $^O eq 'MSWin32';
-+    skip "fchmod() on directories is not supported on this platform", $skip_count
-+        unless $fchmod_supported;
-     my $mode;
-     my $octal_mode;
-     my @inputs = (
--      0777, 0700, 0070, 0007,
--      0333, 0300, 0030, 0003,
--      0111, 0100, 0010, 0001,
--      0731, 0713, 0317, 0371, 0173, 0137,
--      00 );
-+      0777, 0700, 0470, 0407,
-+      0433, 0400, 0430, 0403,
-+      0111, 0100, 0110, 0101,
-+      0731, 0713, 0317, 0371,
-+      0173, 0137);
-     my $input;
-     my $octal_input;
--    $dir = catdir($tmp_base, 'chmod_test');
- 
-     foreach (@inputs) {
-         $input = $_;
-+        $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
-         # We can skip from here because 0 is last in the list.
-         skip "Mode of 0 means assume user defaults on VMS", 1
-           if ($input == 0 && $Is_VMS);
diff --git a/gnu/packages/patches/python-pillow-fix-failing-tests.patch b/gnu/packages/patches/python-pillow-fix-failing-tests.patch
deleted file mode 100644
index 2575d6f612..0000000000
--- a/gnu/packages/patches/python-pillow-fix-failing-tests.patch
+++ /dev/null
Binary files differdiff --git a/gnu/packages/patches/qtbase-glibc-compat.patch b/gnu/packages/patches/qtbase-glibc-compat.patch
new file mode 100644
index 0000000000..15a2540b3a
--- /dev/null
+++ b/gnu/packages/patches/qtbase-glibc-compat.patch
@@ -0,0 +1,50 @@
+Fix qmake build with glibc 2.28.
+
+Taken from upstream:
+https://code.qt.io/cgit/qt/qtbase.git/commit/?id=25feee4e061b99edab79503d81f5bd045c6c8e3d
+
+diff --git a/src/corelib/global/qconfig-bootstrapped.h b/src/corelib/global/qconfig-bootstrapped.h
+index 3469ebe5e6..c5585ea32a 100644
+--- a/src/corelib/global/qconfig-bootstrapped.h
++++ b/src/corelib/global/qconfig-bootstrapped.h
+@@ -98,10 +98,18 @@
+ #define QT_NO_QOBJECT
+ #define QT_FEATURE_process -1
+ #define QT_FEATURE_regularexpression -1
+-#define QT_FEATURE_renameat2 -1
++#ifdef __GLIBC_PREREQ
++# define QT_FEATURE_renameat2 (__GLIBC_PREREQ(2, 28) ? 1 : -1)
++#else
++# define QT_FEATURE_renameat2 -1
++#endif
+ #define QT_FEATURE_sharedmemory -1
+ #define QT_FEATURE_slog2 -1
+-#define QT_FEATURE_statx -1
++#ifdef __GLIBC_PREREQ
++# define QT_FEATURE_statx (__GLIBC_PREREQ(2, 28) ? 1 : -1)
++#else
++# define QT_FEATURE_statx -1
++#endif
+ #define QT_FEATURE_syslog -1
+ #define QT_NO_SYSTEMLOCALE
+ #define QT_FEATURE_systemsemaphore -1
+diff --git a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp
+index 0c9cdb8667..deb4a9f220 100644
+--- a/src/corelib/io/qfilesystemengine_unix.cpp
++++ b/src/corelib/io/qfilesystemengine_unix.cpp
+@@ -91,7 +91,6 @@ extern "C" NSString *NSTemporaryDirectory();
+ #  include <sys/syscall.h>
+ #  include <sys/sendfile.h>
+ #  include <linux/fs.h>
+-#  include <linux/stat.h>
+ 
+ // in case linux/fs.h is too old and doesn't define it:
+ #ifndef FICLONE
+@@ -112,6 +111,7 @@ static int renameat2(int oldfd, const char *oldpath, int newfd, const char *newp
+ #    endif
+ 
+ #    if !QT_CONFIG(statx) && defined(SYS_statx)
++#      include <linux/stat.h>
+ static int statx(int dirfd, const char *pathname, int flag, unsigned mask, struct statx *statxbuf)
+ { return syscall(SYS_statx, dirfd, pathname, flag, mask, statxbuf); }
+ #    elif !QT_CONFIG(statx) && !defined(SYS_statx)
diff --git a/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch b/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch
new file mode 100644
index 0000000000..561763dabe
--- /dev/null
+++ b/gnu/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch
@@ -0,0 +1,36 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Sun, 26 Aug 2018 17:24:42 +0200
+Subject: [PATCH] snappy: Add O2 flag in CmakeLists.txt.
+
+Use ‘-O2’ optimisation when building with CMake, as is already done when
+using the Makefile. This patch was copied verbatim from the Snappy
+mailing list[0].
+
+[0]: <snappy-compression@googlegroups.com>
+
+From 903c72fb29b2db07b4abc38a5feb83d88f739d80 Mon Sep 17 00:00:00 2001
+From: huangwenjun <huangwenjun-hf@loongson.cn>
+Date: Fri, 10 Aug 2018 17:17:35 +0800
+Subject: [PATCH] Add O2 optimize flag in CmakeLists.txt.
+
+---
+ CMakeLists.txt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 62ecd09..29e0cdc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -6,6 +6,9 @@ set(CMAKE_CXX_STANDARD 11)
+ set(CMAKE_CXX_STANDARD_REQUIRED ON)
+ set(CMAKE_CXX_EXTENSIONS OFF)
+ 
++SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O2")
++SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O2")
++
+ # BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to make
+ # it prominent in the GUI.
+ option(BUILD_SHARED_LIBS "Build shared libraries(DLLs)." OFF)
+-- 
+2.1.0
+
diff --git a/gnu/packages/patches/texinfo-5-perl-compat.patch b/gnu/packages/patches/texinfo-5-perl-compat.patch
new file mode 100644
index 0000000000..f16d6b4da8
--- /dev/null
+++ b/gnu/packages/patches/texinfo-5-perl-compat.patch
@@ -0,0 +1,19 @@
+Fix a deprecation warning with newer Perl that breaks some tests.
+
+--- a/tp/Texinfo/Parser.pm
++++ b/tp/Texinfo/Parser.pm
+@@ -5438,12 +5438,12 @@
+     }
+   } elsif ($command eq 'clickstyle') {
+     # REMACRO
+-    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*/) {
++    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*/) {
+       $args = ['@'.$1];
+       $self->{'clickstyle'} = $1
+         unless(_ignore_global_commands($self));
+       $remaining = $line;
+-      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
++      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
+       $has_comment = 1 if (defined($4));
+     } else {
+       $self->line_error (sprintf($self->__(
diff --git a/gnu/packages/patches/texinfo-perl-compat.patch b/gnu/packages/patches/texinfo-perl-compat.patch
new file mode 100644
index 0000000000..a7348fde0d
--- /dev/null
+++ b/gnu/packages/patches/texinfo-perl-compat.patch
@@ -0,0 +1,51 @@
+Fix compatibility with newer Perls.
+
+The first patch is taken from upstream:
+https://svn.savannah.gnu.org/viewvc/texinfo?view=revision&revision=8008
+
+The second gets rid of a deprecation warning that breaks some tests.
+Taken from Fedora: <https://bugzilla.redhat.com/show_bug.cgi?id=1590308>.
+
+--- trunk/tp/Texinfo/Convert/XSParagraph/xspara.c	2017/04/30 14:57:26	7765
++++ trunk/tp/Texinfo/Convert/XSParagraph/xspara.c	2018/07/13 15:39:29	8008
+@@ -248,6 +248,11 @@
+ 
+   dTHX;
+ 
++#if PERL_VERSION > 27 || (PERL_VERSION == 27 && PERL_SUBVERSION > 8)
++  /* needed due to thread-safe locale handling in newer perls */
++  switch_to_global_locale();
++#endif
++
+   if (setlocale (LC_CTYPE, "en_US.UTF-8")
+       || setlocale (LC_CTYPE, "en_US.utf8"))
+     goto success;
+@@ -320,6 +325,10 @@
+     {
+ success: ;
+       free (utf8_locale);
++#if PERL_VERSION > 27 || (PERL_VERSION == 27 && PERL_SUBVERSION > 8)
++      /* needed due to thread-safe locale handling in newer perls */
++      sync_locale();
++#endif
+       /*
+       fprintf (stderr, "tried to set LC_CTYPE to UTF-8.\n");
+       fprintf (stderr, "character encoding is: %s\n",
+
+diff -up texinfo-6.5/tp/Texinfo/Parser.pm.orig texinfo-6.5/tp/Texinfo/Parser.pm
+--- texinfo-6.5/tp/Texinfo/Parser.pm.orig	2018-06-12 13:40:29.356030136 +0200
++++ texinfo-6.5/tp/Texinfo/Parser.pm	2018-06-12 13:41:28.357725639 +0200
+@@ -5478,11 +5478,11 @@ sub _parse_special_misc_command($$$$)
+     }
+   } elsif ($command eq 'clickstyle') {
+     # REMACRO
+-    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*/) {
++    if ($line =~ /^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*/) {
+       $args = ['@'.$1];
+       $self->{'clickstyle'} = $1;
+       $remaining = $line;
+-      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)({})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
++      $remaining =~ s/^\s+@([[:alnum:]][[:alnum:]\-]*)(\{})?\s*(\@(c|comment)((\@|\s+).*)?)?//;
+       $has_comment = 1 if (defined($4));
+     } else {
+       $self->line_error (sprintf($self->__(
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 5719b7bb45..564a23d012 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -35,7 +35,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.41")
+   (version "8.42")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -46,11 +46,12 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))
+              "00ckpzlgyr16bnqx8fawa3afjgqxw5yxgs2l081vw23qi1y4pl1c"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
-              "doc"))         ;1.8 MiB of HTML
+              "doc"           ;1.8 MiB of HTML
+              "static"))      ;1.8 MiB static libraries
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)
              ("zlib" ,zlib)))
@@ -63,7 +64,19 @@
                           "--enable-unicode-properties"
                           "--enable-pcre16"
                           "--enable-pcre32"
-                          "--enable-jit")))
+                          "--enable-jit")
+      #:phases (modify-phases %standard-phases
+                 (add-after 'install 'move-static-libs
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((source (string-append (assoc-ref outputs "out") "/lib"))
+                           (static (string-append (assoc-ref outputs "static") "/lib")))
+                       (mkdir-p static)
+                       (for-each (lambda (lib)
+                                   (link lib (string-append static "/"
+                                                            (basename lib)))
+                                   (delete-file lib))
+                                 (find-files source "\\.a$"))
+                       #t))))))
    (synopsis "Perl Compatible Regular Expressions")
    (description
     "The PCRE library is a set of functions that implement regular expression
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 57a5e1c0ed..a28005a024 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -80,20 +80,20 @@
 (define-public poppler
   (package
    (name "poppler")
-   (version "0.63.0")
+   (version "0.68.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "04d1z1ygyb3llzc6s6c99wxafvljj2sc5b76djif34f7mzfqmk17"))))
+              "0n0f7mv24lzv9p3dlzakpdhqg7ygcvl6l40grcz95xldzgq083gr"))))
    (build-system cmake-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
    (inputs `(("fontconfig" ,fontconfig)
              ("freetype" ,freetype)
-             ("libjpeg" ,libjpeg)
+             ("libjpeg" ,libjpeg-turbo)
              ("libpng" ,libpng)
              ("libtiff" ,libtiff)
              ("lcms" ,lcms)
@@ -104,8 +104,12 @@
              ;; GLib.  But of course, that Cairo must not depend on Poppler.
              ("cairo" ,(package (inherit cairo)
                          (inputs (alist-delete "poppler"
-                                               (package-inputs cairo)))))
-             ("glib" ,glib)))
+                                               (package-inputs cairo)))))))
+   (propagated-inputs
+    ;; As per poppler-cairo and poppler-glib.pc.
+    ;; XXX: Ideally we'd propagate Cairo too, but that would require a
+    ;; different solution to the circular dependency mentioned above.
+    `(("glib" ,glib)))
    (native-inputs
       `(("pkg-config" ,pkg-config)
         ("glib" ,glib "bin")                      ; glib-mkenums, etc.
@@ -511,7 +515,7 @@ by using the poppler rendering engine.")
 
                      ;; For tests.
                      ("check" ,check)
-                     ("xorg-server" ,xorg-server-1.19.3)))
+                     ("xorg-server" ,xorg-server-for-tests)))
     (inputs `(("sqlite" ,sqlite)))
     ;; Listed in 'Requires.private' of 'zathura.pc'.
     (propagated-inputs `(("cairo" ,cairo)
@@ -644,14 +648,14 @@ line tools for batch rendering @command{pdfdraw}, rewriting files
 (define-public qpdf
   (package
    (name "qpdf")
-   (version "8.1.0")
+   (version "8.2.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://sourceforge/qpdf/qpdf/" version
                                 "/qpdf-" version ".tar.gz"))
             (sha256
              (base32
-              "1m3hcgip6bzjx4gd7wq1328p8zi3pq5savzncdyln6l0lcklh7vx"))
+              "1jdb0jj72fjdp6xip4m7yz31r5x13zs7h4smnxsycgw3vbmx6igl"))
             (modules '((guix build utils)))
             (snippet
              ;; Replace shebang with the bi-lingual shell/Perl trick to remove
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index c4c3b665db..4792b6fb49 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -45,7 +45,6 @@
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
-  #:use-module (guix utils) ;substitute-keyword-arguments for perl-5.26.2
   #:use-module (gnu packages base)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages freedesktop)
@@ -62,17 +61,15 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.26.1")
-    (replacement perl/fixed)
+    (version "5.28.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1p81wwvr5jb81m41d07kfywk5gvbk0axdrnvhc2aghcdbr4alqz7"))
+               "1a3f822lcl8dr8v0hk80yyhpzqlljg49z9flb48rs3nbsij9z4ky"))
              (patches (search-patches
-                       "perl-file-path-CVE-2017-6512.patch"
                        "perl-no-sys-dirs.patch"
                        "perl-autosplit-default-time.patch"
                        "perl-deterministic-ordering.patch"
@@ -163,41 +160,6 @@ more.")
     (home-page "http://www.perl.org/")
     (license gpl1+)))                          ; or "Artistic"
 
-;; Fixes CVE-2018-6797, CVE-2018-6798, and CVE-2018-6913.
-;; See <https://metacpan.org/changes/release/SHAY/perl-5.26.2>.
-(define perl-5.26.2
-  (package
-    (inherit perl)
-    (version "5.26.2")
-    (source (origin
-              (inherit (package-source perl))
-              (uri (string-append "mirror://cpan/src/5.0/perl-"
-                                  version ".tar.gz"))
-              (patches (append (origin-patches (package-source perl))
-                               (search-patches "perl-archive-tar-CVE-2018-12015.patch")))
-              (sha256
-               (base32
-                "03gpnxx1g6hvlh0v4aqx00580h787sfywp1vlvw64q2xcbm9qbsp"))))))
-
-;; When grafting perl, complications arise when the replacement perl has a
-;; different version number than the original.  So, here we create a version
-;; of perl-5.26.2 that thinks it is version 5.26.1.  See
-;; <https://bugs.gnu.org/31210> and <https://bugs.gnu.org/31216>.
-(define perl/fixed
-  (package
-    (inherit perl-5.26.2)
-    (version "5.26.1")
-    (arguments
-     (substitute-keyword-arguments (package-arguments perl-5.26.2)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'unpack 'revert-perl-subversion
-             (lambda _
-               (substitute* "patchlevel.h"
-                 (("^#define PERL_SUBVERSION	2")
-                  "#define PERL_SUBVERSION	1"))
-               #t))))))))
-
 (define-public perl-algorithm-c3
   (package
     (name "perl-algorithm-c3")
diff --git a/gnu/packages/python-crypto.scm b/gnu/packages/python-crypto.scm
index f612b99d01..176f044df1 100644
--- a/gnu/packages/python-crypto.scm
+++ b/gnu/packages/python-crypto.scm
@@ -340,13 +340,13 @@ password storage.")
 (define-public python-certifi
   (package
     (name "python-certifi")
-    (version "2017.1.23")
+    (version "2018.8.13")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "certifi" version))
               (sha256
                (base32
-                "1klrzl3hgvcf2mjk00g0k3kk1p2z27vzwnxivwar4vhjmjvpz1w1"))))
+                "1x7jy10rz3100g9iw7c2czcw2z4lqfaalsd8yg991l4d82hnh7ac"))))
     (build-system python-build-system)
     (home-page "https://certifi.io/")
     (synopsis "Python CA certificate bundle")
diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index fd76c0c60c..1230f70572 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -1286,14 +1286,14 @@ authenticated session objects providing things like keep-alive.")
 (define-public python-urllib3
   (package
     (name "python-urllib3")
-    (version "1.18.1")
+    (version "1.23")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "urllib3" version))
         (sha256
          (base32
-          "1wb8aqnq53vzh2amrv8kc66f3h6fx217y0q62y6n30a64p2yqmam"))))
+          "1bvbd35q3zdcd7gsv38fwpizy7p06dr0154g5gfybrvnbvhwb2m6"))))
     (build-system python-build-system)
     (arguments `(#:tests? #f))
     (native-inputs
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 8c7c9d3c33..56176529c9 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -146,7 +146,7 @@
 (define-public python-2.7
   (package
     (name "python2")
-    (version "2.7.14")
+    (version "2.7.15")
     (source
      (origin
       (method url-fetch)
@@ -154,7 +154,7 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "0rka541ys16jwzcnnvjp2v12m4cwgd2jp6wj4kj511p715pb5zvi"))
+        "0x2mvz9dp11wj7p5ccvmk9s0hzjk2fa1m462p395l4r6bfnb3n92"))
       (patches (search-patches "python-2.7-search-paths.patch"
                                "python-2-deterministic-build-info.patch"
                                "python-2.7-site-prefixes.patch"
@@ -179,23 +179,7 @@
                "tk"))                     ;tkinter; adds 50 MiB to the closure
     (build-system gnu-build-system)
     (arguments
-     `(;; 356 tests OK.
-       ;; 6 tests failed:
-       ;;     test_compileall test_distutils test_import test_shutil test_socket
-       ;;     test_subprocess
-       ;; 39 tests skipped:
-       ;;     test_aepack test_al test_applesingle test_bsddb test_bsddb185
-       ;;     test_bsddb3 test_cd test_cl test_codecmaps_cn test_codecmaps_hk
-       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
-       ;;     test_dl test_gdb test_gl test_imageop test_imgfile test_ioctl
-       ;;     test_kqueue test_linuxaudiodev test_macos test_macostools
-       ;;     test_msilib test_ossaudiodev test_scriptpackages test_smtpnet
-       ;;     test_socketserver test_startfile test_sunaudiodev test_timeout
-       ;;     test_tk test_ttk_guionly test_urllib2net test_urllibnet
-       ;;     test_winreg test_winsound test_zipfile64
-       ;; 4 skips unexpected on linux2:
-       ;;     test_bsddb test_bsddb3 test_gdb test_ioctl
-       #:test-target "test"
+     `(#:test-target "test"
        #:configure-flags
        (list "--enable-shared"                    ;allow embedding
              "--with-system-ffi"                  ;build ctypes
@@ -220,11 +204,6 @@
                                     "Lib/test/support/__init__.py"
                                     "Lib/test/test_subprocess.py"))
                (("/bin/sh") (which "sh")))
-
-             ;; Use zero as the timestamp in .pyc files so that builds are
-             ;; deterministic.  TODO: Remove it when this variable is set in
-             ;; gnu-build-system.scm.
-             (setenv "SOURCE_DATE_EPOCH" "1")
              #t))
           (add-before 'configure 'do-not-record-configure-flags
             (lambda* (#:key configure-flags #:allow-other-keys)
@@ -282,15 +261,6 @@
                                                               file))))))
                        (call-with-output-file "__init__.py" (const #t))
                        #t)))))))
-          (add-before 'strip 'make-libraries-writable
-            (lambda* (#:key outputs #:allow-other-keys)
-              ;; Make .so files writable so they can be stripped.
-              (let ((out (assoc-ref outputs "out")))
-                (for-each (lambda (file)
-                            (chmod file #o755))
-                          (find-files (string-append out "/lib")
-                                      "\\.so"))
-                #t)))
           (add-after 'install 'move-tk-inter
             (lambda* (#:key outputs #:allow-other-keys)
               ;; When Tkinter support is built move it to a separate output so
@@ -352,10 +322,10 @@ data types.")
     (name "python")
     (properties `((superseded . ,python-2)))))
 
-(define-public python-3.6
+(define-public python-3.7
   (package (inherit python-2)
     (name "python")
-    (version "3.6.5")
+    (version "3.7.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
@@ -368,66 +338,33 @@ data types.")
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "19l7inxm056jjw33zz97z0m02hsi7jnnx5kyb76abj5ml4xhad7l"))
+                "0j9mic5c9lbd2b20wka7hily7szz740wy9ilfrczxap63rnrk0h3"))
               (snippet
                '(begin
                   (for-each delete-file
-                            '("Lib/ctypes/test/test_structures.py" ; fails on aarch64
-                              "Lib/ctypes/test/test_win32.py" ; fails on aarch64
-                              "Lib/test/test_fcntl.py")) ; fails on aarch64
+                            '("Lib/ctypes/test/test_win32.py" ; fails on aarch64
+                              "Lib/test/test_fcntl.py" ; fails on aarch64
+                              "Lib/test/test_posix.py")) ; fails on aarch64
                   #t))))
     (arguments
      (substitute-keyword-arguments (package-arguments python-2)
-       ((#:tests? _) #t)
        ((#:phases phases)
-        `(modify-phases ,phases
-           (add-after 'unpack 'patch-timestamp-for-pyc-files
-             (lambda _
-               ;; We set DETERMINISTIC_BUILD to only override the mtime when
-               ;; building with Guix, lest we break auto-compilation in
-               ;; environments.
-               (setenv "DETERMINISTIC_BUILD" "1")
-               (substitute* "Lib/py_compile.py"
-                 (("source_stats\\['mtime'\\]")
-                  "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])"))
-
-               ;; Use deterministic hashes for strings, bytes, and datetime
-               ;; objects.
-               (setenv "PYTHONHASHSEED" "0")
-
-               ;; Reset mtime when validating bytecode header.
-               (substitute* "Lib/importlib/_bootstrap_external.py"
-                 (("source_mtime = int\\(source_stats\\['mtime'\\]\\)")
-                  "source_mtime = 1"))
-               #t))
-           ;; These tests fail because of our change to the bytecode
-           ;; validation.  They fail because expected exceptions do not get
-           ;; thrown.  This seems to be no problem.
-           (add-after 'unpack 'disable-broken-bytecode-tests
-             (lambda _
-               (substitute* "Lib/test/test_importlib/source/test_file_loader.py"
-                 (("test_bad_marshal")
-                  "disable_test_bad_marshal")
-                 (("test_no_marshal")
-                  "disable_test_no_marshal")
-                 (("test_non_code_marshal")
-                  "disable_test_non_code_marshal"))
-               #t))
-           ;; Unset DETERMINISTIC_BUILD to allow for tests that check that
-           ;; stale pyc files are rebuilt.
-           (add-before 'check 'allow-non-deterministic-compilation
-             (lambda _ (unsetenv "DETERMINISTIC_BUILD") #t))
-           ;; We need to rebuild all pyc files for three different
-           ;; optimization levels to replace all files that were not built
-           ;; deterministically.
-
-           ;; FIXME: Without this phase we have close to 2000 files that
+       `(modify-phases ,phases
+          ;; Unset SOURCE_DATE_EPOCH while running the test-suite and set it
+          ;; again afterwards.  See <https://bugs.python.org/issue34022>.
+          (add-before 'check 'unset-SOURCE_DATE_EPOCH
+            (lambda _ (unsetenv "SOURCE_DATE_EPOCH") #t))
+          (add-after 'check 'reset-SOURCE_DATE_EPOCH
+            (lambda _ (setenv "SOURCE_DATE_EPOCH" "1") #t))
+           ;; FIXME: Without this phase we have close to 400 files that
            ;; differ across different builds of this package.  With this phase
-           ;; there are about 500 files left that differ.
-           (add-after 'install 'rebuild-bytecode
+           ;; there are 44 files left that differ.
+           (add-after 'remove-tests 'rebuild-bytecode
              (lambda* (#:key outputs #:allow-other-keys)
-               (setenv "DETERMINISTIC_BUILD" "1")
                (let ((out (assoc-ref outputs "out")))
+                 ;; Disable hash randomization to ensure the generated .pycs
+                 ;; are reproducible.
+                 (setenv "PYTHONHASHSEED" "0")
                  (for-each
                   (lambda (opt)
                     (format #t "Compiling with optimization level: ~a\n"
@@ -439,8 +376,7 @@ data types.")
                                          "-m" "compileall"
                                          "-f" ; force rebuild
                                          ;; Don't build lib2to3, because it's Python 2 code.
-                                         ;; Also don't build obviously broken test code.
-                                         "-x" "(lib2to3|test/bad.*)"
+                                         "-x" "lib2to3/.*"
                                          ,file)))
                               (find-files out "\\.py$")))
                   (list '() '("-O") '("-OO")))
@@ -453,7 +389,7 @@ data types.")
                                         "/site-packages"))))))))
 
 ;; Current 3.x version.
-(define-public python-3 python-3.6)
+(define-public python-3 python-3.7)
 
 ;; Current major version.
 (define-public python python-3)
@@ -682,18 +618,24 @@ by @code{binstar}, @code{binstar-build} and @code{chalmers}.")
 (define-public python-babel
   (package
     (name "python-babel")
-    (version "2.3.4")
+    (version "2.6.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "Babel" version))
       (sha256
        (base32
-        "0x98qqqw35xllpcama013a9788ly84z8dm1w2wwfpxh2710c8df5"))))
+        "08rxmbx2s4irp0w0gmn498vns5xy0fagm0fg33xa772jiks51flc"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python-freezegun" ,python-freezegun)
+       ("python-pytest" ,python-pytest)))
     (propagated-inputs
      `(("python-pytz" ,python-pytz)))
-    (arguments `(#:tests? #f)) ; no test target
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (replace 'check
+                    (lambda _ (invoke "pytest" "-vv"))))))
     (home-page "http://babel.pocoo.org/")
     (synopsis
      "Tools for internationalizing Python applications")
@@ -909,14 +851,14 @@ API for locking files.")
 (define-public python-setuptools
   (package
     (name "python-setuptools")
-    (version "31.0.0")
+    (version "40.0.0")
     (source
      (origin
       (method url-fetch)
-      (uri (pypi-uri "setuptools" version))
+      (uri (pypi-uri "setuptools" version ".zip"))
       (sha256
        (base32
-        "0ypybh4hx3bv4vhg2dc74xpj1g56ggnaffm87k4abhwjwq6wq608"))
+        "0pq116lr14gnc62v76nk0npkm6krb2mpp7p9ab369zgv4n7dnah1"))
       (modules '((guix build utils)))
       (snippet
        '(begin
@@ -1212,13 +1154,13 @@ human-friendly syntax.")
 (define-public python-pandas
   (package
     (name "python-pandas")
-    (version "0.23.1")
+    (version "0.23.4")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pandas" version))
        (sha256
-        (base32 "142nvwb01r2wv42y2cz40bx33hd8ffh6s6gynapg859fmzr2mdah"))))
+        (base32 "1x54pd7hr3y7qahx6b5bf2wzj54xvl8r3s1h4pl254pnmi3wl92v"))))
     (build-system python-build-system)
     (arguments
      `(#:modules ((guix build utils)
@@ -1233,18 +1175,23 @@ human-friendly syntax.")
                               (getcwd) "/build/"
                               (car (scandir "build"
                                             (cut string-prefix? "lib." <>))))))
+                        ;; Disable the "strict data files" option which causes
+                        ;; the build to error out if required data files are not
+                        ;; available (as is the case with PyPI archives).
+                        (substitute* "setup.cfg"
+                          (("addopts = --strict-data-files") "addopts = "))
                         (with-directory-excursion build-directory
                           ;; Delete tests that require "moto" which is not yet in Guix.
                           (for-each delete-file
                                     '("pandas/tests/io/conftest.py"
                                       "pandas/tests/io/json/test_compression.py"
+                                      "pandas/tests/io/parser/test_network.py"
                                       "pandas/tests/io/test_excel.py"
                                       "pandas/tests/io/test_parquet.py"))
-                          (invoke "pytest" "-v" "pandas" "-k"
-                                  (string-append
-                                   "not network and not disabled"
-                                   ;; XXX: Due to the deleted tests above.
-                                   " and not test_read_s3_jsonl")))))))))
+                          (invoke "pytest" "-vv" "pandas" "--skip-slow"
+                                  "--skip-network" "-k"
+                                  ;; XXX: Due to the deleted tests above.
+                                  "not test_read_s3_jsonl"))))))))
     (propagated-inputs
      `(("python-numpy" ,python-numpy)
        ("python-pytz" ,python-pytz)
@@ -1751,14 +1698,14 @@ matching them against a list of media-ranges.")
 (define-public python-py
   (package
     (name "python-py")
-    (version "1.5.3")
+    (version "1.5.4")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "py" version))
        (sha256
         (base32
-         "10gq2lckvgwlk9w6yzijhzkarx44hsaknd0ypa08wlnpjnsgmj99"))))
+         "1xxvwfn82457djf55f5n2c94699rfqnk43br8fif2r2q8gvrmm9z"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: "ImportError: 'test' module incorrectly imported from
@@ -1766,7 +1713,9 @@ matching them against a list of media-ranges.")
      ;; Expected '/tmp/guix-build-python-py-1.4.31.drv-0/py-1.4.31/py'.
      ;; Is this module globally installed?"
      '(#:tests? #f))
-    (home-page "https://pylib.readthedocs.io/")
+    (native-inputs
+     `(("python-setuptools-scm" ,python-setuptools-scm)))
+    (home-page "https://github.com/pytest-dev/py")
     (synopsis "Python library for parsing, I/O, instrospection, and logging")
     (description
      "Py is a Python library for file name parsing, .ini file parsing, I/O,
@@ -2256,7 +2205,7 @@ object.")
 (define-public python-markupsafe
   (package
     (name "python-markupsafe")
-    (version "0.23")
+    (version "1.0")
     (source
      (origin
        (method url-fetch)
@@ -2265,7 +2214,7 @@ object.")
              version ".tar.gz"))
        (sha256
         (base32
-         "1hvip33wva3fnmvfp9x5klqri7hpl1hkgqmjbss18nmrb7zimv54"))))
+         "0rdn1s8x9ni7ss8rfiacj7x1085lx8mh2zdwqslnw8xc3l4nkgm6"))))
     (build-system python-build-system)
     (home-page "https://github.com/mitsuhiko/markupsafe")
     (synopsis "XML/HTML/XHTML markup safe string implementation for Python")
@@ -2280,14 +2229,14 @@ for Python.")
 (define-public python-jinja2
   (package
     (name "python-jinja2")
-    (version "2.9.6")
+    (version "2.10")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Jinja2" version))
        (sha256
         (base32
-         "1zzrkywhziqffrzks14kzixz7nd4yh2vc0fb04a68vfd2ai03anx"))))
+         "190l36hfw3wb2n3n68yacjabxyb1pnxwn7vjx96cmjj002xy2jzq"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-markupsafe" ,python-markupsafe)))
@@ -2443,26 +2392,17 @@ reStructuredText.")
 (define-public python-sphinxcontrib-websupport
   (package
     (name "python-sphinxcontrib-websupport")
-    (version "1.0.1")
+    (version "1.1.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "sphinxcontrib-websupport" version))
               (sha256
                (base32
-                "1f9f0wjpi9nhikbyaz6d19s7qvzdf1nq2g5dsh640fma4q9rd1bs"))))
+                "1ff3ix76xi1y6m99qxhaq5161ix9swwzydilvdya07mgbcvpzr4x"))))
     (build-system python-build-system)
-    (propagated-inputs
-     `(("python-mock" ,python-mock)
-       ("python-pytest" ,python-pytest)
-       ("python-xapian-bindings" ,python-xapian-bindings)))
-    ;; Needed for running the test suite
-    (native-inputs
-     `(("python-six" ,python-six)
-       ("python-jinja2" ,python-jinja2)
-       ("python-docutils" ,python-docutils)
-       ("python-sphinx" ,python-sphinx)
-       ("python-sqlalchemy" ,python-sqlalchemy)
-       ("python-whoosh" ,python-whoosh)))
+    (arguments
+     ;; FIXME: Tests depend on Sphinx, which depends on this.
+     `(#:tests? #f))
     (home-page "http://sphinx-doc.org/")
     (synopsis "Sphinx API for web applications")
     (description "This package provides a Python API to easily integrate
@@ -2470,17 +2410,20 @@ Sphinx documentation into your web application.  It provides tools to
 integrate Sphinx documents in web templates and to handle searches.")
     (license license:bsd-3)))
 
+(define-public python2-sphinxcontrib-websupport
+  (package-with-python2 python-sphinxcontrib-websupport))
+
 (define-public python-sphinx
   (package
     (name "python-sphinx")
-    (version "1.5.1")
+    (version "1.7.7")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Sphinx" version))
        (sha256
         (base32
-         "1i8p9idnli4gr0y4x67yakbdk5w6a0xjzhrg6bg51y9d1fi7fslf"))))
+         "0pkkbfj7cl157q550gcs45am5y78ps0h7q6455d64s1zmw01jlvi"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -2489,7 +2432,15 @@ integrate Sphinx documents in web templates and to handle searches.")
            (lambda _
              ;; Requires Internet access.
              (delete-file "tests/test_build_linkcheck.py")
-             (zero? (system* "make" "test")))))))
+             (substitute* "tests/test_build_latex.py"
+               (("@pytest.mark.sphinx\\('latex', testroot='images'\\)")
+                "@pytest.mark.skip()"))
+             (when (which "python")
+               ;; XXX: These tests are broken when using Python2:
+               ;; <https://github.com/sphinx-doc/sphinx/issues/4710>.
+               (delete-file "tests/test_api_translator.py")
+               (delete-file "tests/test_setup_command.py"))
+             (invoke "make" "test"))))))
     (propagated-inputs
      `(("python-imagesize" ,python-imagesize)
        ("python-sphinx-alabaster-theme"
@@ -2498,14 +2449,18 @@ integrate Sphinx documents in web templates and to handle searches.")
        ("python-snowballstemmer" ,python-snowballstemmer)
        ("python-docutils" ,python-docutils)
        ("python-jinja2" ,python-jinja2)
+       ("python-packaging" ,python-packaging)
        ("python-pygments" ,python-pygments)
        ("python-requests" ,python-requests)
-       ("python-six" ,python-six)))
+       ("python-six" ,python-six)
+       ("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)))
     (native-inputs
      `(("graphviz" ,graphviz)
+       ("imagemagick" ,imagemagick)                    ;for "convert"
        ("python-html5lib" ,python-html5lib)
        ("python-mock" ,python-mock)
-       ("python-nose" ,python-nose)))
+       ("python-nose" ,python-nose)
+       ("python-pytest" ,python-pytest)))
     (home-page "http://sphinx-doc.org/")
     (synopsis "Python documentation generator")
     (description "Sphinx is a tool that makes it easy to create documentation
@@ -2514,62 +2469,6 @@ sources.")
     (license license:bsd-3)
     (properties `((python2-variant . ,(delay python2-sphinx))))))
 
-(define-public python-sphinx-1.6
-  (package (inherit python-sphinx)
-    (name "python-sphinx")
-    (version "1.6.4")
-    (source (origin
-              (method url-fetch)
-              (uri (pypi-uri "Sphinx" version))
-              (sha256
-               (base32
-                "0gjakw9fv5pwqb5yyclxycs36sapxizk1vx6mkcdizmzgzcfy0gi"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (replace 'check
-           (lambda _
-             ;; Requires Internet access.
-             (delete-file "tests/test_build_linkcheck.py")
-             (substitute* "tests/test_build_latex.py"
-               (("@pytest.mark.sphinx\\('latex', testroot='images'\\)")
-                "@pytest.mark.skip()"))
-             (zero? (system* "make" "test")))))))
-    (propagated-inputs
-     `(("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)
-       ,@(package-propagated-inputs python-sphinx)))
-    (native-inputs
-     `(("python-pytest" ,python-pytest)
-       ("imagemagick" ,imagemagick) ; for "convert"
-       ,@(package-native-inputs python-sphinx)))
-    (properties `((python2-variant . ,(delay python2-sphinx-1.6))))))
-
-(define-public python2-sphinx-1.6
-  (let ((base (package-with-python2 (strip-python2-variant python-sphinx-1.6))))
-    (package
-      (inherit base)
-      (propagated-inputs
-       `(("python2-typing" ,python2-typing)
-         ,@(package-propagated-inputs base)))
-      (native-inputs `(("python2-enum34" ,python2-enum34)
-                       ,@(package-native-inputs base))))))
-
-(define-public python-sphinx-1.5.3
-  (package
-    (inherit python-sphinx)
-    (name "python-sphinx")
-    (version "1.5.3")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (pypi-uri "Sphinx" version))
-       (sha256
-        (base32
-         "0kw1axswbvaavr8ggyf4qr6hnisnrzlbkkcdada69vk1x9xjassg"))))
-    (native-inputs
-     `(("python-pytest" ,python-pytest)
-       ,@(package-native-inputs python-sphinx)))))
-
 (define-public python2-sphinx
   (let ((base (package-with-python2 (strip-python2-variant python-sphinx))))
     (package
@@ -2578,6 +2477,7 @@ sources.")
                        ("python2-enum34" ,python2-enum34)
                        ,@(package-native-inputs base)))
       (propagated-inputs `(("python2-pytz" ,python2-pytz)
+                           ("python2-typing" ,python2-typing)
                        ,@(package-propagated-inputs base))))))
 
 (define-public python-sphinx-gallery
@@ -2865,7 +2765,11 @@ and is very extensible.")
                '())
 
          (replace 'check
-           (lambda _ (invoke "python" "runtests.py" "-vv"))))))
+           (lambda _
+             ;; The "with_outer_raising" test fails with Python 3.7.  See
+             ;; https://github.com/cython/cython/issues/2454
+             (delete-file "tests/run/generators_py.py")
+             (invoke "python" "runtests.py" "-vv"))))))
     (home-page "http://cython.org/")
     (synopsis "C extensions for Python")
     (description "Cython is an optimising static compiler for both the Python
@@ -2909,7 +2813,7 @@ between language specification and implementation aspects.")
 (define-public python-numpy
   (package
     (name "python-numpy")
-    (version "1.14.5")
+    (version "1.15.1")
     (source
      (origin
        (method url-fetch)
@@ -2918,14 +2822,14 @@ between language specification and implementation aspects.")
              version "/numpy-" version ".tar.gz"))
        (sha256
         (base32
-         "0admjpkih63lm19zbbilq8ck4f6ny5kqi03dk3m6b2mnixsh4jhv"))))
+         "1yp75fkqk7abq3mrbqdf0pdmr2phkr2mnng0dbqqvvrmv7jwq71w"))))
     (build-system python-build-system)
     (inputs
      `(("openblas" ,openblas)
        ("lapack" ,lapack)))
     (native-inputs
      `(("python-cython" ,python-cython)
-       ("python-nose" ,python-nose)
+       ("python-pytest" ,python-pytest)
        ("gfortran" ,gfortran)))
     (arguments
      `(#:phases
@@ -2970,9 +2874,12 @@ include_dirs = ~a/include
            (lambda* (#:key outputs inputs #:allow-other-keys)
              ;; Make installed package available for running the tests
              (add-installed-pythonpath inputs outputs)
+             ;; Make sure "f2py" etc is found.
+             (setenv "PATH" (string-append (assoc-ref outputs "out") "/bin"
+                                           ":" (getenv "PATH")))
              (with-directory-excursion "/tmp"
-               (zero? (system* "python" "-c"
-                               "import numpy; numpy.test(verbose=2)"))))))))
+               (invoke "python" "-c"
+                       "import numpy; numpy.test(verbose=2)")))))))
     (home-page "http://www.numpy.org/")
     (synopsis "Fundamental package for scientific computing with Python")
     (description "NumPy is the fundamental package for scientific computing
@@ -3340,25 +3247,14 @@ that client code uses to construct the grammar directly in Python code.")
 (define-public python-numpydoc
   (package
     (name "python-numpydoc")
-    (version "0.5")
+    (version "0.8.0")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/n/numpydoc/numpydoc-"
-             version ".tar.gz"))
+       (uri (pypi-uri "numpydoc" version))
        (sha256
         (base32
-         "0d4dnifaxkll50jx6czj05y8cb4ny60njd2wz299sj2jxfy51w4k"))
-       (modules '((guix build utils)))
-       (snippet
-        '(begin
-           ;; Drop a test requiring matplotlib, which we cannot add as an
-           ;; input since it would create a circular dependency: Extend the
-           ;; test for Python 3, where it is already dropped, to Python 2.
-           (substitute* "numpydoc/tests/test_plot_directive.py"
-             (("3") "2"))
-           #t))))
+         "1zazxg3m8j4fksv3f7v7vpf4bj9qb1vj3r326am0vdip141vzx31"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-sphinx" ,python-sphinx)))
@@ -3578,7 +3474,7 @@ toolkits.")
     (native-inputs
      `(("python-matplotlib" ,python-matplotlib)
        ("python-colorspacious" ,python-colorspacious)
-       ("python-sphinx" ,python-sphinx-1.6)
+       ("python-sphinx" ,python-sphinx)
        ("python-sphinx-gallery" ,python-sphinx-gallery)
        ("python-numpydoc" ,python-numpydoc)
        ("python-ipython" ,python-ipython)
@@ -3865,14 +3761,14 @@ as the original project seems to have been abandoned circa 2007.")
 (define-public python-pycodestyle
   (package
     (name "python-pycodestyle")
-    (version "2.3.1")
+    (version "2.4.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pycodestyle" version))
         (sha256
           (base32
-            "0rk78b66p57ala26mdldl9lafr48blv5s659sah9q50qnfjmc8k8"))))
+            "0fhy4vnlgpjq4qd1wdnl6pvdw7rah0ypmn8c9mkhz8clsndskz6b"))))
     (build-system python-build-system)
     (home-page "https://pycodestyle.readthedocs.io/")
     (synopsis "Python style guide checker")
@@ -4025,7 +3921,7 @@ services for your Python modules and applications.")
 (define-public python-olefile
   (package
     (name "python-olefile")
-    (version "0.44")
+    (version "0.45.1")
     (source
      (origin
        (method url-fetch)
@@ -4034,7 +3930,7 @@ services for your Python modules and applications.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "1wmxbrhyqjry2000zx0zdhqdqxhgi06nz7sbzjlh222q2zjv1gpj"))))
+         "18ai19zwagm6nli14k8bii31ipbab2rp7plrvsm6gmfql551a8ai"))))
     (build-system python-build-system)
     (home-page
      "https://www.decalage.info/python/olefileio")
@@ -4051,19 +3947,17 @@ the OleFileIO module from PIL, the Python Image Library.")
 (define-public python-pillow
   (package
     (name "python-pillow")
-    (version "4.3.0")
+    (version "5.2.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pillow" version))
        (sha256
         (base32
-         "09xmn7rl6840sli2iz1k3fgxfgmri2nqz6vkinmb9mgg8ifp2z59"))
-       (patch-flags '("-p1" "--binary"))
-       (patches (search-patches "python-pillow-fix-failing-tests.patch"))))
+         "1ary9mj2ddllq3lkxgn6aac7qxqiwbcg2pacrl94py58ql9x9czq"))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-nose"       ,python-nose)))
+     `(("python-pytest"       ,python-pytest)))
     (inputs
      `(("freetype" ,freetype)
        ("lcms"     ,lcms)
@@ -4084,9 +3978,8 @@ the OleFileIO module from PIL, the Python Image Library.")
                        ;; Make installed package available for running the
                        ;; tests
                        (add-installed-pythonpath inputs outputs)
-                       (and (zero? (system* "python" "selftest.py"
-                                            "--installed"))
-                            (zero? (system* "python" "test-installed.py"))))))
+                       (invoke "python" "selftest.py" "--installed")
+                       (invoke "python" "-m" "pytest" "-vv"))))
                  (delete 'check))))
     (home-page "https://pypi.python.org/pypi/Pillow")
     (synopsis "Fork of the Python Imaging Library")
@@ -4107,14 +4000,14 @@ a general image processing tool.")
 (define-public python-pycparser
   (package
     (name "python-pycparser")
-    (version "2.17")
+    (version "2.18")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "pycparser" version))
       (sha256
        (base32
-        "1dkkjri0miidqb1zcqhqljfa34fcy9k5akasgwsv6k622zlk3b0a"))))
+        "09mjyw82ibqzl449g7swy8bfxnfpmas0815d2rkdjlcqw81wma4r"))))
     (outputs '("out" "doc"))
     (build-system python-build-system)
     (native-inputs
@@ -4151,14 +4044,14 @@ a front-end for C compilers or analysis tools.")
 (define-public python-xcffib
   (package
     (name "python-xcffib")
-    (version "0.5.1")
+    (version "0.6.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "xcffib" version))
       (sha256
        (base32
-        "09gbnmr5vn58mm8xi3fmd7fz6743cks6c46dphnxzwax6zsxmy60"))))
+        "04k91yxyb3pgc5lvxmivh8w71yjrap2g57yk3s73x4rm4nvjq51n"))))
     (build-system python-build-system)
     (inputs
      `(("libxcb" ,libxcb)))
@@ -4197,17 +4090,14 @@ support for Python 3 and PyPy.  It is based on cffi.")
 (define-public python-cairocffi
   (package
     (name "python-cairocffi")
-    (version "0.8.0")
+    (version "0.9.0")
     (source
      (origin
       (method url-fetch)
-      ;; The archive on pypi is missing the 'utils' directory!
-      (uri (string-append "https://github.com/Kozea/cairocffi/archive/v"
-                          version ".tar.gz"))
-      (file-name (string-append name "-" version ".tar.gz"))
+      (uri (pypi-uri "cairocffi" version))
       (sha256
        (base32
-        "1rk2dvy3fxrga6bvvxc2fi5lbaynm5h4a0w0aaxyn3bc77rszjg9"))
+        "0dq3k4zhqd8cwsf3nyjqvjqm8wkvrjn1wjf44rl3v0h8kqx6qf0m"))
       (patches (search-patches "python-cairocffi-dlopen-path.patch"))))
     (build-system python-build-system)
     (outputs '("out" "doc"))
@@ -4220,14 +4110,14 @@ support for Python 3 and PyPy.  It is based on cffi.")
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("python-pytest" ,python-pytest)
+       ("python-pytest-cov" ,python-pytest-cov)
+       ("python-pytest-runner" ,python-pytest-runner)
        ("python-sphinx" ,python-sphinx)
        ("python-docutils" ,python-docutils)))
     (propagated-inputs
      `(("python-xcffib" ,python-xcffib))) ; used at run time
     (arguments
-     `(;; FIXME: Tests cannot find 'libcairo.so.2'.
-       #:tests? #t
-       #:phases
+     `(#:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'patch-paths
            (lambda* (#:key inputs outputs #:allow-other-keys)
@@ -4493,13 +4383,13 @@ child application and control it as if a human were typing commands.")
 (define-public python-setuptools-scm
   (package
     (name "python-setuptools-scm")
-    (version "1.15.6")
+    (version "3.1.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "setuptools_scm" version))
               (sha256
                (base32
-                "0pzvfmx8s20yrgkgwfbxaspz2x1g38qv61jpm0ns91lrb22ldas9"))))
+                "0h4bglwfz8b9prqljv8z3w9rgydfyxzaj05bm1y6zs5m6shz548i"))))
     (build-system python-build-system)
     (home-page "https://github.com/pypa/setuptools_scm/")
     (synopsis "Manage Python package versions in SCM metadata")
@@ -4952,15 +4842,15 @@ toolkit.  Use it to build trees of widgets.")
 (define-public python-dbus
   (package
     (name "python-dbus")
-    (version "1.2.0")
+    (version "1.2.8")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://dbus.freedesktop.org/releases/dbus-python/dbus-python-"
-             version ".tar.gz"))
+       (uri (string-append "https://dbus.freedesktop.org/releases/dbus-python/"
+                           "dbus-python-" version ".tar.gz"))
        (sha256
-        (base32 "1py62qir966lvdkngg0v8k1khsqxwk5m4s8nflpk1agk5f5nqb71"))))
+        (base32
+         "0vvvjmiwnc9cjlks3gcdk43ap7llhlpz7cm1wbw0nc2yfsxjpwdb"))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases
@@ -4976,7 +4866,7 @@ toolkit.  Use it to build trees of widgets.")
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
-     `(("python" ,python)
+     `(("python" ,python-wrapper)
        ("dbus-glib" ,dbus-glib)))
     (synopsis "Python bindings for D-bus")
     (description "python-dbus provides bindings for libdbus, the reference
@@ -4998,14 +4888,14 @@ implementation of D-Bus.")
 (define-public python-lxml
   (package
     (name "python-lxml")
-    (version "3.8.0")
+    (version "4.2.4")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "lxml" version))
         (sha256
          (base32
-          "15nvf6n285n282682qyw3wihsncb0x5amdhyi4b83bfa2nz74vvk"))))
+          "1jk336k0kw616gfhqk1wwxsjjwz0flld0n294lz8kxch610bxbz2"))))
     (build-system python-build-system)
     (inputs
       `(("libxml2" ,libxml2)
@@ -5026,14 +4916,14 @@ libxml2 and libxslt.")
 (define-public python-beautifulsoup4
   (package
     (name "python-beautifulsoup4")
-    (version "4.5.3")
+    (version "4.6.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "beautifulsoup4" version))
        (sha256
         (base32
-         "0glaw1vyxnbp03fni7h5496n6iib0n5iim4gax1n0ngscs9s075j"))))
+         "041dhalzjciw6qyzzq7a2k4h1yvyk76xigp35hv5ibnn448ydy4h"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
@@ -5530,14 +5420,14 @@ so it might be a tiny bit slower.")
 (define-public python-waf
   (package
     (name "python-waf")
-    (version "1.9.8")
+    (version "2.0.10")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://waf.io/"
                                   "waf-" version ".tar.bz2"))
               (sha256
                (base32
-                "0wl4cnmp06lfxqjxaan58bqxn27smhydz0sg5prrfbl3bsw4gv6q"))))
+                "1v832jljl5wwqyimz40zgksf5ws1w3d2niz3qxamyp5dnyvzjl35"))))
     (build-system python-build-system)
     (arguments
      '(#:phases
@@ -5621,14 +5511,14 @@ PEP 8.")
 (define-public python-pyflakes
   (package
     (name "python-pyflakes")
-    (version "1.5.0")
+    (version "2.0.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pyflakes" version))
         (sha256
           (base32
-            "1x1pcca4a24k4pw8x1c77sgi58cg1wl2k38mp8a25k608pzls3da"))))
+            "0jba28czyvimdc72llms3f17swp3i8jdcabf5w0j00adfbn64xls"))))
     (build-system python-build-system)
     (home-page
       "https://github.com/pyflakes/pyflakes")
@@ -5726,33 +5616,44 @@ complexity of Python source code.")
 (define-public python-flake8
   (package
     (name "python-flake8")
-    (version "3.4.1")
+    (version "3.5.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "flake8" version))
         (sha256
           (base32
-            "1n0i38592vy3q0x2a9bf8z6rhhn04i30wsn5i5zzcj7qkxvl8062"))))
+            "184b33grvvjmiwlv9kyd7yng9qv5ld24154j70z332xxg9gjclvj"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
        (modify-phases %standard-phases
+         ;; Two errors don't seem to have assigned codes.
+         (add-after 'unpack 'delete-broken-test
+           (lambda _ (delete-file "tests/unit/test_pyflakes_codes.py") #t))
+         (add-after 'unpack 'fix-problem-with-pycodestyle
+           (lambda _
+             ;; See https://gitlab.com/pycqa/flake8/merge_requests/230
+             ;; This should no longer be needed with the next release.
+             (substitute* "setup.py"
+               (("PEP8_PLUGIN\\('break_around_binary_operator'\\),")
+                "PEP8_PLUGIN('break_after_binary_operator'),\
+PEP8_PLUGIN('break_before_binary_operator'),"))
+             #t))
          (delete 'check)
          (add-after 'install 'check
-          (lambda* (#:key inputs outputs #:allow-other-keys)
-            (add-installed-pythonpath inputs outputs)
-            (zero? (system* "pytest" "-v")))))))
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (add-installed-pythonpath inputs outputs)
+             (invoke "pytest" "-v")
+             #t)))))
     (propagated-inputs
-      `(("python-pycodestyle" ,python-pycodestyle)
-        ("python-pyflakes" ,python-pyflakes)
-        ;; flake8 depends on a newer setuptools than provided by python.
-        ("python-setuptools" ,python-setuptools)
-        ("python-mccabe" ,python-mccabe)))
+     `(("python-pycodestyle" ,python-pycodestyle)
+       ("python-pyflakes" ,python-pyflakes)
+       ("python-mccabe" ,python-mccabe)))
     (native-inputs
-      `(("python-mock" ,python-mock) ; TODO: only required for < 3.3
-        ("python-pytest" ,python-pytest-bootstrap)
-        ("python-pytest-runner" ,python-pytest-runner)))
+     `(("python-mock" ,python-mock)
+       ("python-pytest" ,python-pytest-bootstrap)
+       ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://gitlab.com/pycqa/flake8")
     (synopsis
       "The modular source code checker: pep8, pyflakes and co")
@@ -6003,28 +5904,18 @@ add functionality and customization to your projects with their own plugins.")
 (define-public python-fonttools
   (package
     (name "python-fonttools")
-    (version "3.15.1")
+    (version "3.28.0")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "fonttools" version ".zip"))
               (sha256
                (base32
-                "1hhj97izwliy0vybmza72d90l5d4mcn50y8akq7kyccfl82vdx4d"))))
+                "0vsvjhidpb5kywpjgz1j3fywzkddxkb0afqai18qa3h6lqjyxwpb"))))
     (build-system python-build-system)
-    (arguments
-     '(#:test-target "check"
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'patch-setuppy
-           ;; Remove the undocumented "extra_path" argument, which adds an
-           ;; intervening directories between site-packages and the package
-           ;; directory.
-           (lambda _
-             (substitute* "setup.py"
-               (("^[ \t]*extra_path *= *'FontTools',") ""))
-             #t)))))
     (native-inputs
-     `(("unzip" ,unzip)))
+     `(("unzip" ,unzip)
+       ("python-pytest" ,python-pytest)
+       ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/behdad/fonttools")
     (synopsis "Tools to manipulate font files")
     (description
@@ -6033,9 +5924,7 @@ supports reading and writing of TrueType/OpenType fonts, reading and writing
 of AFM files, reading (and partially writing) of PS Type 1 fonts.  The package
 also contains a tool called “TTX” which converts TrueType/OpenType fonts to and
 from an XML-based format.")
-    (license (license:non-copyleft
-              "file://LICENSE.txt"
-              "See LICENSE.txt in the distribution."))))
+    (license license:expat)))
 
 (define-public python2-fonttools
   (package-with-python2 python-fonttools))
@@ -6407,13 +6296,13 @@ implementations of ASN.1-based codecs and protocols.")
 (define-public python-ipaddress
   (package
     (name "python-ipaddress")
-    (version "1.0.19")
+    (version "1.0.22")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "ipaddress" version))
               (sha256
                (base32
-                "10agaa1cys1bk1ycpl2w8lky9vjx8h1xh1z29mg0niqx0638c390"))))
+                "0b570bm6xqpjwqis15pvdy6lyvvzfndjvkynilcddjj5x98wfimi"))))
     (build-system python-build-system)
     (home-page "https://github.com/phihag/ipaddress")
     (synopsis "IP address manipulation library")
@@ -6459,14 +6348,14 @@ versions of Python.")
 (define-public python-idna
   (package
     (name "python-idna")
-    (version "2.6")
+    (version "2.7")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "idna" version))
        (sha256
         (base32
-         "13qaab6d0s15gknz8v3zbcfmbj6v86hn9pjxgkdf62ch13imssic"))))
+         "05jam7d31767dr12x0rbvvs8lxnpb1mhdb2zdlfxgh83z6k3hjk8"))))
     (build-system python-build-system)
     (home-page "https://github.com/kjd/idna")
     (synopsis "Internationalized domain names in applications")
@@ -7773,15 +7662,17 @@ library as well as on the command line.")
 (define-public python-pluggy
   (package
    (name "python-pluggy")
-   (version "0.6.0")
+   (version "0.7.1")
    (source
     (origin
      (method url-fetch)
      (uri (pypi-uri "pluggy" version))
      (sha256
       (base32
-       "1zqckndfn85l1cd8pndw212zg1bq9fkg1nnj32kp2mppppsyg2kz"))))
+       "1qbn70mksmr03hac6jgp6fiqc4l7859z8dchx2x950vhlij87swm"))))
    (build-system python-build-system)
+   (native-inputs
+    `(("python-setuptools-scm" ,python-setuptools-scm)))
    (synopsis "Plugin and hook calling mechanism for Python")
    (description "Pluggy is an extraction of the plugin manager as used by
 Pytest but stripped of Pytest specific details.")
@@ -8489,6 +8380,15 @@ ambiguities (forward vs. backward slashes, etc.).
 @end enumerate")
     (license license:expat)))
 
+(define-public python2-pathlib2-bootstrap
+  (hidden-package
+   (package
+     (inherit python2-pathlib2)
+     (name "python2-pathlib2-bootstrap")
+     (propagated-inputs
+      `(("python2-scandir" ,python2-scandir)
+        ("python2-six" ,python2-six-bootstrap))))))
+
 (define-public python-jellyfish
   (package
     (name "python-jellyfish")
@@ -8970,13 +8870,13 @@ multiple processes (imagine multiprocessing, billiard, futures, celery etc).
 (define-public python-greenlet
   (package
     (name "python-greenlet")
-    (version "0.4.11")
+    (version "0.4.14")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "greenlet" version))
               (sha256
                (base32
-                "1xhik26j4f3kc4qw9xmj0c567rb5h1zryb4ijwqnqwwjvfhbv59h"))))
+                "1bsij3bwdhz2chq4ar2v6jqbh69yc7k9ymh41jd8vrdd2n52dk7i"))))
     (build-system python-build-system)
     (home-page "https://greenlet.readthedocs.io/")
     (synopsis "Lightweight in-process concurrent programming")
@@ -10444,21 +10344,17 @@ useful as a validator for JSON data.")
 (define-public python-imagesize
   (package
     (name "python-imagesize")
-    (version "0.7.1")
+    (version "1.0.0")
     (source
       (origin
       (method url-fetch)
       (uri (pypi-uri "imagesize" version))
       (sha256
         (base32
-          "0qk07k0z4241lkzzjji7z4da04pcvg7bfc4xz1934zlqhwmwdcha"))))
+          "05b3p62r7rbcvvbk5vknr3bhcq9b2airysn6ric534mng136wcjv"))))
     (build-system python-build-system)
-    (arguments
-     '(;; Test files are not distributed on PyPi:
-       ;; https://github.com/shibukawa/imagesize_py/issues/7
-       #:tests? #f))
     (home-page "https://github.com/shibukawa/imagesize_py")
-    (synopsis "Gets image size of files in variaous formats in Python")
+    (synopsis "Gets image size of files in various formats in Python")
     (description
       "This package allows determination of image size from
 PNG, JPEG, JPEG2000 and GIF files in pure Python.")
@@ -10894,6 +10790,32 @@ projects.")
 (define-public python2-incremental
   (package-with-python2 python-incremental))
 
+(define-public python-invoke
+  (package
+    (name "python-invoke")
+    (home-page "http://www.pyinvoke.org/")
+    (version "1.1.0")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "invoke" version))
+              (sha256
+               (base32
+                "0aiy1xvk1f91246zxd1zqrm679vdvd10h843a2na41cqr3cflpi6"))))
+    (build-system python-build-system)
+    (arguments
+     ;; XXX: Requires many dependencies that are not yet in Guix.
+     `(#:tests? #f))
+    (synopsis "Pythonic task execution")
+    (description
+     "Invoke is a Python task execution tool and library, drawing inspiration
+from various sources to arrive at a powerful and clean feature set.  It is
+evolved from the Fabric project, but focuses on local and abstract concerns
+instead of servers and network commands.")
+    (license license:bsd-3)))
+
+(define-public python2-invoke
+  (package-with-python2 python-invoke))
+
 (define-public python-automat
   (package
     (name "python-automat")
@@ -11510,13 +11432,13 @@ It supports both normal and Unicode strings.")
 (define-public python-scandir
   (package
     (name "python-scandir")
-    (version "1.7")
+    (version "1.9.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "scandir" version))
        (sha256
-        (base32 "0gbnhjzg42rj87ljv9kb648rfxph69ly3c8r9841dxy4d7l5pmdj"))))
+        (base32 "0r3hvf1a9jm1rkqgx40gxkmccknkaiqjavs8lccgq9s8khh5x5s4"))))
     (build-system python-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
@@ -11636,15 +11558,19 @@ several utilities, as well as an API for building localization tools.")
 (define-public python-packaging
   (package
     (name "python-packaging")
-    (version "16.8")
+    (version "17.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "packaging" version))
         (sha256
          (base32
-          "17k1xbjshackwvbsnxqixbph8rbqhz4bf4g3al5xyzhavxgq6l2x"))))
+          "0nrpayk8kij1zm9sjnk38ldz3a6705ggvw8ljylqbrb4vmqbf6gh"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (replace 'check
+                    (lambda _ (invoke "py.test" "-vv"))))))
     (native-inputs
      `(("python-pretend" ,python-pretend)
        ("python-pytest" ,python-pytest)))
@@ -13426,14 +13352,14 @@ file system events on Linux.")
 (define-public python-more-itertools
   (package
     (name "python-more-itertools")
-    (version "4.1.0")
+    (version "4.3.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "more-itertools" version))
        (sha256
         (base32
-         "0i3ch700g5fyjp692gprlnzbysl8w0sa2vijbp3s40drvk67xkn9"))))
+         "17h3na0rdh8xq30w4b9pizgkdxmm51896bxw600x84jflg9vaxn4"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-six" ,python-six-bootstrap)))
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index 7dfdade979..7d1a4ca585 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -494,7 +494,8 @@ system, and the core design of Django is reused in Grantlee.")
               (base32
                "0ipv18ypbgpxhh49rfplqmflskmnhhwj1bjr5hrwi0jpvar4gl50"))
              ;; Use TZDIR to avoid depending on package "tzdata".
-             (patches (search-patches "qtbase-use-TZDIR.patch"))
+             (patches (search-patches "qtbase-use-TZDIR.patch"
+                                      "qtbase-glibc-compat.patch"))
              (modules '((guix build utils)))
              (snippet
                ;; corelib uses bundled harfbuzz, md4, md5, sha3
@@ -608,7 +609,6 @@ system, and the core design of Django is reused in Grantlee.")
                  ;; kernels that the glibc supports, including the RHEL6
                  ;; (2.6.32) and RHEL7 (3.10) kernels.
                  "-no-feature-getentropy"  ; requires Linux 3.17
-                 "-no-feature-renameat2"   ; requires Linux 3.16
 
                  ;; Do not build examples; if desired, these could go
                  ;; into a separate output, but for the time being, we
diff --git a/gnu/packages/readline.scm b/gnu/packages/readline.scm
index 4695e9fc71..59fa8af8af 100644
--- a/gnu/packages/readline.scm
+++ b/gnu/packages/readline.scm
@@ -48,7 +48,9 @@
   (patch-series
    (1 "0xm3sxvwmss7ddyfb11n6pgcqd1aglnpy15g143vzcf75snb7hcs")
    (2 "0n1dxmqsbjgrfxb1hgk5c6lsraw4ncbnzxlsx7m35nym6lncjiw7")
-   (3 "1027kmymniizcy0zbdlrczxfx3clxcdln5yq05q9yzlc6y9slhwy")))
+   (3 "1027kmymniizcy0zbdlrczxfx3clxcdln5yq05q9yzlc6y9slhwy")
+   (4 "0r3bbaf12iz8m02z6p3fzww2m365fhn71xmzab2p62gj54s6h9gr")
+   (5 "0lxpa4f72y2nsgj6fgrhjk2nmmxvccys6aciwfxwchb5f21rq5fa")))
 
 (define-public readline
   (package
diff --git a/gnu/packages/samba.scm b/gnu/packages/samba.scm
index a6d6ee30cd..65d41a2b67 100644
--- a/gnu/packages/samba.scm
+++ b/gnu/packages/samba.scm
@@ -400,6 +400,18 @@ key-value pair databases and a real LDAP database.")
               (method url-fetch)
               (uri (string-append "https://www.samba.org/ftp/ppp/ppp-"
                                   version ".tar.gz"))
+              (patches
+               (list (origin
+                       ;; Use OpenSSL for cryptography instead of the obsolete glibc
+                       ;; crypto functions that were removed in glibc 2.28.
+                       (method url-fetch)
+                       (uri (string-append "https://github.com/paulusmack/ppp/commit/"
+                                           "3c7b86229f7bd2600d74db14b1fe5b3896be3875"
+                                           ".patch"))
+                       (file-name "ppp-use-openssl-crypto.patch")
+                       (sha256
+                        (base32
+                         "0qlbi247lx3injpy8a1gcij9yilik0vfaibkpvdp88k3sa1rs69z")))))
               (sha256
                (base32
                 "0c7vrjxl52pdwi4ckrvfjr08b31lfpgwf3pp0cqy76a77vfs7q02"))))
@@ -412,15 +424,19 @@ key-value pair databases and a real LDAP database.")
          (add-before 'configure 'patch-Makefile
            (lambda* (#:key inputs #:allow-other-keys)
              (let ((libc    (assoc-ref inputs "libc"))
+                   (openssl (assoc-ref inputs "openssl"))
                    (libpcap (assoc-ref inputs "libpcap")))
                (substitute* "pppd/Makefile.linux"
                  (("/usr/include/crypt\\.h")
                   (string-append libc "/include/crypt.h"))
+                 (("/usr/include/openssl")
+                  (string-append openssl "/include/openssl"))
                  (("/usr/include/pcap-bpf.h")
                   (string-append libpcap "/include/pcap-bpf.h")))
                #t))))))
     (inputs
-     `(("libpcap" ,libpcap)))
+     `(("libpcap" ,libpcap)
+       ("openssl" ,(@ (gnu packages tls) openssl))))
     (synopsis "Implementation of the Point-to-Point Protocol")
     (home-page "https://ppp.samba.org/")
     (description
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 03c4e3cc0b..ebb99e84f0 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -117,23 +117,10 @@ remote applications.")
    (propagated-inputs `(("libgcrypt" ,libgcrypt)
                         ("zlib" ,zlib)))
    (arguments `(#:configure-flags `("--with-libgcrypt")
-                #:phases
-                ;; FIXME: In the next core-updates cycle, replace the entire
-                ;; following ,(...) form with its first 'modify-phases'
-                ;; subform.  The change made here is only strictly needed on
-                ;; MIPS, but should work on any system.  For now, we apply it
-                ;; only to MIPS to avoid forcing thousands of rebuilds on
-                ;; other systems.
-                ,(if (string-prefix? "mips" (or (%current-target-system)
-                                                (%current-system)))
-                     '(modify-phases %standard-phases
-                        (replace 'bootstrap
-                          (lambda _
-                            (invoke "autoreconf" "-v"))))
-                     '(modify-phases %standard-phases
-                        (add-before 'configure 'autoreconf
-                          (lambda _
-                            (invoke "autoreconf" "-v")))))))
+                #:phases (modify-phases %standard-phases
+                           (replace 'bootstrap
+                             (lambda _
+                               (invoke "autoreconf" "-v"))))))
    (native-inputs `(("autoconf" ,autoconf)
                     ("automake" ,automake)))
    (synopsis "Client-side C library implementing the SSH2 protocol")
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index ce7335619b..6e915aa437 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -213,9 +213,9 @@ as.POSIXct(if (\"\" != Sys.getenv(\"SOURCE_DATE_EPOCH\")) {\
                                     "/share/zoneinfo"))
              #t))
          (add-after 'build 'make-info
-          (lambda _ (zero? (system* "make" "info"))))
+          (lambda _ (invoke "make" "info")))
          (add-after 'build 'install-info
-          (lambda _ (zero? (system* "make" "install-info")))))
+          (lambda _ (invoke "make" "install-info"))))
        #:configure-flags
        `(;; We build the recommended packages here, because they are needed in
          ;; order to run the test suite.  We disable them in the r-minimal
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index f7d3e0ec7d..b8c85eb844 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -25,6 +25,7 @@
 (define-module (gnu packages tcl)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
@@ -145,13 +146,22 @@ X11 GUIs.")
              (patches (search-patches "tk-find-library.patch"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
+     `(#:phases (modify-phases %standard-phases
                   (add-before
                    'configure 'pre-configure
                    (lambda _
                      (chdir "unix")
                      #t))
                   (add-after
+                   'install 'create-wish-symlink
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out (assoc-ref outputs "out")))
+                       (symlink (string-append out "/bin/wish"
+                                               ,(version-major+minor
+                                                  (package-version tk)))
+                                (string-append out "/bin/wish")))
+                     #t))
+                  (add-after
                    'install 'add-fontconfig-flag
                    (lambda* (#:key inputs outputs #:allow-other-keys)
                      ;; Add the missing -L flag for Fontconfig in 'tk.pc' and
@@ -179,7 +189,7 @@ X11 GUIs.")
     (propagated-inputs `(("libx11" ,libx11)
                          ("libxext" ,libxext)))
 
-    (home-page "http://www.tcl.tk/")
+    (home-page "https://www.tcl.tk/")
     (synopsis "Graphical user interface toolkit for Tcl")
     (description
      "Tk is a graphical toolkit for building graphical user
diff --git a/gnu/packages/tex.scm b/gnu/packages/tex.scm
index 6ab999b2d5..ed85950bb6 100644
--- a/gnu/packages/tex.scm
+++ b/gnu/packages/tex.scm
@@ -6,7 +6,7 @@
 ;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
-;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -76,42 +76,41 @@
 (define texlive-extra-src
   (origin
     (method url-fetch)
-    (uri "ftp://tug.org/historic/systems/texlive/2017/texlive-20170524-extra.tar.xz")
+    (uri "ftp://tug.org/historic/systems/texlive/2018/texlive-20180414-extra.tar.xz")
     (sha256 (base32
-              "0zvd2zskk78ig114mfj24g15qys41hzqv59fmqpirdbgq9c9gr5g"))))
+             "0a83kymxc8zmlxjb0y1gf6mx7qnf0hxffwkivwh5yh138y2rfhsv"))))
 
 (define texlive-texmf-src
   (origin
     (method url-fetch)
-    (uri "ftp://tug.org/historic/systems/texlive/2017/texlive-20170524-texmf.tar.xz")
+    (uri "ftp://tug.org/historic/systems/texlive/2018/texlive-20180414-texmf.tar.xz")
     (sha256 (base32
-              "1v69y3kgkbk24f7s4dfkknwd317mqmck5jgpyb35wqgqfy5p0qrz"))))
+             "1b8zigzg8raxkhhzphcmynf84rbdbj2ym2qkz24v8n0qx82zmqms"))))
 
 (define-public texlive-bin
   (package
    (name "texlive-bin")
-   (version "20170524")
+   (version "20180414")
    (source
     (origin
-     (method url-fetch)
-      (uri (string-append "ftp://tug.org/historic/systems/texlive/2017/"
+      (method url-fetch)
+      (uri (string-append "ftp://tug.org/historic/systems/texlive/2018/"
                           "texlive-" version "-source.tar.xz"))
+      (sha256
+       (base32
+        "0khyi6h015r2zfqgg0a44a2j7vmr1cy42knw7jbss237yvakc07y"))
       (patches
        (list
-        ;; This is required for compatibility with Poppler >= 0.58.
-        ;; See <http://tutex.tug.org/pipermail/tex-k/2017-September/002809.html>
-        ;; and <https://bugs.archlinux.org/task/55720> for some discussion.
+        ;; This is required for compatibility with Poppler 0.64.0 and to fix a
+        ;; segmentation fault in dvipdfm-x from XeTeX.
         (origin
           (method url-fetch)
-          (uri (string-append "https://git.archlinux.org/svntogit/packages.git/plain"
-                              "/trunk/texlive-poppler-0.59.patch?h=packages/texlive-bin"
-                              "&id=ba2de374e2b21ecc4b85cc9777f2f15c4d356c61"))
+          (uri (string-append "http://www.linuxfromscratch.org/patches/blfs/"
+                              "svn/texlive-" version "-source-upstream_fixes-1.patch"))
           (file-name "texlive-poppler-compat.patch")
           (sha256
            (base32
-            "1c4ikq4kxw48bi3i33bzpabrjvbk01fwjr2lz20gkc9kv8l0bg3n")))))
-      (sha256 (base32
-               "1amjrxyasplv4alfwcxwnw4nrx7dz2ydmddkq16k6hg90i9njq81"))))
+            "0f8vhyj167y4xj0jx47vkybrcacfpxw0wdn1b777yq3xmhlahhlg")))))))
    (build-system gnu-build-system)
    (inputs
     `(("texlive-extra-src" ,texlive-extra-src)
@@ -175,47 +174,54 @@
                   (not (or (string-prefix? "aarch64" s)
                            (string-prefix? "mips64" s))))
       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'configure-ghostscript-executable
-           ;; ps2eps.pl uses the "gswin32c" ghostscript executable on Windows,
-           ;; and the "gs" ghostscript executable on Unix. It detects Unix by
-           ;; checking for the existence of the /usr/bin directory. Since
-           ;; GuixSD does not have /usr/bin, it is also detected as Windows.
-           (lambda* (#:key inputs #:allow-other-keys)
-             (substitute* "utils/ps2eps/ps2eps-src/bin/ps2eps.pl"
-               (("gswin32c") "gs"))
-             (substitute* "texk/texlive/linked_scripts/epstopdf/epstopdf.pl"
-               (("\"gs\"")
-                (string-append "\"" (assoc-ref inputs "ghostscript") "/bin/gs\"")))
-             #t))
-         (add-after 'install 'postint
-           (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
-             (let* ((out (assoc-ref outputs "out"))
-                    (share (string-append out "/share"))
-                    (texlive-extra (assoc-ref inputs "texlive-extra-src"))
-                    (unpack (assoc-ref %standard-phases 'unpack))
-                    (patch-source-shebangs
-                      (assoc-ref %standard-phases 'patch-source-shebangs)))
-               ;; Create symbolic links for the latex variants and their
-               ;; man pages.
-               (with-directory-excursion (string-append out "/bin/")
-                 (for-each symlink
-                 '("pdftex" "pdftex"   "xetex"   "luatex")
-                 '("latex"  "pdflatex" "xelatex" "lualatex")))
-               (with-directory-excursion (string-append share "/man/man1/")
-                 (symlink "luatex.1" "lualatex.1"))
-               ;; Unpack texlive-extra and install tlpkg.
-               (mkdir "texlive-extra")
-               (with-directory-excursion "texlive-extra"
-                 (apply unpack (list #:source texlive-extra))
-                 (apply patch-source-shebangs (list #:source texlive-extra))
-                 (invoke "mv" "tlpkg" share))
-               ;; texlua shebangs are not patched by the patch-source-shebangs
-               ;; phase because the texlua executable does not exist at that
-               ;; time.
-               (setenv "PATH" (string-append (getenv "PATH") ":" out "/bin"))
-               (with-directory-excursion out
-                 (patch-source-shebangs))))))))
+      (modify-phases %standard-phases
+        (add-after 'unpack 'configure-ghostscript-executable
+          ;; ps2eps.pl uses the "gswin32c" ghostscript executable on Windows,
+          ;; and the "gs" ghostscript executable on Unix. It detects Unix by
+          ;; checking for the existence of the /usr/bin directory. Since
+          ;; GuixSD does not have /usr/bin, it is also detected as Windows.
+          (lambda* (#:key inputs #:allow-other-keys)
+            (substitute* "utils/ps2eps/ps2eps-src/bin/ps2eps.pl"
+              (("gswin32c") "gs"))
+            (substitute* "texk/texlive/linked_scripts/epstopdf/epstopdf.pl"
+              (("\"gs\"")
+               (string-append "\"" (assoc-ref inputs "ghostscript") "/bin/gs\"")))
+            #t))
+        (add-after 'unpack 'use-code-for-new-poppler
+          (lambda _
+            (copy-file "texk/web2c/pdftexdir/pdftoepdf-newpoppler.cc"
+                       "texk/web2c/pdftexdir/pdftoepdf.cc")
+            (copy-file "texk/web2c/pdftexdir/pdftosrc-newpoppler.cc"
+                       "texk/web2c/pdftexdir/pdftosrc.cc")
+            #t))
+        (add-after 'install 'postint
+          (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
+            (let* ((out (assoc-ref outputs "out"))
+                   (share (string-append out "/share"))
+                   (texlive-extra (assoc-ref inputs "texlive-extra-src"))
+                   (unpack (assoc-ref %standard-phases 'unpack))
+                   (patch-source-shebangs
+                    (assoc-ref %standard-phases 'patch-source-shebangs)))
+              ;; Create symbolic links for the latex variants and their
+              ;; man pages.
+              (with-directory-excursion (string-append out "/bin/")
+                (for-each symlink
+                          '("pdftex" "pdftex"   "xetex"   "luatex")
+                          '("latex"  "pdflatex" "xelatex" "lualatex")))
+              (with-directory-excursion (string-append share "/man/man1/")
+                (symlink "luatex.1" "lualatex.1"))
+              ;; Unpack texlive-extra and install tlpkg.
+              (mkdir "texlive-extra")
+              (with-directory-excursion "texlive-extra"
+                (apply unpack (list #:source texlive-extra))
+                (apply patch-source-shebangs (list #:source texlive-extra))
+                (invoke "mv" "tlpkg" share))
+              ;; texlua shebangs are not patched by the patch-source-shebangs
+              ;; phase because the texlua executable does not exist at that
+              ;; time.
+              (setenv "PATH" (string-append (getenv "PATH") ":" out "/bin"))
+              (with-directory-excursion out
+                (patch-source-shebangs))))))))
    (synopsis "TeX Live, a package of the TeX typesetting system")
    (description
     "TeX Live provides a comprehensive TeX document production system.
@@ -3957,7 +3963,7 @@ directly generate PDF documents instead of DVI.")
 (define texlive-texmf
   (package
    (name "texlive-texmf")
-   (version "2017")
+   (version "20180414")
    (source texlive-texmf-src)
    (build-system gnu-build-system)
    (inputs
@@ -4029,7 +4035,7 @@ This package contains the complete tree of texmf-dist data.")
 (define-public texlive
   (package
    (name "texlive")
-   (version "2017")
+   (version "20180414")
    (source #f)
    (build-system trivial-build-system)
    (inputs `(("bash" ,bash) ; for wrap-program
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 109a24bf62..fa98bd56b8 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -37,6 +37,7 @@
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
+              (patches (search-patches "texinfo-perl-compat.patch"))
               (sha256
                (base32
                 "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
@@ -68,6 +69,7 @@ is on expressing the content semantically, avoiding physical markup commands.")
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
+              (patches (search-patches "texinfo-5-perl-compat.patch"))
               (sha256
                (base32
                 "1njfwh2z34r2c4r0iqa7v24wmjzvsfyz4vplzry8ln3479lfywal"))))
diff --git a/gnu/packages/time.scm b/gnu/packages/time.scm
index fc831ab6cc..e9bb6969e3 100644
--- a/gnu/packages/time.scm
+++ b/gnu/packages/time.scm
@@ -88,17 +88,15 @@ to a file.")
 (define-public python-pytz
   (package
     (name "python-pytz")
-    (version "2017.3")
+    (version "2018.5")
     (source
      (origin
       (method url-fetch)
-      (uri (pypi-uri "pytz" version ".zip"))
+      (uri (pypi-uri "pytz" version ".tar.gz"))
       (sha256
        (base32
-        "1dw5l527vcafvdqq4wadwl7ikhb2sssz0v0cssibh8890kyczr7s"))))
+        "0xzj5gkpdn2da8m6j47chlp6zrzcypv9m0fjv4236q3jw4fyzfgz"))))
     (build-system python-build-system)
-    (native-inputs
-     `(("unzip" ,unzip)))
     (home-page "http://pythonhosted.org/pytz")
     (synopsis "Python timezone library")
     (description "This library brings the Olson tz database into Python.  It
@@ -143,15 +141,17 @@ Pendulum instances.")
 (define-public python-dateutil
   (package
     (name "python-dateutil")
-    (version "2.6.1")
+    (version "2.7.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "python-dateutil" version))
        (sha256
         (base32
-         "1jkahssf0ir5ssxc3ydbp8cpv77limn8d4s77szb2nrgl2r3h749"))))
+         "1f7h54lg0w2ckch7592xpjkh8dg87k2br256h0iw49zn6bg02w72"))))
     (build-system python-build-system)
+    (native-inputs
+     `(("python-setuptools-scm" ,python-setuptools-scm)))
     (propagated-inputs
      `(("python-six" ,python-six)))
     (home-page "https://dateutil.readthedocs.io/en/stable/")
@@ -159,7 +159,10 @@ Pendulum instances.")
     (description
      "The dateutil module provides powerful extensions to the standard
 datetime module, available in Python 2.3+.")
-    (license bsd-3)))
+    ;; The license was changed from the three-clause BSD license to a dual
+    ;; Apache 2.0/BSD-3 variant at 2017-12-01.  Some code is only available as
+    ;; BSD-3 still; but all new code is dual licensed (the user can choose).
+    (license (list bsd-3 asl2.0))))
 
 (define-public python2-dateutil
   (package-with-python2 python-dateutil))
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index e42b6dfc6c..f638c6094c 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -80,6 +80,8 @@
        (base32
         "1jlc1iahj8k3haz28j55nzg7sgni5h41vqy461i1bpbx6668wlky"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--disable-static")))
     (native-inputs `(("perl" ,perl)))
     (home-page "https://www.gnu.org/software/libtasn1/")
     (synopsis "ASN.1 library")
@@ -260,7 +262,6 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (replacement openssl/fixed)
    (version "1.0.2o")
    (source (origin
              (method url-fetch)
@@ -275,6 +276,8 @@ required structures.")
               (base32
                "0kcy13l701054nhpbd901mz32v1kn4g311z0nifd83xs2jbmqgzc"))
              (patches (search-patches "openssl-runpath.patch"
+                                      "openssl-1.0.2-CVE-2018-0495.patch"
+                                      "openssl-1.0.2-CVE-2018-0732.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
@@ -397,15 +400,6 @@ required structures.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
 
-(define openssl/fixed
-  (package
-    (inherit openssl)
-    (source (origin
-              (inherit (package-source openssl))
-              (patches (append (origin-patches (package-source openssl))
-                               (search-patches "openssl-1.0.2-CVE-2018-0495.patch"
-                                               "openssl-1.0.2-CVE-2018-0732.patch")))))))
-
 (define-public openssl-next
   (package
     (inherit openssl)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 9567254424..53d886cf0d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -508,7 +508,7 @@ libraries for working with JNLP applets.")
 (define-public jansson
   (package
     (name "jansson")
-    (version "2.10")
+    (version "2.11")
     (source (origin
              (method url-fetch)
              (uri
@@ -516,7 +516,7 @@ libraries for working with JNLP applets.")
                              version ".tar.gz"))
              (sha256
               (base32
-               "0iv4rxsnamqm3ldpg7dyhjq0x9cp023nc7ac820jdd3pwb8ml8bq"))))
+               "1x5jllzzqamq6kahx9d9a5mrarm9m3f30vfxvcqpi6p4mcnz91bf"))))
     (build-system gnu-build-system)
     (home-page "http://www.digip.org/jansson/")
     (synopsis "JSON C library")
@@ -6629,7 +6629,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
 (define-public nghttp2
   (package
     (name "nghttp2")
-    (version "1.31.1")
+    (version "1.32.0")
     (source
      (origin
        (method url-fetch)
@@ -6638,7 +6638,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                            name "-" version ".tar.xz"))
        (sha256
         (base32
-         "00z1687m4wi2gbgkijbv099l9hs1sjlyzbhh8jhn0xssx4xcifb5"))))
+         "0zbgp8f80h2zlfn8cd2ldrmgl81jzcdh1141n71aqmfckzaqj2kh"))))
     (build-system gnu-build-system)
     (outputs (list "out"
                    "lib"))              ; only libnghttp2
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 7c326eb8d0..2e64ce35ad 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -157,14 +157,14 @@ avoiding password prompts when X11 forwarding has already been setup.")
 (define-public libxkbcommon
   (package
     (name "libxkbcommon")
-    (version "0.8.0")
+    (version "0.8.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://xkbcommon.org/download/" name "-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0vgy84vfbig5bqznr137h5arjidnfwrxrdli0pxyn2jfn1fjcag8"))))
+               "136mdq11lrwg6rjmm44lmysxxgb9c35p4sq6k0cd129x82rw9f3s"))))
     (build-system gnu-build-system)
     (inputs
      `(("libx11" ,libx11)
@@ -316,7 +316,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.92")
+    (version "2.4.93")
     (source
       (origin
         (method url-fetch)
@@ -326,7 +326,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
          (base32
-          "1yirzx8hmlvv6r0l7lb3zxmgy5la2mri9al0k16xqfg19pdqzr79"))
+          "0g6d9wsnb7lx8r1m4kq8js0wsc5jl20cz1csnlh6z9s8jpfd313f"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 9c8e3cef08..0cecb5bf7c 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -64,14 +64,14 @@
 (define-public expat
   (package
     (name "expat")
-    (version "2.2.5")
+    (version "2.2.6")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
-               "1xpd78sp7m34jqrw5x13bz7kgz0n6aj15wn4zj4gfx3ypbpk5p6r"))))
+               "1wl1x93b5w457ddsdgj0lh7yjq4q6l7wfbgwhagkc8fm2qkkrd0p"))))
     (build-system gnu-build-system)
     (home-page "https://libexpat.github.io/")
     (synopsis "Stream-oriented XML parser library written in C")
@@ -129,8 +129,23 @@ hierarchical form with variable field lengths.")
               (base32
                "0ci7is75bwqqw2p32vxvrk6ds51ik7qgx73m920rakv5jlayax0b"))))
     (build-system gnu-build-system)
+    (outputs '("out" "static"))
+    (arguments
+     `(#:phases (modify-phases %standard-phases
+                  (add-after 'install 'move-static-libs
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((src (string-append (assoc-ref outputs "out") "/lib"))
+                            (dst (string-append (assoc-ref outputs "static")
+                                                "/lib")))
+                        (mkdir-p dst)
+                        (for-each (lambda (ar)
+                                    (rename-file ar (string-append dst "/"
+                                                                   (basename ar))))
+                                  (find-files src "\\.a$"))
+                        #t))))))
     (home-page "http://www.xmlsoft.org/")
     (synopsis "C parser for XML")
+    (inputs `(("xz" ,xz)))
     (propagated-inputs `(("zlib" ,zlib))) ; libxml2.la says '-lz'.
     (native-inputs `(("perl" ,perl)))
     ;; $XML_CATALOG_FILES lists 'catalog.xml' files found in under the 'xml'
@@ -151,6 +166,7 @@ project (but it is usable outside of the Gnome platform).")
   (package/inherit libxml2
     (name "python-libxml2")
     (build-system python-build-system)
+    (outputs '("out"))
     (arguments
      `(;; XXX: Tests are specified in 'Makefile.am', but not in 'setup.py'.
        #:tests? #f
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 30e46fac7c..aa24811695 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -3835,7 +3835,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.23.1")
+    (version "2.24")
     (source
       (origin
         (method url-fetch)
@@ -3845,7 +3845,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1wq27cs1c9y7d1d7zp5yhq29paj9smajdb68lyvm28d2zq2vqjra"))))
+            "1my4786pd7iv5x392r9skj3qclmbd26nqzvh2fllwkkbyj08bcci"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -5199,21 +5199,10 @@ draggable titlebars and borders.")
 ;; This package is intended to be used when building GTK+.
 ;; Note: It's currently marked as "hidden" to avoid having two non-eq?
 ;; packages with the same name and version.
-(define-public xorg-server-1.19.3
+(define-public xorg-server-for-tests
   (hidden-package
    (package
-     (inherit xorg-server)
-     (name "xorg-server")
-     (version "1.19.3")
-     (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-              "mirror://xorg/individual/xserver/"
-              name "-" version ".tar.bz2"))
-        (sha256
-         (base32
-          "162s1v901djr57gxmmk4airk8hiwcz79dqyz72972x1lw1k82yk7")))))))
+     (inherit xorg-server))))
 
 (define-public xorg-server-xwayland
   (package
@@ -5239,8 +5228,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (version "1.6.5")
-    (replacement libx11-1.6.6)
+    (version "1.6.6")
     (source
       (origin
         (method url-fetch)
@@ -5250,7 +5238,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d"))))
+            "0ks1mxlda7nxfmffihi15ljsn50q8dknl33i2xag8xzc80fiizk5"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
@@ -5270,20 +5258,6 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
-;; Replacement package to fix multiple security bugs:
-;; <http://seclists.org/oss-sec/2018/q3/146>.
-(define-public libx11-1.6.6
-  (package
-    (inherit libx11)
-    (version "1.6.6")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://xorg/individual/lib/libX11-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "0ks1mxlda7nxfmffihi15ljsn50q8dknl33i2xag8xzc80fiizk5"))))))
-
 ;; packages of height 5 in the propagated-inputs tree
 
 (define-public libxcursor